Monday, August 06, 2012

Net security is completely broken

Matt Honan was thoroughly hacked, including having his iCloud-linked computers obliterated [1], because our net security infrastructure is completely broken.

Here's just one bit of the hack ...

How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

... It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud...

... First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers [1] that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time....

That sound you hear is the hollow laughter of Bruce Schneier, who used to write about the madness of 'secret questions' before the sheer stupidity of it all wore him down.

It's all broke guys.

Once upon a time civilians [2] used the same password everywhere. Smart civilians made it a bit harder to guess, like "Joseph45206". They knew their passwords.

They were hacked of course. So companies began insisting on more robust passwords. Civilians stopped remembering their passwords. So they took to requesting password resets whenever their browsers forgot a password. Except email addresses fade away, so resets often failed. Then sites started asking 'secret questions' to do resets, but nobody remembers the answer they gave to their #$! secret question [3]. So now Apple support basically hands over credentials to nice sounding voices.

This system can't be fixed.

Phone based two-factor might help, but I've been using Google's two-factor since day 1 and it's still a royal pain in the ass. It's strictly for geeks. Not to mention what happens when you lose your phone.

We need to give Schneier a few drinks and get him to talk about this again. Failing that:

  1. Backup for Darwin's sake.
  2. Don't enable remote wipe of Mac OS X hardware. Just encrypt it.
  3. Use Google two-factor (two-step verification) if you are a geek and can stomach it.
  4. Fear the Cloud. Keep the data you value most close to you.
  5. Don't use iCloud.
  6. Don't trust Apple to get anything right that involves the Internet and/or Identity. [4]

Not being Schneier, my advice isn't worth much, but fwiw I suspect the "solution" is:
  1. Get rid of the secret security question.
  2. Strictly limit password resets. If someone has lost access, charge them $50 to go to a bank, post office or notary to establish their identity.
  3. Incorporate biometrics (thumb print and speech probably).

[1] Of course he didn't have backups. Don't beat him up about that, he's busy flogging himself.
[2] As opposed to geeks with 15 yo FileMaker password databases stored on encrypted disk images. 
[3] Unless they've added a $!%!%$! secret question field to the #$!#$ FileMaker encrypted disk image database and the answer to the secret question is something like: "4hgoghi4ohh4tt".
[4] Apple needs to pay their executives less and their geeks more. 

4 comments:

Martin said...

If you have lost your phone, you can still use the printed one-time tokens for Google's 2-factor authentication.

John Gordon said...

Yes, if I can remember where they are. I really don't have a 'standard' place to keep information like that. FWIW I think I know where one copy is, and I think I have another copy in my encrypted database.

Really though - who can handle this complexity? Most of us have too much going on in our lives, and our brains aren't improving.

I'm bemused by people who claim Google 2-factor is pain free. I assume they need to create the backdoor passwords used by Mail.app and the like.

In truth though, with phone loss, I was thinking more that the phone is a great kit for attacking my identity. (Yes, it's encrypted, but that's another thing to handle.)

Many of the geeks I like and read are in denial about how broken things are. They keep coming up with ever more extreme measures for us to follow, as though it's all natural.

Frogs jump out of hot water, but humans just settle in for the boil.

Martin said...

I fully agree … it is somehow tragic that iCloud, which made cloud computing accessible and relatively easy for many users, failed so tragically. The world is full of users waiting to be hacked, exploited etc. and Apple, Google etc. have no clue how to improve things, maybe because an improvement here is not possible, or at least too expensive and does not scale well.

Ironically, social engineering for a Google Apps account might be rather difficult since human Google support is almost impossible to contact, even as a paying Google Apps customer …

P.S.: I hate your CAPTCHAs. I submit my comments as a paying Google Apps customer. Why does Google challenge me with CAPTCHAs that are almost impossible to solve?

John Gordon said...

I can't do the CAPTCHAs either. Blog authors don't usually see them, but occasionally I'm connecting with a non-owner account.

I think they've evolved to a point that only experts can solve them, and they all work for spammers.

Problem is I allow anonymous comments and only moderate if > 4 days, so there's only CAPTCHA and Google spam detection between me and mosquitoes.

As an experiment I've disabled captchas on notes.kateva.org. I'll see how good Google's spam detection is.

If the volume is too high I'll turn off anonymous access. I agree, CAPTCHA has reached the end of the road.