August 8, 2012

On Keeping Your Digital Life Secure

Michael Harper for redOrbit.com - Your Universe Online

There´s an old saying about a fence which was once widely universal, suggesting that these safeguards only kept the good people off of your property or out of your house. Though a bit pessimistic in nature, the truth contained within is hard to deny: Those who are inclined to engage in some sort of criminality will do it, fences be damned.

So, in a world where simple key combinations are translated to ones and zeros to build a hedge of privacy around our most valuable information, it´s still entirely true that those prone to villainy will find some way to break through or, in some cases, hurdle these digital fences.

Like any wrong-doer, these cyber criminals have a variety of reasons for infiltrating someone else´s space and stealing their information. Some do it simply to make away with whatever they can: Banking information, credit card number, other passwords, etc. Some try to take a “benevolent” approach, saying their misdeeds are actually helping others as they shed a light on these privacy issues, hopefully causing the business at fault to spring to action. For example, the hackers who broke into Yahoo´s servers claimed they did so as a “wake-up call, not a threat.” In a glaring contradiction, these hackers then posted the passwords online for all to find and do what they would with them. Suddenly, the theft turned from plain protest to malevolent misdeed.

The Hackers Are Agile

So far in 2012, we´ve seen some high-profile password leaks from music-streaming services, gaming services, professional networking services and online dating services as users´ personal information is put in extreme jeopardy. Some quick, back-of-the-envelope calculations show that, all told, some 14 million people have had their passwords cast about in the wild, wild web. (There could be some users who had multiple passwords compromised, of course“¦.)

These users likely have no reason to assume their passwords will ever be completely safe again, as stories break nearly every month about new hacking attacks and new government concerns about possible cyber-terrorism. Is there any way to protect ourselves and our information when it doesn´t exist outside of zeroes and ones?

“I really wish I could say that the problem is going to go away, but everything I see shows that's unlikely to happen,” says Alan Brill, the senior managing director for Kroll Advisory Solutions.

“The perpetrators of these crimes - and that's what they are - are very agile.”

Not only are these hackers agile, they also learn very quickly and are often very knowledgeable about new ways to break into systems undetected. Without constant dedication and vigilance, businesses and individuals alike are left vulnerable to attacks from cyber criminals. The instances we´ve seen with sites like eHarmony and LinkedIn are relatively minor, as the users who had poor password protection were also the ones who had their accounts compromised. Though it´s not entirely likely too many people saw direct harm come from these attacks, they were placed in danger, especially if their usernames or passwords were shared amongst other sites, such as banking sites or email accounts.

At worst, hackers could completely take over your accounts, have full access to your credit cards and therefore access to your identity.

It´s Never Too Late

But this is common knowledge, is it not? Are these recommendations for tighter security controls now falling on deaf ears? When news broke about the recent Yahoo password dump, EuroSecure took a look at the plain text passwords and found some shocking, if not all too common information.

Of the 442,000+ leaked passwords, the top ten were all predictable numeric sequences or dictionary words, such as “123456,” “123456789.” “Sunshine,” or the old standby, “password.”

And yet, for all our efforts, we´re only as secure as the hacker´s ability to break into our accounts. As pessimistic as it sounds, we´re all open and vulnerable to anyone who wants in badly enough.

Take for instance, the recent tale of Gizomodo writer Mat Honan.

A tech-savvy guy, Honan made sure to use a strong, if not a bit outdated password to protect his Apple ID. A 19-year old hacker, using the alias “phobia,” however, was able to break into the securely built walls without the use of brute force or clever cyber cunning. Phobia simply broke in by calling the offices of Amazon and Apple, pretending to be someone he wasn´t, namely, Mat Honan.

With just a few pieces of Honan´s information, this teenaged hacker was able to completely lock down Honan´s digital life, wiping his iPad, iPhone and MacBook Air and locked up his email accounts, all for the sake of taking over his 3-letter Twitter handle. The frightening element of Mr. Honan´s story is the fact that the company policies of both Amazon and Apple allowed this to happen. Apple confirmed twice to Mr. Honan that they only require “the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file” to verify someone´s identity.

What´s disappointing and down-right sad about this tale is Mr. Honan hadn´t performed any sort of backup and, as such, lost priceless photos of his newborn daughter.

Mr. Brill´s comments only serve to further prove what we´ve already seen this year: hacking attacks are here to stay and will probably begin to effect many more individuals in the coming months and years. Therefore, now is as good a time as any to brush up on some very important online safety and security protocols and, more importantly, implement a few safety standards if you´ve yet to do so.

