How can you avoid an 'epic hack' involving your Apple iCloud account, as journalist Mat Honan just experienced? Follow these strategies.

Mathew J. Schwartz, Contributor

August 8, 2012

6 Min Read

Who Is Anonymous: 10 Key Facts

Who Is Anonymous: 10 Key Facts


Who Is Anonymous: 10 Key Facts (click image for larger view and for slideshow)

How can cloud service users avoid Mat Honan's fate?

For those not in the know, Honan was the unlucky journalist who had his Macbook Air, iPhone, and iPad remotely wiped Friday by an attacker who seized control of his Twitter account--simply for the lulz--and who wanted to make it difficult for Honan to regain control of it.

But as Honan detailed Monday in "How Apple and Amazon Security Flaws Led to My Epic Hacking," the attack led to the loss of a year's data, including personal photos, as well as the deletion of his Google account and eight years' worth of emails.

Security-wise, what should Honan have done differently? Unfortunately, the attack succeeded not through technical sophistication, but smooth talking on the part of the attacker. In a blog post, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, characterized the attack as "a hack of the 'why bother with security when I can talk my way past it' sort for which Kevin Mitnick achieved his infamy. ... The hacker--forget that, the criminal--called up Apple support and tricked them into handing over control of Honan's iCloud account."

Thanks to a reconstruction of the attack--in return for Honan agreeing to not press charges, the attacker, who goes by the name Phobia, agreed to walk him through what he'd done--there are a number of techniques that other cloud service users can practice to help protect any data they store online. Here's where to start:

1. Don't trust cloud providers. Do you think that cloud services offer security or privacy by default? Think again, as cloud-storage businesses are in business to make money, and that can lead to business decisions which prioritize information sharing and ease of access over security or privacy concerns. Notably, "Google's services are not secure by default," said security and privacy researcher Christopher Soghoian in a blog post that points to comments made by Google officials that anyone concerned with government surveillance of their documents or communications--such as journalists--shouldn't rely on services like Google Docs just out of the box. But the same goes for anyone who's concerned about the security of information they store at Google, or with any other cloud storage service.

2. Use fake personal data. Mother's maiden name? Name of your favorite pet? Place where you were born? Thanks to the Internet, the personal information that many websites ask you to input--in case they later ever need to verify your identity--can be discovered by motivated online researchers. For example, Mitt Romney's personal Hotmail account was reportedly hacked thanks to the attacker guessing the name of his favorite pet. Accordingly, consider not just using unique passwords for every website that requires a password, but also inputting fake personal data for each one as well. Then use a password manager or password wallet to help track all of this information.

3. Regularly make local backups. Honan said he lost photos, emails, and documents that he'd been storing on his laptop, iPhone, and iPad, because the data existed only there or on cloud services. To prevent this from happening, the related fix is clear: regularly back up to an external hard drive—or, preferably, two. "Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location," said Honan.

4. Avoid daisy-chaining accounts. Don't link online accounts. Notably, Honan's attacker came gunning for his Twitter account, which by the way was still linked to the Twitter account of Gizmodo, where he'd formerly worked. To get to the Twitter account, the attackers essentially worked backward. "My accounts were daisy-chained together," wrote Honan. "Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc."

5. Consider Google's two-factor authentication system. Per Honan's advice, Google users should employ Google's two-factor authentication system, a.k.a. "two-step authentication." It works by either having Google text a temporary password to a user whenever they attempt to log on to their Google account, or else by using a Google two-factor password generator smartphone app. According to user reviews of the service, however, it's prone to losing tokens, which then requires the user to reauthorize every device or application that's tied to Google. Still, the extra authentication might slow or stop would-be attackers.

6. Disable remote wiping for laptops. Honan's attacker was able to not only remotely wipe his iPhone and iPad, but also his laptop, using the iCloud "Find My Mac" service. But use that type of service with caution, because if breached, it gives attackers inordinate power. "Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect," said Ducklin at Sophos.

7. Press cloud providers for better password practices. In the wake of the hack of Honan's accounts, Wired reported that Amazon and Apple have reportedly discontinued the password-reset practices that Phobia used in his social engineering attack.

Apple, for example, has temporarily discontinued password resets by phone, and Amazon has stopped taking new credit card numbers by phone. That's important, because Phobia had added a bogus credit card number to Honan's Amazon account, then later called back and used the bogus credit card number to "verify" that he was Honan. From there, Phobia was able to see the last four digits of Honan's actual credit card number, which he used to validate his identity with Apple technical support, which--together with a billing address (retrieved via a whois lookup of Honan's personal site)--was all he needed to have Apple generate a temporary password, despite his not being able to answer the security questions that Apple had on file.

8. Keep fingers crossed. Unfortunately, the hack of Honan's Apple, Amazon, Google, and Twitter accounts demonstrates that a determined attacker--Phobia told Honan he was only 19--can find ways to circumvent cloud service security. As Soghoian noted in a blog post, the incident offers "a clear demonstration of how difficult it is for users to protect their data even when using tools and services created by billion-dollar corporations." Thanks to internal customer-service changes made by Amazon and Apple, these types of attacks might be more difficult, but whenever using cloud services, always consider what would be possible if an attacker does manage to gain access to your account.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights