Aug 30, 2012

Tech News: Lessons Learned from Wired’s Mat Honan Hacker Attack

As we go about building an online life for ourselves, often a common thread – our personal information – ties the different media, storage, and shopping services together. By itself, each one is fairly innocuous in the information it can yield to non-friendly outsiders. But taken together, a snapshot might be created that yields enough information to take control of those online accounts. There is probably no one more acutely aware of this than Wired’s Mat Honan. Mat Honan recently found that his iCloud had been hacked, and through that hack all of his devices were wiped clean. Not just his tablet and smartphone, but also a laptop, which removed many irreplaceable files that included family photos. While the hacking of Mat Honan seems like a perfect storm of actions, in reality it is too easy to replicate for many users. Could you do anything to avoid the same type of attack? The answer is yes, and the steps to take are easy enough if you are willing to lose a little convenience. Don’t Store Credit Card Information on Amazon The real lynchpin in the hack was the last four digits of Mat’s credit card.[1] With that final piece of information, the hacker was able to convince Apple to reset the iCloud password. As it turns out, Amazon will expose the last four digits of a credit card fairly easily through use of its account maintenance – even if it is someone else’s account. The best way to keep Amazon from exposing that information is to not give it to them in the first place. Sure, you will have to enter the card number each time, but until this hole is closed, it is comforting to know that, should your Amazon account be challenged, there is little information that can be stolen. Use Different Payment Methods with Major Web Sites and Services Many of us use the same credit or debit card with different online services, mostly out of convenience. For example, many consumers use the same card for both iTunes and Amazon. But while we trust these online vendors to protect our information from a monetary standpoint, that same information is often used to validate an account. And as time goes on, that could be the biggest threat. Unlike monetary loss (which is often protected by the issuing credit card company), account access can lead to loss of irreplaceable information. By using different cards or other forms of payment at major providers, the potential of damaging information is greatly reduced. That is, the information that is gained from Amazon would be of little use in an iCloud account takeover attempt if a different card were used with iTunes. Turn Off ‘Find My Mac’ for Now While we can point out that it was information from Amazon that led to Mat’s iCloud account being breached, the last link of the chain lies at Apple’s feet. And until Apple issues a fix in policy and/or procedure that would prevent such account change, the solution is quite simple – don’t use those features that would allow such a hacker to do damage by remote control. This means turning off the Find My Mac feature. The function itself is great, with the end user having the ability to locate a stolen or lost Mac, and even remotely wiping the machine to prevent data from falling into the wrong hands. But in this case the machine was in the right hands - Mat’s – when it was wiped. By having the service off, it would not be possible to do such damage. Now, it might be good to note that the loss of data on a laptop might be preferred over that same data being lost and not being erased. In such a case, the end user may have to weigh that decision. Which leads us to our final point, backups. Backup to Different Paradigms In Mat’s case, the loss of irreplaceable data proved to be the damage inflicted by the hack. But if such data is backed up on a regular, ongoing basis, it protects you from such attacks. Every user of data probably knows the importance of having data in more than one location, but as this example shows, even users that are supposed to be very tech savvy forget this simple action. When you do backups, spread it out past a single ecosystem. By doing so the data is more secure in case that ecosystem is breached. For example, when devices and laptops are nefariously wiped remotely, any laptop data backed up on the device would be lost as well. The interconnected world we build is exactly that – interconnected. By limiting what we replicate across the services we use, the harder we make it for outside forces to get a complete snapshot of our data. In the end, having non-universal data where possible is the greatest protection we have in our online world. [1] How Apple and Amazon Security Flaws Led to My Epic Hacking