Mat Honan was the victim of a rather vicious hack. It resulted in the erasure of his iPhone, iPad, his Mac, and his Gmail account. It was accomplished through a combination of social engineering (fooling people into handing over information), personal complacency, and the ability to obtain disparate pieces of information that by themselves are harmless but together can be used to defeat security systems.
Honan compounded the problem by not having a backup of his computer (an unforgivable sin for a tech blogger). He lost a ton of pictures and other information when his Mac got wiped. He also helped the hacker by doing some things that made it easy to jump from account to account. Unfortunately, those things are incredibly common practices with the public at large.
His misfortune made me reexamine my own security habits. Some of the things that happened were beyond his control. Both of the companies involved with the social engineering aspects are in the process of addressing that angle. He could have prevented a lot of the other things with just a few tweaks, but those involve work and most of us lean towards convenience instead of security. So what could he have done, and what should I do?
There are several types of security exploits that I know of. It is possible to have a key logger or other surveillance software installed on your machine, and a cracker could then directly access your information. It's also possible to be the target of a directed social engineering attack, as Honan was. Both of those exploits usually require someone wanting specific information from you. These are the kinds of things that the FBI might do to get information on a suspect. In Honan's case, they were after his Twitter account.
The things that regular folks need to worry about are theft of their devices and online services being hacked and exposing their information. Obviously, if a thief has your computer, phone, or iPad, they could potentially do all sorts of damage. Luckily, most thieves are much more interested in selling the device and will therefore promptly erase it. Plus, I would imagine it would be a little more difficult to find buyers of information than devices.
Ideally, if a service gets hacked it would only affect that particular service. The real problem is that so many people use the same password for so many things. If someone gets your email address and a password from one breached service, it wouldn't be too difficult to try that same pair on other services. Hell, they may not even have to try if you use the same password for your email. They could just read through your emails and see what services you use.
So that's lesson #1, use different passwords. Yes, I know, it's a total pain, but it is necessary. There are a number of ways to organize and maintain all of the different passwords we have. I use 1Password, a well-known password manager and generator. Other people keep a file of their passwords (encrypt it!) and others resort to writing them down. The main point is to start using different passwords, just start doing it.
So OK, you have different passwords for everything, but so did Honan. What happened? The weak point is your email. Every online service that I know of will send you an email to reset your password. If someone gets into the email you use for services, you are done. It is super easy to reset passwords to lock you out of not only your email but also all of your services. Think Facebook, Twitter, banking, credit cards, brokerage, the whole nine yards. If there's one thing you have to concentrate on securing, it is your email. How do you do that?
Obviously, a good password is a good start. Honan freely admits that if he had a feature called two-step verification activated on Gmail he could have avoided a lot of the subsequent damage. If you have that turned on, signing into Gmail from a new machine will require a code that is texted to your phone in addition to your password. A hacker would have to have both your password and your phone to get into your email account. Clearly, that is much more secure.
There is usually a tradeoff between security and convenience. The more secure something is, the more difficult it is to get into it. Makes sense really. That's the trade off: two-step verification is much more secure, but it becomes problematic if you have a lot of apps that make use of your Google information. Apps typically can't deal with two-step verification, so Google generates special app-specific passwords for each one. In my case, that involved 12 different passwords spread across my computer, iPhone, iPad, and Apple TV. Still, once you put it in, it will stay there. One caveat worth knowing: each of those app passwords gets into the account without the texted code, so treat them like the account password itself and revoke any that belong to a device you no longer have.
One thing you shouldn't overlook is that securing your email against hackers makes it really tough for them to get to it, and it can conceivably make it hard, or impossible, for you to get into it as well! I can envisage a situation where I would not be able to get into my own account and therefore wouldn't be able to access a lot of other things either. If I didn't have one of my own devices at hand, including my phone, I wouldn't be able to log into my own account. Google does provide you with a list of backup codes that can be printed out for absolute emergencies. It's an important key, so take care of it!
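To make the mechanism behind the last three paragraphs concrete, here is an added example in Python, written for this page and not Google's implementation. It models the second step: after the password is accepted, the service issues a short-lived, single-use numeric code (standing in for the one Gmail texts to your phone) and keeps a separate set of printable backup codes that each work once. The code lifetime, the attempt budget, the 6-digit code length and the `sent_messages` list that stands in for an SMS gateway are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration, not Google's code. Constants below are assumptions.
CODE_TTL_SECONDS = 300   # a texted code is good for five minutes
MAX_ATTEMPTS = 5         # five wrong guesses void the pending code


class SecondFactor:
    """The 'second step' for one account: texted codes plus backup codes."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._pending = None          # [code, expires_at, attempts_left]
        self._backup_hashes = set()   # sha256 of the unused backup codes
        self.sent_messages = []       # stands in for the SMS gateway

    # ---- the code texted to the phone --------------------------------
    def issue_code(self):
        """Generate a fresh 6-digit code and 'text' it to the phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.sent_messages.append(code)
        return code

    def verify_code(self, guess):
        """Accept the pending code once, before expiry, within the budget."""
        if self._pending is None:
            return False
        code, expires_at, attempts_left = self._pending
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending = None      # expired or too many guesses: start over
            return False
        # constant-time compare so response timing does not leak digits
        if hmac.compare_digest(code, str(guess)):
            self._pending = None      # single use: a replayed code fails
            return True
        self._pending[2] -= 1
        return False

    # ---- printable backup codes for when the phone is unavailable ----
    def generate_backup_codes(self, count=10):
        """Return codes to print out; only their hashes are kept here."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self._backup_hashes = {
            hashlib.sha256(c.encode()).hexdigest() for c in codes
        }
        return codes

    def verify_backup_code(self, code):
        """Each backup code is consumed the first time it is used."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._backup_hashes:
            self._backup_hashes.remove(digest)
            return True
        return False


def login(password_ok, factor, code):
    """Both steps must pass. Assumption: the password check happened
    upstream and its result is passed in as a boolean."""
    return bool(password_ok) and factor.verify_code(code)
```

The point the example makes is the one Honan learned the hard way: a hacker who has only the password (`login(True, ...)` with a guessed code, or `login(False, ...)` with the real one) gets nowhere, while a code that has been used, has expired, or has absorbed too many wrong guesses is worthless even if it leaks later. The backup codes are the printed emergency list; keeping only hashes means a copy of the server's database does not hand them to an attacker.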
So this is what I have done so far in reaction to the massive hack of Honan. I have gone through and made much more secure passwords for all of the online services that are important. I will update others like online forums as I come across them. I have enabled two step verification on my main Gmail account. I have three others left to do but they aren’t used for anything facing the web. I need to activate two step verification on them and Facebook. I also need to make secure passwords for my iPhone and iPad. It would be silly to go through all of this just to have someone take one of them (again) and have direct access to my email.
I'm only really truly worried about someone stealing my devices or a hack of one of the services I use. The two-step verification is for peace of mind. It's nice to know that the linchpin is locked down really well. Having different passwords will most likely prevent a breach of any of my other services. It has made things slightly less convenient, but the tradeoff is worth it to me.
OK, the secure password on my iPad and iPhone simply isn't working. Typing in a 15-digit password every time I pick them up is just not acceptable. I realized that I have the ability to erase these things remotely, so all I need is a little time if they get stolen. I have a better password than the default 4-digit option that is offered, but it isn't super long. I think that's a good compromise.