In the wake of Wired reporter Mat Honan's digital disaster, you should revisit your security strategy for "living online." Here are best practices for repairing the weakest links in your personal security.
Once upon a time, security was easy - or at least, relatively so. Windows might have a lot of vulnerabilities, but it's "the devil we know." And we knew what to do to protect it: Keep it patched, run anti-virus/anti-malware, use a firewall, follow some best practices. You could even reduce the odds of getting hacked, if only through security by obscurity, by using a non-Windows operating system.
In the words of a best-selling novelist, the world moved on. Today we do our computing in a multi-device, multi-platform world. Linux-based operating systems such as Android are proving to have plenty of vulnerabilities of their own. And as Mat Honan's recent experience with being "hacked hard" shows, using iPhones, iPads and MacBooks no longer protects you from having your accounts taken over and your devices wiped by an attacker.
What can you do to avoid being victimized? The first step is a change in attitude: You have to stop thinking of security as a Windows problem or an issue that only concerns desktop systems, and realize that all of your mobile devices are full-fledged computers that are connected to the Internet. Here are some basic principles for minimizing your risk in five crucial areas.
#1 Password protection
Despite all the talk about multi-factor authentication, a user name plus a password or PIN is still the most common method by which we authenticate ourselves to systems, networks, sites and services. Your passwords are the keys to your kingdom. Honan's attacker reset the passwords to his iCloud, Gmail, and Twitter accounts, locking him out. They remote wiped his phone, tablet, and laptop and posted offensive tweets on Gizmodo's twitter account, which was linked to his.
There are many different ways an attacker can gain access to your password: malware, key loggers, guessing, brute force, social engineering. If you have the choice to use two-factor authentication, do it. For most cloud services, that will be difficult or impossible. Basic tips for protecting your passwords include:
- You undoubtedly already know not to use your birthday, spouse's/kid's/pet's name, birthday, social security number or any word in the dictionary as your password - yet "password" and "123456" continue to rank in the top of the "most used password" lists when hacked passwords are analyzed. Most people use only alphabetic or numerical characters (not a mix) as their passwords. "0000" and "1234" are popular smart phone PINs.
- Have a strong, long, complex passphrase containing alpha and numeric characters and symbols that you can easily remember. Honan's password was only seven alpha/numeric digits. Most security experts recommend a minimum of eight, but more is better. In fact, studies have shown that length is the most important factor in increasing time required to crack a password. Here's an example of a passphrase: mYdoGlovEs20$steaKs. "My dog loves twenty dollar steaks" isn't hard to remember, and I've just capitalized the second, third, fourth and fifth letters of the words. Don't use my algorithm (which of course isn't the one I use on my real password); make up one of your own. Here's Sophos's Graham Cluley's method for coming up with a difficult password.
- Once you have your algorithm or "system" for creating passwords, use it to create a new password every so often. Honan said he had been using the same password for "years and years." You probably don't need to change your personal account passwords every 30 days (unless you're a high profile target) but it's not a bad idea to do it occasionally. Most important, keep up with security news so you'll know when a service you use has had a breach, and change your password after one occurs.
- Don't use the same password for all your different accounts. It appears Honan did that right, but I knew many people who were caught by the LinkedIn password leak back in June, and found themselves worrying not just about their LinkedIn accounts, but dozens of others for which they used the same password. So how do you remember all those different passwords? Again, that's where your "system" comes in. You can use the same system to create the different passwords, making it much easier to remember them. Another option is to use password management software to store them in encrypted form.
- Don't put your passwords in a Word document or other unencrypted or easily decrypted file. Don't put them on sticky notes (physical or virtual), don't email them to yourself or someone else. If you must record your password for fear of forgetting it, write it on paper and lock it in a safe.
- Trust no one and no device. Don't reveal your passwords to others, no matter how much you trust them. If you must let someone else access one of your accounts, change to a temporary password and then change your password again as soon as the other person no longer needs access. Don't allow websites and applications to store your passwords, especially for critical accounts such as banking, credit card sites, retail sites, etc. Don't enter your passwords from a friends' device or a public machine; there could be spyware or key loggers installed.
- If possible, don't use your passwords over public wi-fi networks such as those in hotels, coffee shops, airports, etc. If you must access an account over such a network, make sure the connection is SSL secured, or VPN into your home or work (trusted) network.
#2 Device settings
With the plethora of different computing devices in use, running different operating systems and different OS versions, it's impossible to include in one article instructions for setting each to be most secure. Here are some general tips for protecting mobile devices:
- Select your mobile device model(s) with security in mind. Find out beforehand which devices support remote wipe, file encryption, two-factor authentication, and other security features.
