Apple, Amazon Security Fails: Time For Change

  /     /     /  
Publicated : 22/11/2024   Category : security

Apple, Amazon Security Fails: Time For Change


What will it take for cloud service providers to overhaul their customer identification mechanisms and finally get serious about social engineering attack vectors?


Call it the security fail experience for Amazon and Apple.
On Aug. 3, an epic hack compromised technology journalist Mat Honans Twitter account. Along the way, the attacker--known as Phobia--also managed to remotely erase Honans Apple laptop, iPhone, and iPad. Furthermore, Phobia did it by
socially engineering
--as in, tricking--customer service representatives at Amazon and Apple, allowing him to gain sufficient information to first access Honans iCloud and Gmail accounts.
Obviously, a self-described 19-year-olds ability to execute a multi-layered social engineer attack also calls into question who else--intelligence agencies, criminals, or legions of bored teenagers--may have already been putting these techniques to work, only without victims ever wising up.
Whos to blame? Start with the identity verification system employed by the technology giants. Amazons system is partially at fault, but the weakest link by far is Apple, says Marco Arment, the co-founder of Tumblr, on his
blog
. Its appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts.
[ Learn how to protect yourself. Read
8 Ways To Avoid Getting Your Life Hacked
. ]
When it comes to screening consumers, businesses are lazy. What it comes down to is authentication--how do you verify that someone is who they say they are? Right now, the industry norm is that you provide some bits of personal information, says the threat intelligence manager for Trustwave SpiderLabs, who goes by Space Rogue, speaking by phone. Cue the now-obvious problem: None of that stuff is secret information, he says. All of that is fairly easily gotten to through Google or other methods.
The failure of the security teams at Amazon and Apple to proactively spot--or else bother to address--Phobia-style attacks is glaring. (Both companies are reportedly reevaluating their checks and balances.) At the
Black Hat Europe conference
in Amsterdam earlier this year, penetration testers detailed gigs in which theyd been hired by a business to identify its information security vulnerabilities. Oftentimes, they found the
expected flaws in Web applications
. But too often, they literally also encountered unlocked backdoors to the office itself, and printouts of usernames, passwords, or other sensitive information carefully indexed inside unlocked filing cabinets.
Professional penetration testers would have made short work of Amazon and Apple, given the ease with which consumers can be impersonated. People do this all the time, this isnt an isolated case that happened to Honan, says Space Rogue, who helped found noted consultancy @Stake, and whos previously worked for security research think tank L0pht Heavy Industries.
If businesses are lazy, so are consumers, and Honan admitted culpability in the attack against his online identity. Those security lapses are my fault, and I deeply, deeply regret them, he wrote in a
recap of the attacks
. Still, after making that statement early on in his article, Honan then spent 3,300 words analyzing everything that others, including Amazon and Apple, did wrong.
To reiterate: Dont be a Honan. He failed to back up his devices to a hard drive, despite the amazing fire and forget Time Machine backup software included with his Apple OS X laptop. He used identical email address prefixes--first initial, last name--across numerous services, which made his account addresses easy for an attacker to guess. And he tied numerous accounts together, thus creating a single point of failure.
11 Security Sights Seen Only At Black Hat (click image for larger view and for slideshow)
Honan is hardly the first tech-savvy person to make these types of mistakes. Accused LulzSec and Anonymous participant Donncha OCearrbhail claimed to have
compromised the AppleID of Irelands top cybercrime investigator
. Because the cop was also forwarding his work emails to a Gmail account that hed set his iPhone to check, OCearrbhail was able to eavesdrop on a conference call between the FBI and overseas law enforcement agencies.
Unfortunately, when it comes to securing peoples increasingly connected online lifestyles, there arent any easy answers. People want to leverage technology to make their lives easier, so they link all of these accounts together, and by doing so, they put themselves at risk, says Space Rogue. Is it the fault of the technology companies for allowing people to do this, or peoples fault? This is something that society is going to have to deal with as we move forward.
Thankfully, Honans cautionary tale--and excellent analysis of how his life was hacked, made possible by Phobia telling all, in return for a guarantee that Honan wouldnt prosecute him--has now put this question front and center.
But should you suffer a similar fate, dont expect the white-gloves treatment afforded Honan, which has included Apple working to restore the files that were remotely deleted from his hard drive. The victim here is a popular technology journalist, so he got a level of tech support thats not available to most of us, said Bruce Schneier, chief security technology officer of BT, in a
blog post
. I believe this will increasingly become a problem, and that cloud providers will need better and more automated solutions.
What might these improved security solutions look like? As noted, Apple and Amazon can start by at least
offering
two-factor authentication. Given that both companies earn big bucks from running smartphone app stores and have those distribution channels, creating a two-factor smartphone app would be a natural next step. Or they could just
use Googles smartphone app
.
Meanwhile, for people who want to call customer service to reset a password, but who--like Phobia when he contacted Apple--lacked the answers to security questions already on file, make them jump through hoops. For example, after allowing a user to request a password reset by phone, why not make the person call back the next day, says Tumblr co-founder Marco Arment. If you forget your password and the answers to your security questions, its not unreasonable to expect a bit of inconvenience. Especially if you dont want to see your digital life compromised by a social-engineering-savvy attacker.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Apple, Amazon Security Fails: Time For Change