After Steve Wozniak attended "The Agony and the Ecstasy of Steve Jobs" in Washington, a one-man play performed by Apple critic Mike Daisey, Wozniak was invited on stage where he said, "I really worry about everything going to the cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years. With the cloud, you don't own anything. You already signed it away," Woz added. “I want to feel that I own things. A lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything onto the web, onto the cloud, the less we're going to have control over it."
Speaking of a cloud where you have no control and horrendous things can happen, tech journalist and former Gizmodo staffer Matt Honan just suffered a horrible hack. Through him, Gizmodo’s Twitter account was hacked too and began spewing foul-mouthed and racist tweets. Although the hijacked Gizmodo account seems to have been compromised by the hacker group Clan Vv3, Honan blames Apple tech support for all of it.
“I was hacked. Hard,” admitted Honan, who now writes for Wired. “At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash,” he wrote. “At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed. At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air. A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.”
Originally, Honan thought it was a software glitch, but the iCloud login he used to restore his iPhone didn’t work, and his MacBook Air told him his Gmail account information was wrong. The screen went gray and asked for a four-digit PIN he didn’t have. “I checked Twitter, and saw someone had just sent a tweet from that account," he wrote. "I tried to log into Gmail again, and now it told me that my Google account had been deleted.” He could have restored Gmail, but that required a text message to his phone, which he no longer had access to. Then he dealt with Apple tech support, which ran him around in circles before he realized Apple was looking at the wrong account because his last name had been misspelled.
Luckily for Honan, he had help from friends in high places with inside contacts at Google and Twitter. You might be interested to read Honan’s entire story and his many updates, but by “update three” he knew the hack was accomplished by social engineering Apple tech support. “I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my MacBook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of.”
Gizmodo’s story doesn’t exactly match Honan’s updated account, in which his iCloud password was not brute-forced at all; Gizmodo nonetheless wrote, “Don’t rely on the cloud.” In discussing “how you should defend yourself” against such a hack, Gizmodo wisely recommended using different “super-secure passwords” for every account. But “if you can't be bothered to memorize a whole bunch of alphanumeric gibberish, pick up a password manager like 1Password or LastPass, and lock it down with one insanely secure (and unique) master password.”
It’s interesting to note that 1Password says it’s ready to take on the latest "community-enhanced" release of the password cracking tool John the Ripper, though it is ultimately the user’s responsibility to come up with a great Master Password. Although John the Ripper has been adapted to crack password managers’ Master Passwords, and tools were recently developed “specifically designed for making John the Ripper work with 1Password’s Agile Keychain Format,” 1Password claims to have designed its security around the assumption that there is an “automated Master Password guessing tool that is tuned to 1Password data.” This security makes “any password guessing program work extra hard, so that it can only guess thousands of passwords per second instead of many millions per second.” You can try it for free for 30 days, but a single user license for 1Password costs $49.99.
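The "thousands instead of millions per second" claim above comes from key stretching: the Master Password is run through a deliberately slow derivation before it can unlock the vault, so every guess costs the cracker the same work. The following is an added illustration, not code from the article or from 1Password; it assumes PBKDF2-HMAC-SHA1 as a stand-in for the vault's derivation, and the salt, iteration counts and candidate passwords are constructed for the demo.

```python
"""Added example: how key stretching throttles an offline Master Password guesser.

Assumptions (labelled): PBKDF2-HMAC-SHA1 stands in for the real vault derivation;
the salt, iteration counts and candidate strings below are constructed for the demo.
"""
import hashlib
import hmac
import time

SALT = b"constructed-demo-salt"   # constructed; a real vault stores a random per-vault salt
KEY_LEN = 32                      # bytes of derived key material


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a Master Password into a vault key; cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def verify_master_password(candidate: str, salt: bytes, iterations: int,
                           expected_key: bytes) -> bool:
    """Check a candidate against the stored key using a constant-time comparison."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), expected_key)


def guesses_per_second(iterations: int, sample: int = 50) -> float:
    """Measure how many candidates one core can derive per second at a given cost."""
    start = time.perf_counter()
    for i in range(sample):
        derive_key(f"candidate-{i}", SALT, iterations)   # constructed candidates
    return sample / (time.perf_counter() - start)


def slowdown_factor(low_iterations: int = 1, high_iterations: int = 10_000) -> float:
    """How many times slower guessing becomes when the iteration count is raised."""
    return guesses_per_second(low_iterations) / guesses_per_second(high_iterations)


if __name__ == "__main__":
    key = derive_key("correct horse battery staple", SALT, 10_000)  # constructed password
    print("verifies:", verify_master_password("correct horse battery staple", SALT, 10_000, key))
    print("rejects:", verify_master_password("password1", SALT, 10_000, key))
    print(f"1 iteration: {guesses_per_second(1):,.0f} guesses/s")
    print(f"10,000 iterations: {guesses_per_second(10_000):,.0f} guesses/s")
    print(f"slowdown factor: {slowdown_factor():,.0f}x")
```

The absolute numbers depend on the machine, but the ratio between the two rates tracks the iteration count, which is the whole point of stretching: a weak Master Password still falls, only more slowly, so the iteration count buys time rather than replacing a strong passphrase.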
There are plenty of free password managers, such as Clipperz, LastPass, KeePass and Password Safe, which Bruce Schneier recommends. Schneier is but one security expert who has handed out password advice, and there are plenty of tests and opinions on which password managers fail or work best. Ironically, some of them store that password in the cloud that you don't control, which takes us back to Woz, who believes the cloud is horrendous and that we'll have "horrible problems" within the next five years. Even if you keep an ultra-secure password or passphrase, if your services are connected to and stored in the cloud, and therefore accessible to law enforcement or government snooping via ECPA, there is a possibility that you could be done in by tech support with loose lips who succumb to clever social engineering. Why? Because it is human nature to want to help . . . and also because there is no patch for human stupidity.