Lessons to learn from the UGNazi hacking attacks against Mat Honan and Cloudflare

Graham Cluley

Technology journalist Mat Honan and Cloudflare CEO Matthew Prince have something in common – they’ve both been hacked by a Long Beach teenage member of the UGNazi hacktivist group.

At the RSA Conference in San Francisco today, Honan and Prince spoke about their experiences in a session entitled “We were hacked: Here’s what you should know”.

And, I’m afraid what they had to say spells bad news for those of us who love to use the internet and embrace cloud-based technologies to manage our lives more easily.

Because you no longer have to worry just about your own computer security – you also need to start worrying about everybody else’s.


The hack of Mat Honan

In the case of Honan, who has written for publications such as Gizmodo and Wired, the hack last year resulted in him having his Gmail account hijacked, and his iPhone, iPad and MacBook Air remotely wiped.

To make things worse, Mat Honan hadn’t backed up his laptop for 2 years. And when his MacBook was wiped, he lost priceless photos of his daughter who was just 18 months old at the time. (Yes, he admits he was “a jerk” for not making backups.)

For good measure, the hackers also locked Honan out of his @mat Twitter account, and began to post racist and offensive comments. For a short while, the hackers were also in control of the official Gizmodo Twitter account.

Just how Mat Honan’s online accounts fell at the hands of hackers has been well documented. Although Honan himself has to shoulder some of the blame for not using free security features such as two-factor authentication to defend his Google account, Apple and Amazon’s customer service departments and account recovery processes unwittingly assisted the hack.

As Honan described it in his talk, “you do have to worry about your own security, but you also need to worry about everybody else’s”.

All of this effort to hack one journalist, and you have to ask yourself why? According to Honan, the only answer he ever got from the hackers was that they were after his rare three character Twitter account – @mat.

How the hack of Cloudflare hit 4Chan

Matthew Prince had a similar unpleasant experience, at the hands of UGNazi hackers – even though he probably thought he was doing everything right. For instance, he had a long, complex, randomised password to protect his Gmail account.

But last year hackers were able to trick Google into adding a bogus recovery email address to Prince’s personal Gmail account, and then use that address to reset his password.

No guessing or cracking of Prince’s passwords was required.

In a series of automated voicemails, the hackers taunted Prince – even revealing that they had bought his social security number from an underground Russian website.

As Prince told the delegates at the RSA conference, “If you don’t think your social security number can be bought from a Russian website, you’re wrong. It can.”

It gets worse, though. Prince is CEO of Cloudflare, and like many other companies Cloudflare uses Google Apps for Business for its email system. The hackers, who were now in control of Prince’s personal account, were able to request a password reset for Cloudflare’s Google Apps admin panel.

This shouldn’t have been possible, because Cloudflare was using two-factor authentication for its Google Apps accounts, but an oversight in Google’s account recovery process meant no authentication code was ever asked for. (Google says it has since fixed the problem).

With apparent ease, the UGNazi hackers had gained access to Cloudflare’s communications.


Prince described how the attackers could have been much more malicious if they had had financial motivations. They could, for instance, have forwarded all the emails belonging to a Brazilian bank, but instead they had a particular Cloudflare customer in mind as their target: 4chan.

The hackers updated 4chan’s DNS records to redirect visitors to their own UGNazi Twitter page, and posted a message claiming responsibility.

A desire for revenge, and the fall of UGNazi

Matthew Prince says that although the attack was against his company, in order to mess with 4chan, he and his staff took it personally. Within 24 hours they believed they had the names of three individuals responsible.

One was a 15-year-old kid in Long Beach, California nicknamed “Cosmo” or “Cosmo The God”. The second was a 17-year-old from New York, and the third a 20-something based in Virginia. There was also a fourth suspect, whose name was never uncovered, believed to be based in India.

Prince didn’t make clear how they had managed to identify the individuals so quickly, but it is perhaps telling that the UGNazi hacktivist group were also customers of Cloudflare, and clues may have been shared that way.

Prince says that he and his team began to have revenge fantasies. They found, on a dating website, the profile of the Long Beach suspect’s mother and fantasised about going on vengeful dates with her.

It’s probably good that they didn’t. Mat Honan, who interviewed “Cosmo”, says that the teenage hacker claims to stand a daunting 6’7″ tall, and is a “big athletic guy”.

The teenager was a keen gamer, whose interest in hacktivism had evolved from knocking other players offline to win games, through the SOPA controversy, to ultimately joining the UGNazi hacking crew.

UGNazi made an ugly name for itself, with its logo of Adolf Hitler, and hitting websites that supported the controversial SOPA act with defacements and DDoS attacks.

Inevitably, the computer crime authorities had their eyes on UGNazi and arrested members of the group.

Amongst them was 15-year-old “Cosmo”, who was given probation and told he wasn’t allowed to use internet-enabled computers without permission for six years.


Why did UGNazi hack? Mat Honan says they did it for entertainment, because there was nothing else going on in their lives that they excelled at. In short, teenage vandalism.

“In the 1970s they would have been hitting mailboxes with baseball bats,” says Honan.

Clearly, in hacking groups like UGNazi there is a lot of desire for notoriety.

Prince agrees, adding that the UGNazi hacktivists combined a clear degree of sophistication in their methodical hacks with childish naivety.

A silver lining

When bad things happen, you can learn from the experience and teach others how to avoid the same thing happening to them.

Cloudflare CEO Matthew Prince says that one of the first questions his company now asks suppliers is what additional security features can be put in place for all of their accounts: for instance, two-factor authentication, limiting which IP addresses can access an account, and so on.

Although no firm would want to suffer at the hands of hackers as Cloudflare and its customer 4chan did, incidents like this do raise awareness.

For his part, Honan says that he has learnt not to use the same email address to log in everywhere – and that if you make that mistake you are using a universal username, which effectively becomes a single point of failure. Instead, he uses private usernames/email addresses that are different from the public one on his blog or business cards.
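The single point of failure Honan describes, and the reset chain Prince described earlier, can both be looked for in an inventory of your own accounts. The following is an added example, not code from this article or from anyone it mentions; the account names and recovery links are constructed, and `takeover_paths` and `single_points_of_failure` are hypothetical helper names.

```python
from collections import deque

# Constructed inventory, not real account data. Each entry maps an account to
# the accounts able to reset it, and whether that reset demands a second factor.
RECOVERY = {
    "personal-mail":   [],
    "work-mail-admin": [("personal-mail", False)],   # reset path skips 2FA
    "dns-console":     [("work-mail-admin", False)],
    "cloud-storage":   [("personal-mail", True)],    # reset path enforces 2FA
    "social-handle":   [("cloud-storage", False)],
    "backup-service":  [("private-alias", False)],   # address used nowhere else
    "private-alias":   [],
}


def takeover_paths(recovery, compromised):
    """Return {account: chain} for every account reachable from `compromised`
    by following reset paths that do not require a second factor."""
    # Invert the map: which accounts can each account reset without 2FA?
    can_reset = {name: [] for name in recovery}
    for target, sources in recovery.items():
        for source, needs_2fa in sources:
            if not needs_2fa:
                can_reset.setdefault(source, []).append(target)
    chains = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for target in can_reset.get(current, []):
            if target not in chains:      # first visit gives the shortest chain
                chains[target] = chains[current] + [target]
                queue.append(target)
    del chains[compromised]
    return chains


def single_points_of_failure(recovery):
    """Rank accounts by how many others fall if that one account is taken over."""
    blast = {name: len(takeover_paths(recovery, name)) for name in recovery}
    return sorted(((n, c) for n, c in blast.items() if c),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for account, count in single_points_of_failure(RECOVERY):
        print(f"{account}: {count} dependent account(s)")
        for chain in takeover_paths(RECOVERY, account).values():
            print("   " + " -> ".join(chain))
```

Accounts at the top of the ranking are the ones to protect first: give them a second factor on the recovery path as well as on login, or move their dependants to a separate recovery address.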

And Honan says that he now backs up his computers to both external devices and the cloud, realising just how much he could potentially have lost.

The technology journalist says that as a result of the hack, he now believes in owning his own data and reminds everyone that an iTunes password isn’t just for buying music – it can now be used to wipe remote computers too.

You may have set up your AppleID account years ago, and not realised what other services and capabilities Apple has integrated with it since.

The final word has to go to Matthew Prince. The way that he and his company Cloudflare have responded to and spoken about the hack has been refreshingly candid, and an example to other firms that “being transparent, being forward, being out there… helps build trust.”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
