
Lessons learned from the recent Find My Mac remote-wipe attack

The recent remote wipe attack through Apple's Find My ... service on a Wired reporter's Mac, iPhone and iPad shows that local backups, system clones and strong passwords are more important than ever.
Written by David Morgenstern, Contributor

The hacker attack that wiped Wired reporter Mat Honan's MacBook Air, iPad and iPhone revealed a number of important vulnerabilities in cloud-based services and cloud backups. But just as important to users and IT managers, it shows that old practices may be best practices for data security and password management.

Following the attack that wiped his Apple MacBook Air, iPad and iPhone, Honan wrote last week in a Gadget Lab post that he was finally able to restore 75 percent of his data, including family photos of his young daughter. However, this was thanks to a DriveSavers recovery, an expensive restoration process. And that doesn't count the hours and hours lost trying to find passwords and data.

When my data died, it was the cloud that killed it. The triggers hackers used to break into my accounts and delete my files were all cloud-based services — iCloud, Google, and Amazon. Some pundits have latched onto this detail to indict our era of cloud computing. Yet just as the cloud enabled my disaster, so too was it my salvation.

The post is interesting reading. Honan details how the hackers gamed the Internet-based services and took advantage of their vulnerable password and account policies. The companies say they've changed their practices. Good luck to us (and them) with that.

What would have saved Honan much of his trouble would have been a local backup and system clone. As I mentioned in a recent post on preparing for Mountain Lion installation, I make a clone of my MacBook Pro's entire system twice a day and run a background Time Machine backup for file-level changes. All of this is done to a speedy external Thunderbolt RAID box.

We are living in one of the best times for such local backups. With Thunderbolt and USB 3.0 on Macs, these backups can be performed very easily and quickly. I am always impressed with how fast my four-drive RAID Level 5 array can back up my system. But you don't need to spend $1,000 for such a setup. There are single-drive solutions as well as small two-drive JBOD/RAID Level 0 systems that can do the job quickly and economically.

In addition, Honan said he had some initial problems with passwords. He used AgileBits' excellent multiplatform 1Password utility to create and manage long passwords (I use this product as well).

I’m a heavy 1Password user. I use it for everything. That means most of my passwords are long, alphanumeric strings of gibberish with random symbols. It’s on my iPhone, iPad and MacBook. It syncs up across all those devices because I store the keychain in the cloud on Dropbox. Update a password on my phone, and the file is saved on Dropbox, where my computer will pull it down later, and vice versa.

But I didn’t have it on any of our other systems. So now I couldn’t get to my keychain. And so I was stuck in a catch-22. My Dropbox password was itself a 1Password-generated litany of nonsense. Without access to Dropbox, I couldn’t get my keychain. Without my keychain, I couldn’t get into Dropbox.

While I like the convenience of 1Password, I now make my own passwords using several alphanumeric bilingual puns, specific parts of the site's identity and extended characters. This gives me a very long, strong password that's unique to each service and device. At the same time, I can recall them mostly from memory (I have changed the puns and criteria over time). I've been testing them recently with the interesting Passfault Demo Password Evaluation tool. It looks at all kinds of measurements of strength.

Check Out: Checking for password duplication in Keychain Access and 1Password

Finally, the Honan story shows that consumers have no clue what real security should look like when it comes to recovering online properties such as these accounts.

I recently dealt with Network Solutions to regain control of a domain of a non-profit group whose domain had expired. The account had been set up years ago by a long-ago webmaster, someone who was no longer associated with the group. Everyone thought the information was somewhere and that notifications were coming to the group. Some notifications were, but the ones that counted for restoring the account weren't. The verification required the faxing of documents and personal verification of identity. It wasn't a quick process either.

This hardcore recovery process isn't one that consumers will tolerate. Consumers want access to their accounts and they want it now. However, until we have biometric standards or some other verifier, recovery shouldn't be so easy.
