The lessons in Mat Honan’s terrible, horrible, awful day

Send to Kindle

Wired columnist Mat Honan recently published an article detailing how his iPhone, iPad and laptop were all wiped clean – just because some hackers wanted to get control of his “cool” 3-letter Twitter handle; @mat. Since coming out, Mat’s story has been the talk of the tech news circuit. The Security Now podcast even postponed its normal schedule to dedicate an entire episode to discussing Mat’s experience.

Mat has done an excellent job telling his story, including acknowledging his own mistakes that contributed to the hackers’ ability to take over his digital life. And many others have added their thoughts, but most of the discussion has been quite long and can be difficult to parse for the average person. I’d like to take a moment to call out the 3 key lessons I feel we can take away from what happened to Mat:

1. The myth that you “don’t have anything worth stealing

I hear this frequently when I talk to people about adopting better security practices. The concept goes something like this:

I don’t keep any of my financial information on my computer. I’m nobody important. There’s nothing of value to anybody else on my computer.

And it’s completely wrong. The hackers who deleted Mat’s only pictures of his daughter didn’t care about his memories – they just wanted his Twitter account. Why? Because they thought an account with so few letters was cool. I’m willing to bet Mat never thought his account was valuable enough to be worth stealing either.

The truth is; if you have a computer you have something of value to hackers. If nothing else, the computer itself is something they can use. Once they gain control of it they can use your PC to attack other computers, run software to crack passwords, pretend to be you, etc, etc.

2. Trust. No. One.

If you listen to people who talk about security and privacy you will eventually hear the acronym T.N.O: Trust no one. It might sound paranoid, but in reality it’s just common sense. Obviously, we must trust others to a certain extent or we would never be able to make it through the day. The idea of T.N.O., however, is awareness. Every day we are enjoined by websites, startups, corporations, ads, etc. to

Sign up now!

Link to your Facebook account!

Upload your address book so we can find your friends!

Technology is a wonderful thing. It has the ability to give us unprecendented freedom to learn and see and create. But freedom comes with a price – responsibility. No matter how well intentioned the site you’re giving your information may be, no matter how much you may trust them, accidents can and will happen. T.N.O. says

  1. Think seriously about whether you really want or need to provide this information.
  2. What are the consequences when – not if – they lose control of this information?
  3. What can you do to maintain control and/or protect yourself?

 

It’s all about control. Are you willing to give up control of your personal information? Your identity? If not, then make sure you take steps to protect it.

3. Back up your stuff

This one has been mentioned in almost every discussion of the Wired article, and even by Mat himself, but it’s important enough that it bears repeating. No excuses. If you’re not already doing so, establish a regular backup routine. Ideally, follow the 3-2-1 rule:

  • 3 copies
  • on at least 2 different types of storage (hard drive, online, CD/DVD, The Cloud, etc.)
  • with 1 copy off-site (online, at a family member’s house, etc.)

 

Backing up your data speaks to numbers 2 and 3 under Trust. No. One. above: If you do lose control of everything can you get it back?

Be responsible

As some have noted, it’s important to note that the hackers who broke into Mat’s phone, computer and accounts did not crack his passwords. The techniques they used were all social engineering – they convinced support personnel that they were the rightful owners of Mat’s accounts. While having a strong password, and a different password for each separate account, is important protecting ourselves doesn’t stop there.

Just as you prepare for a potential earthquake, tornado or hurricane make sure you’ve prepared for the hacker that makes it past the harried tech support employee who maybe didn’t sleep well the night before.

Security best practices in the real world

Send to Kindle

I recently had a discussion with a co-worker regarding physical security. Our two departments share a small building with 9 offices. Each of us has a key to the building, a key to our own office, and a key to a shared storage room nearby. This co-worker was gathering feedback for a proposal he was putting together with the following goals:

  • Reduce the number of keys we have to carry.
  • Potentially provide access to both the building and the offices with a single key (for each employee).
  • Increase access to resources by having more people able to gain access to more spaces.  (For example; getting a book from the office of a co-worker that is on vacation.)

