You're not in control of your own security

Summary: No one is ever completely secure, but the recent hacking of a journalist has demonstrated that no matter what you do for your security, some things are just out of your control.

Commentary: Whenever I hear of a high-profile subject being hacked, I start to look for which common security recommendation was overlooked or ignored. Was it a poor password that was shared among several sites? Or was it something a little more exciting, like Bluetooth being left on and data stolen that way?

Everyone, myself included, stresses the importance of strong passwords, putting PINs on devices, never letting your smartphone out of sight and turning off unnecessary sharing services, so usually when someone is breached, it's because they failed to implement one or more of these or similar measures. However, none of them would have helped former Gizmodo journalist Mat Honan, who had his digital life wiped.

If you haven't read my colleague Emil Protalinski's write-up on how the hack went down, I urge you to go read it.

In a nutshell, Honan lived through a geek's worst nightmare: his MacBook Air, iPhone and iPad were all wiped; his Gmail, .mac email, iCloud and Twitter accounts completely compromised. The hack even had consequences for his former employer, which had still not revoked Honan's access to the Gizmodo Twitter account.

But this isn't a dig at Honan, as his case demonstrates that even if he had followed all of the traditional advice that security gurus usually dole out, it wouldn't have made much difference in preventing the wipe of his data.

Sure, he had a seven-character, weak-by-today's-standards alphanumeric password on his iCloud account and no PIN on his iPhone, but that didn't really matter.

What did matter was that an Apple employee was socially engineered into providing a stranger with access to Honan's account. It effectively meant that even if Honan was a paranoid security geek and had an extremely long password and a PIN that changed every few hours, he still would have fallen victim to the attack. Honan could have implemented all the security measures he wanted on his devices and physically locked down his MacBook Air, but at the end of the day, he still would have been compromised by the duped customer support employee, sitting in a call centre on the other side of the world.

What's most worrying about the situation is that Honan wrote on his blog that Apple's staff chose to bypass his security questions. Honan could have been blamed if he had poorly chosen his security questions and answers, which could have been pulled from social networks or by social engineering Honan himself, but these never came into the equation.

Two-factor authentication may have prevented this, yes — but, again, that has been shown to (at least temporarily) have flaws on the provider's side, and when it comes to high-profile targets, even the token providers themselves may be vulnerable. And the onus is still on Apple to provide this service, which it currently doesn't.

The fact is, Honan's case demonstrates a gaping loophole in the effectiveness of one's own security. You can't just trust yourself to implement great security; you have to trust that your provider cares about it as much as, or even more than, you do. And when it comes to determining how much we can trust a provider, it's a bit of a stab in the dark.

You might trust Apple, given that it may be more vigilant following this episode, but more realistically, you're probably stuck using it, as only Apple can provide iCloud services. Even when it comes to other services that may have multiple providers, it's almost impossible to tell how good their security is. Who is manning their call centres — who ultimately holds the keys to your accounts? Are they an easily bribed kid, looking for some money over the summer break? Or someone who can be easily manipulated through threats on their family? Is the call centre even internal to the company, or is it outsourced? The sad fact is, we'll likely never know, but we still have to trust them.

At this level of scrutiny, you could accuse me of being too pedantic about security — and in the past, I might have agreed with you — but security is risk based, and the risks are, again, beginning to shift. There was minimal risk in the past that someone would actually call up and try and dupe call centre staff, so we lived with it. There was also less information online that fraudsters could use as ammunition. Honan's case, however, shows that you only need to be a journalist, one that may not have even deeply offended anyone, to have your digital life erased for someone else's entertainment.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • "B2" Clouds

    No surprise!

    This again points out the problem with "blaming the customer/user" - the current fad in information assurance advice, particularly from governments worldwide.

    The REAL problem is that the "cloud" system, by 2012, should have been based around an operating system / virtual machine structure similar to the old "B2" - mandatory access control - facility clearly defined in the mid-1980s for modern operating systems and supporting sub-systems. Simple, there is NO B2 SUPER-USER! There is no "override"!
    Policy is enforced.

    The problem - governments have taken an 18th century "laissez-faire" attitude to the ICT industry in regard to security and governance (compare that to the totally different approaches to the car and pharmaceutical industries for a start) and now - with the installed base - it is really rather late to try and "backstitch".

