A cautionary tale has emerged in the last few days centring around a person who works for Wired magazine who suddenly found his various online accounts being hacked and, at the same time, his Apple devices being wiped. It is a stunning illustration of how social engineering, company security policies and a sprinkling of individual naïveté can allow chaos to flourish.
The full story – and it is well worth a read – can be found in this lengthy Wired article by Mat Honan, the hapless victim. The first inkling of a problem was when his iPhone spontaneously powered down. When it restarted, it opened to a setup screen and wouldn’t accept Mr Honan’s credentials. Turning to his Apple laptop, a message from iCal told him that his Gmail credentials were not accepted; almost immediately, his laptop screen went grey and a dialog box asked him for a four-digit PIN. He didn’t have a four-digit PIN… so he could not prevent his laptop being remotely erased. His iPhone, iPad and laptop were all remotely erased in those moments.
Unfortunately – if that’s not too much of an understatement – he had not backed up the photos on his laptop, believing them to be safely backed up in iCloud, Apple’s cloud solution. Which was being wiped by the hackers.
When the hack reached its conclusion, the hackers had taken over his Google, iCloud and Twitter accounts and, to stop Mr Honan from being able to reset them, had wiped any device that he had linked to his iCloud account.
The article by Mat Honan, as I say, is well worth a read, as it sets out in detail how social engineering can be used to link seemingly disconnected bits of information and allow someone to get access to another person’s accounts. It also repeats the dialogue that Mr Honan entered into with – allegedly – one of the hackers.
Since the details of the hack emerged, both Apple and Amazon have taken steps to tighten up their security (although Apple’s current steps are temporary while it works out more permanent solutions). Details of the Apple reaction are in this Wired article and of the Amazon reaction in this Wired article. Mat Honan has also promised to write a follow-up Wired article in the coming days.
There is a tendency to embrace the undoubted benefits of cloud-based functionality without considering what this could actually mean if your account was hacked. And believing your account not to be important enough to warrant hacking is not good protection, because much hacking activity is random. As one of the hackers in this instance claims, “they just wanted to take [Mat Honan’s Twitter handle], … , and watch it burn. It wasn’t personal.” (Sorry, I’ve excised the sweary bit; the full quote is in Mat Honan’s article.)
Our advice is:
- Think about the risks of having your stuff in the cloud. And make sure that you have a good backup of your stuff that is not in the cloud.
- Decouple your different accounts. For example, Google lets you put another email address on your Google account. I strongly suggest that you don’t put any cloud-based email address (such as a Mobile Me or iCloud one) on there, if possible.
- If two-factor authentication is possible, switch it on. Google accounts, for example, can be set up so that a code is sent to your mobile phone if a new device is used to access your account.
- Don’t make use of the Back to My Mac and Find My Mac functions of iCloud on computers. The latter was how Mat Honan’s laptop was remotely wiped. When the process is initiated, it displays a message allowing you to enter a PIN if you want to abort the process. But of course, that can only work if you’ve initiated the process yourself. If the process has been started by a hacker – as in Mat Honan’s case – you have no way of knowing the PIN.
- Don’t use the same login details for different accounts. And as I’ve said before, change your passwords regularly.
(Photo of shredded paper by Jonathan Natiuk. Other image is a screenshot taken by Anthony Lambert.)