Security in the iCloud age
Editor’s note: Mat Honan has posted a full account of how hackers gained access to his accounts and wiped out the data on his devices. Apple spokesperson Natalie Kerris told Macworld: “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected.”
The future is now. Our devices are interconnected, and that linking where everything can access everything is wonderful. But it turns out there’s a dark side, too: All that connectivity makes it much easier for an attacker to compromise all our data, no matter where it is. Wired’s Mathew Honan learned this the hard way over the weekend, as a hacker not only gained access to his devices, but also wiped all the data from them causing a fair bit of mayhem along the way.
As Honan reported on his blog, he was hacked hard. And the attacker didn’t use complicated algorithms to brute force his way into Honan’s accounts. Instead, the hacker reportedly called up Apple’s technical support line, pretended to be Honan, and successfully provided answers to Honan’s self-selected security questions—the very ones Apple asks of all iCloud customers, to ensure that their accounts are secure. (We contacted Apple to confirm that account of events, but the company hasn’t responded.) [Update: Honan has said via Twitter that the hacker did not provide security question answers, but rather compromised the account in a different way.]
That’s a technique called “social engineering,” which takes advantage of what is often seen to be the weakest link in the security chain: other people. Even the most secure password in the world can be compromised if you can convince the person on the other end of a phone line that you’re the account holder in question.
Merely having his Twitter and Gmail accounts compromised, and the data on his iPad, iPhone, and Mac wiped out would be bad enough for Honan (who, we should note, is a former Macworld editor). What made matters worse in Honan’s case was the fact that he lacked any backups for more than a year’s worth of data.
The take-home lesson for the rest of us, then, is that our security is multi-faceted. There are many steps you can take to keep your data secure, and some important questions you might want to consider before you sign up for new services or add new devices.
Secure that password!
Any password can be compromised (especially given enough time or inclination). But a secure password is still your first line of defense. Using common data like a birthday or a child’s name can be guessed by anyone who has access to your Facebook profile. And yet, past password leaks have shown that many users still rely on inane passwords like ‘1234’ or even just the word ‘password.’ Those are in many cases as ineffective as having no password at all.
A good password has two important qualities. First, unlike the aforementioned passwords, it’s hard to guess, meaning that somebody has to either trick a person into revealing their password, or perform what’s called a brute-force attack—essentially, trying every possible password until they hit upon the correct one.
Second, a good password is easy to remember. That means that it’s something you can recall without writing it down—because, as soon as you have to write it down, it means that you’ve already compromised the security of that password. The best password is stored only in your head.
So, though you might be encouraged to create a password of random alphanumeric characters, like xdK92z!, it turns out that they’re not terribly secure, because they’re hard to remember, and relatively simple for a computer to crack. You can add a tremendous amount of complexity to your password with a technique that ends up keeping your password fairly simple to remember: Use a full sentence. This adds an order of magnitude of difficulty for a computer to guess your password through brute force, particularly since—despite thrilling movie scenes that show passwords hacked character by character—a hacker needs to determine your entire password in one go. With a password like “Six dogs ate schnitzel in a haberdashery,” instead of merely needing to pick one right word at random, or a relatively short series of jumbled characters, the algorithm would need to correctly guess seven unique words in tandem.
Even just a series of random words that you can connect with a mnemonic (such as “correcthorsebatterystaple”) is more secure than many randomized passwords.
Passwords are not recyclable—do not reuse
And as you’ve no doubt heard, you don’t want to use the same password at more than one site. Though there are software solutions—including OS X’s own built-in Keychain—that can help you keep track of multiple passwords, there’s an easy way to do so on your own, too: Keep your core password the same, and add special pre- and/or post-fixes based on the specific sites or services you’re using.
For example, you might decide to take the first and last letter of a site’s name and use them in combination with your password: “Six dogs ate schnitzel in a haberdashery” becomes “ANSix dogs ate schnitzel in a haberdashery” for Amazon, and “EYSix dogs ate schnitzel in a haberdashery” for eBay. That way, it becomes considerably more difficult for a hacker who gets access to your Amazon password to use that information to start bidding on auctions elsewhere. (The more complicated your pattern, of course, the better you’re protected.)
The security question question
Even if you follow all that password advice, though, it’s not enough to guarantee your security: Many attackers take a social engineering approach instead. Even the toughest password in the world could fall victim to a charming hacker who sweet-talks the agents on the line for customer support.
