As we're still getting back on our proverbial horses after our very fun but furiously fast trip to the UK, we have a whole lot to get caught up on at home. DIY projects, day job deadlines, and other maintenance items that need a look (like a fridge with very little food) were all unceremoniously placed on hold for four days, and they desperately need some attention. But one thing above all others jumped into my focus on Tuesday morning, and I feel like it's important I take a moment to talk about it (even though Wendy says "You're seriously writing a post about that? OMG, SO BORING!").
I'm not sure if you've heard, but my nerd corner of the Internet has been all abuzz about an event that occurred last Friday, August 3rd. It was a single incident of outright malicious Internet graffiti, done in the name of fun, and the victim was Mat Honan, a tech writer for Wired who once worked for Gizmodo (a tech website). Honan, who happens to be a high profile target in the tech world, had his life turned upside down because a few teenage hackers had it out for him, or more specifically, for his Twitter account "Mat."
Before I get into it, let me first say that this post may seem rather out of left field, given our typical DIY, our life, and living in Old Town type of posts. However, I feel I am qualified enough in the field of Internet security to do a bit of a service to our readers, who would otherwise not hear about this until it is too late, until they have fallen victim to what Mat Honan has had to endure.
I've actually been professionally involved in Internet security for many years, and my involvement started out as a hobby back in college (I apparently pick weird hobbies). Yes, my geekiness doesn't stop at putting underglow on my desk, running thousands of feet of network cable in our 125 year old house, or building my own DIY server rack for all of my home's network and audio gear. I'm a nerd, through and through.
I figure most of our readers have a pretty significant online presence, and many are bloggers themselves, and this sort of destruction would be simply unimaginable if it happened to me. So I'm going to put my knowledge of the Internet and its most easily implemented security practices to use and hopefully help you protect yourself.
This is scary stuff in today's digital age, but it's easy to protect yourself as long as you know how. Besides, quite honestly, protecting yourself and your online life is really almost totally a DIY endeavor. (Do you see what I did right there?)
So What Happened?
The gist of Honan's story is simple, but shocking. On Friday, August 3, Mat Honan's digital life of email, contacts, photographs, documents, appointments, and anything else he had worked for and stored on his computer or iPhone was wiped out in a matter of minutes. It was all done by a person or small group of people with malicious intent, and it was all done using public knowledge of systems and a form of social engineering (the term used when someone gains unauthorized access to systems by deceiving or pressuring people rather than through technical means). And I think the worst part is that it was all done simply by gaining access to personal and cloud hosted email accounts from Apple and Gmail. So if you use any Apple products (like an iPhone, iPad, iTunes, iCloud, etc.), have a Gmail account, or have an email account through some other provider like Yahoo, AOL, Hotmail, or anywhere else (that narrows the population of those at risk to a few billion), it's important that you keep reading so you can protect yourself.
There were no viruses on Honan's computers, no wiretaps in his home, and nobody working on "the inside," as you might see in movies.
The hackers used nothing more than a telephone, an Internet connected computer, and information freely available online to essentially undo and destroy the records of eight years of Honan's life, including all photographs of his one and a half year old daughter. (Parents, how does that make you feel? Angry?) This was all done because he owned a three character Twitter username, "Mat", and that is a desirable entity in the online world. The hackers wanted to use this three character account to embarrass its owner by posting inappropriate tweets. That's it, that's all, similar to a passing thief smashing all of the windows in a car to steal a single cigarette from the console, or a kid getting jumped because he was wearing a nice pair of shoes, and the aggressor just wanted to spray paint those nice shoes.
This story really struck a chord with me. As bloggers, we have so many things stored in various places online. Photos, contacts, interactions, and other bloggy stuff. If it were all gone tomorrow, all of the effort we've put in over the last year would be for naught. On a personal level, we would be just as devastated. Family photos, programming code, all of the things I've worked on for the last 15 years could be missing. Because of the potential impact, I've tried to be very proactive about Internet security. I think the scariest part is that, in Honan's case, he is a very knowledgeable user, but his vulnerability was ultimately the fault of Apple's and Amazon's customer support security practices, and of his failure to implement his own security best practices.
The whole thing was senseless and horrible, but also completely preventable. And as bad as it was, it could have been, and will be, so much worse for future victims. The hackers could have accessed information in his email, gained access to his financial information, and quietly transferred away all of his savings. They could have infiltrated his life and the lives of his contacts to exploit more unsuspecting people. There is so much potential for destruction of lives that goes far beyond a few tweets that are tantamount to a digital toilet papering of a lawn. And as I said, it's preventable, but you have to know how to prevent it and what the root of the problems are.
How Did this Happen to Mat Honan?
The fact is, Honan's data was lost because Amazon and Apple have conflicting security protocols that classify and protect personally identifiable information in different ways. PII, as it is commonly referred to, is something you will hear more and more about in the coming months and years. PII is any combination of information that can be used to identify you specifically to a third party: your Social Security Number (or its last four digits), your mother's maiden name, your email address, your date of birth, or any combination of information that a company feels can uniquely establish that you are who you say you are. You know how you call the bank or credit card customer service and they ask for the last four of your SSN and your mother's maiden name? That, in a sense, is your username and password to your credit card company, and it uniquely identifies you.
Apple customer service uses different requirements than your credit card company to identify you. Apple feels your billing address, email address, and the last four numbers on your credit card verify that you are who you say you are. The problem with this is that anyone with a little time and knowhow can determine your billing address (WhitePages.com or other searches based on your name) and your email address (through various online profiles that are publicly available). Determining the last four digits of a credit card is a little harder, but still very possible.
I suspect this will be changing very soon, but Amazon.com allows you to add a new credit card number to any account by calling their customer service. You don't need to log in or provide any additional information to perform this action. So a hacker who knows the email address on your Amazon account can call and add a credit card number, even a fictitious one. Once it's added, the malicious user hangs up, calls customer service again, gets a different rep, and says "I've lost my password, can you please reset it?" To verify identity, the hacker provides the account email address and the last four digits of the fake card they just added. The password is reset, and now the hacker has access to your Amazon account. Once in your Amazon account the hacker can order things to their heart's content, but more importantly, they have access to your account profile page, which displays the last four digits of all of your cards on file. With that information, the hacker is now free to assume your identity and "verify" they are you to Apple or any other customer service department with the same protocols.
From that point, they are free to reset passwords to email accounts, initiate password retrievals from other email accounts, use cloud services to delete emails or files stored in the cloud (think Gmail, iCloud, Yahoo, Hotmail, Flickr, Facebook, anything). It's a worst case scenario, and it's all made possible by a small hole in Amazon's security protocols and software systems.
But How do you Protect Yourself?
Surprisingly, if you use Gmail as your primary email provider, it's rather easy to protect your account. Using a technology called "Two Factor Authentication," you are able to thwart would-be hackers from proceeding with login attempts even if they've stolen your password (or reset it to something only they know).
There are three types of authentication factors in the computer world, the things a system can check to prove you are you:
- What you know - Passwords, secret answers, obscure information.
- What you have - Physical items like keys or cards, or your phone.
- What you are - Eyes, fingerprints, DNA, the things that make you, you.
Two factor authentication incorporates at least two of the above items. In the case of Gmail's approach, they implement #1 and #2. This way, even if someone knows the password and conquers the "What you know" aspect, they don't have what you must physically possess, and are denied access to your email.
Enabling two factor authentication is simple, and anyone with a cell phone can do it. You just have to go through the guided setup for your email account, provide your cell phone number, and Google will send you a text message with a six digit number each time you need to log in. The URL to begin the setup is: https://accounts.google.com/SmsAuthConfig
The number is a time based token that is only good for a limited period, which means that someone can't use an old and expired token to break in.
If you have an iPhone, Android, or Blackberry phone, it's actually even easier, and you can still access the token even if you don't have cell reception. There's an app that you can download called Google Authenticator. When you are setting up your two factor authentication, you can specify that you have a smartphone. The system will display a QR code for you to scan and will then configure the app with the uniquely generated time based token. Here's a screen shot from my phone. There are multiple numbers listed, one for each account I have set up for two factor authentication.
It's so simple, even a (digitally inclined) caveman could do it.
There is an annoyance factor involved in setting up two factor auth. You must have your phone with you when you want to log in to your email on a new computer, or on one where you last entered a code more than 30 days ago. Also, if you have apps that use Google auth for persistent access, such as the iPhone's mail app, you will need to set up one of the persistent use passwords. And to be sure you aren't SOL if you somehow totally lose your phone, you should print out the list of secret single use codes and put them somewhere very, very safe. Though it can be a bit annoying, it is far less annoying on its worst day than losing everything.
That's it, it's that simple. Two factor auth will save you in most circumstances, but beyond two factor auth, how else can you protect yourself? Well, there are lots of simple and free ways that are easy to setup.
1. Retrieval Email Accounts
Set up an email account whose only purpose is to be your backup account for password retrieval on your important systems. For example, if you use Gmail, you can set up a secondary email address for the event you need a password reset. Don't make this just another email address you use. Instead, create a new email address and don't use it for anything else. Make sure you create it on a secure system that allows for two factor auth, and you should be secure.
2. Vary Your Passwords
Don't use the same password everywhere. Vary your password and determine which variation you use based on the type of system you are accessing. This is a pain, and a serious pain at that, but the same password everywhere will be tragic if exploited. We make sure we use different groups of passwords on financial systems, social networking systems, general accounts, and whatever else we log in to. We have what we classify as "very secure", "sort of secure", and "we don't care" types of passwords.
Every time I'm entering a password into a website I think to myself, "Do I trust the people who are running this website? Should I trust them? And what would happen if someone was able to break into their database and see this password?" This means we use totally different passwords between our credit card company and, for example, a Washington Nationals message board.
3. Enable Facebook Login Alerts
Your Facebook account allows access to so many other systems (like our blog, for example), and Facebook has some really great security protocols that are disabled for most people. Turn on login notifications and login approvals, and manage your recognized devices and active sessions on your Facebook account, so you can be alerted if someone is attempting to log in from an unrecognized system with your Facebook info. The notifications can alert you in enough time that you can change your password and disable access for the unauthorized user, or even prevent unauthorized access altogether.
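To show what those settings actually do behind the scenes, here's a small example I've added here, in Python. It is my own sketch of how a service can implement them, not Facebook's code, and the device names, addresses and attempt log are constructed. A login from a device the account hasn't seen before always produces an alert (login notifications), only succeeds if a second factor code is also presented (login approvals), and the recognized device list and active session list can be pruned by the owner.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Per-account security state a service would keep (constructed, not Facebook's)."""
    recognized_devices: set = field(default_factory=set)
    active_sessions: dict = field(default_factory=dict)  # session id -> device name
    alerts: list = field(default_factory=list)           # what the owner gets notified about


def login(acct, device, ip, password_ok, approval_code_ok=False):
    """Return a session id, or None if the attempt was refused.

    Login notifications: any correct-password attempt from a device the account
    has not seen before is recorded as an alert, whether or not it succeeds.
    Login approvals: such an attempt only succeeds if the approval code (the
    second factor) was also presented; the device is then added to the list.
    """
    if not password_ok:
        return None
    if device not in acct.recognized_devices:
        outcome = "approved" if approval_code_ok else "blocked"
        acct.alerts.append(f"{outcome}: new device {device!r} from {ip}")
        if not approval_code_ok:
            return None
        acct.recognized_devices.add(device)
    sid = secrets.token_hex(16)
    acct.active_sessions[sid] = device
    return sid


def end_other_sessions(acct, keep_sid):
    """'Active sessions' control: end every session except the one you're on."""
    ended = [sid for sid in acct.active_sessions if sid != keep_sid]
    for sid in ended:
        del acct.active_sessions[sid]
    return ended


def forget_device(acct, device):
    """'Recognized devices' control: drop a device and any sessions it holds."""
    acct.recognized_devices.discard(device)
    for sid, dev in list(acct.active_sessions.items()):
        if dev == device:
            del acct.active_sessions[sid]


# Constructed attempt log: the owner from her laptop, then a stranger who has
# the password but not the phone. Addresses are documentation-range examples.
SAMPLE_ATTEMPTS = [
    dict(device="wendys-macbook", ip="203.0.113.10", password_ok=True, approval_code_ok=True),
    dict(device="wendys-macbook", ip="203.0.113.10", password_ok=True),
    dict(device="unknown-pc", ip="198.51.100.77", password_ok=True),
    dict(device="unknown-pc", ip="198.51.100.77", password_ok=False),
]


def replay(attempts=SAMPLE_ATTEMPTS):
    """Run the attempt log through a fresh account; return the account and results."""
    acct = Account()
    results = [login(acct, **a) for a in attempts]
    return acct, results


if __name__ == "__main__":
    acct, results = replay()
    for line in acct.alerts:
        print("ALERT", line)
```

Note that the third attempt is the Honan scenario: the stranger has a working password and still gets no session, and the owner gets an alert naming the unfamiliar device, which is the cue to change the password and, with `end_other_sessions`, kick anything that shouldn't be logged in.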
4. Turn Off Mac Remote Wipe
In Honan's case, because the hackers wanted to slow him down, they remotely wiped his iPhone and MacBook using the iCloud "Find My" feature. While a good thing in theory, especially for your phone if it is lost, having this enabled on your MacBook opens you to major problems if hackers break into your MobileMe account. You can turn this off under System Preferences and then the iCloud options.
*As a commenter points out, remote wipe is great if your laptop is stolen and you want to be sure you can access it to erase your data. However, I don't like how it is implemented currently and would like to wait to turn this on until Apple places more security restrictions into initiating a wipe. For example, enabling two factor auth to initiate one. Just my 2 cents.
5. Create a Pin on Your Phone
If you have a smartphone, make sure someone can't just take your phone and start using it. Creating a lock screen pin or password secures your phone if it is lost or stolen. This way a thief doesn't have access to your personal information.
6. Don't Save Sensitive Account Info on Your Phone
I know it is inconvenient to have to type your username and password every time you want to log into accounts within phone apps or on browsers, and that "Remember me" checkbox is so inviting and easy to click, but it's BAD! If someone finds your phone, they already likely have the first clue about where you do your banking or keep other important financial info from the apps on your phone. Don't make it even easier to log in by letting them know your username, or worse, saving all of your login info. Spending a few extra seconds typing this info each time can be the difference between a protected phone and an open one.
7. Back Up Often
This is actually one of the simplest things you can do to protect yourself, but it is also one of the things we all do the least. It's even easier on a Mac than in Windows thanks to "Time Machine," but whatever you use, use both a backup device and a backup service. I recommend a backup service that stores the data you've worked hard on in the cloud, as well as a local device that stores things in your house. Many people are going entirely to "The Cloud," but this has inherent risks. We use a My Book World Edition that has worked really well as a NAS (Network Attached Storage).
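A backup you have never verified or restored from is only a hope, so here is an example I've added to this post, in Python, of the three steps that matter: take a snapshot, check it against a hash manifest, and prove you can restore from it. It is my own illustration and not anything from Time Machine or the My Book; the folder names and file contents are constructed, and the "remote wipe" is simulated by deleting the source folder.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large photo and video files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def snapshot(source: Path, backup_root: Path, label: str | None = None) -> Path:
    """Copy source into a new labelled folder and write a manifest next to it."""
    label = label or time.strftime("%Y%m%d-%H%M%S")
    dest = backup_root / label
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    (backup_root / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return dest


def verify(snapshot_dir: Path) -> list[str]:
    """Return the relative paths whose content no longer matches the manifest
    (altered, missing, or added files), so an empty list means the copy is intact."""
    manifest_path = snapshot_dir.parent / f"{snapshot_dir.name}.manifest.json"
    manifest = json.loads(manifest_path.read_text())
    current = build_manifest(snapshot_dir)
    return sorted(rel for rel in set(manifest) | set(current)
                  if manifest.get(rel) != current.get(rel))


def restore(snapshot_dir: Path, target: Path) -> list[str]:
    """Copy a snapshot back over target, refusing if the snapshot fails verification."""
    problems = verify(snapshot_dir)
    if problems:
        raise ValueError(f"snapshot failed verification: {problems}")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot_dir, target)
    return sorted(build_manifest(target))


def demo() -> dict:
    """Constructed walk-through: back up, verify, catch a damaged copy, restore."""
    work = Path(tempfile.mkdtemp())
    source, backups = work / "Pictures", work / "backups"
    backups.mkdir()
    (source / "2012").mkdir(parents=True)
    (source / "2012" / "daughter.jpg").write_bytes(b"constructed jpeg bytes")
    (source / "notes.txt").write_text("draft blog post")

    snap = snapshot(source, backups, label="first")
    clean = verify(snap)                                      # expect []

    # Bit-rot or tampering in the backup copy is caught, and restore refuses it.
    (snap / "notes.txt").write_text("draft blog post, altered")
    damaged = verify(snap)                                    # expect ["notes.txt"]
    try:
        restore(snap, source)
        refused = False
    except ValueError:
        refused = True
    (snap / "notes.txt").write_text("draft blog post")        # repair the copy

    shutil.rmtree(source)                                     # simulate the remote wipe
    restored = restore(snap, source)                          # both files come back
    shutil.rmtree(work)
    return {"clean": clean, "damaged": damaged, "refused": refused, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "I have a copy somewhere" into "I have a copy I can trust": run `verify` on the local NAS copy and on the cloud copy on a schedule, and treat a non-empty result the same way you would treat a failed login alert.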
There you have it, those are my top seven tips on protecting yourself, your online identity, and your critical information. By no means is this a comprehensive list of steps one can take to ensure safety on the Internet, but they are seven major steps in the right direction.
Your online security is ultimately your own responsibility, and Mat Honan's incident shows that you can't rely solely on the smart people at the various tech giants you had hoped you could trust. In spite of their perceived best efforts, they serve the masses, not the individuals. As we are all forced towards the cloud and storing all of our most sensitive data on servers and computers that we don't own, there is going to be a very steep learning curve for many people.
The cloud, as a whole, has significant security, reliability, and ownership of data implications that need to be resolved. Couple this with lax security precautions revolving around personally identifiable information and you've got the recipe for disaster that ultimately ended up in Mat Honan's situation. It's an individual's responsibility to be informed, but when full information is dependent on non transparent processes for security (such as Apple's data requirement for password reset being in direct conflict with Amazon's approach for making your purchasing life easier), it is impossible for even the most well informed and capable users to be fully responsible for their own digital domain, so you need multiple fail safe precautions.
It will be interesting to see what happens first in the next few years. Whether the industry will make the necessary adjustments to properly protect their users' security before the crush of class action lawsuits that will surely result as hackers move from defacement exploits to a more financially motivated approach remains to be seen. The Cloud is the new wild west of the Internet again, a little like the dot com boom time, only now you have a much wider and far less informed audience of unsuspecting targets than the few classrooms and bedrooms full of nerds that roamed the halls of the Internet in the mid to late 1990s.
Note: This commercial has NOTHING to do with the cloud, it's just marketing to the uninformed and hoping nobody notices. I just love that she says "yay cloud."
Ensuring your individual education and informed status will hopefully protect you from the fumbles that will inevitably continue at the highest corporate levels. When security and a thorough implementation of security best practices goes directly against a for profit company's bottom line, there's a good chance our security will not be held in the highest regard.
Ok, that's enough rambling about Internet security from my DIY blog soap box today. We'll be back next week with actual home improvement DIY stuff, so I hope I've not lost you as a reader. If you've made it to this point in today's post, I both thank you profusely for sticking it out, and also hope you've learned a little bit about Internet security and how to best protect yourself. And if there are a ton of typos and grammatical errors after the second or third paragraph, it's probably because Wendy, my editor, fell asleep at that point in the post.
Do you have any security best practices that you like to implement that I've not touched on? Any horror stories to share? I'd love to hear some of your ideas in the comments...if you're still reading. Are you out there...I hope you are.