This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.guardian.co.uk/technology/blog/2012/aug/08/apple-amazon-patch-security

The article has changed 13 times.

Version 9 (35 minutes after version 8)
Apple and Amazon patch security flaws exposed by hack heard round the world
They are tent poles of the economy, companies so big that for many, it can seem hard not to do business with them. Now Apple and Amazon are moving like a pair of lumbering synchronized swimmers to plug gushing leaks in their online security policies.
In the last 24 hours, Apple stopped processing password resets over the phone, and Amazon stopped accepting changes to account settings – including credit card numbers and emails – over the phone.
The reason? On Friday, reciprocating vulnerabilities in the two companies' security practices allowed hackers moving between Amazon and Apple to pull off an attack heard around the world – the technology world, at least.
The hack exploded in the news because on Monday the target of the attack, Mat Honan, published a detailed, damning 3,500-word piece about it on the technology site Wired.com, where he works as a senior writer.
"Those security lapses are my fault, and I deeply, deeply regret them," Honan wrote. "But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's."
Neither Apple nor Amazon is commenting on the security changes, which were first reported in Wired.
The attack erased Honan's digital existence and wiped clean the contents of his iPad, iPod and MacBook hard drive, including all his pictures of his one-year-old daughter. It obliterated eight years of Gmail messages. It culminated in the hijacking of his Twitter account, which was the hackers' goal in the first place – a coveted prize, according to a hacker whom Honan succeeded in contacting, due to its stylish three-letter handle, @mat. (Honan has since regained control of his Twitter account, and reports headway in Apple's attempt to recover his hard drive data, including the pictures.)
How did it happen? The short answer is that Honan made it easy for the hackers to guess the .Me email address associated with his AppleID by using the same email prefix for multiple accounts. His use of iCloud – which Apple aggressively promotes – meant hackers could remotely wipe all his Apple devices.
Honan's telling is a recommended read, not least for his description of the instant-message exchange he had with one of the hackers. In an act of journalistic aplomb, Honan pursues the hacker as a source to explain exactly why the hack was carried out and how it worked.
But the attack could not have happened without seemingly lax and interlocking security rules at Apple and Amazon. Once the hackers had Honan's Apple email, they needed only two other pieces of information to gain full access to his Apple kingdom: a billing address and the last four digits of a credit card number.
The billing address was obtained through a quick search for Honan's personal web domain on whois.com.
The credit card is where Amazon came in. Before the recent change in policy, all the hackers needed to crack Honan's Amazon identity – and view the last four digits of his credit card number – was a name, an email address and a billing address. They had all three.
They got the digits. Then they called back Apple.
"At 5:02 p.m., they reset my Twitter password," Honan writes. "At 5:00 they used iCloud's 'Find My' tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack."
To learn how to protect against a hack like the one that hit Honan, click here. Two quick steps: make sure you use different passwords for different accounts and if you use Gmail, set up two-step verification for access to your account.
The new security rules at Amazon and Apple seem to have plugged the leak used by Honan's hackers. An attempt by Wired on Tuesday to replicate the hack failed, after similar attempts Monday had succeeded.
Do the security patches at Amazon and Apple go far enough? Unfortunately the hackers are likely to know before the rest of us do.
Comments
8 August 2012 6:33PM
Any chance this hacker could be caught?
8 August 2012 7:36PM
Gaping leaks? Awful.
8 August 2012 7:48PM
Effoprts?
8 August 2012 8:46PM
gushing?
8 August 2012 8:54PM

tech_goop
8 August 2012 6:24PM
Nice article. No doubt it's a smart move by Amazon. Learning from others' mistakes. Well, security should be a part of cloud provider’s core Philosophy. If security isn’t part of the DNA, good luck bolting it on later. After Amazon, SalesForce, and DropBox; now iCloud has also hit the news, putting another “question mark” on Cloud security.
But in my opinion, cloud is strongly secured. There are many other factors that we sometimes neglect to consider before jumping to the decision.
Here’s an article on Cloud security that I found very informative, and may address most of your questions regarding cloud-security.
http://www.dincloud.com/blog/Cloud-Security-Whos-Job-is-it
I hope you will find it useful.
