Last week, the big story in social media (and infosec) was the theft and subsequent publication of a whole mess of internal documents from Internet phenomenon Twitter. While the purloined documents did not contain any earth-shattering information, the incident was pretty embarrassing for Twitter and raised some questions about the wisdom of using cloud applications such as Google Docs for corporate work. Further information has since been released about how the documents were filched, and there are lessons in it for all of us.
Security questions are not secure enough to protect passwords. A "secret" question is really just a second password, and it is one whose answer is often a matter of public record. Think about all of the information about you out on the Internet: your Facebook page, your postings to web forums, mentions on school and social organizations' web sites. An attacker can mine that information to guess the answers to the questions guarding your password reset. My advice? Make up "special" answers that have no basis in reality. Maybe your first school was the Jupiter Academy of Space Sciences or your first pet was a tapir. Be consistent enough that you can remember them, or better yet, record them wherever you keep your passwords; then the answers can be different for every site, since a made-up answer that you reuse everywhere is only as safe as the least careful site that stores it. Either way, a set of "special" answers puts another layer of protection in front of your real passwords.
Using the same password for all sites is a recipe for disaster. I know… we all have a zillion passwords to remember, and asking you to have a separate password for each site you visit is a pain. But think about it: if I get hold of the password you use for Facebook, can I also access your bank account and your email? There are some really good tools to help manage a plethora of passwords. My personal favorite is KeePass, which runs on PCs, Linux boxen, and Macs. KeePass keeps your passwords (get it?) in an encrypted file which you can carry with you or store "in the cloud" safely, since it is encrypted. (You need a master password to open the password file, and it is the one password that must be both strong and unique: if it falls, everything in the file falls with it.)
Old email accounts can come back to haunt you. One of the tricks used by the attacker was based on the fact that web email providers sometimes recycle accounts which have not been used in a long time. In this case, the Twitter employee had listed a Hotmail account as the backup email address for Google Mail. This meant that when the attacker answered the password reset questions correctly, the new password was sent to the Hotmail account. Just one problem… the Twitster had not used the Hotmail account in a really long time, so it had expired. The attacker simply signed up with Hotmail for a new account with the same name and voilà, the password was his (or hers). The lesson: any address you list as a recovery contact is worth exactly as much as the account it can reset, so keep it alive and under your control, or remove it.
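To make the chain concrete, here is an added example (not from the original post, and not Google's or Hotmail's real code or policy) that models the reset flow just described: a toy mail provider that recycles dormant addresses, a service that mails reset tokens to a backup address, and an attacker who re-registers the expired name. The dormancy window, the recovery-address maximum age, the `strict` re-verification rule and the addresses are all constructed assumptions for the model. The point the model shows is that the resetting service cannot see the recycling happen at another provider, so the only control available to it is to bound how long it trusts its own verification of the backup address.

```python
import secrets
from dataclasses import dataclass, field

# Constructed policy values for this model; not Hotmail's or Gmail's real numbers.
DORMANCY_DAYS = 270          # provider frees an address after this much inactivity
RECOVERY_MAX_AGE_DAYS = 180  # strict service re-verifies a backup address after this


@dataclass
class MailProvider:
    """Toy webmail provider that recycles addresses nobody has logged into for a while."""
    owner: dict = field(default_factory=dict)        # address -> current owner
    last_login: dict = field(default_factory=dict)   # address -> day of last login
    inbox: dict = field(default_factory=dict)        # address -> delivered messages

    def register(self, address: str, who: str, today: int) -> bool:
        if address in self.owner and today - self.last_login[address] < DORMANCY_DAYS:
            return False  # name still held by an active user
        # Either unused or dormant: the name goes to the new registrant, and any mail
        # sent to it from now on lands in the new owner's inbox.
        self.owner[address] = who
        self.last_login[address] = today
        self.inbox[address] = []
        return True

    def deliver(self, address: str, message: str) -> None:
        self.inbox.setdefault(address, []).append(message)


@dataclass
class AccountService:
    """The service whose password is being reset (the Google Mail side of the story)."""
    mail: MailProvider
    recovery_address: dict = field(default_factory=dict)   # user -> backup address
    recovery_verified: dict = field(default_factory=dict)  # user -> day the address was last confirmed

    def reset_password(self, user: str, answers_correct: bool, today: int, strict: bool) -> bool:
        """Mail a reset token to the user's backup address; return whether one was sent.

        The service cannot observe that another provider recycled the address. In the
        `strict` branch (an assumed mitigation, not the real 2009 behaviour) it therefore
        refuses to use a backup address it has not re-confirmed recently.
        """
        if not answers_correct:
            return False
        if strict and today - self.recovery_verified[user] > RECOVERY_MAX_AGE_DAYS:
            return False  # stale backup address: require re-verification first
        token = secrets.token_urlsafe(16)
        self.mail.deliver(self.recovery_address[user], f"password reset token: {token}")
        return True


def run_scenario(strict: bool) -> str:
    """Replay the chain from the post; return who ends up holding the reset token."""
    hotmail = MailProvider()
    service = AccountService(mail=hotmail)
    backup = "employee@example-mail.test"  # constructed address

    # Day 0: the employee owns the backup address and lists it as the recovery contact.
    hotmail.register(backup, "employee", today=0)
    service.recovery_address["employee"] = backup
    service.recovery_verified["employee"] = 0

    # Day 400: the employee never logged into the backup account again, so the
    # provider treats it as dormant and lets the attacker re-register the same name.
    if not hotmail.register(backup, "attacker", today=400):
        raise RuntimeError("model error: dormant address should have been recyclable")

    # Day 401: the attacker answers the security questions from public information.
    sent = service.reset_password("employee", answers_correct=True, today=401, strict=strict)
    if not sent:
        return "blocked"
    return hotmail.owner[backup]  # whoever now reads that inbox gets the reset


if __name__ == "__main__":
    print("naive reset goes to:", run_scenario(strict=False))   # attacker
    print("strict reset result:", run_scenario(strict=True))    # blocked
```

The naive branch reproduces the post's outcome: the correct answers are supplied, the token is mailed to the backup address, and the attacker reads it because the provider handed them the name. The strict branch blocks it only because the service distrusts its own year-old verification; the same goes for a real deployment, where periodic re-confirmation of recovery contacts, or a second factor that does not route through email at all, is what closes this gap.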
The overriding lesson here is that the "best" hacks are not the result of amazing technical skill. They are the result of a moderately smart attacker taking advantage of the openings we leave for them: guessable security answers, reused passwords, and forgotten accounts that still have the keys to current ones. YOU are in control of your online security. If you are going to get hacked, at least make the SOB work for it!