Hacked journalist reminds us security is people plus process
When Wired journalist Mat Honan realised his Twitter, Amazon and iCloud accounts had been hacked, he initially thought someone had brute-forced his seven-character, alphanumeric password.
That's not impossible — GPU computing in the cloud makes cracking passwords much easier. If you care about an account, your password needs at least 12 characters. That can be two or more common words together rather than a single Brobdingnagian word.
But what allowed a hacker who just wanted a cool Twitter handle to get so much access to Honan's accounts were failures in the security processes at both Amazon and Apple, and good old human error. Forget zero-day vulnerabilities and buffer overruns and heap-spraying attacks. If you forget that security has to be a combination of people, process and technology, then someone is going to get hacked.
Technology as secure as the Enigma machine isn't enough if people and processes are insecure
I'm not quite sure why Amazon ever allowed customers to add a credit-card number to their account over the phone — some oddity of the US banking system, because it's easier than typing it in on a phone screen? But allowing someone to add a security credential to their account and then use it almost immediately is clearly a bad idea.
It's something that many credit-card and banking-fraud systems look for, actually. You could force a waiting period between entering and using a new credential, or insist on out-of-band confirmation — such as the emails you get when you set up new accounts with many websites — or you could stop someone adding a new security credential without confirming an existing security credential.
The problem here is that Amazon was conflating a service — adding a new way to pay — with a security check — using a credit card number to reset an account. It amounted to a process failure it's since fixed, compounded by Apple using just the last four digits of a credit card for a password reset. Presumably, Apple employees weren't asking for the other security features such as the expiry date and security code because they weren't being used for a purchase, and there's some dispute as to whether that was official policy or not. If it was, that's a process failure. If not, it's people failure.
Security experts sometimes joke that two-factor authentication stands for, "Something you've lost and something you've forgotten" — a physical object that you can prove is in your possession as well as a password you can memorise. In this case it was, "Something you can find out and then pretend to remember".
But we do forget passwords and lose or break physical items such as keycards and tokens. Having a live human being as the last resort for regaining access to your account is a good thing, but you have to make it an annoying process for legitimate users to avoid making it to easier for hackers to get around.
Social engineering means getting someone to break the rules. Having good rules and training people to understand why they're important is the best protection.
My bank gets some of that right and some of it wrong. For example, I have to type in a code it texts to my phone to set up a new standing order. That's good two-factor authentication. But I recently lost access to my business bank account because the banking site told me I'd changed computers, which I hadn't, or IP address, which I hadn't either.
What I had done was swap back to the Windows 7 image I took before installing Windows 8 CP so I could upgrade to Windows 8 RP, deleting or replacing whatever cookie the bank had used last to identify my computer — often this is a randomly-generated number. I was confronted by a set of security questions that should have unlocked my account. But my account was set up before those security questions were added to the system and my answers didn't work.
When I phoned the bank, the security procedure involved asking me a lot of other questions. Not just my name, address, date of birth and company name, but when I opened the account, who else could operate it, full security details from the account credit card plus details of the balance and recent transactions that you wouldn't know unless you'd already hacked me.
That's a good process and lot more secure than security questions you can find the answer to on Facebook. One US bank warns you to pick answers that no-one else can give and then asks for the name of your first boyfriend or girlfriend. At least one other person on the planet knows that even if you haven't told the world on a social network.
I couldn't answer all the questions straightaway. We stayed on the phone for half an hour running through alternative but equally secure questions before I'd proved my identity enough for the bank to reset the security-question prompt. That's people applying the process well. No, they didn't reset my password. They just let me set up new security questions but answering them didn't get me into my account. I still needed both my password and passcode to log in.
All this is a crutch for dealing with the broken system of passwords that's going to keep letting us down. A much better idea would be to use something harder to copy, find online, crack and lose.
It's not perfect, but using the trusted-platform model (TPM) that's in many modern PCs would be a good start. Windows 8 PCs will have TPMs in far more systems. Firmware TPMs are built into Windows RT tablets and SoC devices running Windows 8 and even consumer PCs will start to include them because Windows 8 uses the TPM to help guard against rootkits that mess with the operating system directly.
You can use a TPM as a virtual smartcard in Windows 8, so you could tie important accounts to the hardware of your PC — which wouldn't change if you upgraded your OS or logged in from a different network.
Lose, break or replace your PC? The recovery system can use a mobile phone for secondary authentication — something you're less likely to lose control of than an email address — and fall back to a call centre, with well-trained people following a good security process.