Hey! You! Get off of my iCloud!

[WT Sharpe]

Interesting article at Scientific American: "How the iCloud Hack Happened and How to Avoid Being Next" by Paul Wagenseil and SecurityNewsDaily (August 7, 2012).

Quote:

....."What happened to me exposes vital security flaws in several customer-service systems, most notably Apple's and Amazon's," Honan wrote in a long piece published on the Wired magazine website last night (Aug. 6). "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit-card number — that Apple used to release information.
....."In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification."

http://www.scientificamerican.com/ar...-cons-of-jailb

[KenJackson]

This is scary. The SSN is abused similarly.

It's not uncommon for a financial institution to ask for "the last four digits of your social" to authenticate your identity. The thinking apparently is that if you know those four digits, then that's proof that you are who you say you are.

But not very long ago the SSN was used widely, mindlessly and indescriminately for everything from driver's licences to miltary service numbers to college IDs to insurance policy IDs. We were even encouraged to inscribe it on our belongings so the police could return them to us if they were stolen and recovered. One video rental where I rented movies long ago even required your SSN to rent a movie.

And as late as last year, a ski rental shop where I rented skis had a blank on the rental form for your SSN. My friends and I never fill it in, of course, but I'm sure some people do.

[yvanleterrible]

Hmmm! I avoid using iCloud for a good portion of what I do and will refuse to in the future. No data is safe anywhere and worse off in transit. If its out there it's out of your control. Period.

[wizwor]

Someone at work forwarded this to me. Mat's problem is that he offended someone who is smarter than he is. That's easy to do on the internet. It's even possible when posting about things as benign as e-readers.

This is not something that is an internet problem. It happens in real life too. One time I was walking through a park during a snow storm. A car full of kids drove past throwing snowballs. I went to the local police station with the license plate. They provided an address and I showed up at the front door. The driver happened to be the son of a doctor and I assured him I'd return when his father was home. Was he hacked or just stupid?

I vote stupid and Mat is stupid too. I say IS because his home address is still on his home page. So is his home phone. It's not hard to be less stupid.

First, be nice. It's OK to disagree with someone and people do get excited, but if you tork off enough people, one of them is going to pull a gun on you. Worked a chat channel in the 90s. One of the people who helped out referred to herself as DocB. She was pretty smart and one night when a rude kid disrupted out chat, she followed him back to a channel that used special characters to form its name. She just wanted to let him know she was smart enough to follow him home. Next day she got an email with a listing of all the files on her computer. Google DocB to get her email address, then her email address to get some snail mail addresses and business activities...just saying.Rule #1: when discussion comes to the point where neither side is going to change their mind, change the topic.

Second, be smart. You should have at least three email accounts. One account should be for business -- important business like banking and bill paying. One account should be for shopping. One account should be for trivial communication. Use this account for social sites and commenting on things. If your post about chick-fil-a offends people, they should not be able to run up your credit card or empty your bank account. Rule 2: separate business from pleasure.

Finally, be discreet. If you are required to provide personal information to participate in a service, make it up. No one needs your home address or phone number. No one needs to know your politics or hobbies. Create a unique, disconnected profile for each service you belong to. It's OK to have a professional facebook or twitter account with contact information. It should include basic professional information. It should not include sexual preference, social activities, a photo, or even your date of birth. Employers are not allowed to ask for these things, so do not provide them voluntarily. Do not 'link' your alter egos with common information. If you google wizwor, you should not find my home address, phone number, or place of employment. If use of the resource requires some of this information, disassociate it from the rest. IOW, if fatwallet.com has your address, use a different userid on that forum. Do not allow cookies to be stored on your computer. Rule 3: don't leave breadcrumbs.

