the cloud bites back ( or cumulus security is all wet and see through )

der.hans PLUGd at LuftHans.com
Mon Aug 6 22:58:23 MST 2012


moin moin,

Wired reporter Mat Honan lost almost all of his data. It took hackers an
hour to take over his Gmail, Amazon, Apple and Twitter accounts. Along the
way they deleted all the data on his phone, his tablet and his laptop (
all Apple products using one stop deletion from Apple ). They also deleted
his Gmail account and all 8 years of his email.

Do you allow the cloud to delete your data?

Do you store email addresses and physical addresses in your contact
list? Do those people use that same email address for banking? Online
shopping? Social networking?

Do other people store the email address you use for banking alongside 
your physical address?

See my presentation Thursday on "Online security, privacy and password
management" for tips and tricks on how to keep this from happening to you.

http://PLUG.phoenix.az.us/meetings/14-east-valley-meeting/89-plug-east-meeting-for-aug-9.html

Oh, and make sure you have off-cloud backups of important data!

Here's the longish story:

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

Below are some choice quotes:

###
In many ways, this was all my fault. My accounts were daisy-chained
together. Getting into Amazon let my hackers get into my Apple ID account,
which helped them get into Gmail, which gave them access to Twitter.
###

###
After coming across my account, the hackers did some background
research. My Twitter account linked to my personal website, where they
found my Gmail address. Guessing that this was also the e-mail address
I used for Twitter, Phobia went to Google’s account recovery page. He
didn’t even have to actually attempt a recovery. This was just a recon
mission.
###

###
“You honestly can get into any email associated with apple,” Phobia
claimed in an e-mail. And while it’s work, that seems to be largely
true.
###

###
First you call Amazon and tell them you are the account holder, and want
to add a credit card number to the account. All you need is the name on
the account, an associated e-mail address, and the billing address. Amazon
then allows you to input a new credit card. (Wired used a bogus credit
card number from a website that generates fake card numbers that conform
with the industry’s published self-check algorithm.) Then you hang up.
###

### 
And it’s also worth noting that one wouldn’t have to call Amazon to
pull this off. Your pizza guy could do the same thing, for example. If
you have an AppleID, every time you call Pizza Hut, you’re giving the
16-year-old on the other end of the line all he needs to take over your
entire digital life.
###

### 
They could have used my e-mail accounts to gain access to my online
banking, or financial services. They could have used them to contact
other people, and socially engineer them as well. As Ed Bott pointed
out on TWiT.tv, my years as a technology journalist have put some very
influential people in my address book. They could have been victimized
too.
###

ciao,

der.hans
-- 
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  "It is a miracle that curiosity survives formal education."
#   -- Albert Einstein

