A few weeks ago a weird thing happened. I had powered my laptop all the way down and when I went to log in I couldn’t. It kept telling me my password was wrong. I was reasonably certain I was remembering and typing it correctly, but no matter how many times I tried I couldn’t get in. So, I logged in as a guest and started the Apple ID reset process and went on with my day. Except a few hours later my phone let me know through the double authentication process that someone was trying to log in to my account in Singapore. Yeah.
Then I read this NYMag story about how a hacker group that calls itself the Turkish Crime Family has demanded $100,000 in iTunes credits from Apple, threatening to randomly wipe the iPhones of users whose iCloud passwords and credentials have been compromised. I know, if this was the plot of an episode of the brief and preposterous run of CSI: Cyber, it would be laughed out of the writers’ room. The Turkish Crime Family? $100,000? In iTunes credits?
The truth is, though, life is usually weirder than the last gasp of a once-great procedural empire that can’t even make it work with the dream team of Patricia Arquette, Ted Danson and James Van Der Beek. Maybe some criminals are just simple folks who can steal iCloud passwords, but lack the piracy skills to steal things one buys on iTunes. Or maybe iTunes credit is like catnip on the deep web. We may never know.
In any case, I got my personal cyber security reasonably locked down in the course of a few hours, mostly because I just can’t even cope with the idea of how annoying and time-consuming it would be to fix. Here are my suggestions for a sort of online security spring cleaning.
Update your Apple ID
The Turkish Crime Family allegedly gave Apple until April 7 to cough up the iTunes gift cards (or $75,000 in bitcoin). This whole deal may or may not be true, and they claim to have access to 300 million accounts, from which they’ll pick iPhones to wipe at random, so run those numbers. Still, better safe than sorry. Go and update your Apple ID (this is the same thing as your iCloud password) now–here’s everything you need to know about doing that and managing your Apple ID in general. And if you haven’t enabled two-factor verification, do so. Think of a good password and then write it down on an index card and put it somewhere with other important documents, because boy howdy is it a pain to recover an Apple ID account if you forget.
Get your passwords in order
Apple told Motherboard that whatever user information the Turkish Crime Family claims to have, they didn’t get it by breaching Apple security; they got it from other hacks to places like LinkedIn. If you’re using the same tired old password everywhere, or are using a password like 12345, qwerty, or Password!, please cut it out. We can pay smart people millions of dollars to make the internet secure-ish, but it all goes to hell with your lazy password. Don’t believe me? This Guardian columnist got herself to deal with her password mess by imagining someone publishing her private online chats. Which reminds me, while you’re at it, set two-step authentication up on your email and Google accounts, too.
The best way to handle a lot of passwords, and to make them all different and random, is to use a password manager. There are lots of managers to choose from and they cost anywhere from a few bucks to around $50. I used LastPass, which, of course, shortly thereafter cautioned users to not use its browser extension because of a structural flaw that could be breached by hackers. I’m going to live dangerously and assume they will fix it before the Turkish Crime Family asks them for $150,000 in Starbucks gift cards.
The whole process will take something like two hours, so listen to a podcast (holy shit S-Town) and really do this. You’ll have to select a master password–get out that card your Apple ID is written down on and write this one down too. Make it a different password, please. If you do all this correctly, those are the only two you’ll need. You can think of two good ones, right? OK, put the card back and continue.
LastPass or whatever other service you choose will generate strong passwords for every account you have, but you will have to do these manually, one at a time. When you install it in your browser, once you’re logged in with that master password, it will autofill all your info whenever you open a new password-secured site. If you download the app you’ll have all that info on your phone, too, which is very, very helpful if you lock yourself out of your Apple ID account, and thus your computer for a few days and have to log in as a guest, or if you end up using a different computer than usual. (If your phone’s screen lock is 1234 or 123456 please watch a few episodes of CSI: Cyber and get back to me. I’m sure the Turkish Crime Family will loan you a few iTunes dollars.)
See if you’ve been compromised
Still not convinced? Go to this site to see if your password and other data could have been accessed in a hack. Hint: If you are on LinkedIn, chances are good that the answer is yes. LinkedIn and Gawker Media both gave up my goods at some point.
- Reset your Apple ID if you’re an Apple user.
- Enable two-factor verification if you haven’t already.
- Install and use a password manager to protect your information.
- Take a look at whether or not you’ve ever been part of a hack.
- Secure your phone with a screen lock that isn’t consecutive numbers.
Two final tidbits
Want to take a deeper dive? Follow this Quartz guide to setting up a Virtual Private Network so that your browsing is private.
Mad as hell about the bill (S.J.Res. 34, to be exact) allowing the telecom industry to track users’ behavior on the web and mobile that the House blithely passed last week? I mean there’s so much going on it’s hard to keep up, but here’s the lowdown. Give (legal, yet creepy) data miners the finger with this random browser activity generator called Internet Noise. Read more about it and other similar services in this Wired story.