All this security is such a pain…

With any form of security, I was once told, there is a fine balance between security and usability: while it is possible to lock down and secure a system with air gaps, zero internet, footpaths and the like, the basic fact of the matter is that if the security is awkward and cumbersome to use, it has already failed.

Want an example? Take your online banking system: it is potentially the most secure online system you use at the moment. It will have PINs, codes and potentially a dual factor external key-generating token. Let's face it, it's a right royal pain in the rear to get into your account. So, despite the security being litigation-safe from the bank's perspective, if you had to do this for every account you had you'd be bored quickly.

Even within the confines of companies who should know better, things like single sign-on are often asked for by people who have accreditations in security. Why? Because remembering all those passwords and security measures is a pain to deal with. Even if it is the world we live in now, it doesn't make it any better.

The internet is awash right now with guides telling you how to enable Google's dual factor authentication, and there are quotes aplenty pretty much telling you that if you don't do it now you are a fool.

I am not going to disagree: this service, which has been around for a while, is a huge leap forward in security. If you're not sure why all this fuss is happening, read this article about online security. It covers what Google is doing. There are, however, a few things you need to bear in mind when you read this.

Mat Honan, the guy who works for a popular online blog and was hacked last week, has sparked off all these column inches. He wasn't hacked via Gmail, currently the only mainline company pushing/implementing this dual factor system. His password was not cracked, and no one gained entry to his PC by dubious means and took down his life.

Mat was hacked by means known as social engineering. Using freely available information on the web, the hackers found his address via his webpage and the whois information; they used third-party publicly available services to get other information, such as the last four digits of his credit card; and then they picked up a telephone, spoke to a person at a company and gained entry to a non-Google account, which led to being able to get into his iCloud account via Apple using a similar method, and from there it was game over.

There is more to this than dual factor authentication. Mat, like most of us when he set up his accounts, probably had those accounts set up to mail a password reset to the same mailbox if he forgot it. So head over to Gmail, Twitter, Facebook, Dropbox, tell them all you forgot your password, and they mail links back to your mail account, probably your only mail account, and the person now has access to your online life. Once you've gained entry to a mailbox, for the most part most people's world is open to all.

Why is the internet like this? Simple: it's easy. It's easy for the companies, as they don't need people on phones resetting accounts; it's simple for you and me, because we don't need to call companies to reset the passwords on our accounts; and as long as you've not been hacked, it's relatively safe.

There is a well-put analogy which describes the reality of internet security: you will never stop your account being hacked; it's not if, it's when. All you can do is put up as many walls as you can to make it as hard as possible.

Sure, Google's dual factor authentication is a good idea; turn it on. Be warned, however, that if you use Gmail on more than just a web browser, that usability vs security scale we referred to will weigh down on the security side a bit more, as the second after you enable that dual factor authentication every app on every device you have plugged into your Google account is going to stop working. On your Android phone, iPad, iPhone, Windows 7 Phone, tablet, Mac, Windows mail client: it's all going to fall over because it doesn't know about dual factor authentication. Google's answer to this is to set up a per-device code, a one-time password if you like, for each application on each device you have which accesses a Google account. If, like me, that is 40+ times, that is going to take some time.

The benefit, however, is that after doing all this work you will be able to tell the time and date each of those devices logged into Google.

As we said, this guy didn't get hacked via Gmail; he got hacked via iCloud, which at the time of writing doesn't use dual factor authentication. There are, however, things you can do to build walls and make compromising your life harder. A simple one is to set up a few mail accounts on different services and, when you register with accounts, use different email addresses. Spread the love. Don't have those accounts all sending their "I forgot my password" mails back to the same account either.
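To make the recovery-chain point concrete, here is an added example (not part of the original post) that models each account and the mailbox its "forgot my password" link goes to, then reports which single mailbox would unlock most of your online life. The account names and addresses are constructed sample data, and the "everything resets to Gmail, Gmail resets to iCloud" map is a stand-in for the chain described above.

```python
# Added example: models which accounts a compromised mailbox can reset.
# Account names and addresses below are constructed sample data.
from collections import defaultdict

def blast_radius(accounts):
    """Map each recovery mailbox to the set of accounts reachable from it.
    `accounts` maps an account name to the mailbox its reset link goes to;
    a reset account that is itself a mailbox extends the chain."""
    recovers = defaultdict(set)  # mailbox -> accounts whose reset link lands there
    for name, recovery in accounts.items():
        recovers[recovery].add(name)
    result = {}
    for start in recovers:
        owned, frontier = set(), [start]
        while frontier:
            mailbox = frontier.pop()
            for acct in recovers.get(mailbox, ()):
                if acct not in owned:
                    owned.add(acct)
                    frontier.append(acct)  # acct may be a mailbox others recover to
        result[start] = owned
    return result

def single_points_of_failure(accounts, threshold=0.5):
    """Mailboxes whose compromise unlocks at least `threshold` of all accounts."""
    n = len(accounts)
    return sorted(m for m, owned in blast_radius(accounts).items()
                  if len(owned) / n >= threshold)


# The post's scenario: every reset link goes to one Gmail box, and that
# Gmail box itself recovers via the iCloud account.
BEFORE = {
    "twitter": "me@gmail.example",
    "facebook": "me@gmail.example",
    "dropbox": "me@gmail.example",
    "icloud": "me@gmail.example",
    "me@gmail.example": "icloud",
}

# After "spreading the love": resets split across independent mailboxes,
# and the Gmail box recovers via a phone rather than another account.
AFTER = {
    "twitter": "me@gmail.example",
    "facebook": "alias@fastmail.example",
    "dropbox": "other@outlook.example",
    "icloud": "alias@fastmail.example",
    "me@gmail.example": "recovery-phone",
}
```

In the first map both "icloud" and "me@gmail.example" unlock all five accounts, which is the chain the attackers followed; in the second, no single mailbox reaches even half of them.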

Obviously, never use the same password twice, not once, nowhere: every system you log into needs a different password, no matter what. This can be managed; I'll explain how later. Also, don't choose your passwords yourself; let the computer randomly generate them for you.

If you are able to, don't use the same debit/credit card for everything either. Much like the mail accounts, spreading the love makes it just a little harder for this type of social attack. There are online sites that offer these services; however, speak to your bank, as they should be able to help with this.

So you've used multiple mail accounts and never the same password; unless you are related to Einstein, you are not going to remember all these random passwords. So you need a password management system. LastPass and 1Password are two good ones. Essentially you need to remember one strong password, and then via browser plugins you can log in to the webpages using the emails and logins you set up. If you are really going down this route, use both and spread the passwords as well.

As the internet moves forward, better technologies need to be made available at a consumer level for the "thing you have and thing you know" security model. Tokens, biometrics and other such systems will no doubt be investigated, trialled and used. There is no magic wand for this and, unfortunately, as we have seen with the Google implementation, it takes time to set up.

Remember, this may all seem like a pain in the rear, and security often is; however, how much more of a pain will it be when you are hacked and money leaves your accounts and purchases are made on your credit cards?
