Security

Five ways to protect yourself in a multi-device, multi-platform world

In the wake of Wired reporter Mat Honan's digital disaster, you should revisit your security strategy for "living online." Here are best practices for repairing the weakest links in your personal security.

Once upon a time, security was easy - or at least, relatively so. Windows might have a lot of vulnerabilities, but it's "the devil we know." And we knew what to do to protect it: Keep it patched, run anti-virus/anti-malware, use a firewall, follow some best practices. You could even reduce the odds of getting hacked, if only through security by obscurity, by using a non-Windows operating system.

In the words of a best-selling novelist, the world moved on. Today we do our computing in a multi-device, multi-platform world. Linux-based operating systems such as Android are proving to have plenty of vulnerabilities of their own. And as Mat Honan's recent experience with being "hacked hard" shows, using iPhones, iPads and MacBooks no longer protects you from having your accounts taken over and your devices wiped by an attacker.

What can you do to avoid being victimized? The first step is a change in attitude: You have to stop thinking of security as a Windows problem or an issue that only concerns desktop systems, and realize that all of your mobile devices are full-fledged computers that are connected to the Internet. Here are some basic principles for minimizing your risk in five crucial areas.

#1 Password protection

Despite all the talk about multi-factor authentication, a user name plus a password or PIN is still the most common method by which we authenticate ourselves to systems, networks, sites and services. Your passwords are the keys to your kingdom. Honan's attacker reset the passwords to his iCloud, Gmail, and Twitter accounts, locking him out. They remotely wiped his phone, tablet, and laptop and posted offensive tweets on Gizmodo's Twitter account, which was linked to his.

There are many different ways an attacker can gain access to your password: malware, key loggers, guessing, brute force, social engineering. If you have the choice to use two-factor authentication, do it. For most cloud services, that will be difficult or impossible. Basic tips for protecting your passwords include:

  • You undoubtedly already know not to use your birthday, your spouse's/kid's/pet's name, your social security number or any word in the dictionary as your password - yet "password" and "123456" continue to rank at the top of the "most used password" lists when hacked passwords are analyzed. Most people use only alphabetic or only numeric characters (not a mix) as their passwords. "0000" and "1234" are popular smart phone PINs.
  • Have a strong, long, complex passphrase containing alphabetic and numeric characters and symbols that you can easily remember. Honan's password was only seven alphanumeric characters. Most security experts recommend a minimum of eight, but more is better. In fact, studies have shown that length is the most important factor in increasing the time required to crack a password. Here's an example of a passphrase: mYdoGlovEs20$steaKs. "My dog loves twenty dollar steaks" isn't hard to remember, and I've just capitalized the second, third, fourth and fifth letters of the successive words. Don't use my algorithm (which of course isn't the one I use on my real password); make up one of your own. Sophos's Graham Cluley has also published his own method for coming up with a difficult password.
  • Once you have your algorithm or "system" for creating passwords, use it to create a new password every so often. Honan said he had been using the same password for "years and years." You probably don't need to change your personal account passwords every 30 days (unless you're a high profile target) but it's not a bad idea to do it occasionally. Most important, keep up with security news so you'll know when a service you use has had a breach, and change your password after one occurs.
  • Don't use the same password for all your different accounts. It appears Honan did that right, but I knew many people who were caught by the LinkedIn password leak back in June, and found themselves worrying not just about their LinkedIn accounts, but dozens of others for which they used the same password. So how do you remember all those different passwords? Again, that's where your "system" comes in. You can use the same system to create the different passwords, making it much easier to remember them. Another option is to use password management software to store them in encrypted form.
  • Don't put your passwords in a Word document or other unencrypted or easily decrypted file. Don't put them on sticky notes (physical or virtual), don't email them to yourself or someone else. If you must record your password for fear of forgetting it, write it on paper and lock it in a safe.
  • Trust no one and no device. Don't reveal your passwords to others, no matter how much you trust them. If you must let someone else access one of your accounts, change to a temporary password and then change your password again as soon as the other person no longer needs access. Don't allow websites and applications to store your passwords, especially for critical accounts such as banking, credit card sites, retail sites, etc. Don't enter your passwords from a friend's device or a public machine; there could be spyware or key loggers installed.
  • If possible, don't use your passwords over public wi-fi networks such as those in hotels, coffee shops, airports, etc. If you must access an account over such a network, make sure the connection is SSL-secured, or VPN into your home or work (trusted) network.
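To put numbers behind the point that length matters more than character mix, here is an added Python example (not from the article): it estimates the exhaustive-search keyspace of a password from its length and the character classes it uses, compares a constructed 7-character alphanumeric password of the size Honan used with the article's passphrase, and treats entries on a small constructed common-password list as instantly guessable. The guess rate and the common-password sample are assumptions.

```python
import math

# Constructed sample of the "most used password" entries the article mentions;
# a real check would load a breach-derived wordlist of millions of entries.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "0000", "1234"}

# Alphabet sizes a brute-force engine must cover for each character class.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size

def keyspace_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search must try: length * log2(alphabet).
    This is an upper bound: a dictionary attack on a phrase built from real words
    with a guessable substitution rule needs far fewer guesses."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0  # on every wordlist: found within the first few guesses
    return 2 ** keyspace_bits(password) / guesses_per_second

def compare(passwords: list[str]) -> list[tuple[str, int, float, float]]:
    """One row per password (password, alphabet, bits, seconds), weakest first."""
    rows = [(p, charset_size(p), round(keyspace_bits(p), 1), seconds_to_exhaust(p))
            for p in passwords]
    return sorted(rows, key=lambda r: r[3])

if __name__ == "__main__":
    samples = [
        "123456",               # tops the leaked-password lists
        "abc1234",              # constructed 7-char alphanumeric, Honan-sized
        "mYd0G$st",             # 8 chars drawing on all four classes
        "mydoglovessteaks",     # 16 lowercase letters, no mixing at all
        "mYdoGlovEs20$steaKs",  # the article's passphrase
    ]
    for pw, size, bits, secs in compare(samples):
        print(f"{pw:22} alphabet={size:3} bits={bits:6.1f} worst-case={secs:.3g} s")
```

Note that the 16 lowercase letters beat the 8-character all-class password by more than 20 bits, which is the length-over-complexity point in numbers.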

#2 Device settings

With the plethora of different computing devices in use, running different operating systems and different OS versions, it's impossible to include in one article instructions for setting each to be most secure. Here are some general tips for protecting mobile devices:

  • Select your mobile device model(s) with security in mind. Find out beforehand which devices support remote wipe, file encryption, two-factor authentication, and other security features.
  • Keep your devices under your physical control. Don't leave them unattended for "just a minute" at conferences or business meetings, even if you think others will watch over them. Don't loan them to others to use without your direct supervision. Don't loan them to strangers/acquaintances to use even with your direct supervision.
  • Protect your data in case of theft of the device. On laptops, enable BitLocker or another whole-volume encryption program. On tablets and smart phones, enable password/PIN protection. If your device offers two-factor authentication, such as fingerprint or facial recognition, use it. Install a mobile tracking and locking program. Enable remote wipe capabilities. Set your phone to back up your data regularly to a cloud location if you're comfortable with that. If not, manually back up your data to your computer regularly.
  • Turn off networks and services you don't need (wi-fi, Bluetooth, infrared, mobile networks, file sharing). If you have Bluetooth on, set it to undiscoverable mode. When you're in a known hostile environment (for example, a hacker conference such as Defcon), keep your phones and tablets turned off when you aren't using them and don't connect to the available wireless networks. If you must, change your passwords immediately afterward.
  • Set your email access to use an encrypted connection.
  • Make sure USB debugging is disabled on Android devices.
  • Make sure your iPhone backups are set to be encrypted.
  • Set a PIN on your SIM card so a thief can't use it in another device.

#3 Cloud service security

With so much of our computing experience moving to the cloud, it's important to understand what we're giving up in return for the convenience. First and foremost, you give up a lot of control.

What can you do about it? Carefully assess the data you put in the cloud. Don't store highly sensitive data there. Don't store the only copy of your data there; cloud backup is great, because it's there even if a natural disaster wipes out everything at your location, but it's only half the solution. Have a local backup of everything important, in addition to your cloud backup.

Carefully assess the cloud provider(s) you choose to use. Look into their records when it comes to security. Check out what they've published about their security practices and assurances. Do they encrypt data stored on their servers? What type of encryption do they use? Read their Terms of Service and privacy policies. Find out how they handle things such as resetting your password (which ultimately turned out to be the problem in Honan's case). Know what you're getting into.

Finally, understand that no cloud service (and certainly no free cloud service) is going to give you any guarantees about the security of your data. Breaches happen. A little over a year ago, Dropbox dodged a bullet when a bad authentication update opened a hole in the service that would allow anyone to access the data of any user, for a period of about four hours.

#4 General anti-malware

This is a catch-all category, with some tips for protecting your devices from the many different types of attacks that are prevalent today:

  • Always apply updates as soon as possible, not just to Windows machines but to all your devices. Run anti-virus and anti-malware software if available for the device.
  • Don't jailbreak/root your device. This allows you to install apps that require admin privileges, but it also makes your device more vulnerable.
  • Be careful when installing new apps. Read reviews, read the disclosures regarding what access you're giving the app to your data, and consider the source (app store vs. unknown website). Be aware that malware authors may name their apps the same thing as legitimate, trusted apps to trick users into installing them. Avoid apps offered for free that are normally paid apps. Be careful not to be taken in by fake security apps that are really malware; only get antivirus/antimalware apps from legitimate security companies. Don't allow apps to automatically update unless you are sure you trust the app developer.
  • Install app locking software on your device to prevent unauthorized access to specific apps that contain sensitive or personal information even if a thief is able to get into the operating system.
  • Be careful about visiting unknown websites that could surreptitiously download malware to your device.
  • Use the secure versions (https) of websites when you have that option.
  • Take the same precautions when reading email on your phone or tablet as when doing so on your computer (don't open attachments, don't click on links), and be aware that SMS text messages can also deliver malware.
  • If you use mobile connection sharing apps to allow your laptop or tablet to use the 3G/4G data connection on your phone, monitor the current connections to ensure others aren't connecting to your hotspot. Be sure to use WPA2 to secure your ad hoc wi-fi network.

#5 Personal disaster recovery planning

Even after you take all of the precautions above, you may still be hacked. In the end, it turned out that Honan's predicament wasn't caused by what he did or didn't do, but was the result of social engineering at the Apple tech support end. The lesson to be learned here is that you cannot count on other entities such as service providers to protect you. You can do everything right and still get hacked because someone else fell down on the job. But you don't have to lose everything when it happens, if you've put a personal disaster recovery plan in place.

That means having the ability to track, lock and/or wipe the data on your mobile devices remotely, ensuring that important, hard-to-replace data and files are backed up to at least two locations, and not using the device for sensitive communications, so that if all your preventative measures fail, the consequences will be inconvenience and annoyance rather than catastrophe.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

8 comments
Tgneg

This was a very nice article. There is a lot that we can ALL learn from this experience. We ALL need to be more proactive about our personal account security. In the case presented, he can blame both of the big guys (A+A) who failed him, but he still needs to blame himself for failing himself. In this day and age we need to learn to stop throwing the blame on to others and step up and take the responsibility of our info. If you don't trust the site, don't use it. We have heard a million times: don't use the same passwords, back up your info, and then there is two-factor authentication. 2FA has jumped into the spotlight over the last few months. It's been around for a while, but it is good to see some of the big companies like Google promoting this option. In this case, 2FA was an option that was made available to him and he did not see the need or want to take the time to set it, so it is his own fault. And the two A's don't offer it, and that would have limited the damage done. But the sad fact is there are millions of people just like him who are not taking advantage of this awesome functionality that is being offered to them by several sites. I really hope this serves as a wake-up call to companies and individuals alike, for the need to kick this complacent attitude about authentication and passwords. My advice is take advantage of the 2FA which allows you to telesign into your accounts. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.

darksidegeek

People tend to use the same passWORD because remembering many different WORDs is hard. But if you use the phrase-with-substitutions model, and yet have multiple passPHRASEs for all sites/apps, that too will be hard to remember. And as people have pointed out, when a certain app/site has restrictions on characters or lengths, it can blow holes in your "algorithm". The advice in the Sophos video was to use a password manager such as KeePass to remember all the phrases. But if you are using KeePass, why not rely on the program's ability to create high-entropy random passwords directly? No creativity needed to invent a sentence, no mental gymnastics required to do compliant substitutions, and no long-term memory to recall. At worst, you have to tweak the initial random value to fit the length/character requirements of the site/app, but after that, you are done. The rest is cut-and-paste (which BTW is also a defense against keyloggers). When it is time to refresh, simply use the generate-from-template to create another that is already guaranteed to be compliant. I live the KeePass religion and haven't had to remember a personal password in years. And you can secure your keys to the castle by using two-factor authentication to protect your KeePass database, which is something HIGHLY RECOMMENDED and I wish more actual sites were doing. (Following the Honan hack, Google is pushing strongly for users to enable two-factor on their account.)

chris

Like many of us, I have more than 60 web accounts with usernames and passwords to manage. I do have a system for keeping them unique yet remembering them, but several either do not allow symbols, or even worse (and a policy I find unforgivable), limit passwords to no more than 12 characters (a few limit you to even less). While I'm on a rant, let me mention the ones who send an email confirmation of your account signup, CONTAINING BOTH YOUR USERNAME AND PASSWORD IN PLAIN TEXT! #(
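Since the two comments above both turn on sites that forbid symbols or cap length, here is an added Python example (not part of the thread, and not KeePass's code) of the approach darksidegeek describes: generate a random password from a per-site template using the OS CSPRNG, guarantee at least one character from every allowed class, and verify the result against the same rules before pasting it into the form. The SiteRules layout and the symbol set are assumptions.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class SiteRules:
    """Constructed per-site template: the constraints a signup form enforces."""
    max_length: int = 64
    allow_symbols: bool = True
    symbols: str = "!@#$%^&*()-_=+"  # assumed set; trim it if a site rejects some

    def classes(self) -> list[str]:
        required = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
        if self.allow_symbols:
            required.append(self.symbols)
        return required

def generate_password(rules: SiteRules, length: int = 20) -> str:
    """Random password fitted to the rules: as long as the site permits, one
    character from every allowed class, the rest drawn from the whole alphabet."""
    length = min(length, rules.max_length)
    classes = rules.classes()
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in classes]  # satisfies "must contain" rules
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with a CSPRNG-backed generator so the guaranteed characters
    # are not always at the front (random.shuffle is not suitable here).
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def is_compliant(password: str, rules: SiteRules) -> bool:
    """Check a candidate the way the site would: length, alphabet, every class present."""
    if not password or len(password) > rules.max_length:
        return False
    alphabet = set("".join(rules.classes()))
    if any(c not in alphabet for c in password):
        return False  # contains a symbol (or other character) the site rejects
    return all(any(c in cls for c in password) for cls in rules.classes())

if __name__ == "__main__":
    # A site that allows no symbols and caps passwords at 12 characters, as in the thread.
    strict = SiteRules(max_length=12, allow_symbols=False)
    pw = generate_password(strict)
    print(pw, is_compliant(pw, strict))
```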

albayaaabc

S.people how have using it, was stealing that be made by known the theory of how to be theifer, like password question, and so on, being harder so not to be break.

tekitup

Thank you for writing about this super important issue; as an IT pro I can't tell my clients enough about keeping their devices secured and using as much encryption as possible.

Dr_Zinj

Unfortunately, there is a very large percentage of companies, applications, and security packages out there that still will not accept symbols in password construction. Which really cuts down on the hacking time needed to crack them. Honan was subjected to a cloud hack. His applications resided there. His data resided there. His vendors let him down. And his vendors have zero consequences to his being hacked because of their laxness, beyond the possibility of losing him as an irate customer. If you don't have physical possession of your data, then it isn't protected, and it isn't your data.

jdudeck

I've found that even a single non-alpha-numeric character in a password makes it pretty secure. In our office we all use at least one that is not a letter or number. I've been running John The Ripper for nearly a year now against our passwords, and it still hasn't found any of them.

betiryan

Thanks Deb. I made almost all of your checklist. I'm avoiding the cloud for now and going with external backup plans.