Not So Secret Answers | TechSNAP 70

Not So Secret Answers | TechSNAP 70

A Gawker Reporter’s entire online presence is hacked, and all his devices wiped. We’ll walk you through the details of this attack, and why it suggests we might be facing some fundamental challenges.

Plus: Your questions, our answers, and so much more.

On this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Gawker Reporter gets entire online presense hacked

  • Gawker Reporter and formed Wired editor Mat Honan had his entire digital life destroyed in a matter of minutes last week
  • A hacker going by the pseudonym Phobia, originally targeted Mat’s twitter account because of its 3 character username
  • The @mat twitter account linked to Mat’s personal website, which listed his gmail address
  • The attacker then started the password recovery process to reset the password of the gmail account
  • Since the gmail account had not been configured for two-factor authentication, the reset option was to send a new password to the alternate account configured in gmail
  • The address of this account is obscured and displayed so you know which email to go check, but when the alternate address for is displayed as m***** it is pretty easy to guess the email address
  • Now, in order to reset the password of the AppleID, the attackers would normally need the answers to the account’s “Secret Questions”, however, there is a fallback method, when these cannot be provided by the customer
  • Apple only requires that you provide the billing address and last for digits of the credit card on file for the account
  • The billing address is fairly easy to come by (phone book, domain whois, people search, blog posts, etc), but the last four digits of the credit card number are less so
  • Since the hacker knew the victims email address, the next target of the attack was
  • The attacker had an associate call Amazon and claim to be the victim, wanting to add a new credit card to the account. This process only requires knowing the account holders name, billing address, and the new credit card (Adding a new credit card to your account does not seem like a high security operation, and it would seem to make sense for companies to make this process as easy as possible)
  • The trick is, you then call Amazon back, and now you are able to provide the account holders name, billing address, and current credit card number. With this information to verify your identity, you are able to change the email address on the account, to one that you control
  • Now that you control the Amazon account, you simply login, and look at the other cards on file, you don’t get to see the entire credit card number, but the first and last 4 digits are displayed, so that customers can identify which card is which
  • With that information in hand, it now time to call AppleCare, and reset the password on the AppleID, gaining you access to the iCloud account and email address of your victim
  • Next you can reset the password of the gmail account, and then once you control that, reset the password of the twitter account
  • Now, if you want to prevent your victim from interfering with your actions, you need to disable their ability to fight back. This is where iCloud’s ‘Find My’ service comes into play
  • The attacker used the service to initiate a remote wipe of the victim’s iPhone, iPad and MacBook, as part of this process, the devices are also locked with a PIN code, which only the attacker has
  • The next step was to delete the gmail account, so it couldn’t be used to regain control of the twitter account. Normally you are able to undelete a gmail account, however it requires external verification, in this case via a text message to the cell phone tied to the gmail account, which the victim had not yet regained control of
  • All of this points out that the serious weak link in most all security systems, are the people, and the ways around the security systems we put in place, for when people forget their passwords
  • As we have seen in other cases like this, with some basic personal information that is pretty easy to acquire, and attacker could have transferred the phone service from the victim’s cell phone to another device in order to intercept verification text messages from services such as gmail or the victim’s online banking
  • Mat Honan admits that a number of the security problems that made this attack possible were his own fault, not having recent backups of his devices, not using two-factor authentication for gmail and other services and having only a 7 character password for his AppleID (although this didn’t factor into this attack as originally believed, it is still a security failure)
  • Wired did its own tests using the methodology that the attacker claimed to have used, and was able to completely compromise two other Wired employees
  • Apple and Amazon have both since stopped doing password resets over the phone

Secret Questions Don’t Work

  • The problem with Secret Questions is that in order for a question to be general enough that it will apply to most people and static enough that the answer won’t change by time you need to use the questions to recover your password, the answers end up being very generic and can usually be found with a bit of research
  • You also have to consider who may be attacking your secret questions, if the question is “What was the name of your first Teacher”, what if the attacker is someone you went to school with?
  • Another problem is how strictly the answers are verified, a common security question when calling your credit card company is your mother’s maiden name. In a great deal of cases, if you just mumble something this will be accepted and you will be able to make changes to the account
  • A good security question must maximize these four criteria:
  • Definitive: there should only be one correct answer which does not change over time.
  • Applicable: the question should be possible to answer for as large a portion of users as possible (ideally, universal).
  • Memorable: the user should have little difficulty remembering it
  • Safe: it should be difficult to guess or find through research
  • Feedback: Send in your ideas for good secret questions, and we’ll critique some of the suggestions next week
  • Bruce Schneier on Secret Questions



Question? Comments? Contact us here!