Cloudburst! – First reports of iCloud security breaches surface

Social Engineering. That’s a polite term for the art of lying to obtain sensitive information from unsuspecting victims, or in this case, service providers. It’s a tactic that has been used for decades, whereby someone poses as you and asks a series of carefully worded questions designed to get into your account. If the setup is convincing enough, compassionate service staff are duped into helping an impostor access your account. Remember those times you tried to “talk sense” to the support desk, but they wouldn’t help you if you couldn’t remember the answers to your security questions? This is why. These social engineers have gotten really good at pleading for help on your behalf (or what the target assumes is your behalf). Situations range from “mom is in the hospital” and “I’ll lose my job” to the financial ruin they (you) will face unless they (you) can retrieve that spreadsheet for a meeting. With multiple online services that don’t use a standardized security format, innocuous information on one account can serve to unlock an account elsewhere. According to Mat Honan, an IT journalist for Gizmodo and Wired Magazine, this was the tactic used to wipe the last year of data he stored on iCloud. He is the first to admit that as an IT journalist, he should have known enough to back up his data elsewhere, in addition to what he had in the Cloud. But like many of us, he never quite got around to it. A link to the full story of his nightmare is posted at the end of this article.

Early in our modern era, social engineering was used effectively by pranksters to gain information about phone services, so they could then make calls for free. (Case in point: Steve Jobs and Steve Wozniak, who went on to build “Blue Boxes” to place free long-distance calls.) Since then, criminals have taken the art to entirely new levels, gaining access to email, online data, credit card information, and even bank and investment accounts.

How many times have you requested a new password be emailed to you because you couldn’t remember it? Hacking a server that stores your email could make that password available to the hacker. There are time limits on temporary passwords, in an effort to protect you, of course. However, many of us out there use the SAME password across the board, for all accounts. Once one “harmless” account’s password is revealed within an email, it can be used to unlock everything else, for an unlocking, cascading, domino-effect bonanza. Worried yet?

In the aftermath of Mat Honan’s disaster, Apple has quietly made adjustments to its security procedures. (Mat, by the way, was by no means the only victim. He just happens to be the public face of the issue.) At AppleCare, passwords will apparently no longer be reset over the phone. Period. That takes some of the human error out of the equation. Amazon, meanwhile, is said to be reviewing its security practices as well.

So do we throw up our hands in surrender? Do we lose sleep over all the data we have already sent out via email, shuddering at the implications of the security risk? No. What we want to do is lock down our information in a simple, yet effective manner. First, don’t upload your sensitive data to a “cloud” (read “online storage”) account of any kind, UNLESS you encrypt it first. Encryption can be achieved in several ways. There are inexpensive apps available to do the job, or you can use the Disk Utility in your Utilities folder to create what’s known as an encrypted disk image. (See our how-to video clip on how to do that, coming soon.) Microsoft Word also offers a relatively easy way of password-protecting documents from within the program. The catch is, of course, that if you forget that password, the data is irretrievable. The average Joe will not be able to get back into that data, nor want to pay some genius hacker somewhere to crack it open. Back it up before you encrypt it and post it.

Second, don’t send explicit photos of your naked significant other via email, unless you won’t mind those images being posted across the universe, completely out of your control. Eventually, someone you never intended, somewhere you never imagined, could access those images and run with them, even use them on their own site. Just ask the thousands of teenagers who have faced suspension, expulsion and/or ridicule as their private images made the rounds of their schools. Or celebrities whose smartphones were supposedly hacked (more likely, things were forwarded, then forwarded again, multiple times).

Third, do not use the same password for your online banking, your online gaming site, and the local online pizza delivery service. Use passwords that make sense to you, but no one else, preferably combining an invented word or short phrase with a number (NOT “123”!). Create a high-security, for-your-eyes-only password that only YOU know, for your online financial accounts. Never stick with a temporary password a provider gives you. It’s best to take the time to go in and change that temporary password to something you will remember. Who can remember “tZ005Ty#4eduL”? Not me. We encourage clients to change their passwords on their Macs after we’ve made a service call. Or, they can change their admin passwords to something they’d only use for troubleshooting, then change it back to something private and more secure after a technician leaves. Absolutely valid. For our part, as techs for our clients, we do not track client passwords as a matter of policy. We fully expect our clients to change their passwords themselves on a regular basis. It’s the smart thing to do. (For instructions on how to do this on a Mac, see our how-to video. The process remains the same across all OS X versions.)

It’s always fascinating to me when I find someone using their first name or the word “password” as their online password for anything. While I understand keeping it simple for the login of a kid’s profile on a Mac at home, you would never want to use something like that online. Indeed, many online services won’t allow it, and will prompt you to choose something more secure. Other favorite (and easily guessed) passwords are pet names, kid names, addresses and birthdays. One scan of your Facebook account will offer that information up pronto.
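As an added example that is not from the original post, here is a small Python audit that applies the advice of the last two paragraphs to a constructed list of accounts: it flags a password reused across sites, one built from details readable off a public profile (first name, pet, kid, birthday, street), and one that is too short or lacks a digit or symbol. The profile and account values are made-up sample data.

```python
"""Audit site passwords for reuse and easily guessed choices.
Added example, not from the original post; the profile and accounts are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed profile facts an attacker could read off a public profile.
PROFILE = {"first_name": "Dave", "pet": "Rex", "kid": "Emma",
           "birthday": "1978-04-12", "street": "Maple"}

# Constructed sample of one person's accounts as (site, password) pairs.
ACCOUNTS = [
    ("bank", "Green!Berries9"),   # the post's own example of a decent password
    ("gaming", "rex2004"),
    ("pizza", "password"),
    ("email", "rex2004"),         # same password as the gaming site
    ("webmail2", "Dave1978"),
]

def guessable_tokens(profile):
    """Lower-case tokens (names, birth year/day/month combos) to look for inside passwords."""
    tokens = {v.lower() for k, v in profile.items() if k != "birthday"}
    y, m, d = profile["birthday"].split("-")
    tokens |= {y, y[2:], m + d, d + m, "password"}
    return tokens

def audit(accounts, profile):
    """Return {site: [problems]} for every account that has at least one problem."""
    tokens = guessable_tokens(profile)
    by_password = defaultdict(list)       # password -> sites using it
    for site, pw in accounts:
        by_password[pw].append(site)
    findings = defaultdict(list)
    for site, pw in accounts:
        if len(by_password[pw]) > 1:      # reuse: one leak unlocks the others
            others = [s for s in by_password[pw] if s != site]
            findings[site].append("reused on " + ", ".join(others))
        hits = sorted(t for t in tokens if t in pw.lower())
        if hits:
            findings[site].append("contains guessable " + ", ".join(hits))
        if len(pw) < 8 or not re.search(r"\d", pw) or not re.search(r"[^A-Za-z0-9]", pw):
            findings[site].append("shorter than 8 chars or missing a digit/symbol")
    return dict(findings)

if __name__ == "__main__":
    for site, problems in audit(ACCOUNTS, PROFILE).items():
        print(site, "->", "; ".join(problems))
```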

Believe me, I feel your pain. Who can track all the various types of passwords that online services, computers, and devices require to get anything done? Some sites want caps, no caps, numbers and symbols, while others require more than six, but no more than eight characters. Apple iTunes requires that you use a DIFFERENT password if you’ve already used a favorite one within the past year. And they wonder why a majority of IT guys are bald, but wear a goatee.

What we suggest to our clients is a database. There are many out there that will fit the bill. Obviously the database itself should be password protected, with something secure (read “complex”), yet easy for you to remember – like “Green!Berries9”. Bento, an offshoot of FileMaker, is a good option if you want to keep it relatively easy. Apple makes it available for download online for about $50. A database like Bento is more practical than a Word document, because databases are searchable. Yes, Word documents are searchable too, but who wants to scan through a Word document to find a password?

We would not recommend storing passwords online. Keep a written record somewhere in your home, preferably not in a booklet labeled “Passwords” on your kitchen table. Why not cut out a hidden compartment into that paperback copy of War and Peace, and hide it in there? Works for drug dealers. At least in the movies.

But seriously, we do NOT recommend storing passwords within your Mac address book. Now that contacts sync wirelessly, losing your phone means you could potentially lose your keys to your Kingdom, and to your identity.

Rather than going to the other extreme, whereby you lock yourself in your house, unplug the computer from the internet, and refuse to store anything digitally, we suggest you take some necessary precautions when venturing onto the world wide web. Just as the safer days of leaving your door unlocked in a major city have mostly evaporated, so too have the carefree days of surfing the internet. Use the “Cloud” by all means, but keep in mind that what you upload could potentially fall into the wrong hands. (Several clients who had refused to use iCloud are feeling pretty smug about now.) And always, always back up your data. It is so inexpensive and easy to do these days that no one really has an excuse for losing data. Especially not, by his own admission, an IT journalist.

To read Mat Honan’s digital nightmare in detail: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/