    Read Microsoft's "Palladium - NGSCB" project proposals and justifications of 2002 and on (yes, 10 years ago!).

    Yes - governments must accept that today there may be little to nothing the end-user can do to protect themselves in the "cloud" - or even possibly on their own home / office systems!

    So, it is time that governments realised that it is the responsibility of the system supplier, product, system or service, to warrant and guarantee that what they offer is safe and secure and - simply - "fit for purpose", just like in any other industry. Unfortunately with the USA's "Cybersecurity Act 2012" unlikely to get passed by its Congress, perhaps the lead being taken in Europe may be the only short term policy direction.
    • About

      The problem is that the whole "cloud" thing is just marketing and BS. It is all about 1960-1970 Unix technology but implemented in totally wrong ways, by making everything so complex and bloated instead of simple and small.

      At the end of the 70s you could have computers that stored all their data on mainframes somewhere else, where they were backed up and distributed. You could share specific files with other users and even do collaborative work with them in real-time (document editing). If you swapped computers, you only needed to log in with your user account. Still, there were measures to stop hijacking from happening (like this article does) because social engineering couldn't bite, because the system protected the user from the user himself as well. So even if you actually gave up your own account details to someone, who logged in and deleted everything, you would have been safe. It just would have been a little more time-consuming to recover from that instead of just continuing work, but an hour or two here or there was not a problem when the situation was controlled.

      Even though MAC was designed for operating systems in the 80s, MLS was possible to do but was just more time-consuming.
      Today servers are designed for idiots, who only want to click a button on screen and then call themselves professionals, example

      We have gone almost full circle in computer development: we started with computers filling a whole room, developed the Unix model (which has survived to today) and then added bloat and complexity with Windows in the "Microsoft world". And now Microsoft is coming back after 30 years to the same direction where Unix already was in the 70s. But this time Microsoft is doing it on the GUI side as well as Unix GUIs did in the 80s.

      Governments don't need to care about anything their citizens do with corporations. The government's job is not to protect users from their idiocracy if citizens like to be idiots and support capitalistic and greedy private corporations.

      The problem is that corporations are the ones that have the power and money, not governments (which are slaves to corporations). And now the first step is made with today's "Cloud" marketing, where citizens' privacy, life and wealth are moved to private corporations (banks, online services, healthcare, transportation etc) and government cannot even stand against it anymore because they have been bought out, because the small minority of citizens who know it has no power to stop it happening, not even by voting.
    • Exactly

      The internet technologies that emerged from 1980s Unix were almost completely devoid of security, but were cheap and easy to implement. They worked tolerably well on a small network of semi-trusted machines, but were never suitable for a global public network. Various security measures have been bolted on over time, but the whole thing still isn't fit for purpose.

      Security experts know how to design secure systems, and have done for decades. However, making systems secure dramatically increases development and operating costs, both for hardware and software, and buyers are generally not willing to pay for it. As a result, firms need an extra push in the form of regulation, or else they won't do it.

      An additional problem is that, whenever governments or firms attempt to modernise the internet, they are invariably opposed by self-styled 'freedom' and 'privacy' advocates, often with either anarchistic or extreme libertarian tendencies, who frighten people into believing that any change means either Big Brother or the corporate equivalent. In fact, the current chaotic state of affairs is almost certainly a bigger threat to both freedom and privacy than a more structured and regulated system would be.
      • "They worked tolerably well on a small network..."

        Care to explain how the Internet happened then?
  • The weakest link and shifting sands

    You're only as secure as your weakest link and this is a great example of weak security at the service provider side - in this case Apple. As hackers try their exploits they'll change their tactics and exploit the easiest ways into your data, your bank accounts, your life. This is exactly what happened to Honan. Don't be surprised if there are a bunch of hackers all calling Apple (or your company) to try this on for size.

    We frequently forget that security isn't just about the product but is also about process and people. Honan had decent security around the product but it was the process & people side that let him down. Let's hope Apple is doing some significant retraining now.

    And let's hope we all learn a lesson from this.

    Jackson Shaw, Quest Software