TRANSCRIPT
Driver’s Ed for the Info Superhighway
Perry Chaffee, VP of Strategy, WWPass
When we get on the information superhighway, too many of us are blissfully unaware of the hazards that
come with seemingly universal internet connectivity. All of us are responsible for protecting ourselves, but
how?
When we get on the actual highway there are plenty of things we’re aware we should and shouldn’t do while
riding in a vehicle as drivers or passengers. When we get online, many potentially dangerous actions often
seem harmless or even routine. Maybe that’s because using a computer, tablet or phone often seems less
dangerous than using a car, but consider this:
Automotive highway vs. information superhighway:

License
  Automotive highway: Required for everyone, and it can be revoked if you break the law or endanger others.
  Information superhighway: Not required or enforceable; it is nearly impossible to stop prior offenders from getting back online.

Insurance
  Automotive highway: Required for everyone, to cover damages which might be caused to others.
  Information superhighway: Not required, and generally doesn't exist.

Registration
  Automotive highway: Required for all vehicles, so owners are accountable for their vehicles.
  Information superhighway: Not required, and generally doesn't exist. It can be difficult to track down the owner of a computer or phone.

Inspection
  Automotive highway: Required for all vehicles, to prove that they meet basic safety requirements and are not a danger to others.
  Information superhighway: Not required. Even if your computer doesn't meet basic safety standards, you can still go online. Worse yet, people can weaponize their computers and networks and get online with you.

Law enforcement
  Automotive highway: Public roads are patrolled by officers whose presence deters criminals from doing things far more consequential than speeding.
  Information superhighway: Because it transcends geographic borders and carries a massive volume of traffic, it is very difficult for law enforcement agencies to police the internet effectively.

Accidents
  Automotive highway: You could total one or more expensive vehicles and cause serious bodily harm or death for yourself and/or others.
  Information superhighway: You could lose your life savings, destroy your credit, lose your home and/or property, lose your job, ruin your reputation, damage personal and family relationships, cost your employer billions, or cause massive damage to, or ruin the lives and reputations of, millions of ordinary people. Though the outcome may not be as immediate or direct as an auto accident, your actions could ultimately lead to death, either for yourself or for others.

Longevity
  Automotive highway: Actions and consequences usually happen in short succession and are reasonably well defined and understood.
  Information superhighway: Information is now far more persistent, even permanent, and can come back to haunt you years after the original event which set the action into motion.
Sources:
https://www.theguardian.com/technology/2016/jul/10/pokemon-go-armed-robbers-dead-body
http://www.dailymail.co.uk/news/article-3208907/The-Ashley-Madison-suicide-Texas-police-chief-takes-life-just-days-email-leaked-cheating-website-hack.html
Indeed, using the information superhighway can be even more dangerous, and it’s important that
the general public begin to recognize that and take action. Here’s where we can start:
1) Self-education & Situational Awareness:
In a recent article on LinkedIn, 19 Security Experts shared their top 3 tips and tricks for anyone to avoid some
of those hazards. Many of them were repeated from one expert to the next. The most common tip could be
summed up as “self-education and situational awareness –beware: trust no one.”
Advice: If terms like phishing, baiting, spoofing, social engineering, sniffing, keystroke logging, or brute-force attacks sound unfamiliar to you, it's definitely worth spending a few minutes on Wikipedia arming yourself (see the sources below).
It’s also important to keep up with the times –especially with social engineering. As long as there’s value
online, people will be trying to find new methods to steal or destroy it.
Sources:
https://www.linkedin.com/pulse/50-internet-security-tips-tricks-from-top-experts-aurelian-neagu
https://en.wikipedia.org/wiki/Security_hacker#Attacks
https://en.wikipedia.org/wiki/Social_engineering_(security)
2) Passwords:
Over half of these experts included advice like "create very strong and complex passwords, change them often, and never, ever reuse a password on another site or account." Since most websites currently use passwords, that advice is applicable in today's world. However, the average person has dozens of accounts, and many have over 100. Keeping track of all those accounts and passwords is not reasonable for most people.
Passwords are fundamentally flawed. "Secure password" is an oxymoron. If it exists, it can be stolen, no matter how strong and complex: phished from you, captured by malware on your device, or taken from the website's database in a breach. If the site stored it badly, it can be cracked offline as well.
Moreover, hackers who have already stolen hundreds of millions of usernames and passwords (and now try them against many totally unrelated accounts, a practice known as credential stuffing) have also stolen lists of answers to various security questions to go with them. This means that, even if you change your password and username on all your accounts, you may still be at risk unless you also do something about the potentially compromised answers to those security questions. Basically, any business or website which isn't using 2 Factor Authentication (2FA) and/or Multi-Factor Authentication (MFA) is putting you at risk.
Lastly, in a significant number of incidents involving compromised credentials, the credentials were not stolen but freely given. Social engineering and phishing are the primary concern, but in many situations it's because the victim was exploited by someone they knew and trusted. Don't give your passwords to anyone.
Advice: Until websites develop an alternate approach, using a password manager is a reasonable way to follow this expert advice. There are several to choose from, but be sure to select one that protects the vault itself with 2FA and/or MFA.
Just keep in mind that password managers can be and have been hacked. They're really a Band-Aid solution for a critical problem. We need a dramatic paradigm shift (and soon!), but at the moment using a password manager is better than nothing at all.
Also, using your browser as a password manager is a bad idea. It might seem convenient to have your browser remember all your passwords, until someone accesses your computer remotely, or simply sits down at it while it's unlocked, and uses that convenience against you.
Sources:
https://www.linkedin.com/pulse/50-internet-security-tips-tricks-from-top-experts-aurelian-neagu
https://www.linkedin.com/pulse/pesky-passwords-keeping-online-data-secure-timothy-robnett
http://www.itsecurityguru.org/2016/06/24/changing-your-password-regularly-wont-fix-the-problem-you-need-to-change-the-entire-password-security-system/
https://en.wikipedia.org/wiki/Password_cracking
https://www.washingtonpost.com/news/capital-business/wp/2016/10/17/one-billion-reasons-why-the-yahoo-cyber-breach-matters/
https://www.schneier.com/blog/archives/2016/07/password_sharin_1.html
http://forum.mensdivorce.com/viewtopic.php?f=2&t=12615
http://www.pcmag.com/article2/0,2817,2407168,00.asp
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
https://www.wwpass.com/weak-passwords-problem-recent-data-breaches-usernames-may-much-bigger-one/
3) Usernames:
According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. That report reviewed 64,199 security incidents, 2,260 of which were confirmed breaches, and almost two-thirds of those breaches came down to credentials: passwords, and usernames. That last part is critical, and almost everyone is overlooking it!
Many of us can probably remember taking a math class where we had to solve an equation for unknown
variables like “x” or “y.” It’s usually way easier to solve problems with only one unknown variable than with
two or more. To a hacker, your password is just a variable. Your username is another variable. If you use the
same username for all your accounts, you’re making it just as convenient for hackers as you are for yourself.
Even if you follow expert advice about passwords, by using the same username for everything, you’re still
vulnerable.
Now consider that many websites use your email address as your username. If a hacker knows your email
address, they probably know your username on half the sites you regularly use. They’ve already solved half
the equation, and unfortunately the other half isn’t too difficult to crack.
Sometimes security questions act as extra variables –but those often ask questions which can be answered
through a little social engineering. Moreover, many of those answers may already have been compromised
through previous breaches like Yahoo.
Advice: Use different usernames for different kinds of accounts. Don’t use the same usernames for banking,
shopping, or social media.
Also use different email addresses for different kinds of accounts. Don’t mix online banking with online
shopping, or social media. This has the added bonus of helping you to stay more organized.
Lastly, use 2 Factor Authentication (2FA) and/or Multi-Factor Authentication (MFA) everywhere possible to
help avoid username & password vulnerabilities.
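The "two unknowns versus one" argument in sections 2 and 3, worked through in code. This is an added example for this guide, not code from the author or from WWPass. The breach dump, the account tables and the authentication log lines are all constructed for illustration (no real site or person is involved); the log format is made up. The first function replays a leaked dump against other sites the way a credential-stuffing attacker does; the second shows what that attack looks like from the defending site's side, where one source trying many different usernames is the tell.

```python
"""Username reuse as half of the attacker's equation, and what the
target site sees.  Added example for this guide, not the author's or
WWPass's code.  All data below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed: a dump from a breached forum, already cracked to plaintext.
LEAKED = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct-horse"),
]

# Constructed: what the same three people use on two unrelated sites.
# site -> {username: password}
SITES = {
    "bank": {
        "alice@example.com": "Summer2016!",          # same username AND password as the dump
        "bob@example.com": "T7#qLm9!zP",             # same username, unique password
        "carol-banking@example.net": "another-one",  # unique username and unique password
    },
    "shop": {
        "alice@example.com": "Summer2016!",
        "bob@example.com": "hunter2",
        "carol@example.com": "Winter2016?",
    },
}


def credential_stuffing(leaked, sites):
    """Replay every leaked (username, password) pair against every site.

    Per site, report accounts whose username the attacker already knows
    ('targetable': one unknown left to solve) and accounts where the leaked
    password also matches ('compromised': nothing left to solve)."""
    report = {}
    for site, accounts in sites.items():
        targetable = sorted(u for u, _ in leaked if u in accounts)
        compromised = sorted(u for u, p in leaked if accounts.get(u) == p)
        report[site] = {"targetable": targetable, "compromised": compromised}
    return report


# Constructed authentication log in a made-up format, as the defending site
# would see it.  A stuffing run is one source trying many *different*
# usernames; a person who mistypes their own password retries the same one.
AUTH_LOG = """\
2016-10-17T10:00:01Z login FAIL user=alice@example.com ip=203.0.113.5
2016-10-17T10:00:02Z login FAIL user=bob@example.com ip=203.0.113.5
2016-10-17T10:00:02Z login FAIL user=carol@example.com ip=203.0.113.5
2016-10-17T10:00:03Z login OK   user=dave@example.com ip=203.0.113.5
2016-10-17T10:05:40Z login FAIL user=alice@example.com ip=198.51.100.7
2016-10-17T10:05:55Z login OK   user=alice@example.com ip=198.51.100.7
"""
LOG_RE = re.compile(r"login\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)")


def stuffing_sources(log_text, min_distinct_users=3):
    """Return {ip: distinct_usernames_tried} for every source that tried at
    least `min_distinct_users` different usernames, success or not."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            users_by_ip[m["ip"]].add(m["user"])
    return {ip: len(users) for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for site, r in credential_stuffing(LEAKED, SITES).items():
        print(f"{site}: targetable={r['targetable']} compromised={r['compromised']}")
    print("stuffing sources:", stuffing_sources(AUTH_LOG))
```

In the constructed data, Carol's separate banking address keeps her bank account off the attacker's list entirely, Bob's unique bank password leaves the attacker one unknown to solve, and Alice's reuse of both hands over every account she has. The threshold in the log check is deliberately low for the tiny sample; on a real site it would be tuned against normal traffic and combined with rate limiting.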
Sources:
http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf
https://en.wikipedia.org/wiki/Password_cracking
4) Privacy
Does your weather app really need access to your camera, photos and microphone? Think about that for a
second. Do you even know what apps on your phone have access to those things? Do you know what those
apps do with that data? How do you know they’re not saving photos you took last night to blackmail you next
year? It might sound paranoid, but how do you know they’re not spying on you?
Moreover, do you really understand what you're giving up when you click that "Login with Facebook" button? As soon as you use it on site XYZ, you've authorised XYZ to pull your profile data from Facebook, and you've told Facebook that you use XYZ, typically including when you log in. Is that a good idea? I guess it all depends on whether or not you want to help a ~$350 billion
publicly traded company spy on you. Many people view oil companies as giant, greedy, evil corporations
while giving Facebook thumbs up as a likeable, friendly, secret-keeper. Earlier this year, Facebook was bigger
than Exxon, and it could get much, much bigger. When oil was first discovered, people thought oil companies
were great… Sure, right now Facebook may not seem like a big evil corporation to many people –but who
knows what it will one day become.
Advice: Demand privacy with all your votes! Demand it at the ballot box! Demand it with your wallet!
Demand it when you decide which apps to download and which services to use! You’re the only one who
cares about your privacy. If you don’t protect it, no one else will. You may not think you’ve got anything to
hide, but millions of victims of identity theft had similar opinions.
Also, assume your electronics are spying on you and look for ways to stop that.
Sources:
http://www.makeuseof.com/tag/how-to-protect-yourself-from-unethical-or-illegal-spying/
http://www.computerworld.com/article/2474851/android/android-google-knows-nearly-every-wi-fi-password-in-the-world.html
http://thenextweb.com/insider/2015/08/15/how-the-government-can-spy-on-you-and-what-you-can-do-about-it/
http://time.com/money/2902134/you-say-youd-give-up-online-convenience-for-privacy-but-youre-lying/
http://fortune.com/2016/02/01/facebook-value-exxon/
http://money.cnn.com/2016/04/28/investing/facebook-trillion-dollar-market-value/
https://www.phone.instantcheckmate.com/dialed-in/ways-hackers-can-use-your-smartphone/
https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point
http://www.vocativ.com/271029/pew-survey-digital-privacy-online/
http://www.bloomberg.com/news/articles/2016-07-20/the-not-crazy-person-s-guide-to-online-privacy
http://www.techtimes.com/articles/161364/20160527/how-to-stop-your-phone-from-spying-on-you-privacy-tips-from-edward-snowden.htm
https://www.theguardian.com/commentisfree/2015/feb/10/six-ways-tech-spying-how-turn-off
5) Single-Sign-On (SSO)
That “Login with Facebook” button –and other equivalents like Google, Twitter, LinkedIn, SalesForce all
provide the capability of signing onto all your accounts by signing on to just one account.
That’s a very convenient thing for a hacker to be able to do. Before people started using those methods to
login, hackers could potentially need to steal or crack multiple passwords to get access to all your accounts.
By using the wrong SSO provider, you’ve done them a favor I’m confident they’ll return in kind.
SSO is convenient, and with the right provider it can also be secure. However, unless the SSO provider is
using 2FA and/or MFA, you’re creating a new vulnerability for someone else to exploit.
Right now the Facebook login asks for a username and password –but even their CEO can’t keep his safe. If
Mark Zuckerberg had his credentials stolen, what makes you want to trust Facebook with all of yours?
Advice: Using a password manager is better than using popular social media sites for SSO. If you’re going to
use SSO, make sure that a non-SMS based 2FA and/or MFA is a part of that process.
Sources:
http://www.computerworld.com/article/2989143/security/the-perils-of-single-sign-on.html
https://www.theguardian.com/technology/2016/jun/06/mark-zuckerberg-hacked-on-twitter-and-pinterest
6) Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
Don’t let the big words scare you –there are many ways you already do this.
Authentication is the way we determine someone is who they claim to be. There are many ways to do this,
but they all fall into one of three categories:
(1) Something you have – ID/Credit/Debit Card, Phone with Software Token, Hardware Token, etc.
(2) Something you know – Username, Password, PIN, Security Question, etc.
(3) Something you are – Biometrics, Fingerprint, Retina Pattern, Voice, DNA, etc.
Websites that only require a username and password are only using one factor –and that’s not secure. Adding
additional factors can improve security if done correctly.
First, it’s important to learn the difference between two-factor authentication (2FA) and two-step
authentication (2SA). Many companies intentionally try to confuse the two in order to provide a greater
sense of security. Two-factor requires something from two of the categories above while two-step only
requires different things from the same category but breaks them into separate steps, possibly on separate
pages.
If your bank required you to log in by inserting your debit card into a reader and then asked for your PIN, that would be 2FA. However, if they merely ask you for a username and password, then ask a security question on the following page, that's just two-step authentication. With 2FA, a hacker would need your physical card as well as your PIN to get in. With 2SA, they only need to guess or steal your username, password and security answers, all of which are things you know, and all of which turn up in breach dumps.
Second, many sites presently use text messages as a 2nd factor, but the National Institute of Standards and Technology (NIST) recently deprecated that practice in the draft of its Digital Authentication Guideline (SP 800-63B): an SMS code can be intercepted, redirected by a SIM-swap, or read off a stolen phone's lock screen. Among those presently using SMS as a 2nd Factor:
Third, many authentication tools are built on the same username and password system they're intended to help fix. It's another Band-Aid solution for a critical problem. The YubiKey, in its original one-time-password mode, is a good example: every code it emits begins with a fixed public identifier for that key, so the key acts as a hardware-bound username plus a one-time code, layered on top of the site's existing username and password rather than replacing them.
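What "two factors, checked together" looks like on the server, as an added example for this guide (not the author's or WWPass's code): a password (something you know) and a time-based one-time code from an authenticator app (something you have) must both verify in the same request, and a code, once used, is burned so that a phisher who captures it cannot replay it. The user record, the salt and the shared secret are constructed for illustration; the secret is the RFC 6238 test-vector secret, so the printed codes can be checked against the RFC. The code algorithm itself is standard TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what Google Authenticator-style apps implement.

```python
"""Two factors, not two steps: password + TOTP code verified together.
Added example for this guide, not the author's or WWPass's code.  The
user record, salt and secret are constructed; TOTP per RFC 6238."""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per TOTP counter value
DIGITS = 6
SALT = b"constructed-salt-not-for-real-use"   # constructed; use a random per-user salt in practice


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the big-endian time counter, dynamically
    truncated (RFC 4226) to a zero-padded decimal code."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def hash_password(password: str) -> bytes:
    # Slow, salted hash so a stolen database does not yield plaintexts cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: the site stores the password hash, the shared
    TOTP secret, and the last counter it accepted (replay guard)."""
    return {"pw_hash": hash_password(password), "totp_secret": totp_secret, "last_counter": -1}


def login(user: dict, password: str, code: str, now=None, window: int = 1) -> bool:
    """Succeed only if BOTH factors verify.

    The code is accepted for the current 30-second step and `window` steps
    either side (clock drift), but never for a counter already used, so a
    captured code cannot be replayed after the victim has used it."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])

    counter = now // STEP
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        expected = totp(user["totp_secret"], c * STEP)
        if c > user["last_counter"] and hmac.compare_digest(expected, code):
            matched = c
    code_ok = matched is not None

    if pw_ok and code_ok:
        user["last_counter"] = matched   # burn the code
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test-vector secret
    u = make_user("correct horse battery staple", secret)
    print(totp(secret, 59))                                            # 287082 per RFC 6238
    print(login(u, "correct horse battery staple", "287082", now=59))  # True
    print(login(u, "correct horse battery staple", "287082", now=59, window=0))  # False: replayed
```

Note that both checks always run and the result is combined at the end; a server that rejects on the password alone tells the attacker which factor failed. Contrast the security-question flow described above: everything it asks for is knowledge, so nothing in it changes when the attacker already holds a breach dump.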
Advice: Use strong 2FA and/or MFA everywhere possible. If you’re using a website or service that doesn’t
have MFA, take a minute to contact them and recommend that they start using one. Organizations often
adapt what they’re doing based on user feedback, but they’ll never know what you don’t tell them. I’ll make it
even easier for you –just copy & paste this into your message:
“Hi there,
I like your website and think what your organization does is awesome. I’d like to think you care about my
security and privacy just as much as you care about winning my business. However, I feel unsafe using your
site because you use obsolete security measures like a username & password, and don’t offer any form of 2
Factor Authentication (2FA) or Multi-Factor Authentication (MFA) to protect users like me. Many huge,
prominent companies are being hacked because they’re not doing enough to protect us, but I’m hoping
you’re an exception. Please let me know when I can start using MFA to sign on to your site.
Thanks!
-Concerned User”
Sources:
https://en.wikipedia.org/wiki/Authentication
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/
https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920/
http://www.pcworld.com/article/2036252/how-to-set-up-two-factor-authentication-for-facebook-google-microsoft-and-more.html
7) Software Updates
They're annoying, but there are plenty of even more annoying things. Sure, you might need to restart your computer or put your phone down for a few minutes, but if you put off important updates long enough, a hacker might turn your device into a useless brick and create plenty of other problems for you.
Think of it like getting your car an oil change or putting air in the tires. Of course there are other things you’d
prefer to do with your time. Once you’ve had the experience of waiting for a tow truck on the side of the
highway, I think you’ll agree that the keeping your car maintained wasn’t as inconvenient as you thought.
Now apply this perspective to all your electronics.
Advice: Check for software updates regularly and install them as soon as possible after they’re available.
Those updates often patch critical vulnerabilities so the longer you wait, the longer you’re at risk.
Sources:
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=tw&name=Gateways+to+Infection%3A+Exploiting+Software+Vulnerabilities
8) What you don’t know will kill you…
Most people, if they found a piece of candy on the street, wouldn't pick it up and eat it. That's pretty gross and possibly dangerous. But you'd be amazed how many people are happy to plug an unknown thumb drive or CD into their computer. Trust me, doing that is an excellent way to have a very bad day. The same goes for some of these other common practices:
- Connecting to Wi-Fi when you aren't absolutely certain who is providing it. Even if you think you know, it's easy for an attacker to set up an "evil twin" network carrying the same name as one you trust, so be careful. Don't allow your phone or computer to automatically connect to anything but your trusted home/work network.
- Downloading the photos and attachments from emails when you don't know and trust the sender. Actually, even if you do know the sender, those files could still carry malware, because the sender's own account may be compromised. If it's suspicious, call and ask them what it is first. Use an endpoint security solution like anti-virus to scan the attachment before opening it. Better yet, use a tool like Bromium to spin up a micro virtual machine (VM) and open the file inside it. If the file is malicious, it can either destroy your computer or a VM that you can simply close; your choice.
- Clicking a link "your bank" sent you and giving your credentials to a spoofed site. If your bank sent you a link, don't click on it. Open your browser, go to their website manually, log in, and navigate to whatever it is they want you to see. If your bank calls you to notify you of identity theft, tell them you'll call them right back, then go to their website, look up their help desk number and call that.
- Leaving NFC turned on when you're not using it.
- Leaving Bluetooth turned on when you're not using it.
Also: when you're not using your webcam, cover it up. When you're not using the USB ports on your computer, physically block them. Physical security is a thing. Try never to step away from your computer or phone in a public place. If you absolutely must, make sure that:
- You've locked it or (better yet) turned it completely off, and
- Someone you know and trust is physically there watching it until you get back.
Advice: Doing all these things is not paranoia; it is "common" sense.
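Why "open your browser and go there yourself" beats clicking the link: the visible text of a link, its real destination and the way its host name is spelled can all disagree. The checker below is an added example for this guide, not the author's or WWPass's code; the message body and the bank's domain are constructed for illustration. It flags three things a phishing e-mail relies on a reader not noticing: link text that shows one address while the href points elsewhere, the bank's real name buried inside a domain somebody else controls, and Punycode (`xn--`) hosts that render as look-alike characters.

```python
"""Flag e-mail links whose visible text, host or spelling should stop you
clicking.  Added example for this guide, not the author's or WWPass's
code.  The sample message and trusted domain are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"bank.example"}   # constructed: the bank's real registrable domain


def registrable(host: str) -> str:
    """Crude: last two labels.  Production code should use the Public Suffix
    List so that names like 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted=TRUSTED):
    """Return [(href, [reasons])] for links a careful reader should not click."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        # Punycode label: the browser will show it as Unicode, often a look-alike.
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host, possible look-alike domain")
        # 'bank.example.secure-login.evil' is owned by whoever owns 'secure-login.evil'.
        if registrable(host) not in trusted and any(t in host for t in trusted):
            reasons.append("trusted name buried inside an untrusted domain")
        # Visible text looks like a URL: does it point where it says?
        if "://" in text or text.lower().startswith("www."):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed phishing-style message: one clean link and two bad ones.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p><a href="https://www.bank.example/alerts">View your alert</a> or
<a href="http://bank.example.secure-login.evil/verify">https://www.bank.example/login</a>.</p>
<p>Questions? <a href="http://xn--bnk-example.com/help">Click here</a>.</p>
"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(why))
```

Only the first link in the sample survives the checks, and it is exactly the one you would reach by typing the bank's address yourself; which is the point of the advice above. A mail client cannot catch every trick (a freshly registered domain with no resemblance to the bank's passes all three tests), so the habit of never navigating from the e-mail is still the real defence.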
Sources:
http://miami.cbslocal.com/2014/09/23/how-hackers-are-using-free-wi-fi-to-hack-your-phone/
http://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/
https://www.theguardian.com/technology/2016/jun/22/mark-zuckerberg-tape-webcam-microphone-facebook
9) Mitigate Offline Risks
Each year direct mailing companies turn whole forests into junk mail to fill recycling bins and trash cans around the world. Dumpster diving is a classic way to gather the raw material for identity theft and social engineering, but if you move and don't update your address, the person who shows up behind you won't even need to go to that extreme.
If you’d like to save a tree somewhere and simultaneously prevent someone from opening up credit cards or
taking out loans in your name, you might want to turn off the steady flow of junk mail that floods your
physical inbox.
Stealing someone’s online identity is like a solving a puzzle where each piece is a variable. The more variables
you give away, the easier you make it for them. The junk mail that goes to your physical mailbox can cause
just as many problems as some of the files attached to the spam that goes to your online inbox.
Advice: Update your address with USPS, your banks, employers, healthcare providers, and any other
important accounts every time you move.
Sign up for electronic delivery everywhere possible.
Opt out of senseless tree-murder.
Make sure anything sensitive goes through a shredder on its way to the recycle bin.
Sources:
https://moversguide.usps.com/icoa/home/icoa-main-flow.do?execution=e1s1&_flowId=icoa-main-flow
https://www.consumer.ftc.gov/articles/0262-stopping-unsolicited-mail-phone-calls-and-email
10) Drive only one vehicle at a time
Distracted-driving crashes killed about 3,179 Americans and injured about 431,000 more in 2014, and the phone is the distraction most of us carry. Phones are dangerous. To put that in perspective, guns injured and killed a combined total of 35,626 Americans during that same time. Guns are obviously deadly, but phones are deadly too.
Put your phone down when you’re driving.
The internet is everywhere, data is everywhere, and satellites are spinning around in the sky beaming all the
things everywhere all the time. The Matrix is real, and your phone is connected to it. Remember that, and
don’t let the Matrix kill you.
There is literally nothing that can come from the little electronic box you carry around with you all day that is
worth endangering your life or the lives of others.
Trying to drive on the information superhighway while also trying to drive on the actual highway is more
dangerous than pretty much all of the stuff on this list combined. We often tend to worry about things that
are unlikely to happen to us and ignore the things that are much more likely. If you ignore everything else on
this list, at least do us all a favor and put your phone down while you drive.
Also remember that your body is a vehicle too –don’t forget to look where you’re walking. In 2014, over 3,500
emergency room visits were due to “deadwalkers.” Moreover, many criminals target people who are
distracted with their phones. Recently some even used Pokémon Go to lure victims into a trap.
Last week I watched someone cross a busy intersection on a bicycle, without a helmet, going the wrong way
in traffic, and while typing something on his phone. Don’t be that guy.
Advice: Identify the most important/dangerous thing you’re doing at any given moment and focus on that.
Don’t try to multi-task. If the text/email is really that important, then pull over and stop to focus on it. Watch
where you walk and pay attention to the world around you –the cyber world can be a dangerous place, but so
is the one you physically live in.
Sources:
http://www.distraction.gov/stats-research-laws/facts-and-statistics.html
http://www.huffingtonpost.com/2015/06/08/dangers-of-texting-and-driving-statistics_n_7537710.html
http://www.gunviolencearchive.org/tolls/2014
http://www.textinganddrivingsafety.com/texting-and-driving-stats
http://listverse.com/2015/03/23/10-common-things-that-are-far-more-dangerous-than-the-things-you-actually-fear/
http://www.healthline.com/health-news/tech-texting-while-walking-causes-accidents-031014#1
http://www.wsj.com/articles/texting-while-walking-isnt-funny-anymore-1455734501
https://www.washingtonpost.com/local/trafficandcommuting/eyes-down-minds-elsewhere-deadwalkers-are-among-us/2015/09/27/a3ad1da2-51bb-11e5-8c19-0b6825aa4a3a_story.html
https://www.bu.edu/today/2010/cell-phones-a-dangerous-distraction-at-night/
https://www.theguardian.com/technology/2016/jul/10/pokemon-go-armed-robbers-dead-body
About the Author:
Perry Chaffee is the VP of Strategy for WWPass, a cybersecurity firm specializing in Identity Access Management and Advanced Multi-Factor Authentication designed to improve security by eliminating Human Readable Credentials. Contact him today if you'd like to learn more.