PS, be thoughtful. Use different passwords for each email account. Passwords are stored somewhere and are unencripted by computer programs. If someone gets, say, a list of linkedin accounts with passwords and emails, using the same password on linked in as gmail and having gmail listed as your email account will allow the hacker to visit your mailbox. With this access, the hacker will likely be able to get in your mailbox and will be able to learn about your business and reset passwords. Also a good idea to not store too much information in your online mailbox. It's also a good idea not to leave too much information on a computer always connected to the internet. If you have to do this, use truecrypt to create a safe place for your data on the pc. (I have moved my financial/tax info to a thumb drive which i read/edit on a computer that is rarely connected to anything.)

If you're nice, use separate accounts for business and pleasure, and take care not to link the two, whatever hacking happens will be incidental, damage will be limited, and responsbility will be shared with an institution with the resources to help clean things up.

Disclosure: I don't do all of these things. I do more today than I used to (separate accounts, unique passwords, limited personal information), but the internet houses a lot of my personally identifiable information.

[Andrew H.]

Quote:

Originally Posted by wizwor

Someone at work forwarded this to me. Mat's problem is that he offended someone who is smarter than he is. That's easy to do on the internet. It's even possible when posting about things as benign as e-readers.

He didn't offend the hacker.

Quote:

I asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.


“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me via Twitter Direct Message.

I don't particularly think that the hacker was "smarter" than Honan, any more than a burglar who convinces a neighbor to give him your house key is smarter than you.

[snip of irrelevant stuff]

Quote:

Second, be smart. You should have at least three email accounts. One account should be for business -- important business like banking and bill paying. One account should be for shopping. One account should be for trivial communication. Use this account for social sites and commenting on things. If your post about chick-fil-a offends people, they should not be able to run up your credit card or empty your bank account. Rule 2: separate business from pleasure.

Again, Honan didn't offend anyone. Multiple e-mail addresses *may* have helped, though. Using Google's two-factor authorization definitely would have helped.

Quote:

Finally, be discreet. If you are required to provide personal information to participate in a service, make it up. No one needs your home address or phone number. No one needs to know your politics or hobbies. Create a unique, disconnected profile for each service you belong to. It's OK to have a professional facebook or twitter account with contact information. It should include basic professional information. It should not include sexual preference, social activities, a photo, or even your date of birth. Employers are not allowed to ask for these things, so do not provide them voluntarily. Do not 'link' your alter egos with common information. If you google wizwor, you should not find my home address, phone number, or place of employment. If use of the resource requires some of this information, disassociate it from the rest. IOW, if fatwallet.com has your address, use a different userid on that forum. Do not allow cookies to be stored on your computer. Rule 3: don't leave breadcrumbs.

None of this is really helpful if your job is being a blogger, though. I'm not sure how disabling cookies would have helped either - if anything, it would make it more difficult for you to use something like KeePass or another password locker that makes it easier to use multiple passwords.

Quote:

PS, be thoughtful. Use different passwords for each email account. Passwords are stored somewhere and are unencripted by computer programs. If someone gets, say, a list of linkedin accounts with passwords and emails, using the same password on linked in as gmail and having gmail listed as your email account will allow the hacker to visit your mailbox. With this access, the hacker will likely be able to get in your mailbox and will be able to learn about your business and reset passwords. Also a good idea to not store too much information in your online mailbox. It's also a good idea not to leave too much information on a computer always connected to the internet. If you have to do this, use truecrypt to create a safe place for your data on the pc. (I have moved my financial/tax info to a thumb drive which i read/edit on a computer that is rarely connected to anything.)

If you're nice, use separate accounts for business and pleasure, and take care not to link the two, whatever hacking happens will be incidental, damage will be limited, and responsbility will be shared with an institution with the resources to help clean things up.

It's possible that this would have helped Honan, although, again, it's not clear. As a columnist for Wired, there is going to be more information out there about him than most other people, and anonymity is going to be impossible because it's his job to be public. (It's also not going to be possible to not annoy some people with his opinions, no matter how "nice" he is...although that was not at all the reason for this hack.)

