Berkeley CSUA MOTD:Entry 54455

2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address."

        "Next you call back, and tell Amazon that you’ve lost access to your
         account. Upon providing a name, billing address, and the new credit
         card number you gave the company on the prior call, Amazon will
         allow you to add a new e-mail address to the account."

You may also be interested in these entries...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        http://mashable.com/2013/09/15/severed-finger-iphone-5s
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
	...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicians now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/9/24-11/7 [Computer/SW/Languages, Computer/SW/Unix] UID:54484 Activity:nil
9/24    How come changing my shell using ldapmodify (chsh doesn't work) doesn't
        work either? ldapsearch and getent show the new shell but I still get
        the old shell on login.
        \_ Scratch that, it magically took my new shell now. WTF?
           \_ probably nscd(8)
	...
2012/7/13-8/19 [Computer/Companies/Yahoo, Computer/SW/Security] UID:54436 Activity:nil
7/13    Why would Yahoo store passwords unencrypted?  I recall that even 20+
        years ago the passwords stored in /etc/passwd on instructional
        machines here at Cal were one-way encrypted.  (I think those were
        Ultrix machines.)
        \_ Doesn't this say anything already?
           http://finance.yahoo.com/echarts?s=YHOO+Interactive#symbol=yhoo;range=5y
	...
Cache (8192 bytes)
www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
Illustration: Ross Patton/Wired

In the space of one hour, my entire digital life was destroyed. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location. Those security lapses are my fault, and I deeply, deeply regret them. But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Moreover, if your computers aren't already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms -- which can be cracked, reset, and socially engineered -- no longer suffice in the era of cloud computing. I was playing with my daughter when my iPhone suddenly powered down. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn't accepted. I went to connect the iPhone to my computer and restore from that backup -- which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN. For the first time it occurred to me that I was being hacked. Unsure of exactly what was happening, I unplugged my router and cable modem, turned off the Mac Mini we use as an entertainment center, grabbed my wife's phone, and called AppleCare, the company's tech support service, and spoke with a rep for the next hour and a half. It wasn't the first call they had had that day about my account. In fact, I later found out that a call had been placed just a little more than a half an hour before my own. But the Apple rep didn't bother to tell me about the first call concerning my account, despite the 90 minutes I spent on the phone with tech support. Nor would Apple tech support ever tell me about the first call voluntarily -- it only shared this information after I asked about it. And I only knew about the first call because a hacker told me he had made the call himself. At 4:33 pm, according to Apple's tech support records, someone called AppleCare claiming to be me. 
It did this despite the caller's inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover. At 4:50 pm, a password reset confirmation arrived in my inbox. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password. Two minutes later, another e-mail arrived notifying me that my Google account password had changed. At 5:00 they used iCloud's "Find My" tool to remotely wipe my iPhone. posted a message to my account on Twitter taking credit for the hack. By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don't and never will understand, those deletions were just collateral damage. My MacBook data -- including those irreplaceable pictures of my family, of my child's first year and relatives who have now passed from this life -- weren't the target. Nor were the eight years of messages in my Gmail account. My MacBook data was torched simply to prevent me from getting back in. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn't answer the security questions it had on file for me. Because of that, I couldn't answer my security questions. Me account: a billing address and the last four digits of my credit card. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud. Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. 
During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said. We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected." On Monday, Wired tried to verify the hackers' access technique by performing it on a different account. This means, ultimately, all you need in addition to someone's e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. By exploiting the customer service procedures employed by Apple and Amazon, hackers were able to get into iCloud and take over all of Mat Honan's digital devices -- and data. On the night of the hack, I tried to make sense of the ruin that was my digital life. I decided to set up a new Twitter account until my old one could be restored, just to let people know what was happening. I logged into Tumblr and posted an account of how I thought the takedown occurred. At this point, I was assuming that my seven-digit alphanumeric AppleID password had been hacked by brute force. and, oh, the comments) others guessed that hackers had used some sort of keystroke logger. At the end of the post, I linked to my new Twitter account. We started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. 
Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down. I agreed not to press charges, and in return he laid out exactly how the hack worked. But first, he wanted to clear something up: "didnt guess ur password or use bruteforce. No, Phobia said they hadn't even been aware that my account was linked to Gizmodo's, that the Gizmodo linkage was just gravy. He said the hack was sim...