> "The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification." - Mat Honan via wired.com

The epic hacking of Mat Honan demonstrated how disastrous an attack can be on a personal level, as well as how strikingly revealing such an attack can be about the industry as a whole. If you haven't heard about Mat Honan's ordeal, there are several good articles (listed below) covering what happened, how it happened, and, for the most part, why it happened, including at least two accounts directly from him.

To "briefly" sum it up here, the attackers were after his three-character Twitter account (@mat), as well as Gizmodo's Twitter account, where Honan was a former writer. In the process of acquiring these "prizes", the attackers used some interesting, well-crafted techniques to commit a series of hacks:

- 1st Hit: Mat's Amazon & Apple accounts (utilizing customer-support-facilitated password reset procedures, the attackers gained access to iCloud and .mac)
- 2nd Hit: Mat's Gmail account (the Gmail password reset link was sent to his .mac account, which the attackers had already compromised)
- 3rd Hit: Mat's personal Twitter account (the Twitter password reset link was sent to the compromised Gmail account)
- 4th Hit: Gizmodo's Twitter account (Gizmodo's account had been linked to his personal account when he worked there, and access was apparently never revoked)

Unfortunately for Mat, he lost volumes of data, including irreplaceable pictures, emails, and documents, because the attackers wiped all his devices remotely to prevent him from hindering their progress, and he didn't have backups.

That's quite a chain of events. However, if it weren't for the wanton destruction that was chalked up to "collateral damage" of the attacks, it would have been a very clever commentary on how both:
- Security policy for the industry as a whole needs to evolve
- The weakest link in the technology chain is still a human behind a keyboard.
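The chain above is easiest to reason about once it is written down as a dependency model: each recovery process accepts some facts as proof of identity and, once the account is controlled, exposes other facts. The following is an added example, not code from the post or from any of the companies involved, and the rules are a deliberate simplification of what the post describes: Amazon shows the last four digits of the card, Apple accepts those digits as an identifier, Gmail resets to the .mac inbox, Twitter resets to Gmail, and Gizmodo's account remains linked to the personal one. The post does not detail which proofs Amazon's support-facilitated reset accepted, so `{"name", "email"}` is a placeholder assumption, as is the attacker's starting knowledge. The model computes the order in which accounts fall, lists every place where one company's disclosure is another company's secret, and enumerates the single policy changes that would have broken the chain.

```python
"""Constructed model of the account-recovery chain described in the post.

Each service's recovery process is reduced to two sets (an illustrative
simplification, not any vendor's real policy):
  needs  - facts an attacker must already hold for the reset to succeed
  grants - facts that become visible once the account is controlled
Controlling an account also yields the fact "control:<service>".
"""

# Constructed rules. The proofs Amazon's support reset accepted are not described
# in the post, so {"name", "email"} is a placeholder assumption.
RECOVERY_RULES = {
    "amazon":          {"needs": {"name", "email"},          "grants": {"cc:last4"}},     # displays last four digits
    "apple":           {"needs": {"email", "cc:last4"},      "grants": {"inbox:mac"}},    # last four used as identifier
    "gmail":           {"needs": {"inbox:mac"},              "grants": {"inbox:gmail"}},  # reset link goes to .mac
    "twitter:@mat":    {"needs": {"inbox:gmail"},            "grants": set()},            # reset link goes to Gmail
    "twitter:gizmodo": {"needs": {"control:twitter:@mat"},   "grants": set()},            # linked access never revoked
}

# Constructed assumption: the attacker starts with nothing but public information.
PUBLIC_FACTS = {"name", "email"}


def compromise_path(rules, known, target):
    """Order in which accounts fall until `target` is controlled; None if it never is."""
    known = set(known)
    goal = f"control:{target}"
    path = []
    progress = True
    while progress and goal not in known:
        progress = False
        for service, rule in rules.items():
            if service in path or not rule["needs"] <= known:
                continue  # already taken, or a required proof is still missing
            path.append(service)
            known |= rule["grants"] | {f"control:{service}"}
            progress = True
            if goal in known:
                break
    return path if goal in known else None


def policy_conflicts(rules):
    """Facts one service exposes that a different service accepts as proof of identity."""
    conflicts = []
    for discloser, d in rules.items():
        for acceptor, a in rules.items():
            if discloser != acceptor:
                for fact in sorted(d["grants"] & a["needs"]):
                    conflicts.append((discloser, acceptor, fact))
    return conflicts


def _copy(rules):
    return {s: {"needs": set(r["needs"]), "grants": set(r["grants"])} for s, r in rules.items()}


def single_fixes(rules, known, target):
    """Policy changes, each sufficient on its own to make `target` unreachable:
    a service stops exposing a fact, or a service demands a proof no other service hands out."""
    fixes = []
    for service, rule in rules.items():
        for fact in sorted(rule["grants"]):
            patched = _copy(rules)
            patched[service]["grants"].discard(fact)
            if compromise_path(patched, known, target) is None:
                fixes.append(f"{service}: stop exposing {fact}")
        patched = _copy(rules)
        patched[service]["needs"].add(f"strong-proof:{service}")  # e.g. a second factor held only by the owner
        if compromise_path(patched, known, target) is None:
            fixes.append(f"{service}: demand a proof not derivable from other services")
    return fixes


if __name__ == "__main__":
    print("takeover order:", compromise_path(RECOVERY_RULES, PUBLIC_FACTS, "twitter:gizmodo"))
    for discloser, acceptor, fact in policy_conflicts(RECOVERY_RULES):
        print(f"conflict: {discloser} exposes {fact!r}, which {acceptor} treats as proof of identity")
    for fix in single_fixes(RECOVERY_RULES, PUBLIC_FACTS, "twitter:gizmodo"):
        print("fix:", fix)
```

Every service in the model is individually reasonable, and the Amazon/Apple pair is the only conflict that is not a conventional email-based reset; the fixes list shows that any one company on the chain could have broken it alone, which is the practical answer to "whose policy was wrong" when no single policy was.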
The latter point above, the weakness existing between the keyboard and the chair, will always be a risk that needs to be dealt with on an ongoing basis (mainly through training, reminders, and policy). This is a "known issue" and is fairly well understood, despite its prevalence. What I find fascinating is the "disconnect" between the organizations' policies and how, given the right sequence of overlaps and gaps, they can line up and fall over like dominos. In this case, Apple was using the last four digits of a presumably well-guarded credit card number as an identifier, and Amazon withheld all but the last four digits. According to the Payment Card Industry Data Security Standard (PCI DSS), the last four OR first six digits are the maximum that may be displayed, so it doesn't appear that anything was violated by either party there. In fact, Apple and Amazon can't be the only two companies whose policies align in just the right way to allow someone to traverse from link to link, like a chain leading to the end goal.

So, clearly it's not that the security gurus, lawyers, and policy writers at Apple and Amazon need to have a pow-wow to sort this out once and for all. That would get a bit unworkable if every company needed to make sure its policy jibed with everyone else's. There are numerous sources for boilerplate policies and best practices, but without a consensus it's almost assured that a situation like this could arise again. Do I have the answer right now? No, I don't. But I do feel that it deserves more attention from the industry as a whole. Some of the best minds in the security community might have ruminated on this already and have some good ideas, and if they haven't, it would be a great panel discussion at some conference. What about you? Do you have a workable solution? I'd love to hear about it!
Continue the Conversation on Twitter @SafelightSec
Connect with Mike on Twitter @SafelightCoop
Sources (retrieved 9/14/2012):
- http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
- http://www.wired.com/wiredenterprise/2012/08/mats-epic-hack/
- http://www.dailydot.com/news/clan-vv3-gizmodo-twitter-hack/
- http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/
- http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
- https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf