Posts Tagged ‘Internet danger’

If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric  bombardment of his digital assets.  No, this was purely “social engineering,” the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data  they had figured out or augured out of somebody else.  You can’t fix this, Apple and Amazon (and others) have to, and to an extent they may already have. But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.


First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system  and let it generate your passwords (at least some of them), I use LastPass but there are others.   In my opinion, LastPass is the best.   If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.


This is the biggest convenience – security tradeoff area.  You log onto your gmail account, and lo and behold you can be logged into your calendar.  Or, you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate (because you told them to “log me in using Facebook, or whatever”) through another application.  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services., so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay to convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et.al. do it — I control LastPass myself, I don’t control Google.


All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you usually give them when you register with the service.   Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.   And put a different password on it than any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com andyourname@yahoo.com and yourname@facebook.com.  If you do this, if all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too. And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but it’s not.  But now, for you, it IS a good idea, right?   Again, LastPass will manage these passwords for you so logging in won’t be a chore.


Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here’s some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.


Read Full Post »

I’ve written a series on Internet malware (see the tags), during which I’ve gotten progressively more pessimistic about the state of the Internet as regards increasingly aggressive malware infections. I’m concluding that people aren’t worried enough about what their computer is up to behind their back. But now I want to spend a moment debunking at the other end of the scale — the currently received wisdom that our kids are at the mercy of Internet-based pedophiles, molesters, rapists, and kidnappers. If you have a short attention span, here’s the answer: they aren’t in any such danger, and they’re skillful enough to defend themselves from these vermin with no difficulty.

Now, part of the reason for this is that today’s younger generation, and I’m talking about kids from 10 to young adults of 25 or so, have an Internet-mediated life that is unbelievably rich and varied, and which they control and manage with considerable skill. If you’re a parent, and you email, fine, but they are light-years ahead of you. They consider email rather dull and lifeless; they text-message with their camera cell phones, they user services like Twitter to broadcast what they’re up to, they forward pictures back and forth from computer to cell phone and back, they have websites and (more importantly) FaceBook sites, they instant message with each other from a variety of devices . . . the list goes on and is actually evolving and expanding as we sit here. And you, who think email is pretty exciting, are going to be able to assess risk for them, and control the situation? Do you Tweet? Come back and see me when you do.

Are they going to be willing to give this rich social environment up because there are a few creeps out there? They are not. At the upper end of this age spectrum, these facilities help kids keep in touch when they go off to college, and then when they graduate, as they again disperse to go find jobs. These kids are keeping in touch on a daily basis, around the world, around the clock, and they love it. At the bottom end, 10 and 11-year-olds far from retreating into their computers, are richening their social environment via the Internet as we used to do, in the days of the ancients, by telephone after school. But they keep it up at their brother’s sports practices, while shopping with their parents, and even right in movies.  They’re glued into multiple social contexts and they shift back and forth instantly.

And at all ages, they experiment with their “selves.”  Here in meatspace, where we are only who we are, we can’t escape ourselves.  But online, kids can, if they’re clever, reinvent themselves — kids make themselves older, or boys try being girls and vice-versa, or pretend to be very much cooler than they are, convince others that they’re really braniacs interested in chess . . .  without having to really be that, or carry it off in real life.  What’s so bad about that?  Just another kind of growing up, I would say.

I think most studies have shown that kids who run off and meet unknown people they’ve come in contact with over the Internet are kids who are already engaging in risky or even self-destructive behavior in real life — the real world drives their Internet bahavior, not the other way around.

So buck up.  Basically, until you are enrolled in Twitter, it’s your kids who are going to be protecting YOU online.

Read Full Post »