BIGVAMS

One of this week’s big tech stories has been the hacking of Wired reporter Mat Honan, who had his digital life “destroyed” by hackers, after they took over his Google account, his Twitter account, and his AppleID.

AppleID allows users to log in to iTunes, iCloud, iChat, Apple’s online store, Apple retail stores and Apple.com support.

He admits that much of his ruination could have been avoided by some precautions he failed to take himself (such as two-step verification on his Google account), but he also pointed a couple of fingers at Amazon and Apple, saying in his highly publicized Wired article:

Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

This isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.

div.twitterditto232995306680221696 { background: #BADFCD url(http://a0.twimg.com/profile_background_images/22152170/SF.jpg) no-repeat; padding: 20px; } div.twitterditto232995306680221696 a { color: #FF0000; } div.twitter-inner-ditto232995306680221696 { background: #fff; padding: 10px 12px 10px 30px; margin: 0; min-height: 48px; color: #000; font-size: 22px !important; font-family: Georgia, “Times New Roman”, Times, serif; line-height: 30px; -moz-border-radius: 5px; -webkit-border-radius: 5px; } div.twitter-inner-ditto232995306680221696 div.metadata { display: block; width: 100%; clear: both; margin-top: 8px; padding: 12px 0px; height: 55px; } div.twitter-inner-ditto232995306680221696 div.follow-button { float: right; padding: 0 30px 0 0; } div.twitter-inner-ditto232995306680221696 div.metadata div.author { line-height: 20px; color: #333; font-family: Arial, Helvetica, sans-serif; } div.twitter-inner-ditto232995306680221696 span.tweet { font-size: 22px; } div.twitter-inner-ditto232995306680221696 div.metadata div.author img { float: left; margin: 0px 7px 0px 0px; } div.twitter-inner-ditto232995306680221696 a:hover { text-decoration: underline; } div.twitter-inner-ditto232995306680221696 div.timestamp { font-family: Arial, Helvetica, sans-serif; font-size: 12px; display: block; color: #999; margin: 10px 0 0 0; line-height: 25px; } div.twitter-inner-ditto232995306680221696 div.timestamp a { color: #999; text-decoration: none; } div.twitter-inner-ditto232995306680221696 div.timestamp a > span { display: inline-block; width: 16px; height: 16px; background-image: url(”http://images.ientrymail.com/socialditto/everything-spritev2.png”); background-repeat: no-repeat; } div.twitter-inner-ditto232995306680221696 div.timestamp a.twitreply > span { background-position: 0px 3px; } div.twitter-inner-ditto232995306680221696 div.timestamp a.twitreply:hover > span { background-position: -16px 3px; } div.twitter-inner-ditto232995306680221696 div.timestamp a.favorite > span { background-position: -32px 2px; } div.twitter-inner-ditto232995306680221696 div.timestamp a.favorite:hover > span { background-position: -48px 2px; } div.twitter-inner-ditto232995306680221696 div.timestamp a.retweet > span { background-position: -80px 3px; } div.twitter-inner-ditto232995306680221696 div.timestamp a.retweet:hover > span { background-position: -96px 3px; } p.indent { margin-left: 20px; } div.twitter-inner-ditto232995306680221696 span.name { font-weight: bold; } div.twitter-inner-ditto232995306680221696 span.at-name a,div.twitter-inner-ditto232995306680221696 span.at-name a:visited, div.twitter-inner-ditto232995306680221696 span.at-name a:hover { color: #999; text-decoration: none; font-size: 14px; font-weight: normal; }

Follow @mat

Is this Mat Honan?
@mat

Also my source at Apple confirmed issuing password reset based on name, last 4 of CC, address, and AppleID was “absolutely” Apple policy

 Reply  ·  Retweet  ·  Favorite
15 hours ago via web · powered by @socialditto

!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=”//platform.twitter.com/widgets.js”;fjs.parentNode.insertBefore(js,fjs);}}(document,”script”,”twitter-wjs”);

In a follow-up Wired piece, Honan (along with Nathan Olivarez-Giles) reports that Apple ordered its staff to “immediately stop processing AppleID password changes requested over the phone” for at least 24 hours. The piece also indicates that Amazon has closed a security hole of its own.

