60-minute security makeover: Prevent your own 'epic hack'
- 23 August, 2012 11:44
How's this for a digital nightmare? Your Twitter account hijacked; racist and homophobic tweets posted in your name. Your Apple account breached; data wiped from your iPhone, iPad and Mac laptop. Your Gmail password reset by hackers and your Google account deleted.
That's what happened to Wired journalist Mat Honan recently. And while news coverage of his "epic hack" may be easing, you can bet there's an army of would-be imitators who, as you read this, are trying to duplicate that attack.
Honan was somewhat careless (especially having no backups of his wiped data) but also very unlucky. However, now that word of the attack has been widely publicized, it would be wise to try to protect yourself from these now well-known vulnerabilities.
The good news? It won't take long. And while you can't expect to create an impenetrable defense in an hour, you can implement some strategies to harden your own accounts.
Issue: Using public email addresses for account access, password recovery
Threat: It's hard to believe that attackers only needed Honan's email address to kick off the process of hijacking his Twitter and Apple accounts. But the attackers did indeed start with only Honan's Gmail address and billing address (available in many public records) to leverage lax security policies at Amazon and Apple and access his accounts.
Defense: Don't use a publicly known email address for your account login and password-reset contact info. Instead, use one or more separate addresses that you reserve only for this use and not for any other type of communication. This makes it harder for someone who knows your personal or business email address to use that information to gain access to other accounts.
Your ISP likely allows you to add additional email accounts. Alternatively, you can use an email service you trust to create a new account, or you can register your own domain and add a hard-to-guess email address (which you should not use as the contact address for that domain).
Really security conscious? Set up multiple email addresses so you've got different ones per account, or have multiple addresses that forward to one private box. This way, even if one account is breached, it won't help anyone gain access to another by knowing the email address you use there.
Bonus: People trolling for information about you will have less success overall.
Time: Setting up a new address at your ISP or domain: 3-5 minutes. Setting up multiple forwarders to that address: another 3-5 minutes. Changing login/contact/password reset email address: 1-2 minutes per account. Suggestion: It will probably feel less onerous if you change contact addresses the next time you log into each of your accounts, instead of sitting down to do them all at once.
How the "epic hack" went down
1. The attackers followed a link on Mat Honan's Twitter account to his personal website, which listed his Gmail address (firstname.lastname@example.org).
2. Entering his Gmail address on Google's password recovery page allowed them to see his alternate email address, partially obscured. They guessed that email@example.com stood for firstname.lastname@example.org. Since Me.com is an Apple service (now called iCloud), they knew Honan had an Apple ID.
3. The attackers found Honan's billing address via a whois search on his website's domain name. (That information is also available in many public records.) Using this and his email address for verification with Amazon.com, they social engineered their way into seeing the last four digits of the credit card he had on file.
4. Those four digits were the ticket into Honan's Apple ID account, giving the attackers enough information to convince an AppleCare phone support rep to issue a temporary password to them for the account. They then reset Honan's Apple ID/iCloud password, locking him out.
5. The attackers used the Me.com address they now controlled to change Honan's Google account password, and they used access to his Gmail to change his Twitter password -- after which they deleted his Google account. Meanwhile, they used iCloud's remote wipe service to completely erase Honan's iPhone, iPad and MacBook.
Issue: Having multiple email addresses with same user name
Threat: Using the same prefix -- email@example.com and firstname.lastname@example.org -- was one factor that led to hackers knowing Honan's Apple ID user name. (Me.com is an Apple service.) Because they knew his Gmail address, they were able to see a partially blacked-out me.com address on the Google password reset page and guessed the rest.
Defense: It's easy enough to vary your email user names across domains going forward; this makes it less likely that someone can social engineer a password reset for your account. It may be tough to change your email user name on addresses you already use, however.
Time: 5-10 minutes to change an existing address that you're not using much, but significantly more if you have to notify (and perhaps remind) people who know the old address. Best to keep this rule in mind for the private address you're setting up in the step above.
Issue: Using lax Google authentication
Threat: Hackers saw the partial information for Honan's me.com address when entering his Gmail address into Google's password reset page because he hadn't turned on two-step verification. They were also able to reset his Google password after hacking into his Apple account because access to his me.com address was the sole thing anyone needed to change his Google password.
Defense: Turn on Google's two-step verification, which requires entering an additional code sent to your mobile phone before an account password can be changed -- or even for logging in from a new device or browser. Plus, anyone trolling for information won't be able to see even part of your recovery email address. In addition, hacking into your alternate email address wouldn't be enough to change your Google password and seize control of your account. This type of two-factor authentication makes your account safer from other types of hacks as well, such as a compromised password.
While having to enter an additional code sent to your mobile phone may sound onerous, it's a lot less of a hassle than being hacked.
