Hacking via peopleware

Anyone can get hacked, even people who supposedly know better:

In one night, Wired technology writer Mat Honan saw his entire digital existence horrifically erased before his eyes. Using security loopholes in Amazon, Apple, Google, and Twitter, hackers were able to piece together enough information to remotely wipe clean his iPhone, iPad, and MacBook — including irreplaceable pictures he had stored of his baby’s first year of life. “Those security lapses are my fault,” says Honan, detailing the cautionary tale on Wired. “And I deeply, deeply regret them.”

What happened to Honan was not an Apple vs. PC problem. It wasn’t a security hole in the operating system. It wasn’t even a case of phishing. It just took some people who knew what information they needed to wreak havoc, and knew how to get it. They didn’t have to do much real hacking, simply know how to wheedle information out of people.

This isn’t even entirely a Cloud Computing issue, though I do see yet more reasons to be suspicious of the concept. No, there are a few real take-aways from this:

  1. Backup, backup, backup! If your information is important, then make sure you’re backing it up. And not just in the cloud. Even my automated backups are vulnerable, because if someone could gain control of my PC they’d be able to see I have a backup drive and wipe it.
  2. Never give any more info than necessary. Again, I’m guilty as charged. The hackers here used the who.is record to get the victim’s mailing address. I just checked mine, and they could get mine the same way. My only consolation is that it’s outdated info, so it would take them longer to get the right address. But my web host gives me the option to hide my whois information. I should. There are many other places I’ve probably given more info than necessary.
  3. Opt for stronger security. No matter how inconvenient, it may not be a bad idea to allow tighter security when available. Google, for example, can be set to make the user enter additional verification if the account is accessed from an unfamiliar device. It wants your smartphone info to do this, and my phone is stupid, so I haven’t done it. But it’s not a bad idea.
  4. Select odd email account names. This is a little more difficult. Everything online is about branding, and most people will tell you to get an email account that matches up with the name you go by most. The trouble is, this is the first weak link that got the victim in the article. Is it worth the risk to have a memorable email account? Probably, but you’re playing the odds.
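One way to run the check the second point describes, as an added example that is not part of the original post: a short Python script that parses a whois record and lists which registrant, admin and tech contact fields still expose personal details (name, street address, phone, email). The two records are constructed samples, and the field names and redaction markers are assumptions based on the common `Key: value` whois layout; real registrar output varies, so adjust the patterns to match what your registrar prints.

```python
"""Check a WHOIS record for exposed personal contact details.

Added example, not code from the original post. The records below are
constructed samples, not any real domain's data. Real whois output varies by
registrar, so the field names and redaction markers are assumptions based on
the common "Registrant Key: value" layout.
"""
import re

# Constructed sample whois output with privacy protection off.
# The domain, names, address, phone and email are all made up.
SAMPLE_WHOIS = """\
Domain Name: example-blog.test
Registrar: Example Registrar, Inc.
Registrant Name: Jane Example
Registrant Organization:
Registrant Street: 123 Made-Up Lane
Registrant City: Springfield
Registrant Postal Code: 00000
Registrant Country: US
Registrant Phone: +1.5555550100
Registrant Email: jane@example-blog.test
Admin Name: Jane Example
Admin Email: jane@example-blog.test
Tech Name: Jane Example
Tech Email: jane@example-blog.test
"""

# Constructed sample for the same domain with registrar privacy enabled.
SAMPLE_WHOIS_PRIVATE = """\
Domain Name: example-blog.test
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
"""

# Contact roles whose fields appear in a whois record (assumed layout).
CONTACT_ROLES = ("Registrant", "Admin", "Tech", "Billing")

# Fields that hand a caller something usable in a support-desk conversation:
# a real name, a physical address, a phone number or an email address.
SENSITIVE_FIELDS = ("Name", "Street", "City", "Postal Code", "Phone", "Email")

# Values registrars substitute when a privacy/proxy service hides the data.
REDACTION_MARKERS = re.compile(r"redacted|privacy|proxy|query the rdds", re.I)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; lines with empty values are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip()] = value.strip()
    return record


def exposed_fields(text):
    """Return the contact fields whose values look like real personal data.

    A field counts as exposed when its key belongs to a contact role, ends in
    one of SENSITIVE_FIELDS, and its value is not a registrar redaction marker.
    """
    record = parse_whois(text)
    exposed = []
    for key, value in record.items():
        role = key.split(" ", 1)[0]
        if role in CONTACT_ROLES and key.endswith(SENSITIVE_FIELDS) \
                and not REDACTION_MARKERS.search(value):
            exposed.append(key)
    return exposed


if __name__ == "__main__":
    for label, text in (("public", SAMPLE_WHOIS),
                        ("privacy-protected", SAMPLE_WHOIS_PRIVATE)):
        fields = exposed_fields(text)
        print(f"{label}: {len(fields)} exposed contact field(s)")
        for field in fields:
            print("  -", field)
```

Run it against the output of `whois yourdomain` saved to a file instead of the embedded samples; an empty result for every contact role is what you want to see after turning on your host's whois privacy option.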

Online security is something we should always be concerned about. This latest anecdote is even more frightening, because online security worked correctly, and yet the hackers still got what they needed. They got it by finding just enough information to be convincing to humans, who can sometimes be the weakest link of all.