The Biggest “Small” Personal Digital Security Mistakes

I recently read a friend’s post about her family’s catastrophic woes dealing with a hacked Apple ID account. Her story was so troubling that it inspired me to remind folks of a few small security things that slip through the cracks in our daily lives and can have a profound impact on our personal digital lives. Even for dedicated IT professionals, there are minor but crucial details that blend into the background of modern life.

Let’s briefly discuss five commonly-forgotten security best practices, and explore the potential real-life impact on our personal security if we neglect to perform them.

  1. Home Router Security

    What It Entails

    Home routers (should) receive security updates just like any other device. Unfortunately, these updates are often not applied automatically, partly because doing so briefly interrupts internet service. Routers also blend into the background of our daily lives – they’re something we don’t notice until there’s a failure or outage. We should be routinely logging into our routers, making sure the administrative password is strong and not the factory default, that the wireless networks are configured as intended (WPA2 or better, with a strong passphrase), that administration from the internet side is turned off unless we deliberately need it, and that any available firmware updates are applied.

    Home routers should also be replaced with newer models once they’re no longer supported and updated by the manufacturer.

    Finally, I highly advise purchasing and installing, behind anything provided to you by your internet service provider, a home router that your family can manage and ultimately replace.

    What Goes Wrong, if we Forget?

    Bad guys and gals know perfectly well that we forget about routers, and that millions upon millions of them are vulnerable around the world. This makes home routers a juicy target for many reasons. For one, they make a good launch platform for Distributed Denial of Service attacks. They also pose a risk during targeted attacks against a household or individual: a router with a weak admin password or missing security updates can be taken over, and any protection it provides can then be circumvented, including by quietly changing its DNS settings so that every device in the house is steered to servers the attacker controls.
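    The checklist above, turned into a small audit you can run against the settings you read off the router’s admin pages. This is an added example, not code from the original post: the field names and both sample configurations are constructed for illustration (real routers name these settings differently), and the one-year firmware-age threshold is an assumption.

```python
"""Audit the security-relevant settings of a home router.

Added example, not code from the original post. It takes the settings you
would read off the router's admin pages (or an exported config) and lists
what to fix. The field names and both sample configurations are
constructed for illustration; real routers name these settings
differently, so map them onto your own model.
"""
from datetime import date

# Constructed: a handful of factory-default or trivially guessed admin
# passwords. A real audit would compare against a much larger list.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root"}

# Assumption: a router that has not seen a firmware update in a year is
# either unmaintained by the owner or no longer supported by the vendor.
MAX_FIRMWARE_AGE_DAYS = 365
ACCEPTED_WIFI_SECURITY = {"WPA2-PSK", "WPA3-SAE"}


def audit_router(cfg, today_iso):
    """Return a list of findings (empty means nothing was flagged).

    today_iso is the audit date as an ISO string, so results are reproducible.
    """
    today = date.fromisoformat(today_iso)
    findings = []

    pw = cfg.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default or trivial word")
    elif len(pw) < 12:
        findings.append("admin password is shorter than 12 characters")

    if cfg.get("remote_management", False):
        findings.append("admin interface is reachable from the internet (WAN side)")
    if cfg.get("upnp", False):
        findings.append("UPnP lets any LAN device open inbound ports on its own")
    if cfg.get("wps", False):
        findings.append("WPS is enabled; its PIN can be brute-forced")

    for wlan in cfg.get("wireless", []):
        ssid = wlan.get("ssid", "?")
        mode = wlan.get("security", "open")
        if mode not in ACCEPTED_WIFI_SECURITY:
            findings.append(f"SSID {ssid!r}: {mode} instead of WPA2/WPA3")
        if len(wlan.get("passphrase", "")) < 12:
            findings.append(f"SSID {ssid!r}: Wi-Fi passphrase shorter than 12 characters")

    if cfg.get("end_of_life", False):
        findings.append("vendor no longer supports this model; replace it")
    fw = cfg.get("firmware_date")
    if fw is None:
        findings.append("firmware date unknown; check the vendor's support page")
    elif (today - date.fromisoformat(fw)).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware dated {fw} is over a year old; update or replace")
    return findings


# Constructed sample: an ISP-supplied router left at its defaults.
WEAK_CONFIG = {
    "admin_password": "admin",
    "remote_management": True,
    "upnp": True,
    "wps": True,
    "wireless": [{"ssid": "HomeWiFi", "security": "WEP", "passphrase": "abc123"}],
    "firmware_date": "2013-06-01",
    "end_of_life": True,
}

# Constructed sample: the same router after working through the checklist.
HARDENED_CONFIG = {
    "admin_password": "correct-horse-battery-staple-9",
    "remote_management": False,
    "upnp": False,
    "wps": False,
    "wireless": [{"ssid": "HomeWiFi", "security": "WPA2-PSK",
                  "passphrase": "rust-harbor-velvet-lantern-42"}],
    "firmware_date": "2016-11-15",
    "end_of_life": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_router(cfg, "2017-01-01") or ["no findings"])
```

    Run it once with your own values filled in; the weak sample produces eight findings, the hardened one none. The UPnP and WPS checks go a little beyond the post’s checklist, but both are settings that silently widen what the router exposes and are worth reviewing on the same visit.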

  2. Multi-Factor Authentication on Email

    What It Entails

    Almost every major global webmail provider provides an option to enable some sort of multi-factor authentication. The first factor of authentication is typically a traditional password or passphrase. The second factor may be in the form of an authenticator app, a physical token (like a YubiKey or smart card), biometrics, or an SMS message code sent to a user during login. This means two (or more) verification steps are required to access an account, instead of one.

    While security experts may debate ad infinitum about which of these factors is the most secure (SMS is generally considered the weakest, since a code sent to a phone number can be intercepted or redirected by an attacker who takes over that number), everyone should be using at least two factors of authentication on his or her personal email accounts. Two-factor authentication is a really small inconvenience in exchange for notably increased deterrence against hacking. Instead of simply stealing or guessing a password, a hacker will have to evade or gain access to the second (or third…) form of required authentication to successfully log into the email account.

    What Goes Wrong, if we Forget?

    Your primary home email is far more integral to your daily life than you may immediately imagine. Consider all of the accounts you’ve registered with it over time. Social media, financial, software, online storage, games, home business, and even dating? The parade of juicy personal information continues.

    It’s very likely, if you were to request to reset the password to one of those accounts, a reset link or code would be sent to the email in question. Consider the control over all of your other accounts that this one email account and its associated password provides.

    Next, recall all the personal and business contacts who are referenced in your email correspondence and address book. It’s quite common for hackers to spread scams and malware by using a trusted email to send malicious or phishing emails to collected contacts.

    Finally, recall all of the sensitive correspondence you might have in your webmail. While I never advise sending sensitive photos or private medical, financial, or tax data via unencrypted email, the unfortunate truth is that the practice is common and sometimes outside our control. Could a bad guy or gal find your social security number, your bank routing number, sensitive medical data, or intimate photos by searching your mailbox? Could this put you at risk of extortion or blackmail?

    The bottom line is that your email is very likely a “key to your kingdom”. In a best case scenario, we should create separate, well-secured email accounts for both correspondence and sensitive account registration. At an absolute minimum, every email account we use should have two-factor authentication configured.

  3. Multi-Factor Authentication on Apple ID and Microsoft Accounts

    What It Entails

    A few years ago, our email accounts alone were the primary point of access to our online presence. This has shifted slightly with an increasing number of popular consumer services in “the cloud” and available by subscription. macOS and Windows now highly encourage the use of their own centralized online accounts to manage computers, software, apps, phones, and tablets.

    Similar to email and social media, our Apple ID accounts and Microsoft accounts allow us to configure two-factor authentication. This will require anyone accessing these accounts to provide a second form of authentication to log into a new device.

    What Goes Wrong, if we Forget?

    Our iTunes accounts may have been created in an era where their sole purpose was purchasing $2 songs, but Apple IDs control far more than that today. Dependent on device settings, an Apple ID may provide the ability to purchase expensive software, access personal photos and videos, remotely track or erase devices, or even make system changes. Indeed, the theft of an Apple ID account can lead to a pretty dire situation in an Apple ecosystem. While enabling two-factor authentication isn’t a silver bullet against a determined attacker, it’s an important deterrent and well worth the time and effort.

    Microsoft was a bit later to the game, as Windows 8 was the first heavily cloud-integrated Windows operating system. However, Microsoft has followed Apple’s lead since then in integrating app purchases, online photo and document storage, and remote device tracking and management into Microsoft accounts. Convenience creates a single target for attackers.

    Treat these accounts as extremely sensitive, and use them only on trusted devices. If your device is stolen or accessed by somebody you don’t trust, change your password immediately on a secure computer, then review the account’s list of signed-in devices and sessions and remove any you don’t recognize; both Apple and Microsoft expose that list in the account settings. Understand that if these credentials are stolen, the thief may have substantial ability to tamper with your devices until their access is revoked.

  4. Facebook Authentication and Privacy

    What It Entails

    Facebook is best known as a social media (and data aggregation) platform, but they provide another popular service we rarely think twice about: Facebook Login. Across the web, Facebook Login has become a popular and sometimes mandatory mechanism for authenticating users to apps, services, and accounts.

    It’s far too easy for me as a security person to make the blanket statement, “never use Facebook Login”. Sites and apps often request far too much personal Facebook profile information with use of the service, and a password manager is far more trustworthy. However, Facebook Login does counter a lot of common security problems such as weak and reused passwords, and poor login security configuration on websites. For now, it legitimately serves a place to reduce poor security practices on the internet.

    If we choose to use Facebook despite significant privacy concerns, we should ensure our accounts are as secure and private as possible. Once again, two-factor authentication should be enabled. We should use a strong password, and restrict the public visibility of our personal information as much as possible.

    What Goes Wrong, if we Forget?

    We discussed some substantial privacy and security concerns regarding our email addresses being linked to more sensitive personal and business accounts. The problems with Facebook Login are similar – while it may provide an increase in security over weak or reused passwords, a hacker gaining access to our Facebook account could be catastrophic. So, increasing our Facebook account security is a must if we choose to use Facebook to log into other services and apps.

    Secondly, there is the matter of the information we share on Facebook. Common account security questions like, “What was your first pet”, and, “What was your high school mascot” are useless if the answer can be relatively easily located on your social media. While we’ll talk a little bit more about security questions in the next section, it’s always a good idea to avoid oversharing with the publicly-facing internet. The internet remembers forever.

  5. Always Lie (On Security Questions)

    What It Entails

    Whether the site wants to know your favorite band or your mother’s maiden name, it’s probably a good idea to make something up. Worried about forgetting your made-up answer? Store it in your password manager.

    What Goes Wrong, if we Forget?

    Password reset questions are an unfortunate relic of the past which are still used all over the internet, and by financial institutions, to verify identity. There are two fundamental problems with this:

    A) The same questions are used (and reused) all over the internet.

    and

    B) The internet is full of interesting facts about our lives which we put there, and that are collected and posted without our permission.

    Not only is it likely that websites you use will eventually be hacked and your security question responses sold on the black market (and the same truthful answer then unlocks every other site that asked the same question), but the most common questions are ones that can be answered with a little hunting and social engineering on the internet.

    It can feel difficult to lie to a formal institution or even to a commercial service about anything, but outside some government forms, there is rarely any law that says you must provide an honest answer to these security questions. It’s best to not tempt fate.
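    The “make something up and store it” advice, as an added example that is not from the original post: the truthful answer to “What was your first pet?” comes from a small set of common names and is often findable, while an invented answer built from random words is neither, and the password manager remembers it for you. The word list is a short constructed sample, and the pool sizes used in the comparison are assumptions for illustration.

```python
"""Invent random security-question answers and keep them in the password manager.

Added example, not code from the original post. A truthful answer such as a
first pet's name is drawn from a small, guessable set and is often
discoverable online; an invented answer built from random words is neither.
The word list below is a short constructed sample, so the numbers it
produces are illustrative; a diceware-style list of 7776 words is the
realistic choice and is what the comparison function assumes.
"""
import math
import secrets

# Constructed sample list; in practice load a large published word list.
WORDS = ["copper", "lantern", "quiet", "orbit", "velvet", "marsh", "ginger",
         "harbor", "pixel", "tundra", "walnut", "zephyr", "basil", "cobalt",
         "dune", "ember"]


def fake_answer(n_words=4, wordlist=WORDS, sep="-"):
    """Random answer from the OS CSPRNG. Whole words keep it readable over the
    phone to a support agent, which is where these questions are often asked."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Bits of entropy in n_words independent picks from a list of that size."""
    return n_words * math.log2(wordlist_size)


def vault_entry(site, question, answer):
    """The note to store next to the site's login in the password manager, so
    the invented answer is retrievable the day a reset is actually needed."""
    return {"site": site, "type": "security-question",
            "question": question, "answer": answer}


def compare_answer_spaces(truthful_pool_size=100, n_words=4, wordlist_size=7776):
    """Rough comparison: a truthful answer guessed from a top-N list of common
    pet names, surnames or mascots versus an invented multi-word answer.
    The pool sizes are assumptions for illustration."""
    return {
        "truthful_bits": math.log2(truthful_pool_size),
        "invented_bits": entropy_bits(n_words, wordlist_size),
    }


if __name__ == "__main__":
    answer = fake_answer()
    print(vault_entry("bank.example", "What was your first pet's name?", answer))
    print(compare_answer_spaces())
```

    With a real 7776-word list, four words give roughly 52 bits, against under 7 bits for an answer that an attacker can guess from a list of the hundred most common pet names, and the invented answer also appears nowhere on your social media.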



Categories: hacking, infosec


5 replies

  1. One other item I would add, if you are using a password manager, is to not use the same username for all your website logins (if possible).

    Especially for bank websites. It’s easy for someone to guess your username and then try to social engineer the bank’s support number to get your password reset.


  2. What does one do, once it’s too late?

    Once your Apple ID is stolen, used to download developer tools, install fake certs, keys & passwords?

    What if you used a Samsung phone, and it was bricked, because you weren’t using an iPhone (see Heimdal)?

    I will punch someone if you suggest a clean install. Or changing my ID.


    • Hi Anastasia,

      Get your pillow ready.

      As I mentioned in the blog, this happened to an acquaintance of mine – ultimately resulting in a period of total remote access to laptops, phones, and tablets associated with the account. Unfortunately, due to the scope of access to the laptop, I did recommend a full reimage. That is usually the response to that level of attacker access in a corporate environment, too. Simply because, given remote access and administrative credentials to a computer for a period of time, it requires actual system forensics to determine everything that was done. I understand that reimaging is a huge PITA, but it’s really the only way to be sure if access to a desktop or laptop was gained. iPhones and iPads (non-jailbroken) are somewhat more resistant to extreme tampering. If it was merely a lightweight Apple device you may be able to get away with carefully going through every installed app – though my firm recommendation is still to reset to factory.

      If you’re in a hospital or something and this is life or death, you could pay a forensics / security consultant to examine the system in lieu of clean install (read: not Geek Squad) – but they may still ultimately recommend a reimage.


  3. Thank you! 🙂


Trackbacks

  1. The Biggest “Small” Personal Digital Security Mistakes – tisiphone.net | Hacker News Info