During our conversation, my co-worker requested that I stop being so abstract in my arguments and address more factual, concrete ideas of what could (or might) actually happen. The more I thought about it in the days following our conversation, the more I realized:

This is a common mistake when thinking about security.

It’s natural to want to better understand the threat by thinking in terms of real threats that need to be protected against, but what security researchers now know is that doing so puts us at a significant disadvantage.  If we’re focusing only on concrete, defined scenarios we are limiting ourselves to what is known (or can be guessed). Are you sure you considered every scenario a potential attacker might possibly come up with? Did you take into account every possible new technology/standard/practice? How about every policy change your organization might implement? History has shown us that even if your security measures start out ahead, this approach 1) will eventually be compromised by something you didn’t think of, and 2) quickly becomes reactionary – where you find yourself implementing new security measures in response to new exploits as they are discovered.

Follow established Best Practices.

Rather than relying on a never-ending game of cat-and-mouse (where each side is constantly one-upping the other) modern security efforts attempt to follow established security practices that are known to provide protection by their very design – regardless of the type of attack that might be leveraged against them. With this recent discussion around physical security fresh in my mind, I thought I’d take a moment to talk about a couple of those best practices. This by no means an exhaustive list, and if you’d like to know more I highly recommend the podcast Security Now (which also has transcripts, if you’d rather read than listen).

Security In Depth

The phrase security in depth is a paraphrasing of the NSA‘s defense in depth approach and refers to having layers of security. Frequently, I hear people say things like; “We don’t need to encrypt account information because our servers are behind a firewall”. Relying on a single security measure means you have a single point of failure. If that mechanism ever fails or is compromised – and statistically, the chances are it will be at some point – then all bets are off. Similarly, new attacks could be developed which bypass the firewall by being completely valid network traffic.

Security in depth means wearing a belt and suspenders – if one fails, your pants still stay up. Classic medieval castles are another great example of security in depth:

  1. A moat.
  2. The wall.
  3. Often, the streets inside a castle would be zig-zag so they wouldn’t provide a straight path to the palace at the center.
  4. An inner wall.

Somebody, someday will break in eventually – so you want to make it as difficult and time-consuming as possible to get to the valuable stuff. In the case of our offices, this is accomplished by both the building and the offices having doors – each with their own key.

Now, you may be thinking (as my co-worker was) that having two keys for two doors won’t offer any more protection if a thief steals my entire keyring, leaving him with both keys. That’s absolutely a fair point. But recall that it only addresses one scenario where keys might be compromised. What if I’m in an accident, the keys from my ring are strewn across the road, and a bystander surreptitiously picks one of them up? What if I leave my keys sitting out somewhere and a potential attacker makes a quick imprint of one? What about the potential scenarios I haven’t even considered?

Furthermore, there’s the problem that that one key could (potentially) open all of the offices – which brings us to…

Compartmentalization

When things are separated from each other, each in their own compartment, we say that they are compartmentalized. In a security context this typically also means that each compartment is isolated from the others. The benefit here is that if one is compromised the attacker doesn’t automatically gain access to the others. In the building/office scenario above, this means

  • A thief would only have access to the building and the office of the employee they stole the key(s) from.
  • A disgruntled employee would only have access to their own office.
  • The chances of a co-worker entering an office while the occupant is changing, or engaged in a private phone call are greatly minimized.

Certainly, we can scoff at some of these examples – say they’re extreme, not likely to happen, or that we can do other things to prevent them (like knocking on an office door before entering). But the point is; what of the scenarios we haven’t thought of? What about social engineering techniques that would never occur to us?

Modern security best practices shift the focus from trying to anticipate what kinds of attacks we might see to a more holistic approach that seeks to create an environment which naturally resists attacks.