Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Google Apple

Companies Advise Tighter Security After Honan Hack 99

In the wake of the hacking of Mat Honan's accounts, Google, Facebook, Amazon, and Apple are just a few of the companies making their security policies tougher, and they are advising people to do the same. From the article: "Even as those companies’ teams moved to patch the holes, others moved to offer security tips. Matt Cutts, head of Google’s Webspam team, used his personal Website to urge Gmail users to embrace two-factor authentication. 'Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked,' he wrote in the August 6 posting."
This discussion has been archived. No new comments can be posted.

Companies Advise Tighter Security After Honan Hack

Comments Filter:
  • by A beautiful mind ( 821714 ) on Monday August 13, 2012 @03:06PM (#40976937)
    In the name of security Google has been pestering for my phone number for years, while their motives are much less about my security and more about their business reasons.
    • Re: (Score:3, Funny)

      by Anonymous Coward

      God, this thing annoys the hell out of me.
      I need to write a userscript to auto-skip the page.

      I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
      TAKE THE HINT GOOGLE.

      I swear if this leads to more messages about this, I am just switching e-mail services.
      My password is longer than the brain cells of most people who use Gmail, it ain't getting brute forced any time soon.
      And I'm not someone stupid who runs fart.exe for funny fart noises.
      They should just have an option in t

      • by ThunderBird89 ( 1293256 ) <zalanmeggyesi@y a h oo.com> on Monday August 13, 2012 @03:18PM (#40977065)

        Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion.
        Seeing the contradiction?

        [First sentence is deliberately self-referential and obfuscated]

        • by jhoegl ( 638955 )
          Ironically people also use public forums to dispute their government, the very same government that gives them the freedom to do so.
          So... this isnt a new thing.
          • Yes, but not disputing the forum itself. In your analogy, I'd equate the internet with the forum, not with the government (after all, the internet is the means for dispute, not the subject), with internet fora being subsets.

          • by Teun ( 17872 )
            Duh, the government is me.

            Or at least a small part of it is till the next vote.

        • Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion. Seeing the contradiction?

          Should I be worried that you take a rant against Google as a rant against the Internet?

          • When will the web die? Will it be soon? Please tell me it will be soon!

            QED.

            • When will the web die? Will it be soon? Please tell me it will be soon!

              QED.

              So you take the last couple of words from a long rant against Google, and claim the whole thing to be against the internet, for which you have to equate "the web" with "the internet"? QED indeed.

              • As he goes on, he goes from anti-Google to griping against "insultingly simple websites", which make up an increasing percentage of the internet in his opinion (reading between the lines). At least that's the impression I get from the rant, hence taking it to be against the internet in general.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Mat, the guy who was "hacked", also had a great password and didn't run attachments. The hackers didn't even need to know his password to gain access to his accounts. He was more a victim of using guessable e-mail addresses to log into Apple, Amazon, Gmail, and Twitter. He also bought stuff on Apple and Amazon. If you've done those things, then you too can be a victim. It was more a hack of the "forgot password" pages. some social engineering of the support staff, and intimate knowledge of the identifi

        • forget it, he's rolling.
      • by kqs ( 1038910 )

        I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
        TAKE THE HINT GOOGLE.

        I swear if this leads to more messages about this, I am just switching e-mail services.
        My password is longer than the brain cells of most people who use Gmail, it ain't getting brute forced any time soon.

        You despise Google but use their email? You seem to be a very confused person...

        Why do you think the length of your password matters? Do you seriously think people are brute-forcing gmail passwords?

        Google wants phone numbers for exactly one reason: so that when, against all odds, the gmail account of a self-proclaimed genius is hacked, google can restore the account to their control. Otherwise, after posting screeds about the Evil Google trying to steal their phone number, this theoretical mental midget

        • No, the poster despises cellphones and will never have one. Google insistence on repeatedly asking for a cellphone number when none is forthcoming is the source of the rant. It annoyed me too but I haven't been prompted for a while now.

      • It annoys me every time i need to login, especially on my iDevice where i have to click no, reload, hit back and refuse again before it loads properly.

        I should set up a voip number similar to a certain luggage combo and enter that to click yes but i bet it would violate the TOS...

