From 337eed85d9e81da0ffe1cc47fce12ad6f0c6a390 Mon Sep 17 00:00:00 2001 From: Jet Hughes Date: Wed, 12 Oct 2022 12:29:46 +1300 Subject: [PATCH] vault backup: 2022-10-12 12:29:46 --- content/notes/ass03-security-flaws-essay.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/notes/ass03-security-flaws-essay.md b/content/notes/ass03-security-flaws-essay.md index da1a000b6..ea1efff76 100644 --- a/content/notes/ass03-security-flaws-essay.md +++ b/content/notes/ass03-security-flaws-essay.md 
@@ -57,7 +57,23 @@ Jet Hughes 9474308 - the attackers posted a message to my account on Twitter taking credit for the hack. - not only had the ability to control my account, but were able to prevent me from regaining access - those deletions were just collateral damage +- I spent an hour and a half talking to AppleCare + - Apple had been looking at the wrong account + - alternate set of questions + - a billing address and the last four digits of my credit card. +- all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. +- company spokesperson Natalie Kerris told Wired, "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected." +- Wired tried to verify the hackers' access technique by performing it on a different account. We were successful +- I logged into Tumblr and posted an account of how I thought the takedown occurred +- one of my hackers @ messaged me - Phobia +- I agreed not to press charges, and in return he laid out exactly how the hack worked. +- “didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.” + - why - the hack was simply a grab for my three-character Twitter handle + - take it, and fuck shit up, and watch it burn. 
+- My Twitter account linked to my personal website, where they found my Gmail address +- I didn’t have Google's two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery - ****@me.com - rev +- Google partially obscures that information, starring out many characters, but there were enough characters available ## 2015 Brandom Anatomy of a Hack [link](https://blackboard.otago.ac.nz/bbcswebdav/pid-2956926-dt-content-rid-18904225_1/xid-18904225_1)
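Review bot: The two added bullets on what Apple required for a reset disagree with each other. The sub-bullet under the AppleCare call gives "a billing address and the last four digits of my credit card", while the next top-level bullet gives "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file". Check the source and keep one list, because the essay's point about weak account-recovery verification rests on exactly which items were needed. The Gmail bullet ends in a stray "- rev", and the last added bullet stops at "but there were enough characters available" without saying what they were enough for; given the "vault backup" subject, both look like an automatic commit taken mid-edit and should be completed. The first-person bullets ("I spent an hour and a half talking to AppleCare", "I agreed not to press charges") and the "We were successful" line read as copied from the source article, so mark them as quotations or rewrite them in the third person so they are not taken as the note author's own account.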