Hacked journalist reminds us security is people plus process

Hacked journalist reminds us security is people plus process

Summary: Poor processes combined with people who aren't trained in security are more dangerous than most technical vulnerabilities.

TOPICS: Security

When Wired journalist Mat Honan realised his Twitter, Amazon and iCloud accounts had been hacked, he initially thought someone had brute-forced his seven-character, alphanumeric password.

That's not impossible — GPU computing in the cloud makes cracking passwords much easier. If you care about an account, your password needs at least 12 characters. That can be two or more common words together rather than a single Brobdingnagian word.

But what allowed a hacker who just wanted a cool Twitter handle to get so much access to Honan's accounts were failures in the security processes at both Amazon and Apple, and good old human error. Forget zero-day vulnerabilities and buffer overruns and heap-spraying attacks. If you forget that security has to be a combination of people, process and technology, then someone is going to get hacked.

Engima keyboard

Technology as secure as the Enigma machine isn't enough if people and processes are insecure

I'm not quite sure why Amazon ever allowed customers to add a credit-card number to their account over the phone — some oddity of the US banking system, because it's easier than typing it in on a phone screen? But allowing someone to add a security credential to their account and then use it almost immediately is clearly a bad idea.

It's something that many credit-card and banking-fraud systems look for, actually. You could force a waiting period between entering and using a new credential, or insist on out-of-band confirmation — such as the emails you get when you set up new accounts with many websites — or you could stop someone adding a new security credential without confirming an existing security credential.

The problem here is that Amazon was conflating a service — adding a new way to pay — with a security check — using a credit card number to reset an account. It amounted to a process failure it's since fixed, compounded by Apple using just the last four digits of a credit card for a password reset. Presumably, Apple employees weren't asking for the other security features such as the expiry date and security code because they weren't being used for a purchase, and there's some dispute as to whether that was official policy or not. If it was, that's a process failure. If not, it's people failure.

Security experts sometimes joke that two-factor authentication stands for, "Something you've lost and something you've forgotten" — a physical object that you can prove is in your possession as well as a password you can memorise. In this case it was, "Something you can find out and then pretend to remember".

But we do forget passwords and lose or break physical items such as keycards and tokens. Having a live human being as the last resort for regaining access to your account is a good thing, but you have to make it an annoying process for legitimate users to avoid making it to easier for hackers to get around.

Social engineering means getting someone to break the rules. Having good rules and training people to understand why they're important is the best protection.

My bank gets some of that right and some of it wrong. For example, I have to type in a code it texts to my phone to set up a new standing order. That's good two-factor authentication. But I recently lost access to my business bank account because the banking site told me I'd changed computers, which I hadn't, or IP address, which I hadn't either.

What I had done was swap back to the Windows 7 image I took before installing Windows 8 CP so I could upgrade to Windows 8 RP, deleting or replacing whatever cookie the bank had used last to identify my computer — often this is a randomly-generated number. I was confronted by a set of security questions that should have unlocked my account. But my account was set up before those security questions were added to the system and my answers didn't work.

When I phoned the bank, the security procedure involved asking me a lot of other questions. Not just my name, address, date of birth and company name, but when I opened the account, who else could operate it, full security details from the account credit card plus details of the balance and recent transactions that you wouldn't know unless you'd already hacked me.

That's a good process and lot more secure than security questions you can find the answer to on Facebook. One US bank warns you to pick answers that no-one else can give and then asks for the name of your first boyfriend or girlfriend. At least one other person on the planet knows that even if you haven't told the world on a social network.

I couldn't answer all the questions straightaway. We stayed on the phone for half an hour running through alternative but equally secure questions before I'd proved my identity enough for the bank to reset the security-question prompt. That's people applying the process well. No, they didn't reset my password. They just let me set up new security questions but answering them didn't get me into my account. I still needed both my password and passcode to log in.

All this is a crutch for dealing with the broken system of passwords that's going to keep letting us down. A much better idea would be to use something harder to copy, find online, crack and lose.

It's not perfect, but using the trusted-platform model (TPM) that's in many modern PCs would be a good start. Windows 8 PCs will have TPMs in far more systems. Firmware TPMs are built into Windows RT tablets and SoC devices running Windows 8 and even consumer PCs will start to include them because Windows 8 uses the TPM to help guard against rootkits that mess with the operating system directly.

You can use a TPM as a virtual smartcard in Windows 8, so you could tie important accounts to the hardware of your PC — which wouldn't change if you upgraded your OS or logged in from a different network.

Lose, break or replace your PC? The recovery system can use a mobile phone for secondary authentication — something you're less likely to lose control of than an email address — and fall back to a call centre, with well-trained people following a good security process.

Topic: Security

Mary Branscombe

About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things inbetween.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Hard lesson Learned

    Dude that was a very hard lesson to learn and it is sad to see something like this happen, but I think this is the type of wake-up call that they needed to kick the complacent attitude that many companies have about authentication and passwords. There continues to remain the need for more preventative measures to be put in place. For example many of the leading online storage providers are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim that the verification process makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more providers start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.
    • Dude?

      Um, Branden_B,
      The writer of the article is a woman. At best you come off as quite immature, at worse stupid with the inability of reading comprehension.

      Even using the term Dudett is in bad taste.
      • Calm down

        The victim was a man,he was referring to how bad it was for him to experience that, being a woman doesn't mean she deservers any more respect than a male journalist.

        Also it could be dudess or dudine FYI
        beau parisi
      • the dude abides

        I don't mind being a dude, a dudette or one of the guys; as long as I'm not a dud. we do need to generally raise security levels; the problem is when an inconvenient process makes us take shortcuts like reusing passwords so we can remember them...
  • Clown Computing

    Yes, "Clown Computing" is the characterisation of accessing the cloud with Username & Password. Trusted Comuting and TPM can be used from Windows XP and higher. All tools commercially available.