When it comes to modern advancements in tech, many a consumer is leery about trusting what they don’t understand. Or, worse, they don’t understand what may be hidden in the legalese of EULAs. But figuring out how to differentiate the good tech from the exploitative is a topic for another time. I want to warn you that your habits are potentially more harmful to you than anything else you face regularly. I’ve chosen a few simple things that are easy to get wrong. I have also asked a hacker for his insight. I’ve been intentionally basic so we casual users of tech can understand it. Let’s find out what they can teach us about basic online security.
What’s wrong with my P@s$w0r|)?
I know I should have “strong” passwords. I know they should have several characters. And I even know that I shouldn’t reuse them. But adhering to so many strict rules (and each site seems to have its own requirements) is tough! Is it really all that important that I have a unique string of characters that make little sense? How can I remember them all?
JAMES: First, I would recommend a passphrase over traditional complex strings. For example, 11TrunkGoatLucas%# over G2h7W7^aoNrRI0. Without question the random string is more secure than the passphrase; but that is not to say that the passphrase is not more than adequate to meet our needs. However, the random string is nearly unusable without a password manager. Before you begin to question my credentials as a Security Professional due to recommending what could be a mathematically less secure solution, let’s discuss the point of a password. Additionally, I’ll address the entirety of your curiosity. The purpose of a password is to protect your access for a period of time. This plays into why we ask folks to change their passwords every few months in combination with a required expiration time.
Well-designed password policies match expiration periods with required complexity in such a way as to ensure that if passwords are stolen they would be useless to an attacker by the time they were cracked. For example, let’s say that if a 14-character complex password takes 5 months to crack, we would set a policy that passwords must be changed every 3 months. By doing this we can feel confident that if someone had their encrypted password stolen at any time during its use, it would be unlikely that an attacker could crack it and use it for evil before the credentials were changed. Lastly, when you add a second factor of authentication such as Google Authenticator, we raise the bar substantially for attackers.
I often forget to log out of a website.
How big an issue is this? Like I mentioned before, remembering so many passwords is a pain. I prefer to let my browser remember me. It’s frustrating to rekey my login and password every time I want to access some website. Is this bad? I log out if it’s a public computer, or a shared one that someone I don’t trust uses. But other than that, is it really problematic to stay logged in?
JAMES: Great question. First of all, you are absolutely right in that if you are worried about an untrusted person using the same computer as you, you should absolutely sign out of any site or application before physically walking away from the computer.
To understand why this matters for remote attackers we must get a bit technical for just a moment. When you sign into a website you are presenting some form of credentials to that remote website via your web browser. When you successfully “prove” your identity with a username and password the website will issue a token to you. A token, in this case, is really nothing more than a random and unique string of characters that it tells your browser to use as its “badge”. Your browser will continuously send this token, or cookie, to the server with every request. The server checks its records and will match this token to a list of users. This token is valid for a certain amount of time (sometimes days) OR until you log out. Remote attackers are able to steal these tokens through various attacks.
See where this is going? If not, that’s OK! We are here to learn. If you don’t log out, you are extending the period of time that someone could use those stolen credentials and impersonate you. To put this another way, if you logged in and started doing some banking and I was able to steal those credentials, I would be able to use the site and access your bank accounts until you logged out! I would agree this is a low probability—but it does happen. As a low-probability, high-impact scenario, it is certainly worth your time to select the logout button when you are done.
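How the token-and-logout mechanism James describes plays out on the server side, as an added Python example that is not part of the column (the SessionStore class, its method names and the sample timestamps are hypothetical):

```python
"""Added example (not from the column): a minimal server-side session store
showing why a login token stays usable until it expires or the user logs out."""
from __future__ import annotations

import secrets
from typing import Optional


class SessionStore:
    """Maps opaque session tokens to (username, expiry timestamp)."""

    def __init__(self, lifetime_seconds: float):
        self.lifetime = lifetime_seconds
        self._sessions: dict[str, tuple[str, float]] = {}

    def login(self, username: str, now: float) -> str:
        # The "badge": a random, unguessable string the browser resends as a cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.lifetime)
        return token

    def whoami(self, token: str, now: float) -> Optional[str]:
        # Every request carries the token; the server looks it up and checks expiry.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired: treat as logged out
            return None
        return username

    def logout(self, token: str) -> None:
        # Logging out revokes the token server-side, so any copy of it dies with it.
        self._sessions.pop(token, None)


def demo() -> tuple[Optional[str], Optional[str], Optional[str]]:
    store = SessionStore(lifetime_seconds=3 * 24 * 3600)  # multi-day session
    t0 = 1_000_000.0  # constructed clock value
    token = store.login("alice", t0)
    copy_of_token = token  # anyone holding a copy holds an identical badge
    before_logout = store.whoami(copy_of_token, t0 + 3600)     # "alice": still valid
    store.logout(token)
    after_logout = store.whoami(copy_of_token, t0 + 3601)      # None: revoked
    token2 = store.login("alice", t0)
    after_expiry = store.whoami(token2, t0 + 4 * 24 * 3600)    # None: expired, no logout
    return before_logout, after_logout, after_expiry
```

The demo returns the three lookups in order: valid while logged in, invalid right after logout, and invalid once the lifetime has run out even with no logout.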
I’ve heard I shouldn’t have certain apps on my phone.
Facebook. Facebook Messenger. TikTok. Pokémon GO. I’ve even heard that the Bible app can be a security risk. What makes some apps so risky? How can casual users like me identify which apps are potentially harmful without waiting around for someone to give us a warning? I’ve long since removed Facebook and Messenger and, I’ll be honest, using a mobile browser for Facebook leaves a lot to be desired. And forget trying to access your messages without Messenger. Facebook clearly wants its users to have these apps installed on their devices.
JAMES: Applications can be a risk when they take advantage of permissions they are granted. Once an application is on your phone and has permissions to things like your contacts list, it is able to do things like pull back a list of your associates, which can be used for less than ethical means in advertising or outright surveillance. Another example: some apps in the past had access to viewing photos and were shipping those images back to servers outside the control of the user; a creepy scenario to say the least. A telltale sign of mal-intent is when applications want permissions that don’t make sense! For example, let’s say you download an application that simply gives you a “Thought of the Day” and that application asks for permission to access your photos, contacts, and emails.
This doesn’t make sense!!
I would not recommend this application be installed and be allowed to exist on my phone. If you are curious about permissions for an app on an iPhone you would go to Settings and scroll down, way down, to where applications start to get listed. Select the App in question and review the permissions the app has. Feel free to turn them off; sometimes they will break the application and other times they will not. On Android phones, it will tell you at the time of install, and after installation, you can find it by going to Settings > Apps > the app in question. For a more in-depth examination of an application’s practices, it would require a much more detailed forensic analysis.
Wrapping Basic Online Security.
The answer to password security was particularly enlightening. Clearly, circumventing IT’s policy of password changes by updating “ThisIsMyPassword10” to something like “ThisIsMyPassword11” is a terrible idea! I should stop that.
And, as James said, logging out of some sites may only expose you to a small risk. But a small chance of having your bank account hacked is not zero chance. In a previous life, I worked in banking. Trust me, you don’t want someone accessing your banking account. Logging in each time you visit is inconvenient but not nearly so bad as losing your money to thieves. If the attackers manage to also steal your identity…well, you’ll be sorry for your habits and your kids will still wonder what’s for dinner. If I were to draw an analogy, I’d say that you likely lock your doors at night. No reason not to log out of websites and be careful what access you grant to apps.
Thanks, James, for helping a muggle like me understand why these security measures matter. Clearly, our habits hinder or help unethical hackers. We should practice good awareness with online browsing, password management, and what access we grant apps we download to our devices.
One last thing. A note from the author on this column’s featured image. I intentionally chose a stereotypical hacking photo because I want to erode the mystique that hackers tend to be enshrouded with by the layperson. Please, forget the stereotype of hooded hackers maliciously tapping into your computers from their mothers’ basements. These people are at your barbecues, little league games, and weddings. They look like ordinary people. In fact, on the surface, there is often no difference between an unethical hacker and one who keeps them out.