Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and twitter, but phone calls, and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best-practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back-up. Back-up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If Linked.In gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account ​to log-on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step encryption. Every time you try to log-on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop​ using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

Getty
Show Hide image

How hackers held the NHS to ransom

NHS staff found their computer screens repleaced by a padlock and a demand for money. Eerily, a junior doctor warned about such an attack days earlier. 

On Friday, doctors at Whipps Cross Hospital, east London, logged into their computers, but a strange red screen popped up. Next to a giant padlock, a message said the files on the computer had been encrypted, and would be lost forever unless $300 was sent to a Bitcoin account – a virtual currency that cannot be traced. The price doubled if the money wasn’t sent within six days. Digital clocks were counting down the time.

It was soon revealed Barts Health Trust, which runs the hospital, had been hit by ransomware, a type of malicious software that hijacks computer systems until money is paid. It was one of 48 trusts in England and 13 in Scotland affected, as well as a handful of GP practices. News reports soon broke of companies in other countries hit. It affected 200,000 victims in 150 countries, according to Europol. This included the Russian Interior Ministry, Fedex, Nissan, Vodafone and Telefonica. It is thought to be the biggest outbreak of ransomware in history.

Trusts worked all through the weekend and are now back to business as usual. But the attack revealed how easy it is to bring a hospital to its knees. Patients are rightly questioning if their medical records are safe. Others fear hackers may strike again and attack other vital systems. Defence minister Michael Fallon was forced to confirm that the Trident nuclear submarines could not be hacked.

So how did this happen? The virus, called WannaCry or WannaDecrypt0r, was an old piece of ransomware that had gained a superpower. It had been combined with a tool called EternalBlue which was developed by US National Security Agency spies and dumped on the dark web by a criminal group called Shadow Brokers. Computers become infected with ransomware when somebody clicks on a dodgy link or downloads a booby-trapped PDF, but normally another person has to be fooled for it to harm a different computer. EternalBlue meant the virus could cascade between machines within a network. It could copy itself over and over, moving from one vulnerable computer to the next, spreading like the plague. Experts cannot trace who caused it, whether a criminal gang or just one person in their bedroom hitting "send".

Like a real virus, it had to be quarantined. Trusts had to shut down computers and scan them to make sure they were bug-free. Doctors – not used to writing anything but their signature – had to go back to pen and paper. But no computers meant they couldn’t access appointments, referral letters, blood tests results or X-rays. In some hospitals computer systems controlled the phones and doors. Many declared a major incident, flagging up that they needed help. In Barts Health NHS Trust, ambulances were directed away from three A&E departments and non-urgent operations were cancelled.

The tragedy is that trusts had been warned of such an attack. Dr Krishna Chinthapalli, a junior doctor in London, wrote an eerily premonitory piece in the British Medical Journal just two days earlier telling hospitals they were vulnerable to ransomware hits. Such attacks had increased fourfold between 2015 and 2016, he said, with the money being paid to the criminals increased to $1bn, according to the FBI. NHS trusts had been hit before. A third reported a ransomware attack last year, with Imperial College London NHS Trust hit 19 times. None admitted to paying the ransom.

Hospitals had even been warned of this exact virus. It exploited a vulnerability in Microsoft Windows operating systems – but Microsoft had been tipped off about it and raised the red flag in March. It issued a patch – an update which would fix it and stop systems being breached this way. But this patch only worked for its latest operating systems. Around 5 per cent of NHS devices are still running the ancient Windows XP, the equivalent of a three-wheeled car. Microsoft said it would no longer create updates for it two years ago, rendering it obsolete.

There are many reasons why systems weren’t updated. Labour and the Lib Dems were quick to blame the attack on lack of Tory funding for the NHS. It is clear cost was an issue. Speaking on BBC Radio 4’s PM programme on Saturday, ex-chief of NHS Digital Kingsley Manning estimated it would take £100m a year to update systems and protect trusts against cyber attacks. Even if that money was granted, there is no guarantee cash-strapped trusts would ringfence it for IT; they may use it to plug holes elsewhere.

Yet even with the money to do so updating systems and applying patches in hospitals is genuinely tricky. There is no NHS-wide computer system – each trust has its own mix of software, evolved due to historical quirk. New software or machines may be coded with specific instructions to help them run. Changing the operating system could stop them working – affecting patient care. While other organisations might have time to do updates, hospital systems have to be up and running 24 hours a day, seven days a week. In small hospitals, it’s a man in a van manually updating each computer.

Some experts believe these are just excuses; that good digital hygiene kept most trusts in the UK safe. "You fix vulnerabilities in computers like you wash your hands after going to the toilet," said Professor Ross Anderson, a security engineering expert at Cambridge University. "If you don't, and patients die, excuses don't work and blame shifting must not be tolerated."

It is not known yet if any patients have died as a result of the attack, but it certainly raised fears about the safety of sensitive medical records. This particular virus got into computer files and encrypted them – turning them into gooble-de-gook and locking doctors out. Systems were breached but there have been no reports of records being extracted. Yet the scale of this attack raises fears in future the NHS could be targeted for the confidential data it holds. "If it’s vulnerable to ransomware in this way, it could be vulnerable to other attacks," said Professor Alan Woodward security expert at the University of Surrey's department of computing.

In the US, there have been examples where ransomware attacks have led to patient data being sucked out, he said. The motivation is not to embarrass people with piles or "out" women who have had an abortion, but because medical information is lucrative. It can be sold to criminals for at least $10, a price 10 times higher than can be earned by selling credit card details. Dossiers with personal identification information – known as "fullz" on the dark web – help crooks commit fraud and carry out scams. The more personal details a conman knows about you the more likely you are to fall for their hustle.

Hospital data is backed up at least hourly and three copies are kept, one offsite, so it is unlikely any medical records or significant amounts of data will have been lost – although the hack will cost the NHS millions in disruption. A British analyst, who tweets under the name Malware Tech, became an unlikely hero after accidentally finding a killswitch to stop the virus replicating. He registered a website, whose presence signalled to the virus it should stop. Yet he admits that a simple tweak of the code would create a new worm able to infect computers.

Experts warn this event could trigger a spate of copycat attacks. Hacker may turn their eyes to other public services. Dr Brian Gladman, a retired Ministry of Defence director, and ex-director of security at Nato, points out that our entire infrastructure, from the national grid, food distribution channels to the railways rely on computer systems. We now face an arms race – and criminals only have to get lucky once.

"We’re going to get more attacks and more attacks and it’s going to go on," he said. "We’ve got to pay more attention to this."

Madlen Davies is a health and science reporter at The Bureau of Investigative Journalism. She tweets @madlendavies.

0800 7318496