Tuesday, August 7, 2012

Episode 22: When the rain from the cloud is just your tears

The tale of Mat Honan's remotely wiped Apple products has now been committed to the lore of the Internet. But this tale, as with any, comes with a proviso that has long been the anchor of the 'superhero' story: "With great power comes great responsibility." Our reliance on technology as the super-hero of our modern life has set us up for spectacular falls, akin to any great fallen-hero story arc.

We have great power in our hands with our smart phones, mobile devices, cloud-enabled hand-held & remote technologies, & yet we wield these powers with little to no real responsibility. Mat Honan originally supposed that his accounts were brute-force attacked (something he later retracted); days later we learned they weren't. He was the victim of social engineering: the attackers rang Apple support & managed to pass through its security protocols due to "Apple's centralised single user account approach."

Blaming Apple is easy, but the fact is we are seeing further centralisation of our online lives, with more & more of our accounts & services being linked together via our Twitter, OpenID or Facebook accounts. Each node we link in this way just increases our vulnerability. With compromises of user databases on the rise, our entire 'digital life' faces compromise from any one of the countless services we interlink.

But that's not even the bigger risk. Publicising information about ourselves in such a carefree manner on social networking sites gives 'hackers' less work to do when they search for information to use against us in a social engineering scam (calling them hackers when we make it this easy for them denigrates those who are 'real' hackers).

The real threat as a result of our digitalisation is not our own personal Twitter, Facebook, LinkedIn, or Tumblr accounts - the real risk is to our employers & our businesses. As we increase the drive towards BYOD, our personal & business accounts become increasingly intermingled, something Honan discovered when his employer, Gizmodo, was caught up in his account compromise & tweets from Gizmodo's account were sent by the hacker.

Very few security breaches today are carried out by brute force. Most are the net result of social engineering or end user stupidity - the breaches of Irish Department of Foreign Affairs systems by people linked to Anonymous earlier this year showed that stupidity really was the over-arching issue, with passwords such as 'Password1', which demonstrated two failures:
  1. A failure culturally within the Department of Foreign Affairs ICT to educate users about the security of ICT systems, & to ensure a clear understanding of the requirement to always operate a 'strong password' policy
  2. A failure of the users themselves to understand that, given the sensitivity of the information they handle where they work, security should always be at the forefront of their thoughts when working within ICT systems
Security breaches are often where 'hacker' opportunism meets 'end user complacency'. I have always maintained that the biggest threat to any business is not external, but at every level inside a business, even more so at executive level. Social networking, as powerful a tool as it is for good, can just as easily be turned against us at a moment's notice.

To protect you from yourself, there are a few simple steps I would recommend & suggest:
  • Every time you "link" a social media account to another account or app, ask yourself "Am I really happy with this connection being made permanently? What's this company's history on security like?"
  • If you authorise an app to link to one of your social networking accounts, regularly review that connection - if you don't find yourself using it often, revoke access until it is absolutely needed again - don't leave authorisations blindly open
  • Who can view your social networking streams? How much information do they reveal about you? Perhaps the only people who should see your streams are those you know, & not the great wide world.
  • Are your personal passwords themed with your work password choices? If they are, address it immediately.
  • Do you save passwords in your browsers, or directly in applications? If so, remove them. Then change your passwords.
  • Is your password comprised of a word with numbers, even with capitals? If so, this is hacker101 from a dictionary list. Even words where letters are replaced with numbers are straight from hacker101; i.e. 'l33t' should ring a bell with most.
  • Do you use the same password for multiple services? If so, this is a rookie mistake, & often how many online gamers' accounts get compromised. Using the same password or variants of it over & over is just putting you one step at a time closer to getting burned. Badly.
  • Ask yourself: can anything I reveal or have revealed on my social networking sites help lead someone to one or more of my passwords? If your answer is 'yes' or 'I'm not sure', you've a problem you need to address.
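The password points above (a dictionary word dressed up with digits or capitals, 'l33t' substitutions, the same word reused or 'themed' across services, and personal details that are public anyway) are exactly the rules a wordlist attack applies first, so they are also easy to check for yourself before an attacker does. The following is an added example written for this post, not code from the post or from any organisation it mentions: a small Python policy checker that undoes case, edge digits/symbols and leet substitutions to recover the 'base word', tests it against a constructed sample wordlist (a real check would load a full cracking dictionary), flags publicly known personal tokens, and groups services whose passwords share a base. The wordlist, the 12-character minimum, the leet table and the sample accounts are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample wordlist; a real check would load a full cracking dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "letmein",
                "admin", "dublin", "leet"}

# Substitutions a wordlist attack tries first (the 'l33t' rule); assumed table.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "+": "t"})

MIN_LENGTH = 12  # assumed policy value, not taken from the post


def candidate_bases(password):
    """Return the 'base words' a cracker would recover from a password by
    undoing case, leading/trailing digits or symbols, and leet substitutions."""
    lowered = password.lower()
    # 'Password1' -> 'password', 'P@ssw0rd!' -> 'p@ssw0rd'
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {stripped,                         # word + decoration
            stripped.translate(LEET_MAP),     # 'p@ssw0rd' -> 'password'
            lowered.translate(LEET_MAP)}      # '1337' -> 'leet'


def assess(password, profile_tokens=()):
    """Return a list of findings for one password (an empty list means it passes).

    profile_tokens: words publicly tied to the user (name, employer, pet ...),
    i.e. what a social networking stream already gives away."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if candidate_bases(password) & COMMON_WORDS:
        findings.append("dictionary word with case/digit/leet decoration")
    lowered = password.lower()
    leaked = {t.lower() for t in profile_tokens if t and t.lower() in lowered}
    if leaked:
        findings.append("contains publicly known personal info: "
                        + ", ".join(sorted(leaked)))
    return findings


def find_reuse(service_passwords):
    """Group services whose passwords share a base word, catching both exact
    reuse and 'themed' variants such as Summer2012!, summer2011, Summer12#."""
    by_base = defaultdict(set)
    for service, pw in service_passwords.items():
        for base in candidate_bases(pw):
            if base:
                by_base[base].add(service)
    return {base: sorted(svcs) for base, svcs in by_base.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed sample accounts for a fictional user.
    profile = ("Mat", "Honan", "Gizmodo")
    accounts = {"twitter": "Summer2012!", "gmail": "summer2011",
                "work": "Summer12#", "bank": "Tr0ub4dor&3"}
    for name, pw in accounts.items():
        print(name, assess(pw, profile) or "ok")
    print("reused/themed:", find_reuse(accounts))
```

Run it as a script to see each sample account's findings and the 'summer' theme shared by three of them; in practice you would feed it your own password list locally, never paste passwords into a web service, and swap the toy wordlist for a real one.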