So, we had a bit of a week, didn't we?
September 12
On Monday, iMore learning Apple would announce the next iPhone on Wednesday, September 12 and release it on Friday, September 21, along with the iPad mini, and perhaps more. That's later than the first four years, when new iPhones hit in the summer, but earlier than last year when the iPhone 4S didn't put in an appearance until October. It is, however, right around the time Apple used to announce the new iPod lineups, and put everything in place for the traditionally massive holiday quarter. And that certainly seems like the new sweet spot for the new iPhone.
No doubt we'll have more on this over the next week, and the weeks leading up to the event.
But in the meantime, iPhone and iPad mini aside, what other devices are you hoping to see updated next month?
What's the best way to steal someone's password?
You ask for it.
It's a cliche but it's true. We've talked recently about security and the importance of really strong passwords (and 1Password has a great guide to creating your own). But what do you do when it's not the password itself that's guessed or brute force attacked? What do you do when it's just given away?
That's what happened to Wired's Mat Honan this week when a hacker apparently called up Apple Support and, using what's called a social engineering attack, conned them into resetting Honan's iCloud password and giving him access to Honan's account. What happened next was a nightmare, including Honan's iPhone, iPad, and Mac getting wiped, his Gmail, Twitter, and Gizmodo's twitter account getting hijacked, and his life turned absolutely upside down.
There are several takeaways from this:
- Apple has to enable multi-factor security for iCloud, and never -- not ever -- give access to someone who calls them (hang up and call back on the registered phone line, okay?).
- On systems that do support multi-factor security, like Google, use it. I hate the idea of giving Google my phone number, but I hate the idea of having my life stolen more.
- Always make sure you have local and cloud backups of all your machines, always. It's not that expensive, and it's much cheaper than losing priceless photos, videos, or having to waste time starting from scratch.
What happened to Honan was terrible, but if any good at all could come from it, it's a reminder for all of us to review our own security and backups practices and make improvements wherever possible.
I'm using 1Password to generate strong, unique passwords for every site, and I lie like crazy when it comes to security questions. I also store almost my entire home directory on Dropbox for online backup, and use SuperDuper and a Time Capsule for local backup.
How about you?
Reader comments
Editor's desk: Hold your iPhone dates close, your iCloud account closer
On the topic of off-site backup, I too have been using Dropbox for file syncing/backup. Read the timeline of this guy's story this morning and it got me to thinking. If someone got access to my online Dropbox account they could easily delete my online backup, which, with Dropbox functioning the way it does, would kill my local copy too.
Kicking around the idea of switching over to Crashplan as a result. On top of eliminating that potential risk that exists with Dropbox, it is also significantly less expensive.
I prefer Lastpass over 1password by far and use Spideroak for off-site backup.
Rene, aren't you concerned about the security of having your entire home directory on DropBox?
Of course. Security vs. convenience. Right now it's more convenient for me to have all my computers accessing a synced document store. I'm paranoid though, so that's always in the back of my head.
Apple just bought AuthenTec for their fingerprint reading and authentication technology. For $365 million. Looking forward to seeing that technology in all Apple products.
There is no technology in the world that can protect against too-trusting support staff granting access.
Agree. But how about this:
Caller: "I forgot my password."
Apple Support: "Did you forget your fingerprint too? Call us back when you remember which finger."
"That's why I'm calling! I just came back from the hospital. I broke my hand in a mountain biking accident so my entire right hand is in a cast (boo-hoo, it hurts so much!). Please please can you help me? I need to put the movie from my on-helmet cam on Facebook. Please?"
See how easy that was?
I use dropbox but not for an off-site backup. In fact, dropbox is not a secure off-site backup at all. Since all the files are stored and synced on each local machine which has the dropbox widget installed, you're one hack away from losing your data. Heck, you don't even need a hack. Just leave your desktop, laptop, iPad unlocked, some jackass could easily ruin your day.
That's true whether Dropbox is syncing the content or not.
Backups: 1) SuperDuper to external USB drive, 2) Time Machine to external USB drive (same one), 3) Crashplan, 4) testing Dolly Drive. iPhone and iPad backups on my Mac, not iCloud.
Passwords: typically 20 characters, mix of upper, lower, numbers, symbols, generated and remembered by LastPass. If someone gets my LastPass master password, I'll be worse off than Mr. Honan.
Dropbox: I use dropbox, but encrypt sensitive documents with AppSense DataLocker (https://sabonrai.wordpress.com/2012/08/01/datalocker-review-great-free-a...).
Also, I don't use the same email account at any service. I have my own domain name with unlimited disposable email addresses and a catch-all function so I don't even have to create the email addresses before I first use them.
What's wrong with giving Google your number?
I have never used google shopper, or given google my credit card number, but an improper charge was done, and I had to shut down the card, and have another reissued, also the problem of resetting information. I do not trust google now. How they got my information, I will never know, and I check my account on a regular basis, that is how I found the charge.
I can't speak to how they got your info but I'm sure they didn't seek it out, most likely from a merchant you patronized.
But...my point is with the information they have...when have they improperly used it?
Any bit of personal data is better not to give than give. I don't want Facebook having it either (though they insist on it to do things like generate Facebook buttons...!).
Your phone number is the single piece of ID any marketing company would kill to have. They can tie an incredible amount of things together with it.
I agree with your premise but Google has yet to do something with data that alarms me so I have no issue giving them any of my info, sans social security (lol).
Apple just gave up this guy's password because someone called and asked them to? Seems more like an Apple staff training issue than a user issue to me.
It is and it turned out to be an Amazon issue as well.
'There are several takeaways from this'
The most obvious being: Does this Honan story not seem just the tiniest bit contrived? Coincidence upon coincidence added to coincidence. Wired reporter (good story material), Gizmodo link (need I say more), hacker contacts him (as they do), iCloud problem (shortly after launch). The obvious question is, aside from generating this story, what benefit did the hacker derive from all this? Assuming Honan to be an innocent victim, what parties would have enough info on him to engineer this situation and benefit accordingly?
Some men just want to watch the world burn.
I thought brute force was not very likely as reported at first. This makes more sense. Maybe now this type of attack will get some attention because the same thing has been happening for years to Xbox LIVE gamertags and Xbox LIVE support being tricked as well. Time for everyone to have a 2 step authentication.
re: "Editor's desk: Hold your iPhone dates close, your iCloud account closer"
I've been replaying this title in my mind for a while, now. Is that supposed to be "...Hold your iPhone DATA close..."?
Inside job from within Gizmodo? They'll do anything for a few more ad clicks.
95% (or more) of hacks are the result of social engineering, and there's nothing that can be done about it.
I work as a linux consultant, and I can tell you...there's no depths of stupidity that can't be explored by people and exploited by criminals...and no amounts of education, negotiation or contractual obligation will fix that hole...civilisation makes it so we are decent humans and decent humans do what they can to help those in need...and social eng is nothing but exploiting that.
So...yes, it's sad, but...humans being humans can't be fixed.