August 7, 2012

Of all the scary stories I’ve read about online security – and I’ve read a lot in the past year – this is the scariest.  And it’s also the most recent, which is scarier.

I’ll sum up, since most of you probably won’t want to take the time to read and I don’t blame you, but first I need to establish some credibility.

And I can’t.  Every time I think I can, every time I start to make a mental list of my computing bona fides, my decades of key tapping and logging and learning, I get overwhelmed by what I don’t know.  I’ve written code over the years, but anything past basic javascript and I’m completely lost.  I’m essentially a macro programmer, and an incredibly casual one.  I could probably get better, but I haven’t worked up the interest or the time.

Networks?  Please.  I work at home.

I’m more accomplished at hardware, but hardware is pretty simple, at least if we’re talking about swapping out video cards, processors, or power supplies.  And I still get sweaty and anxious doing that.

What I am, then, and have been for a long time, is a user.  An engaged user, maybe.  A user with an interest in all things tech, too, which essentially means skimming the technology news every day, trying out new tweaks, learning about new threats, figuring out what the really smart people have already figured out.

Engaged and paranoid.  It’s hard to avoid.

Anyway.  The summing up.

Mat Honan, a senior writer for Wired magazine, got hacked the other day, and not in an annoying, embarrassing, time-consuming way.  In a devastating way.

And for no good reason, too.  Somebody liked his Twitter handle, and decided to steal it and mess around, and also decided to use a method with which they’d had some success in the past.

It’s a pretty glorious hack, if you like ingenuity, if you can avoid the visciousness of it, if you like thinking that old ways translate into new ways pretty easily.

Here’s an old way: Let’s say somebody writes you a bad check, on purpose.  An old trick (and probably won’t work anymore) would be, on taking the check to the bank it’s drawing on and finding out there’s not enough money in the account to cover it, to find out how much money is in that account, deposit enough to cover the difference between that and your check, then cash it, emptying the account and extracting your vengeance.

What Honan’s hacker did was, after some simple research, call Amazon, give them Honan’s basic info (email address, billing address, name), and add a credit card to the account.  Then he called back and said he’d lost access to the account.  Amazon verified his identity in the way they apparently do, which was to ask for the last four digits of a credit card associated with the account.

You follow?  He knew a credit card number, because he’d just added it.

Once he was into Honan’s Amazon account, he had access to the last four digits of all of Honan’s credit cards on file with Amazon.  Using this information, he accessed Honan’s Apple email (@me), which was the recovery email for Honan’s Gmail account.  And so he reset Honan’s Apple and Gmail passwords and was off to the races.  Suddenly everything was open, including the Twitter account the hacker wanted in the first place.

The rest was just malicious.  He used Apple’s Find My Phone/Find My Mac to remotely wipe Honan’s computer and phone.  He emptied his email.  And so on.  Just because he could.

Understand that Mat Honan is a writer for Wired.  A technology magazine.

Honan made some baffling errors.  He didn’t have two-step verification turned on for his Gmail account (Google sends you a text message with a code if your account is being accessed by a different computer, etc.  Facebook also has this.  If your email client doesn’t, you might want to think about switching).  He didn’t have his Mac backed up (WTF?), so he apparently lost a bunch of precious pictures.

Again, this was a targeted attack, not because of who Honan was but because he had a Twitter handle the hacker decided to take, for some reason.  There are billions of Internet users/consumers.  The percentages are in your favor, particularly if you take some basic precautions, like using a password manager, don’t re-use passwords for different sites, carefully consider security questions, etc.

And given the prominence of Wired, I’m sure Amazon and Apple will beef up this security flaw.  As I’m sure other flaws will be found.  This is how barn doors get closed; the horse has to get out first.

In this world, though, with our lives in the Cloud now and our money (and everything else) on the line, we can either back completely offline or heed the stories, and do better.  I still feel secure.  Just not the way I felt yesterday, and I’m not looking forward to tomorrow.