Wired columnist Mat Honan recently published an article detailing how his iPhone, iPad and laptop were all wiped clean, just because some hackers wanted control of his “cool” three-letter Twitter handle, @mat. Since it came out, Mat’s story has been the talk of the tech news circuit. The Security Now podcast even postponed its normal schedule to dedicate an entire episode to discussing Mat’s experience.
Mat has done an excellent job telling his story, including acknowledging his own mistakes that contributed to the hackers’ ability to take over his digital life. And many others have added their thoughts, but most of the discussion has been quite long and can be difficult to parse for the average person. I’d like to take a moment to call out the 3 key lessons I feel we can take away from what happened to Mat:
1. The myth that you “don’t have anything worth stealing”
I hear this frequently when I talk to people about adopting better security practices. The concept goes something like this:
I don’t keep any of my financial information on my computer. I’m nobody important. There’s nothing of value to anybody else on my computer.
And it’s completely wrong. The hackers who deleted Mat’s only pictures of his daughter didn’t care about his memories – they just wanted his Twitter account. Why? Because they thought an account with so few letters was cool. I’m willing to bet Mat never thought his account was valuable enough to be worth stealing either.
The truth is: if you have a computer, you have something of value to hackers. If nothing else, the computer itself is something they can use. Once they gain control of it they can use your PC to attack other computers, run password-cracking software, send spam, impersonate you, and so on.
2. Trust. No. One.
If you listen to people who talk about security and privacy you will eventually hear the acronym T.N.O.: Trust No One. It might sound paranoid, but in reality it’s just common sense. Obviously, we must trust others to a certain extent or we would never make it through the day. The idea of T.N.O., however, is awareness. Every day we are urged by websites, startups, corporations, ads, etc. to
“Sign up now!”
“Link to your Facebook account!”
“Upload your address book so we can find your friends!”
Technology is a wonderful thing. It has the ability to give us unprecedented freedom to learn and see and create. But freedom comes with a price: responsibility. No matter how well intentioned the site you’re giving your information to may be, no matter how much you may trust them, accidents can and will happen. T.N.O. says:
- Think seriously about whether you really want or need to provide this information.
- What are the consequences when – not if – they lose control of this information?
- What can you do to maintain control and/or protect yourself?
It’s all about control. Are you willing to give up control of your personal information? Your identity? If not, then make sure you take steps to protect it.
3. Back up your stuff
This one has been mentioned in almost every discussion of the Wired article, and even by Mat himself, but it’s important enough that it bears repeating. No excuses. If you’re not already doing so, establish a regular backup routine. Ideally, follow the 3-2-1 rule:
- 3 copies
- on at least 2 different types of storage (internal hard drive, external drive, CD/DVD, cloud storage, etc.)
- with 1 copy off-site (online, at a family member’s house, etc.)
Backing up your data answers questions 2 and 3 under Trust. No. One. above: if you do lose control of everything, can you get it back?
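A backup only answers that question if it actually restores, so it is worth checking the copies and not just counting them. The script below is an added example, not code from the original post: it hashes each backup copy against the primary, discards any copy that is missing or no longer matches, and only then evaluates the 3-2-1 rule. The file names, media labels and the “corrupted DVD” scenario are constructed here for illustration.

```python
"""Verify backups against the 3-2-1 rule.

Added example, not code from the original post.  The file names, media
labels and the corruption scenario below are constructed for illustration.
"""
import hashlib
import os
import tempfile
from collections import namedtuple

# One copy of the data: where it is, what kind of medium holds it, and
# whether it lives somewhere other than the primary site.
Copy = namedtuple("Copy", "path medium offsite")


def sha256_of(path):
    """Stream a file through SHA-256 so large archives need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(primary, copies):
    """Return only the copies whose bytes match the primary.

    A copy that is missing or whose hash differs is excluded: for the
    policy check below, a backup you cannot restore from does not count.
    """
    want = sha256_of(primary.path)
    good = []
    for c in copies:
        try:
            if sha256_of(c.path) == want:
                good.append(c)
        except OSError:
            pass  # unreadable copy: treat it as lost
    return good


def check_321(primary, copies):
    """Evaluate 3-2-1 over the verified copies (the primary is copy #1)."""
    good = verify_copies(primary, copies)
    total = 1 + len(good)
    media = {primary.medium} | {c.medium for c in good}
    offsite = sum(1 for c in good if c.offsite)
    three, two, one = total >= 3, len(media) >= 2, offsite >= 1
    return {
        "verified_copies": len(good),
        "three_copies": three,
        "two_media": two,
        "one_offsite": one,
        "ok": three and two and one,
    }


def demo(corrupt=("dvd",)):
    """Constructed scenario: one primary file and three backups, with the
    named backups silently damaged by a single flipped byte (bit rot)."""
    d = tempfile.mkdtemp()
    data = b"only pictures of my daughter\n" * 2000
    paths = {}
    for name in ("primary", "external", "cloud", "dvd"):
        p = os.path.join(d, name + ".bin")
        with open(p, "wb") as f:
            f.write(data[:-1] + b"X" if name in corrupt else data)
        paths[name] = p
    primary = Copy(paths["primary"], "internal-disk", False)
    copies = [
        Copy(paths["external"], "external-disk", False),
        Copy(paths["cloud"], "cloud", True),
        Copy(paths["dvd"], "optical", True),
    ]
    return check_321(primary, copies)


if __name__ == "__main__":
    print(demo())                          # bad DVD, still passes 3-2-1
    print(demo(corrupt=("dvd", "cloud")))  # no good offsite copy left
```

Two things the script makes visible that a simple file count does not: the damaged DVD is dropped before the rule is evaluated, and once the cloud copy is also bad the inventory fails on the off-site requirement even though three files still exist on disk. In practice you would hash against a manifest written at backup time rather than against the live primary, and you should treat a copy reachable with the same credentials as the primary as not truly independent, since whoever takes over the account can wipe both.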
As others have noted, the hackers who broke into Mat’s phone, computer and accounts did not crack his passwords. The techniques they used were all social engineering: they convinced support personnel that they were the rightful owners of Mat’s accounts. So while having a strong password, and a different password for each account, is important, protecting ourselves doesn’t stop there.
Just as you prepare for a potential earthquake, tornado or hurricane, make sure you’ve prepared for the hacker who makes it past the harried tech support employee who maybe didn’t sleep well the night before.