A Good Time To Think About Digital Security
Sep 05, 2014
The recent celebrity phone hacking scandal is a reminder that digital security is a vital component of our increasingly digital lives.
In mid-August Joe Aldeguar and I presented a session at the 2014 SAF Annual Convention that focussed largely on digital security. Just a few weeks later the celebrity phone hacking story became big news. We talked briefly about the timing - our session would have been more topical if we had presented it afterwards - but more about what had happened to the victims. The loss of privacy they suffered is terrible but, hopefully, it will convince other people to get more serious about digital security.
Since the story broke there have been a few theories floated about how the breach was accomplished. We had talked about securing against each of these during our presentation.
The Dangers of Open Wi-Fi Network and "Evil Twins"
An early theory was that the victims of the attack may have been compromised by using the same open wifi network at an awards show. Open wifi networks are convenient but inherently dangerous. If you don’t have to enter a password to join a wireless network (on a protected network that password is used to derive the encryption key), the radio link between your device and the wireless router is not encrypted at all: anything you send over plain HTTP travels as readable text and can be captured by anyone within radio range.
This can be used in conjunction with something called an Evil Twin attack. This involves the attacker creating an open wifi network that looks legitimate when it is actually designed to serve their own purposes. They might create an exact twin of the network at somewhere like a coffee shop (same name, no password), or just a free network with a plausible name. Either way the goal is to get you on a network the attacker controls, sending unencrypted data through their hardware.
Of course if the site you are browsing uses SSL/TLS encryption (you can tell because the url will start with “https” instead of “http”) then your traffic to that site is protected even on an open network, provided you don’t click through a certificate warning, and most major sites do use it. This is a step in the right direction. Just a few years ago this was not the case and it was shockingly easy to steal someone’s credentials from even major sites.
You can protect yourself from this kind of attack by not using open wifi networks, but a better solution is to use a VPN service like Cloak. This app installs on your laptop or other mobile device and, as soon as it senses that you are using an open network, puts you on a VPN (virtual private network). Everything between your device and the VPN provider’s server is then encrypted, so the open wireless segment, including any evil twin, only ever carries ciphertext.
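The two warning signs described above (an open network, and a network name that appears both open and encrypted, or on an access point you have never seen) can be checked mechanically against a Wi-Fi scan. The script below is an added example written for this post, not code from the original article or from Cloak. The scan rows and the saved-network table are constructed for illustration; on a real machine they would come from the operating system’s scan tool and its list of previously joined networks.

```python
"""Triage a Wi-Fi scan for open networks and evil twins.

Added example, not code from the original post or from Cloak. The scan rows
and the saved-network table are constructed; on a real machine they would
come from the OS scan tool and its saved-network list.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str       # network name shown to the user
    bssid: str      # the access point's MAC address
    security: str   # "OPEN" (no key) or the encryption in use, e.g. "WPA2"


# Networks this machine has joined before: (ssid, bssid) -> security seen then.
# Constructed for the example.
SAVED_NETWORKS = {
    ("Cafe Guest", "aa:bb:cc:00:11:22"): "WPA2",
}

# A constructed scan: the cafe's real AP, a second "Cafe Guest" that is open
# and on a different BSSID, an unknown open network, and an unrelated WPA2 one.
SAMPLE_SCAN = [
    AccessPoint("Cafe Guest", "aa:bb:cc:00:11:22", "WPA2"),
    AccessPoint("Cafe Guest", "de:ad:be:ef:00:01", "OPEN"),
    AccessPoint("Free Airport WiFi", "12:34:56:78:9a:bc", "OPEN"),
    AccessPoint("HomeNet", "aa:aa:aa:aa:aa:aa", "WPA2"),
]


def triage(scan, saved=SAVED_NETWORKS):
    """Return {ssid: [warnings]} for every SSID that should not be joined blindly."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    saved_by_ssid = defaultdict(dict)
    for (ssid, bssid), security in saved.items():
        saved_by_ssid[ssid][bssid] = security

    findings = {}
    for ssid, aps in by_ssid.items():
        warnings = []
        securities = {ap.security for ap in aps}
        # One name advertised both with and without encryption: classic twin setup.
        if "OPEN" in securities and len(securities) > 1:
            warnings.append("same SSID advertised both OPEN and encrypted: possible evil twin")
        remembered = saved_by_ssid.get(ssid, {})
        for ap in aps:
            # A saved network showing up on a BSSID we have never joined.
            if remembered and ap.bssid not in remembered:
                warnings.append(f"{ap.bssid}: BSSID not seen before for this saved network")
            # A saved network that used to need a key now offered without one.
            if ap.security == "OPEN" and any(s != "OPEN" for s in remembered.values()):
                warnings.append(f"{ap.bssid}: OPEN, but this network was encrypted when saved: likely evil twin")
            # Any open network: plain-HTTP traffic is readable by anyone in range.
            if ap.security == "OPEN":
                warnings.append(f"{ap.bssid}: no encryption; plain-HTTP traffic is readable by anyone in range")
        if warnings:
            findings[ssid] = warnings
    return findings


def safe_to_join(ssid, scan, saved=SAVED_NETWORKS):
    """True when the scan shows nothing suspicious about this SSID."""
    return ssid not in triage(scan, saved)


if __name__ == "__main__":
    for name, warnings in triage(SAMPLE_SCAN).items():
        print(name)
        for w in warnings:
            print("  -", w)
```

A new BSSID is not proof of an attack; a venue may simply have added a second access point. Treat the warning as a reason to ask the staff which network is theirs, and to stay on the VPN in any case.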
Weak Passwords/Recovery Questions
Another theory was that the breaches resulted from weak passwords that could be easily ascertained or guessed. In one case it was even suggested that the victim had shared a pretty strong hint about their password with the media. Passwords need to be long, complicated and random. Simple substitutions or “munging” of passwords are not enough: password-cracking tools try those substitutions automatically, so “pass55w0rd” isn’t going to keep anyone out anymore.
To make it work you need to follow good password practices and use a password manager like 1Password. There is more information in the handout from our session (see the link at the bottom of this post), and to learn even more consider reading the excellent Take Control of Your Passwords by Joe Kissell.
Recovery questions, often used if you need to reset your password, are another problem. In the social media era it’s not that hard to find out the name of your pet, the name of your first car, or the street you grew up on, especially if you are a celebrity. If you have to provide answers to recovery questions you should lie, treat each answer as just another random password, and store the lie you used in your password manager.
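To put numbers on the advice above, the script below generates a random password and a random “recovery answer” the way a password manager would, and compares the search space of a dictionary word with leet substitutions against that of a genuinely random password. It is an added example written for this post, not code from the original article or from 1Password. The 100,000-word dictionary size and the substitution table are assumptions used only to estimate what a cracker would try.

```python
"""Random passwords, random recovery answers, and why munging does not help.

Added example, not code from the original post or from 1Password. The
dictionary size and the leet-substitution table are assumptions used to
estimate an attacker's search space.
"""
import itertools
import math
import secrets
import string

# Printable ASCII without whitespace: 94 symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Substitutions a cracker's rule set tries first (assumed table).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

ASSUMED_DICTIONARY_SIZE = 100_000  # order of magnitude of a cracking wordlist


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random password drawn from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_recovery_answer(length: int = 24) -> str:
    """A made-up answer for a question like 'name of your first pet'.

    Lowercase letters and digits only, so it survives sites that reject
    punctuation in answers. Store it in the password manager with the account.
    """
    return generate_password(length, string.ascii_lowercase + string.digits)


def random_password_bits(length: int, alphabet: str = PASSWORD_ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def leet_variants(word: str):
    """Yield every string obtainable from `word` by substituting any subset
    of its letters per LEET; this is what a rule-based cracker enumerates."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def munged_dictionary_bits(word: str, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Bits of search space if each dictionary word had as many leet variants
    as `word` does: dictionary_size * variants guesses in total."""
    variants = sum(1 for _ in leet_variants(word))
    return math.log2(dictionary_size * variants)


if __name__ == "__main__":
    print("random password:", generate_password())
    print("recovery answer:", generate_recovery_answer())
    print(f"munged 'password': ~{munged_dictionary_bits('password'):.1f} bits")
    print(f"random 20 chars:   ~{random_password_bits(20):.1f} bits")
```

With the assumptions above, “password” and its leet variants sit in a space of roughly 2^21 guesses, which a cracker exhausts in under a second against a stolen hash, while a random 20-character password sits at about 131 bits. The point of the manager is that you never have to remember either the password or the fake recovery answer.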
Think about your house. No stranger should ever walk up, try all the windows and doors, let themselves in and steal your valuables. And, if they did, you as the homeowner shouldn't be judged or blamed. But, given the world we live in, most of us are concerned that someone might try and steal from us, so we invest in good locks, maybe even security systems, and are careful about using them.
Digital security is no different. The victim shouldn't be blamed, but we should all remember to be careful and protect that which is valuable to us.