Anybody could get the impression that you are in the business of either flogging, providing or developing cloud services? Let's face it all the cloud is a nice biz rebranding exercise of existing technology for idiotic IT management.
8 August 2012 8:55PM
Effoprts?
The very least one should expect from a newspaper is proper spellong.
8 August 2012 9:00PM
I recently reactivated an online bank account whose login details I had long lost/forgotten. Going to the website in search of a number to ring I found I could reactivate the account entirely online. The process was so easy it was scary. To compound this the bank then sent me my new password (which I had to confirm I had noted) in a plain text email. I emailed back complaining about this and pointing out how insecure it was and have received no reply.
I almost gave up online access except if I don't have online access I cannot know if someone else has usurped it, Catch 22.
Meanwhile The Register has run several articles highlighting and expressing serious doubts about security on 'The Cloud'. Put nothing there that is confidential or can be used in ID theft, put nothing on there that is not backed up elsewhere, preferably offline. Be wary of the interoperability services Apple and others offer to link up different devices since as this case shows this gives anyone who gains access to your Cloud space the ability to access and change anything on those devices, including adding spyware etc.
I am not some luddite who is against the new, if I could afford it I would likely be an early adopter of much. I just don't trust marketing hype, especially about security.
8 August 2012 9:21PM
Better :P
8 August 2012 9:33PM
Also, what a monumentally dick move to wipe his stuff. I mean whatever about the lulz of exposing flaws in company security and hijacking Twitter for a bit. But wiping the guy's work and photos and mail is just sadistic.
Hopefully the hunt is on.
8 August 2012 10:15PM
Put nothing there that is confidential or can be used in ID theft, put nothing on there that is not backed up elsewhere, preferably offline.
Hmmm, let me see, what does that leave?

[this space intentionally left blank]

ps
The Register isn't what it used to be. Their advice on this is reasonable, but there's a load of less useful stuff on there too these days.
8 August 2012 10:48PM
OMG FFFFFFFFFFFFUUUUUUUU . . .
If your digital stuff is that precious (and it always is to its owner) back up, back up and back up again.
iCloud is NOT a back up - merely a convenience.
8 August 2012 10:50PM
Well this is the Grauniad.
8 August 2012 11:10PM
When will people realise this wretched Cloud doesn't exist? Your stuff is actually on someone else's server, a long, long way away!
And use LastPass - it's free.
9 August 2012 5:18AM
Cloud is pie in the sky.
9 August 2012 7:29AM
Also, what a monumentally dick move to wipe his stuff. I mean whatever about the lulz of exposing flaws in company security and hijacking Twitter for a bit. But wiping the guy's work and photos and mail is just sadistic.
According to the original article at Wired, the hacker said he did this in order to prevent Mat from using his devices to quickly access the websites that were about to be accessed in order to change passwords quickly. It wasn't a sadistic or personal move, just a preventative one on the hacker's part.
But yes, it's horrible. Make backups, people, that's the single most important thing I took away from this, but I already make double backups of everything thankfully.
9 August 2012 7:52AM
Uh, even having read the Wiki entry on cloud computing, I'm no wiser about what the heck it is. A brief explanation at the top of the article for us numpties might have helped.
Is it intended as a backup system or what?
(on current evidence I think I'll stick to my Luddite 'everything on at least three separate devices' backup system).
9 August 2012 8:07AM
Essentially, it means saving a copy of your files to a remote server somewhere so that you can access them from a number of devices - home computer, work computer, portables, phones - rather than just the one you created it on. Often if you update a file on any connected device, the version stored in the cloud will be updated too so that you always have access to the most recent version.
9 August 2012 8:21AM
Curious choice of picture to illustrate "apple got hacked".
9 August 2012 8:45AM
There's been a lot of hype around cloud, and a lot of negative reactionary comment.
Use of cloud services will continue to grow because people want access to their stuff wherever they are. And that includes expensive Apple devices that have fixed memory; Apple can sell you cloud storage (iCloud) to fix that, instead of having a slot for a memory card.
But storing data in the cloud doesn't mean you don't have to manage your risk properly. Use different accounts, different usernames, different passwords etc.
Cloud isn't good or bad - it's just a resource that people use carelessly or carefully. And it's not new - current definition of cloud tends to include SAAS, which has been used commercially for at least a decade.
