Op-ed: Journalist’s nightmare provides teachable moment for cloud security
Mat Honan's unexpected crisis could go a long way toward inspiring more thoughtful cloud security practices.
Technology journalist Mat Honan, who has most recently written for Gizmodo and Wired, made headlines for all the wrong reasons last week. In an unfortunate case of life imitating art, Honan found himself the victim of the type of digital disaster he had come across countless times in his industry coverage. Within minutes, Honan's online identity was unraveled before his eyes as he helplessly watched hackers commandeer and corrupt his accounts.
Amid these regrettable circumstances, however, Honan has decided to do an admirable thing. Instead of retreating from the spotlight as he gets his affairs in order, Honan will chronicle his trying times with a level of candor and transparency he hopes will inspire thoughtful discussion and more vigilant data protection among consumers and business professionals alike.
Diagramming disaster
"In the space of one hour, my entire digital life was destroyed," Honan wrote in an explanatory post for Wired. "First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad and MacBook."
While the blame for such a catastrophic sequence of events can be cast in several directions, Honan began by pointing the finger at himself. In his reflection, the columnist suggested that his fatal flaw came down to a case of lazy password management. Despite the heightened awareness of data security fundamentals he carries around as an industry expert, Honan admitted to letting convenience win out over best practices.
As a result of password recycling, his accounts were effectively "daisy-chained together." Once hackers breached his Amazon profile, they were able find his AppleID and eventually break into his Gmail account as well. In fact, Honan suspects that the original goal of the hackers was to disrupt his Twitter account and embarrass him by posting crude messages. However, the interdependence of his security defenses likely left them with an opportunity that was too good to pass up.
"Had I used two-factor authentication for my Google account, it's possible that none of this would have happened," Honan suggested in his mea culpa. "Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location."
Not an isolated incident
As Honan dug deeper into the incident and started peeling back the layers of the response protocols practiced by Amazon and Apple, a number of suspicions were confirmed. Most notably, the columnist has charged Apple's tech support team with inadvertently giving hackers access to his personal cloud storage account after they had garnered a partial credit card number through a separate security lapse at Amazon.
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification," Honan wrote. "The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices."
Suddenly, Steve Wozniak's recent off-the-cuff prognostication of a cloud doomsday scenario doesn't seem so far-fetched.
In fact, InformationWeek columnist Dino Londis suggested that this incident has placed one very inconvenient truth at the center of the cloud security dialogue. Simply put, the rise of consumerization has triggered the lowering of protection standards. And while watching consumers prioritize convenience over security is not altogether surprising, vendors and IT teams have been following suit, to a certain extent, themselves.
Londis pointed to the popularity of Android devices as a prime example of this phenomenon. While the mobile operating system could hardly do more in planting the seeds of security doubt, the handsets are having no trouble finding their way into the office or attracting the attention of commercial application developers.
As more personal and professional computing tasks converge in virtual environments, the security of public cloud servers is more important than ever. This should be a pretty alarming realization, according to Londis, considering a pair of tech-savvy teenagers needed nothing more than a smartphone to outwit Apple and Amazon and destroy Honan's digital identity.
Taking out an insurance policy
There is little hope that cloud computing will diminish in popularity, or that its security loopholes will be closed in the immediate future. As a result, focus must return to the tried and true defense strategies that are already available.
According to Network World, the Honan hack could finally help two-factor authentication reach critical mass. Considering what's at stake, should account holders really be relying exclusively on eight-character passwords and a question about their favorite color to guard their online identities? Even before launching into a discussion of the affordability and feasibility of biometrics, something as simple as sending an SMS message to users has already proven effective for Gmail and likely would have protected Honan had he subscribed to the feature.
What's more, the writer's troubles could help restate the case for physical data storage strategies. While backing up files and photos in the cloud represents a convenient and effective means of disaster recovery, its success is still reliant on how well cloud identities are being guarded by service providers and users, according to Network World. Given the rate of public cloud breaches and Honan's elucidation of the misaligned security protocols observed by cloud hosts, virtual storage no longer seems to be a silver bullet. Instead, even your cloud backup should have a backup.
Cloud Security News from SimplySecurity.com by Trend Micro
Spotlight
Cloud Computing
- US makes large investment in cyber weaponry
- Wall Street has data security concerns over Bloomberg reporting
- Security in backups means more than just encryption
- Employees must buy into the company policy for better cloud security
Virtualization
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Internet Safety
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Vulnerabilities & Exploits
CTO Insights
First Line of Defense
Newsletter
Stay up to date with the latest news and information on online threats.
Recent News
- Cloud security group develops third-party certification program
- US makes large investment in cyber weaponry
- SEC may ask for more information after cyberattacks
- FBI trying to train financial execs on cyber threats
Tag Cloud
cloud cloud computing cloud computing security Cloud Security Compliance & Regulations Consumerization Current News cybercrime Data Privacy data security Encryption Government Policy Internet Protection Internet Safety Internet Safety - DO NOT USE Internet Security Malware Mobile Security Mobility Policy Policy - DO NOT USE Privacy Privacy & Policy Private Cloud Public Cloud Reports Research Spotlight threat intelligence threat research Trend Labs Underground Economy virtualization Vulnerabilities Vulnerabilities - DO NOT USE web security web threats
Comments
Thanks for the article. There is a lot that we can ALL learn from this experience. We ALL need to be more proactive about our personal account security. In the case presented, he can blame both of the big guys (A+A) who failed him, but he still needs to blame himself for failing himself. In this day and age we need to learn to stop throwing the blame on to others and step up and take the responsibility of our info. If you don’t trust the site don’t use it. We have heard a million times don’t use the same passwords, back-up you info and then there is two-factor authentication. 2FA has jumped into the spotlight over the last few months. It’s been around for a while but it is good to see some of the big companies like Google promoting this option. In this case, 2FA was an option that was made available to him and he did not see the need or want to take the time to set it, so it is his own fault. And the two A’s don’t offer it, and that would have limited to damage done. But the sad fact is there are millions of people just like him who are not taking advantage of this awesome functionality that is being offered to them by several sites. I really hope this serves as a wake-up call to companies and individuals alike, for the need to kick this complacent attitude about authentication and passwords. My advice is take advantage of the 2FA which allows you to telesign into your accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.
Comment by Tempist on August 20, 2012 at 11:23 am