Security Too Hard? Think Globally; Act Locally
Hardly a day goes by that I don’t read the security news and shake my head. One article tells how thousands of records containing personally identifiable information were stolen from Another talks about password disclosures of hundreds of thousands of accounts to popular web services because of commonly exploited vulnerabilities such as weak passwords or SQL injection or cross-site scripting vulnerabilities that allowed criminals easy access into protected systems. Sometimes it feels like I am on a roller coaster that travels the same loop over and over again.
These days securing your information has become increasingly difficult. Not only does it appear in the databases of hundreds of marketers, banks, and online services, but your location, demographic info, and other sensitive details might also be shared without your permission via applications on your mobile device. Prediction: We aren’t far from real-time, location-based marketing. Think Groupon, but instead of an email with a “deal of the day,” try an SMS to your phone advertising daily dinner specials or sales as you drive close to those establishments!
What can we do? I’ll borrow (steal, really) a commonly used phrase: Think globally; act locally. In other words, there is only so much you can do to protect your sensitive information, but you need to do well the things that you can do.
I’m amazed that passwords are still the primary means of authentication for most online services. What amazes me even more is the simplicity of the passwords that people use. Passwords have always been the lowest barrier of entry to stealing information. If they must be so common, we should do all we can to make them more than just a small speed bump on the way to our data. What’s worse is that many people use the same password for every site they visit. This essentially gives criminals single sign-on to every service once they know a single password. According to an analysis posted here, the most commonly used password among the almost 200,000 that were decoded as part of the recent Gawker Media hack was “123456.” This was followed in second and third places by “password” and “12345678,” respectively. (Nice to know some people follow the advice to make their passwords at least eight characters.) If passwords are going to remain commonplace–and there is no reason to believe they won’t be–at least make your passwords difficult to guess. Use combinations of upper- and lowercase letters, numbers, and symbols.
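As an added illustration (not part of the original post), here is a small Python policy check that enforces the advice above: it rejects the three most common passwords from the Gawker analysis, requires at least eight characters, and requires a mix of character classes. The denylist is a constructed stand-in for a real common-password list.

```python
import re
import string

# Constructed denylist: the three most common passwords the post cites from
# the Gawker Media dump. A real deployment would load a far larger list.
COMMON_PASSWORDS = {"123456", "password", "12345678"}

MIN_LENGTH = 8  # the "at least eight characters" advice quoted in the post


def character_classes(password: str) -> set:
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    The checks mirror the post's advice: not a well-known password (compared
    case-insensitively), at least eight characters, and a mix of upper- and
    lowercase letters, digits and symbols. A trivial pattern check catches
    single repeated characters and runs of consecutive digits.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if re.fullmatch(r"(.)\1*", password) or (password and password in "0123456789"):
        problems.append("single repeated character or digit run")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password", "aaaaaaaa", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "ok")
```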
Have you ever taken a look at the history of wireless networks that you connect to? I’ll bet the list is littered with free public WiFi hotspots from McDonald’s or Starbucks as well as airport and hotel networks. Of these public networks, how many incorporate any form of encryption? Few to none. Some of the recent news about browser plug-ins such as Firesheep, which allows data thieves to “sidejack” your session on sites that do not encrypt their login cookies, should be enough to encourage you to always encrypt your wireless traffic, wherever you are. If you have a home server, there are several open-source solutions that allow you to configure your own virtual private network (VPN), and there are several commercial solutions that you can purchase for a few dollars per month that serve the same purpose. Ensure your data is encrypted whenever you are connected to a wireless network. If you don’t, you can bet that someone is watching what you are doing and where you are surfing.
Last but not least, share as little information about yourself as possible. Social media sites, where personal privacy rules appear to have flown out the window, are a gold mine of information for any criminal to use in targeted attacks. Worms such as Koobface have made data compromise easy by using simple social engineering techniques: People click links that lead to malicious websites, which steal their login credentials and send messages to the victims’ friends and followers. Status updates may also be indexed and searchable by some of the most popular search engines. If you’ve posted something or otherwise made it known, someone can find it.
I don’t wish to paint a doom-and-gloom picture. But in spite of what we have learned and the advancements that we have made in security awareness, we have lost sight of the fundamentals–the basis of everything that we know in security. Maybe the concept has become too complicated and causes some people to ignore the problem entirely? I hope that by breaking security into easy-to-understand concepts we’ll pay more attention to it. Right now cybercrime is way too easy for the bad guys–and they know it.
Go here to see the original:
Security Too Hard? Think Globally; Act Locally