9 August 2012 8:49AM
But yes, it's horrible. Make backups, people, that's the single most important thing I took away from this, but I already make double backups of everything thankfully.
Whilst I agree with you - people should make local backups of their data, unfortunately these services are being perceived as the backup service.
9 August 2012 8:55AM
The internet is NOT secure. It never will be. Please get used to it.
9 August 2012 8:56AM
But storing data in the cloud doesn't mean you don't have to manage your risk properly. Use different accounts, different usernames, different passwords etc.
Cloud isn't good or bad - it's just a resource that people use carelessly or carefully. And it's not new - current definition of cloud tends to include SAAS, which has been used commercially for at least a decade.
That's not the issue. The issue is education and understanding. Unfortunately, it seems the most common way for lay people to gain understanding is by suffering a huge data loss.
9 August 2012 9:00AM
iCloud is NOT a back up - merely a convenience.
Unfortunately Apple don't tell you that on their website. Might be helpful if they did.
(same goes for any cloud storage vendor)
9 August 2012 9:01AM
When will people realise this wretched Cloud doesn't exist? Your stuff is actually on someone else's server, a long, long way away!
You can access your passwords from any computer by logging into lastpass. Doesn't that mean that all your passwords are actually on someone else's server, a long, long way away?
9 August 2012 9:15AM
The internet is NOT secure. It never will be. Please get used to it.
Quite, nothing is ever totally secure. Use the internet, take what sensible steps you can to be more secure and live with it. Houses are not secure, but we live in them with all our possessions.
9 August 2012 9:22AM
If your digital stuff is that precious (and it always is to its owner) back up, back up and back up again.
Absolutely. The irony here is the Mac (as Honan was using) makes backup so easy. You plug in an external drive and you are immediately prompted if you want to use it as your Timemachine backup. Done. (Although of course the story is not just about what the hackers did but what they could have done - e.g. with bank details etc. so the lack of a backup is somewhat of a red herring).
Here's how my backup strategy/password works:
1. I pay the $100/year for 100 Gigs on Dropbox. Since Dropbox mirrors my computer the data is on both Dropbox and my computer. (You can get away with the free service if you invite people).
2. I use TimeMachine which also has incremental backups of Dropbox (nice that).
3. 1Password which encrypts all my passwords is stored on Dropbox (1P has a one click option for this). All my passwords are different.
4. I use Dropbox effectively to store all important stuff (i.e. it's my Documents folder)
5. Any security data is stored in 1Password secure notes.
6. 2-step authentication where I can: Facebook and Gmail.
7. Filevault is on. (i.e. if my laptop is stolen you can't reset password)
8. (Not an option for everybody: I run my own server and occasionally back up stuff to that)
Should my house burn down I have all my precious data on Dropbox. Should Dropbox go down, I have all my data on my computer. Should a meteorite take out both Dropbox and my house, I'll have more pressing things to worry about.
Should Dropbox be hacked, they would also have to break the 1Password encryption before I changed the passwords.
9 August 2012 9:23AM9 August 2012 9:23AM
^ YMMV. The above is not perfect, but it's pretty secure and should cater for most worst-case scenarios.^ YMMV. The above is not perfect, but it's pretty secure and should cater for most worst-case scenarios.
Link to this comment:Link to this comment:
9 August 2012 10:30AM9 August 2012 10:30AM
First of all I must say that I have an extensive background in IT and cloud technology. It is sensible for me to be vague so as not to upset my employer.First of all I must say that I have an extensive background in IT and cloud technology. It is sensible for me to be vague so as not to upset my employer.
Someone has already mentioned that the "Cloud", despite the nebulous name, is at the end of the day a collection of IT infrastructure. The only difference is that you do not host or manage it.Someone has already mentioned that the "Cloud", despite the nebulous name, is at the end of the day a collection of IT infrastructure. The only difference is that you do not host or manage it.
Clearly this means putting your faith in the security put in place by the cloud provider.Clearly this means putting your faith in the security put in place by the cloud provider.
It is becoming increasingly difficult for us to avoid the spread of our personal data across a huge number of different interconnected systems, whether it be internet banking, on-line shopping or social media sites.It is becoming increasingly difficult for us to avoid the spread of our personal data across a huge number of different interconnected systems, whether it be internet banking, on-line shopping or social media sites.