To enable two-step verification, go to the drop-down menu at top right under your email address to get to Account settings, then select Security from the left navigation and click the Edit button next to "2-step verification." Google provides more information on two-step verification here.
Google's two-step verification requires you to enter a special code sent to your mobile phone before you can log into your account from a new device or change your account password.
Time: Enabling two-factor authentication from your browser: 2-3 minutes. Signing in using new authentication with other browsers, devices and mobile apps: 1-2 minutes each. You'll need to do this once every 30 days on each desktop/laptop browser you use with your Google account.
Issue: Storing credit cards at online retailers
Threat: It seems harmless enough to store your credit cards on a site where, even if someone breaks into your account, only the last four digits are visible. But the last four digits of the credit card stored in Honan's Amazon account were the last piece of ID the hackers needed to breach his Apple account. While it appears that Apple has since suspended this policy and Amazon has changed its credit-card security policies as well, the last four digits of a card on file are probably still a key piece of identification at other online destinations.
Defense: Don't store credit cards anywhere you don't have to, even if it takes some time to type in the number for each purchase.
Time: Deleting already-stored cards: 2-3 minutes per account.
Issue: Linking your online accounts
Threat: Whenever you've got accounts that are tied together, a breach in one puts others at risk. For example, if you use Facebook, Twitter or your Gmail address to log into other places, a hacker who gets into one account may be able to use it to get into others.
Defense: Be wary about what Honan called "daisy chaining" your accounts -- setting them up so that having access to one gives access to others. And if you are using one account to access others, make sure that account has its own email address and a secure password. This isn't complete protection, just as locking your car doesn't necessarily prevent things inside from being stolen; but it may send lesser-skilled or impatient thieves elsewhere.
Time: Varied: 2-3 minutes to change logins and passwords per account, but it could take more time to update additional apps that depend on such logins.
Issue: Using weak passwords -- or reusing them across accounts
Threat: While this wasn't an issue in Honan's hack, it remains a significant problem as passwords continue to be leaked -- such as the publication of 450,000 Yahoo passwords that were stored in plain text -- or guessed. Once email/password combos are leaked, it's likely that malicious hackers will try them elsewhere.
Defense: We've heard it before, but, like eating our five servings of vegetables daily, many of us still don't follow best practices when creating our passwords. Why? It's just too tough to remember multiple strong passwords, and also annoying to have to type them in -- especially on mobile devices with small on-screen keyboards.
There are various strategies for creating tough passwords -- ones that you can remember but that aren't easily guessed by a human (which means you don't want to use easily learned data about yourself, or "password123") or by a computer in a brute-force attack (words in the dictionary). For example, one approach is to use the initial letters of a long sentence with numbers and punctuation tossed in, such as IwtgttGCfm4b, which one might remember from "I want to go to the Grand Canyon for my 40th birthday."
However, unless you've also got a system for tying a specific sequence to a certain site, this will likely get unwieldy for more than a few passwords.
For lots of sites, it may be helpful to use a multi-platform password manager that can generate, remember and fill in your complex passwords. Just be sure you create an extremely secure master password for that, and never write it down or store it unencrypted.
Time: Downloading, installing and setting up a password manager: 15-20 minutes. Updating existing passwords: 1-2 minutes per site -- something else you may want to do as you naturally visit each site where you have an account, rather than all at once.
Issue: Storing sensitive data on your mobile device
Threat: Hackers can't count on being nearby when your phone falls out of your pocket, but your mobile device may be even more valuable than your wallet to a thief, and more prone to loss. Imagine what a malicious hacker could do with access to all of your apps and email accounts.
Defense: If your mobile device leaves your home and can access your email, social media, shopping and especially financial accounts, it needs to be PIN- or password-protected. While you may not want to have to type in the complex string of digits, uppercase letters, lowercase letters and punctuation marks you use for financial accounts, you do want more security than a simple screen slide if someone else finds your device.
To set up a lock-screen passcode in iOS, go to Settings --> General --> Passcode Lock. You can find screen-locking options in Android under the Security options in Settings.
Depending on your mobile OS and management software, you might also be able to have data encrypted. In iOS, some data is encrypted once a passcode is set; Android 4.0 will add an encryption password if you enable it. Alternatively, you can set your device to wipe its data automatically after a maximum number of failed entry attempts.
Time: Setting up a password or PIN on your device: 2-3 minutes. Inputting your password when you want to use your device: less than a minute.
Is it possible to make your email, social media and other online accounts 100% hack-proof? Probably not. But if you've got an hour to invest, you can shore up your defenses so at least you're a tougher target.
Sharon Machlis is online managing editor at Computerworld. You can follow her on Twitter @sharon000.