Apple, iCloud, and Gmail’s cloud security lesson

Honan's narrative really puts it best, so if you’ve not yet done so, I encourage you to read it from the source. But the gist of how it happened is that Amazon's support desk was tricked into giving up the last four digits of his credit card, and that was used to hoodwink Apple into resetting his iCloud account.

Honan admits to many regrets and lessons learned. But apart from learning to never, ever, rely completely on cloud backup ever again (Honan hadn't backed up his files locally), he discovered something surprising about Apple's security practices: The company can't stop a malicious hacker once he's broken into your iCloud account.

While running through his list of regrets, Honan wrote: "Mostly, I shouldn’t have used Find My Mac." Find My Mac is a feature built into OS X 10.7 Lion that lets users remotely locate and wipe their laptops, just like Find My iPhone. But while Find My iPhone is practical, since phones are easily lost, Find My Mac was poorly implemented.

Honan noted: "When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe – someone who gained access to your iCloud account through malicious means – there’s no way for you to enter that PIN."

As soon as I read that, I felt a sense of déjà vu...

Back in June, cloud start-up CloudFlare found its Google Enterprise Apps account hacked (or jacked, as Honan's attackers Vv3 prefer to call it) with some simple social engineering.

The guilty parties were different, but the methods were similar: In CloudFlare's case, the attackers bypassed two-factor authentication in Google's enterprise app account by hacking into a secondary email address with information provided by AT&T, and resetting its password.

The irony here is that in both cases, two security features – two-factor authentication and remote wipe – involved weak account recovery practices, and wound up being used against the victims.

How Google responded

But unlike Apple, Google disclosed the problem publicly and fixed the loophole right away. CloudFlare CEO Matthew Prince learned how the attackers bypassed Google's two-factor authentication:

"If an administrator account that was configured to send password reset instructions to a registered secondary email address was successfully recovered, 2-step verification would have been disabled in the process," a Google spokesperson told reporters. "This could have led to abuse if their secondary email account was compromised through some other means. We resolved the issue last week to prevent further abuse."

"Cloud" isn't the problem, it's policy. Gmail learned from its mistake (and we're scratching our heads trying to think of another consumer cloud that uses two-factor authentication); it's high time for others to follow suit.

Fallen Hero Pwnie?

Tangentially related, I think Honan deserves an honorary Pwnie award next year. The comments to his Tumblr blog posts are among the nastiest I've ever seen. Yes Honan journalist made lots of silly, humiliating security mistakes – which almost cost a year's worth of photos of his young daughter – but now all of us are reaping the benefits of learning from these mistakes.