What were the critical system design and operational flaws that allowed hackers to gain control over Mat Honan's accounts? What lessons should we learn from this about designing secure systems?
There are several reasons the attack succeeded so cleanly. The main reason the hackers were able to reach all of Mat Honan's accounts is that his accounts were interconnected: they were daisy-chained together. Getting into Amazon let the hackers get into his Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had Mat Honan used two-factor authentication for his Google account, it is possible that none of this would have happened, but that verification was not turned on. The second reason is that a lack of security awareness and precautions made it easy for the hackers to get into the system and wreck it.
The third and most important reason is that the tech support staff at Apple and Amazon made the hackers' work easy: they granted access even though the security questions were answered incorrectly, because the callers could give an address and phone number, and that was enough to get in.
On top of all this, his data was not backed up:
"Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s "
One should set up strong access controls, and tech support should require multiple independent forms of verification before granting access to an account.
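The daisy-chain above can be checked mechanically. The following is an added illustration, not code from the original post: a small fixed-point model of account recovery in which account names, the recovery rules and the "exposed facts" are constructed to mirror the chain the post describes (Amazon -> Apple ID -> Gmail -> Twitter), not any vendor's actual policy. It shows how the whole chain falls from two publicly discoverable facts, and how enabling two-factor authentication on the Gmail account cuts the cascade.

```python
# Added illustration, not code from the original post: a tiny model of how
# daisy-chained account recovery lets one takeover cascade into others.
# Account names, recovery rules and exposed facts are constructed to mirror
# the chain the post describes, not any vendor's real policy.

# What an attacker must already hold to reset each account. Each inner set is
# one sufficient path (e.g. what a support agent accepted as proof).
RECOVERY_PATHS = {
    "amazon":   [{"email_address", "billing_address"}],  # phone support
    "apple_id": [{"billing_address", "card_last4"}],     # phone support
    "gmail":    [{"apple_id"}],                          # recovery email
    "twitter":  [{"gmail"}],                             # recovery email
}

# Facts a successful takeover exposes, which fuel the next step.
EXPOSED_BY = {
    "amazon": {"card_last4"},   # last four digits of cards on file
}


def cascade(known, paths=RECOVERY_PATHS, mfa=frozenset()):
    """Return the accounts reachable from the attacker's starting knowledge.

    `known`: facts or accounts the attacker already holds.
    `mfa`: accounts whose reset additionally needs a second factor the
    attacker lacks, so recovery through these paths alone fails.
    Iterates to a fixed point because each takeover may unlock further ones.
    """
    have = set(known)
    progress = True
    while progress:
        progress = False
        for account, options in paths.items():
            if account in have or account in mfa:
                continue
            if any(option <= have for option in options):
                have.add(account)
                have |= EXPOSED_BY.get(account, set())
                progress = True
    return {item for item in have if item in paths}


if __name__ == "__main__":
    start = {"email_address", "billing_address"}  # publicly discoverable
    print(sorted(cascade(start)))                  # the full chain falls
    print(sorted(cascade(start, mfa={"gmail"})))   # stops after apple_id
```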
Why do Whitten and Tygar think that end-user email encryption software is so difficult to use? What is their suggestion for a better design strategy?
It is pretty clear that in the real world, public-key encryption is practically never used to encrypt actual messages. The reason is that it requires so much computation—even on computers, public-key is very slow. According to a widely cited estimate by Schneier, public-key crypto is about a thousand times slower than conventional cryptography. As a result, public-key cryptography is more often used as a solution to the key-management problem rather than as direct cryptography. People employ public-key to distribute regular, symmetric keys, which are then used to encrypt and decrypt actual messages. In other words, Alice and Bob send each other their public keys.
"To investigate further, we looked to existing software to find a program that was representative of the best current user interface design for security, an exemplar of general user interface design as applied to security software."
"This, along with much of the detail from our evaluation results, supports our hypothesis that security-specific user interface design principles and techniques are needed."