Currents: Water Sage's Blog on Water Rights and Water Data

November 17, 2017: What We Talk About When We Talk About Security
Aaron Edwards
What We Talk About When We Talk About Security

Equifax.  eBay.  Yahoo.  Target.  JP Morgan Chase.

These are several of the more infamous data breaches in recent years.  Cumulatively, these represent billions of users whose personal information has been compromised. That information includes things like credit card numbers, names, birthdates, addresses, social security numbers and of course, passwords.

If you’re like me, the Equifax breach was an eye opener.  Knowing that my personal information was likely stolen, and that at some point someone may try to open a credit account in my name, has me feeling a little violated.  While I have taken some modest steps to protect my credit rating, I am beginning to think about cyber security in ways I never had to before, both personally as web user, and professionally as a software developer who writes applications for the web.

History

In the days before the web, hackers had to work pretty hard to gain unauthorized access to a computer or network.  A company’s network was typically isolated from the rest of the world, or connected only in very limited ways.  The Internet was virtually unknown, and without the web it consisted primarily of a loose collection of email addresses, FTP sites, Bulletin Board (BBS) Services, and news groups.  It was pretty much all text-based, which was a good thing because we were all connecting using a dial-up modem with speeds about one percent of what is common with today’s broadband providers.

In September 1988 Time Magazine published a story on computer viruses.  In those days malware was arguably more innocent.  It generally only sought to destroy your computer, or its Operating System (OS) installation in any case.  You would download something off a BBS, or someone gave you a pirated copy of some software you were coveting, Lotus 123 or the like.  As soon as you ran the program, Bam! You don’t have a computer anymore, at least until you’d reformatted your hard drive and reinstalled everything.  You probably lost all of your data as well, unless you kept backups or had your drive partitioned.

As the web became more ubiquitous, viruses and other malware became more common, and infection vectors that were much more mainstream started to appear.  You could catch a worm or virus by downloading something off the myriad of file sharing applications that were out there.  Simply visiting the wrong website could get you infected with spyware.

More importantly, malware creators eventually got savvy to the huge commercial potential that their exploits created.  Instead of simply hosing your computer, malware would spy on you, collecting your passwords as you typed them. Or it might install a trojan, which would do nothing until a designated date and time, at which point it would coordinate with the thousands of other infected computers and do something like take down a government website or corporate network.  Ransomware came on the scene a few years back, in which you were told you had a virus and had to buy a particular antivirus to remove it.  Of course the “antivirus” was, in fact, the virus.

Today, security is arguably more tenuous than it ever has been.  This is due in large part to the huge number of malicious websites, bots and email scams out there.  But it is also a function of the Cloud, and the fact that we now store our most sensitive data in computer networks.  In the 1980s, they couldn’t steal your money because you didn’t bank online.  Now we pretty much do everything on the web, from banking to grocery shopping, to paying our taxes and applying for a passport.  All that data is out there, and it’s considerably less secure than you think it is.

Protecting Yourself – Security 101 for the Web User

Short of taking yourself offline, what are the best practices for individual users who want to keep their sensitive information secure?

Here is a list of seven practices you should be doing already. If you are not, it’s a great time to start!

Passwords, Passwords, Passwords!

Weak passwords are probably the single greatest threat to the individual user.  I myself have been guilty of this.  In the early years of the web, I used the same password for everything: ‘tigger’.  It was the name of my cat.  In those days, I assumed that someone would have to know me pretty intimately to guess this password, so I was safe.

It turns out that ‘tigger’ is one of the most common passwords in use, and that it can be cracked automatically in a fraction of a second.  These days it’s not individual hackers trying to guess your password, it’s automated software bots that are constantly applying brute force to the task.

Your only hope against these password cracking bots is to make sure it takes longer to crack your password than the attacker is willing or able to attack.  A 12 character password, for example, provided it’s not a dictionary word, will take about 200 years to crack with today’s technology.  10 characters will take 4 months, 8 characters will take 5 hours.  How long to crack a 6 character password like ‘tigger’?  About 0.29 milliseconds (https://www.betterbuys.com/estimating-password-cracking-times/).

