It is a truth universally acknowledged that where there's a hacker up for mischief, there are security settings just waiting to be breached. I have a begrudging respect for mischievous hackers: wherever the rest of us have been blithely accepting of whatever security protocols we don't read about in Terms of Service, they have figured out exactly how to exploit that for their own purposes. This week, Wired reporter Mat Honan was the victim of an "epic hack." My first reaction upon reading this (it's long, but worth it) was to freak out and delete my entire digital existence. Then I realized I am too lazy to actually go through with that. Instead, I tracked down security forums, blog posts, and other tips from the interwebs to share with my friends and gradhackers so that we might better protect ourselves. While these tips won't make you invulnerable (even Superman has his kryptonite), at least we can rest easier about our digital lives. I realized it isn't entirely wise to be a person who gives up her bike just because someone is able to bypass the lock.
For those of you who aren't familiar with what happened, a brief overview: Mr. Honan realized he had been hacked when his computer, iPad, and iPhone were completely wiped of all their data. Because the hackers had taken control of his Apple account, the cloud backup was gone as well. This was done not by breaching his password, but by taking a series of steps that began with Gmail and ended with his entire digital life wiped from the planet. All of this was done for mischief (lulz) brought on by jealousy over Mr. Honan's three-letter Twitter handle, @mat. Now, there were two major aspects of this hack. The first was a set of lapses in Mr. Honan's own security settings, which is what we can control individually and will be the focus of this post. The second was a set of very serious lapses in security policy on the part of Apple and Amazon. As Mr. Honan says himself, "I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life." Yeah, that terrifies me, too.
So what can we do as we wait for Apple and Amazon to sort out how they plan to patch their security holes? A round-up of advice from the interwebs:
Here's the thing, as Lifehacker puts it: "Strong Passwords Aren't Enough." What's that you say? You use the same username and password combination on everything? Stop it. Stop it right now. Now that we've had that lecture, it's time to focus on the fact that the passwords were never the issue in this case. Most of the people I know would pat themselves on the back for cleverly using password managers like 1Password to keep them safe. Those days are gone. Lifehacker gives a few strong suggestions in this post, along with explanations of how to do them. They include auditing your cloud services, making password recovery more difficult, setting up two-factor authentication (both Gmail and Facebook have this), and backing up data to an external hard drive (or two) in addition to cloud backup. The Atlantic, in the article "Four Things You Should Do Right Now," also noted the problem of "daisy-chaining" accounts together, which is what allowed Mr. Honan's hackers to access so much of his information.
In review, here are your top priorities:
- Turn on two-factor authentication when possible
- Make sure your backups have a backup (in other words, don't only back up to one cloud service)
- Set aside a few hours to double-check all of your account settings and unlink accounts
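The "daisy-chaining" problem in that list is easier to see on paper than in a settings page, so here is an added example (not from the original post, Lifehacker, or The Atlantic) of how to audit it yourself. The idea: write down which account can reset which, treat that as a graph, and ask two questions: if one account falls, what else falls with it, and which single account is worth hardening first? The account names and links below are constructed for illustration and are not Mr. Honan's actual account layout.

```python
from collections import deque

# Constructed example (hypothetical accounts, not a real person's setup):
# "a": ["b"] means that whoever controls account "a" can reset or take over
# "b", because b's recovery e-mail, backup code or trusted device lives at "a".
RECOVERY_GRAPH = {
    "amazon": ["apple_id"],                 # a support-desk detail accepted elsewhere
    "apple_id": ["icloud_mail", "devices"], # the Apple ID remote-wipes the devices
    "icloud_mail": ["gmail"],               # gmail's recovery address is the iCloud mailbox
    "gmail": ["twitter", "facebook", "bank"],
    "twitter": [],
    "facebook": [],
    "bank": [],
    "devices": [],
}


def blast_radius(graph, start, hardened=frozenset()):
    """Accounts an attacker who owns `start` can reach by following recovery links.

    Accounts in `hardened` have their reset path blocked (for example, the reset
    now demands a second factor or goes to an isolated mailbox), so the walk does
    not enter them.  The start account itself is not counted.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in seen or nxt in hardened:
                continue
            seen.add(nxt)
            queue.append(nxt)
    seen.discard(start)
    return seen


def rank_entry_points(graph, hardened=frozenset()):
    """Accounts sorted by how much a takeover of each one exposes (largest first)."""
    return sorted(
        ((acct, len(blast_radius(graph, acct, hardened))) for acct in graph),
        key=lambda pair: (-pair[1], pair[0]),
    )


def total_exposure(graph, hardened=frozenset()):
    """Sum of every account's blast radius: one number to drive down."""
    return sum(len(blast_radius(graph, acct, hardened)) for acct in graph)


def best_account_to_harden(graph, already=frozenset()):
    """The single account whose hardening (two-factor on reset, recovery address
    moved to a standalone mailbox, link removed) cuts total exposure the most."""
    best, best_score = None, total_exposure(graph, already)
    for acct in sorted(graph):
        if acct in already:
            continue
        score = total_exposure(graph, already | {acct})
        if score < best_score:
            best, best_score = acct, score
    return best, best_score


if __name__ == "__main__":
    for acct, size in rank_entry_points(RECOVERY_GRAPH):
        print(f"{acct:12s} exposes {size} other account(s)")
    print("total exposure:", total_exposure(RECOVERY_GRAPH))
    print("harden first:", best_account_to_harden(RECOVERY_GRAPH))
```

On this constructed graph the most damaging entry point is the Amazon account (it reaches everything downstream), but the single most valuable account to harden is Gmail, the hub that the other chains run through, not the entry point itself. That is the practical lesson of the "unlink accounts" step: the fix is usually to break the hub, and a recovery mailbox that nothing else can reset is the cheapest way to do it.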
How are you planning to change the way you interact with your online services? Tell us in the comments!
Note: at the time of this writing, both Amazon and Apple had responded by changing their policies to prevent the same type of hack from happening. This story garnered a lot of attention and information is moving quickly. I will do my best to update the post if necessary.