An Epic Mac Attack


Anyone feeling smug about the relative safety of their (or their IT clients') Apple devices should read about Mat Honan, a very unlucky Wired.com senior writer.

Yes, Apple iPhones, iPads and MacBooks are less likely to be infected than Windows or Android devices, but Honan's saga shows they are not immune. Apple devices are also less likely to pull in malware from infected Web sites, though such incidents are on the rise (see this recent article). One thing is for sure: Apple's platforms are no safer from the sort of social engineering attacks I've discussed in past columns, because those attacks target people and support procedures rather than the device.

It's nearly impossible to prevent such attacks, as Honan learned. Within just an hour, hackers managed to destroy his "entire digital life" by:

  • Deleting his Google account.
  • Taking over his Apple ID and iCloud accounts.
  • Erasing years' worth of Gmail messages.
  • Wiping his iPhone, iPad and MacBook.
  • Wresting control of his social networks.
  • Using his Twitter account to broadcast racist and homophobic messages.
  • Manipulating both Amazon.com's and Apple's customer support to pull it off.

Honan actually interviewed one of the hackers and found out he wasn't even a "personal target." It was all done to wrest control of his Twitter account and spread defamatory filth. He was just lucky they weren't after his bank accounts too.

Playing Peter against Paul

The key to the caper: the hackers obtained part of Honan's credit-card number from Amazon.com and used it (plus other personal data gathered on the Web) to talk Apple tech support into unlocking his iCloud account. Honan issues a clear warning about this to both individuals and IT departments:

"Amazon tech support gave [the hackers] the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices."

Such inconsistent security is faulty security. And like most industries, ours is rife with standards that are implemented inconsistently by manufacturers, corporate IT departments and users. In addition, the Web actively entices us (or even requires us) to compromise our security. For example:

  • Anytime an individual links ("daisy chains") one part of their online ecosystem to another, they are trading security for the Web's enticements of convenience or reward. As much as Web sites promote this practice, we compromise our security when we log into Amazon through Yahoo or "like" our banks on Facebook. As Honan discovered, resourceful hackers can parlay such daisy chains and other bits of data about us to trick a vendor's support staff into resetting or releasing our IDs and passwords.
  • Passwords themselves offer a fine example of being forced to compromise our individual and corporate security. Some firms with which I used to do business still forbid the special characters (like _*&!) that enlarge the character set an attacker has to search. Such firms force their customers to use limited alphanumeric passwords that are easier to crack.
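As an added illustration of the Amazon-to-Apple hop and of daisy-chaining in general (this is editor-supplied example code, not from the column or from Honan's account), the script below models each service by the attributes it accepts as proof of identity and the attributes it discloses once an attacker is in, then computes how far an attacker can get starting from public data alone. The Amazon and Apple rows follow the column's description; the Google and Twitter hops, the attribute names and the services' exact verification rules are assumptions made for the illustration.

```python
"""Cross-service identity "daisy chain" model (added example, not the column's code).

A service falls once the attacker already holds every attribute it accepts as
proof of identity; whatever that service then discloses joins the attacker's
knowledge and may unlock the next service.  Iterating to a fixpoint finds the
full chain and shows which "secrets" were really public all along.
"""
from collections import namedtuple

Service = namedtuple("Service", ["name", "verifies_with", "reveals"])

# Constructed sample data.  Attribute names are hypothetical labels.  The Amazon
# and Apple rows follow the column's description of the Honan case; the Google
# and Twitter rows assume that each account is the recovery/login address of the
# next, which is the usual shape of a daisy chain.
SERVICES = [
    Service("Amazon", {"name", "email", "billing_address"}, {"card_last4"}),
    Service("Apple", {"email", "billing_address", "card_last4"}, {"icloud_access"}),
    Service("Google", {"icloud_access"}, {"gmail_access"}),
    Service("Twitter", {"gmail_access"}, {"twitter_access"}),
]

# What a stranger can assemble from the open Web about a public figure.
PUBLIC_KNOWLEDGE = frozenset({"name", "email", "billing_address"})


def attack_chain(services, known):
    """Return (services that fall, in order; final attacker knowledge)."""
    known = set(known)
    fallen = []
    remaining = list(services)
    progress = True
    while progress:
        progress = False
        for svc in list(remaining):
            if svc.verifies_with <= known:       # every required proof already held
                fallen.append(svc.name)
                known |= svc.reveals             # its disclosures become attacker knowledge
                remaining.remove(svc)
                progress = True
    return fallen, known


def leaked_verifiers(services):
    """Map each service to the proofs it trusts that some other service discloses.

    This is the Amazon/Apple mismatch in the column: the same four digits are
    displayed by one company and accepted as identity by another.
    """
    disclosed_by = {}
    for svc in services:
        for attr in svc.reveals:
            disclosed_by.setdefault(attr, set()).add(svc.name)
    mismatches = {}
    for svc in services:
        bad = {a: disclosed_by[a] for a in svc.verifies_with if a in disclosed_by}
        if bad:
            mismatches[svc.name] = bad
    return mismatches


def harden(services, name, drop, add):
    """Copy of the model in which `name` stops accepting `drop` as proof and
    demands `add` instead (a secret no other vendor in the model displays)."""
    out = []
    for svc in services:
        if svc.name == name:
            svc = svc._replace(verifies_with=(svc.verifies_with - {drop}) | {add})
        out.append(svc)
    return out


if __name__ == "__main__":
    fallen, _ = attack_chain(SERVICES, PUBLIC_KNOWLEDGE)
    print("chain from public data:", " -> ".join(fallen))
    print("proofs that another service leaks:", leaked_verifiers(SERVICES))
    # If Apple demanded something Amazon does not display, the chain stops early.
    fixed = harden(SERVICES, "Apple", drop="card_last4", add="account_pin")
    print("after hardening Apple:", " -> ".join(attack_chain(fixed, PUBLIC_KNOWLEDGE)[0]))
```

Run as written, the model shows all four services falling from nothing but public data, flags `card_last4` at Apple as a proof that Amazon discloses, and shows the chain halting at Amazon once Apple demands a proof that no other vendor in the model hands out. The same closure check works for any set of vendors and recovery links an IT department wants to audit.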

Cracked Fortresses

As long as we lean on technological tools alone (like firewalls, password policies/procedures, and MAM/MDM application/data-flow controls) our digital fortresses will contain many cracks. And these cracks will be invisible to both users and IT managers until they are breached.

Apple and Amazon are now reviewing their security procedures. But the unpredictable variety of identity attacks makes them nearly impossible to anticipate or prevent. So IT departments, company employees and their firms' external business partners must all work to limit the "damage spread" when any of their defenses are breached. To start:

  • Back up data often on every digital device. How often depends on how much activity since the last backup one is willing to lose.
  • Don't permit cloud-sync services like iCloud to be activated on office devices if they aren't needed for corporate applications.
  • Use different email addresses and strong IDs/passwords on separate accounts.
  • Shred any paper (including store and restaurant receipts) that shows names, addresses, emails, businesses with which one deals, or any part of a credit-card number.
  • Discourage "daisy chaining" of Web sites in devices that are used in the office.
  • Constrain and segment data flow and resource access within the organization (à la MAM and MDM).
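The two password points above (the earlier bullet on sites that forbid special characters, and the advice here to use strong passwords on separate accounts) can be made concrete. The script below is an added example written for this edit, not code from the column: it infers the character classes a password draws on, bounds the search space an attacker must cover, and models a site policy so the cost of banning symbols can be compared with the cost of capping length. The guess rate and the sample passwords are assumptions.

```python
"""Password search-space comparison (added example, not the column's code).

Bits = length * log2(charset).  The bound only holds for randomly chosen
passwords; a dictionary word with decorations ("P@ssw0rd") is cracked in
seconds regardless of what this function says, so treat the figure as the
ceiling a site's policy allows, not as the strength of a given password.
"""
import math
import string

# Character classes.  A brute-force attacker must include a class once the
# target's passwords are known to draw on it.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}


def charset_size(password):
    """Size of the smallest class union that covers every character used."""
    return sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in password))


def entropy_bits(password):
    """Upper bound on search space, assuming uniform random choice from the classes used."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def expected_crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit a random password: half the space at the given rate.
    1e10 guesses/s is an assumed figure for offline cracking of a fast hash."""
    return (2.0 ** bits) / 2 / guesses_per_second


def policy_allows(password, allow_symbols=True, max_length=None):
    """Model of a site policy: the kind that bans _*&! and/or caps length."""
    if not allow_symbols and any(c in CLASSES["symbol"] for c in password):
        return False
    if max_length is not None and len(password) > max_length:
        return False
    return True


def best_under_policy(candidates, **policy):
    """Strongest candidate a policy lets the user keep, as (bits, password)."""
    allowed = [(entropy_bits(p), p) for p in candidates if policy_allows(p, **policy)]
    return max(allowed) if allowed else (0.0, None)


if __name__ == "__main__":
    # Constructed sample passwords: short with symbols, long without, and an
    # 8-character alphanumeric one that survives the most restrictive policy.
    candidates = ["P@ssw0rd", "Tr0ub4dor&3", "Xk9mQ2vL", "Xk9mQ2vL4nRt", "c7Hq2wN8pL5sT3vB"]
    for p in candidates:
        bits = entropy_bits(p)
        print(f"{p:18s} charset={charset_size(p):3d} bits={bits:6.1f} "
              f"~{expected_crack_seconds(bits) / 86400:.1e} days at 1e10/s")
    print("no-symbol policy keeps:", best_under_policy(candidates, allow_symbols=False))
    print("no-symbol + 8-char cap keeps:",
          best_under_policy(candidates, allow_symbols=False, max_length=8))
```

The figures show why a ban on special characters is a nuisance rather than a disaster on its own: a 12-character alphanumeric password (about 71 bits) outranks an 8-character one drawn from all four classes (about 52 bits). The policy that really hurts is the one that also caps length, because then no amount of user diligence can buy back the lost search space.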

If your company or its employees aren't socially engineered, hacked or infected with malware within the next month (or week), you'll be lucky. If you don't think it's a real problem, here's what Honan had to go through to recover his information. And he was admittedly quite lucky to have the resources and the right connections to recover a lot of valuable information.

But what if this kind of damage spread through your own organization? It could, as I'm sure Honan would be the first to admit.




3 Comments

Won’t your suggestions be hard to implement under BYOD, where employees are permitted to bring in and use their own information devices?

Yes, securing them could be a political hot potato. Such devices are configured in personal ways, and users may resist attempts to “lock them down” in the office. But ignoring this would also make them less secure. An interesting solution might be for IT to configure separate Personal and Corporate user profiles in the devices. Users would then be required to switch to the Corporate profile and its security mandates on-site, but could easily return to their Personal settings at home.


Solutions like Good (an MDM) create a virtual segment on the consumer device that can be wiped without affecting the user's personal information. That type of system seems to be the best solution for BYOD where there is protected information.


Publisher

Steven Taylor

TechNotes is a special program of Webtorials and Distributed Networking Associates, Inc.


Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2013, Distributed Networking Associates, Inc.