Thoughts on the Amazon / Apple hack

Wed 08 August 2012

Just thought I would share this harrowing tale of how Mat Honan basically got his info deleted off all his devices and personal e-mail accounts within hours:

A few thoughts on this:

  • The guy basically got all his info wiped from his Mac and iPhone, using the same mechanisms to keep the devices safe from data theft.
  • The "entry point" here was the victim's Amazon account; the attacker made his way from the victim's amazon account into his .me account and from there to his gmail account. He wiped the Mac and iPhone, changed the .me password and gmail password, then hit the guy's twitter account.
  • The target of this "Apple hack" that cleared out irreplaceable photos and files actually didn't have anything to do with his his photos, files, or even work data. The real target of this attack? The guy's twitter account. Why? 'Because it looked cool.'
  • The attacker exploited two different "security philosophies" to gain access. In a nutshell, one company was using the last four digits of the victim's credit card to secure his data; however, it's a fairly common practice to show the last four digits of credit cards in order to identify the card without giving away the whole number.

The moral of the story? Think security no matter what or where your systems are. I realize how silly this sounds, and how daunting this can be. Ultimately, we all have insecure practices, especially in a day and age where the boundaries between technologies that are used for work and home are so blurry.

This story will make you think twice about relying on the cloud -- but the reality of it is that it shouldn't take you this long to start thinking about it. You may surmise that this could happen to you and stop using .me, gmail and the like... Don't! Because you're taking away the wrong message. It's not because it's on the cloud that it's insecure. It's because we tend to mistakingly rely on other companies to do the thinking for us.