Lobotomy
If my Mini were stolen or lost, I wouldn't worry a bit about a stranger prying into my data, since its home partition is encrypted. Now, this feature isn't reserved for users of Linux. Apple, for example, gave it the catchy name FileVault and has integrated it into Mac OS X since 2003.
Despite the existence of this reportedly easy-to-use disk encryption, the celebrated iCloud offers the much-welcomed feature to remotely wipe the storage of any device with a WiFi connection, including iPods, iPhones, iPads, and, well, most Macs in general. The remote wipe removes all personal data from the device and subsequently locks it down, rendering it useless for anyone not in possession of the secret code to reactivate it.
Now, listen to the story of Mat Honan, a former writer for the gadget blog Gizmodo. Apparently, somebody took over his iCloud account, and soon after, Mat was watching helplessly as his iPhone, iPad, and MacBook Air were all remotely wiped within minutes of each other. But his nightmarish experience was only the beginning.
Mat, having the trust of a puppy, had connected his iCloud with his Google account, and the latter in turn with Twitter and God only knows what else. The 'hacker', as Mat repeatedly calls the intruder, took the opportunity, deleted the Google account, and posted profanities in the Twitter channel of his former employer Gizmodo.
Mat initially speculated that the 'hacker' brute-forced his way into the account, as it was secured by 'only' a 7-digit alphanumeric password. Contrary to this naive conception, services such as iCloud do not facilitate direct brute-force attacks, since they lock down after a few unsuccessful attempts. Hacking iCloud itself would be, well, much bigger news than taking over the account of a rather insignificant individual.
In fact, Mat now claims to know what happened: "They got in via Apple tech support and some clever social engineering that let them bypass security questions." I seriously doubt that. A keylogger seems a much simpler and more likely supposition. See update below.
Can we learn something from this incident? Well, Mat's Australian colleagues know the answer: "… use super-secure passwords … use insanely secure (and unique) master passwords …". Wow! I'm deeply impressed. And the illustration they have chosen for this article further underlines the impression I got from this assessment.
Has Mat, poor dumb fuck incarnate, learned anything from this incident? After all, it must have hurt a lot: "Because I’m a jerk who doesn’t back up data, I’ve lost at more than a year’s worth of photos, emails, documents, and more." My guess is that his future iCloud password will be 8 digits long. Or even 9.
Update: Unbelievable as it may sound, the access code for the iCloud account really was the last 4 digits of Mat's credit card, which the hacker got from Amazon. So, I was wrong, and the hacker followed good old traditions by employing social engineering instead of a keylogger.
And what can we now learn from that? I'll comment on this point in a couple of days in one of my next entries.