8 Ways To Avoid Getting Your Life Hacked

  /     /     /  
Publicated : 22/11/2024   Category : security


8 Ways To Avoid Getting Your Life Hacked


How can you avoid an epic hack involving your Apple iCloud account, as journalist Mat Honan just experienced? Follow these strategies.



Who Is Anonymous: 10 Key Facts (click image for larger view and for slideshow)
How can cloud service users avoid Mat Honans fate?
For those not in the know, Honan was the unlucky journalist who had his Macbook Air, iPhone, and iPad remotely wiped Friday by an attacker who seized control of
his Twitter account
--simply
for the lulz
--and who wanted to make it difficult for Honan to regain control of it.
But as
Honan detailed
Monday in How Apple and Amazon Security Flaws Led to My Epic Hacking, the attack led to the loss of a years data, including personal photos, as well as the deletion of his Google account and eight years worth of emails.
Security-wise, what should Honan have done differently? Unfortunately, the attack succeeded not through technical sophistication, but smooth talking on the part of the attacker. In a
blog post
, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, characterized the attack as a hack of the why bother with security when I can talk my way past it sort for which Kevin Mitnick achieved his infamy. ... The hacker--forget that, the criminal--called up Apple support and tricked them into handing over control of Honans iCloud account.
Thanks to a reconstruction of the attack--in return for Honan agreeing to not press charges, the attacker, who goes by the name Phobia, agreed to walk him through what hed done--there are a number of techniques that other cloud service users can practice to help protect any data they store online. Heres where to start:
1. Dont trust cloud providers.
Do you think that cloud services offer security or privacy by default? Think again, as cloud-storage businesses are in business to make money, and that can lead to business decisions which prioritize information sharing and ease of access over security or privacy concerns. Notably, Googles services are not secure by default, said security and privacy researcher Christopher Soghoian in a
blog post
that points to comments made by Google officials that anyone concerned with government surveillance of their documents or communications--such as journalists--shouldnt rely on services like Google Docs just out of the box. But the same goes for anyone whos concerned about the security of information they store at Google, or with any other
cloud storage service
.
2. Use fake personal data.
Mothers maiden name? Name of your favorite pet? Place where you were born? Thanks to the Internet, the personal information that many websites ask you to input--in case they later ever need to verify your identity--can be discovered by motivated online researchers. For example,
Mitt Romneys personal Hotmail account
was reportedly hacked thanks to the attacker guessing the name of his favorite pet. Accordingly, consider not just using unique passwords for every website that requires a password, but also inputting fake personal data for each one as well. Then use a
password manager
or password wallet to help track all of this information.
3. Regularly make local backups.
Honan said he lost photos, emails, and documents that hed been storing on his laptop, iPhone, and iPad, because the data existed only there or on cloud services. To prevent this from happening, the related fix is clear: regularly back up to an external hard drive—or, preferably, two. Had I been regularly backing up the data on my MacBook, I wouldnt have had to worry about losing more than a years worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location, said Honan.
4. Avoid daisy-chaining accounts.
Dont link online accounts. Notably, Honans attacker came gunning for his Twitter account, which by the way was still linked to the Twitter account of Gizmodo, where hed formerly worked. To get to the Twitter account, the attackers essentially worked backward. My accounts were daisy-chained together, wrote Honan. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, its possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc.
5. Consider Googles two-factor authentication system.
Per Honans advice, Google users should employ
Googles two-factor authentication system
, a.k.a. two-step authentication. It works by either having Google text a temporary password to a user whenever they attempt to log on to their Google account, or else by using a Google two-factor password generator smartphone app. According to user reviews of the service, however, its prone to losing tokens, which then requires the user to reauthorize every device or application thats tied to Google. Still, the extra authentication might slow or stop would-be attackers.
6. Disable remote wiping for laptops.
Honans attacker was able to not only remotely wipe his iPhone and iPad, but also his laptop, using the iCloud Find My Mac service. But use that type of service with caution, because if breached, it gives attackers inordinate power. Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect, said Ducklin at Sophos.
7. Press cloud providers for better password practices.
In the wake of the hack of Honans accounts,
Wired
reported
that Amazon and Apple have reportedly discontinued the password-reset practices that Phobia used in his
social engineering attack
.
Apple, for example, has temporarily discontinued password resets by phone, and Amazon has stopped taking new credit card numbers by phone. Thats important, because Phobia had added a bogus credit card number to Honans Amazon account, then later called back and used the bogus credit card number to verify that he was Honan. From there, Phobia was able to see the last four digits of Honans actual credit card number, which he used to validate his identity with Apple technical support, which--together with a billing address (retrieved via a whois lookup of Honans personal site)--was all he needed to have Apple generate a temporary password, despite his not being able to answer the security questions that Apple had on file.
8. Keep fingers crossed.
Unfortunately, the hack of Honans Apple, Amazon, Google, and Twitter accounts demonstrates that a determined attacker--Phobia told Honan he was only 19--can find ways to circumvent cloud service security. As Soghoian noted in a
blog post
, the incident offers a clear demonstration of how difficult it is for users to protect their data even when using tools and services created by billion-dollar corporations. Thanks to internal customer-service changes made by Amazon and Apple, these types of attacks might be more difficult, but whenever using cloud services, always consider what would be possible if an attacker does manage to gain access to your account.
One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment arent exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our
Measuring Risk: A Security Pros Guide
report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
8 Ways To Avoid Getting Your Life Hacked