Lessons to learn from the UGNazi hacking attacks against Mat Honan and Cloudflare


Technology journalist Mat Honan and Cloudflare CEO Matthew Prince have something in common: they've both been hacked by a teenage member of the UGNazi hacktivist group from Long Beach.

At the RSA Conference in San Francisco today, Honan and Prince spoke about their experiences in a session entitled "We were hacked: Here's what you should know".

And I'm afraid that what they had to say spells bad news for those of us who love to use the internet and embrace cloud-based technologies to manage our lives more easily.

Because you no longer have to worry just about your own computer security - you also need to start worrying about everybody else's.

The hack of Mat Honan

In the case of Honan, who has written for publications such as Gizmodo and Wired, the hack last year resulted in him having his Gmail account hijacked, and his iPhone, iPad and MacBook Air remotely wiped.

To make things worse, Mat Honan hadn't backed up his laptop for 2 years. And when his MacBook was wiped, he lost priceless photos of his daughter who was just 18 months old at the time. (Yes, he admits he was "a jerk" for not making backups.)

For good measure, the hackers also locked Honan out of his @mat Twitter account, and began to post racist and offensive comments. For a short while, the hackers were also in control of the official Gizmodo Twitter account too.

Just how Mat Honan's online accounts fell into the hands of hackers has been well documented. Honan himself has to shoulder some of the blame for not using free security features such as two-factor authentication to defend his Google account, but Apple's and Amazon's customer service departments and account recovery processes unwittingly assisted the hack.

As Honan described it in his talk, "you do have to worry about your own security, but you also need to worry about everybody else's".

All of this effort to hack one journalist, and you have to ask yourself why? According to Honan, the only answer he ever got from the hackers was that they were after his rare three character Twitter account - @mat.

How the hack of Cloudflare hit 4Chan

Matthew Prince had a similar unpleasant experience at the hands of UGNazi hackers, even though he probably thought he was doing everything right. For instance, he had a long, complex, randomised password protecting his Gmail account.

But last year hackers were able to trick Google into adding a bogus recovery email address to Prince's personal Gmail account, and then use that address to reset his password.

No guessing or cracking of Prince's passwords was required.

In a series of automated voicemails, the hackers taunted Prince - even revealing that they had bought his social security number from an underground Russian website.

As Prince told the delegates at the RSA conference, "If you don't think your social security number can be bought from a Russian website, you're wrong. It can."

It gets worse, though. Prince is CEO of Cloudflare, and like many other companies Cloudflare uses Google Apps for Business for its email system. The hackers, now in control of Prince's personal account, were able to request a password reset for Cloudflare's Google Apps admin panel.

This shouldn't have been possible, because Cloudflare was using two-factor authentication for its Google Apps accounts, but an oversight in Google's account recovery process meant no authentication code was ever asked for. (Google says it has since fixed the problem).

With apparent ease, the UGNazi hackers had gained access to Cloudflare's communications.


Prince described how the attackers could have been much more malicious if they had had financial motivations. They could, for instance, have forwarded all the emails belonging to a Brazilian bank, but instead they had a particular Cloudflare customer in mind as their target: 4chan.

The hackers updated 4chan's DNS records to redirect visitors to their own UGNazi Twitter page, and posted a message claiming responsibility.

A desire for revenge, and the fall of UGNazi

Matthew Prince says that although the attack on his company was really just a means of getting at 4chan, he and his staff took it personally. Within 24 hours they believed they had the names of three individuals responsible.

One was a 15-year-old kid in Long Beach, California nicknamed "Cosmo" or "Cosmo The God". The second was a 17-year-old from New York, and the third a 20-something based in Virginia. There was also a fourth suspect, whose name was never uncovered, believed to be based in India.

Prince didn't make clear how they had managed to identify the individuals so quickly, but it is perhaps telling that the UGNazi hacktivist group was also a customer of Cloudflare, and clues may have been picked up that way.

Prince says that he and his team began to have revenge fantasies. They found, on a dating website, the profile of the Long Beach suspect's mother and fantasised about going on vengeful dates with her.

It's probably good that they didn't. Mat Honan, who interviewed "Cosmo", says that the teenage hacker claims to stand a daunting 6'7" tall, and is a "big athletic guy".

The teenager was a keen gamer, whose interest in hacktivism had evolved from knocking other players offline to win games, through the SOPA controversy, to ultimately joining the UGNazi hacking crew.

UGNazi made an ugly name for itself with its Adolf Hitler logo, and by hitting websites that supported the controversial SOPA act with defacements and DDoS attacks.

Inevitably, the computer crime authorities had their eyes on UGNazi and arrested members of the group.

Amongst them was 15-year-old "Cosmo", who was given probation and told he wasn't allowed to use internet-enabled computers without permission for six years.


Why did UGNazi hack? Mat Honan says they did it for entertainment, because there was nothing else going on in their lives that they excelled at. In short, teenage vandalism.

"In the 1970s they would have been hitting mailboxes with baseball bats," says Honan.

Clearly, in hacking groups like UGNazi there is a lot of desire for notoriety.

Prince agrees, adding that the UGNazi hacktivists combined a clear degree of sophistication in their methodical hacks with childish naivety.

A silver lining

When bad things happen, you can learn from the experience and teach others how to avoid the same thing happening to them.

Cloudflare CEO Matthew Prince says that one of the first questions his company now asks suppliers is what additional security features can be put in place for all of its accounts: two-factor authentication, limiting which IP addresses can access an account, and so on.

Although no firm would want to suffer at the hands of hackers like Cloudflare and its customer 4chan did, incidents like this do raise awareness.

For his part, Honan says that he has learnt not to use the same email address to log in everywhere. If you make that mistake you are using a universal username, which becomes a single point of failure. Instead, he uses private usernames and email addresses that are different from the public one on his blog or business cards.

And Honan says that he now backs up his computers to both external devices and the cloud, having realised just how much he could have lost.

The technology journalist says that as a result of the hack, he now believes in owning his own data and reminds everyone that an iTunes password isn't just for buying music - it can now be used to wipe remote computers too.

You may have set up your Apple ID account years ago, and not realised what other services and capabilities Apple has integrated with it since.

The final word has to go to Matthew Prince. The way that he and his company Cloudflare have responded to and spoken about the hack has been refreshingly candid, and an example to other firms that "being transparent, being forward, being out there... helps build trust."


One Response to Lessons to learn from the UGNazi hacking attacks against Mat Honan and Cloudflare

  1. macgyver826 · 550 days ago

    Cloudflare builds trust? Not so mon ami. Cloudflare have long allowed the LulzSec organization (and others of their ilk) to use their services to avoid detection and escape retribution for their deeds.

    LulzSec wasn't using Cloudflare for mere Internet access, but for the anonymity and protection their service provides.

    Pleas from anti-spamming and anti-hacking groups to deny LulzSec service have fallen upon deaf ears. If the UGNazi group was indeed using their service as well, I see this as a sort of "Karma attack".

    I have read many of the interactions between Cloudflare and the representatives of the website security experts myself, and can tell you Cloudflare is a long way from building trust.

    "If you lie down with dogs, you get up with fleas".

    I am truly surprised that Sophos hasn't already picked up on the problem with Cloudflare shielding international criminals behind their services knowingly.

    I truly hope you guys aren't using Cloudflare, because it would indicate a conflict of interest, and would also shock people in the same business as yours: "protecting the innocent on the Internet".

    Me? I wouldn't use Cloudflare's services if they gave them to me free; it's a matter of principle.

    If you would like documentation of what I said merely contact me. I'll put you in touch with the right people.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.