    • by patchmaster ( 463431 ) on Monday August 13, 2012 @03:14PM (#40977031) Journal

      Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      • Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

        I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

        haha phone call from Google. You wont get one. You will receive one from 3 letter agency reminding you about that anonymous post you made 15 years ago on some obscure board.

        • What part of ...

          I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

          didn't you understand?

      • by Hatta ( 162192 )

        I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

        The fact that a single "no" is not enough to get them to stop asking is evidence enough.

        • by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Monday August 13, 2012 @04:38PM (#40977875)

          I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

          The fact that a single "no" is not enough to get them to stop asking is evidence enough.

          Not to mention Google really tries to hide the "No" button. It just pops up as a box that says you need to enter your phone number. If you look down, the link to skip it is very tiny, enough to miss it. I'm willing ot bet most people don't even know there's an option to skip it.

          It also pops up randomly on you, and each time it seems the "No" link gets tinier and moved somewhere else.

          For Do No Evil, they certainly are applying all the usual marketing tricks to hide stuff like free downloads and such. If they really cared, it would be in normal font with text saying it's completely optional and you can bypass it by clicking the nice big link.

          • by Teun ( 17872 )
            Those that don't have a cell phone will find the button, those that prefer privacy don't use a google account.
        • by c++0xFF ( 1758032 ) on Monday August 13, 2012 @06:38PM (#40979021)

          It's in Google's and your own best interest to make your accounts as secure as possible. They get a black eye in the media every time there's a high-profile hacking of a Google account ... which in turn hits at their reputation for providing solid, secure services.

          Given that most users don't know what's best for them, I think it's completely reasonable for them to pester a little bit about a way to improve security.

          Now, that said ... there should be a way to turn the reminder off completely. Some people (me) simply can't use it.

      • I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

        The key thing to know is that phone based password recovery on Gmail has been used to hack accounts [cloudflare.com] and that that has been widely publicised. In other words, giving your phone number over is less secure than not giving it over. In this case, Google is either stupid for continuing something they should know doesn't work or is evil for lying about why they want your phone number.

        P.S. They have no intention on using the phone number to call you; Phone calls are much more expensive than the various other w

      • +1 to evidence based paranoia. Google IS my phone number, and whatever their faults, they don't call me and don't appear to share that number.

      • by Xest ( 935314 )

        This is the fundamental problem with anti-Google FUD, despite all the claims of "Google collects this", and "Google collects that", the claims that it's a privacy nightmare have yet to materialise. Google has a lot of information on me and has for over 10 years, but I've never ever seen it end up in the hands of other companies I'm not happy with or used in ways I was not expecting.

        Compare this to Facebook, Microsoft, Monster.com who have all also had data on me and have managed to pass it to companies I di

        • by pnutjam ( 523990 )
          I think facebook and linkedin somehow scrape information if you have your email authenticated in a different browser tab. I don't know how to test this, but I am suspicious.
      • by Nyder ( 754090 )

        Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

        I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

        What I find funny is I have a googe voice account, and I have a gmail account and oddly enough, they are both the same account, yet I still get Google asking for my phone number. Seriously google, you have all my phone numbers already. Not sure why you are so stupid about it though...

    • by vlm ( 69642 )

      I know for a fact you can use a GOOG voice number for two-factor. That's what I used. They technically advise against it, but allow it.
      Its just a backup for my authenticator app anyway. If I lose my phone, my paper password printout, access to my regular email, and everything else, then finally also lose or screw up my goog voice, then yes I'll be screwed.

    • by Daas ( 620469 ) on Monday August 13, 2012 @03:16PM (#40977045)

      You're OK with them storing every single one of your emails but not your phone number? I hope tinfoil hats are on sale these days.

      If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

      • by 6ULDV8 ( 226100 )

        If I'm spammed, opening another Gmail account is free. Changing my phone number costs $36.

      • by codegen ( 103601 )

        If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

        Myth #7 - The google authenticator app does not require your phone number and SMS messages.

        Fact - You cannot set up the authenticator app unless you ahve given your phone number to Google and first authenticated using SMS

        My cell phone number is known only to 10 of my friends and 2 companies (one of which is the provider). I have no intention of giving it to Google. Also, I only use gmail for personal non-financial/business mail. I have an email account that is protected by stronger privacy laws than exist i

        • by Anonymous Coward

          And how have you prevented your 10 friends from syncing their address books through any 3rd party software?

