Sophos Cloud Optix
Mat Honan is a living example of Journalism 2.0.
He’s influential in the social media whirl; he writes – or wrote – for Gizmodo; he used to be something-or-other at WIRED magazine; he lives in the Haight in San Francisco; he’s not afraid to say what he thinks about Google; he made a post-modern website about Barack Obama of which he’s inexplicably proud (the website, not POTUS); and he’s moderately keen on himself – but only moderately so, at least for a Journo 2.0.
Honan has also recently been the victim of a hack – a hack of the “why bother with security when I can talk my way past it” sort for which Kevin Mitnick achieved his infamy.
Indeed, some people will probably spend hours telling us that it doesn’t even qualify as a hack, although it effectively hacked Honan’s digital life into shreds.
Simply put, the hacker – forget that, the criminal – called up Apple support and tricked them into handing over control of Honan’s iCloud account.
Apple recently beefed up its password security by forcing users to provide a bunch of security questions. (For the record, Chester liked the idea, but I thought it was a step backwards, and we argued about it in a Chet Chat. The disagreement starts at about 5’30” below.)
In this case, however, the crook side-stepped any and all security using social engineering, persuading an Apple support staffer that he really was the lawful owner of the account, and thereby getting access.
It’s really hard to defend against this sort of attack.
You can have – and enforce – utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn’t to improve security, it’s to save money by taking humans out of the loop. The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.
A physical-world analogue of this sort of inflexibility might be a hotel which had no procedure for recovering property from the room safe. “Sorry, Sir,” they’d say. “We don’t even look to see what you have left in there to work out if it’s really yours. We simply drill the safe out of the wall and destroy it in its entirety. We did warn you: don’t forget the code.”
Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark.
That’s what happened with Honan.
Sadly, the crook wasn’t happy just with breaching security at Apple. The hacker also took the trouble of invoking the remote wipe feature of Honan’s iDevices – and he’s an unashamed fanbuoy, using an iPhone, an iPad and a Macbook Air. The crook was also able to take over Honan’s Gmail account, his Twitter account and – through account linking – the Twitter account of Gizmodo, with whom Honan has, or had, a trusted journalistic relationship.
Of course, Honan found out the hard way about all this criminal activity, because the crook redirected his “did you mean to change your password” emails and changed his passwords.
The lessons to be learned?
* Encrypt everything you put into the cloud, using an encryption solution which operates outside the cloud.
* Keep your online accounts separate. Don’t link accounts together for convenience, lest they all get compromised in one go.
* Don’t link personal and work social media accounts, lest an injury to one become an injury to both.
* Make and keep backups for yourself, outside the cloud. (Honan admits he didn’t, and has gone so far as to call himself “a jerk” for not doing so.)
* Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect.
I know that this advice sounds as though I’m urging you to buy a dog and bark yourself. Why embrace the cloud if you end up re-implementing some of the features it offers you (often apparently “for free”)?
The answer is simple: it’s your digital life.
Use the cloud to add some convenience to your digital lifestyle, but make sure that you embrace the cloud. Don’t let the cloud embrace you!
–
Do you have any encryption services you recommend?
Errr, as a matter of fact, I do 🙂 I didn't labour the point in the article, since the service I'm thinking of is our own…but here is the blurb:
http://www.sophos.com/en-us/products/encryption/s…
We also have remote wipe services in various of our products. Articles which might be of interest (and which include some light marketing 🙂 are here:
http://nakedsecurity.sophos.com/2012/07/31/almost…
http://nakedsecurity.sophos.com/2012/03/05/bring-…
HtH.
What about Mac Users? The blurb seems to refer to Windows only.
And if you have no product for Mac, can you suggest any? (You're not marketing, I'm asking.)