Incidentally, substituting numbers or symbols for letters, for example t1gg3r, does not   significantly help.  The crack-bots know this trick, and it doesn’t even slow them down. It just amuses them for a while.

While remembering a 12-character password may seem like a painful proposition, there are ways to simplify the task.  One such trick is to string together random words, such as CarDogPastaYoga.  Mnemonics can also be employed.  Take the first letters of each word of a phrase or song lyric and string them together.

Probably the best thing you can do for yourself is to invest a few dollars into a password manager.  I personally use KeePass at work, and RoboForm at home.  With these types of applications, you only need to remember your Master password, and it will securely hold all your other passwords.

It’s important to note that you should never use the same password for all of your online accounts.  If someone is able to hack poorly protected website and get your password, they can now log into all of your other accounts, such as your bank.

These days, most websites won’t allow you to use an easy-to-hack password.  Although, there are still thousands of sites out there that will let you enter anything you want as your password, like ‘tigger’ or ‘cat’.

Opt-In to Two-Factor Authentication

Today, most banks and highly sensitive websites will offer two-factor authentication.  Two- factor authentication requires you to know something (your password) and to have something, like your mobile phone.  When you log in to a website from a new computer, the website will send you a text message with a code in it, which you must then enter on the website in order to log in.

Two-Factor authentication is an effective way to protect yourself, but it is not yet implemented everywhere, and those sites that do offer it generally don’t make it mandatory.  You should opt-in for it wherever it is offered.

Avoid Phishing Scams

I can’t imagine there’s anyone online today that hasn’t been hit by hundreds of these attacks. Most decent email services will filter these messages out for you, but not all of them.

With a phishing scam, you receive an email from your bank, eBay, Amazon, the IRS etc.  The email tells you that you need to do something on your account.  They may even call it a security patch.  So you click the link in the email, which takes you to your bank website.  Except it’s not your bank, it just looks exactly like your bank.  You attempt to login, and it notifies you that your credentials are invalid. Now, the hacker has your username and password for bank account.

Millions of users get hacked this way every day.  The answer? Don’t click the link.  Instead, open a new browser and type in the URL of your bank’s website.

Don’t Plug That Thing In!

If you don’t recognize a USB thumb drive you found lying around, do not insert it into your computer.  Thumb drives install their own software drivers the first time you plug them in, and it is possible to hack those drivers to also install spyware and keyloggers.  As soon as you plug in that thumb drive they own your system, and you don’t have any secrets anymore.

It’s actually a common and very successful social engineering practice for hackers to simply leave a thumb drive in your company’s parking lot.  Someone picks it up, takes it to their computer and plugs it into to see what’s on it.  Too late.  They now have access to your whole network as well as your individual machine.

Use a Limited Account

This is probably a bit more technical, but it’s very important and with a small amount of Googling, you can accomplish it in minutes.  Here’s the gist:

By default, most individual users are created with Admin level privileges. So, if that user hits a malicious website, a piece of malware can install itself on your system without any additional action by you.  This is of course OS dependent.

If you use a limited account (i.e. not an Admin) any attempted software installation, either by you or by a malicious website, will require you to provide an Admin password, which is an effective block against a rogue installations.

Keep Your System Updated

OS and Application manufacturers, such as Apple and Microsoft, are constantly updating their software to patch newly discovered vulnerabilities.  You should enable automatic updates to keep yourself safe.

Don’t Visit Sketchy Websites

I learned the hard way that if you Google “Free” anything, you are likely to get infected.  Something as seemingly innocent as “Free Fonts” will likely take you to a site that will try to infect your system with malware.  You often know when a website is potentially unsafe.  I strongly suggest you avoid those places.  It’s a bad neighborhood.

Conclusion

In my next blog, I will discuss the security best practices for web developers and admins.  The two aspects of security are entirely correlated.  If you have weak security on your web server, it will likely get hacked at some point.  You then risk exposing all of your users’ passwords.  Remember that many users may have weak passwords, and may use them on multiple websites.  So even if you encrypt your passwords in the database, hackers can still apply bots to crack them.  They would have gotten my ‘tigger’ password in under a millisecond.  With the 12-character password I use today, it will take them just over 200 years.