Not that this is much of a new revelation, but Honan’s tale has really illustrated just how delicate our online profiles really are, and more specifically, how our various online accounts are connected with one another to a fault.

If all of this can happen to a senior writer at a major tech publication like Wired, what makes you think it can’t happen to you?

If you receive an email that looks like it’s from Facebook and says that you’ve been tagged in a photo, you may want to scour it for abnormalities. That’s because the latest malware on the loose involves a common Facebook email notification.

“Greetings, One of Your Friends added a new photo with you to the album…,” says the email. “You are receiving this email because you’ve been listed as a close friend.”

No, no, and nope. It’s actually a malware delivery system, and clicking on the attachment will infect your PC with a Trojan. Sophos’ Naked Security blog first spotted the malicious email.

Here’s what the malicious email will look like. Note that it contains the blue Facebook header, and a button to click to see the photo in an attachment. One way you know that this is complete bullsh*t is that Facebook never sends you photos that you’ve been tagged in as attachments. Facebook sends you links to said photos on their site.

Sophos identified the malware as Troj/Agent-XNN, a zip file designed to let distributors grab control of your computer.

This is not the first time in the last couple of months that malware has targeted people by posing as a Facebook photo tag notification. Last month, another malicious email scam purported to bring word of a new photo tag, but instead contained links to sketchy websites.

Just be vigilant. That’s always the advice. If it looks suspicious, it probably is. Check for misspellings, improper grammar, and other oddities. If something tips you off, your best bet is to avoid clicking anything.

Comments

Cybercrime is perhaps the most devastating, yet most preventable, form of crime. Victims can have their lives utterly destroyed by a hacker. Those same victims often share a part in the blame because it could have been easily prevented by using some common sense and utilizing online security tools that are freely available to all.

Unfortunately, many of the rules that help protect people from cybercrime go out the window as soon as we bring social or mobile into the picture. Both areas are still largely unexplored with hackers creating new malware all the time. It’s hard to keep up with the ever evolving social and mobile scene, and it shows in Norton’s statistics.

Norton recently published their annual Cybercrime Report and the results are a little terrifying. It shows that hackers are getting smarter with how they use social or mobile to their advantage. It’s sometimes hard to differentiate a scam versus a legitimate request when on a mobile phone.

Of course, our first problem lies in something very simple. The study found that two-thirds of adults use a mobile device to browse the Internet. The same number of adults don’t have mobile security software installed on their device. It’s especially problematic when 31 percent of respondents claim to have received a text message from a stranger that contained a link. A mobile anti-virus would normally be able to scan the link before you clicked on it to make sure it was safe.

It gets scarier when it comes to the more personal nature of social networks. Four out of 10 people have reported being a victim of cybercrime while using a social network. Out of that, one of out of six users found that somebody hacked into their profile and posted as them.

That last statistic is by far the most frightening as attacks can now come from people you normally trust. You may see that your friend is linking to something like, “You won’t believe what this man did to save his dog.” It sounds like a good story and you’re more than willing to install the Facebook to read just a single story. Before you know it, you’re infected with malware that came about through a simple social engineering Facebook hack.

Once again, it’s important to remember the number one rule when dealing with potential malware - use common sense. Never allow a Facebook application to install anything on your browser unless it’s from a trusted source. Such applications could still be malware in disguise regardless of who sent it. Your best friend could have had their profile taken over by a reprehensible Internet bandit.

If anything, Norton’s study shows that we must always be vigilant. Norton is obviously wanting you to buy their anti-virus software, but most anti-viruses, even the free ones, do a pretty good job of keeping your PC secure. As for mobile and social attacks, use a mobile anti-virus app and stay vigilant.