The Epic Hack– A new front in spear phishing

Mr. Malicious has opened a new front in online fraud. But of course you have read about Mat Honan already.

As with any social engineering attack, the hacker reconnoitered his target, collecting bits of information here and there to build a profile of his mark.  The innovation here is to spear phish Apple’s techical support staff instead of the mark or one of his friends. The way Mat Honan centralized control of other accounts to his Apple email allowed full cloud root.

TIME suggests doing away with username/passwords altogether, replacing it with some improved OpenID-like schemes. These simply move the phishing target to another authentication service provider like Disqus here below.

Time Warner Cable’s technical support handles password resets by deleting the user’s profile. No information is disclosed and, if you are the legitimate account holder, you can reconstruct it in about half an hour. Many online services could use this approach. But Apple stores too much valuable data for that to work. Dropbox, Facebook et al.

Apple has a good possible fix: the Macintoshes and iDevices all have unique serial #s obtainable by software and Apple has complete control over them through the software update process. They could switch to two factor idevice and password based authentication for AppleID and supply a stronger OpenID to web applications approved by Apple. To reset a password, you must initiate it from your Apple product, then call support, then wait 72 hours (to give the owner a chance to report a stolen device). Something like this will give Apple an edge over pure software-based security solutions and avoid the cost of distributing onetime key fobs.

Advertisements

About magicianeer
Web Services Architect and Software Engineer specializing in internet applications built on LAMP.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: