Journo totally owned thanks to over-helpful iCloud support
Mat Honan is a living example of Journalism 2.0.
He’s influential in the social media whirl; he writes – or wrote – for Gizmodo; he used to be something-or-other at WIRED magazine; he lives in the Haight in San Francisco; he’s not afraid to say what he thinks about Google; he made a post-modern website about Barack Obama of which he’s inexplicably proud (the website, not POTUS); and he’s moderately keen on himself – but only moderately so, at least for a Journo 2.0.
Indeed, some people will probably spend hours telling us that what happened to Honan doesn’t even qualify as a hack, although it effectively hacked his digital life into shreds.
Simply put, the hacker – forget that, the criminal – called up Apple support and tricked them into handing over control of Honan’s iCloud account.
Apple recently beefed up its password security by forcing users to provide a bunch of security questions. (For the record, Chester liked the idea, but I thought it was a step backwards, and we argued about it in a Chet Chat. The disagreement starts at about 5’30” into that episode.)
In this case, however, the crook side-stepped any and all security using social engineering, persuading an Apple support staffer that he really was the lawful owner of the account, and thereby getting access.
It’s really hard to defend against this sort of attack.
You can have – and enforce – utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn’t to improve security, it’s to save money by taking humans out of the loop. The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.
A physical-world analogue of this sort of inflexibility might be a hotel which had no procedure for recovering property from the room safe. “Sorry, Sir,” they’d say. “We don’t even look to see what you have left in there to work out if it’s really yours. We simply drill the safe out of the wall and destroy it in its entirety. We did warn you: don’t forget the code.”
Or you can keep humans in the loop, and run the risk that their helpfulness will occasionally be off the mark.
That’s what happened with Honan.
Sadly, the crook wasn’t happy just with breaching security at Apple. The hacker also took the trouble of invoking the remote wipe feature of Honan’s iDevices – and he’s an unashamed fanbuoy, using an iPhone, an iPad and a MacBook Air. The crook was also able to take over Honan’s Gmail account, his Twitter account and – through account linking – the Twitter account of Gizmodo, with whom Honan has, or had, a trusted journalistic relationship.
Of course, Honan only found out about all this criminal activity the hard way: the crook had redirected his “did you mean to change your password?” notification emails and changed his passwords, so the warnings never reached him.
The lessons to be learned?
* Encrypt everything you put into the cloud, using an encryption solution which operates outside the cloud, so that the keys never sit behind the same account login as the data they protect.
* Keep your online accounts separate. Don’t link accounts together for convenience, lest they all get compromised in one go.
* Don’t link personal and work social media accounts, lest an injury to one become an injury to both.
* Make and keep backups for yourself, outside the cloud. (Honan admits he didn’t, and has gone so far as to call himself “a jerk” for not doing so.)
* Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect. Otherwise whoever takes over the cloud account also gets the wipe button.
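As an added illustration of the first lesson (this is example code written for this page, not code from the article or from Apple or any other product it mentions), here is the shape of “encryption that operates outside the cloud”: the file is sealed on the device with a key that lives in a local key file, and only the resulting blob goes into the synced folder. It uses Go’s standard-library AES-256-GCM; the file name is bound as associated data so that a blob renamed or edited by someone who controls the cloud account fails to decrypt. The key file location, the file name and the sample contents are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes, i.e. AES-256.
const keySize = 32

// NewLocalKey generates the key that stays on the device (assumed to be kept
// in a file outside any synced folder). It is never uploaded with the data,
// so taking over the cloud account yields ciphertext only.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file's contents for upload. Output layout: nonce || ciphertext+tag.
// A fresh random 96-bit nonce per file is fine at per-user file counts; the
// file name is authenticated as associated data but not encrypted.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a blob fetched back from the cloud. A wrong key, a changed
// name, or any modification of the blob makes authentication fail.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	key, err := NewLocalKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample contents standing in for a file about to be synced.
	plain := []byte("constructed sample: draft notes that must stay unreadable in the cloud")
	blob, err := Seal(key, "notes.txt", plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext; the %d-byte key stayed local\n", len(blob), len(key))

	back, err := Open(key, "notes.txt", blob)
	fmt.Println("decrypt with the local key works:", err == nil && bytes.Equal(back, plain))

	// Someone holding the cloud account can fetch, rename or edit the blob,
	// but without the key none of that produces plaintext.
	_, err = Open(key, "renamed.txt", blob)
	fmt.Println("decrypt under a different name fails:", err != nil)
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, "notes.txt", blob)
	fmt.Println("decrypt of a tampered blob fails:", err != nil)
}
```

The point of the design is where the key lives, not the cipher: a password reset at the provider, or a support agent handing the account to a stranger, exposes the blobs but not the key file, and the same separation is why the backup copy of that key file needs to be kept somewhere other than the cloud account it protects.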
I know that this advice sounds as though I’m urging you to buy a dog and bark yourself. Why embrace the cloud if you end up re-implementing some of the features it offers you (often apparently “for free”)?
The answer is simple: it’s your digital life.
Use the cloud to add some convenience to your digital lifestyle, but make sure that you embrace the cloud. Don’t let the cloud embrace you!
Elyssa D. Durant © DailyDDoSe™ 2007-2014