Security Is Not Common Sense

Every single "computer guy" in the world has read up on the now-infamous Twitter hack and shaken their head. The reasons are voluminous and mostly insulting. I assure you, the words "idiot", "moron" and "fucktard" have been uttered. And they've been uttered at the GDEU (Goddamn End User) who wasn't smart enough to protect themselves with a strong password / security policy.

It had nothing to do with any of that. It was simply human factors - people being people, and a hacker smart enough to identify patterns in those people.

And yeah, most - if not all - seasoned internet veterans sneer and whisper to themselves about how stupid people have to be to fall into that trap. I know I did... And then I realized, no, it's not easy stuff. It's not even stuff you consider with any logical thought. My personal security policies are all ingrained at this point and happen by habit. I don't think "wow, I don't want to get hacked, so I'll come up with a new password for this service that isn't like any other" - I just do it, because it's what I do now.

And that's precisely what other people do when they do the things that can expose them to risk... Habits are habits. Normal people (read: 99.9% of us on the web) don't have the whatever-it-is that hackers / crackers have that makes them insanely good at what they do - finding and cataloging information. So we don't reverse-engineer that particular process and dissect how easily we can be nailed.

I just wanted to offer some tips on how to protect yourself online that extend past "don't pick an easy password" and "don't respond to spam mail scams." That stuff you can find on your local news channel's website under "technology" during one of their quarterly exposés on how easy it is to get reamed online. This is stuff I've picked up along the way that, while being FAR from an uncrackable personal security policy, keeps you from being an easy target. After all, as this XKCD comic illustrates, if someone wants your information... They're GOING to get it:

Your job is to keep from being an easy victim. Here's how:

a) Get an actual mail client for your desktop/laptop and store your stuff there. Thunderbird is a good one. Mail.app on a Mac is another. Don't use Outlook unless your paycheck depends on its use, and for God's sake, do NOT use Eudora. But whatever you use, DELETE EVERYTHING in Gmail, Yahoo! Mail, Hotmail or whatever webmail service you use, period. Don't archive, DELETE. This includes sent mail. Leaving mail on your server is convenient, but puts access in a public place. Having it on your physical machine limits access to people who can actually touch your computer - and if they can do that, they've got you anyway, regardless of whether it's on a server or on your machine.

b) As the TechCrunch article above points out, the "Secret Question" is simply a single-channel narrowing of possible password guesses for hackers. Don't ever answer hint questions with real information; use fake crap only you'd know. (Favorite pet? Put in the name of a soda. Mother's maiden name? Put in your favorite car. Substitute something you can remember in all instances for those questions. It's a code only you know.)

c) Different passwords for work stuff and home stuff make life safer - if some hacker targets your corporate environment, they won't get your private info, and vice versa. Kinda like an LLC for your data. If you can, further break up your passwords into bank stuff, contact / communication stuff, shopping stuff.

d) Make your passwords based on concepts and ideas, not anything that is directly associated with identifying you in any way whatsoever. This includes birthdates and names of significant others, but I'm going even further. Don't refer to anything you own - car model, favorite game, etc. And substitute characters all over the place - don't just make an "o" a zero, go a few steps further. Use symbols to replace entire syllables, like "sp@upon" instead of "spatupon".

e) Never Ever EVER EVER EVER fill out a form in email, ever. EVER. I would go so far as to say don't even click links in emails that point to any service at all with potential risk. I never click PayPal invoice links, eBay links, Yahoo! Auctions links or anything that ties back to any service through which money could be tracked. I never click on my bank's online statement links. It's simple - if it's a service you use, whatever they just emailed you about will be in your "recent activity" or "My (servicename)" info... Just open your browser, type the short URL and log in there; you'll see what you need to see.

f) Those "fun" quizzes on Facebook and MySpace are actually info-gathering factories. My friend Peter wrote an incredible article on this - I don't know if you can read it from that link if you're not signed into Facebook, but the gist is that the most popular quizzes on Facebook right now actually reveal just about every "security question" you could possibly answer on a site:
2. WITNESS PROTECTION NAME: (mother's and father's middle names)
3. NASCAR NAME: (first name of your mother's dad, father's dad)
4. STAR WARS NAME: (the first 3 letters of your last name, first 2 letters of your first name)
5. DETECTIVE NAME: (favorite color, favorite animal)
6. SOAP OPERA NAME: (middle name, town where you were born)
7. SUPERHERO NAME: (2nd fav color, fav drink, add "THE" to the beginning)
8. FLY NAME: (first 2 letters of 1st name, last 2 letters of your last name)
9. ROCK STAR NAME: (current pet's name, current street you live on)
10. PORN NAME: (1st pet, street you grew up on)
11. YOUR GANGSTA NAME: (first 3 letters of real name plus izzle)
12. YOUR MIDDLE EAST NAME: (2nd letter of your first name, 3rd letter of your last name, first two letters of your middle name, last two letters of your first name, then last three letters of your last name)
13. YOUR GOTH NAME: (black, and the name of one of your pets)
14. STRIPPER NAME: (name of your fav perfume, fav candy)

g) Beyond online - if someone calls you claiming to be from a bank, collection agency, utility company, etc. and asks for ANY information, tell them to mail you. I can get your name, address and telephone number pretty easily. I call you. I'm from your local area's phone company - it seems that you have a repair scheduled today. "What? No I don't..." Well, to verify, I'm going to need to get into your account - do you have your account number handy? Of course you don't... But you can just give me your social security number and I'll look it up. Reading this, of course you're thinking "no way would I do that." But you would. If you think your internet service or phone service is going to be shut down or impacted today, and you have a lot of work to do or need to shop or play Xbox Live, you totally would. Think in terms of reaction, not action. You didn't initiate this. You're just reacting. Be careful when you do.

Like everything else, this list could go on and on with every security tip known to man - but I think those few things go a very long way toward building a personal security policy that goes one step beyond the stuff you're plainly aware of and keeps you from getting nabbed from behind, so to speak. Feel free to share it with the non-internet-veteran in your life.