2. What will it take for cloud service providers to review their customer identification mechanisms and finally get serious about social engineering attack vectors?
On August 3, a hacker pulled off an "epic" compromise of the Twitter account of technology journalist Mat Honan. Along the way, the attacker, who goes by "Phobia", also managed to remotely wipe Honan's Apple laptop, iPhone, and iPad. In addition, Phobia used social engineering, as in tricking customer service at Amazon and Apple, which allowed him to obtain enough information to first gain access to Honan's iCloud and Gmail accounts.
Obviously, the ability of a supposedly 19-year-old to carry out a multi-stage social engineering attack also raises the question of who else, from intelligence agencies and criminals to legions of bored teenagers, may have been putting these techniques to work, only without the victims ever noticing.
3. Who is responsible? Start with the identity verification systems used by technology giants. "Amazon's system is partially at fault, but the weakest link is by far Apple," says Marco Arment, co-founder of Tumblr, on his blog. "It is appalling that they give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are generally considered safe to display on websites and receipts."
When it comes to screening consumers, businesses are lazy. "What is authentication? How do you verify that someone is who they say they are? Right now, the industry standard is that you provide a few bits of personal information," says the director of threat intelligence at Trustwave SpiderLabs, who goes by "Space Rogue", speaking by phone. The problem with that is now clear: "It's not secret information," he said. "All of this is easily obtained through Google or other methods."
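As an added illustration, and not code from the article or from Apple, Amazon or Trustwave, the following Python models the check Space Rogue describes (a few bits of personal information) beside a hardened variant that also demands a possession factor. The account record, the attacker's dossier and the field names are constructed; the one-time code is HOTP (RFC 4226) using that RFC's published test-vector key, standing in for an enrolled device. The example generalizes beyond the Honan case: any challenge that can be answered from public records is passed by the attacker just as easily as by the owner, while a code from a device the attacker does not hold is not.

```python
# Added example, not code from the article or from Apple, Amazon or Trustwave.
# Models "a few bits of personal information" as the recovery check, beside a
# variant that also requires a possession factor. All account data is constructed.
import hashlib
import hmac
import struct

# Constructed account record for a hypothetical target.
ACCOUNT = {
    "name": "Mat Honan",
    "address": "123 Example St, San Francisco",
    "card_last4": "1234",
    # Secret shared with an enrolled device; this is the RFC 4226 test-vector key.
    "hotp_secret": b"12345678901234567890",
    "hotp_counter": 0,
}

# What the attacker can assemble from public sources (constructed dossier).
ATTACKER_DOSSIER = {
    "name": "mat honan",
    "address": "123 example st,  san francisco",
    "card_last4": "1234",  # printed on receipts and shown on many sites
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _normalise(value: str) -> str:
    # Case and whitespace differences must not matter to a recovery check.
    return " ".join(value.lower().split())


def weak_kba_recovery(account: dict, claim: dict) -> bool:
    """Knowledge-based check: name, address and card last-4 all match.
    Everything it asks for is in the attacker's public dossier."""
    return all(
        _normalise(claim.get(field, "")) == _normalise(account[field])
        for field in ("name", "address", "card_last4")
    )


def hardened_recovery(account: dict, claim: dict, presented_code=None) -> bool:
    """KBA only routes the request; the decision rests on a one-time code from
    the enrolled device, compared in constant time."""
    if not weak_kba_recovery(account, claim) or presented_code is None:
        return False
    expected = hotp(account["hotp_secret"], account["hotp_counter"])
    return hmac.compare_digest(expected, presented_code)


if __name__ == "__main__":
    owner_code = hotp(ACCOUNT["hotp_secret"], ACCOUNT["hotp_counter"])
    print("weak check, attacker dossier:  ", weak_kba_recovery(ACCOUNT, ATTACKER_DOSSIER))
    print("hardened, attacker's guess:    ", hardened_recovery(ACCOUNT, ATTACKER_DOSSIER, "000000"))
    print("hardened, real owner's device: ", hardened_recovery(ACCOUNT, ATTACKER_DOSSIER, owner_code))
```

The design point is that the hardened flow does not make the personal questions harder; it stops treating them as the decision. A real deployment would also increment the counter after each successful verification and rate-limit failed attempts, neither of which the article discusses.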
That security teams at Amazon and Apple had not proactively spotted, or bothered to address, Phobia-style attacks is hardly surprising. (Both companies were reassessing their checks and balances.) At the Black Hat Europe conference in Amsterdam earlier this year, penetration testers detailed engagements in which they were hired by a company to identify information security vulnerabilities. Often they found the expected flaws in Web applications. But all too often they also encountered literally unlocked office back doors, and printed user names, passwords, or other sensitive information carefully filed inside unlocked cabinets.
4. Professional penetration testers would have made short work of Apple and Amazon, given the ease with which their customer service can be spoofed. "People do this all the time; this is not an isolated case that happened to Honan," says Space Rogue, who helped found the noted consultancy @stake and previously worked for the security research think tank L0pht Heavy Industries.
If companies are lazy, so are consumers, and Honan admitted his share of the blame for the attack on his online identity. "These security holes are my fault, and I deeply regret them," he wrote in his summary of the attacks. However, after making that statement early in his article, Honan then spent 3,300 words analyzing everything that others, including Apple and Amazon, did wrong.
To repeat: do not be a Honan. He did not back up his devices to a hard drive, despite the incredibly easy "set and forget" Time Machine backup software included with his Apple OS X laptop. He used the same email address prefix, first initial plus last name, across many services, which made his account addresses easy for an attacker to guess. And he tied many accounts together, creating a single point of failure.
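As an added example, not code from the article and not a description of Honan's actual configuration, the following Python takes that last point further: treat "owning account A lets you reset account B" as a directed edge and compute how many accounts fall with any single compromise. The account names and recovery links are constructed, including a hypothetical phone-based reset for iCloud. What it shows is that the account upstream of the chain is the single point of failure, and that giving a high-value account its own out-of-band recovery path, one no other account in the chain can trigger, is what actually shortens the blast radius.

```python
# Added example, not from the article or from Honan's own setup. Treats
# account recovery as a directed graph ("owning A lets you reset B") and
# measures how much a single compromise hands over. Links are constructed.
from collections import deque

# Constructed recovery links: each key can reset every account in its list.
RECOVERY_LINKS = {
    "phone": ["icloud"],             # hypothetical SMS reset for iCloud
    "icloud": ["gmail"],             # iCloud address is Gmail's recovery email
    "gmail": ["twitter", "amazon"],  # Gmail is the recovery email for both
    "twitter": [],
    "amazon": [],
}


def blast_radius(links, start):
    """Accounts an attacker ends up controlling after compromising `start`
    (breadth-first walk over 'can reset' edges); `start` itself is excluded."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in links.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def single_points_of_failure(links, threshold=2):
    """Accounts whose loss hands over at least `threshold` others, largest
    blast radius first."""
    ranked = sorted(((name, blast_radius(links, name)) for name in links),
                    key=lambda item: len(item[1]), reverse=True)
    return [(name, sorted(reached)) for name, reached in ranked if len(reached) >= threshold]


def isolate(links, account):
    """Give `account` a dedicated out-of-band recovery path: no other account
    in the graph can reset it. Returns a new graph; the input is left unchanged."""
    return {owner: [dep for dep in deps if dep != account] for owner, deps in links.items()}


if __name__ == "__main__":
    for name, reached in single_points_of_failure(RECOVERY_LINKS):
        print(f"{name}: compromise also yields {reached}")
    fixed = isolate(RECOVERY_LINKS, "gmail")
    print("after isolating gmail, icloud yields:", blast_radius(fixed, "icloud"))
```

Running it ranks the phone number first, because in this constructed graph everything hangs off it; isolating the Gmail account alone already stops an iCloud compromise from spreading. The same walk applies to any recovery map, however many services are on it.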