"Once the hacker gained access to Honan's iCloud account, he or she
was able to reset his password, before sending the confirmation email
to the trash. Since Honan's Gmail is linked to his .mac email address,
the hacker was also able to reset his Gmail password by sending a
password recovery email to his .mac address.
Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad
and MacBook Air remotely. Since the hacker had access to his email
accounts, it was effortless to access Honan's other online accounts
such as Twitter."
Every new technology has its pioneers, the people who buy into the vendors' hype ... and pay a price for it.
We should learn from them.
- Hard-Learned Lessons from the Honan Hack (lumension.com)
- 60-minute Security Makeover: Prevent Your Own 'Epic Hack' (pcworld.com)
- Former Gizmodo writer Mat Honan's hacked iCloud password leads to nightmare (nextlevelofnews.com)
- Apple Flooded with iCloud Password Reset Requests Amid Tightened Account Security Controls (macrumors.com)
- How Secure Is the Cloud, Really? (technewsworld.com)
The Navy's premier institution for developing senior strategic and
operational leaders started issuing students Apple iPad tablet
computers equipped with GoodReader software in August 2010,
unaware that the mobile app was developed and maintained by
a Russian company, Good.iWare, until Nextgov reported it in February.
OK, so it's not news, and OK, I've posted about this before, but ...
So the question here is: why should software produced in the country with the most evil-minded programmers be superior to software produced in Russia?
Indeed they do.
It's beginning to look like the point I've been trying to make for years, here and with clients, is finally getting some notice: the sad truth is that passwords are security theatre. They provide the
illusion that you're securing something.
For those new here, I've long recommended Rick Smith's excellent book on this matter:
"Authentication: From Passwords to Public Keys" ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html
Grandpa Rob Slade reviewed this, rather more kindly than some books he's reviewed.
The author of the article recommends passphrases - a passphrase is easy to remember.
In "Password Expiration Considered Harmful" Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.
I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, "But that was in another country and besides, the wench is dead"). I fat-finger it one time in four.
Some of it is practice. If you make people change their passphrases or passwords they won't flow from their fingers so readily.
On my home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I've used the same passphrase for over a decade. I can type it a LOT faster than a shoulder-surfer could read it, and my fat-finger rate is down around 1 in 300+. I don't even have to 'say' the passphrase in my mind, so even a telepath couldn't "sniff" it.
Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).
My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I'm getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.
If you ask me, it's crazy, unproductive and expensive.
To debunk the myth that frequent password rotation is a good idea, see Gene Spafford's blog entry on this. But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.
Tell me, how often do you change the lock on your front door?
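To make the rotation argument concrete, here is an added example (my own illustration, not code from the post, from Rick Smith or from Gene Spafford). It models the behaviour a forced-change policy provokes: the user takes the old password and applies a small transform to it (bump a digit, change case, append a symbol). An attacker who already holds the old password, say from a breach dump, only has to try those transforms, so rotation buys little unless the new secret is genuinely unrelated to the old one. The old/new pairs, the transform list and the guess budget are all constructed for illustration.

```python
"""
Added example: how much does a forced password change cost an attacker who
already knows the previous password?  The transforms below are the common
user reactions to a rotation policy; the sample pairs are invented.
"""
import re
import string

# Constructed sample of (password before forced change, password after it).
# The last two pairs are people who chose something genuinely new.
SAMPLE_ROTATIONS = [
    ("Summer2011!", "Summer2012!"),
    ("Tiger#7", "Tiger#8"),
    ("Kangaroo1", "Kangaroo2"),
    ("Kangaroo2", "kangaroo2"),
    ("Secret12", "Secret12!"),
    ("hunter2", "hunter2hunter2"),
    ("correct horse battery staple", "zebra ocean"),
]


def candidate_transforms(old):
    """Return plausible 'next' passwords derived from `old`, cheapest first.

    Order matters: the attacker tries these in sequence, so the position of
    the hit is the number of guesses the rotation bought the defender.
    """
    out = []

    def add(p):
        if p and p != old and p not in out:
            out.append(p)

    # 1. Bump a digit run by 1..3, keeping its width: Summer2011! -> Summer2012!
    for m in re.finditer(r"\d+", old):
        n, width = int(m.group()), len(m.group())
        for step in (1, 2, 3):
            add(old[:m.start()] + str(n + step).zfill(width) + old[m.end():])

    # 2. Case changes: Kangaroo2 -> kangaroo2
    for variant in (old.lower(), old.upper(), old.capitalize(), old.swapcase()):
        add(variant)

    # 3. Append one symbol or digit, or drop a trailing one: Secret12 -> Secret12!
    for ch in "!@#$%^&*.?1230":
        add(old + ch)
    if old[-1] in string.punctuation + string.digits:
        add(old[:-1])

    # 4. Leetspeak substitution of the usual letters
    leet = old
    for a, b in (("a", "@"), ("o", "0"), ("e", "3"), ("i", "1"), ("s", "$")):
        leet = leet.replace(a, b)
    add(leet)

    return out


def guess_next(old, new, budget=200):
    """Number of guesses (1-based) needed to reach `new` from `old` within
    `budget` attempts, or None if the transforms never produce it."""
    for i, cand in enumerate(candidate_transforms(old), start=1):
        if i > budget:
            break
        if cand == new:
            return i
    return None


def crack_rate(pairs):
    """Apply guess_next to every pair; return (hits, total, per-pair detail)."""
    detail = {new: guess_next(old, new) for old, new in pairs}
    hits = sum(1 for g in detail.values() if g is not None)
    return hits, len(pairs), detail


if __name__ == "__main__":
    hits, total, detail = crack_rate(SAMPLE_ROTATIONS)
    for new, guesses in detail.items():
        print(f"{new!r:35} {'guess #' + str(guesses) if guesses else 'not derived'}")
    print(f"{hits}/{total} rotated passwords recovered from the old one")
```

On the constructed sample, five of the seven "new" passwords fall within the first seven guesses; only the two users who picked something unrelated gain anything from the change. That is the point of the passphrase advice: one long secret you can actually type beats a stream of short ones that are each a trivial edit of the last.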