Last week I read the horrifying story of how an otherwise tech-savvy guy got hacked. Big time. The hackers compromised a number of his accounts and he lost tons of files. The good news is that there’s a lot we can all learn from his experiences.
For a bit of background, the entire process started when his iCloud account was compromised. The hackers then used his iCloud account to remotely wipe his MacBook, iPhone, and iPad, effectively cutting him off from the outside world. The associated dot mac (.mac) e-mail address served as the backup for his main Gmail account, so they were then able to reset his Gmail password.
Once your primary e-mail account has been exposed you are, for lack of a better term, screwed. The hacker can mine your mail for services that you use, and use that very same account to receive and act on password reset requests. In this case, it appears that they were mostly focused on gaining access to his Twitter account, but things could have been much, much worse.
Think of everything you do online nowadays. And think of how badly you could be hurt if someone managed to take control of it all. As it turns out, this whole episode was touched off by a bit of clever social engineering. Details on this aspect of the story aren’t available, but…
Apparently the hacker didn’t break into the victim’s (Mat Honan’s) account the old fashioned way. Instead, he talked his way past Apple customer service and managed to get the iCloud password reset. Sadly, Mat wasn’t in the habit of backing up his data, so he lost all kinds of things, including a year’s worth of photos, e-mails, documents, etc.
There are, of course, some lessons to be learned here.
- Use strong passwords. No, Mat’s accounts weren’t compromised via brute force hacking, but they could have been. And once someone gains access to your primary e-mail account, all bets are off.
- Beware of unsecured wifi networks. Here again, his login info wasn’t compromised per se, but this is another easy way for people to get that information.
- Beware of public computers. As above, it’s all too easy for someone to grab your login credentials using key logger software (or something similar) on a public internet terminal.
- Use two-factor authentication. If available and not switched on by default, be sure to activate two-factor authentication. Here is a good overview.
- Encrypt sensitive information on your hard drive. I’ve talked about this before, but tools like TrueCrypt are great for protecting your secrets on your hard drive.
- Don’t share personally identifying information. Yes, I know that social networking is all the rage, but… Over-sharing of your personal information is a great way to give hackers critical information that could facilitate any attempts at social engineering (not to mention password-guessing if you ignored #1 above).
- And finally, back up your data! I use a combination of Time Machine for local backups to an external hard drive and an online backup service for off-site backups.
Given our heavy reliance on the internet for everything from simple communication to the management of our financial lives, you owe it to yourself to be as cautious as possible.
Oh, and before you lay this all at the feet of iCloud, keep in mind that the “Find My iPhone” feature was instrumental in recovering tech writer David Pogue’s stolen iPhone at just about the same time the system was being used to destroy Mat’s online existence.
Ironically, Pogue pointed to that same “remote wipe” functionality that was used against Honan as an important security feature that he could use to prevent the thieves from accessing anything on his phone (once they got past the PIN code).
Hopefully Apple (and others) will revisit their customer service policies and put better protections against whatever sort of social engineering tricks were used in the first place.
Update: Mat has written an article on Wired explaining exactly how the hack went down, complete with details on the “social engineering” aspect. Fascinating and scary all at once.