How's this for a digital nightmare? Your Twitter account hijacked; racist and homophobic tweets posted in your name. Your Apple account breached; data wiped from your iPhone, iPad and Mac laptop. Your Gmail password reset by hackers and your Google account deleted.
That's what happened to Wired journalist Mat Honan recently. And while news coverage of his "epic hack" may be easing, you can bet there's an army of would-be imitators who, as you read this, are trying to duplicate that attack.
Honan was somewhat careless (especially having no backups of his wiped data) but also very unlucky. However, now that word of the attack has been widely publicized, it would be wise to try to protect yourself from these now well-known vulnerabilities.
The good news? It won't take long. And while you can't expect to create an impenetrable defense in an hour, you can implement some strategies to harden your own accounts.
Issue: Using public email addresses for account access, password recovery
Threat: It is sobering how little the attackers needed to get started. They began with nothing more than Honan's Gmail address and his billing address (the kind of information found in many public records), then leveraged lax identity-verification policies at Amazon and Apple to work their way into his accounts.
Defense: Don't use a publicly known email address for your account login and password-reset contact info. Instead, use one or more separate addresses that you reserve only for this use and not for any other type of communication. This makes it harder for someone who knows your personal or business email address to use that information to gain access to other accounts.
Your ISP likely allows you to add additional email accounts. Alternatively, you can use an email service you trust to create a new account, or you can register your own domain and add a hard-to-guess address on it (and do not list that address as the public contact for the domain, since registrant contact details in WHOIS records are searchable).
Really security conscious? Set up multiple email addresses so you've got a different one per account, or have multiple addresses that all forward to one private mailbox. This way, even if one account is breached, knowing the address you use there won't help anyone get into another.
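The per-service-alias scheme described above, as an added example that is not part of the original article: it generates one hard-to-guess address per account on a domain you control, renders forwarding entries for them, and checks the property the advice depends on, namely that no two accounts share an address and none of them reuses a publicly known one. The domain, the private mailbox and the Postfix `virtual_alias_maps` line format are assumptions for illustration; most hosted mail providers offer the same forwarding through a web form instead.

```python
import re
import secrets

# Assumed values for illustration only (not from the article).
DOMAIN = "example.net"
# The private mailbox everything forwards to; never used as a login or
# contact address anywhere, so it stays unknown to attackers.
PRIVATE_MAILBOX = "inbox-7f3k@example.net"


def make_alias(service: str, domain: str = DOMAIN, nbytes: int = 6) -> str:
    """Return a per-service address such as 'twitter-1a2b3c4d5e6f@example.net'.

    The suffix comes from the OS CSPRNG (secrets), so learning the alias used
    at one service gives no clue about the alias used at any other.
    """
    label = re.sub(r"[^a-z0-9]", "", service.lower())
    if not label:
        raise ValueError("service name must contain at least one letter or digit")
    suffix = secrets.token_hex(nbytes)  # 2*nbytes hex chars, 48 bits here
    return f"{label}-{suffix}@{domain}"


def build_alias_map(services, domain: str = DOMAIN) -> dict:
    """Assign a fresh alias to every service, refusing duplicates."""
    aliases = {}
    for svc in services:
        addr = make_alias(svc, domain)
        if addr in aliases.values():  # astronomically unlikely, but cheap to check
            raise RuntimeError(f"alias collision for {svc}: {addr}")
        aliases[svc] = addr
    return aliases


def postfix_virtual_lines(alias_map: dict, target: str = PRIVATE_MAILBOX) -> list:
    """Render Postfix virtual_alias_maps entries, one 'alias target' per line.

    Assumed format (see virtual(5)); adapt to your provider's forwarding UI.
    """
    return [f"{addr} {target}" for addr in alias_map.values()]


def reuse_exposure(alias_map: dict) -> dict:
    """Report addresses shared by more than one service.

    With one alias per service this is empty; a non-empty result means a
    breach at one of the listed services reveals the login address for the
    others, which is exactly the situation the article warns about.
    """
    by_addr = {}
    for svc, addr in alias_map.items():
        by_addr.setdefault(addr, []).append(svc)
    return {addr: svcs for addr, svcs in by_addr.items() if len(svcs) > 1}


def public_address_reuse(alias_map: dict, public_addresses) -> list:
    """Return the services whose login/contact address is a publicly known one."""
    public = {a.lower() for a in public_addresses}
    return [svc for svc, addr in alias_map.items() if addr.lower() in public]


if __name__ == "__main__":
    aliases = build_alias_map(["Twitter", "Apple ID", "Gmail", "Amazon"])
    for svc, addr in aliases.items():
        print(f"{svc:10s} -> {addr}")
    print("\n# forwarding entries")
    print("\n".join(postfix_virtual_lines(aliases)))
    # Constructed bad example: every account on the same public address.
    careless = {"twitter": "me@example.org", "apple": "me@example.org"}
    print("\nshared addresses in careless setup:", reuse_exposure(careless))
```

Keep the generated map somewhere you control (a password manager entry per service works well); the alias itself is the thing you are trying to keep unguessable, so it should not appear on a business card, a mailing list or a public profile.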
Time: Setting up a new address at your ISP or domain: 3-5 minutes. Setting up multiple forwarders to that address: another 3-5 minutes. Changing login/contact/password reset email address: 1-2 minutes per account. Suggestion: It will probably feel less onerous if you change contact addresses the next time you log into each of your accounts, instead of sitting down to do them all at once.