The biggest mistake Honan made was in not backing up his stuff; the next biggest was probably not realizing that a hacker could remote wipe his laptop. But these mistakes didn't enable the actual hacking; they just made the damage much worse. WRT the actual hacking, Apple (and to a lesser extent Amazon) were much more responsible than Honan - they reset his password *even though* the hackers couldn't even answer the security questions (which are often a weak spot anyway).

Quote:

Disclosure: I don't do all of these things. I do more today than I used to (separate accounts, unique passwords, limited personal information), but the internet houses a lot of my personally identifiable information.

Yeah, at some point it's impossible to do everything you "ought" to do and still function. I like two-factor authorization plus a password vault program (which makes it much easier to use different passwords for different sites) - but if an important site will give out your password if you call them up and give them information that's not hard to find, having different, cryptic passwords for each site won't help much.

Although I do think that companies are going to be much more reluctant to do this now, so that's a good thing.

Realistically, of course, the problem is that the traditional username/password scheme, which was developed when people would have *one* account, and which still worked okay when people had a couple of accounts, is almost completely unworkable when people need 100+ different username/password combinations for various sites.

[wizwor]

Quote:

Originally Posted by Andrew H.

He didn't offend the hacker.

Says he. Victims of road rage are always completely innocent too.

[wizwor]

Quote:

Originally Posted by Andrew H.

None of this is really helpful if your job is being a blogger, though.

Producers of talk radio shows adopt fake names to protect their privacy. There is no reason a blogger needs to publish a home address or phone.

[wizwor]

Quote:

Originally Posted by Andrew H.

Realistically, of course, the problem is that the traditional username/password scheme, which was developed when people would have *one* account, and which still worked okay when people had a couple of accounts, is almost completely unworkable when people need 100+ different username/password combinations for various sites.

Right. Something you have + something you know is the best possible security solution. I like the RSA solution (though it has failed) and the PKI token. Still, this is not only a computer problem. We live in an age when people walk onto school buses wearing bombs and enter schools with guns. There is risk in taking sides. It just might be prudent to separate your political self from your family life if you are going to offend unknown persons.

[Ninjalawyer]

Quote:

Originally Posted by wizwor

Right. Something you have + something you know is the best possible security solution. I like the RSA solution (though it has failed) and the PKI token. Still, this is not only a computer problem. We live in an age when people walk onto school buses wearing bombs and enter schools with guns. There is risk in taking sides. It just might be prudent to separate your political self from your family life if you are going to offend unknown persons.

I also recommend you grab a copy of Stephen Pinker's new book which lays a convincing case that we're living in the safest period in human history.

[wizwor]

Define safe. No one has chased me home or run my car off the road, but a lot of people are dealing with a lot of unprovoked violence. And the potential for catastrophic violence has probably never been greater.

But that is not what OP was talking about. The internet has created an environment where people transact business with email addresses and userids. In most cases the business is between strangers. In the interest of convenience, we have created systems that allow users to recover lost passwords with only a little difficulty.

This is a risk and the steps I describe dramatically reduce the liklihood that the vulnerabilities will be exploited. Very worthwhile when I am protecting savings accounts and credit ratings that will put my kids through college.

[Ninjalawyer]

Quote:

Originally Posted by wizwor

Define safe. No one has chased me home or run my car off the road, but a lot of people are dealing with a lot of unprovoked violence. And the potential for catastrophic violence has probably never been greater.

Pinker would say that, statistically, your risk of "catastrophic violence" has never been lower in fact. Even with two world wars, he would argue that the odds of a violent death in the 20th century were far lower than the centuries that preceded it, and that the 21st century appears to be following that same downward trend.

That's not to say violence can't happen, just that your odds of suffering from it are lower now then previously (assuming you buy Pinker's argument), and that there is less worldwide violence overall.

If you're interested, I'd be more than happy to continue this via private message or some other means.

[wyndslash]

Quote:

Originally Posted by Ninjalawyer

I also recommend you grab a copy of Stephen Pinker's new book which lays a convincing case that we're living in the safest period in human history.

interesting. i might grab that