TDot’s Tips: Tighten up your digital life

Posted by T. Greg Doucette on Jul 16, 2010 in TDot's Tips

Hey everybody :)

Today was another mediation day in court as part of my volunteer work with the ADR Clinic at NCCU Law. My co-mediator and I only had two cases, but they both involved actions seeking protective orders to prevent one party from contacting the other.  The first case involved a lady being harassed by one (or more) of her fiancé’s ex-girlfriends, including being the target of a fake Facebook profile, a fake profile on some dating site, and so on.

The lady being harassed was justifiably upset, and had initiated a criminal investigation along with bringing every piece of documentation she had to the court hearing. But the ex-girlfriend accused of doing the harassment was adamant that she wasn’t involved at all — claiming that in fact another ex-girlfriend was impersonating her.[1] :crack:

The whole hearing was filled with talk of IP addresses, passwords, email accounts and other Computer Science-y stuff.[2] I’m convinced they were both being less-than-honest, but at least they got this particular issue resolved for now.

But given how much of our lives are now online, and how trivially simple it is to compromise our digital security, I thought I’d share a handful of easy tips to help you tighten up your digital life :)

Quick disclaimer: In computing, there’s no such thing as “total” security. Everything can be hacked with enough time, ingenuity, and computational effort — and anyone who tells you otherwise is lying to you ;) Your objective as a user is just to make sure that the time / ingenuity / effort that would have to be spent to compromise your security is worth more to the attacker than the value of what you’re securing.

====================
1) STRENGTHEN YOUR PASSWORDS
====================

Passwords are so ubiquitous online that even non-tech-savvy computer users often have several of them. The problem is that we have so many passwords on so many sites that they’re almost impossible to remember without making them simple, which also makes them easy to compromise.

There are a variety of ways hackers try to break passwords. “Dictionary” attacks use regular words as password guesses. “Brute force” attacks try every possible password combination. “Rainbow tables” are precomputed lookup tables used to recover passwords from a stolen list of password hashes (the scrambled form a site stores instead of the password itself). The list goes on.

You can limit the success of these attacks by making some really simple changes:

  • The longer a password, the better the security. This makes intuitive sense to most people but you’d be surprised by how many folks have passwords of only 6-8 characters. Your password should ideally be twice that long or more, which in turn requires far more effort on the part of hackers to figure it out.
  • NEVER use regular words in your password. Remember those “dictionary” attacks I mentioned? They use dictionaries of common words/names/places (often coupled with numbers) to guess a password. If you’ve only got regular words as your password, odds are good it will be compromised.
  • Use all available character sets. If you’re a user of the Latin alphabet (ISO 8859-1) you typically have 4 groups of characters you can use in fashioning a password: lower-case letters a-z, upper-case letters A-Z, numbers 0-9, and symbols like $ and @. The vast majority of passwords only use one or two of these groups, and that makes them much easier to hack. For example, someone with the 8-character password “thomas08” is only using two groups, so a cracking program only needs to try at most 2.1 billion possible combinations before guessing it correctly (since there are 26+10 possibilities for each character and therefore 36^8 possible passwords). That seems like a lot, but a typical brute force attack using just one computer can guess 30 million passwords every minute. So in the very best case scenario, where the password only gets figured out on the very last guess, this password will be cracked in a little over two months. But slightly tweaking that password to something like “tHom@s08” makes it far more difficult: now all four character groups are used and there are 94 possible options for each character in the password (26 lower-case, 26 upper-case, 10 numbers, 32 symbols) so a hacker needs to try over six quadrillion combinations (94^8 possibilities) — or guessing 30M passwords a minute for roughly 386 years.
  • Don’t re-use passwords across multiple sites. This common-sense principle is also frequently ignored. Password security depends not only on the strength of your password but also on the strength of protection used by the website storing it. If Facebook or Google gets hacked and your password is exposed, far more damage can result if you use that same password at other sites. Whenever possible, use a different password at every site you access to limit the problems caused by a security breach.
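The arithmetic in the bullets above can be carried through in a few lines. This is an added example, not code from the post: it uses the same four character groups (26 + 26 + 10 + 32 = 94) and the same assumed rate of 30 million guesses a minute, and adds one thing the brute-force figures leave out, a tiny constructed word list with a “leet” substitution rule, to show why the second bullet (no regular words) matters as much as the third. The word list, the substitution map, and the 16-character “long enough” threshold (the post’s “twice 6-8 characters or more”) are this example’s assumptions.

```python
import string

# The four character groups the post describes for Latin-alphabet passwords.
GROUPS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}

# Constructed stand-in for the word lists a dictionary attack draws from.
WORDLIST = {"thomas", "password", "letmein", "raleigh", "durham", "mustang"}

# A few substitutions a word-list "mangling rule" undoes: @->a, 0->o, 1->i, 3->e, $->s
LEET = str.maketrans("@013$", "aoies")


def groups_used(password):
    """Names of the character groups the password actually draws from."""
    return {name for name, chars in GROUPS.items() if any(c in chars for c in password)}


def keyspace(password):
    """Worst-case number of brute-force guesses: (alphabet actually used) ** (length).

    All-lowercase plus digits means 36 symbols per position; using all four
    groups raises that to 94.
    """
    alphabet = sum(len(GROUPS[g]) for g in groups_used(password))
    return alphabet ** len(password)


def worst_case_years(password, guesses_per_minute=30_000_000):
    """Time to exhaust the whole keyspace at the post's 30M guesses per minute."""
    minutes = keyspace(password) / guesses_per_minute
    return minutes / (60 * 24 * 365.25)


def dictionary_hits(password, wordlist=WORDLIST):
    """Word-list entries still recognisable after lower-casing and undoing substitutions.

    This is the shortcut the brute-force arithmetic ignores: 'tHom@s08' still
    contains 'thomas' once '@' is read as 'a', so a rules-based dictionary attack
    never has to walk the 94**8 keyspace.
    """
    normalized = password.lower().translate(LEET)
    return sorted(word for word in wordlist if word in normalized)


def assess(password):
    """Summarise a password against the bullets above: length, groups, words, keyspace."""
    return {
        "length": len(password),
        "groups": sorted(groups_used(password)),
        "keyspace": keyspace(password),
        "brute_force_years": round(worst_case_years(password), 2),
        "dictionary_hits": dictionary_hits(password),
        "long_enough": len(password) >= 16,   # assumed threshold: "twice 6-8 characters or more"
    }


if __name__ == "__main__":
    for pw in ("thomas08", "tHom@s08"):
        print(pw, assess(pw))
```

Running it on the post’s two examples gives the 36^8 and 94^8 keyspaces; 36^8 is about 2.8 trillion, which at 30 million guesses a minute is the “little over two months” figure, and 94^8 works out to roughly 386 years. The dictionary check, however, reports “thomas” for both passwords, which is the point: length and character variety defend against brute force, and avoiding real words defends against everything else.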

====================
2) TURN OFF UNUSED SERVICES
====================

Computers are useful even when they’re disconnected from the rest of the world, but the really fun stuff only happens when computers talk to each other. Accessing websites, sharing files, using Bluetooth accessories — each of these options uses a different “service” on your computer, basically opening a tunnel to the outside world through which other computers can communicate with your own.

If you’re not using a specific service, but the service is still turned on, it’s basically the equivalent of leaving a door to your house wide open. Someone may not come in and steal anything… but why take the chance? :P

Turn off all network services you’re not going to use. The exact details of how to turn things off vary greatly depending on your operating system so I’ll skip detailing them here, but a quick Google search on “turn off unused services” will get you results on how to turn things off in Windows XP, Windows Vista, MacOS X and more.
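Before turning services off it helps to know which “doors” are actually open, and which of them face the outside world rather than just your own machine. The following is an added example, not part of the original post: it parses the output layout of the Linux `ss -tuln` command (a constructed sample is embedded so it runs offline; a live run is attempted only when executed directly) and lists every listening service that is bound to a network-reachable address rather than loopback, minus an allowlist of services you know you need. The port-name table and the sample output are constructed for illustration.

```python
import subprocess

# Constructed sample in the layout of `ss -tuln`. Port 631 (printing) listens only
# on loopback, so it is reachable from this machine alone; the rest face the network.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
tcp    LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
tcp    LISTEN  0       128     [::]:5900            [::]:*
udp    UNCONN  0       0       0.0.0.0:5353         0.0.0.0:*
"""

# Small constructed lookup so findings read as service names, not just numbers.
WELL_KNOWN = {
    22: "ssh remote login",
    445: "smb file sharing",
    631: "ipp printing",
    5900: "vnc screen sharing",
    5353: "mdns/bonjour discovery",
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(text):
    """Turn ss-style lines into dicts: proto, bound address, port, loopback-only flag."""
    sockets = []
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)        # handles "[::]:5900" as well as "0.0.0.0:22"
        sockets.append({
            "proto": proto,
            "addr": addr,
            "port": int(port) if port.isdigit() else port,
            "loopback": addr in LOOPBACK or addr.startswith("127."),
        })
    return sockets


def exposed_services(text, allowlist=frozenset()):
    """Services reachable from the network that are not on your list of ones you need.

    Anything returned here is a candidate for the "turn it off" advice above.
    """
    return sorted(
        (s["proto"], s["port"], WELL_KNOWN.get(s["port"], "unknown service"))
        for s in parse_ss(text)
        if not s["loopback"] and s["port"] not in allowlist
    )


def audit_live(allowlist=frozenset()):
    """Run `ss -tuln` if it exists on this system and audit the real output."""
    try:
        out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None                              # not Linux, or ss missing: nothing to audit
    return exposed_services(out, allowlist)


if __name__ == "__main__":
    print("sample:", exposed_services(SAMPLE_SS_OUTPUT, allowlist={22}))
    print("live:", audit_live(allowlist={22}))
```

With ssh allowlisted, the sample reports the file-sharing, screen-sharing and discovery services as exposed and says nothing about printing, because it is bound to 127.0.0.1 and no other computer can reach it. That distinction (listening at all versus listening on an address the outside world can see) is the one to keep in mind when deciding what to switch off.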

====================
3) BOOST YOUR WI-FI ENCRYPTION
====================

Wireless communication is rapidly replacing wired networks as the preferred choice for home and corporate users. Wi-fi networks provide far more flexibility in terms of how and where we can use a network, but that flexibility comes with a significant security tradeoff: electronic eavesdropping by hackers using readily-available software.

To limit the impact of eavesdropping, encryption algorithms have been developed to secure the data being broadcast over a wi-fi network. Unfortunately some of the most widely used algorithms — specifically Wired Equivalent Privacy (or WEP) — are also the weakest. The WEP algorithm is often the first choice presented to a user setting up his/her home router, even though it has been deprecated by the IEEE because it is inherently insecure. Any WEP-protected network can be compromised in 5 minutes or less with publicly-available software :surprised:

And once someone has access to the unencrypted contents of your wi-fi network, they get to see everything being transmitted by your computer (including websites, passwords, account numbers, and so on).

If at all possible, you should be using at least WPA2 security with a key that follows the same strong-password techniques I mentioned in #1 above. Even the most-secure WPA2 network can be compromised, but it will take so much time/effort that all but the most-determined hackers won’t bother to try.
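What “at least WPA2 with a strong key” looks like in a configuration file, and how to check for the WEP default the post warns about, is shown by the following added example (not code from the post). It audits settings written in the key=value style of the hostapd.conf file used by Linux access points: `wep_key0`/`wep_default_key` select WEP, `wpa=2` selects WPA2 only (1 is the original WPA, 3 is mixed mode), and `rsn_pairwise=CCMP` selects the AES cipher rather than TKIP. The two sample configurations and the 16-character passphrase threshold are this example’s constructions; the 8-63 character limit on `wpa_passphrase` is the WPA2-PSK standard’s.

```python
# Constructed "before" configuration: WEP, the first option many setup wizards offer.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
# WEP with a 40-bit key
wep_default_key=0
wep_key0=1234567890
"""

# Constructed "after" configuration: WPA2-PSK only, AES cipher, long mixed passphrase.
GOOD_CONF = """\
interface=wlan0
ssid=HomeNet
# 2 = WPA2 (RSN) only; 1 = original WPA; 3 = mixed WPA/WPA2
wpa=2
wpa_key_mgmt=WPA-PSK
# CCMP is AES; TKIP is the weaker legacy cipher
rsn_pairwise=CCMP
wpa_passphrase=Qz7!vLp2#mR9@kTw4
"""


def parse_conf(text):
    """Read key=value lines, ignoring blanks and '#' comments (hostapd.conf style)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def passphrase_findings(psk):
    """Apply tip #1 to the Wi-Fi key: standard length limits, then strength."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("wpa_passphrase must be 8-63 ASCII characters")
    classes = sum([
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(not c.isalnum() for c in psk),
    ])
    if len(psk) < 16 or classes < 3:     # assumed threshold, following the post's password advice
        findings.append("wpa_passphrase is short or uses few character groups (see tip #1)")
    return findings


def audit_wifi(conf):
    """Return a list of problems; an empty list means 'WPA2-only with a strong key'."""
    findings = []
    uses_wep = any(k.startswith("wep_") for k in conf)
    if uses_wep:
        findings.append("WEP keys configured: deprecated by the IEEE, replace with WPA2")
    wpa = conf.get("wpa")
    if wpa is None:
        if not uses_wep:
            findings.append("no encryption configured at all (open network)")
        return findings                  # nothing WPA-related to check further
    if wpa == "1":
        findings.append("wpa=1 selects original WPA only; use wpa=2")
    elif wpa == "3":
        findings.append("wpa=3 still admits WPA1/TKIP clients; prefer wpa=2")
    if "TKIP" in conf.get("rsn_pairwise", "") or "TKIP" in conf.get("wpa_pairwise", ""):
        findings.append("TKIP cipher allowed; use CCMP (AES) only")
    psk = conf.get("wpa_passphrase")
    if psk is None:
        if "wpa_psk" not in conf:        # raw 256-bit key is the other valid form
            findings.append("wpa=2 set but no wpa_passphrase or wpa_psk given")
    else:
        findings.extend(passphrase_findings(psk))
    return findings


if __name__ == "__main__":
    print("weak:", audit_wifi(parse_conf(WEAK_CONF)))
    print("good:", audit_wifi(parse_conf(GOOD_CONF)))
```

Home routers hide these settings behind a web page rather than a text file, but the same three checks apply when reading that page: WEP selected anywhere, a mode that still admits WPA1 or TKIP, and a passphrase that would fail the tests in #1.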

====================
4) FACEBOOK: LOCK DOWN YOUR PROFILE WITH LISTS
====================

Despite all the outrage regularly heaped on Facebook (not without justification) the social network site deserves some credit for at least trying to have a robust privacy architecture. In addition to being able to restrict access to “Friends” or “Friends of Friends” or “Everyone”, you can also create lists to include whoever you designate — and these lists can, in turn, be used to limit access to parts of your profile.

For example, if you’ve got “friends” on Facebook who you don’t know that well, you can create a list like “People I Don’t Know”, put those folks on it, and then change your privacy settings so no one on that list can see things like your wall or your date of birth or your photo albums.

The reverse also works well: you can block access to sensitive info for everybody (like employers ;) ) and then allow access to selected lists with bona fide friends on them.

The whole process can be tedious and time-consuming, but can be a great help in protecting your identity.

====================
5) FACEBOOK: BE CAREFUL WITH REGIONAL NETWORKS
====================

While we’re on the topic of Facebook privacy settings, many folks join regional location-based networks (“Raleigh/Durham” for instance) without realizing the security implications.

Many of your profile’s security settings are configured by default to allow access to your friends and your networks. But since no email address is required to join a regional network, those settings mean literally anybody can join a regional network that you happen to be in and then see your entire profile, unless and until you lock it down.

I’ve never joined a regional network myself for that reason, but if you decide to join one make sure to adjust your privacy settings to limit what people in your networks can see.

====================
6) BE AWARE OF WHAT YOU SHARE…
====================

People like social networks because of the sense of intimacy they provide, and that in turn tends to create “overshare” — disclosing information that you’d never reveal if you noticed thousands of people were watching (which they typically are on Facebook and elsewhere).

For example, how many of you have your full date of birth (including the year) on your Facebook profile?

If you raised your hand, did you know that in many states someone’s name and full date of birth are the only things needed to access things like their full voter registration profile… which almost always includes a residential address? Most of us would never randomly announce our birthday in a room full of people, but we do it online without thinking. Complete DOBs on Facebook profiles are a stalker’s dream come true.

This and other information gets shared with everybody every day on social networks. Be aware of what information you’re revealing publicly and how it can be used by others.

====================
7) …AND CONFIGURE PASSWORD-CHALLENGE QUESTIONS ACCORDINGLY
====================

Another example of the security implications of overshare: learning the answers to password-challenge questions.

Those of you who paid attention to the 2008 presidential elections may recall that Sarah Palin learned this the hard way. On most websites, if you’ve forgotten your password typically you can answer one or more “challenge questions” that are supposed to have answers only you know. Figure out the answer, and you get access to the password or the ability to create a new password.

One of the most common challenge questions: “what is your mother’s maiden name?”

Seems innocuous enough, until you notice that the vast majority of women on Facebook include their maiden names in their profile, and many of the mothers have their sons/daughters linked to their profile. I actually once fell into this category: I have my mom listed as one of my parents, but she has her maiden name as part of her profile. So because of that I had to go through several websites and change my challenge-response questions.

The same applies to other information as well. A close friend of mine once blew me off when I told him he needed to do a better job securing himself online, insisting to me that his information was secure and that he’d buy me a fifth of vodka if I could hack one of his accounts. The challenge question to access the website for his student loans was “What was the color of your first car?”… and his profile picture on both AIM and Facebook was him standing in front of his ’98 Wolfpack red Mustang.

Needless to say I enjoyed the vodka :D

Go through all of your challenge-response questions on each site you use, and make sure the answers are information that can’t be easily figured out from your publicly-accessible information on Facebook, Twitter, a blog, or any other sites you use. Otherwise you might be unknowingly giving access to your information to anyone who wants it badly enough.

====================
8) SEARCH FOR YOURSELF PERIODICALLY
====================

Don’t hesitate to occasionally do a search on your name to see if anyone is impersonating you or has compromised your information. We can get free copies of our credit reports each year to verify our financial health, but few folks realize they can easily check the internet to detect if their information has been compromised as well.

Besides, odds are good potential employers are going to do a Google search on you as part of their background check anyway. Shouldn’t you already know what they’re going to find? ;)

====================
9) LIMIT WHAT E-COMMERCE INFO YOU STORE ON VENDOR SITES…
====================

Along with your passwords being at the mercy of a website’s security, the same is true for any credit/debit card information you store with a vendor. Stories of vendor databases being hacked and credit cards being revealed are all over Google yet people still choose to store that information on vendor sites for the sake of convenience.

Don’t do it.

I know it’s annoying to go grab your credit/debit card when you want to make an online purchase, especially if it’s a website you use frequently. But the inconvenience that can be caused by your credit card being compromised by hackers is far bigger than the minor inconvenience of entering in a number each time you use it.

If you do choose to store credit card information online, see if your banking institution provides an automatic card number generator. These are slowly becoming more common with banks and essentially let you create a bunch of “temporary” card numbers linked to your real account, with different restrictions on how long they last or how much money can be charged to them. Using these temporary numbers limits the fallout if a vendor’s database gets hacked.

====================
10) …AND MOVE QUICK IF SOMETHING IS WRONG
====================

If, God forbid, you have the misfortune of having your identity stolen — or being harassed by your fiancé’s ex-girlfriends — make sure to move quickly.

Certain information about you is logged every time you do something online. For example, just by reading law:/dev/null or any other blog your computer has shared your IP address (the numeric address designating what computer you’re using to access the site), the browser you’re using, your operating system, and so on. Almost every single site you ever access, especially things like social networks or financial institutions, keeps all this information in case it’s ever needed by law enforcement.

The catch is that a lot of this info is only stored for 30 days. If someone has hacked into your email or your Facebook account or something similar, you’ve got a narrow window of time to notify law enforcement to help catch the people responsible. And if someone has obtained your financial information, usually you have to notify your bank immediately to use any identity theft protection they might offer.

Theft of your personal information is one of those instances where procrastination is a certifiably Really Bad Idea™ ;)

***

Hope y’all find this info useful :) And if you have any computing security tips of your own, feel free to share them in the comments! :D

Postscript: I’d also like to thank professors Sammie Carter and Dr. Annie Antón for their respective Introduction to Computer Security and Privacy Policy, Technology & Law classes at N.C. State. Even though I was among their worst students, I promise I really did learn some things :)

—===—

[1] It was at least a plausible claim, as the criminal investigation had apparently implicated two other ex-girlfriends in addition to the defendant in this case :crack:
[2] It was entertaining watching their reactions when they found out it was my major at NC State.


2 Comments

Aaron Massey
Jul 27, 2010 at 6:43 PM

Just thought I would add a couple of tips to this.

Addendum #1: Don’t worry about writing down your passwords and storing the paper in a secure place (i.e. not anywhere near your computer).

Complex passwords can be hard to remember, but it’s better to have a complex password that’s written down than an easily-guessed password that’s not. Security expert Bruce Schneier has been talking about writing down passwords for years. The same advice applies to password challenge questions.

Addendum #2: Set up a Google Alert for your own name.

You can follow these instructions in just a few minutes and then you’ll be alerted every time you cross Google’s radar.

TDot
Jul 28, 2010 at 12:01 AM

I totally never knew you could set up Google Alerts, that’s hot

Copyright © 2019 law:/dev/null All rights reserved.