Humanity is connected. For thousands of years we measured success on our ability to connect with other people. We created languages to connect through speech and alphabets to connect through writing. We express ourselves through art and music, and we see a reflection of ourselves in the creations of others. Technology has removed geographic barriers and accelerated communication in ways our grandparents could never have imagined. But we are only human, and as more of our lives are exposed through technology we still value our privacy.
Over the past decade we have moved large amounts of our lives to the internet; social interactions, commerce and banking, fitness and health. Yes. There is an app for that. These data repositories contain both sensitive and valuable information. We have seen data breaches at every level. Small business email servers. Social networks. Financial institutions. Federal government databases. As we store more information on the internet it becomes a bigger target for hackers and crackers.
So the media’s got you a little nervous. I can relate. I value my privacy above all else, but I don’t worry. I remain vigilant. As black hat hackers work to exploit weaknesses, white hat hackers work to keep us secure. Let’s take a look into the methods hackers and crackers use to access your information, and the steps you can take to keep yourself protected.
It can’t happen to me . . . or can it?
You might be surprised to know that your own friends and family can be your worst frenemies. Have you ever left your phone unattended for a few minutes only to find out hours later that your Facebook profile has been updated with a less than flattering post? Sure, this kind of hacking isn’t technically savvy, and it’s usually only aimed at bruising your ego, but potential ramifications are serious. Our phones contain our own personal information as well as the information of those we love most. We access our social networks, bank accounts, and work files through them. If you’ve ever lost your phone, you know how helpless it feels without it and how impossible it is to replicate all of the information. In this situation your friend pulled a funny on you. The next time you might not be so lucky… Please use the password features built into your phone. There’s one less thing to worry about.
But the things that keep us up at night are bigger than that. They creep in through the daily news leaving a trail of paranoia in their wake. A recent attack making headlines targeted Apple’s iCloud backup service. A sizable collection of private celebrity photos was spread around the internet very quickly in an event known as the Fappening. It is speculated that the hacker(s) accurately guessed passwords or password reset questions to gain access to these accounts. The more one knows about a target, the easier it is to perform this type of attack. A quick search might provide a mother’s maiden name, the name of a first pet, and other personal information. This describes a simple form of a Dictionary Attack, where a hacker enters common words, phrases, and patterns in an attempt to gain access to accounts. Hacker Bonus: If you use the same password for multiple accounts, how long do you think it will take the hacker to crack your other accounts?
Remember the Heartbleed bug?
The Heartbleed bug exposed a weakness in the Secure Sockets Layer (SSL), a standard protocol for transmitting sensitive and encrypted information over the internet. This bug allowed hackers to gain access to server keys, passwords, and unencrypted data. Heartbleed is a grab bag approach to hacking. In the most basic terms, servers send a ‘heartbeat’ to one another prior to transmitting data. Three pieces of data are included in this packet: the destination of the data to be copied, the source of the data to be copied, and the amount of data that will be transmitted. The client tells the server it will send ‘x’ amount of data, so the server sets aside ‘x’ amount of space. In reality the amount of data sent to the server is less than ‘x’, but the server still sends back ‘x’ amount of data to the client. What comes back is a mixed bag. It might be nothing. It might be passwords or server keys. If you can’t control when a hacker gets your password, you can certainly control how long they have it by changing your password regularly, especially if you feel vulnerable.
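A simplified simulation of the length-trust bug described above, added here as an example and not code from the original post or from OpenSSL. The record layout, the `memory` buffer and the "secret" bytes are constructed assumptions, not real TLS framing; the point is the missing check on the claimed length beside the check that fixes it.

```python
import struct
from typing import Optional

# Constructed layout of a simplified heartbeat record (not real TLS framing):
#   1 byte type (1 = request), 2 bytes payload length (big-endian), then payload.
# Bytes after the record in `memory` stand for whatever else happened to sit
# next to it in the server's buffer.
HEARTBEAT_REQUEST = 1
HEADER = struct.Struct("!BH")


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request whose length field may exceed the real payload."""
    return HEADER.pack(HEARTBEAT_REQUEST, claimed_length) + payload


def vulnerable_respond(memory: bytes) -> bytes:
    """Echo back as many bytes as the client claimed, trusting the length field.

    Unpatched behaviour: if the claim exceeds the payload actually sent, the
    response spills over into the neighbouring bytes.
    """
    _, claimed = HEADER.unpack_from(memory)
    return memory[HEADER.size:HEADER.size + claimed]


def patched_respond(memory: bytes, record_length: int) -> Optional[bytes]:
    """Echo only when the claimed length fits inside the bytes actually received."""
    if record_length < HEADER.size:
        return None                      # too short to even carry a header
    _, claimed = HEADER.unpack_from(memory)
    if HEADER.size + claimed > record_length:
        return None                      # length field lies: drop the record
    return memory[HEADER.size:HEADER.size + claimed]


def demo():
    """Constructed scenario: a 2-byte payload that claims to be 40 bytes long."""
    secret = b"...server_key=ABC123;password=hunter2..."  # constructed neighbouring data
    request = build_request(b"hi", claimed_length=40)
    memory = request + secret
    leaked = vulnerable_respond(memory)            # 40 bytes: "hi" plus 38 bytes of secret
    dropped = patched_respond(memory, len(request))  # None: claim exceeds what arrived
    honest_request = build_request(b"hi", claimed_length=2)
    honest = patched_respond(honest_request + secret, len(honest_request))  # b"hi"
    return leaked, dropped, honest
```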
When passwords can’t protect you
Other attacks don’t rely on passwords at all, at least not in plain text. Many people know that their passwords are encrypted into a cryptographic hash during transmission and storage, making it more difficult for someone to intercept your actual password. Let’s put a little emphasis on the word difficult and note that I did not say impossible. There are several methods used for harvesting hashes, including accessing user caches directly on a server and ‘sniffing’ for packets during transmission. Hashes may also be encrypted, requiring a brute force attack or algorithms to reveal the actual hashes. Once a hacker obtains your hash, they can access accounts without a password for as long as the hash is valid. A hash typically remains valid until the password is changed or the hashing algorithm in use is changed. Salting a hash adds an additional layer of security, slowing a brute force attempt by obscuring hash strings with the addition of random characters. Multiple tools are utilized to combat this type of attack, including salting, firewalls, antivirus software, and user-rights management. Unfortunately for the average internet user, these types of attacks are largely out of your control. You can protect yourself by vetting online companies before you set up an account. It’s okay to ask a company how they protect user data. Be wary of businesses that are not forthcoming with security information.
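To make the salting point concrete, here is an added example (not code from the original post) of storing and verifying a password with a per-user random salt and a slow hash, beside the unsalted scheme it replaces. The password list and iteration count are constructed assumptions; the functions show why a precomputed table of hashes matches an unsalted store instantly but tells you nothing about a salted one.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample list standing in for the common words a dictionary attack
# tries first; used here only to build a lookup table of their unsalted hashes.
COMMON_PASSWORDS = [b"password", b"123456", b"qwerty", b"letmein", b"fluffy1998"]
PBKDF2_ROUNDS = 100_000   # work factor (assumed value): slows every guess


def unsalted_hash(password: bytes) -> bytes:
    """The weak scheme: everyone with the same password gets the same hash."""
    return hashlib.sha256(password).digest()


def store_password(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random 16-byte salt per user unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def precomputed_lookup(stored_hash: bytes) -> Optional[bytes]:
    """Reverse a hash by table lookup.

    Instant against unsalted hashes; useless against salted ones, because the
    table would have to be rebuilt for every user's salt.
    """
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_hash)
```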
How can I protect myself?
Privacy and security are sensitive topics. They make us uncomfortable and defensive, but my goal is not to instill fear. The benefits of technology greatly outweigh the drawbacks. In the wild west we armed ourselves and protected our families with the threat of force as a deterrent. We are grateful that we are far removed from that kind of savagery. But, I will ask you, “Are you doing everything in your power to protect the things that truly matter to you?”
Here is a list of items you can use to protect yourself. Similar lists are found everywhere from CNET, Ars Technica, Wired, Google, Microsoft, McAfee, and other tech media sources.
- CHANGE YOUR PASSWORDS REGULARLY, especially if you think you may have been hacked.
- Use a unique password for each important or sensitive account.
- Create strong passwords.
  - Longer, random passwords are harder to crack . . . but harder to remember.
  - Random passwords enhance protection against dictionary attacks.
  - Longer passwords increase the time it takes to crack a password through brute force.
  - Create a mnemonic pattern that makes seemingly random passwords easier to remember.
  - Avoid using dictionary words or personal information.
- Don’t allow your browser to ‘remember’ your password.
- Be careful when accessing your accounts from public computers and devices.
  - You don’t know what software is installed on the device.
  - You don’t know the device’s security settings.
  - You don’t know the network’s security settings.
  - You don’t know who used the device before you or who might use it next.
- Consider using a password management solution that uses multiple methods of authentication.
Parting Words and Resources
Protecting your privacy is an evolving, ongoing process. Knowledge is power, and you can give yourself the power to protect yourself. As a centuries-old prayer mantra says: Have the serenity to accept the things you cannot change, the courage to change the things you can, and the wisdom to know the difference.