You may have heard about the unfortunate tale of Mat Honan, an editor at Gizmodo whose iCloud account was hacked. This resulted in his iPhone, iPad and MacBook Air being remotely wiped, and his Twitter and Google accounts compromised as well. Yesterday, Honan wrote an article for Wired detailing exactly what happened, so go and read that before continuing.
Honan wasn’t picked by chance. He has a three-letter twitter handle, @mat, and the hacker in question wanted to access it to show off, basically. However, in order to access it, and prevent Honan from regaining control of the account, the hacker also took out his Gmail account, and his Apple devices.
Access was gained by social engineering
Unlike recent attacks against sites like LinkedIn and last.fm, this wasn’t a case of a database being compromised; the attacker used various publicly available information about Honan and then convinced technical support staff at Apple and Amazon to provide the missing pieces. Amazon gave the hacker the last four digits of Honan’s credit card, which Apple use as a form of proof of identity if you lose your iCloud password, and then he was able to reset Honan’s iCloud password.
Next, the attacker was able to reset the password to Honan’s Gmail account, because the password reset email went to his iCloud address. And then he was able to access any other account linked to Gmail, such as Twitter.
The attack would have probably been thwarted by two-factor authentication
Google have offered two-factor authentication on all their accounts for the past 18 months – I enabled it in February last year – which means that an attacker would not be able to access your account even when they have your username and password. The attacker would need the second factor as well; so in my case, they would need my username, password and access to my iPhone. That doesn’t make it impossible, but would mean that an attacker would also need to either hack into my phone or physically steal it from me, so a break-in to my Google account would therefore be very unlikely.
Honan didn’t have this enabled. Furthermore, when the attacker tried to request a new password, Google asked if he wanted a password reset email sent to ‘firstname.lastname@example.org’. Which, because Honan uses the same username on iCloud, meant that once the attacker had access to iCloud, getting access to the Google Account would be relatively easy. Had two-factor authentication been enabled, Google would have asked for a PIN code before revealing any more information.
Back-up, back-up and back-up again
There are two kinds of people in the world – those who have had a hard drive failure, and those who will.
I’m in the former category, having suffered a failure in my laptop in 2004 which meant that I lost several irreplaceable photos. Honan hadn’t backed up his MacBook in a while, and so when the attacker instigated a remote wipe, the data was gone. This included the only copies of some photos of his young daughter. He’s hoping that forensic examination of his computer will get some of the data back but it’s not guaranteed.
If you have ‘Find My Mac’ enabled in iCloud, then be aware that someone could hack in and remotely wipe your Mac, so make sure your data is backed up. External hard drives are pretty cheap these days – you can buy terabyte drives for under £100 now – and all Macs come with Time Machine which, once set up, you can pretty much forget about as it’ll quietly back up everything without any further effort.
I would also recommend some kind of online backup, just in case both your computer and external drive are damaged. I keep important documents in Dropbox (referral link), but there are plenty of other cloud storage and backup services out there.
With sites like Facebook defaulting to ‘public’ unless you tell it otherwise, it can be hard to keep personal information private. You may reveal your current location, details about friends and family or even telephone numbers to anyone on the internet if you’re not careful, and this may include people trying to impersonate you. You may, therefore, wish to keep things like your middle name, mothers maiden name, full date of birth and so on, out of public view.
In this case, the attackers obtained Honan’s address from the WHOIS record for his domain; one of the reasons why I use .uk domains is that private individuals can opt out of having their addresses on the WHOIS records without needing to use a domain privacy service.
The problem with keeping all of your eggs in one basket
Way back when I first created my Apple ID in 2004, I only used it to buy an iPod Mini online, and later for buying songs from the iTunes Store. Nowadays, your Apple ID is a gateway to a whole range of interconnected services, and if its compromised, there’s a lot to lose. And Apple is actively pushing iCloud to all users of its current hardware, both on OS X and iOS.
Apple need to follow Google’s lead and consider offering two-factor authentication, as well as tightening up their customer support processes so that it is harder for attackers to gain access by deception. In the Wired article, it is claimed that Apple’s processes were not followed correctly, but Wired stated that they were able to repeat the process themselves over the weekend.
Either way, this is something that everyone who has a lot of personal data stored by third parties need to be aware of. It’s certainly made me review what I have available in the cloud.