Having said all of that, given the number of high profile security failures by those custodians of our data, I have always done all I can to minimise the amount of data that I give to third parties. I do not use dropbox or a free email service. I do not have my data in iCloud and I have very limited info. shared on social media sites.Having said all of that, given the number of high profile security failures by those custodians of our data, I have always done all I can to minimise the amount of data that I give to third parties. I do not use dropbox or a free email service. I do not have my data in iCloud and I have very limited info. shared on social media sites.
Seeing how cloud security works from the inside, there is no way I will trust these buggers with the stuff I can keep to myself.Seeing how cloud security works from the inside, there is no way I will trust these buggers with the stuff I can keep to myself.
Link to this comment:Link to this comment:
9 August 2012 10:50AM
The internet is NOT secure. It never will be. Please get used to it.
Okay, will do.
9 August 2012 10:53AM
Such are the risks of solely using the cloud for personal storage
If you are happy for Google to scan all your Gmail content, put faith in the iCloud/SkyDrive as a reliable, always available storage medium or then you have nothing to worry about
9 August 2012 11:04AM
even having read the Wiki entry on cloud computing, I'm no wiser about what the heck it is
Seems fair.
Take it on trust, it's new and improved AND tried and tested, massively cost effective for users AND massively profitable for service providers, and above all it's very very shiny.
And it's great for getting column inches, most of which will be meaningless (as you discovered).
Some people with long memories will tell you it's 1960s/70s bureau timesharing remarketed for the modern era where shininess is far more important than usefulness.
Others will tell you it's another excuse for business managers to abandon any responsibility for (and knowledge of) their IT systems.
Beyond that, who cares what it is as long as it gets coverage?
Meanwhile, your everything-in-triplicate backup system presumably also includes keeping at least one of those three devices in a different place from the rest? (One at work, one with a friend/relative/neighbour, etc)
And not backing up to all three at the same time, but in some kind of (semi-)organised sequence, so if the master copy of something gets corrupted rather than lost, you don't overwrite all the previous copies at the same time?
And occasionally testing that you can retrieve files?
Then you're pretty good to go, whether it be cloudy or not.
9 August 2012 11:07AM
The issue is education and understanding. Unfortunately, it seems the most common way for lay people to gain understanding is by suffering a huge data loss.
My point exactly. It's not good or bad, as some people would seem to state. It's just a resource - you manage risk or you don't. And that's about education. If you intend to make cloud based apps or storage part of your setup, you need to think about how critical the data is to you and how critical it is that you have access to it. And have a plan.
I don't use cloud storage personally, but I do have a strategy around online access from home as that is critical for me as I rely on a cloud based application / platform / eco system (for want of a better term).
There are people who adopt technology too quickly - especially if it begins with an "i" - hence our intrepid iJourno lost his data.
9 August 2012 11:40AM
If you intend to make cloud based apps or storage part of your setup, you need to think about how critical the data is to you and how critical it is that you have access to it. And have a plan.
Consumers can do none of these things unless they are told about them. Nobody is telling them. And nobody ever will.
Even if they are told, many would believe such contingencies are either too costly or too much of an inconvenience to bother with.
Today there's a good chance that a family's photo archive will have a big hole in it where some data was lost due to the wonders of the digital age. It's pretty sad really.
9 August 2012 11:50AM
Others will tell you it's another excuse for business managers to abandon any responsibility for (and knowledge of) their IT systems.
I think this statement pretty effectively demonstrates that you have no first hand experience of these types of business decisions.
9 August 2012 11:57AM
I keep mine in an old Quality Street box, under my bed, secured with sellotape. Sometimes I forget the password, or even where I've left it.
But, hey, it works for me, sorta.
9 August 2012 12:17PM
Unfortunately Apple don't tell you that on their website. Might be helpful if they did.
Why? They explain what iCloud does, and it's not a backup service. It's just a syncing service. Meanwhile there's a backup service built in to OSX that is so proactive you virtually have to deliberately opt out of using it. Literally, if you plug a new hard drive in, Time Machine instantly asks you if you want to use it to back up to.
But I also realise that most of us are way, way more savvy about this stuff than the average computer user, be they a Mac or PC user. Maybe the very first thing a new computer should do when you power it up for the first time out of the box is ask if you want to set up a backup.