Thanks,
paul
I may suggest proofreading this again. There are a few mixed bits such as. "side-stepped and any all security" should read "side-stepped any and all security" Also you state "a hack so trivial in some respects that Kevin Mitnick could have done it." Not sure what you are implying here. Do you mean to say that Kevin Mitnick is somehow incapable of a non trivial hack and even incapable of some trivial hacks? Maybe I am reading it wrong but that is how it appears to me.
Thanks – the "any and all" is now fixed, and I reworded the Mitnick reference to try to avoid ambiguity.
Proofread again – what is "the social media whirl" ?
Just read an article the other day about how the Woz is alarmed over the potential for a dreadful mishap with cloud computing (and I have to agree with him). I guess this wasn't the mishap he had in mind but sometimes we need little warnings to appreciate the bigger worries.
Nice article. Can you clarify what you mean by recommending (in a couple of your bullet points towards the end) not linking accounts together, please? Is this something specific to twitter or does it apply to email accounts too- in which case what is it?
See @Richard's comment – I meant to avoid making your everyday FB account (for example) the same one that is linked to your work account with "admin" privileges. As @Richard suggests, this technically could get you in hot water with the T&Cs, though if you have two accounts, both in your real name (or two variants of it), and you use only one of them for your personal stuff…can't see how that would be objectionable. You wouldn't be pretending you're someone you're not.
Same sort of reason that you don't give your everyday Windows account admin rights…you don't want admin rights when you're not adminning…
"Don't link personal and work social media accounts"
As far as this is concerned, to operate within the T&Cs you have no choice. For example Facebook. You're technically only allowed 1 account that must be your real name and you must then manage the work based pages from that account.
Twitter etc might be a different story but it's easier said than done if you wan't to comply with the T&C's and lets be honest every Company or Professional should.
Although I agree with many of your recommendations, surely even if Mat had implemented a third party wipe service, this wouldn’t have helped him, as I don’t believe you can disable the wipe facility (without going the whole hog and not using it at all on any device)…
Thank you, Mat; for vindicating my anti-cloudist stance (we really need a word for anti-cloudist).
For many years, clients and colleagues have proffered me gifts of meter after meter of aluminium foil.
Whoever coined the term "cloud" was a person of great wisdom.
Clouds are impermanent, fragile and can be swiftly and easily dispersed.
Whomever relies solely upon "the cloud", or indeed uses it unless it isn’t absolutely necessary; he or she deserves a dose of Honanism.
he made a post-modern website about Barack Obama of which he’s inexplicably proud (the website, not POTUS);
Err, that joke doesn’t quite work. If “he” (meaning Honan) was proud of POTUS rather than the website, then it would be “of whom he’s inexplicably proud”, not “of which”; there isn’t actually any ambiguity in that. I think you misidentified where the ambiguity lies: there is in fact an ambiguity there, but it’s about whether the “he” who is proud of the website is Honan or Obama, not about whether Honan’s proud of the website or the POTUS. You should have written:
he made a post-modern website about Barack Obama of which he’s inexplicably proud (Honan, not POTUS);
Has anyone yet reported exactly what the pest (I won't malign hackers) said to gain the trust of the Apple Employee? He must have known some key piece of information or more about Honan for the ruse to work.
The latest update has (reportedly) the full steps taken by the hackers – Apple took 4 digits from his credit card info as proof and those were the 4 digits that the hackers had access to after some social engineering got them into his Amazon account.
http://www.wired.com/gadgetlab/2012/08/apple-amaz…
This highlights some of the problems with the new "everything connected in the cloud" ecosystems that Microsoft, Apple and Google are pushing. Microsofts version via skydrive and Windows8 seems particularly troubling as there are few controls within Win8 for how accounts and permissions are shared and they are all/nothing style sledgehammers. "it just works" is the mantra and unfortunately they give little details about "how" and what the implications may be if something goes wrong.
Apple could avoid permanently deleting data during a remote wipe by *encrypting* the data instead of deleting it.
I have a simpler suggestion: DON’T KEEP SENSITIVE INFORMATION IN “THE CLOUD”. Idiots.