Apple and Amazon have patched security flaws that allowed hackers to delete the digital existence of Wired and Gizmodo journalist Mat Honan.
The companies reportedly changed their respective security policies on Thursday, with Honan claiming Apple has stopped processing password resets over the phone, while Amazon has stopped accepting changes to account settings like credit card numbers and emails over the phone. At the time of publishing, neither Amazon nor Apple had responded to V3's request for confirmation.
The patches follow on from a cyber campaign against Honan, which he detailed on his Tumblr blog and then in a lengthy piece on Wired.com. The attack saw the hacker systematically erase Honan's digital existence.
This included wiping clean the contents of Honan's iPad, iPhone and MacBook hard drive, including all his pictures of his one-year-old daughter, and erasing eight years of Gmail messages, finally going on to hijack his Twitter account.
While we're happy Apple and Amazon have addressed the concerns, there are other important lessons to be learned from Honan's experience. As admitted by Honan, the hack was possible because of his own lax attitude towards security.
Honan made it easier for the hackers by using the same email prefix for multiple accounts, making it easy for the hackers to guess the email address associated with his Apple ID. Once the hackers had Honan's Apple email, they needed to find his billing address and the last four digits of a credit card number to illegally seize control of his account.
The hackers reportedly got Honan's billing address by searching for his personal web domain on whois.com. They went on to get his card's last four digits via Amazon, which until its recent update, only required a name, an email address and a billing address to give up the information.
Equipped with the three vital pieces of information all the hackers then had to do was to phone Apple and pretend to be Honan. After this, thanks to Apple's new centralised iCloud integration across all its products, the hackers had free rein to ruin Honan's life.
"At 5:02 pm, they reset my Twitter password," wrote Honan.
"At 5:00 they used iCloud's 'Find My' tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook.
"Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack."
While the hackers did have to put a fair amount of work and know a lot about Apple and Amazon's security policies to mount the attack, the core flaw that led to the breach was still human error. Time and time again security experts have warned against using the same password and email address across multiple accounts.
This lesson was even shown off earlier in 2011 when hacktivist collective Anonymous managed to hack government and military security consultancy Stratfor by exploiting the fact a senior employee had used the same password for his work and social media logins.
The fact is, Honan's experience once again showcases what experts have been telling us for years: most hacks are the result of human error, a fact not lost on Honan.
"Those security lapses are my fault, and I deeply, deeply regret them," he noted.
For us this means that while we feel for Honan and are glad Apple and Amazon have taken note of his experience, the real victory will come when people personally learn from his example and start taking cyber security seriously.
Posted by Rian Priyadi On Agustus 10, 2012 0 CommentsJika artikel ini bermanfaat,bagikan kepada rekan melalui: