How Bad Actors Find the Keys to your Credentials

Watch CEO Bart McDonough explain the shared security model, how easy it is for bad actors to access your credentials, and what it means to “leave the keys on the hood of your car.” To protect your assets from hackers, make sure your end users know how to stop and evade an attack. Agio’s Cybersecurity Awareness Training can help.

Transcription:

How did the iCloud hack happen?

The bad actor simply went to the Apple site. He found their email addresses online, typed in their emails, and hit “Reset Password”. At the time on iCloud, you could reset your password one of two ways. It would either email you a password reset, or you could answer some security questions. He chose the latter. According to his own testimony, he found all of the answers to those questions on one website. Anyone know what that would be? You can’t say Google. I consider that cheating. All of the answers: first car, favorite color, dog name, etc.; he found through Wikipedia. So he answered the questions, logged in, and changed the password. He found the photos and shared them.

This is what I mean by a shared security model. Apple, Google, all of the tech companies, say “I’m going to protect the backend, the vault, but I’m going to give you keys”. We call those credentials. It’s a form of your username and password on those websites. Your credentials give you access, but when there’s a data breach, the company is blamed. We don’t take our credentials very seriously. It would be like if you go to the Ford dealership, pick up a car, and drive to the local sports game. You leave your car in the parking lot, take your key, put it on the hood, and you walk into the game. You walk out of the game, and there’s no car. And you think Ford. Right? That doesn’t make any sense. But that’s what we do as individuals every day in this shared security model. We think it’s the company’s fault. It’s their service, but they give you keys. So we operate in a shared security model.
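The reset flow the talk describes can be contrasted with a reset that does not rely on facts an outsider can look up. The following Python is an added example written for this page, not code from Agio or from any Apple service. It models two reset designs on a constructed sample account: a knowledge-based reset (security questions whose answers are the sort of biographical facts found on a public page) and a reset that requires a random, single-use, time-limited token delivered only to the account's verified mailbox. The 15-minute token lifetime, the account fields and the sample answers are all assumptions made for the example.

```python
"""Two password-reset designs side by side (added example, constructed data)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute reset window


@dataclass
class Account:
    email: str
    password: str
    # Knowledge-based answers, stored normalised to lowercase (constructed sample data).
    security_answers: dict
    # Outstanding reset tokens: token -> expiry time in Unix seconds.
    reset_tokens: dict = field(default_factory=dict)


def _match(stored: str, supplied: str) -> bool:
    # Constant-time comparison after the same normalisation used at enrolment.
    return hmac.compare_digest(stored.encode(), supplied.strip().lower().encode())


def reset_with_security_questions(account: Account, answers: dict, new_password: str) -> bool:
    """Knowledge-based reset: succeeds for anyone who can answer the questions."""
    expected = account.security_answers
    if set(answers) != set(expected):
        return False
    if not all(_match(expected[q], answers[q]) for q in expected):
        return False
    account.password = new_password
    return True


def request_reset_token(account: Account, now: Optional[float] = None) -> str:
    """Issue a random, single-use, time-limited token.

    In a real service the token is sent only to the account's verified mailbox;
    returning it here stands in for that delivery step.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits; not derivable from a biography
    account.reset_tokens[token] = now + TOKEN_TTL_SECONDS
    return token


def reset_with_token(account: Account, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
    """Token-based reset: the token is consumed on first use and rejected after expiry."""
    now = time.time() if now is None else now
    expiry = account.reset_tokens.pop(token, None)  # single use, even if it turns out to be expired
    if expiry is None or now > expiry:
        return False
    account.password = new_password
    account.reset_tokens.clear()  # any other outstanding tokens die with this reset
    return True


# Constructed sample: the answers are the kind of facts the talk says were
# available on a public web page.
PUBLIC_PROFILE = {"first_car": "mustang", "favorite_color": "blue", "dog_name": "rex"}


def make_sample_account() -> Account:
    return Account(email="sample@example.com", password="original-secret",
                   security_answers=dict(PUBLIC_PROFILE))


def demo() -> dict:
    """Run both flows and report which ones someone holding only public facts can complete."""
    a = make_sample_account()
    kba = reset_with_security_questions(a, {k: v.title() for k, v in PUBLIC_PROFILE.items()}, "taken-over")

    b = make_sample_account()
    guessed = reset_with_token(b, "guess", "taken-over")            # no token was ever issued
    t = request_reset_token(b, now=1000.0)                          # goes to the mailbox owner
    legit = reset_with_token(b, t, "owner-new-password", now=1100.0)
    replay = reset_with_token(b, t, "taken-over", now=1200.0)       # same token presented again

    c = make_sample_account()
    t2 = request_reset_token(c, now=1000.0)
    stale = reset_with_token(c, t2, "x", now=1000.0 + TOKEN_TTL_SECONDS + 1)
    return {"questions_from_public_facts": kba, "guessed_token": guessed,
            "legitimate_token": legit, "token_replay": replay, "expired_token": stale}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the knowledge-based reset succeeding on public facts alone, while the token flow fails for a guessed token, a replayed token and an expired token, and succeeds only for the one token that reached the mailbox owner within the window. The design choice the example makes explicit is that account recovery should depend on something the legitimate owner controls (the verified mailbox, a registered device) rather than on something anyone can read about them.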

