"You do have to worry about your computer security, but you also need to worry about everybody else's"

Technology journalist Mat Honan and Cloudflare CEO Matthew Prince have something in common - they've both been hacked by a Long Beach teenage member of the UGNazi hacktivist group.
At the RSA Conference in San Francisco today, Honan and Prince spoke about their experiences in a session entitled "We were hacked: Here's what you should know".
And, I'm afraid what they had to say spells bad news for those of us who love to use the internet and embrace cloud-based technologies to manage our lives more easily.
Because you no longer have to worry just about your own computer security - you also need to start worrying about everybody else's.

The hack of Mat Honan

In the case of Honan, who has written for publications such as Gizmodo and Wired, the hack last year resulted in him having his Gmail account hijacked, and his iPhone, iPad and MacBook Air remotely wiped.
To make things worse, Mat Honan hadn't backed up his laptop for 2 years. And when his MacBook was wiped, he lost priceless photos of his daughter who was just 18 months old at the time. (Yes, he admits he was "a jerk" for not making backups.)
For good measure, the hackers also locked Honan out of his @mat Twitter account, and began to post racist and offensive comments. For a short while, the hackers were also in control of the official Gizmodo Twitter account.
Just how Mat Honan's online accounts fell at the hands of hackers has been well documented. Although Honan himself has to shoulder some of the blame for not using free security features such as two-factor authentication to defend his Google account, Apple and Amazon's customer service departments and account recovery processes unwittingly assisted the hack.
As Honan described it in his talk, "you do have to worry about your own security, but you also need to worry about everybody else's".
All of this effort to hack one journalist, and you have to ask yourself why? According to Honan, the only answer he ever got from the hackers was that they were after his rare three character Twitter account - @mat.

How the hack of Cloudflare hit 4Chan

Matthew Prince had a similar unpleasant experience at the hands of UGNazi hackers - even though he probably thought he was doing everything right. For instance, he had a long, complex, randomised password to protect his Gmail account.
But last year hackers were able to trick Google into adding a bogus recovery email address to Prince's personal Gmail account, and then use that address to reset his password.
No guessing or cracking of Prince's passwords was required.
In a series of automated voicemails, the hackers taunted Prince - even revealing that they had bought his social security number from an underground Russian website.
As Prince told the delegates at the RSA conference, "If you don't think your social security number can be bought from a Russian website, you're wrong. It can."
It gets worse, though. Prince is CEO of Cloudflare, and like many other companies Cloudflare uses Google Apps for Business for its email system. The hackers, who were now in control of Prince's personal account, were able to request a password reset for Cloudflare's Google Apps admin panel.
This shouldn't have been possible, because Cloudflare was using two-factor authentication for its Google Apps accounts, but an oversight in Google's account recovery process meant no authentication code was ever asked for. (Google says it has since fixed the problem.)
With apparent ease, the UGNazi hackers had gained access to Cloudflare's communications.

By Graham Cluley
Source and read more:
http://nakedsecurity.sophos.com/2013/02/27/worry-about-security/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
