Damn, poor dude. The remote wipe was a pretty big asshole move.
I'm pretty curious about the initial break-in on his .mac account. I suspect that either he's misremembering and he has used the password elsewhere (and it was compromised there -- easy to happen over so many years of use), or it wasn't very strong to begin with and it got guessed after a handful of attempts.
There are a handful of takeaways from this:
- Backups, obviously. A lot of people here so far are mentioning online backup services, but those would be just as vulnerable to this kind of attack, since they're accessible online and use an email account for password resets. Online backup services and physical offline backups solve different problems and it's a good idea to use both.
- Since I haven't seen this mentioned anywhere else: I wonder if it's time to consider keeping a "secret" email account that's only used as the password-reset account for all of your services? Something that you never use for communication, never publish anywhere, something with its own entirely separate password.
- Be careful about owning multiple devices from a single vendor that provides remote access and other kinds of control to those devices. Mobile devices are inherently insecure; they shouldn't carry sensitive personal information, ever. There are a lot of really good reasons for going with a single vendor, and remote wipe is a really valuable tool in case of theft, but the downside is ... well, this.
- Use some kind of password storage mechanism. (I prefer something that's not tied in to a publicly-accessible service.) I've made a game out of memorizing horrible passwords, and can recall quite a few without any patterns or mnemonics or the like. Still, I use KeePass every day anyway.
And maybe most of all: I doubt there's a single one of us that has a moral high horse to ride on this. Everybody always has something better to do than set up a new backup system or dick around with something that will only maybe hurt them someday. I'm constantly harping on other people about backups, but only a couple of days ago got my development machine on our network backup system; I'm pretty anal about passwords, but still I'll panic pretty badly if my laptop is ever stolen, because in there, somewhere, is probably a plain text password stored in a file that I've forgotten about, and there'll be a chance that I'll forget to change that particular password if I find myself having to suddenly change every single password for everything I've got access to.
+1 for the moral high horse. Every time something gets hacked the hacker community blames the victim for using less-than-optimal security. Well guess what? There is no foolproof system. The same reactions are seen when sites go down. 'Oh, but they should have used a distributed, redundant buzzword compliant system in a multitude of nuclear bunkers and this would never have happened'. Every system has weaknesses. And every person or team is imperfect. Sure there are lessons to learn, but let's show some sympathy and ask the persons involved what they would improve, not assume that we understand everything and dictate what they should have done.
Except in this case we're talking about a solved problem. The simple rule - and it really is simple - is 3/2/1: three copies, two local, and one remote. Anything less is "backup", not backup.
Time Machine (a free utility that ships with OSX, not a military-grade absurdity) would have handled the full restoration of the laptop, which could then restore the wiped iPad and iPhone fully. He'd still have the email hacks to contend with, but at least he'd have his tools back.
It's not his fault that he became a target, and blame for the attack should be firmly limited to the aggressor. But the severity of the consequence was clearly amplified by substantial incompetence and / or indifference on his part.
I recently tried a full system restore from Time Machine (from the Disk Utility in Recovery) on a zeroed out partition and it kept failing midway giving me a generic error. Ended up installing OS fresh and restoring files selectively inside Time Machine.
I've lost a lot of respect for Time Machine since then.
As a counterpoint, I have an office full of Macs and TimeMachine on a Synology NAS. Everybody lurvs it. I have done 3 full restores and 2 migrations with it (not even going to count the number of "oh, shit!" events). It couldn't be any simpler. As the office Mac expert I have to do very little except boot into recovery mode and get it on the network.
I'm not sure what your error was but it might have been for the best. If there was corruption in the backup image then you'd be complaining about how it restored a corrupt backup.
I also failed my TM restore but that was back in 2007 - it's since improved a lot, but I still keep a roughly 2-3mo old imaged disk - ie, SuperDuper/CarbonCopyCloner. This restore also takes only minutes, as you can boot from external.
I'm curious how remote wipe acts when a computer has multiple partitions or multiple drives (internal or otherwise); would a remote wipe with a connected USB drive for time machine nuke that too?
How is it even possible? iOS devices back themselves up every time they are plugged into a Mac automatically, and it's really difficult not to have a Mac backup, time machine just does it automatically whenever it feels like it. I find that within the Mac ecosphere, it's hard not to have backups.
I backup gmail with gmvault to a thumb drive, which I suppose is beyond many non technical people, but I'm sure google will figure out how to restore his account without much difficulty.
I wish I knew how this person knew how his password was compromised, it sounds reasonably secure.
I suspect a lot of people ONLY have the devices, and have not spent the extra few hundred on any kind of backup. A Time Capsule? A third-party remote backup service? An external HD? That costs MONEY!
I personally haven't plugged my iPad into my Mac in ages. Then again I've also made damn sure it's backing itself up to the cloud. I'm not sure if this is the default setting. It should be, IMHO.
(And I gotta say, it's really freeing to know that even if all my possessions are destroyed, I will have lost at most a day or so of work.)
Backing up to the cloud isn't going to help in this guy's situation. The malicious user had access to his iCloud account to remote wipe his devices, they would (did?) just as easily delete his cloud backups.
I have apps in the App Store and have to deal with a certain level of technical support. You'd be amazed how few people still plug their iOS devices into the master computer.
Gmvault stores your Gmail password locally. An alternative is using an email client which can download your Gmail using POP3. Most clients let you choose whether to store the password. You can set up your own folders and filters if your email client supports it.
Gmvault uses mainly OAuth to authenticate you so there is no need to store any passwords. The token will only allow you to access your Gmail account via IMAP.
As an alternative there is a mode where you can use your Gmail password and it can be saved but this is not recommended.
I had no idea about a Gmail backup solution. I just had a network of duplicate accounts which get copies of mails and password resets if my primary ever got hacked.
> +1 for the moral high horse. Every time something gets hacked the hacker community blames the victim for using less-than-optimal security. Well guess what? There is no foolproof system. The same reactions are seen when sites go down. 'Oh, but they should have used a distributed, redundant buzzword compliant system in a multitude of nuclear bunkers and this would never have happened'. Every system has weaknesses.
In this case, the guy had ALL his shit wiped. Not a clumsy move at work causing months of extra work, or some dickhead hacker having some fun with your account credentials, no they actually thoroughly deleted a huge chunk of his personal data.
See it's like, if a pyromaniac burns down someone's home, maybe there were ways to prevent that, but you don't go blaming the victim then either. Sometimes the first thing is sympathy. There's times to be heartless and times to be not.
Remote-wiping all his personal stuff was so unnecessarily malicious, sympathy comes first. And besides, in this case, not having any non-remote-wipeable backups, the only thing you could possibly maybe blame him for is putting all his stuff in the cloud. Yeah no not smart, maybe, but it simply doesn't weigh up to the fact that someone actually went through the trouble of meticulously deleting all of it. Not stealing, or defacing, but deleting.
OK, so now I know that I need to hack your dns server or your registrar instead - then I'd just publish MX records for your domain and head off to all the "I forgot my password" links I can find.
It's turtles^h^h^h^h^h^h^hsecurity problems all the way down…
Yes. I am aware that there are further attacks, and I mention that in the blog post. There is still significant security value in doing what I'm doing though.
For sure - sorry if I gave the impression that I thought otherwise. There's a big win in making it impossible for me to trawl through all your old mail looking for "interesting" things. It's a very nice idea.
No it's not, but anyone who runs their own mail server can do it, and anyone who provides a mail service for others could provide it as an option. Hell, even Google could implement it, and add a simple "Upload your public key" option to their preferences page. Maybe doing it as one of their Google Labs things. Obviously, they could implement it in a much more efficient fashion than the implementation I provided.
I really like the idea, but what if someone hacks into your email server and just turns off the encryption step / reads the incoming traffic? I assume they won't have your private key in that case, but crazy-few sites require and check (or even allow?) encrypted emails as validation, so they could still masquerade as you until someone checked the numbers.
"There are obvious caveats to this solution though. If somebody gets root on my server or access to the network, they can sniff the emails on the way in before they're encrypted. This won't help them access historical email which was encrypted before they started though. Also, if somebody installs a trojan on my laptop it's game over; they can grab my private PGP key, and use a keylogger to get the password for the key."
There is no "perfect" solution. There will always be attack vectors. I just removed a few. Specifically, compromising my email account, or compromising one of my clients (in certain ways).
Two-factor authentication should make it much harder for somebody to break into your email account (secret or otherwise) and reset your passwords.
Instead of memorizing horrible passwords, have you tried making a non-horrible passphrase by rolling dice and picking words out of a dictionary? Arnold Reinhold calls it Diceware:
It isn't easy to develop these habits, but my data is priceless to me. I know that too well because I've lost some of it, and it still hurts. So I've made it a tradition to chip away at it on daylight savings Sundays: update clocks, check smoke detectors, work on backups, shame friends into doing same....
While two-factor authentication may be a good idea to gain access to sensitive information, I'm not sure it would be practical to use it for remote wiping devices. Typically the device you would want to wipe is one of the two factors.
(Which underlines the point that you need to do backups...)
Google's 2-factor auth comes with a list of one-time disposable keys one can use in place of not having their smartphone. I've had to use one specifically because I flashed a new ROM onto the Android device I was using before I thought about how I would set up the new ROM as a new device, which required me to log into my Google account. Almost the same idea as having the device get remote wiped unexpectedly. I keep a printed list of these keys in my fire safe at home with other important documents, like my birth certificate and passport.
Google will also call your home phone number and audibly speak a code to you if desired.
(Incidentally, you can backup and restore /data/data/com.google.android.apps.authenticator2/databases/databases via adb pull/adb push and you don't have to do the "painful" restore. It's slightly less secure, but I keep a copy on my SD card.)
Giant-flashing-neon-warning: if your phone's rooted (needs to be to pull /data), an attacker can pull it too. Use a passcode and enable full-device encryption (passcodes don't block recovery) to defend against this. If you're making full-image backups, wherever they're stored (on-device or elsewhere) needs to be secure too.
PS: even if you aren't rooted, if your device can be rooted w/o a wipe, you should consider yourself just as vulnerable and enable FDE as well.
Yup, absolutely. I run FDE mostly just out of a personal policy that anything that someone can pick up and walk off with is encrypted, but this is a very good point.
The DB is a Sqlite3 database containing plaintext tokens and the account names they are used with, so while the attacker would still need your password, they can generate new tokens with that data.
Good policy upon losing any device that contains 2FA information is to use one of your backup codes to log into your account, remove the 2FA, and re-add it, thereby invalidating the old token secret. Thus, even if someone has your unprotected DB, they can't generate tokens for your account.
I think it's a bit hyperbolic to call it half the web. Only a small handful of sites cap password lengths. They might happen to be sites you use, but it's not nearly as common a practice as you seem to think.
I don't think you're correct. Anyone who's storing a password in plaintext is probably going to use a fixed-width field to do so. I'd bet half the internet stores plaintext passwords. A lot of the web is one-off e-commerce systems that no one should trust anything with.
> but still I'll panic pretty badly if my laptop is ever stolen, because in there, somewhere, is probably a plain text password stored in a file
You really should consider using whole disk encryption like FileVault or PGP-WDE. Encrypting a single directory or a home directory is not a good solution.
I use TrueCrypt. I put all the files I create into a single encrypted volume. I copy that encrypted file to a thumb drive and bury it in the backyard. I don't encrypt the entire hard drive, though, something I should probably do to protect the recycle bin and whatnot.
I suspect that either he's misremembering and he has used the password elsewhere (and it was compromised there -- easy to happen over so many years of use), or it wasn't very strong to begin with and it got guessed after a handful of attempts.
This may not be the case. Computers are very fast at checking passwords, and if Apple doesn't deliberately slow the login process for all authentication scenarios it is easy to check a lot of passwords in parallel.
The secret email account only for password recoveries is a great idea. Same issue cloudflare had back when they were hacked.
I use Google apps for business for email hosting and even set up a secret email account that is used as the admin account (which can set up users and change passwords). I think most people that use google apps set up their primary email address as the admin account, but if that account gets compromised it's incredibly easy to reset the password on every account on your domain.
Online backup systems should, generally, be ok even if temporarily compromised since they will keep copies of stuff even if you delete it. (Dropbox does this for FREE accounts.)
The problem is backing up big stuff -- I've got my working docs backed up the wazoo (I can even backup large multimedia/game projects to Dropbox) but my photo and media libraries are unmanageable.
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location..."
-- Dennis Hughes, FBI.
The same goes for USB disks. I prefer to have one of my backup drives inactive most of the time and out of plain sight (in case of theft from my home).
Because he was a Mac user, he should've been using Time Machine. It can be hosted on a network partition at your home so you don't even have to remember to plug in a backup drive. And in OS X 10.8, you can assign multiple disks and it'll keep them all up to date if they're accessible at the time. So one can be on your home network, another at your work network, and yet another on a physical drive that you can keep locked away in a safe or something. Just pull it out once a month to back up all your Macs.
Echoing this, because it happened to me. And in that case I was very happy I backed up my most important things to some sort of "cloud" (a combination of GMail, creative portfolio stuff on a few webservers, projects I had sent to friends and a couple of those filelocker sites).
Additionally, SD cards turn out to be some of the most resilient data storage media I've personally witnessed. Probably helped it was encased in a camera, which was kaput, but the photos on it were fine, not even data-bent.
And a year later I found in a box of my damaged CDs some more treasures on a couple of really old DVD backups that actually still worked :D (I never bothered to really unpack the boxes of partially blackened and warped CDs--there's no need in the age of MP3, and after a while you've really seen enough boxes of sooty crap smelling like burnt plastic)
My basic lesson from this is: spread your data and risks around.
Though, none of that stuff was encrypted. Just the stuff I kept online was passworded and do friends count as a two-factor auth? :-)
Sorry to hear about your house fire. I wonder, would it be feasible to bury a small portable hard drive in the garden or something, and have a conduit running up near the house? It'd be cute to have a USB port on the wall which you plug your laptop into when you want to make a physical backup. No thief (or house fire) is going to trace down a USB lead that's poking out from the ground or wall.
It's taking Apple's "Time Capsule" branding to the extreme literal sense.
Hahaha! No idea if it'd be feasible (my apt is at 1st floor anyway, I have no garden), but it'd be cool as hell to load your backups onto a USB cable that goes underground :-)
Every week or so a potential client comes to us and describes, in one way or another, this general scenario. They ask "what if someone breaks into my server that I am backing up to you, and then using the SSH key, logs into my rsync.net account and wipes all of that out as well."
So for the last 6 years or so (we've been providing offsite backup since 2001) we have offered "pull backups" to our customers that request it. We give them our public SSH key, and we log in and rsync their data back to us.
Also, RE: the previous comment about not having your data consolidated to a single provider, we run an ad on reddit regularly making the same point:
One additional thing you can do is add a "command=..." parameter to your ssh authorized_keys file to limit what can be done with that key. For example, you can set it to run a script which only allows new files to be added to the backup, but not deleted.
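One way to build the authorized_keys restriction described above, as an added example that is not rsync.net's or the commenter's own code: a forced-command wrapper that only lets the backup key run rsync in receive mode, refuses every deletion-capable option, and pins the destination under one directory. The authorized_keys line, the script path, and the rsync path are assumptions.

```shell
#!/bin/sh
# Constructed example of an append-only SSH forced command (not from the thread).
# Assumed authorized_keys entry (one line; key shortened for illustration):
#   command="/usr/local/bin/rsync-append-only.sh --serve",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@laptop
# sshd ignores the client's requested command and runs this script instead, passing
# what the client asked for in SSH_ORIGINAL_COMMAND; the script decides whether to run it.

BACKUP_ROOT="/backups/laptop"   # assumed destination; the only tree this key may write to
RSYNC="/usr/bin/rsync"          # assumed path to the real rsync binary

# Return 0 if cmd is an acceptable append-only rsync server invocation, 1 otherwise.
# A client running `rsync -a SRC user@host:DEST` makes the server run
# `rsync --server -logDtpr . DEST`, so that is the shape we accept.
check_rsync_command() {
    cmd="$1"
    case "$cmd" in
        "rsync --server "*) ;;          # receive mode only
        *) return 1 ;;
    esac
    case "$cmd" in
        *" --sender "*) return 1 ;;     # no reading backups back out with this key
    esac
    # Every rsync deletion option is a long option starting with --del, and --force
    # lets a transfer replace a non-empty directory; refuse all of them.
    case "$cmd" in
        *"--del"*|*"--force"*|*"--remove-source-files"*) return 1 ;;
    esac
    # Refuse shell metacharacters that could chain a second command.
    case "$cmd" in
        *";"*|*"|"*|*"&"*|*'`'*|*'$('*) return 1 ;;
    esac
    # The destination is the last token; it must stay inside BACKUP_ROOT and
    # must not climb out of it with ".." components.
    dest="${cmd##* }"
    case "$dest" in
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "/$dest/" in
        *"/../"*) return 1 ;;
    esac
    return 0
}

# Entry point used when sshd invokes the script with --serve.
serve() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "interactive login not permitted for this key" >&2
        exit 1
    fi
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t rsync-append-only "allowed: $SSH_ORIGINAL_COMMAND"
        set -- $SSH_ORIGINAL_COMMAND    # split on purpose; metacharacters were rejected above
        shift                           # drop the leading "rsync" and run the pinned binary
        exec "$RSYNC" "$@"
    fi
    logger -t rsync-append-only "rejected: $SSH_ORIGINAL_COMMAND"
    echo "command rejected by append-only backup policy" >&2
    exit 1
}

[ "${1:-}" = "--serve" ] && serve
```

Because existing files can still be overwritten, have the client write each run into a fresh dated subdirectory (with `--link-dest` for deduplication) so older copies stay untouched.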
Happy to see someone else not willing or not able to let files disappear in the cloud. For photo and media I keep them on two 500GB USB drives, one at home and one at office, and keep them in sync with the wonderful tool unison.
I have redundant backups. Everything gets backed up locally with Time Machine very regularly. Then nightly (or more, depending on volume) it gets shipped off to Backblaze.
It gives me quick responses if I need to restore something, but if my house blows up, I'm only $100 and a FedEx visit away from having everything back.
Best guess for initial break-in is phishing. I've always thought there should be a "sudo" light/display on the monitor that can only be accessed by the superuser, making attackers unable to completely mimic a dialog requesting secure access.