You’ve likely noticed a trend in recent years towards more, shall we say, creative security questions from certain websites. As “your mother’s maiden name” becomes overused, banks and other sites that value security have turned to increasingly esoteric questions: the city where you met your spouse, the first name of your oldest niece, or the street of the first place you lived. Some sites even provide the ability to make your own custom questions. Which can be helpful, up until two years later, when you suddenly can’t remember the answer to “Why we laughed all night on that Hawaiian vacation?”
In the past, hackers have even gained access to Sarah Palin and Paris Hilton’s inboxes by providing the necessary (and discoverable) answers via an online form—no extra human required. A good rule of thumb is: If someone can guess or Google for the answers to your security questions, they’re not very secure.
This puts customers in a tough spot. Your first instinct might be to use fake answers to your security questions, since in theory an intrepid searcher shouldn’t be able to guess those. But just as “xdK92z!” makes a lousy password, it’s a subpar security answer, too, because it’s yet another piece of data—in this case fictional—that you have to remember.
One option you could consider is using a pseudo-password alongside your security answers: If your Mom’s maiden name is Ellen, you might use “Ellen schnitzel haberdashery” instead; your eldest niece becomes “Claire schnitzel haberdashery.” Such a secure measure should at least give a theoretical support rep pause before agreeing to an imposter’s request to reset your password. Unfortunately, though, unless Apple overhauls its security policies—by implementing two-factor authentication, limiting under what circumstances or time frames it will allow a customer’s data to be reset, or both—your iCloud account is still only as safe as a support rep treats it.
Google, for example, offers two-factor authentication as an option. When you enable it, after you log in with your password, Google sends a code to your cell phone via text message. Only after you enter that code do you get logged in. That way, an attacker needs to figure out your password and steal your phone to break into your account, and we know most nerds don’t make good muggers.
Consider your options
Apple has been pushing iCloud hard with the release of Mountain Lion, and the company’s only likely to become more insistent over time. But as great as it is to have all your documents and other information available, no matter which device you’re on, it can lead to vulnerabilities, too.
For example, the Find My iPhone service not only allows you to locate your iPhones, iPads, and Macs—which could be a potential security risk if you don’t want people knowing where you are—but once you’ve logged into the service, you can also use it to remotely wipe data from those devices.
On the upside, you can use that service to prevent someone who’s stolen your physical device from gaining access to your data. On the other hand, if someone breaks into your account and remotely wipes your data, that means you’ll at the very least have to spend time restoring your devices. Far more catastrophic is the case where, as with Honan’s situation, you have out-of-date backups or no backups at all.
Of course, that’s not a reason not to use that feature, any more than worrying about sharks is a reason not to go swimming. But it’s worth considering the consequences of a service before you blithely sign up for it, and it’s definitely worth making sure that an account which has access to such capabilities is as secure as possible.
Back that disk up
It should go without saying that every user needs to have a current backup of the data on their electronic devices—preferably more than one. Data loss happens for a number of reasons, but that can include security violations. Having a remote online backup is valuable, just in case your house is flooded or catches on fire, but it’s unwise to put your only backup into the hands of an online service. Had Honan’s hacker been especially malicious, he could easily have deleted the iCloud Backups for Honan’s iOS devices.
We’ve written plenty about backing up, but the short short version is: Use Time Machine, sign up for a service like CrashPlan, or at the very least, save your most important data to Dropbox. Of course, no online service is bulletproof, so it’s always wise to keep at least one local copy of your data, just in case.
What happened to Mat Honan was, in a word, awful. We don’t want that to happen to us, or you. But while an Apple support rep may be to blame for enabling Honan’s victimization, blame for the data loss—as Honan would no doubt agree—falls squarely on his shoulders.
Having good backups means never worrying about your data.
Couple that peace of mind with strong passwords, strong security answers, and careful consideration about the services you enable, and you needn’t feel fear each time you register for a new online service or save your files to the cloud.
Updated at 11:34 a.m. PT throughout to reflect that Honan’s account was not compromised via his security questions.
Updated at 5:13 p.m. PT with comment from Apple and a link to Honan’s own post.
[Senior editor Dan Moren and staff writer Lex Friedman strongly urge you not to use “schnitzel haberdashery” as your password, since we’ve now given that one away.]