
Cyber-Security and you - WIRED journalist got hacked

Discussion in 'SCIENCE!!' started by Gord, Aug 7, 2012.

  1. Gord Arbiter

    Gord
    Joined:
    Feb 16, 2011
    Posts:
    2,900
    Mat Honan, a journalist at WIRED, recounts how his digital life was wiped after he got hacked due to a chain of his own mistakes and obvious flaws in the security protocols of two well-known big companies:
    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/


    The cloud's bad for you!
  2. Commissar Draco KKKodex WCDS Commissar Patron

    Commissar Draco
    Joined:
    Mar 6, 2011
    Posts:
    6,265
    Location:
    Potato Empire, Holy Terra.
    Got what he deserved for using Twatter and Jewbook.... And he's also an Apple user.... what a faggot. :rage: Somebody has made a huge act of :incline:.
  3. Occasionally Fatal Arbiter Patron

    Occasionally Fatal
    Joined:
    Apr 2, 2008
    Posts:
    2,833
    Location:
    Treading water, but at least it's warm
    One of the things that annoys me about Web 2.0 is how all the sites tend to automatically remember your credit card info on file. Where is the option to never store cards? Sure, you can go in manually and remove cards, but I should be able to set the default behavior. Of course, they don't care, because if you have a card on file it makes it easier for somebody to make instant purchases.
  4. Humanity has risen! Magister Patron

    Humanity has risen!
    Joined:
    Mar 29, 2010
    Posts:
    6,228
    Location:
    Ottawa, Can.
    I always change my address, name and credit card info when I am done with a purchase.

    I use Spideroak as cloud storage, and Countermail for e-mail with a USB key for 2 step authentication. In both cases only I have the decryption key. The staff cannot see anything in my accounts.

    What this story shows is that the weak link is the minimum wage CSR who hates his job and just wants to get things done ASAP. Also that most organizations demand way too little information when someone calls to make a request before they give it away.
  5. Phelot RPG Codex Staff

    Phelot
    Joined:
    Mar 28, 2009
    Posts:
    17,922
    Look at Wired trying to be relevant.

    "So guys it turns out that there are these groups called hackers that can get your datas. Lulz long cat is long guys LOL!"
  6. Mangoose Cipher

    Mangoose
    Joined:
    Apr 5, 2009
    Posts:
    6,160
    Location:
    Arpi Jikotek
    please describe i need tips
  7. Norfleet Liturgist

    Norfleet
    Joined:
    Jun 3, 2005
    Posts:
    2,473
    Remember when you guys said I was being paranoid? It's like I keep saying, it's not paranoia when they really are out to get you. The worst part is that it's not even a malicious conspiracy. People aren't out to get you because you did something to antagonize them. They do it for the lulz, because they can. They didn't get this guy because of anything he did. It didn't take a government conspiracy to do it (those don't really exist, anyway). It's truly worse than that. "They" are everyone. One should always treat the Internet with the same level of caution and distance that one would use to handle antimatter. The Internet is a powerful force that can be used for great good or evil, and you don't want to get any of it on you.
  8. Gord Arbiter

    Gord
    Joined:
    Feb 16, 2011
    Posts:
    2,900
    Yes, pretty scary. And somewhat sad.
    Although the hacker might be a liar and is probably not to be trusted completely (and therefore neither is what he said about his motivations).

    But anyway I found it to be an interesting story about how a mixture of some sub-optimal security measures by both the customer and the companies can easily result in a total screw-up.
    Taken for themselves, neither of those things would have had much impact, but due to the easy cross-connections of internet and cloud-based systems it results in a security nightmare.
  9. Norfleet Liturgist

    Norfleet
    Joined:
    Jun 3, 2005
    Posts:
    2,473
    Trust me, I know these kinds of people. That motivation is totally and completely believable. Other common motivations are "because I could" and "dick-size contest with other hackers". Yes, that's right, you're not even a target, you're collateral damage. That's somehow worse than being a target. If you were a target because of some action YOU did, you could just avoid doing those actions. But simply being collateral damage? There's NOTHING you can do to avoid being part of that other than to eliminate your attack surface. Otherwise you get hit simply because you're there.
  10. sea Arcane

    sea
    Joined:
    May 3, 2011
    Posts:
    3,851
    His practice of using the same password for everything was moronic, but at the same time it exposes the fact that Apple's security is just not very good. Seriously, last 4 digits of the credit card number? You mean the ones anyone can see in plain text when you use your credit card? I know it's hard to come up with a foolproof failsafe short of a biometric scan, but it's still pretty inadequate.

    It's also funny as hell how everyone always takes security "very seriously" as soon as someone writes an article exposing how shitty it is in the first place. Prior to any colossal fuck-ups they're probably still storing everything as plain text.
  11. Occasionally Fatal Arbiter Patron

    Occasionally Fatal
    Joined:
    Apr 2, 2008
    Posts:
    2,833
    Location:
    Treading water, but at least it's warm
    My understanding was that he was using the same email format for everything, not the same password.
  12. SCO Arcane

    SCO
    Joined:
    Feb 3, 2009
    Posts:
    12,199
    Biometrics are not foolproof. Well, maybe foolproof, but not average-proof. In fact a biometric is one of the shittiest security keys possible, simply because it's so easy to target and acquire (if harder to use without specialized equipment), and it's not even revocable.
  13. Gord Arbiter

    Gord
    Joined:
    Feb 16, 2011
    Posts:
    2,900
    Oh so true...
  14. Norfleet Liturgist

    Norfleet
    Joined:
    Jun 3, 2005
    Posts:
    2,473
    I don't want ANY form of "security" that is somehow physically linkable to me. THAT is a disaster. If something goes wrong with a regular-security thing, I can just disown and deny. It never existed. I don't know this guy and I've never heard of him. You can't do that with "biometrics". I don't want to have to keep a jar of human eyeballs just to login to my accounts.
  15. SCO Arcane

    SCO
    Joined:
    Feb 3, 2009
    Posts:
    12,199
    Why do you think governments and companies love biometrics but hate private-key schemes?

    Do you think Google couldn't have made Gmail completely opaque to everyone by now? (I have to use an unsupported Firefox plugin just to use my GPG key with their e-mails, for signed e-mails.)
  16. Humanity has risen! Magister Patron

    Humanity has risen!
    Joined:
    Mar 29, 2010
    Posts:
    6,228
    Location:
    Ottawa, Can.
    Super long and complex passwords generated and stored with KeePass are the way to go.
  17. Fowyr Liturgist

    Fowyr
    Joined:
    Mar 29, 2009
    Posts:
    2,956
    Once I had jar of chicken eyeballs and one day I just gifted it to my neighbour for the lulz. He was both revolted and excited. Good times. :lol:
  18. Norfleet Liturgist

    Norfleet
    Joined:
    Jun 3, 2005
    Posts:
    2,473
    No it isn't. Ridiculously long, unmemorable passwords are counterproductive, and concentrating them all into a single place just gives you another single point of failure. On top of that, nobody actually breaks security this way. I have used the lousiest passwords on places that I really don't give a shit about for years. Nobody's ever broken them. If someone really wants an unprivileged forum account used only for lurking...they can have it.
    [IMG]
  19. Humanity has risen! Magister Patron

    Humanity has risen!
    Joined:
    Mar 29, 2010
    Posts:
    6,228
    Location:
    Ottawa, Can.
    That strip is complete baloney.

    You're out of your mind if you think even moderately long and complex passwords are hard to crack, due to rainbow tables. One of the multi-million-account leaks released recently had like 98% of all its passwords cracked.

    And it's not frail. LastPass gives you two-step authentication. KeePass uses a combination of your long password and a keyfile. The info is also protected whenever it is loaded in RAM.

    It is infinitely better than what you are doing.
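    The two posts above argue over whether precomputed (rainbow) tables make password length irrelevant and whether a manager-generated password buys anything. As an added example that is not from any poster in this thread, the following Python shows both halves: a toy precomputed table recovers an unsalted hash in one lookup regardless of how the password was chosen, a per-user random salt forces the attacker to redo the work for every account, and the entropy of a long generated password puts brute force out of reach. The attacker speed (1e10 guesses/s) and the wordlist are constructed assumptions for illustration; SHA-256 is used only so the table idea is visible, not as a recommended password hash.

```python
"""Added example: per-user salts versus precomputed tables, and how password
length and alphabet size set the brute-force cost. Illustrative only: SHA-256
is used so the table idea is visible; real systems should store passwords with
a slow, salted KDF such as bcrypt, scrypt or Argon2."""
import hashlib
import math
import os
import secrets
import string

# Assumed attacker speed against a fast unsalted hash on a GPU rig.
# This is an illustrative assumption, not a measurement.
GUESSES_PER_SECOND = 1e10

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]

MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Average brute-force time: half the keyspace at the assumed speed."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_password(length=24, alphabet=MANAGER_ALPHABET):
    """Manager-style random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_unsalted(password):
    """The weak case: identical passwords hash identically for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Return (salt, digest). A fresh random salt per user is the whole point."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """Toy stand-in for a rainbow table: digest -> password, computed once."""
    return {hash_unsalted(word): word for word in wordlist}


def lookup(table, digest):
    """O(1) recovery of an unsalted hash: no per-target work at all."""
    return table.get(digest)


def crack_salted(stored, wordlist):
    """Against a salted hash the attacker must recompute for each user."""
    salt, digest = stored
    for candidate in wordlist:
        if hash_salted(candidate, salt)[1] == digest:
            return candidate
    return None


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("unsalted table lookup:", lookup(table, hash_unsalted("hunter2")))
    stored = hash_salted("hunter2")
    print("salted table lookup:", lookup(table, stored[1]))
    print("salted per-user dictionary attack:", crack_salted(stored, WORDLIST))
    for length, size in ((8, 26), (12, 62), (24, len(MANAGER_ALPHABET))):
        bits = entropy_bits(length, size)
        print(f"{length} chars from {size}: {bits:.1f} bits,"
              f" ~{expected_years_to_crack(bits):.3g} years on average")
    print("generated:", generate_password())
```

    The table wins instantly against an unsalted hash of any dictionary word, which is the 98%-cracked scenario; with a salt the same dictionary still works per account but cannot be precomputed, and a 24-character generated password (about 157 bits) is outside dictionary and brute-force reach on the assumed hardware. Note that none of this helps against the attack in the article, where no password was guessed at all.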
  20. Crispy єҳזּяằ сґїşρٻ™

    Crispy
    Joined:
    Feb 15, 2008
    Posts:
    14,328
    Location:
    Future Wasteland
    The best online security is anonymity. The guy was a minor net celebrity, he got what he was asking for.
  21. Norfleet Liturgist

    Norfleet
    Joined:
    Jun 3, 2005
    Posts:
    2,473
    Yeah, but no one really breaks typical accounts that way.

    And all of these fail if someone gets access to your computer, and all of these can be bypassed completely, anyway. Note the number of passwords which were guessed or cracked in this attack: Zero.

    No, no it isn't. What I'm doing is different: I'm working from the position that everything can and will be broken one way or another, often rather trivially and in non-standard ways, and limiting the amount of damage an attacker can accomplish by compromising any or all of the things involved. For instance, this forum account is actually rather poorly secured. The password is simple and not at all difficult to break. However, the account has no privileges, and the email goes to nowhere of any worth or relevance. If someone were to compromise the Codex DB in some way, this account has no value whatsoever. If I lost it, it would be at best a minor annoyance.

    My computer, on the other hand, contains no meatspace information. If you were to somehow remotely gain access to it, it contains nothing about me. If you were to physically attempt to gain access to it, you would find yourself in possession of a pool of molten slag. And I know that forum admins are prone to stalking, so if one of them is looking at my IP, it goes to a VPN and Tor node, so that's worthless, too.

    Well, if knowledge is power, then to be unknown is to be unconquerable. However, his mistake was allowing the Internet to touch his real life, with his name, and meatspace photos, and whatnot. Me, I have no such links. Because the Internet is like antimatter: Allowing even the smallest bit of it to touch you is a bad, bad thing.
  22. laclongquan Liturgist

    laclongquan
    Joined:
    Jan 10, 2007
    Posts:
    7,229
    Location:
    Searching for my kidnapped sister
    At least you get hit because you are famous. Instead of you get hit because.
