Apple, Amazon Security Fails: Time For Change
No Easy Answers
(Page 2 of 2)
compromised the AppleID of Ireland's top cybercrime investigator. Because the cop was also forwarding his work emails to a Gmail account that he'd set his iPhone to check, O'Cearrbhail was able to eavesdrop on a conference call between the FBI and overseas law enforcement agencies.
Unfortunately, when it comes to securing people's increasingly connected online lifestyles, there aren't any easy answers. "People want to leverage technology to make their lives easier, so they link all of these accounts together, and by doing so, they put themselves at risk," says Space Rogue. "Is it the fault of the technology companies for allowing people to do this, or people's fault? This is something that society is going to have to deal with as we move forward."
Thankfully, Honan's cautionary tale--and excellent analysis of how his life was hacked, made possible by Phobia telling all, in return for a guarantee that Honan wouldn't prosecute him--has now put this question front and center.
But should you suffer a similar fate, don't expect the white-gloves treatment afforded Honan, which has included Apple working to restore the files that were remotely deleted from his hard drive. "The victim here is a popular technology journalist, so he got a level of tech support that's not available to most of us," said Bruce Schneier, chief security technology officer of BT, in a blog post. "I believe this will increasingly become a problem, and that cloud providers will need better and more automated solutions."
What might these improved security solutions look like? As noted, Apple and Amazon can start by at least offering two-factor authentication. Given that both companies earn big bucks from running smartphone app stores and have those distribution channels, creating a two-factor smartphone app would be a natural next step. Or they could just use Google's smartphone app.
Meanwhile, people who call customer service to reset a password but who--like Phobia when he contacted Apple--lack the answers to the security questions already on file should be made to jump through hoops. For example, after allowing a user to request a password reset by phone, why not "make the person call back the next day," says Tumblr co-founder Marco Arment. "If you forget your password and the answers to your security questions, it's not unreasonable to expect a bit of inconvenience." Especially if you don't want to see your digital life compromised by a social-engineering-savvy attacker.
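As an added illustration of Arment's suggestion, and not code from the article or from any vendor, here is a small Python model of a phone-support reset desk that enforces a 24-hour waiting period; the account names and timestamps are constructed, and the notification to addresses already on file is an assumption about how the legitimate owner would get a chance to object.

```python
COOLING_OFF_SECONDS = 24 * 60 * 60  # "call back the next day"


class ResetDesk:
    """Lets a caller who fails the security questions *start* a reset, but
    refuses to *finish* it until the waiting period has passed."""

    def __init__(self):
        self.pending = {}        # account -> Unix time of the first phone call
        self.notifications = []  # stand-in for email/SMS to addresses on file

    def request_reset(self, account, now):
        if account in self.pending:
            return "already pending"   # a second call does not restart the clock
        self.pending[account] = now
        # Assumed step: alert every contact address already on file, so the
        # real owner has the whole waiting period to object.
        self.notifications.append(f"{account}: reset requested at t={now}; reply to cancel")
        return "pending"

    def cancel_reset(self, account):
        # The owner, warned by the notification, kills the request outright.
        return self.pending.pop(account, None) is not None

    def complete_reset(self, account, now):
        if account not in self.pending:
            return "denied: no active request"
        ready_at = self.pending[account] + COOLING_OFF_SECONDS
        if now < ready_at:
            return f"denied: call back after t={ready_at}"
        del self.pending[account]
        return "allowed"


def run_scenario():
    """Constructed walk-through: a same-day second call is refused, a call a
    day later succeeds, and a request the owner cancelled stays dead."""
    desk, t0 = ResetDesk(), 1_344_000_000
    out = [desk.request_reset("victim@example.com", t0),
           desk.complete_reset("victim@example.com", t0 + 600),
           desk.complete_reset("victim@example.com", t0 + COOLING_OFF_SECONDS + 60)]
    desk.request_reset("owner@example.com", t0)
    desk.cancel_reset("owner@example.com")
    out.append(desk.complete_reset("owner@example.com", t0 + 2 * COOLING_OFF_SECONDS))
    return out
```

The clock is passed in rather than read from the system so the policy can be tested deterministically; a real desk would also log each call for later review.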