Turns out, we should probably be giving our security a lot more thought. SRSLY.
Last week it was revealed how a hacker was able to exploit a security flaw in Amazon’s and Apple’s security protocols to gain access to someone’s email , iCloud account, wipe their laptop, iPhone and iPad, take over their Twitter account and more. Essentially erasing everything this person had on their computer and online accounts. This makes the Tech Guys Robot very very sad.
In effect, Apple required just a few small pieces of easily acquirable information about you in order to do a password reset on your account, over the phone. Having the strongest password an online generator could create is almost useless when someone can simply call up the company and with some social engineering, convince them to change the password to something of their choosing.
Until companies change their security protocols, social engineering techniques will prove useful in way too many circumstances. That’s why it’s important to do a security audit of your online presence. This means tracing your online accounts and how they are connected. Are there any failure points? In other words, if someone can access your email, what else can they then gain access to through it? If they figure out your password for one website, can they simply use this to login to another website?
Unfortunately, you’re not likely to find the results of a such an inquiry to be pleasing. In today’s interconnected world of cloud based services, there’s a high likelihood that you’ve inadvertently chained together access to numerous services via a single login. Most notably, your email account and your Facebook account. Google and Facebook have created wonderful integrations with thousands of other websites and services, allowing you to instantly connect to their service and share your login with one of those accounts.
It’s a wonderfully and terribly useful service. On one hand, developers love being able to allow customers to utilize an account that they already have to simply connect via an API and allow login access, account creation and in the case of Facebook, lots and lots of data. More data than most people will ever fill into a registration form. On the other hand, you’ve just tied those services together allowing access to one to spill over to the other.
The main reason that we love cloud services is that they integrate into one another seamlessly. If you’re an iPhone user, having all of your photos and videos synced to iCould is wondrous thing and you don’t so much worry about losing your phone and losing your contacts, etc. But imagine what happens if someone is able to gain access to your iCloud login information? They could not only delete your backups and data, but if you’ve installed certain apps on your mobile device or computer, they can use them to remotely wipe your devices. Your data gone in an instant.
Getting Setup For Success…
There are some things that you can do to lessen your chances of a security breach in the first place. I stress the word lessen. With just a few rules you can go a long way towards reducing the chain of services that someone is able to access should they gain access to a major account.
Use different passwords AND usernames for everything. Most people use the same password and it’s usually something very easily guessed by a computer running a brute-force attack. But don’t underestimate what much a good username can help. As creatures of habit, we like to be consistent with our usernames so it’s easier to remember. Although lots of sites use your email address, if you’re a Gmail user, you can actually insert dots into your email address and it will still work for sending messages to your account. (example: firstname.lastname@example.org could be: email@example.com, OR firstname.lastname@example.org) You can also append a plus sign and a string or words at the end as well. (example: email@example.com) Try it. Love it. You can also use it for easily filtering junk mail!
Use a STRONG password. I recommend using a service like: http://strongpasswordgenerator.com to create new, random passwords. They also have a nice guide to determining what constitutes a strong password. Your kid’s and dog’s names are not allowed. Just stop it.
Use Multi-Factor Authentication when possible. This just means using multiple pieces of information to successfully login to a service. This usually includes a password combined with either a USB key, fingerprint scan, or other outside service. One such service is Google Authenticator which is an app that can be loaded onto your mobile device and generates a new key every 30 seconds that you’ll need in order to login. It may sound like overkill, but depending on what you’re protecting, multi-factor authentication adds an enormous amount of extra protection on top of a strong password. I highly recommend using this in services that offer it. It’s currently gaining steam with many services.
Separate your accounts as much as possible. Avoid using single sign-on services, especially via Google and Facebook or OpenID. They are useful, but allow connections to be made to other services. Ask yourself this: “If someone gained access to this account, can they use or find any data to compromise something else?”
There are a lot of password managing services out there: Roboform, Billeo, Lastpass, KeePass, 1Password, etc. They can be useful, but again fall into the category of holding all of your eggs in one basket. If you choose to use such a service, you should certainly user multi-factor authentication. Most paid password archive services offer this and you’d do well to take advantage of it.
In the end, there’s no foolproof way to completely protect yourself. Given the opening example with Apple essentially only requiring information that anyone can gather rather effortlessly, to reset a password should be a wakeup call. As we become more dependent on online services and as those services continue to integrate together, simply being aware of the failure points is an increasing important piece of knowledge. We hate to do anything that might disrupt our workflow or add an extra step, but a few seconds of annoyance is but a pittance as compared to the immeasurable loss of your data, files and online accounts.
The one area that this post doesn’t go into is how to protect yourself from server-side attacks, like those carried out on LinkedIn and Yahoo. Unfortunately, most web services don’t open the books on the security practices that they use to ensure your passwords are stored safely and use methods to slow and thwart attackers from gain access to actionable information. For that reason, it’s difficult to tell how safe your login information is on a particular site. Still, your best defense is a strong, random password that isn’t shared with anything else. Allowing for every login to be pared away from yourself is a the best way to ensure you’re not held hostage in case of a breach. Plan ahead and be prepared.
Did I miss anything? Got something to add? Comment below with your favorite security tips, stories, and flame bait. Keep the ball rolling!