Journo totally owned thanks to over-helpful iCloud support

Filed Under: Apple, Data loss, Privacy, Social networks

Mat Honan is a living example of Journalism 2.0.

He's influential in the social media whirl; he writes - or wrote - for Gizmodo; he used to be something-or-other at WIRED magazine; he lives in the Haight in San Francisco; he's not afraid to say what he thinks about Google; he made a post-modern website about Barack Obama of which he's inexplicably proud (the website, not POTUS); and he's moderately keen on himself - but only moderately so, at least for a Journo 2.0.

Honan has also recently been the victim of a hack - a hack of the "why bother with security when I can talk my way past it" sort for which Kevin Mitnick achieved his infamy.

Indeed, some people will probably spend hours telling us that it doesn't even qualify as a hack, although it effectively hacked Honan's digital life into shreds.

Simply put, the hacker - forget that, the criminal - called up Apple support and tricked them into handing over control of Honan's iCloud account.

Apple recently beefed up its password security by forcing users to provide a bunch of security questions. (For the record, Chester liked the idea, but I thought it was a step backwards, and we argued about it in a Chet Chat. The disagreement starts at about 5'30" below.)

In this case, however, the crook side-stepped any and all security using social engineering, persuading an Apple support staffer that he really was the lawful owner of the account, and thereby getting access.

It's really hard to defend against this sort of attack.

You can have - and enforce - utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn't to improve security, it's to save money by taking humans out of the loop. The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.

A physical-world analogue of this sort of inflexibility might be a hotel which had no procedure for recovering property from the room safe. "Sorry, Sir," they'd say. "We don't even look to see what you have left in there to work out if it's really yours. We simply drill the safe out of the wall and destroy it in its entirety. We did warn you: don't forget the code."

Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark.

That's what happened with Honan.

Sadly, the crook wasn't happy just with breaching security at Apple. The hacker also took the trouble of invoking the remote wipe feature of Honan's iDevices - and he's an unashamed fanbuoy, using an iPhone, an iPad and a MacBook Air. The crook was also able to take over Honan's Gmail account, his Twitter account and - through account linking - the Twitter account of Gizmodo, with whom Honan has, or had, a trusted journalistic relationship.

Of course, Honan found out the hard way about all this criminal activity, because the crook redirected his "did you mean to change your password" emails and changed his passwords.

The lessons to be learned?

* Encrypt everything you put into the cloud, using an encryption solution which operates outside the cloud.

* Keep your online accounts separate. Don't link accounts together for convenience, lest they all get compromised in one go.

* Don't link personal and work social media accounts, lest an injury to one become an injury to both.

* Make and keep backups for yourself, outside the cloud. (Honan admits he didn't, and has gone so far as to call himself "a jerk" for not doing so.)

* Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect.
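
The first lesson above, encrypting before anything reaches the cloud with a key that never leaves your own device, as an added Go example that is not from this article or from any product it mentions. It uses AES-256-GCM from Go's standard library; the Vault type, the object names and the sample note are constructed for the illustration. The object name is bound as associated data, so a blob copied to a different name will not decrypt, and the Wipe method shows the flip side that one of the comments below also raises: destroying the local key makes every copy already in the cloud unreadable, without needing to delete anything remotely.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault is a constructed example type: the key is generated and kept on the
// user's own device, and only sealed blobs are ever handed to a cloud store.
type Vault struct {
	key []byte // 32 random bytes, i.e. AES-256
}

// NewVault generates a fresh random key. In practice this is what you would
// write to a key file (or a hardware token) that never gets synced anywhere.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Vault{key: key}, nil
}

// aead builds the AES-GCM instance, refusing once the key has been wiped.
func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil {
		return nil, errors.New("vault key has been wiped")
	}
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random nonce and binds the object
// name as associated data, so a blob moved to a different name will not open.
// Output layout: nonce || ciphertext || GCM tag.
func (v *Vault) Seal(name string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. Any change to the blob, the name or the key makes the
// tag check fail and returns an error instead of garbage plaintext.
func (v *Vault) Open(name string, blob []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Wipe overwrites and discards the key. Every blob already sitting in the
// cloud is now unrecoverable, without touching the cloud copies at all.
func (v *Vault) Wipe() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	// constructed sample: the kind of note you might sync to a cloud drive
	blob, err := v.Seal("notes/draft.txt", []byte("draft paragraph for tomorrow's column"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext\n", len(blob))

	pt, err := v.Open("notes/draft.txt", blob)
	fmt.Printf("local decrypt: %q (err=%v)\n", pt, err)

	_, err = v.Open("notes/other.txt", blob)
	fmt.Println("renamed blob:", err)

	v.Wipe()
	_, err = v.Open("notes/draft.txt", blob)
	fmt.Println("after wipe:", err)
}
```

The cloud provider only ever sees the output of Seal, so a support-desk takeover of the account yields ciphertext and nothing else; the key file is the thing to back up offline, which ties this lesson to the backup lesson above.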

I know that this advice sounds as though I'm urging you to buy a dog and bark yourself. Why embrace the cloud if you end up re-implementing some of the features it offers you (often apparently "for free")?

The answer is simple: it's your digital life.

Use the cloud to add some convenience to your digital lifestyle, but make sure that you embrace the cloud. Don't let the cloud embrace you!




18 Responses to Journo totally owned thanks to over-helpful iCloud support

  1. Carrie · 1154 days ago

    Do you have any encryption services you recommend?

  2. Brian Shaw · 1154 days ago

    I may suggest proofreading this again. There are a few mixed bits, such as: "side-stepped and any all security" should read "side-stepped any and all security". Also you state "a hack so trivial in some respects that Kevin Mitnick could have done it." Not sure what you are implying here. Do you mean to say that Kevin Mitnick is somehow incapable of a non-trivial hack and even incapable of some trivial hacks? Maybe I am reading it wrong but that is how it appears to me.

    • Paul Ducklin · 1154 days ago

      Thanks - the "any and all" is now fixed, and I reworded the Mitnick reference to try to avoid ambiguity.

  3. Ken Davey · 1154 days ago

    Just read an article the other day about how the Woz is alarmed over the potential for a dreadful mishap with cloud computing (and I have to agree with him). I guess this wasn't the mishap he had in mind but sometimes we need little warnings to appreciate the bigger worries.

  4. Jon · 1154 days ago

    Nice article. Can you clarify what you mean by recommending (in a couple of your bullet points towards the end) not linking accounts together, please? Is this something specific to Twitter or does it apply to email accounts too, in which case what is it?

    • Paul Ducklin · 1153 days ago

      See @Richard's comment - I meant to avoid making your everyday FB account (for example) the same one that is linked to your work account with "admin" privileges. As @Richard suggests, this technically could get you in hot water with the T&Cs, though if you have two accounts, both in your real name (or two variants of it), and you use only one of them for your personal stuff...can't see how that would be objectionable. You wouldn't be pretending you're someone you're not.

      Same sort of reason that you don't give your everyday Windows account admin rights: you don't want admin rights when you're not adminning...

  5. Richard · 1154 days ago

    "Don't link personal and work social media accounts"

    As far as this is concerned, to operate within the T&Cs you have no choice. For example Facebook. You're technically only allowed 1 account that must be your real name and you must then manage the work based pages from that account.

    Twitter etc. might be a different story but it's easier said than done if you want to comply with the T&Cs, and let's be honest, every company or professional should.

  6. Stephen Wing · 1154 days ago

    Although I agree with many of your recommendations, surely even if Mat had implemented a third party wipe service, this wouldn't have helped him, as I don't believe you can disable the wipe facility (without going the whole hog and not using it at all on any device)...

  7. Lucifer · 1153 days ago

    Thank you, Mat; for vindicating my anti-cloudist stance (we really need a word for anti-cloudist).

    For many years, clients and colleagues have proffered me gifts of meter after meter of aluminium foil.

    Whoever coined the term "cloud" was a person of great wisdom.

    Clouds are impermanent, fragile and can be swiftly and easily dispersed.

    Whoever relies solely upon "the cloud", or indeed uses it unless it isn't absolutely necessary; he or she deserves a dose of Honanism.

  8. DaveK · 1153 days ago

    he made a post-modern website about Barack Obama of which he's inexplicably proud (the website, not POTUS);

    Err, that joke doesn't quite work. If "he" (meaning Honan) was proud of POTUS rather than the website, then it would be "of whom he's inexplicably proud", not "of which"; there isn't actually any ambiguity in that. I think you misidentified where the ambiguity lies: there is in fact an ambiguity there, but it's about whether the "he" who is proud of the website is Honan or Obama, not about whether Honan's proud of the website or the POTUS. You should have written:

    he made a post-modern website about Barack Obama of which he's inexplicably proud (Honan, not POTUS);

  9. M.L. Price · 1153 days ago

    Has anyone yet reported exactly what the pest (I won't malign hackers) said to gain the trust of the Apple Employee? He must have known some key piece of information or more about Honan for the ruse to work.

  10. Mark · 1153 days ago

    This highlights some of the problems with the new "everything connected in the cloud" ecosystems that Microsoft, Apple and Google are pushing. Microsoft's version via SkyDrive and Windows 8 seems particularly troubling as there are few controls within Win8 for how accounts and permissions are shared and they are all/nothing style sledgehammers. "It just works" is the mantra and unfortunately they give little detail about "how" and what the implications may be if something goes wrong.

  11. anon · 1151 days ago

    Apple could avoid permanently deleting data during a remote wipe by *encrypting* the data instead of deleting it.

  12. Joe Rioux · 1124 days ago

    I have a simpler suggestion: DON'T KEEP SENSITIVE INFORMATION IN "THE CLOUD". Idiots.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog