Hacking Gmail, Amazon, and Apple – Problems with Humans and Cloud Security
Re-posted from SEC4Lib:
On Tue, Aug 7, 2012 at 8:41 AM, Blake Carver <firstname.lastname@example.org> wrote:
Here’s a follow up on that story from yesterday. It’s a good, short, read and has some really good lessons. I know I need to make some changes now.
“How Apple and Amazon Security Flaws Led to My Epic Hacking” http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
“I should have been regularly backing up my MacBook. I shouldn’t have daisy-chained two such vital accounts I shouldn’t have used the same e-mail prefix across multiple accounts I should have had a recovery address that’s only used for recovery without being tied to core services. I shouldn’t have used Find My Mac.” –
To me, this is the result of short-term profit maximization at the corporate level mixed with the path of least resistance at the user level. Companies can operate cheaper, more efficiently up to the point of the hack in the cloud and maximize profits. Users don’t have to do too much to enjoy the convenience of the cloud up to the point of the hack. Yet, with each successful hack, the knowledge of how to hack becomes known globally – greatly increasing risk to all users and all companies using the cloud.
When I did a quick security review of Ocean State LIbraries, Sacramento Public Library, and The Library Connection last year, even fundamental security measures were not being taken: http://bestofpublib.wordpress.com/2011/05/15/pubic-library-security-insecurity/
Fortunately, OSL did step up their security a bit with pins, but it created inconvenience to the administrators and the users. One of the librarians who witnessed the events leading to the change told me that the battle for security over short-term convenience was ugly but she did not want to speak about it publicly. I can understand that - given the justifiable paranoia over having the circulation records used for identity theft and no one wanting to take responsibility. But, all it takes is just a bit of laziness at the top levels and bad policy to put everyone at risk. And, unfortunately, the first rule of Library Fight Club is not to talk about Library Fight Club so everyone does not know of the risk. Knowledge of risk is limited to insiders who may not know how to manage risk and insure accountability.
I think the real point of the Mat Honan article is that the writer was not dumb – he is most likely in the top 2% of people who understand technology. So, every ‘error’ he made – which would not be considered errors by the other 98% of us - is a risk.
The people working in libraries most likely represent the upper 30 or 40% of people who understand technology simply by being surrounded by books and publicly paid for technology. But, as gatekeepers to those resources they create the impression of expertise. Some are experts, but really most are not. Standing next to a pile of books does not mean you read them. Being able to turn on a computer does not mean you know how it works. Being responsible for information security does not mean that the information is secure.
What we can take from the Mat Honan article is the humility of the author in showing that he failed himself and should have known better. There are many, many people in administrative positions including libraries that are responsible for information security who would never admit that they know not what they do. There are many, many people in corporations that will never admit or may not even know that their systems have been or are compromised. All we can hope for is strong laws that mandate reporting and at least a few people such as the author of the Wired article to own up to what they do not know as an example for the other 98% of us.
It used to be that you would need to be able to configure Satan and really have a strong grasp of command line interfaces and operating systems to be a hacker. You really would need advanced knowledge and some fairly sophisticated resources to hack. Not any more.
Backtrack : http://www.backtrack-linux.org/ can be installed very easily and used by novice hackers with ill intent utilizing easy to follow step-by-step instructions on Youtube. Just using one of my high gain antennas with a little laptop, I can war drive or sit in my house and see many, many exploitable WIFI services locally with little or no protection. I could crack a WEP in about 2 minutes, but so many people now rarely even bother to protect their WIFI. They are just happy that it works out of the box. As an ethical hacker, I will never exploit those vulnerabilities. But, the time when exploitation was limited to those with wilful intent, advanced knowledge of computer systems along with strong social engineering skills has passed. We are now in an era where a hack can be easily accomplished with a bit of simple social engineering (SPOKEO anyone?), the intent and common access to a computer. In fact, with very little knowledge about computer systems it would be very easy to inadvertently exploit a system using Backtrack without intent.
I think one of the upsides of less need for advanced knowledge is that we are now seeing powerful cases being built against companies from the digital forensic side where they are doing some pretty sleazy things at the highest level: http://www.sfgate.com/business/bloomberg/article/Standard-Chartered-Falls-Most-in-24-Years-on-N-Y-3769142.php In the paper age, the information about these sorts of activities was much easier to control and compartmentalize. Automated computer forensic tools can greatly simplify investigation without requiring advanced degrees in computer science to operate.
Robert L. Balliot
Please join us on BestofPublib Facebook
The Publib Archives
Archives compiled after Dec. 7, 2011 are available here: Archives
Filed under: Administration, Circulation, Ethics, Information Security, Library Marketing, Library Profession, Public Services, Security, Technical Services, Technology Tagged: | Amazon, Apple, Gmail, library fight club