          On a more personal note, why do you have a cell phone to call only 10 people?

          • And how have you prevented your 10 friends from syncing their address books through any 3rd party software?

            He can't - that's why he doesn't want to give Google his phone number, so Google can't link his identifying phone number with the same phone number in his friend's synced phone directory.

  • One major problem with Google's two-factor authentication is that it requires mobile phone reception. There are many settings where mobile reception is not available. It would make more sense to SMS or print a one-time pad with enough numbers to last until the user decides to generate a new pad.

    • by zrbyte ( 1666979 )

      No it doesn't. You can use the Google authenticator app. [google.com]

      • by cvtan ( 752695 )
        You need a smart phone for that. You can print out a bunch of verification codes and stick them in your wallet. Cell reception is not reliable.
        • But the app doesn't require cell phone service to be usable. You just need the smartphone or tablet. (in reference to your last sentence).

          I do have a printout of one-time codes, but I find that I never use them anymore because I always just use the phone app, because it works as long as the phone has juice. Which you should have some available if you're using a computer to check your gmail...
        • by robmv ( 855035 ) on Monday August 13, 2012 @04:01PM (#40977523)

          Adding more info about the application, the client is OSS [google.com] so anyone can port it to Windows/Linux/Mac/Browser extension/you name it, there is nothing in Google solution that requires an smartphone nor data connection

    • It has an OTP you're required to save before completing the process (ten keys), and the mobile app doesn't require a data connection to my knowledge, after the initial pairing.

    • by kaiser423 ( 828989 ) on Monday August 13, 2012 @03:33PM (#40977237)
      Uh, they do have a one-time pad of pre-authenticated numbers, and an app that doesn't require an internet connection. I've authenticated form a 9200bps modem from the middle of the Pacific using my list of one-time security access codes.

      In other words, it's glorious. Google does security right, and everyone else needs to take notice. Including corporate IT departments. I've used it for years, and every now and then when I need a new account, I go and get an outlook.com account or similar, because all the regular names are taken in gmail, but I always feel so naked using them. No security at all.
    • by robmv ( 855035 )

      As others has said, there is no need for data connection, the common problem user experience with Google application (that implements the OATH standard) is that it requires a little of time synchronization, if your phone date and time is too far from the real one, the generated code will not work. Google application request the Internet connection permission in order to query the time from Google servers and store the offset with your phone time, in case it your phone time is wrong. It connect sometimes to

  • by Anonymous Coward

    Strong long password is all I need for a free email service.

    Why would I want to give my mobile number to google with their track record on privacy etc...

    This smells the same as the 'iPhone is uncrackable' story.

  • You took one for the team.

  • by the_B0fh ( 208483 ) on Monday August 13, 2012 @03:37PM (#40977289) Homepage

    Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me? Any computer I use to check gmail is fully under my control.

    1) no man-in-the-middle sniffing
    2) no key logger sniffing
    3) assuming no one steals the password file from Google
    4) my gmail password is not used elsewhere.

    • Re: (Score:3, Insightful)

      by kaiser423 ( 828989 )

      Any computer I use to check gmail is fully under my control.

      Lucky you. That's not the case for most of us.

      • I do realize that :) Not too many people can have a computer or phone that is fully under their control, especially if it's work provided. But all mine are installed from media (openbsd, debian, osx, and even windows).

        I would be screwed if something like On Trusting Trust happens, but then they could just man-in-the-middle the transactions anyway.

    • Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me?

      You are perhaps not the best target for 2-factor as your secondary (or tertiary) security measures given the fact that you already use 3 different security practices when accessing email: SSL, own computer, un-shared password. You probably also have a robust password. A lot of, if not most, people use only one, weak level: a six to eight character password shared across multiple sites. Two-factor will help them. (Of course, they should also use a unique, harder to crack password, but turning on 2-factor

      • #1 - not willing to give out my phone number to google.
        #2 - if you only set it up once, that may not be the 2 factor you think you have...

        • #2 true, but then that goes for your "trusted computer" scenario. If you assume your computer is under your full control (the assumption I make for my desktop and laptop) then you don't "need" 2-factor. What the 2-factor prevents is someone stealing your password and logging in from their computer. If they steal your laptop or desktop (i.e. you lose the physical security layer), then your in trouble anyway.

