It's bad enough for anyone to have their digital existence laid waste by a hack attack. Perhaps it's slightly worse if you're a tech journalist. Mat Honan, a senior writer at Wired magazine's Gadget Lab, has been painfully honest in laying out the details of an exploit which commandeered his Google and Twitter accounts and erased data from his iPhone, iPad, and MacBook.
"In many ways, this was all my fault," wrote Honan. "My accounts were daisy-chained together." Indeed, the victims of such attacks are legion, and many of us have been wondering this week just how vulnerable our accounts might be.
Honan does pass some blame around, however, and rightly so. Amazon and Apple's customer support portals were weakly defended, and the hackers broke in that way, apparently intent on seizing his Twitter account and using it to post offensive messages (the valued data on his Apple devices seems to have been just collateral damage).
Wired journalists retraced the attackers' steps. All the hackers needed was Honan's name, address, and email. Thus armed, they were able to add a new credit card to the target's Amazon account and, by using that card number as verification, add an email address to the account. Send a password reset request to that new address, and you're in. Although Amazon displays only partial credit card numbers, one of these was enough to persuade Apple to issue a temporary password.
Note that no advanced technical skills were needed here, just some remarkably easy social engineering.
Apple and Amazon have been swift to close and lock these particular barn doors, or so they say: customers will no longer be able to make password changes or adjust account settings by phone. (Apple did not respond to my request for comment.)
In Honan's case, the misery has been personal. But what if the hackers had been targeting enterprise data? The story underlines how simple it is for bad actors to access corporate systems, wherever an employee has "daisy-chained" -- great term -- his or her vulnerable private accounts to internal networks (via shared passwords, for example) -- or has downloaded corporate data to his or her private device.
Social engineering is elementary in an age when people not only voluntarily post identifying details -- birthplace, birthday, address, phone numbers -- on social platforms like Facebook, but involuntarily find them appearing on sites like PeekYou and Spokeo. Armed with such basic information, and minimal ingenuity, it's easy for hackers to persuade weary call-center staff (and not just at Amazon and Apple) to provide the key that unlocks an account. Confidential data derived from that account can then be used to unlock others.
Before you know it, the hackers are at the enterprise's digital front door, and it's wide open.
Solutions are available. Forced enterprise password changes, policies against "daisy-chaining," controls on downloading files, and, above all, awareness can all help. Nobody wants to be the IT manager who wakes up to find, as Honan put it, "my entire digital life... destroyed."
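The "daisy-chaining" the column warns about can be assessed rather than just worried about: model each account by the secrets that suffice to reset it and the secrets an intruder learns once inside, then compute how far a foothold of public facts propagates. The script below is an added example, not code from the article or from any of the companies named; the account names, secret labels and recovery rules are a constructed, illustrative model shaped like the chain described above, and the `corp_vpn` entry and `with_shared_password` helper are this example's own additions to show the enterprise angle (a reused corporate password).

```python
"""Blast-radius analysis for daisy-chained account recovery paths.

Constructed, illustrative model (not the article's data). Each account has:
  "unlock":  alternative sets of secrets; possessing any one set is enough to
             reset or take over the account via its recovery path
  "exposes": secrets an intruder learns once in control of the account
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

ACCOUNTS: Dict[str, dict] = {
    "retailer": {
        # phone support lets a caller with these facts attach a card and a new email
        "unlock": [frozenset({"name", "address", "email"})],
        "exposes": {"card_last4"},          # partial card number visible in the profile
    },
    "cloud_id": {
        # support issues a temporary password given email, address and partial card
        "unlock": [frozenset({"email", "address", "card_last4"})],
        "exposes": {"cloud_mailbox"},
    },
    "webmail": {
        # its recovery address is the cloud mailbox
        "unlock": [frozenset({"cloud_mailbox"})],
        "exposes": {"webmail_mailbox"},
    },
    "social": {
        # password reset mail goes to webmail
        "unlock": [frozenset({"webmail_mailbox"})],
        "exposes": set(),
    },
    "corp_vpn": {
        # hypothetical enterprise system: needs the mailbox AND a corporate password
        "unlock": [frozenset({"webmail_mailbox", "corp_sso_password"})],
        "exposes": set(),
    },
}

# The starting foothold: facts that are effectively public.
PUBLIC_FACTS: FrozenSet[str] = frozenset({"name", "address", "email"})


def blast_radius(accounts: Dict[str, dict], known: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (accounts that fall, secrets learned) reachable from `known`.

    Fixed-point iteration: an account falls when any one of its unlock sets is a
    subset of the secrets known so far; whatever it exposes feeds the next round.
    """
    secrets = set(known)
    fallen: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for name, acct in accounts.items():
            if name in fallen:
                continue
            if any(cond <= secrets for cond in acct["unlock"]):
                fallen.add(name)
                secrets |= acct["exposes"]
                changed = True
    return fallen, secrets


def chokepoints(accounts: Dict[str, dict], known: Iterable[str]) -> List[Tuple[int, str]]:
    """Rank single fixes: harden one account's recovery path (make it unbreakable
    by the attacker) and count how many fewer accounts fall. Best fix first."""
    baseline, _ = blast_radius(accounts, known)
    ranking = []
    for name in accounts:
        hardened = dict(accounts)
        hardened[name] = {"unlock": [], "exposes": accounts[name]["exposes"]}
        fallen, _ = blast_radius(hardened, known)
        ranking.append((len(baseline) - len(fallen), name))
    return sorted(ranking, reverse=True)


def with_shared_password(accounts: Dict[str, dict], personal: str, corporate_secret: str) -> Dict[str, dict]:
    """Model an employee reusing a corporate password on a personal account:
    controlling that account then reveals the corporate secret as well."""
    modified = {k: {"unlock": list(v["unlock"]), "exposes": set(v["exposes"])}
                for k, v in accounts.items()}
    modified[personal]["exposes"].add(corporate_secret)
    return modified


if __name__ == "__main__":
    fallen, _ = blast_radius(ACCOUNTS, PUBLIC_FACTS)
    print("accounts lost from public facts alone:", sorted(fallen))
    print("single fixes ranked by accounts saved:", chokepoints(ACCOUNTS, PUBLIC_FACTS))
    reused = with_shared_password(ACCOUNTS, "webmail", "corp_sso_password")
    print("with a reused corporate password:", sorted(blast_radius(reused, PUBLIC_FACTS)[0]))
```

In the model, the four personal accounts fall from public facts alone while the enterprise system holds, because it demands a second secret the chain never yields; add one reused password and it falls too. The ranking also shows where the fix matters most: hardening the first link (the retailer's phone-support path) stops the whole chain, which is exactly the "barn door" the column says Amazon and Apple closed.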
— Kim Davis, Community Editor, Internet Evolution