- Symantec Sees Links Between 2011, 2013 Cyber-Attacks on South Korea
- Largest-Ever DDoS Campaign Demonstrates Danger of New Attack Method
- Malicious Code Regularly Dodging Defenses, Palo Alto Finds
- Malware Abuses Chromium Embedded Frameword to Bolster Attacks
- Slow Android Phone Patching Prompts Vulnerability Report
The hack into a writer’s iCloud account puts a spotlight on steps consumers should take to protect their data and flaws in the policies of Apple, Amazon and other vendors.The hack into a Gizmodo writers Amazon and Apple accounts over the weekend is being used as a cautionary tale for consumers, a call to action for cloud providers regarding security policies and a sounding board for concerns about the rush to the cloud. In a lengthy first-person account in Wired magazine, writer Mat Honan outlines how an attacker quickly found his way into Honans iCloud account and wiped everything from his Mac, iPhone and iPad, all of which were linked to Apples cloud service. The attacker also hacked into his Twitter and Gmail accounts. In the story, Honan admonishes himself for failing to follow basic security protocol"his online accounts were linked together, and he had failed to back up his data, for example.However, the larger concern was how quickly and easily the attacker"who called himself Phobia"was able to get gain control of Honans Apple iCloud account through just a couple of phones calls to Amazon and Apple, convincing customer service representatives at both places that he was Honan. The attack was less about hacking into the accounts via a computer and more about social engineering gleans the necessary personal information from Amazon and Apple. according to reports. "I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years. ¦ I want to feel that I own things. A lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it." In the wake of Honans article, computer security experts have talked about steps consumers need to take to retain as much control as possible over the data they are putting into the cloud. And it goes beyond passwords, according to Lisa Myers, a blogger on the Mac Security Blog site for Apple security software vendor Intego. As much as we like to trumpet the use of good passwords, this is one instance in which this would not have made a difference, Myers said. You can use the best password in the world, but if someone can socially engineer you or someone from the site or service itself to reveal your password, it will make no difference. That isnt to say that strong passwords are not important; having a strong password will protect you against the majority of common attacks. But you should definitely not bet the farm on a password. There are steps consumers should take, she and others said. That includes encrypting as much of the online data as possible, making it more difficult for hackers to use data they gain access to. Reconsider linking accounts"trading in convenience for security"and using two-factor authentication when possible. Also, for such accounts, use an email that is unknown to others. In addition, according to Paul Ducklin, head of technology for Asia-Pacific for security software vendor Sophos Lab, consumers should make and keep backups outside of the cloud, and use an independent remote wipe service rather than one that is part of the cloud service. As much as consumers have to take steps to protect themselves, vendors like Apple and Amazon, which hold so much personal information of their users, need to bulk up their policies. An Apple spokesperson told Honan that in his case, the companys internal policies were not followed. In addition, Wired reported that Amazon Aug. 6 changed its customer privacy policies, including no longer allowing people to call in and change account settings in their user accounts. Neither Apple nor Amazon have commented publicly about Honans case. Sophos Ducklin said in an Aug. 6 post on his companys Naked Security blog that Apple recently bolstered its security policies by asking users to provide a number of security questions for further authentication. However, he said that in Honans case, because the hacker used social engineering and talked an Apple representative into giving him the information, the tighter security policies wouldnt have mattered. Apple, Amazon and others are in a difficult spot, Ducklin said. Companies can enforce utterly inflexible procedures for password reset, he said, but that is done more to save money by reducing the workforce rather than security. It also leads to situations where legitimate consumers cant solve password reset issues. Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark, he wrote. That's what happened with Honan.