I have no idea if you have heard about this. Sometimes there are things that I think are wide-spread news that others have never seen. (Of course, people are shocked when I don't know who won American Idol.) Recently, technical writer Matt Honan was hacked, hard. They destroyed all of the data on his laptop, his ipad and his cloud storage, apparently as part of the road to playing around with his Twitter account. The attack took advantage of his doing what we all do, having some alignment between our accounts in different places, and using the differences between the different organization's policies to get inside. Once they are in one, it's easier to get into the others. It's similar to the ideas in this World War II cartoon about keeping secrecy. (WARNING: This video is a reflection of its time and contains some caricatures which are inflammatory and frankly racist. I show it for its historical context and the lesson it discusses about how people can piece together bits of information. Not only does this video not express IBM's opinions, it doesn't even express my own... but it does show how long these ideas of security have been around.)
Matt's story is unsettling. It is regretful on so many levels. I imagine that the companies involved especially regret that it happened to a technical writer.
So, what does it mean to you and me? It means that it's time to get serious about security. We have to get serious about our own security because if something slips it is our memories and our creations that are lost forever. That's just too hard to consider.
Security = inconvenience
The first thing we need to accept is that any level of security demands a certain level of inconvenience. I'm not talking about the security theatre that we experience at the airport. I'm talking about things like having to type in a password every time you want to use your computer. I'm talking about having to change your security codes periodically and making them long and complex. These things are requirements for modern security. Just like you have to take time to unlock your door and maybe disarm the security system, you are going to have to take a few extra steps.
The first step that I have taken is to make all of my passwords a significant length. I've set them to 25 characters for all that can accept it. Anything that doesn't go up to 25 I take to the maximum it will take. I'm using a mixture of upper- and lower-case letters with numbers and special characters. I am enforcing my own policy of changing these at least every three months. I have made all of my passwords completely different from each other. This is a huge pain... but until there is some sort of biometric standard that will apply just to me, I have no choice.
Crank up the security
Do you have all of the verification policies turned on that are available? Do you grumble when someone asks to see your ID? Take a look at the options available to you and see what else you can do. For example, Google has a 2-step verification which authorizes access by device. When you use a browser, or certain other apps, Google will send a numeric code to you by phone. This code must be entered or you may not access your Google tools through that device. For things which cannot use this process Google creates an application-specific password for that application and device.
On my account, I had to set up my long password on my Google account and verify it in the browser, and separately in the browser on my phone. I also had to enter a separate password for the GMail app on phone, Thunderbird on my laptop and my instant messaging software. I only need to do this once, but I'll have to recycle them later on when I do my password revisions.
I need to review my options on Facebook. For now, at least, I have significant passwords on them. Of course, using truly secure passwords has caused me to need a password manager. I'm using keepass because it is available in Linux and Android and I have a way to share the database between devices. My database encryption password is also significant (20+ characters), and something I have to remember and type in each time I need to access the passwords. It will also need to change periodically, which will be a pain. Right now, though, I'm betting that I have less chance of someone hacking my password manager database than I do a company accidently dumping my information over the Internet or allowing themselves to be socially engineered into compromising my account.
Could we do better?
We could absolutely do better in our security! The standards and tools for doing good security are available. In many cases, regular application of what is freely available could make a difference. Key-based authentication with a biometric as the password would allow me to control my keys, have different keys for different purposes and never have to remember anything. The protocols for key exchange already exist. It could work.
It's not going to happen that way, though. There are too many people who don't want to understand these things and don't want to be bothered. Companies and governments do ultimately do what they are directed-- but often in a "malicious genii" sort of way. "OK. You wish for a mountain of gold, which falls from the sky and buries you."
We need to be more demanding about the protection of our accounts and identities. We need to be more tolerant of the process required to verify our identities and we need to be willing to actively participate in the process. I'm guessing that overall there is more money to be made by everyone for fraud than there is for security which works... which is a real shame.
I hope you'll consider what happened to Matt, and what you would do if it happened to you. Now... how are you going to prevent it, and how are you going to teach the others?