Opinion » Cybernaut

Hack reveals two exploits

Mat Honan is arguably one of the best-established technology reporters in the world, a former contributing editor to WIRED magazine and senior reporter for Gizmodo. He knows a few things about technology. Therefore he's the last person who should have been hacked, and so maliciously that the perpetrators deleted years' worth of his personal data from his computer and devices — apparently all in an effort to cover their tracks so they could take over his Twitter account for a little while.

Initially Honan took responsibility, believing that his password had been compromised, but it soon became clear that there are some glaring security issues out there. The hackers primarily exploited security flaws at Amazon and Apple, obtaining the last four digits of Honan's credit card number through an exploit at Amazon to "confirm" their identity with AppleCare customer service — and so gain access to Honan's iCloud account, which they then used to remotely wipe his iPhone, iPad and MacBook of all his personal data. All of it. That includes photos of his newborn daughter. The hackers also gained access to his Gmail and Twitter accounts, which they damaged as well.

The details of the hack are online at www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/, as well as a follow-up story on how Honan went about recovering some of his personal data. I'll leave it to you to read the grisly details yourself. Both Amazon and Apple have since taken steps to patch their haphazard security and verification systems, and both will require more personal information before they share account information over the phone. But the question remains — how do you prevent this happening to you?

There are a lot of different ways that hackers access your information. While Hollywood makes it seem like hackers use sophisticated code-cracking software to break into your system, it's usually a lot more boring. Most of them use information that is readily available about a person — from paper statements thrown in the trash without being destroyed or shredded, to things like a birthdate, a pet's name or a child's name — to figure out your passwords. A lot of your information is also stolen online in mass data thefts, and for some hackers it's just a matter of filling in a few blanks before they can invade your world.

Most people are predictable and try to keep things simple. A lot of people use their primary email address as their user name, for example, or use the same password for every service they use — and base that password on something obvious, like the dog's name or their birthdate. People rarely change that information.

Also, if it's a question of making things harder for themselves — like setting up their bank account to ask them confirmation questions — most people will go the easy route.

I don't do that anymore. Someone out there already has my bank account number — which isn't really private information, given that it's written on the bottom of every cheque I've ever signed. Someone also gained access to my Hotmail account through an exploit that's caught pretty much everybody I know (my bad for not changing my password every six months). At one point, my bank account and Hotmail account even shared the same password. The only thing that prevented the scammer from getting into my bank account was that my personal verification questions were actually quite difficult. I've since changed my password and verification questions twice, and haven't had a single issue.

I've also taken the step of changing all of my Internet passwords every three to six months. While that may sound like a lot of work, I think I've come up with a personal system that makes them easy to remember while also making my passwords long and impersonal. Basically, I've given every service I use a personal nickname, and I've come up with a code to date my password as well. Short of logging my every keystroke, there's almost no way a hacker is going to stumble on the right password.

I also keep track of all my passwords on a master document, which I've encrypted using Microsoft's Encrypting File System.

The other step I haven't taken yet, but will, to prevent another Honan from happening to me is to use two-step authentication. Google offers this, sending a verification code to your phone or using an authenticator app to add another layer of personalized security to your email. Under your account settings, click on Security to get started — or just change your password, which you probably need to do anyway after reading this, and two-step verification will be there as an option.

Honan's saga also underlines another important issue, and that's the need to have physical backups of everything — everything — that's important to you. Too many people trust all their data to "the cloud" these days, and that's never wise. Using an external hard drive or paying for the pro version of file sharing software like Dropbox is the best way to secure your data. Hackers are good at what they do, but we can take steps to reduce the harm, and make it as hard for them as possible.