Strike A Balance Between Convenience and Security

Where your privacy and digital life are concerned, there is usually a balance between security and convenience. For instance, one method, such as using one password across multiple sites, is incredibly convenient, but not very secure. On the other hand, creating multiple passwords for multiple sites, employing a rigorous backup routine and using multi-step authorization sign ins are very secure, but can seriously hamper your productivity. Says Mr. Brill, “The idea is to keep security at a reasonable level, and recognize that risk.”

The Federal Trade Commission offers some pointers, such as being selective about what information you share and who you share this with. The age old rule still applies: Don´t give out your information unless you´re certain the person or organization needs to have it. Furthermore, be careful not to click on rogue links or install any software that you aren´t entirely sure of.

Mr. Brill takes the suggestions even further, saying users should be sure to employ different passwords for every website they frequent. The passwords used should ideally be something that would give a hacker great difficulty to crack, should they ever try. Common dictionary words and names of family members or beloved pets make the least secure passwords says Mr. Brill.

“Better to choose something not in the dictionary, like "[email protected]$t". Combinations of words and switching some letters to numbers or symbols gives you a much better chance of not having your password cracked.”

In addition to choosing a secure password, there are other precautions you can take to ensure the safety of your private and sensitive information.

“Even at home, you have to recognize the risks and do the basics,” says Mr. Brill.

On the technological side, Mr. Brill suggests using a combination of a firewall and a constantly updated copy of an anti-malware software on every machine, in addition to encrypting your hard drive and wireless router.

“Also, you may want to get a credit card that you use only for online purchases,” continues Mr. Brill.

“If it gets compromised, you still have a card you can use for other purposes. Or, if your card issuer provides it, use one-time credit card numbers. They generate a number you can use for one transaction, and it then expires.”

Bank of America, for instance, offers such a service which “adds an extra layer of protection when customers shop online by creating a temporary credit card number.”

Back Up, Back Up, Back Up

While employing multiple secure, strong passwords and firewalls is a good first step, it´s also important to make sure your data is backed up an secure as well in the event that a hacker is able to penetrate your best defenses. After all, it´s frightening to know that a stranger has been in your house and has seen where you eat, live and sleep. It´s catastrophic, however, when a stranger breaks into your house and steals your valuable possessions or damages those items which are dear to you.

Peter Krogh, a commercial photographer in the DC area, suggests a very simple backup method which can be adopted by anybody living a digital lifestyle. In his 3-2-1 Rule, Krogh recommends keeping 3 copies of all important information, one primary backup and two additional backups. Each of these backups should be kept on 2 different forms of media, such as a disc and a hard drive. Finally, 1 copy of these backups should be kept offsite or offline, in the event something happens to the physical copies, such as theft or fire.

Making a back up isn´t a difficult chore, able to be performed by only the tech-set. It´s even incredibly affordable and comes with a great pay off: Peace of mind. At a glance, a 500GB external hard drive can be purchased from Amazon for around $70 or less. A larger, 2TB option costs around $100, a great value considering the irreplaceable nature of much of your information. The prices of these drives can fluctuate, meaning you´ll be able to find a good deal anytime you look. For Mac users, one of the most popular backup tools is a free app called SuperDuper! which can easily handle any backup chore you ask it to do. A popular choice for Windows users is DriveImage XML, which can also easily perform any backup tasks such as copying from one drive to another or restoring files on a different drive.

How the Normals Do It

In preparation for this piece, I reached out to several colleagues and friends both on and offline to ask them about their security practices in order to get an idea of how people, both tech-savvy and tech-averse, manage their online privacy and security.

One tech-minded person said they´ve recently implemented 2-step verification in Gmail, which puts an extra step in the sign in to protect against unauthorized access to a Gmail account. Another said they used a password storage service such as LastPass or 1Password Pro for Mac, which creates and stores secure passwords for multiple sites and services.

Using one of these services is an easy way to make sure each password you use is different and unique, and a main, universal password can be set to lock or unlock the other passwords.

And In the End“¦

What was interesting and slightly troubling, however, was realizing just how many of these colleagues and friends had no real safety and security protocol in place. In fact, half of the people I spoke with had no such “safety net” in place, using the same username and password for multiple sites and services and no backup routine.

I´d wager a guess that, like Mr. Honan, many have multiple, daisy-chained accounts, meaning if a hacker were to gain access to an email account or a twitter account, they´d be able to inflict some serious harm.

Employing these methods is simple to do, and should be exercised with the same care and attention given to personal safety. In the same way many of us wouldn´t leave our house without double checking to make sure the doors and windows are locked, we shouldn´t be leaving the doors and windows of our digital lives wide open as we enjoy our online lifestyles blissfully unaware.

It´s true that fences are only meant to keep the good people out, but it´s also true that an ounce of prevention is worth a pound of cure, and if you can take a few moments each week to make sure your digital life and personal information are locked up tight, you could avoid devastating situations like Mr. Honan or countless others.