- Keep your devices under your physical control. Don't leave them unattended for "just a minute" at conferences or business meetings, even if you think others will watch over them. Don't loan them to others to use without your direct supervision. Don't loan them to strangers/acquaintances to use even with your direct supervision.
- Protect your data in case of theft of the device. On laptops, enable BitLocker or other whole volume encryption programs. On tablets and smart phones, enable password/PIN protection. If your device offers two-factor authentication, such as fingerprint or facial recognition, use it. Install a mobile tracking and locking program. Enable remote wipe capabilities. Set your phone to back up your data regularly to a cloud location if you're comfortable with that. If not, manually back up your data to your computer regularly.
- Turn off networks and services you don't need (wi-fi, Bluetooth, infrared, mobile networks, file sharing). If you have Bluetooth on, set it to undiscoverable mode. When you're in a known hostile environment (for example, a hacker conference such as Defcon), keep your phones and tablets turned off when you aren't using them and don't connect to the available wireless networks. If you must, change your passwords immediately afterward.
- Set your email access to use an encrypted connection.
- Make sure USB debugging is disabled on Android devices.
- Make sure your iPhone backups are set to be encrypted.
- Set a PIN on your SIM card so a thief can't use it in another device.
#3 Cloud service security
With so much of our computing experience moving to the cloud, it's important to understand what we're giving up in return for the convenience. First and foremost, you give up a lot of control.
What can you do about it? Carefully assess the data you put in the cloud. Don't store highly sensitive data there. Don't store the only copy of your data there; cloud backup is great, because it's there even if a natural disaster wipes out everything at your location, but it's only half the solution. Have a local backup of everything important, in addition to your cloud backup.
Carefully assess the cloud provider(s) you choose to use. Look into their records when it comes to security. Check out what they've published about their security practices and assurances. Do they encrypt data stored on their servers? What type of encryption do they use? Read their Terms of Service and privacy policies. Find out how they handle things such as resetting your password (which ultimately turned out to be the problem in Honan's case). Know what you're getting into.
Finally, understand that no cloud service (and certainly no free cloud service) is going to give you any guarantees about the security of your data. Breaches happen. A little over a year ago, Dropbox dodged a bullet when a bad authentication update opened a hole in the service that would allow anyone to access the data of any user, for a period of about four hours.
#4 General anti-malware
This is a catch-all category, with some tips for protecting your devices from the many different types of attacks that are prevalent today:
- Always apply updates as soon as possible, not just to Windows machines but to all your devices. Run anti-virus and anti-malware software if available for the device.
- Don't jailbreak/root your device. This allows you to install apps that require admin privileges, but it also makes your device more vulnerable.
- Be careful when installing new apps. Read reviews, read the disclosures regarding what access you're giving the app to your data, and consider the source (app store vs. unknown website). Be aware that malware authors may name their apps the same thing as legitimate, trusted apps to trick users into installing them. Avoid apps offered for free that are normally paid apps. Be careful not to be taken in by fake security apps that are really malware; only get antivirus/antimalware apps from legitimate security companies. Don't allow apps to automatically update unless you are sure you trust the app developer.
- Install app locking software on your device to prevent unauthorized access to specific apps that contain sensitive or personal information even if a thief is able to get into the operating system.
- Be careful about visiting unknown websites that could surreptitiously download malware to your device.
- Use the secure versions (https) of websites when you have that option.
- Take the same precautions when reading email on your phone or tablet as when doing so on your computer (don't open attachments, don't click on links), and be aware that SMS text messages can also deliver malware.
- If you use mobile connection sharing apps to allow your laptop or tablet to use the 3G/4G data connection on your phone, monitor the current connections to ensure others aren't connecting to your hotspot. Be sure to use WPA2 to secure your ad hoc wi-fi network.
#5 Personal disaster recovery planning
Even after you take all of the precautions above, you may still be hacked. In the end, it turned out that Honan's predicament wasn't caused by what he did or didn't do, but was the result of social engineering at the Apple tech support end. The lesson to be learned here is that you cannot count on other entities such as service providers to protect you. You can do everything right and still get hacked because someone else fell down on the job. But you don't have to lose everything when it happens, if you've put a personal disaster recovery plan in place.
That means having the ability to track, lock and/or wipe the data on your mobile devices remotely, ensuring that important, hard to replace data and files are backed up to at least two locations, and not using the device for sensitive communications so that if all your preventative measures fail, the consequences will be inconvenience and annoyance, rather than catastrophic.