60-minute security makeover: Prevent your own 'epic hack'
Got an hour? Here are some ways to better secure your digital life.
August 23, 2012 06:02 AM ET
Computerworld - How's this for a digital nightmare? Your Twitter account hijacked; racist and homophobic tweets posted in your name. Your Apple account breached; data wiped from your iPhone, iPad and Mac laptop. Your Gmail password reset by hackers and your Google account deleted.
That's what happened to Wired journalist Mat Honan recently. And while news coverage of his "epic hack" may be easing, you can bet there's an army of would-be imitators who, as you read this, are trying to duplicate that attack.
Honan was somewhat careless (especially having no backups of his wiped data) but also very unlucky. However, now that word of the attack has been widely publicized, it would be wise to try to protect yourself from these now well-known vulnerabilities.
The good news? It won't take long. And while you can't expect to create an impenetrable defense in an hour, you can implement some strategies to harden your own accounts.
Issue: Using public email addresses for account access, password recovery
Threat: It's hard to believe, but the attackers needed little more than Honan's email address to kick off the process of hijacking his Twitter and Apple accounts. They started with only his Gmail address and his billing address (available in many public records) and leveraged lax account-recovery policies at Amazon and Apple to get into his accounts.
Defense: Don't use a publicly known email address for your account login and password-reset contact info. Instead, use one or more separate addresses that you reserve only for this use and not for any other type of communication. This makes it harder for someone who knows your personal or business email address to use that information to gain access to other accounts.
Your ISP likely allows you to add additional email accounts. Alternatively, you can use an email service you trust to create a new account, or you can register your own domain and add a hard-to-guess email address there. Don't use that hard-to-guess address as the contact address for the domain itself: domain contact details are exposed through whois lookups, which is how Honan's attackers found his billing address.
Really security conscious? Set up multiple email addresses so you've got different ones per account, or have multiple addresses that forward to one private box. This way, even if one account is breached, it won't help anyone gain access to another by knowing the email address you use there.
Bonus: People trolling for information about you will have less success overall.
Time: Setting up a new address at your ISP or domain: 3-5 minutes. Setting up multiple forwarders to that address: another 3-5 minutes. Changing login/contact/password reset email address: 1-2 minutes per account. Suggestion: It will probably feel less onerous if you change contact addresses the next time you log into each of your accounts, instead of sitting down to do them all at once.
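As an added example (not from the article, and not code from any of the services it names), the following Python script does the per-account alias setup described above: it generates a fresh, hard-to-guess address for each account, renders the forwarders as a Postfix-style virtual alias map pointing at one private mailbox, and audits a recovery contact for the mistakes the article warns about. The domain example.org, the mailbox inbox-7f3a@example.org and the service names are constructed placeholders; the "alias  destination" line format is the standard Postfix virtual_alias_maps form.

```python
"""Per-account recovery aliases forwarding to one private mailbox.

Added example, not from the Computerworld article. Assumes you control a
domain (ALIAS_DOMAIN) and run a Postfix-style MTA that reads a virtual alias
map of the form "alias  destination". Domain, mailbox and service names are
constructed placeholders.
"""
import math
import secrets
import string

ALIAS_DOMAIN = "example.org"                # assumed: a domain you control
PRIVATE_MAILBOX = "inbox-7f3a@example.org"  # assumed: the box aliases forward to; never published
ALPHABET = string.ascii_lowercase + string.digits
LOCAL_PART_LEN = 12                         # 12 chars of [a-z0-9]: about 62 bits of guessing work


def make_alias(length=LOCAL_PART_LEN):
    """Return one hard-to-guess address under ALIAS_DOMAIN.

    The local part is random and carries no hint of the service it is for, so
    learning one alias (or a masked hint of it, as on Honan's Google recovery
    page) tells an attacker nothing about the aliases used elsewhere.
    """
    local = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{local}@{ALIAS_DOMAIN}"


def alias_entropy_bits(length=LOCAL_PART_LEN):
    """Bits of entropy in a random local part of the given length."""
    return length * math.log2(len(ALPHABET))


def build_alias_book(services):
    """Give each service its own fresh alias (a collision is regenerated)."""
    book = {}
    for service in services:
        alias = make_alias()
        while alias in book.values():
            alias = make_alias()
        book[service] = alias
    return book


def postfix_virtual_map(book, private_mailbox=PRIVATE_MAILBOX):
    """Render the book as virtual_alias_maps entries, 'alias  destination' per line.

    Only the aliases appear in the map; which service uses which alias stays
    in your own notes, not in the mail configuration.
    """
    lines = [f"{alias}  {private_mailbox}" for alias in sorted(book.values())]
    return "\n".join(lines) + "\n"


def audit_recovery_contact(contact, book, public_addresses):
    """List what is wrong with using `contact` as a login/recovery address.

    Flags a publicly known address (the article's main warning), the private
    mailbox itself, and one alias reused across several services.
    """
    contact = contact.lower()
    problems = []
    if contact in {addr.lower() for addr in public_addresses}:
        problems.append("recovery contact is a publicly known address")
    if contact == PRIVATE_MAILBOX.lower():
        problems.append("recovery contact is the private mailbox itself")
    if sum(1 for alias in book.values() if alias.lower() == contact) > 1:
        problems.append("recovery contact is shared with another service")
    return problems


if __name__ == "__main__":
    # Constructed sample: four accounts and one publicly known address.
    book = build_alias_book(["twitter", "apple-id", "amazon", "google"])
    print(f"{alias_entropy_bits():.1f} bits per alias")
    print(postfix_virtual_map(book))
    print(audit_recovery_contact("public.name@example.org", book, ["public.name@example.org"]))
```

The local part deliberately contains no service name: the article's step 2 shows how a recovery hint that exposed "me.com" told the attackers Honan had an Apple ID, and an alias like twitter.xxxx@ would leak the same kind of clue.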
How the "epic hack" went down
1. The attackers followed a link on Mat Honan's Twitter account to his personal website, which listed his Gmail address (firstname.lastname@example.org).
2. Entering his Gmail address on Google's password recovery page allowed them to see his alternate email address, partially obscured. They guessed that email@example.com stood for firstname.lastname@example.org. Since Me.com is an Apple service (now called iCloud), they knew Honan had an Apple ID.
3. The attackers found Honan's billing address via a whois search on his website's domain name. (That information is also available in many public records.) Using this and his email address for verification with Amazon.com, they social-engineered their way into seeing the last four digits of the credit card he had on file.
4. Those four digits were the ticket into Honan's Apple ID account, giving the attackers enough information to convince an AppleCare phone support rep to issue a temporary password to them for the account. They then reset Honan's Apple ID/iCloud password, locking him out.
5. The attackers used the Me.com address they now controlled to change Honan's Google account password, and they used access to his Gmail to change his Twitter password -- after which they deleted his Google account. Meanwhile, they used iCloud's remote wipe service to completely erase Honan's iPhone, iPad and MacBook.