Hacked Knightmare

A few years ago, Sarah Rees Brennan, fantasy author and charming blogger, had her blog and email hacked the day before her first novel was due to be published:

I was very lucky. My friends all leaped into action like an army of trained tech ninjas. As such, I have decided to give them titles. Eimear the Bold, Charlotte the Gentle, Chiara the Resourceful and Bob the Extremely Tall told me exactly what to do, and soon recaptured my email and my livejournal for me.

At that point I discovered that all my emails and contacts had been deleted, along with the seven years’ worth of posts and comments on my livejournal. Not only that, but given timing and other details that I (tech savvy of a lizard!) do not understand, it looks likely that this was malicious.

I have absolutely no idea why anyone would want to hurt me like this. (Why people might want to thump me in the back of the head for laughing like a hyena during a movie, well, that’s less of a mystery.) I feel crushed, dismayed and a little tottery on my feet still, but can only resolve to be brave like my ninja friends.

Some people may have wondered whether this was a joke or some strange flight of fancy of mine: let me be very clear. I love this livejournal, and respect and value those who read it, far too much to dream of ever doing such a thing. I don’t make jokes like this.

2,267,233,742 people use the Internet: 32.7% of the world population. Given the numbers, it should surprise no one that though most people are not malicious assholes, some people on the Internet suck.

On 29th July, Santiago Zabala, the ICREA Research Professor of Philosophy at the University of Barcelona, mused on the New Statesman blog:

Today if you are not often wired, you do not exist. Like radio and television in other times, the internet has become not only an indispensable tool but also a vital component of our life. It has become so useful, significant, and meaningful for a variety of administrative, cultural, and political reasons that a life without it seems unimaginable in the twenty-first century. But the ownership of this interactive life is troubled: when you start seeing interesting advertising on your Gmail banner, personalised ads aimed just at you, your existence has begun to belong to others.

It’s not even been 22 years since Tim Berners-Lee gave the World Wide Web to all of us as the best Christmas present ever.

Yet what has changed our lives more in such a short space of time? The World Wide Web, and the subsequent inventions depending on it, made it possible to get online – to get wired – without having any technical knowledge at all. You don’t have to understand TCP/IP or HTTP to be able to write a blog, send an email, book a holiday, post a photograph. You can of course: I am hand-coding the HTML markup for the text of this page, but that’s just because I’m old enough to remember DOS and I do find it easier to type in codes for emphasis and links and images than to stop and press a button.

A few years ago, when showing a friend how to use her laptop, I noted that one of her neighbours had a wifi network with a signal strength good enough for her to piggyback on it, and reminded her that she would need to set up a secure password for her wifi network when she got hers set up. “For example,” I said, “don’t pick one of the easily guessed passwords, like FRED?” I typed it in.

Her neighbour’s wifi network verified that this was the correct password, and we both looked at each other in mutual horror and amusement. I logged her out, and the password she picked for her wifi network is so complicated she has to have it written down or she wouldn’t remember it. (I didn’t recommend that, either, but the FRED? moment scared her.)

XKCD: Password strength
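The comic’s argument, and the FRED? story above it, come down to counting guesses. The following is an added example, not part of the original post, that estimates password strength the way a defender would when setting a password policy: the naive character-set entropy, the much smaller entropy of a “word plus symbol” pattern, and a passphrase made of random dictionary words. The sample passwords, the 2048-word dictionary size, the 1,000-name list size and the 1,000 guesses per second rate are all assumptions chosen for this example.

```python
import math

# Constructed sample inputs for this example (not from the post).
NEIGHBOUR_PASSWORD = "FRED?"                       # a name plus one symbol
PASSPHRASE = ["correct", "horse", "battery", "staple"]  # four random dictionary words

# Assumed size of the printable-ASCII symbol set (non-alphanumeric characters).
SYMBOLS = 33


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password.

    This is the optimistic, per-character view: it assumes every position was
    chosen uniformly from the whole set, which real human passwords never are.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def naive_entropy_bits(password: str) -> float:
    """Upper bound: log2 of the number of strings of this length and charset."""
    return len(password) * math.log2(charset_size(password))


def pattern_entropy_bits(name_list_size: int = 1000, trailing_symbols: int = SYMBOLS) -> float:
    """Realistic bound for a 'name + one symbol' password such as FRED?.

    An attacker who tries every name in a list followed by one symbol only has
    name_list_size * trailing_symbols candidates to cover. The list size is an
    assumption for this example.
    """
    return math.log2(name_list_size * trailing_symbols)


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 2048) -> float:
    """Entropy of word_count words chosen uniformly from dictionary_size words.

    2048 words gives 11 bits per word; four words give 44 bits, the figure the
    comic quotes for its passphrase (dictionary size is an assumption here).
    """
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years needed to try every candidate at a fixed online guessing rate.

    1000 guesses/second is the throttled online-attack rate the comic assumes;
    an offline attack against a leaked hash is many orders of magnitude faster.
    """
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def strength_report(password: str, passphrase_words: list) -> dict:
    """Compare the sample password with the sample passphrase; returns the numbers."""
    return {
        "naive_bits": naive_entropy_bits(password),
        "pattern_bits": pattern_entropy_bits(),
        "passphrase_bits": passphrase_entropy_bits(len(passphrase_words)),
        "passphrase_years_online": years_to_exhaust(passphrase_entropy_bits(len(passphrase_words))),
    }


if __name__ == "__main__":
    report = strength_report(NEIGHBOUR_PASSWORD, PASSPHRASE)
    print(f"{NEIGHBOUR_PASSWORD!r}: {report['naive_bits']:.1f} bits if random, "
          f"about {report['pattern_bits']:.1f} bits as a name+symbol pattern")
    print(f"{' '.join(PASSPHRASE)!r}: {report['passphrase_bits']:.1f} bits, "
          f"about {report['passphrase_years_online']:.0f} years at 1000 guesses/s")
```

The point the numbers make is the one the comic makes: a short password looks respectable when you count characters, collapses to a few thousand guesses once an attacker assumes the pattern humans actually use, and a handful of random words beats both while still being something a person can remember without writing it down.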

Most computer errors are the result of simple human stupidity. I opened up the Yahoo page once on a public computer in a supermarket and found that the person who’d used the computer before me had left himself logged into Yahoo.

(Yes, I sent him an email from his own email account pointing out what he’d done. Yes, I then logged out without reading any of his emails. Yes, I felt slightly guilty for my smugness when I discovered that the supermarket computer had its screensaver set up to make it appear that you had logged out of everything whether you actually had or not.)

There’s a famous instance of Big Scottish Bank miscoding a mass-mailed letter to customers who had more than fifty thousand in their accounts, so that all the recipients got a letter which was addressed not to “Dear Mr/Ms Surname” but “Dear Mr/Ms {{Rich Bastard}}”. (I cannot verify that bit of geeky gossip, so I merely repeat it.)

On 1st August, Knight Capital lost $440m on NASDAQ between 9.30am and 10.15am New York time, when an automated trading system sent out hundreds of orders to buy and sell without regard to value, which in turn caused extraordinary swings in the share prices of almost 150 companies and left Knight Capital with a loss of three times its annual profit. Those 45 minutes probably killed Knight Capital, though it was “rescued” by predatory investors.

Nanex research suggests that the probable cause was test software for Knight Capital’s market research software being released into the live NYSE system:

Because the Tester indiscriminately buys at the ask and sells at the bid, and because the bid/ask spreads are very wide during the open, we now understand why many stocks moved violently at that time. The Tester was simply hitting the bid or offer, and the side it hit first, determined whether the stock opened sharply up or down.

Since the Tester doesn’t think it’s dealing with real dollars, it doesn’t have to keep track of its net position. Its job is to send buy and sell orders in test pattern waves. This explains why Knight didn’t know right away that it was losing a lot of money. They didn’t even know the Tester was running. When they realized they had a problem, the first likely suspect would be the new market making software. We think the two periods of time when there was a sudden drop in trading (9:48 and 9:52) are when they restarted the system. Once it came back, the Tester, being part of the package, fired up too and proceeded to continue testing. Finally, just moments before an economic news release at 10am, someone found and killed the Tester.

We can fully appreciate the nightmare their team must have experienced that morning.

That, like the Big Scottish Bank letters, was a classic example of corporate / human error. That is a lot less scary than what happened to Mat Honan, senior reporter at Gizmodo, on 4th August.

I asked him why. [Wired] Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.

“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me via Twitter Direct Message.

As Alex Hern wrote yesterday:

In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and twitter, but phone calls, and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan’s iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What’s particularly scary about Honan’s situation is that, in a number of ways, he followed best-practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything.

Mat Honan described what happened as being “Hacked. Hard” but quite literally, he was unwired:

I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed.

I went to connect it to my computer and restore from that backup—which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four digit pin.

I didn’t have a four digit pin.

By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn’t turn on my computer, my iPad, or iPhone.

I used my wife’s iPhone to call Apple tech support. While on hold, I grabbed her laptop and tried to log into gmail. My password had changed. I couldn’t reset it either because the backup went to iCloud, where my password had also changed.

I checked Twitter, and saw someone had just sent a tweet from that account. I tried to log into Gmail again, and now it told me that my Google account had been deleted. The way to restore it was to send a text message to my phone which I didn’t (and still do not) have access to.

A similar thing happened to MyBB earlier this year, apparently through a similar breach in Apple security:

There are still a few missing pieces, but at this stage we have a pretty clear understanding of what happened. Contrary to what has been posted elsewhere, we do not believe social engineering was the culprit, although the hackers did try unsuccessfully to gain access to several of our accounts via this method.

The main incident that led to the breach was a compromise of Chris’ personal Apple ID (iCloud, etc) account. From there, the hackers were able to reset passwords to our hosting and domain accounts. It’s still not clear how they got access to this account, however they also had numerous personal details about Chris, including contact details and knowledge of at least the last four numbers of his primary credit card.

The Internet has made it possible for people without much power, money, or leverage, to communicate with more people, faster, and in more ways, than anyone but science-fiction fans would have thought possible back in the 1980s. You now have to have all sorts of different ways of locking your door (Alex Hern describes some in his post). But one thing remains the same, as one of the first commenters to Mat Honan’s tumblr said:

People suck sometimes. I’m so sorry this happened to you.

Filed under Unanswerable Questions