Like many geeks, I’ve been watching the Mat Honan saga unfold with both trepidation and horror. The good news is that ultimately, if you ignore time lost and money spent and the amount of stress caused by this hack, Mat lost a lot less than he initially worried he had. Of course, that time and money is not inconsequential, and the stress? massive.
I’m not going to try to tell the experts how to fix this problem; ultimately, Mat got hacked despite doing almost everything right and to do it required social engineering of multiple organizations (Apple and Amazon) in ways to grab data that seemed safe within the context of that company’s site, but were combined in a way to break open Mat’s life.
That’s a hard series of hacks to protect yourself against. The one thing I haven’t heard discussed is the implication here: that “personal security” is no longer a site evaluating how it protects user data, but how protected their data is against attacks that cross onto multiple sites. The job of the security geek is a lot tougher now that this kind of attack has gotten such publicity. It’s not enough for Apple’s site to be secure, it now has to worry about weaknesses in other sites that might break open things. it gets even worse when you have to start doing risk assessment on what might be social engineered out of another site that might have an impact on your own site. Have fun, security geeks.
(my only suggestion: security questions, as currently implemented on many, many sites, needs to die).
What I’ve tried to do is evaluate my own setup based on what happened to Mat, and what I need to do to improve my security further. Here are some thoughts you might find helpful as you think through what you should do as well.
Good news: I had implemented two-factor authentication where I could (google, Facebook, battle.net). I expect you’ll see a lot more sites bringing on two-factor authentication, and they should. The downside is I see my smartphone being inundated with authenticator apps, one for every site where I have two-factor set up. I’m not looking forward to that, but I don’t see an easy alternative and I prefer that to not having two factor on things.
Good news: when I left HP, I used that as an excuse to evaluate my working tools and my best practices, and one thing I did was get serious about using a password wallet (I chose 1Password. I still like it a lot. Recommended if you’re a Mac/IOS geek; haven’t tried it on windows or android). It was surprisingly hard to convince myself to turn off “save passwords” in my browser, because the convenience is, well, really convenient.
In both cases — using the wallet and using two-factor — the setup is a bit of a pain, but mostly, it’s a grind. It’s tracking stuff down, it’s making sure the data’s where it should be. it takes some time, and it forces you to relearn some habits. Once I was through it? I find neither tool invasive or a pain. Once you get used to the change, you won’t mind it. it’s that change of habit time that puts people off.
So seriously: get a good password wallet. Even better, get a good cross-platform, syncing one like 1Password. My passwords go everywhere with me now, so I can use strong passwords and not worry much about remembering anything. This is a Good Thing. And I can attest: once you get it set up, it works.
Two factor authentication (or in the case of Apple, lack of it) was a primary reason I use gmail as my primary (and public) email. I will admit that my one big worry about Google is how many things they’ve integrated into my google account, and how — ugly — it can get if for some reason Google decides it doesn’t like me and shuts things down (or it gets hacked and gets blocked, or whatever). I’ve thought in the past that maybe I need to diversify more; for now, I continue to just have “hot spare” places for key things I can fall into if something bad happens. But I think this is something Google needs to get a better handle on. It doesn’t happen often, but it happens just often enough where I hear about it for me to keep wondering whether living this closely with Google is a good thing.
How Mat Honan recovered from his hacking – Marco.org:
My email and Dropbox passwords are both unmemorized 1Password gibberish. To prevent this scenario when I started using 1Password, I printed these two passwords onto two different pieces of paper, unlabeled and inconspicuous, and hid them in safe places.
From a clean install, with access to my email and Dropbox, I can get 1Password up and running to unlock everything else I need. (In theory, I could just do this for the Dropbox password, but it makes me feel more comfortable to have emergency email access, too.)
If you use 1Password or similar password generators, evaluate your contingency plan: if all of your computers and devices were stolen, destroyed, or rendered inoperable suddenly, and you had to start fresh from a completely clean setup, can you get through your own security measures?
That doesn’t mean my setup was perfect. Because various sites want a “backup” email handy, my various email accounts tend to get linked. If one of them falls, there’s a good chance it can cascade and cause all of them to get breached, and on sites with multiple emails linked, you’re only as secure as your least secure email account. That’s something I’m mulling over how best to manage. I don’t have a good/easy answer. I think it’s tied to the next point, though:
My next thought is that I need to better separate my public life and my private life. At the least, that means multiple gmail accounts, the one people see, and the one I don’t talk about that has things like credit cards and etc attached. They can’t be linked in any overt way (i.e. can’t be each other’s “backup” accounts). After a quick look, I realized detangling things is a fairly complex process, so since I think my risk situation is pretty well managed right now, this is more of a long-term project. I do think it’s something I should do, but I can afford to do it at a slower pace and not risk doing it wrong and creating new problems.
Marco has an important point here: recovery if you lose your devices. I personally think the “unlabeled/inconspicuous/hidden” is a bit of overkill. A second aspect of this I don’t know that he’s considered, too: what if you’re not there? as in “oh, Marco was such a great guy, too bad he got hit by that bus?” — will others be able to get into your password wallet and onto your hardware and take care of things?
So my suggestion is this: find a place in your files, and keep in it a sealed envelope with the necessary particulars to unlock the keys to things. Include a description of what’s what and where to find the important pieces, because it likely won’t be obvious, even to a spouse. Seal all that up and put it in a file in a cabinet with an appropriate label on the sealed envelope. Right next to a copy of your will is probably a good place. If someone has the time to break into your house, go through your stuff, find this file and unseal it to access your passwords, well, honestly, I don’t think your passwords are your biggest problem. And by doing this, and making sure the people who need to know do know where to find it if needed, you’ve simplified their life a lot at a time when a little simplification probably helps.
This article was posted on Chuq Von Rospach, Photographer and Author at Marco on recovering from the “Mat Honan hack”. This article is copyright 2013 by Chuq Von Rospach under a Creative Commons license for non-commericial use only with attribution. See the web site for details on the usage policy.