Today, I was reading a heck of a recap by tech journalist Mat Honan about how his iCloud account was hacked. From the vantage point of his iCloud account, they wiped his iPhone, wiped his iPad, wiped his MacBook Air, deleted his GMail account, and compromised his former employer’s Twitter account – talk about a painful outcome.
I noted a bunch of things that could have helped in this situation (better backup strategy, for example) but it turns out the weakest link in the security chain may not have been in Mat’s direct control.
Trust is not a control
You see, rather than brute-forcing Mat’s account, Mat says the “foul mouthed hackers” that took over his iCloud account gained access to his account by doing some creative social engineering by contacting Apple customer support and bluffing their way around the normal security questions. This allowed them to get into his iCloud account where they had access to his devices, email, and a bunch of other resource that enabled them to mess around with Mat – and I mean big-time.
The problem here is that we often turn over a lot of our data to 3rd-party providers without really understanding what protocols they have in place to keep our access and accounts safe. We also tend to link accounts for convenience without paying attention to the potential problems this can cause (Mat had his email linked to his employer’s Twitter account, and it stayed that way even after he moved on to other opportunities). And, even thought it doesn’t seem to have been the case here, a lot of us reuse passwords across multiple accounts.
The challenge here is that it creeps up on us in subtle ways, since we create these accounts and relationships in tiny steps over a longer period of time.
Take a fresh look at your security
From a personal perspective, it is up to us to review our security posture and try to find areas where we are relying on trust or weak security controls, and investigate ways to strengthen our security and hygiene. For example:
- we might consider turning on GMail’s 2-factor authentication;
- we may audit our accounts for weak or shared password;
- we may review our backup strategy and ensure the appropriate redundancy & frequency, etc.
Granted, we aren’t all as visible as Mat Honan, so we may not be as likely a target but it’s worth a look to see if we are relying on trust, luck, or some other deficient strategy for our security.
From a company perspective, it is probably also a good idea to engage an independent security assessor to vet our security and see if they can find any obvious or subtle ways of gaining access to our companies. I have heard too many stories about successful social engineering attacks, and we are often blind to our own limitations – get an objective person to help, if you can.
Also, check out the more comprehensive version of the story from Mat Honan regarding this incident at Wired magazine – “How Apple and Amazon Security Flaws Led to My Epic Hacking” – it’s quite an interesting read.