Nick Hardiman takes a look at the threat landscape of our increasing dependence on the cloud as repository for our data and personal information.
The Internet is the repository for human knowledge in the 21st century. The relentless knowledge capture process has touched us all. If you stick your name into a Google image search, you will probably see many photos of you, mixed in with pictures of random strangers and movie stars.
Knowledge about you - the collection of information about you that has been added to the Internet over the years - is valuable. Protecting this knowledge from abuse by advertisers, vandals and thieves is a work in progress. Many mistakes leak information and create vulnerabilities. If it all goes wrong, multi-factor authentication can lessen the damage.
The case of Wired journalist Mat Honan getting his entire digital life hacked away by a motivated attacker illustrates a worst-case scenario for the rest of us, and even if you're not a high-profile tech journalist with enemies, you could still face a lot of inconvenience, if not more serious consequences, by ignoring some of the basic security measures that ultimately led to Honan's disaster. Some of it was due to social engineering of entities he couldn't control, but he admits, a lot of the damage could have been mitigated if he had followed best practices himself.
Where is the threat?
Damage is not usually caused by maths geniuses typing on clever computers that go bleep. The Lockheed Martin break-in a year ago was clever, but sophisticated criminals like that won't waste their time on us average guys. The damage we suffer is caused by the Internet equivalent of opportunist bag snatchers. If they see an opportunity, they will take it. If that opens up more opportunities, they will take them too.
The greatest risk of eavesdropping on your Internet conversations comes from the bored people who sit next to you, who can see what you left on your unlocked phone, and the patient people trawling the web collecting personal details. The risk is not from gang members wearing boilersuits in computer rooms, tapping into lines. The only people with the resources to record conversations crossing the Internet are government-sponsored, and they are not looking for your trivia.
Personal mistakes lead to information leaks
We rough analog humans don't really fit well with the digital world we have invented. We often use our new tools incorrectly. Remembering multiple logins is a problem so many people use the same password for many services. That's a mistake. My country's domain names all end in UK, not GB. That's a mistake by committee. Exposing your personal life on Twitter and Facebook is a mistake. Reading e-mail over a café's Wi-Fi, tweeting when drunk, and phoning when angry are all mistakes.
Does that matter? Making mistakes is pretty normal. We all do it. What's important is how you deal with your mistakes.
Business mistakes also lead to information leaks
Apple tech support gave a journalist's password to a hacker. Apple is dealing with its mistake by ignoring the people who talk about it. It has however stopped their call centre making password changes for the time being.
That's also pretty normal. Mistakes are not good for business and so are often played down in the business world. Acknowledging a mistake can earn an enterprise a good slapping by the market, so playing down all problems is probably a financially wise choice. The marketplace is not a no-blame culture. When RSA was broken into in March 2011, they kept quiet except for publishing an open letter. When customer information was taken from Citigroup in June 2011 the company kept quiet for weeks. Some break-ins get huge publicity. Comodo certificates were stolen in March 2011, a serious blow for e-commerce. Sony produced a FAQ and refunded customers when PSN and Qriocity suffered the largest identity theft ever in April 2011.
Single and multi-factor authentication
Three factors are used in the world of security to prove you are you.
- One factor: usually something you know, like a password. If you know the password (or can convince a technician to change the password to something you know), you're in.
- Two factor: usually something you know and something you have, like a password and some clever kind of keyfob password generator.
- Three factor: something you know, something you have and something you are. Some laptops and USB sticks have fingerprint scanners built in to uniquely identify you.
AWS and other companies in the business world work with two factor authentication. Customers often use two factor authentication for banking. A bank card for withdrawing cash comes with a PIN (Personal Identification Number), so that's two-factor authentication: something you have and something you know. It's not foolproof: if you use the year of your birth as a PIN and start lying about your age, you still are not well protected.
Minimising damage with unique passwords
Many website accounts are protected by single-factor authentication. When you log into your favourite website, you can see a padlock on your web browser indicating the whole conversation is encrypted and so protected from any evil recording devices in the Internet.
You use one thing to log in - usually a password. That's the single factor. The more you use the same password, the more valuable that password becomes.
A strong password - one that is so weird no-one can remember it - stops the casual hacker and password cracking programs like John the Ripper, but also stops the user doing any work.
A technician can overwrite any password, weak or strong. Password protection has its limits.
Here's a good procedure for managing passwords.
- Install a password manager, like KeePass or RoboForm.
- Figure out a personal password policy that you have a chance of remembering, such as making each password based on your initials, the initials of the website and some unusual characters.
- Take each new password and add it to your password manager.
It takes way more effort than using the same password for everything. The pay-off is the removal of that sinking feeling when you realise a stranger can use your eBay and PayPal accounts.
Minimising damage with multi-factor authentication
Adding in a second and perhaps even a third factor to your password makes abuse less likely, but it's not yet a realistic option for most people. At this point in the Internet's life, multi-factor authentication is limited to only the really, really important areas - banks use it to stop theft, organizations use it to identify their members and some AWS customers use it to protect their business assets.
It's not very popular because it takes time and money for a service provider to set up and for a customer to apply for. Most public sites don't offer it as an option.
Go to the sites that are important to you and search for two-factor authentication. You may get lucky. For instance, Facebook offers Login Approvals - a system using mobile phones for confirmation.In summary,
- All people and all organizations make mistakes, creating opportunities for exploitation.
- Don't link different accounts with the same password. Opportunists are happy to work their advantage.
- Don't use weak passwords. Come up with a memorable scheme for making strong ones.
- People aren't built to remember hundreds of passwords. Use a password manager.
- If you can face the challenge, set up multi-factor authentication. Password protection has its limits.