Giving Up Bad Security Habits

Giving Up Bad Security Habits Brian Scriber

Brian Scriber
Distinguished Technologist and VP of Security & Privacy Technologies

Feb 18, 2016

During the season of Lent in my upbringing meant I was going to be giving something up. This year, instead of giving something up, I have decided to help those around me clean up their security and suggest you help a friend in turn.  Statistics show that you probably know someone who could use a hand modifying their most egregious electronic security habits - maybe we should term it "insecurity habits."  None of us are perfect but these three initial steps will help your friend.

1. Passwords

My favorite place to start!

  • Stop using the same password for every website and app. Yes, it's 2016, but I have just recently had a site send me my plaintext password when I tried to reset it.  That means that site is not storing it in hashed form and it means they are vulnerable to breach - along with everyone with an account on their site.  Should a hacker obtain one of your passwords, they will now be able to access multiple sites.
  • Use a password manager.  Your friend will have to remember one more quality password, but that's it.  Suggest to your friend that they pick one that can be installed on a smartphone and with strong encryption (e.g. AES 256).  Keep private information in this tool - don't keep your passport and social security numbers in notes since those records need to be secured.  Usually the password manager has a couple of extra fields for each account, these can be used to store the answers to the challenge questions like "What is your mother's maiden name?"
  • Use Strong passwords.  It's easy to remember, but password1 and similar others are easy to hit when running a password cracker.  Your friend has a password manager now, have it generate the passwords – this automation of a task actually takes one step out of the password dance.
  • Insist on two factor authentication.  When your friend uses critical accounts, including e-mail, (where do you think banks send the password reset links?), they should be requiring a code to be texted to their cell phone.  If they ever get a text when not logging into their account, they will know they have been attacked, if not compromised.

2. Mobile devices

Ten years ago this covered laptop computers and maybe a Palm Pilot, now it means so much more.  Your friend's fitness watch, even after pairing, is likely still broadcasting its identity in its communication - this is interesting because it means your friend can be tracked as he travels through the mall, or in a grocery store, even aggregating data from multiple sources to further profile them.  We can't stop everything, but there are a couple steps your friend can take here too.

  • Ask about security when purchasing devices. This serves a few purposes. First, it informs you about what the manufacturer is claiming - this is important for your friend's education now, and in the future he or she may need to show that the claim of security was made in a way that was communicated clearly. The second purpose is to have all of us drive the market. By asking salespeople about security features, it provides feedback that they in turn use to inform their wholesale representatives and provide retail reordering criteria. This information absolutely makes it back to the marketing departments, which in turn helps fund engineering efforts to protect all of us.
  • Update the operating system and firmware on devices. This is more important than most people realize. When a device has an old version of firmware, especially one that can be identified, that device is going to be targeted. There are suites of tools that can be used to attack once the operating system or firmware is known. Your friend may think “what do I have to hide?” but the truth of that is their identity, access to their device, access to their communications, access to their home in cases of physical security devices and access to their financial institutions are all at risk, and what they don’t know can hurt them.
  • Don't plug into USB charging ports directly.  USB Cables carry both power and data; it's the latter your friend needs to be concerned with. It may look convenient to plug into the USB port on the wall, or in the seat-back console ahead of you on the airplane, but you’re plugging into a black box that could be compromised or the port could be accessible to other networked devices. Once you plug your device in directly, brute force attacks are much easier. Use the power adapter for wall sockets, or find a device that lets you plug the USB into an adapter that strips the data lines off the USB and allows only power to pass through.
  • Set a strong access code. Just like passwords, above, your friend’s device shouldn’t have a password like 1234 or 1111. Convince them to use an alphanumeric code or complicated gesture. Particularly if their device has a biometric reader like a fingerprint scanner, there’s no reason for them to not have a password that is more difficult to guess.

3. Vigilance

Some of this may seem like common sense, but I can assure you and your friend that I continue to come across examples where simple social inertia (“that’s the way we’ve always done it”) plays a strong role in how we interact with each other. Take the fax machine as an example. Faxes are not secure. Healthcare providers need to stop using technology from the 1990s to transfer our “protected” health information.

  • Emailing important documents. In 2015 I went through a refinance of my home. During that process critical documents were emailed to me either in plain text or as unencrypted attachments. The expectation was that I was going to review them, complete them, sign them, scan them, and send them back via email. When I pointed out the problem, I was told that they receive thousands of documents this way and that the IT department said it was okay. It’s not okay. The underlying protocol for email can leave copies of your friend’s email on servers along the route and those copies can fall into the wrong hands. Additionally, if your friend’s email account is ever compromised, those documents in the Sent folder will be scanned in the search for financial data. Instead of emailing, have your friend ask the other party for a secure portal where you can upload the documents.
  • Social engineering and phishing. It is disappointing that we use cute terms like these for what’s really happening: fraud. Remind your friend to be alert when called on the phone to not give out confidential information such as whether or not they are at home or the names of their direct reports. When your friend receives an email with a link – especially from the bank, never click on the link. Instead, your friend should go to the bank site directly from a bookmark or typed into the navigation bar (even if the email link appears safe, it may have a URL with letters that look similar to our alphabet but actually use alternate languages/encodings to appear valid). Your friend should be aware to whom they are providing what information, and how do they know to whom they are speaking.
  • Storing credit cards. Simply put, strongly suggest that your friend not do this. It’s super convenient to not type it in, but your friend needs to know that if their account with that merchant is ever compromised, the attackers can change the ship-to address and order goods or services with the stored payment information. If your friend didn’t follow your advice, and kept the same password for multiple sites, they could also be vulnerable when one site gets compromised
  • Question the need for sharing data. This last awareness step is one of those things that we have all probably questioned, but we need to do it more. The company from which I’m buying a sweatshirt doesn’t need me to create an account for that transaction. If I do create an account, I’m certainly not going to provide answers to all of the challenge questions. They don’t need to know most of the information they are asking. Encourage your friend to push back whenever possible or to provide answers that don’t compromise confidentiality. This goes beyond online forms and includes merchants that want to know your friend’s zip code, phone number or email address. That data needs be shared only if your friend wants to communicate with the merchant.

Now that you’ve looked at these recommendations for your friend, maybe there were a couple things that stuck for you as well. Don’t forget to forward these suggestions to your friend so that you may help them out this year.

Brian Scriber is a security architect with CableLabs focusing on cryptography and security for the Internet of Things – he researches things like thermostats that can talk refrigerators into sharing usage data and joining their botnet. Follow Brian on Twitter.