007 and the Hacker Threat

“You have a secret that can ruin your life.”

That’s how Mat Honan opens his article in this month’s Wired magazine: Kill the Password: Why a String of Characters Can’t Protect Us Anymore. Please set aside 15 or 20 minutes to read that article. Save it to Instapaper, print it out, whatever. Finish it before you go to sleep tonight. The article is that important.

The key point I want you to take away from the article is that it can happen to you.

I think someone tried to hack my life a bit in the last couple of weeks. Not as bad as what Mat Honan went through, but enough to put me on hyper alert.

Incident One: About a week ago I received a notice from American Express that the company had detected some questionable activity on one of my accounts. Specifically, it appeared someone tried to use my wife’s card to try to purchase some crap. I spoke with Amex, got it taken care of, and that should have been the end of it.

Incident Two: Over the weekend, I received a notice from another credit card company that again someone tried to use the card in my wife’s name to purchase some junk. One of the attempted transactions was a purchase at a company that also showed up on the Amex fraud alert. Interesting. The company, Skinit.com (I won’t give them a link), makes iPhone cases. It’s a small company, so the fact that it showed up twice in attempted fraudulent transactions makes me think it was the same person. How that individual got two credit cards for our household is unknown, but I don’t like it.

Incident Three: I received an email from Twitter dated last Wednesday so I could reset my password. Someone tried to reset my Twitter password. I know I didn’t try to reset it because I was completely off the grid on Wednesday. The email might be a phishing attempt, but maybe not.

I don’t want to seem paranoid, but I’m reminded of something Ian Fleming wrote in Goldfinger:

Mr Bond, they have a saying in Chicago: ‘Once is happenstance. Twice is coincidence. The third time it’s enemy action’.

Yes, two of the incidents were financial fraud attempts and the third looks like a hacking attempt. The odds are good that the same person who tried credit card fraud is not the same person who tried to reset my Twitter password. Nevertheless, how many wakeup calls do I need?

More importantly, will you look at what’s happened to a low-profile lawyer and conclude you need to act before something bad happens to you? Will you also look at what happened to Mat Honan and realize you’re not immune?

First thing I’m going to do is a massive password reset on every web site and service I can think of. I’ve already removed all credit cards stored at Amazon.com. I’m using double authentication for Google Mail and Dropbox. I’m also setting up a “password reset-only” email address per the suggestion in the Wired article. And I’m going to be a little more paranoid from here on. As a witness in a trial I worked on once remarked, “Just because you’re paranoid doesn’t mean they’re not out to get you.”

Advertisements

Security and hacking nightmare

Wired Magazine journalist Mat Honan had his life hacked over the weekend. Hackers exploited security weaknesses in Amazon and Apple’s iCloud service to take over his Twitter account and Google account. They used the Twitter account to post all sort of racist and homophobic messages. That’s embarrassing, but it’s also minor compared to what else he went through.

In a nutshell, the hackers were able to disable his iPhone, disable his iPad, and wipe his MacBook. As in erase everything, including the last year or two of photographs of his young daughter. (Foolishly, Mat did not have a backup, and he accepts that if he had one, certain irreplaceable things wouldn’t be probably lost forever.)

If you are at all concerned about having someone take over your digital life, you need to read that article in full. Right. Freakin’. Now. You need to understand just how easy it was for these hackers to bypass the security measures at Amazon and Apple. Once the hackers got through those, everything else was even easier.

Don’t think for a minute that Mat Honan set himself up as a target for hackers. They did it for a very simple reason that had nothing to do with him. You can’t assume that since you’re a “nobody” online that hackers wouldn’t target you.

There are lessons to be learned here:

  • Back up your data. All of it. In multiple places. On my work laptop, I use an external hard drive divided into two partitions. One partition uses Apple’s Time Machine backup. The other partition is a clone of the hard drive that gets updated each night. I also use CrashPlan so I have an off-site backup as well. I figure three layers of backup, with one being off site, is a good level of protection. I duplicate this arrangement with the home laptop. With CrashPlan, I can back up unlimited data from as many computers as I want for one reasonable annual fee. They don’t advertise as much as, say, Carbonite, but I think CrashPlan is the best of the online backup options.
  • Don’t use one email address and one password for everything. I’ve written about passwords before, and if you reuse passwords you’re a fool. I hate to be so blunt and insulting, but it’s a fact. Don’t reuse passwords. Period. Not even once.
  • Use smart passwords.
  • Turn on two-factor authentication on Google accounts. This takes a couple minutes to set up, but basically it requires anyone signing into your Google account to have your password and your phone. When you sign in, you’ll have to also type in a code from your phone.

Mat Honan’s story is an important one to read. I consider myself to be reasonably cautious about my online security practices, but I have to admit it: what happened to Mat scared the hell out of me. I’ve already gone and turned on Google’s two-factor authentication and taken other steps based on what happened to Mat Honan. (Needless to say, “Find my Mac” is now turned off.) We all know people who have skipped simple things and paid a price later. Don’t be one of those who stand amid the wreckage of their digital lives and say, “I should have…”