          • I'm referring to your previous comment that 2 factor authentication only needs to be set up once. If that's the case, it is *NOT* 2 factor authentication.

            Someone stealing my laptop won't get my info because I have full disk encryption, so unless they can break my password...

            • I'm referring to your previous comment that 2 factor authentication only needs to be set up once. If that's the case, it is *NOT* 2 factor authentication.

              Well, you are semantically correct. When Google's 2-factor is turned on, anytime you log on to the account from an untrusted* computer, you must enter the 2nd factor authentication code. To be 100% 2 factor authentication you would want to force the entry of the second factor for *every* single login, but you also want to balance security and convenience based on your personal risk management algorithm. Just as it makes sense for you to not use 2-factor authentication because you always log in from a com

    • Assuming no one can hack SSL

      The bad guys don't have to hack SSL. They only have to hack a certificate authority.

      (IIRC, this is how the Chinese government broke into the Gmail accounts of various dissidents/activists.)

      • And I only use Chrome, which pins the certs, for gmail :)

        Well, I do use mail.app on the iphone... hmm... must go find out more about that.

    • "Any computer I use to check gmail is fully under my control."

      That's not really webmail then, is it? Most products are more secure when you don't use them.

      • What in the world are you talking about? I understand the individual words, but there appears not to be any sense to the way you're putting them together.

        • My point is that the obvious advantages of "web-based" email isn't really being delivered if you have to limit it to specific hardware in order to securely use it. Two factor lets you use webmail to it's potential (ie hardware agnostic) with some of the security assurances that hardware-specific solutions (like yours) can achieve.

          In general, I think security systems that require users to act against the implied promises of the UI are crappy systems, so I'm glad to see two factor auth - a partial solutions t

          • I do not authenticate to any services on anything I don't control.

            If you do, more power to you, but the same malware that can keylog your session can also insert itself into your data stream, whether there's SSL or not. So I don't understand what are the advantages of logging in on any computer you do not control.

      • by dkf ( 304284 )

        "Any computer I use to check gmail is fully under my control."

        That's not really webmail then, is it? Most products are more secure when you don't use them.

        You're claiming it's only webmail if you access it from a dodgy webcafe in Vietnam? That's... a strange position to take.

        OK, I've done a slight exaggeration of your position there, but really there's nothing about webmail that says you have to authenticate to it with a non-crypto identity (though particular services might not be so cautious) and from a device that you don't control utterly. Client devices are pretty cheap now, and common too, so you won't look strange for carrying yours around with you. You

  • The only problem I have with two factor authentication for Gmail is if I lose my phone how to I access my email? I don't want to be locked out of my email, ever.

    • by lpq ( 583377 )

      The only problem I have with this is -- what if you don't have a mobile phone?

  • by Chemisor ( 97276 ) on Monday August 13, 2012 @04:05PM (#40977569)

    2 factor authentication is unacceptable for anything that's frequently used. If you log in to your online banking account once a month, it's ok to jump through a few extra hoops for security. But for something you do every day, or several times a day like email, any extra barriers are unacceptable. I don't even want to enter my password more than once a day, why would I go through the incredible hassle of 2 factor authentication?

    • by Ant2 ( 252143 )

      I am guessing you have not tried Google's 2-factor authentication?
      I enabled it last week. I had to create a few application-specific pass codes and add a couple machine as trusted. Done. Not bothered since.

      • by dgatwood ( 11270 )

        I am guessing you have not tried Google's 2-factor authentication? I enabled it last week. I had to create a few application-specific pass codes and add a couple machine as trusted. Done. Not bothered since.

