|Back to Blog|
One Man Hacked: A Story of Lost Information Part II
One Man Hacked: A Story of Information Lost|
Dominion Dealer Solutions
In Part I of “One Man Hacked: A Story of Information Lost”, the story of a WIRED Magazine article went viral when Senior Writ Mat Honan was “epically hacked”, was described as a cautionary tale for all. Mr. Honan’s Google, Twitter and AppleID account were compromised, resulting in the posting of racist and homophobic messages and the information on his iPad, iPhone and MacBook remotely wiped out by his hacker.
Ouch. Certainly a cause to blush given that Mr. Honan writes for one of the country’s leading tech publications. In short, he should have known better, but his story serves as warning for all of us.
I will get into the details later, but let’s start with this: When was the last time you changed your personal passwords – Amazon, email, PayPal, banking, etc.? How many readers use the same passwords across multiple accounts, allowing a “hacker” one-stop shopping access across platforms, or even use the Internet’s most common password: 123456? If you answered, “Yeah, that’s me,” you may be more vulnerable than you expect. Let’s peel back the layers and see what happened.
As pointed out in Part I, the term “social engineering” best fits this situation and most situations of compromised accounts or “hacking”. Social engineering uses the power of persuasion, human nature, and general laziness to entice users or employees to divulge critical information, sometimes without their even knowing.
In this case it was Apple and Amazon who were engineered. Apple blundered by divulging information without the hackers being able to answer security questions, although they were able to provide other data commonly available on the Internet – a billing address. Combined with the last four digits of the credit card that was supplied by Amazon, Apple unlocked the account, provided a new password, and the hackers were off to the races without having written a single line of code. Next, they proceeded to hack Mr. Honan’s AppleID account and obliterate every shred of information from his iPhone, iPad, and MacBook, along with all the items he had sitting in the iCloud- including all the photographs of his daughter, now just over a year old, which he hadn’t backed up.
True to his nature as a journalist, Mr. Honan started a dialogue with one of the hackers after being messaged, staying true to his ethics not to attempt to track down the guilty parties. But he was able to discover their motivation, which didn’t involve money or private data. Instead, they simply wanted his three-letter Twitter account handle, and one thing led to another. His attacker wrote, ““I honestly didn’t have any heat towards you before this. I just liked your username.”
Although Apple and Amazon responded within a few days time, patching the flaws in their policies, the damage was already done to Mr. Honan. There is, however, a satisfying post-script to this story. Using a private service called Drivesavers, Mr. Honan sent away his compromised hard drive, and they were able to recover nearly all of his data.
What can we learn from this? A few points that come to mind:
• I already mentioned passwords. Rotate them frequently, don’t use the same ones across platforms, choose alpha-numeric options, don’t use ones that are easy to guess, etc.
• Don’t assume that the entities to which you trust your data “have your back.” Policies can be flawed, people can be manipulated, and no software is perfect. Revisit your vendors and the businesses you frequent online. Do you feel safe under the policies they have in place? Could you easily “hack” yourself if you tried?
• “The Cloud” can be risky business, especially if you rely on your data being there exclusively. It’s not magic.
• Backup. Backup. Backup. Buy yourself a portable USB hard drive and regularly copy over the stuff you don’t want to lose. Services such as Google Drive can also be handy for these purposes, and it will even perform ongoing backups all day long, but a physical copy is essential.
• Finally, on the other side of the coin, look at Drivesavers: Don’t ever assume that what you delete is permanently gone. This especially holds true if you sell or dispose of old computers. At the very least, pull or wipe the hard drives, but bear in mind that it might not be permanent if you don’t do it right.