Actually, I think OSX does that too.
9 August 2012 12:19PM
I do all that and back up to local hard drives and back up to BackBlaze. Can't be too careful.
9 August 2012 12:21PM
But really, am I the only one who looks at the picture above and wonders what elements of it made it the first choice to illustrate an Apple article about illegal hacking etc?
9 August 2012 12:30PM
I think this statement pretty effectively demonstrates that you have no first hand experience of these types of business decisions.
What evidence leads you to think that?
What is outsourcing in its worst (and all too frequent) form, if it is not business managers abrogating any responsibility for delivering a viable IT platform relevant to the needs of their business?
When someone at board level says "The outsourcer has broken their SLA, it's not my fault, they promised it would be OK, can't we sue them", it is no way to save a business from disaster.
Not saying a local IT capability would have been any better - what would have been better would be clued-up senior management, knowing they would be rewarded if things went well, and held accountable if things didn't go too well, and understanding the requirements (if not the details) of the IT their business needs, and a bit about what is available within the industry.
Sometimes outsourcing (or offshoring, which is pretty much the same by a different name) is done for good reasons. Whether it really delivers the promised business benefits is a different question altogether. Just ask RBS.
Cloudy "solutions" will be no different. They're just shinier (for now).
9 August 2012 2:25PM
I don't think much of the blame can reasonably be laid at Amazon's door - the only data the hackers got from them were the last 4 digits of a credit card. Those digits aren't supposed to be secure - they're for ease of identification only (that's why those digits are the ones not starred out on receipts). Using those digits for any purpose other than "remind me which card I used for this" is a security hole.
9 August 2012 2:30PM
Why? They explain what iCloud does, and it's not a backup service.
We know that. But it's not explicitly stated on the website. The description they use sounds a lot like backup to the layperson. It's a copy of the data that sits in the cloud and syncs with your devices. That sounds a lot like some kind of backup to the layperson.
And to be fair, this certainly isn't a problem exclusive to Apple.
These providers should have a responsibility to point out to consumers the limitations of the services they provide, rather than the poor saps having to find out the hard way when they lose data. The same concept applies to hard drives in PCs.
9 August 2012 2:37PM
The only difference is that you do not host or manage it.
There's another difference, which may be lost on most consumers - you don't easily know which country(s) your data is being hosted in and therefore you don't know which laws (i.e. Patriot Act) govern it.
More of an issue for the enterprise, I know.
9 August 2012 3:05PM
The hacker contacted Honan who agreed not to prosecute if the hacker told him how it was done.
Apple/Amazon/the law should prosecute.
9 August 2012 3:58PM
[QUOTE] I have always done all I can to minimise the amount of data that I give to third parties. I do not use Dropbox or a free email service. I do not have my data in iCloud and I have very limited info. shared on social media sites.
Seeing how cloud security works from the inside, there is no way I will trust these buggers with the stuff I can keep to myself. [QUOTE]
These are wise words to live by. My first qu is always "and why would I want to give you this data"?
It's astonishing how many www.newshoelacesonline.com type sites seem to want to know everything about you before letting you buy shoe laces from them. (message to those sites: if you are wondering about all the people who leave your site shortly after clicking "checkout now", that's why)
9 August 2012 4:34PM
Yes, I suppose the average person may think that's backup.
Having said that, Apple's machines thoroughly pester their users to make backups with Time Machine - you get asked when you turn one on for the first time, and whenever you plug in an external drive the Mac doesn't recognise. So while I agree that iCloud may 'feel' like backup when it totally isn't, they're doing their damnedest to get people into the habit of local backups at least.
9 August 2012 4:38PM
It obliterated eight years of Gmail messages.
Do people really keep e-mail messages for eight years?
9 August 2012 4:39PM
I don't think much of the blame can reasonably be laid at Amazon's door - the only data the hackers got from them were the last 4 digits of a credit card. Those digits aren't supposed to be secure - they're for ease of identification only (that's why those digits are the ones not starred out on receipts). Using those digits for any purpose other than "remind me which card I used for this" is a security hole.
The way I read it they got the entire credit card number.
First they generated a fake credit card number that would validate on Amazon's computers when checked, using a naughty online service.