        That's because most of the time, Google's two-factor authentication isn't real two-factor authentication. It requires something you know, plus something you know. A stored cookie in a browser is just a shared secret (something you know), as is a password. Therefore, it is not true two-factor authentic

        • by alcourt ( 198386 )

          I've used real multi-factor auth in the form of SecurID. It isn't cumbersome. Doing it right doesn't have to be a PITA. If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

          Currently, I use the mobile SecurID app because my work phone I can treat like my physical factor. The fact that I can't copy that to another phone and have it "just work" suggests that it was done right here. (I'm not on the SecurID support

          • by dgatwood ( 11270 )

            Cumbersome is relative. Hardware tokens cumbersome so long as you only have one of them on your keychain. If every site used it, you'd need a chiropractor pretty quickly, not to mention stronger pants pockets. And if you switch to a model of central authentication, now you have one site that can be compromised and trivially turn hundreds or thousands of sites' security into a four-digit PIN, while simultaneously rendering hundreds of millions of dollars worth of hardware tokens useless until the users m

            • by dgatwood ( 11270 )

              Ouch. Somehow, I lost a word from that second sentence. I meant to say "Hardware tokens aren't cumbersome...".

            • by alcourt ( 198386 )

              The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case. As I understand, the software somehow binds itself to some kind of machine identifier on installation, and that is used in device setup, making migration difficult if not impossible. Maybe it is using a hostID to modify the generated number. Not necessarily impossible to fake,

              • by dgatwood ( 11270 )

                The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case.

                Not really. Typically, systems based on those sorts of devices use a four-digit PIN. Wanna guess how many seconds it takes to crack a four-digit PIN? Besides, chances are, the user will end up logging in to some of those systems from the phone, at which point you have the PIN, to

                • by alcourt ( 198386 )

                  Even RSA admits no one should use a 4 digit PIN. The reason the PIN is acceptable in length is the only way to test a PIN is valid or not is to use it with the code to enter a passcode on an authentication site. If you are allowing over a thousand bad guesses, you're doing something else wrong. The PIN is used to modify the 8 digit token displayed on the screen and then that result is what is entered. Hardware tokens still have you enter PIN and token manually in some cases (not all hardware tokens work

                  • by dgatwood ( 11270 )

                    Always keep your threat model in mind. Are you trying to protect against selected 3-6 letter government agencies with datacenters full of true supercomputers? Or are you trying to protect against a lesser threat?

                    These days, the non-government attacker isn't a lesser threat. They have armies of captured Winzombies in a botnet at their disposal.

                    You do make them authenticate over an encrypted channel, right? Yes, someone might compromise the device with the software token, but that in theory should be hard.

                    Y

          • by kqs ( 1038910 )

            If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

            Yeah, they could call it something like Google Authenticator. Like any local app or hardware token it's really something you know (the seed in the app), but it is hard enough to get the seed that it is effectively something you have.

            • by alcourt ( 198386 )

              Every factor could theoretically be reduced to something you "know", except it isn't something you know, because you can't key it in manually. Even a hardware token is really "something you know" in the strictest sense, the seed. But that's not what is generally meant by security folks when they speak of multi-factor.

              The Google authenticator app last I saw only worked on android devices. Not everyone has a fancy cell phone. Some of us make do with a regular computer or laptop.

              I think Google is trying to

    • by dgatwood ( 11270 )

      What you're really pointing out here is the need for diferent tiers of authorization. Without any unlock, I would like to be able to:

      • Call numbers from my preferred phone number list (including hands-free use)
      • Run the music player app
      • Use the maps application
      • Use the web browser.

      I would like to be prompted for my unlock password when:

      • I try to access notes, my calendar, or my mail.
      • I try to change any settings.
      • I try to do anything that could potentially cost me money.
      • I navigate to a web page for whic
  • Many more people have gone through what Mat Honan has or even worse, yet nothing was done before. I find that strange.
  • It seems that one can find out all google accounts associated to a recovery address by simply selecting "I don't know my username" in the google recovery menu. If the hacker would have known/used this, he could have had access to even more of Mr. Honan's stuff, provided he had more than one gmail accounts which used the same recovery address (and by the looks of it, I'm sure he would have daisy-chained that too). Google is happy to deliver the associated accounts to the recovery address, with no obfuscatio
    • by lpq ( 583377 )

      How would you suggest recovering an email registered account without sending an email with a new tmp password?

      You can't presume the user has anything other than the computer (or a computer) and email that they originally registered with...

      Isn't google's idea of two factor authentication sending SMS messages to a phone?

      AFAIK, landline phones don't have SMS and I certainly wouldn't want to pay extra for it -- HOWEVER, I know that gvoice will call your number and ask you to key in a number when you sign up, so

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...