There was a fair bit of talk last week about a study that compared security advice from security experts versus security advice from people who are at least somewhat interested but don’t live and breathe this stuff.
There were significant differences in the answers, and a lot of security professionals panned the non-expert advice. I don’t think the non-expert advice was necessarily bad. Mostly it was out of date.
Continue reading Five things security experts do vs. five things non-experts do
One of my college buddies (Hi Christian!) shared my previous post on Facebook, pointing out that I’m a long-suffering Royals fan in Cardinals country, and adding that what I said was balanced and dispassionate.
I’m normally anything but dispassionate. But in this case, it’s not a baseball matter–it’s a business matter, and neither my employer nor any past employer is involved, so it’s easy to be detached and dispassionate. I guess you can say my take on hacking has changed. I was going to say “evolved,” but “changed” is more dispassionate.
Continue reading Final thoughts on the Houston Astros’ database
Over the weekend I installed the All-in-One WP Security and Firewall plugin to fix another issue–more on that tomorrow–and I ended up breaking my site. Hopefully I fixed it to a better state than it started in.
The lesson, as with many security tools, is to proceed with caution.
Continue reading All-in-One WP Security and Firewall plugin can be spectacular, but be careful
Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.
I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.
Continue reading Worried about the wrong things? It’s always the wrong thing.
So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.
Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.
Continue reading Don’t e-mail yourself a list of all your passwords and bank account numbers to yourself from work
I was talking breaches last week when a very high-up joined the conversation in mid-stream.
“Start over, Dave.”
“OK. I’m talking about breaches.”
“I know what you’re talking about,” he said, knowingly and very clearly interested.
Continue reading You’re telling me someone gave a stranger his password?
This week, numerous celebrities, mostly female, had their Apple accounts hacked and intimate photos stolen and leaked. There are several things we all need to learn from this.
We don’t know yet exactly what happened, though I’ve heard several theories. One possibility is that the celebrities’ accounts were hacked recently. Another is that someone who’s been collecting these photos through various means was hacked.
The incident probably was inevitable, but it’s also entirely preventable. I can think of three things that led to it. While this discussion may seem purely academic, there are misconceptions many people, famous and not, have and need to get rid of.
Continue reading This week’s photo leak is a reminder of the need for good passwords
On Slashdot, a newcomer to the IT field asked a really good question: What do you do to avoid seeing things you’re not supposed to see?
Clearly, some people do it better than others, but it seems to me it’s a fact of life that eventually you will see things you’re not supposed to see. How you handle it is the bigger problem. Continue reading IT personnel and knowing things they aren’t supposed to know
I’ve seen a lot of bad password advice lately. Guessing passwords is just too easy for a computer to do, especially as they get more and more powerful.
Formulas are bad, but unavoidable, so here’s what I recommend if you’re not going to use a password manager creating completely random passwords: Unverifiable (or difficult to verify) facts. Things like what house you lived in in 2001 and what you paid for it. Better yet, your favorite baseball card and what you paid for it. Or maybe the address and phone number of your favorite long-gone pizza or BBQ joint. Think along those lines.
T206Wagner$0.50 was a reasonably good password before I published it here (you paid 50 cents for one at a garage sale! Right?) only because it contains an unverifiable fact. I guarantee T206Wagner$1M (the value of the most valuable baseball card in existence) is in all the password lists these days.
This isn’t especially great advice, but it’s something that there’s half a chance people will be willing to follow, and it pretty much forces passwords to have a nice mix of character types and to be at least 12-16 characters long. I don’t think it forces enough non-alphanumeric characters, or a wide enough variety of them, but left to choice most people won’t put any of them in. It would become lousy advice if very many people chose to follow it, but I know few will, and most people will continue to use the weakest passwords a site allows, so it’s adequate for a while.
The most important thing is to make it personal. What I paid for favorite baseball cards is easy for me to remember. If you never collected baseball cards, think of something along those lines that’s easy for you to remember, with a spin that’s hard for someone else, computer or otherwise, to guess.
Heartbleed, a serious vulnerability in a piece of Internet backend software called OpenSSL, is the security story of the week. Vulnerable OpenSSL versions allow an attacker to see parts of a web session they aren’t supposed to see, including passwords in transit.
Timing is critical. If a site upgrades to a new version after you change your password, you have to change your password again. That’s why some experts are saying to wait, and others are saying change right now.
Here’s a list of sites that are affected or potentially affected. My recommendation: Change any passwords for any sites on this list listed as affected. Hint: Yahoo, Google, and Facebook are on the list. If at any point in the near future you get e-mail from them saying you need to change your password, change it again.
To clarify: Changing your password right now won’t hurt, but it might not be enough either. To be safe, you may end up changing some passwords twice, so be ready for it.
Another clarification: If you’re using 2-factor authentication, don’t bother changing the password. An attacker has to catch the password after it’s been sent, but if you’re using 2-factor, you’re not sending the password (you’re sending other stuff–and that stuff changes to prevent replay attacks), so you’re good.