Following on from our earlier post on the Heartbleed bug, we wanted to remind you of some of the lessons learned, and of best practice for securing yourself on the internet.
The Heartbleed bug demonstrated again that, regardless of the precautions you take when using the internet, you can still fall foul of information disclosure or compromise at third-party sites or systems. We no longer (alas) live in a world where trust is implicit and acceptable.

There was a time (not that long ago) when it was normal to leave your home unlocked, and if a stranger asked a question or wanted information it was fine to answer truthfully. We now live in a world where your information is valued and can be combined to infer more, or to become more of a commodity. Your date of birth, place of birth, the name of your pet or your favourite colour can now help an adversary begin unpicking your digital and online identities. The simple passwords that were convenient to remember and reuse across multiple domains and sites can now come back to cause widespread damage to reputations and credibility. Our online footprint can reveal the actual answers to most typical security questions to a skilled or determined attacker, rendering those secrets anything but.
With the notable exception of government or healthcare systems, it may now be time to begin lying on the internet. When I personally sign up for services I take a number of simple precautions that, combined, offer more benefit than the truth would. These include (but are not limited to):
Date of Birth – why does any non-official site want or need this information? I've not been truthful when answering this question, varying the day, month and year frequently and without any real method apart from never using the actual date.
Place of Birth – my bank knows this, and my medical records and passport have it, but why should a website want or need the real answer?
Pet's name – I use random values when asked.
Address – unless I'm paying for goods or services, or expecting something to be delivered to my home address, I will use a fictitious one.
The same goes for favourite colour, first car, school, mother's maiden name: anything that isn't actually needed is changed, and the real information is rarely (if ever) supplied. The sites I'm signing up with don't need the real information; they just want something they can validate you against if you ever need to prove who you are. I make a note of the information given to each site in the notes section of the password manager I use, so if I ever need to answer the question "Where did I go to school?" I can check the corresponding record and answer "Third moon of Pluto" (assuming that's the answer I gave). The exceptions are things I control or have more authority over (such as phone or mobile numbers), as these can be used for two-factor authentication or password-reset flows. If someone is able to clone my phone or steal my handset then I have more to worry about than a password at that point.
The two most beneficial tactics I employ on the internet are unique email addresses and unique passwords. Not everyone can use unique email addresses, as it needs a suitable email setup (such as a catch-all or aliasing domain) to receive the mail. The benefit is that if I start getting unwanted third-party email at a unique address, I know that either that address has been sold to spammers or the service I used it with has been compromised. It is a good safeguard, but it needs extra effort to manage and check multiple addresses.
The most important single thing that anyone and everyone can do on the internet is to use complicated and unique passwords. There are downsides to this, but the protection this one action gives is worth it. As Heartbleed and other high-profile breaches have demonstrated, regardless of the steps we take to protect ourselves we can still fall foul if servers and services are compromised or our data is released. If a service I subscribe to is breached and my data is released, it's generally one (unique) email address and one random password lost. I use a password manager to hold the majority of my general passwords (which takes care of remembering them and filling them in). I don't use the password manager for my most important credentials; these are deliberately not written down or saved anywhere they could be found. They are the exceptions. My password manager also supports two-factor authentication, and I use two-factor authentication wherever it is offered; anything that makes it harder for my credentials to be usurped is worth using.
A typical password I use is limited only by my imagination and the complexity rules of the site I'm signing up with; it's not unusual for me to use 25+ character passwords that include special characters, upper and lower case, numbers and spaces. They are painful to input manually (such as on tablets or games consoles), but that annoyance is worth it when I consider the protection of complex passwords that aren't used anywhere else. If a password needs changing it's a simple act; if the same username/password combination were used on every site, the risk of data loss or compromise isn't something I could or would want to deal with.
The Heartbleed bug will have a long-lasting impact, and the depth of the problem is still being analysed. It's not just websites that were or are affected: there are embedded OpenSSL instances in all sorts of unexpected and difficult-to-patch places (home routers, firewalls, mobile phones and so on). I suspect there will be ongoing attacks for years to come, and it should be accepted that some of the vulnerable systems and services will never be fixed or have fixes made available. You may be able to trust the online service or bank, but that won't stop you being owned or affected through seemingly safe devices. We cannot be certain where the vulnerable OpenSSL code can be found, but we can do everything else to minimise the damage if our information is unknowingly disclosed or released.
Anyone who still has an easy or common password needs to rethink how they are exposed if that password is released. In 2014 we are still facing an ongoing problem of common passwords breaking security and trust: if you can authenticate to anything using 123456 or password, qwerty or princess, trustno1 or admin, or anything that isn't "complicated" and doesn't use all the characters available, then you're taking a risk. I would like to see services and sites ban simple words outright, and stop limiting users to alphanumeric passwords with a fixed maximum length under 10.
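The policy asked for above, written out as an added example (not code from the original post): a server-side check that rejects passwords on a deny-list (including the "password1!" trick of appending digits or symbols to a common word), enforces a minimum length with no low maximum, and relaxes the character-class rule for long passphrases because length does the work there; alongside it, a generator for the kind of 25+ character password the post describes, built on the `secrets` module. The deny-list is a constructed sample and the thresholds (12, 20, 128) are assumptions.

```python
"""Password policy of the kind the post asks sites to enforce, plus a
generator for passwords that satisfy it.

Added example, not from the original post. The deny-list is a small
constructed sample; a real service would load a breach-derived list.
MIN_LENGTH, LONG_ENOUGH and MAX_LENGTH are assumed policy values.
"""
import secrets
import string
from typing import List

# Constructed sample; the post's own examples are all in here.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "princess", "trustno1", "admin",
    "letmein", "123456789", "iloveyou", "welcome",
})

MIN_LENGTH = 12    # below this, reject outright
LONG_ENOUGH = 20   # at or above this, length compensates for missing classes
MAX_LENGTH = 128   # a cap only to bound hashing cost, never a "max 10"

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",   # spaces count, as the post uses them
}


def normalise(candidate: str) -> str:
    """Lower-case and drop trailing digits/symbols so 'Password123!' is
    compared against the list as 'password'."""
    return candidate.lower().rstrip(string.digits + string.punctuation)


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in candidate)}
    missing = sorted(set(CLASSES) - present)
    if missing and len(candidate) < LONG_ENOUGH:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


def _secure_shuffle(items: list) -> None:
    """In-place Fisher-Yates driven by secrets (random.shuffle is not CSPRNG-backed)."""
    for i in range(len(items) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        items[i], items[j] = items[j], items[i]


def generate_password(length: int = 25) -> str:
    """Random password containing at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES.values())
    while True:
        chars = [secrets.choice(cs) for cs in CLASSES.values()]      # one per class
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        _secure_shuffle(chars)                                        # no fixed positions
        # Many sites trim input; a leading or trailing space would be silently lost.
        if chars[0] != " " and chars[-1] != " ":
            return "".join(chars)


if __name__ == "__main__":
    for pw in ("trustno1", "Password123!", "correct horse battery staple", generate_password()):
        verdict = check_password(pw)
        print(repr(pw), "->", "accepted" if not verdict else "; ".join(verdict))
```

Note that `correct horse battery staple` is accepted despite using only lower case and spaces, while `Password123!` is rejected even though it satisfies the usual "one upper, one digit, one symbol" rule: the check targets what attackers actually try, not a character-class checklist.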
Complexity is good, and length is beneficial. Simplicity in passwords should be consigned to the yesteryear when it was fine to leave your car or house unlocked and hope that your possessions and property would still be there afterwards. That age has gone; let's make sure our weak passwords don't undermine security in the modern world we live in. The internet is a wonderful place to be, but not one you should blindly trust with anything other than unique, throwaway information.
Jamie Duxbury, Senior Security Specialist