Feeds:
Posts
Comments

Posts Tagged ‘keeping safe on the internet’

If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric  bombardment of his digital assets.  No, this was purely “social engineering,” the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data  they had figured out or augured out of somebody else.  You can’t fix this, Apple and Amazon (and others) have to, and to an extent they may already have. But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.

THE BASICS, REITERATED

First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system  and let it generate your passwords (at least some of them), I use LastPass but there are others.   In my opinion, LastPass is the best.   If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.

TO AVOID BEING HONANED — ACCOUNT LINKING

This is the biggest convenience – security tradeoff area.  You log onto your gmail account, and lo and behold you can be logged into your calendar.  Or, you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate (because you told them to “log me in using Facebook, or whatever”) through another application.  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services., so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay to convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et.al. do it — I control LastPass myself, I don’t control Google.

TO AVOID BEING HONANED — EMAIL

All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you usually give them when you register with the service.   Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.   And put a different password on it than any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com andyourname@yahoo.com and yourname@facebook.com.  If you do this, if all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too. And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but it’s not.  But now, for you, it IS a good idea, right?   Again, LastPass will manage these passwords for you so logging in won’t be a chore.

FINAL SUGGESTIONS

Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here’s some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.

Read Full Post »

This is the second in a three part series on a highly revised approach to keeping yourself safe and sound when you’re on the Internet.  (If you missed it, the first part is here).  This is an entirely new approach, because the whole threat profile we face has been changing, and most of the recommendations passed out by presumed security gurus (including yours truly) are no longer appropriate or effective.  This post is going to describe the current threat landscape so that my recommendations on protecting yourself will make a little more sense; those will be in Part 3.

OK then, what does it look like out there?  There are lots of pressing threats, seemingly an infinite number and growing (if that’s possible!).  But as we try to identify how we might best protect ourselves when we’re connected to the Internet, the actual number turns out to be much more manageable.  Here’s a breakdown of the overall threat landscape, from the planetary to you, as I see it now.  It includes:

Infrastructure threats, which target the basic routing and transport of content throughout the globe.  This is not our problem, at least for this discussion, although it is an extremely serious problem for our government and the Internet’s managers.

Organization threats, those that aim at businesses, governments, or other entities, and which are mainly focused on network intrusion, data theft, site defacement, and operational disruption.  I’m not dealing with those here, either.

Personal threats, what we care about here.  These threats, at least the ones that you should worry about, can all be clumped into two main categories:

  • Attempts to steal money from you via account break-in, unauthorized credit-card charges, or (occasionally) malicious transactions aimed at disrupting your life, e.g. as caused by an errant ex-spouse;
  • Attempts to steal account numbers, passwords, and other personal or family data from  you by loading malicious hidden software onto your computer.  In addition to enabling financial theft, this data might allow someone to impersonate you on the Internet and do things like post obscene messages in Facebook or put porn in your Flickr albums.  Malicious software can also take your computer and make it a spam-spewing robot, or a participant in various kinds of attacks against organizations or even against the Internet’s infrastructure itself, and you don’t want to be a part of this, either.

Now, these are significant threats, of course, and you don’t want to be the one caught standing when the music stops.  Just because these are high-order threats doesn’t mean that you can be excused to do nothing.  On the contrary, you need to take some steps to avoid being victimized, but these steps can — surprisingly — be simpler than you might be thinking, or than what you’ve been told in the past.  What is it that has changed over the last increment of time that modifies our approach to personal Internet security?  Lots of things.

What’s Changed

First of all, the bad news is that the attacks are becoming vastly more sophisticated and therefore vastly more difficult to defend against.  When I look at the technical dissection of typical first-line malware, I’m really impressed: these people really know what they’re doing.  If you let one of these things into your machine, you’re gone.  Attack software is exploiting vulnerabilities that the honest software vendors are hard-pressed to patch by the time the attacks start occurring.  And once something gets into your computer, it’s essentially impossible to remove so your only recovery is a down-to-the-metal system restore.  It’s really nasty.

However, at the same time we’ve learned how to cope with it, just as our immune system learns to cope with an infection, and just as (as a species) we and the infectious agents tend to co-evolve in ways that reduce the impact of a given infection, so that not all the hosts die!  When national credit cards became popular, certain kinds of fraud became possible that weren’t possible when the merchant knew every customer face-to-face.  So our financial system developed ways to deal iwth it — transaction limits, anti-fraud software triggers, merchant interventions, and most importantly, consistent rules for managing disputes and apportioning fraud liabilities.  Thus, the worst of the threats are blunted, coping mechanisms are created, the losses are contained, and the benefits are achieved.

Lets consider for a moment identity theft.  Five years ago this was almost unheard of.  People who claimed identity theft were generally not believed, their credit was ruined, they were threatened with arrest, their assets were attached, and they worked for sometimes years to clear things up, all the time being abused by attorneys, police, and everyone else who just couldn’t believe this was real.  What happens now?  It’s a known and accepted risk, kind of like a fender-bender: nobody wants one, but they happen, and we all know what to do.

Now, if you are an identity theft victim, you call the police, fill out a form, send out the form to your banks and other merchants, get new credit cards, and so on.  The average time to resolve an identity theft incident now is about 10 hours of your time, spread out over a couple of weeks.  Like a fender-bender, not fun and worth avoiding, but fixable.

Same principle applies to electronic account access and transfers.  Banks want people to use electronic transfers, it’s much cheaper than teller-assisted transactions or paper checks.  So to standardize everything, the Federal Reserve Board issued Regulation E, which specifically states that it was issued “to protect consumers using electronic funds transfers.”    Under the provisions of Reg E, it’s almost impossible for a consumer to be held responsible for the consequences of unauthorized electronic access to their accounts, the bank absorbs any unrecoverable losses.  Based on the cost savings and customer satisfaction, they come out ahead even with these losses from time to time.

So . . .

So the net of all this is, although the direct attacks are increasingly cunning and vicious, even when they succeed they don’t impact the individual consumer as much as they used to.  “We,” the society, have learned to cope with the resulting losses, keep the unlucky victims from being unduly penalized, and move on.  And given this, the rules for keeping safe and sound on the Internet have changed, too, and actually simplified quite a bit.  I’ll cover them in Part 3.

Read Full Post »