Protect yourself before you wreck yourself: 5 security resolutions for 2013
By Meghan Kelly | VentureBeat.com
On Dec. 31, people around the world will share resolutions to lose weight, become more productive, quit smoking, and read more often. But how many of them will resolve to secure themselves online?
We’ve seen cyber-attacks continue to increase in the last few years, and it’s not just the big guys like Google and Dropbox getting attacked. One of the biggest mistakes a company, or person, can make is to assume that they are too small to be a target.
Individuals are at risk, too: Consider the sad example of Mat Honan, the Wired reporter whose iPad, iPhone, and Mac were wiped because a hacker liked his Twitter handle.
But “securing your digital life” probably sounds like a daunting task, so we’ve put together five ways to get you, personally, on the road to a security-conscious state of being.
Hackers are like groundhogs. They like holes. Once they find a hole (or make a hole), they can crawl through your system, leaving backdoors and other points of entry to get back inside. But in order to do that, the hacker has to get in first.
When companies discover holes, it is their responsibility to patch them up and send out an update to their users. We do hear stories of companies such as Adobe being criticized for taking their time to patch known vulnerabilities, but it’s in a company’s best interest to fix the hole, protect its servers, and protect you.
The only problem is that so many people don’t actually update their software. And I don’t just mean the software on Macs or PCs but on phones as well. When you see that little update button come through, whether it’s on your computer or your smartphone, take the time and go through the process.
You can use tools such as Qualys’ BrowserCheck to make sure your browser and related plug-ins are up-to-date. Try it right now; you might be surprised to find that some of your plug-ins are old and insecure.
Your Facebook profile is an identity thief’s goldmine. It has your birth date, oftentimes your full name, your family members (their full names), your hometown, your current town, the schools you went to, your job, any groups you’re a part of, your political stance, your sexual orientation, your relationship status, and your photos. Anyone trying to answer a security question to get access to your bank account could likely find the answer on your Facebook profile.
You need to make sure you know exactly what is on there, and get rid of anything you feel could be used against you. If you’ve got 4,000 photos, go through all of them. If your posts were inappropriate when you first opened up Facebook, delete them. But don’t forget that anything you delete off of Facebook stays on its servers for some time, though the social network will eventually delete it completely.
You should also be aware of its privacy policies. Facebook isn’t necessarily an evil, data-mining, privacy-upending machine. It’s a business that is trying to make money, and your data just so happens to be what it makes money off of. Get acquainted with what the Statement of Rights and Responsibilities and the Data Use Policy say, and “like” Facebook’s Site Governance page. Unfortunately, you’re not going to be able to vote on any of the policy changes anymore, but at least you can get to know them and provide constructive feedback to Facebook when you feel violated.
How many of you have the banking application Mint on your phone but don’t have a PIN or pattern password protecting the phone itself? As Lookout Mobile recently said in a blog post, “Our smartphone knows more about us than perhaps anyone or anything in our lives.”
The Federal Communications Commission recently created a set of simple tips smartphone owners should check out based on the type of smartphone they have, whether that’s iOS, Android, Windows Phone, or even BlackBerry. The tips only scratch the surface of how you can protect your phone, but they put you in a security frame of mind. Check them out and download some of the suggested security apps before 2013 — a year guaranteed to be filled with all new exploits and hacks — gets underway.
But protecting what’s on the phone isn’t always the problem. Sometimes it’s the apps you’ve already downloaded that are taking too much of your information. We saw this early in 2012 when Path, a social app, was found to be siphoning off users’ contacts without permission.
Bitdefender, an antivirus company, created the tool Clueful that tells you what your iOS apps are doing when you aren’t looking. I typed in Angry Birds Free to see what it does. Clueful reports that it tracks my usage, can display ads, could track my location, uses an anonymous identifier, and encrypts stored data. Good to know. If you’re trying to download an app you’re unsure of, however, it’s probably good to do a little more research.
One of the most successful ways hackers get your information is simply by tricking you into giving it up. Sometimes it’s a prince in Nigeria who is desperate to give you $50 million. Other times it’s less obvious, like an email faked to look like it’s coming from LinkedIn but is actually just trying to get your account information. When it comes to these “spoofed” emails, it’s always best to hover over any link in the email before clicking on it, so you can see the link’s true destination. (This only works on a computer with a mouse, not a phone or a tablet, obviously.)
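The hover check above is something you can also automate on the receiving side. The following is an added example, not code from the original article: it parses the links out of a constructed HTML email (the message text, hostnames and addresses are made up for the demo), compares the domain shown in the link text with the domain the `href` actually points to, and flags the mismatches, plain-HTTP destinations and bare IP addresses that spoofed emails tend to use. The `registrable_domain` helper is a deliberate simplification (last two labels) and is noted as such in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "LinkedIn" notification written for this demo.
# The first link shows a linkedin.com URL as its text but points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>You have a new connection request.</p>
<a href="http://linkedin.example-login.test/verify">https://www.linkedin.com/inbox</a>
<a href="https://www.linkedin.com/help">Help Center</a>
<a href="http://203.0.113.9/confirm">Confirm your account</a>
"""

NOT_HTTPS = "destination is not HTTPS"
BARE_IP = "destination is a bare IP address"
DOMAIN_MISMATCH = "link text shows a different domain than the destination"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Simplification for the demo: keep the last two labels. Production code
    # should use the public suffix list so that e.g. "example.co.uk" is handled.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text):
    # Link text such as "https://www.linkedin.com/inbox" or "paypal.com/login".
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def check_link(href, text):
    """Return the list of reasons this link looks suspicious (empty = nothing found)."""
    findings = []
    dest = urlparse(href)
    host = dest.hostname or ""
    if dest.scheme != "https":
        findings.append(NOT_HTTPS)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(BARE_IP)
    if looks_like_url(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            findings.append(DOMAIN_MISMATCH)
    return findings


def audit_email(html):
    """Run check_link over every link; returns [(href, text, findings), ...]."""
    return [(href, text, check_link(href, text)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL_HTML):
        status = "; ".join(findings) if findings else "ok"
        print(f"{text!r} -> {href}: {status}")
```

Only the second link comes back clean; the first is reported for both the plain-HTTP scheme and the domain mismatch, and the third for pointing at a raw IP address. The same mismatch test is what the manual hover reveals, so the script is a reasonable first filter for mail you can't inspect with a mouse.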
You should also be very suspicious if a company is asking you for your username and password. Most companies guarantee that they will never ask you for a password or credit card information via e-mail.
But it’s not just emails that get spoofed. The websites associated with those emails often take a digital polyjuice potion and pretend to be a trustworthy site as well. In order to catch these sites before you enter personal information, F-Secure’s chief research officer Mikko Hypponen suggests using Flag for Chrome or Flagfox for Firefox.
“It’s a handy extension which shows a flag in the URL bar of the browser, indicating the country where the website is hosted. This comes handy in more cases than you’d think,” Hypponen told VentureBeat in an email. “For example, if you follow a link that you think should take you to your bank’s website but the Flag shows the site is hosted in Uganda, you should probably close the tab.”
This is going to be the most painful resolution: knowing where all your accounts are online. You’ve likely set up an account for nearly every website you frequent nowadays. There are the obvious ones like Facebook and Gmail, but how about your favorite retailers, Amazon, Groupon, Gilt, your local newspaper, your blogging platform? The list goes on.
It’s important to know where your accounts are because it’s important to know all the avenues a hacker may take to get your information. Look at Wired reporter Honan. Earlier in 2012, Honan’s iPhone, iPad, and Mac were all wiped after a hacker got into his Amazon account. The information there gave the hacker enough to answer Apple’s security questions and access Honan’s iCloud account. There the hacker held the keys to Honan’s digital kingdom. Cyber-criminals often use a daisy chain to hop from one app to the next until they get to their trophy.
Start with your Gmail inbox and write a list of every website that sends you spam email; you’ve probably got an account on each one.
Once you know where all your accounts are, you should divvy them up into different password categories. At the beginning of my career Dave Marcus, a director at McAfee Labs, suggested the tier system to me. Put your most valuable accounts at the top with unique passwords for each. This should include your bank account, Gmail, and Facebook.
The second tier should have one difficult password for all your semi-important accounts, and the last tier should have one easy password for all the accounts you could probably get rid of anyway.
Right now people are saying that passwords are the bane of Internet security. But no one has found the safest, but still consumer-friendly, way to replace them yet (though companies like OneID think they’ve got the right solution). So, until then you’ll just have to use easy-to-remember but difficult-to-crack passwords such as passphrases. (Think of three random words that mean something to you and put them together, like “dogpeppermintsport,” and you’ll have a workable passphrase.)
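To make the passphrase advice concrete, here is an added example (not from the article or any vendor it mentions) that draws the words with the operating system's cryptographic random source and works out how many bits of guessing work the result represents, so you can compare a three-word passphrase against a short character password. The eight-word list is a constructed stand-in for a real diceware-style list; the 7,776 figure used in the comparison is the size of such a list and is an assumption of the demo, not something the article states.

```python
import math
import secrets

# Constructed demo wordlist. A real list (e.g. a diceware-style list) has
# thousands of entries; the strength numbers below assume 7,776 words.
DEMO_WORDS = ["dog", "peppermint", "sport", "river", "candle", "orbit", "velvet", "anchor"]
ASSUMED_LIST_SIZE = 7776


def entropy_bits(choices_per_position, positions):
    """Bits of entropy when every position is drawn uniformly and independently.

    This is the figure an attacker has to brute-force; it only holds if the
    words (or characters) really were chosen at random, not by association.
    """
    return positions * math.log2(choices_per_position)


def generate_passphrase(words, count=3, sep=""):
    """Pick `count` words with secrets.choice (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_strengths(list_size=ASSUMED_LIST_SIZE):
    """Entropy of a few password shapes, rounded to one decimal place."""
    return {
        "8 random lowercase letters": round(entropy_bits(26, 8), 1),
        "3 random words": round(entropy_bits(list_size, 3), 1),
        "4 random words": round(entropy_bits(list_size, 4), 1),
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(DEMO_WORDS))
    for shape, bits in compare_strengths().items():
        print(f"{shape:28s} {bits:5.1f} bits")
```

Three words from a 7,776-word list (about 38.8 bits) already beat eight random lowercase letters (about 37.6 bits) and are far easier to remember; a fourth word adds another 12.9 bits. The caveat the code comments carry is the one that matters in practice: the estimate assumes the words were drawn at random, so words that "mean something to you" are a usability compromise, not the figure an attacker faces.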
There are tools to keep track of your passwords too, such as 1Password and LastPass, but keep in mind that by using them, you’re putting all your eggs into one basket. While these services might help you remember your passwords, they are themselves protected by — what else — a single password. Eventually everything breaks, so be prepared.
Copyright 2012, VentureBeat