Lessons learned from the recent Find My Mac remote-wipe attack

Summary: The recent remote wipe attack through Apple's Find My ... service on a Wired reporter's Mac, iPhone and iPad shows that local backups, system clones and strong passwords are more important than ever.

The hacker attack that wiped Wired's Mat Honan's MacBook Air, iPad and iPhone revealed a number of important vulnerabilities in cloud-based services and cloud backups. But just as important to users and IT managers, it shows that old practices may be best practices for data security and password management.

Following the attack that wiped his Apple MacBook Air, iPad and iPhone, Honan wrote last week in a Gadget Lab post that he was finally able to restore 75 percent of his data, including family photos of his young daughter. However, this was thanks to a DriveSavers recovery, an expensive restoration process. And that doesn't count the hours and hours lost trying to find passwords and data.

When my data died, it was the cloud that killed it. The triggers hackers used to break into my accounts and delete my files were all cloud-based services — iCloud, Google, and Amazon. Some pundits have latched onto this detail to indict our era of cloud computing. Yet just as the cloud enabled my disaster, so too was it my salvation.

The post is interesting reading. Honan details how the hackers gamed the Internet-based services and took advantage of their vulnerable password and account policies. The companies say they've changed their practices. Good luck to us (and them) with that.

What would have saved Honan much of his trouble would have been a local backup and system clone. As I mentioned in a recent post on preparing for Mountain Lion installation, I make a clone of my MacBook Pro's entire system twice a day and run a background Time Machine backup for file-level changes. All of this is done to a speedy external Thunderbolt RAID box.

We are living in one of the best times for such local backups. With Thunderbolt and USB 3.0 on Macs, these backups can be performed very easily and quickly. I am always impressed with how fast my four-drive RAID Level 5 array can back up my system. But you don't need to spend $1,000 for such a setup. There are single-drive solutions as well as small two-drive JBOD/RAID Level 0 systems that can do the job quickly and economically.

In addition, Honan said he had some initial problems with passwords. He used Agile Bits' excellent multiplatform 1Password utility to create and manage long passwords (I use this product as well).

I’m a heavy 1Password user. I use it for everything. That means most of my passwords are long, alphanumeric strings of gibberish with random symbols. It’s on my iPhone, iPad and Macbook. It syncs up across all those devices because I store the keychain in the cloud on Dropbox. Update a password on my phone, and the file is saved on Dropbox, where my computer will pull it down later, and vice versa.

But I didn’t have it on any of our other systems. So now I couldn’t get to my keychain. And so I was stuck in a catch-22. My Dropbox password was itself a 1Password-generated litany of nonsense. Without access to Dropbox, I couldn’t get my keychain. Without my keychain, I couldn’t get into Dropbox.
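The catch-22 Honan describes is a cycle in his account-recovery dependencies: the Dropbox password lives in the 1Password keychain, and the keychain file is only reachable through Dropbox. The following is an added example (not code from the article, Honan, or AgileBits) that models such dependencies as a small directed graph, finds cycles, and computes what is still recoverable from a given set of credentials you hold in your head or on local media. The account names, edges and the "local_backup" node are constructed for illustration.

```python
"""Model account-recovery dependencies and find 'catch-22' cycles.

Added example, not from the original post. An edge A -> B means:
"to regain access to A, I first need access to B". A node with no
outgoing edges is a root (something memorized or held offline) and
is recoverable only if it is in the set of things you still have.
"""

# Constructed sample graph modelled on the scenario in the post.
SAMPLE_DEPENDENCIES = {
    "dropbox": ["1password_keychain"],   # Dropbox password stored in 1Password
    "1password_keychain": ["dropbox"],   # keychain file is synced via Dropbox
    "icloud": ["1password_keychain"],
    "gmail": ["1password_keychain"],
    "1password_master": [],              # memorized; depends on nothing
}

# Constructed "fixed" graph: the keychain is also kept on a local backup,
# so it no longer depends on a cloud service that depends on it.
FIXED_DEPENDENCIES = {
    "dropbox": ["1password_keychain"],
    "1password_keychain": ["1password_master", "local_backup"],
    "icloud": ["1password_keychain"],
    "gmail": ["1password_keychain"],
    "1password_master": [],
    "local_backup": [],                  # offline clone / Time Machine disk
}


def find_cycles(deps):
    """Return every dependency cycle found by depth-first search.

    Each cycle is returned as a list of node names starting and ending
    at the same node, e.g. ['dropbox', '1password_keychain', 'dropbox'].
    """
    cycles = []
    state = {}   # node -> "visiting" (on the current path) or "done"
    path = []

    def visit(node):
        state[node] = "visiting"
        path.append(node)
        for nxt in deps.get(node, []):
            if state.get(nxt) == "visiting":
                # Back edge to a node on the current path: that's a cycle.
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in state:
                visit(nxt)
        path.pop()
        state[node] = "done"

    for node in list(deps):
        if node not in state:
            visit(node)
    return cycles


def recoverable(deps, have):
    """Fixed-point computation of everything you can regain access to.

    `have` is the set of credentials/artifacts still in your possession.
    A dependent node becomes recoverable once all of its dependencies are.
    Roots (empty dependency list) are recoverable only if they are in `have`.
    """
    got = set(have)
    changed = True
    while changed:
        changed = False
        for node, needs in deps.items():
            if node not in got and needs and all(n in got for n in needs):
                got.add(node)
                changed = True
    return got


if __name__ == "__main__":
    print("cycles in sample graph:", find_cycles(SAMPLE_DEPENDENCIES))
    print("recoverable with only the master password:",
          sorted(recoverable(SAMPLE_DEPENDENCIES, {"1password_master"})))
    print("recoverable after adding a local backup:",
          sorted(recoverable(FIXED_DEPENDENCIES,
                             {"1password_master", "local_backup"})))
```

With the sample graph, `find_cycles` reports the Dropbox/keychain loop and `recoverable` shows that holding the memorized master password alone regains nothing else; with an offline copy of the keychain added as a root, every account becomes reachable again, which is the post's argument for local backups in graph form.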

While I like the convenience of 1Password, I now make my own passwords using several alphanumeric bilingual puns, specific parts of the site's identity and extended characters. This gives me a very long, strong password that's unique to each service and device. At the same time, I can recall them mostly from memory (I have changed the puns and criteria over time). I've been testing them recently with the interesting Passfault Demo Password Evaluation tool. It looks at all kinds of measurements of strength.

Finally, the Honan story shows that consumers have no clue what real security should be used for recovering their online properties such as these accounts.

I recently dealt with Network Solutions to regain control of a domain of a non-profit group whose domain had expired. The account had been set up years ago by a long-ago webmaster, someone who was no longer associated with the group. Everyone thought the information was somewhere and that notifications were coming to the group. Some notifications were, but the ones that counted for restoring the account weren't. The verification required the faxing of documents and personal verification of identity. It wasn't a quick process either.

This hardcore recovery process isn't one that consumers will tolerate. Consumers want access to their accounts and they want them now. However, until we have biometric standards or some other verifier, recovery shouldn't be so easy.

Talkback

3 comments
  • JBOD system

    I'm not familiar with a "small two-drive JBOD/RAID Level 0" system. Is this something that you make or buy? Or can you provide a link? I'm happy to assemble my own hardware, but haven't heard of this.
    howardgr
  • Backup is as easy, restoration much easier with Small Business Server

    You're better off without the expensive hardware (Apple hardware is too expensive, and a Thunderbolt RAID box? not needed, and you can build a server for less). I'm running Windows Small Business Server 2011, and it does automatic backups and can do a restore with a supplied boot disk to any image in about 30 minutes. Hard drive failure happens sometimes, and I like doing without the need of creating a DVD just so I can restore to last backup. A similar system really saved my bacon once due to hard drive failure.
    Griscom0
  • Wonderful!

    “When my data died, it was the cloud that killed it. The triggers hackers used to break into my accounts and delete my files were all cloud-based services — iCloud, Google, and Amazon. Some pundits have latched onto this detail to indict our era of cloud computing. Yet just as the cloud enabled my disaster, so too was it my salvation.”

    Let me get this straight. It’s okay to get screwed by the cloud so long as you can manage to get your data back – no matter how long or hard or expensive the struggle???

    In this case, he was only able to get 75% of his data back, and that involved using “DriveSavers recovery, an expensive restoration process.” Oh, and plus the “hours and hours lost trying to find passwords and data.”

    Wonderful.

    “…details how the hackers gamed the Internet-based services and took advantage of their vulnerable password and account policies. The companies say they've changed their practices. Good luck to us (and them) with that.”

    Well, that’s what you get when you trust your data to a third party off in the cloud somewhere.

    And then Mr. Morgenstern suggests you do as he does and back your system up with “a clone of my MacBook Pro's entire system twice a day and run a background Time Machine backup for file-level changes. All of this is done to a speedy external Thunderbolt RAID box.” And his “four-drive RAID Level 5 array.” Which is only an extra $1000 at the usual cheap Apple prices.

    You know, I agree that backup is good, and I do it with my hard drives regularly. But that is because I know that it is not a question of IF a hard drive will fail, but WHEN. In this case, there is the additional danger of losing it in the cloud, or via the cloud, as this example shows.

    Look at how much trouble Mat Honan would have saved had he not been trusting the cloud in the first place.

    I find it interesting that in addition to the normal lack of acceptable reliability, security and additional cost of cloud processing, there is now the very real chance that the cloud can be used to reach right into your physical machine and screw it up.

    And who is pushing the cloud down our throats? The companies who will be making money off it, of course. They chuckle at the thought of making us pay monthly for software that we used to purchase once and use forever. They love the idea of how much the increased bandwidth usage will cost us. And, on top of all that, we have to pay them per gig to give them our data.

    The cloud? No thank you.
    Doc.Savage