Then they rang Amazon and asked to add a credit card number to 'their' account, which they were able to do so long as they could provide billing address and email details for the account. Then they hung up.
Then they rang back and asked to add a new email address to their account. To do that you need to supply a bit more information, such as a credit card number that's already on file, so they give the fake number they've just registered with Amazon. This works, and they add their own email address that they have access to.
Then they can have their login information for the Amazon account sent to them at that email address. At that point they can log in and get the full, correct credit card number held on file by Amazon, the last four digits of which is all Apple wanted to reset the password.
I may have misremembered the details but I think that's how the scam worked. Both Amazon and Apple were at fault, but I'd say Apple were worse for resetting a password on the strength of four digits which, like you say, aren't considered secure by pretty much any retailers as they're often printed on receipts.
9 August 2012 4:41PM
I expect it was less a case of "I'll keep these for 8 years" and more a case of "I never actually delete my emails from Gmail's web interface, so it's quite likely there's 8 years worth still in there."
9 August 2012 6:47PM
am I the only one who looks at the picture above and wonders what elements of it made it the first choice
No, I had the same thought. Glad I'm not alone in this. Is it the sub who picks the photo? Clearly not the world's brightest.
Comments on this page are now closed.
Wired's Mat Honan had his digital existence erased by hackers who took advantage of reciprocating security faults
They are tent poles of the economy, companies so big that for many, it can seem hard not to do business with them. Now Apple and Amazon are moving like a pair of lumbering synchronized swimmers to plug gushing leaks in their online security policies.
In the last 24 hours, Apple stopped processing password resets over the phone, and Amazon stopped accepting changes to account settings – including credit card numbers and emails – over the phone.
The reason? On Friday, reciprocating vulnerabilities in the two companies' security practices allowed hackers moving between Amazon and Apple to pull off an attack heard around the world – the technology world, at least.
The hack exploded in the news because on Monday the target of the attack, Mat Honan, published a detailed, damning 3,500-word piece about it on the technology site Wired.com, where he works as a senior writer.
"Those security lapses are my fault, and I deeply, deeply regret them," Honan wrote. "But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's."
Neither Apple nor Amazon is commenting on the security changes, which were first reported in Wired.
The attack erased Honan's digital existence and wiped clean the contents of his iPad, iPod and MacBook hard drive, including all his pictures of his one-year-old daughter. It obliterated eight years of Gmail messages. It culminated in the hijacking of his Twitter account, which was the hackers' goal in the first place – a coveted prize, according to a hacker whom Honan succeeded in contacting, due to its stylish three-letter handle, @mat. (Honan has since regained control of his Twitter account, and reports headway in Apple's attempt to recover his hard drive data, including the pictures.)
How did it happen? The short answer is that Honan made it easy for the hackers to guess the .Me email address associated with his AppleID by using the same email prefix for multiple accounts. His use of iCloud – which Apple aggressively promotes – meant hackers could remotely wipe all his Apple devices.
Honan's telling is a recommended read, not least for his description of the instant-message exchange he had with one of the hackers. In an act of journalistic aplomb, Honan pursues the hacker as a source to explain exactly why the hack was carried out and how it worked.
But the attack could not have happened without seemingly lax and interlocking security rules at Apple and Amazon. Once the hackers had Honan's Apple email, they needed only two other pieces of information to gain full access to his Apple kingdom: a billing address and the last four digits of a credit card number.
The billing address was obtained through a quick search for Honan's personal web domain on whois.com.
The credit card is where Amazon came in. Before the recent change in policy, all the hackers needed to crack Honan's Amazon identity – and view the last four digits of his credit card number – was a name, an email address and a billing address. They had all three.
They got the digits. Then they called back Apple.
"At 5:02 p.m., they reset my Twitter password," Honan writes. "At 5:00 they used iCloud's 'Find My' tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack."
To learn how to protect against a hack like the one that hit Honan, click here. Two quick steps: make sure you use different passwords for different accounts and if you use Gmail, set up two-step verification for access to your account.
The new security rules at Amazon and Apple seem to have plugged the leak used by Honan's hackers. An attempt by Wired on Tuesday to replicate the hack failed, after similar attempts Monday had succeeded.
Do the security patches at Amazon and Apple go far enough? Unfortunately the hackers are likely to know before the rest of us do.