How Not To Get Hacked
The four things you need to do right now to avoid the fate of tech writer Mat Honan.
3) Remote wiping is unnecessary. Turn off “Find My Mac.” Instead, encrypt your data.
Being able to find your lost devices sounds great. You paid a lot for that tablet, phone, and laptop. Why wouldn’t you want to locate it if it’s gone? And if someone else has it, wouldn’t you want to delete your stuff remotely so that they can’t monkey with your data?
In theory, sure. But the way that Apple implements its “Find My” system isn’t very secure. If a hacker gets into your iCloud account, he doesn’t need any other credentials to find your devices and delete all your data. That’s what happened to Honan, and it could happen to you, too.
Until Apple figures out a better way to protect against others wiping your data (perhaps by requiring a second form of authentication for remote wipes), you should turn off Find My Mac.
But what happens if someone gets your computer—how will you prevent unauthorized access to your data if your computer gets into the wrong hands? It turns out there’s a better security system than remote delete: It’s called whole-disk encryption, and it’s built into the Mac and some versions of Windows. You just have to turn it on. (Here’s how to do so in Mac OS Lion, and here’s how to do so in the Ultimate or Enterprise versions of Windows 7.)
Whole-disk encryption works by scrambling all of the bits on your entire hard drive; the only way to gain access to the data is by entering a password. (Here, too, of course, it would be better if two forms of authentication were required.) Turning encryption on slows down your computer by a tiny bit, but it’s not that big of a deal. And when your computer is gone, you can be sure that your data is safe—unless the hacker knows your password, your data will remain hidden to him.
4) Password recovery is a menace. Make sure your accounts aren’t daisy-chained together.
Lastly, you should examine how your various online accounts are linked through forgotten password request services. In particular, look up your various important email accounts, financial accounts, social networks, and other services. Each of these accounts will ask you for an email address where your password requests should be sent.
If they’re all pointing to one another, a single hack could let an attacker get into everything else. For instance, if Gmail is set to send password resets to your Apple account, and your bank is sending requests to Gmail, then all the hacker needs to do to wreak havoc on your finances is steal your iTunes password (which is probably not very strong, because you hate typing out a tough password on a touchscreen to download apps). With your iTunes password, he can get into Gmail through a password request, and once inside Gmail, another password request will let him into your bank. This is exactly what happened to Honan.
What should you do about this? I would create a single, secret, ultra-secure email address that you designate as the one place to send all password resets. What do I mean by ultra-secure? I mean a new Gmail account—something like email@example.com—with a very strong password and two-factor authentication turned on. Now go to all your other accounts and have them send password requests to this secret address. It’s important that you don’t use this address for anything else—don’t send mail from it, don’t use it to sign up for newsletters, don’t let anyone know that it has anything to do with you. As long as it remains secret, any password resets that are sent its way should be safe.
Nothing online is perfectly secure—determined hackers can get into anything if they really put their minds to it. But the guy who attacked Honan wasn’t some mastermind. He was a kid who just wanted to wreak havoc, and he happened to know about a few key vulnerabilities at Apple, Amazon, and in the systems that govern our online lives. But a few simple steps would have made his attack much more difficult. The stuff I’m suggesting isn’t hard to do. You should do it now.
Farhad Manjoo is Slate's technology columnist and the author of True Enough: Learning To Live in a Post-Fact Society. You can email him at firstname.lastname@example.org and follow him on Twitter.