Isolated corporate security is inappropriate

In my previous post I mentioned Mat Honan, the Wired author whose digital life was destroyed by hackers within an hour.  How they did it has big implications for how companies think about, implement and police their security.

Using Amazon to hack Apple to hack Google to hack Twitter

The entire article about Mat’s experience is very interesting, and details exactly how quickly and easily the hackers were able to take over his accounts.  Mat actually talked with the hackers and they explained how they did it:

4:00pm  Use fakenamegenerator.com to get a “valid” fake credit card number

4:05pm  Called Amazon.com and added the new fake credit card (just need name & e-mail address to do this)

4:10pm  Called back to Amazon and reset the password (just need name, e-mail, and one credit card number on file, which of course they had just added – this has since been fixed at Amazon)

4:15pm  Logged into Amazon; see all the credit cards (last 4)

4:33pm  Called Apple and asked for a password reset (just need name, e-mail and last 4 of credit card; they couldn’t even answer the security questions, but the Apple tech-support guy let them through anyway!  One more reason why security questions suck.)

4:50pm  Password reset confirmation arrived in inbox, but deleted immediately by hackers

4:52pm  Gmail password recovery initiated (again, password-e-mail immediately deleted)

5:00pm  Used iCloud “Find My” tool to remotely wipe iPhone, iPad, and MacBook to prevent recovery

5:02pm  Reset Twitter password, and started posting homophobic and racist comments.

What is very interesting to me is how they combined seemingly minor security lapses from completely different companies – in this case Amazon and Apple – to completely take over this person’s online identity.  The last four digits of a credit card were displayed by Amazon as harmless account information, and accepted by Apple as proof of identity.  Neither company’s policy was obviously wrong on its own; together they were fatal.

Companies are no longer operating in a vacuum…

Amazon, E-Trade and Google to hack PayPal

The article discusses another example, explained by the hacker that compromised Mat’s account:

[quote style=”1″]You call PayPal, and you have to have the last four of a payment method. You can get that from Amazon or you can impersonate a PayPal agent. They access your account from the last four. You tell them you want to add a phone number, and you add a Google Voice number. And then you say, I also want to add a new bank account I just got. And they add that for you.

Then you hang up, go to PayPal.com, and go to Reset My PayPal Account. It says send to a phone number and shows the last digits. You pick your Google Voice number, and then it calls your phone and gives you the reset code.  You enter that, and you go to a new page of verification that says please enter your full bank account with routing number.  You just add the bank account number you just made with E-Trade.[/quote]

Using Amazon and Google to hack PayPal, which of course is probably linked directly to your bank account!  (Wired notified PayPal about this and it has been fixed – PayPal will no longer send a password reset to a phone number until that phone number has been verified by logging in.)  The underlying mistake is that a recovery channel added over the phone by a call-centre agent was trusted as much as one the account owner had proven control of from inside a logged-in session.
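To make that reset-channel distinction concrete, here is a small model of the weak policy next to the fixed one.  This is an added example, not PayPal’s code; the class and function names (Account, RecoveryPhone, agent_add_phone, reset_channels_weak, reset_channels_fixed) and the phone numbers are constructed for illustration.

```python
"""Toy model of the PayPal reset weakness and its fix (added example, not PayPal's code).

A call-centre agent can add a phone number to an account, but only the owner,
from an authenticated session, can mark it verified.  The weak reset policy
offers every number on file as a destination for the reset code; the fixed
policy offers only verified numbers.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RecoveryPhone:
    number: str
    verified: bool = False              # True only after the owner proved control of it
    pending_code: Optional[str] = None  # one-time verification code, if one is outstanding


@dataclass
class Account:
    email: str
    phones: List[RecoveryPhone] = field(default_factory=list)

    # What a call-centre agent can do over the phone: add a number, nothing more.
    def agent_add_phone(self, number: str) -> RecoveryPhone:
        phone = RecoveryPhone(number)
        self.phones.append(phone)
        return phone

    # Verification must start from a logged-in session; the code is sent to the phone.
    def start_phone_verification(self, number: str, session_authenticated: bool) -> str:
        if not session_authenticated:
            raise PermissionError("phone verification requires a logged-in session")
        phone = self._find(number)
        phone.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
        return phone.pending_code  # returned here only so the demo can complete the flow

    def confirm_phone_verification(self, number: str, code: str) -> bool:
        phone = self._find(number)
        ok = phone.pending_code is not None and hmac.compare_digest(phone.pending_code, code)
        if ok:
            phone.verified = True
            phone.pending_code = None
        return ok

    def _find(self, number: str) -> RecoveryPhone:
        for phone in self.phones:
            if phone.number == number:
                return phone
        raise KeyError(number)

    # Weak policy (pre-fix): any number on file may receive the reset code.
    def reset_channels_weak(self) -> List[str]:
        return [p.number for p in self.phones]

    # Fixed policy: only numbers verified from an authenticated session.
    def reset_channels_fixed(self) -> List[str]:
        return [p.number for p in self.phones if p.verified]


OWNER_PHONE = "+1-555-0100"     # constructed: the account owner's real number
ATTACKER_PHONE = "+1-555-0199"  # constructed: the attacker's Google Voice number


def simulate_attack(policy: str) -> bool:
    """Replay the attack under a policy; True means the attacker's number is
    offered as a reset destination, i.e. the account takeover succeeds."""
    victim = Account("victim@example.com")
    victim.agent_add_phone(OWNER_PHONE)
    code = victim.start_phone_verification(OWNER_PHONE, session_authenticated=True)
    victim.confirm_phone_verification(OWNER_PHONE, code)

    # Attacker talks a call-centre agent into adding a new number...
    victim.agent_add_phone(ATTACKER_PHONE)
    # ...but cannot verify it without the password they are trying to reset.
    try:
        victim.start_phone_verification(ATTACKER_PHONE, session_authenticated=False)
    except PermissionError:
        pass

    channels = victim.reset_channels_weak() if policy == "weak" else victim.reset_channels_fixed()
    return ATTACKER_PHONE in channels


if __name__ == "__main__":
    print("weak policy, attacker gets reset code:", simulate_attack("weak"))
    print("fixed policy, attacker gets reset code:", simulate_attack("fixed"))
```

The same rule generalises to every recovery channel (e-mail addresses, bank accounts, security questions): anything added without proof of control should be unusable for recovery until the owner confirms it from an authenticated session.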

Hacking RSA to hack Lockheed Martin

This is an extreme example of corporate espionage, and it was later reported that the attack on RSA was probably carried out by the Chinese military.

(image: attack at Lockheed Martin)

The hackers sent an e-mail to 3 (just THREE!) employees at RSA Security – the company that makes the little RSA security tokens pictured above.  The e-mail contained the following silly text:

[quote style=”1″]I forward this file to you for review. Please open and view it[/quote]

At least one of the three opened the attached Excel file, only to find what looked like an empty spreadsheet.  Unfortunately, it also contained an exploit for a zero-day Flash vulnerability (CVE-2011-0609) which instantly and silently installed a back-door onto the RSA employee’s computer.  This gave the hackers complete control over a computer that was sitting INSIDE the RSA firewall!

The hackers used that foothold to quickly spread to other machines and eventually to the server holding the SecurID seed records – the per-token secrets from which each key-fob’s one-time codes are derived – including those issued to Lockheed Martin and L3, two US defence contractors!  Whoever holds a token’s seed can compute exactly the numbers that token will display, so the hackers could effectively clone those key-fobs, and attacks on Lockheed Martin followed.

Fortunately in this case the breach was discovered by RSA, new fobs were issued, and the hackers never breached Lockheed or L3 (that’s the public story at least 🙂).

Conclusion

Clearly hackers will go after data in one company just to hack another company.  It is also obvious that these hackers are clever and thinking in new and novel ways, and are not afraid of a little social engineering with a company’s call centre.

These conclusions have some very big impacts for companies.

  1. Clearly companies can’t implement security in a vacuum any more, and need to be aware of what juggernauts like Amazon, Apple, PayPal, Google and Microsoft are doing;  a large percentage of your clients will certainly have accounts with these tech giants, and thus your security needs to be informed by their implementations.  If Amazon displays the last four digits of a card to anyone who can log in, then the last four digits cannot be a secret in your identity-verification process.
  2. Companies need to start training their call-centre staff to be more vigilant towards these kinds of social engineering attacks.
  3. Corporate security needs to improve to defend against these kinds of attacks; weak password policies, one-factor authentication, failure to automatically filter e-mail, and failing to hash security answers are not acceptable practices!

I’m reminded of the following security quote:

[quote style=”1″]Security systems have to win every time, the attacker only has to win once.
– Dustin Dykes[/quote]

Robert
