Thursday, August 9, 2012

What You Can Learn From Wired Reporter’s Epic Hack

After what can only be described as a nightmare hacking experience left him with a wiped hard drive, a deleted Gmail and compromised Twitter and iCloud accounts, Wired reporter Mat Honan has been picking up the pieces of his digital life.

After first revealing details on his personal blog, Honan expounded on the situation in an essay entitled, "How Apple and Amazon Security Flaws Led to My Epic Hacking." It's a harrowing read that we encourage you to check out in its entirety.

What made this attack particularly jarring was that the hacker didn't get into Honan's account by cracking his password. Instead, the perpetrators used public information and light social engineering to get access to his accounts, thanks to assists from Apple and Amazon. As Honan wrote in his Wired story, "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information."

Since the story was published, Apple and Amazon have both made changes to their security procedures, especially those governing how access to an account is granted.

Although it's easy to focus on the failures of Apple and Amazon — and indeed, it's critical to have a discussion about how much culpability and responsibility a company needs to take when these types of situations happen — it's also important to look at the broader consumer picture.

So what can we learn from Honan's story?

Backup, Backup, Backup

One clear takeaway is to back up, back up, back up. A failure to regularly save his data in another location means Honan is in danger of losing not only documents and emails but precious photos of his young daughter.

"Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location," Honan writes. "Those security lapses are my fault, and I deeply, deeply regret them."

Alarmingly, a recent survey by Seagate and Harris Interactive shows that Honan isn't alone. The poll of 2,205 U.S. adults revealed that only 10% of those surveyed back up their files daily and that even fewer used a cloud backup service like Dropbox or Carbonite. And what was the most prized digital asset of those surveyed? Almost three quarters of respondents said it was their digital photos and videos.

Backing up is one of the most important steps any computer owner can take. In the old days, backing up a computer was a time-consuming and often expensive process. That's no longer the case. For over five years, Apple has included its own backup program, Time Machine, in OS X. There are a slew of great free options for Windows users as well. Moreover, users can get a multi-terabyte external hard drive for $99 or less.

Local backups not enough? Cloud-based services such as Carbonite and Backblaze both do a great job of backing up data to the cloud.

Backups aren't just important in the case of a rogue attack gone awry — they are also great insurance against theft or mechanical failure. If you don't back up your data at least once a month, you're asking for trouble. Just do it.

Use Two-Factor Verification

Because so much of our digital life crosses different services, ease of use and expedience can sometimes come at the expense of security. Services like iCloud, Gmail, and Twitter now let us daisy-chain our accounts, but that convenience can come at a cost.

In Honan's case, because he had linked his iCloud account to his Gmail account, hackers were able to gain access to and shut down his email after social-engineering Apple's tech support and gaining access to iCloud. But that didn't have to be the case.

"If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here," says Honan in his piece. "But using the .Me e-mail account as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being hacked."

Two-step verification for Gmail, which adds an extra layer of security to your email account but complicates the sign-in process, is similar to the security measures your bank takes to protect your financial data. Matt Cutts, head of the webspam team at Google, has followed up Honan's story with a blog post detailing how to turn on two-step verification and debunking some of the common myths about it. This Google video walks you through how to get started with two-step verification.

Don't Use the Same Email Address For Everything and Change Your Password Regularly

It's common to use the same email account or login for every major service. That makes it convenient to receive email and to keep track of logins. Still, that also makes the trove of information available under that account much more valuable.

Consider using multiple email addresses for different services — or at least not tying everything to one account. My Amazon account is not one of my regularly used email addresses (by coincidence, not design) and as a result, that makes it that much harder for a hacker to figure out what account of mine they need to hack in order to get access to my stuff.

If you do need to use the same email for all of your accounts, change the password on that account regularly. Additionally, don't use the same password for all of your accounts. Yes, it's a pain to remember different passwords for each service, but that's why password managers such as LastPass and 1Password are so great.
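The two sections above both come down to the same point: each account's recovery path is a link in a chain, and whoever controls the account at the head of the chain eventually controls everything behind it. The script below is an added illustration, not code from the article or from any of the companies named; it models Honan's chain as a small dependency graph (the specific links are an assumption built from the story) and shows how far a single compromised account reaches, and how much of that reach a two-factor-protected account would cut off.

```python
from collections import deque

# Constructed model of the recovery links in Honan's story (an assumption for
# illustration). Each key lists the accounts whose compromise lets an attacker
# take it over: a password-reset address, billing data used by support to
# verify identity, or a linked device.
RECOVERY_LINKS = {
    "amazon":  [],            # entry point reached by social engineering
    "appleid": ["amazon"],    # partial card number from Amazon satisfied Apple support
    "icloud":  ["appleid"],
    "gmail":   ["icloud"],    # the .Me address was Gmail's recovery address
    "twitter": ["gmail"],     # Twitter resets go to Gmail
    "macbook": ["icloud"],    # Find My Mac remote wipe
}


def blast_radius(links, start, two_factor=frozenset()):
    """Accounts an attacker reaches from `start` by following recovery links.

    Accounts in `two_factor` cannot be taken over through a recovery link
    alone, so the walk stops there (unless it is the starting account).
    """
    reached = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for acct, deps in links.items():
            if acct in reached or acct in two_factor:
                continue
            if cur in deps:
                reached.add(acct)
                queue.append(acct)
    return reached


def single_points_of_failure(links, two_factor=frozenset()):
    """Accounts whose compromise alone reaches every other account."""
    everything = set(links)
    return {a for a in links if blast_radius(links, a, two_factor) == everything}


def chain_breakers(links, start):
    """For each account, how many accounts protecting it with 2FA would save
    against an attacker starting at `start`; sort descending to prioritise."""
    base = blast_radius(links, start)
    return {a: len(base) - len(blast_radius(links, start, frozenset({a})))
            for a in links if a != start}


if __name__ == "__main__":
    print("reach from amazon:", sorted(blast_radius(RECOVERY_LINKS, "amazon")))
    print("with 2FA on gmail:", sorted(blast_radius(RECOVERY_LINKS, "amazon", {"gmail"})))
    print("accounts worth protecting first:", chain_breakers(RECOVERY_LINKS, "amazon"))
```

In the model the Amazon account is the only single point of failure, and two-factor on Gmail alone keeps Gmail and Twitter out of reach, which is exactly the stopping point Honan describes; the same walk over your own recovery addresses tells you where a second factor or a separate email address buys the most.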

Reconsider Using Find My Mac

Wiping your computer is very different from wiping your phone. That may seem obvious, but Apple uses the same approach to find and remotely wipe both your iPhone and your Mac.

Honan says the worst thing he did, worse than failing to back up and linking his accounts, was to use the "Find My Mac" feature. "While that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers," Honan writes. "You are almost certainly more likely to have your computer accessed remotely than physically."

As currently implemented, the "Find My Mac" feature doesn't offer a way to halt a remote wipe or verify one before it begins. Honan reports that Wired was able to duplicate the iCloud exploit and that Apple won't comment on whether or not it is considering stronger security measures for the Find My Mac feature.

Rather than using "Find My Mac," users might want to consider using something like Prey, an open-source utility that helps users track the location of their computer, in the event of theft. While users can remove passwords and email files remotely using Prey, they can't reformat a computer.

Stay Vigilant

No one can guarantee that their data online stays completely secure, but we can at least learn from Honan's experience and take some small measures to minimize the risk to precious data, like family photos and videos. Be sure to check out Mat's full story on Wired and follow him on Twitter, where he continues to answer readers' questions.

What did you think of Honan's story? Tell us what measures you're taking to secure your data in the comments.

Marc Georges co-wrote this article.

Image courtesy of iStockphoto, zimmytws
