You Are Only Paranoid if…


I just startled myself when I typed the date. Jeeze, how the time flies. One minute you are wondering about whether the Stones are really cooler than the Beatles, and then you turn around and you are bitching about how puny the Social Security check is.

So, no, I am not going to get to the assault on the other kind of Stone this morning, the District Boundary kind, and am going to beat the dead horse of cyber vulnerability again. Yawn. But hey, it is real. Now that the bad guys have the key to the kingdom in terms of personal information- Mother’s maiden name, father’s middle name, kid’s birthdays, social security numbers and the like being just a start- they can spoof live humans with things that supposedly only you would know.

So, with that gaping breach in our security, stronger passwords are even more vital. For the New Year, here are some of the things to consider. And no, I didn’t get to it yesterday and with the Army-Navy Club reception today downtown, maybe it is going to wait till tomorrow. I will kick myself if my bank account gets cleaned out tonight.

Passwords can be hacked by social engineering, as I just described, but there are other “brute force” or “dictionary attack” methods routinely employed by the dirtbags. Here is the obligatory list of things you ought to fix if you want to have a fighting chance against both state and non-state asshats. Of course, the state actors (us or them) can have you through vast resources and superior computing power, which is the problem with being identified as someone who has or knows something they might want. Shiver.


1. Do not use the same password for multiple important accounts. I have a default password for shopping sites and some things I don’t care about, but bad guys could easily find that and go on shopping sprees after adjusting the account address information. If you have a stored credit card you could be well and truly screwed. I do not store credit card numbers and will be setting up new passwords as I use the sites, a colossal pain.

2. Use a password that has at least 16 characters, with at least one number, one uppercase letter, one lowercase letter and one special symbol. I know, I know. That is why the Do It Yourself password generator makes this a much easier proposition, though you have to get organized and assign an impossible-to-remember password to each account.
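Added here as a worked illustration, not part of the original post or its spreadsheet generator: a short Python generator that enforces exactly the rule above (16 characters, one of each class), drawing randomness from the operating system’s secure source (`secrets`) rather than a spreadsheet’s RAND().

```python
import secrets
import string

# The four character classes the rule requires; a password must draw from all of them.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def meets_policy(password: str) -> bool:
    """True if the password is at least 16 chars and contains one of each class."""
    return (
        len(password) >= 16
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Generate a random password with the OS CSPRNG (secrets, never random).

    Rejection sampling keeps the result uniform over all strings that satisfy
    the policy, instead of pinning each class to a predictable position.
    """
    if length < 16:
        raise ValueError("policy requires at least 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
```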

3. Do not use the names of your family, friends or pets in your passwords. Down through the years, this has been most helpful for situational awareness about what is really going on with the Boss. But that is wrong, of course. Just don’t. The bad guys have all that information already.

4. Do not use zip codes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, or other public record numbers. That “enter zip code” prompt on the pump at the gas station to compare the credit card with your billing address and ensure it is really you? It might hang up a bad actor for a nanosecond. If they have hacked your account number, expiration date and authentication code they can make their own cards.

5. Do not use any dictionary word in your passwords. One of the oldest hacking programs can run the contents of the unabridged dictionary past the login screen until it gets a hit. It is just a question of time, and not a lot of it.

6. Do not use something that can be cloned (but you can’t change) as your passwords, such as your fingerprints or retina scans. The biometrics angle was a hot security topic for a while, but smarter people than us have figured out a way to use it against us if they have stolen it from a bunch of incompetents like OMB, or worse, the IT idiots at the Interior Department, which has a reputation for being the worst in the Federal bureaucracy.

7. Do not let your Web browsers (Firefox, Chrome, Safari, Opera, IE) store your passwords, since all passwords saved in Web browsers can be revealed easily. I find that prompt “save password?” really irritating because I don’t want to. I imagine there is something in the tools menu to turn it off, and will investigate later, after several Bloody Marys at the Army-Navy Club.

8. Do not log in to important accounts on the computers of others, or when connected to a public Wi-Fi hotspot, Tor, free VPN or web proxy. So all those earnest young things at Starbucks or the local indy coffee house pretending to work? Yep. They are hosed. I like the Holiday Inn Express as much as anyone but I don’t do my banking from my room.

9. Do not send sensitive information online via HTTP or FTP connections, because messages on these connections can be sniffed with very little effort. You should use encrypted connections such as HTTPS and SFTP whenever possible. Encryption matters. Even some of those systems can be broken, if there is enough effort to put brute force against them. But the point is to make it difficult. One of the big shake-downs going around is a hack that encrypts your hard drive with a cipher system only the hacker can unlock, and they hold your data for ransom in Bitcoins. No kidding. That happened within the last couple of months to a pal in the Pac Northwest. You may as well ensure that your data is encrypted as well, not that it would stop a Trojan Horse virus introduced through human factors.

10. In that vein, if you are traveling, encrypt your Internet connections before they leave your laptop, tablet, mobile phone or router. Set up a private VPN on your own server; even Hillary got around to that eventually. That will serve to protect data and passwords from being snagged out of the data stream in transit. Do not take any electronic device to China or Russia that has data you care about. It will be gone.

11. How secure is your password? If a hacker has stolen your username and the MD5 hash value of your password from a company’s server, and the hacker’s rainbow table contains this MD5 hash, then your password will be cracked quickly. Don’t know what an MD5 hash is? That is why we are all so vulnerable to those who do. The MD5 hash is a 128-bit checksum for a file, analogous to the old check digit in military communications that confirms locational information was entered properly, but this is much more complex.
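An added Python illustration, not from the post, of what that rainbow-table lookup amounts to on the attacker’s side, and what the company’s server should have stored instead: a random per-user salt plus a slow iterated hash (PBKDF2-SHA256 here). The five-entry table and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a handful of common passwords standing in for the attacker's
# precomputed table, keyed by unsalted MD5 hex digest. A real table holds billions
# of entries, but the "crack" is the same single dictionary lookup.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Password1"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
ROUNDS = 200_000  # PBKDF2 iterations; raise as hardware gets faster


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way too many breached sites stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted_md5(stolen_hash: str) -> Optional[str]:
    """The breach from the attacker's side: one lookup recovers the password."""
    return PRECOMPUTED_MD5.get(stolen_hash.lower())


def hash_with_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Defensive storage: random per-user salt plus an iterated hash.

    The salt makes every precomputed table useless (two users with the same
    password get different digests); the rounds make each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_with_salt(password, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    print("unsalted MD5 of 'letmein' ->", lookup_unsalted_md5(md5_hex("letmein")))
    salt, stored = hash_with_salt("letmein")
    print("salted lookup possible? ", stored.hex() in PRECOMPUTED_MD5)
```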

12. It’s recommended to change your passwords at least every calendar quarter, and more often for sensitive financial accounts. I know, major pain in the butt. With the DIY password generator, you can do it with a simple poke at your Excel spreadsheet. Rinse and repeat.

13. Try to remember only a few strong master passwords and store other passwords in a plain text file encrypted with 7-Zip, GPG or a disk encryption software such as BitLocker, or manage your passwords with a password management software. It is worth doing some research on all of them to see how you can protect yourself.

14. Encrypt and back up your passwords to different locations so that if you have been locked out of your system or account, the passwords can still be retrieved. Physical copies should be someplace secure, like your guns or wall safe. A daily backup to an external hard-drive that is physically disconnected after the backup is another pain in the butt that could let you sneer at a hacker who has hijacked your files.

15. As we discussed yesterday, turn on 2-step authentication whenever possible.

16. Do not store your critical passwords in the cloud. Everyone says this is the future of computing but I would hedge my bets.

17. Access websites that have access to your financial institutions (like PayPal or your broker) from bookmarks you have entered to ensure you are not being directed to a spoof site that will steal your username and password and then clean you out. If it is a link at a merchant site, check the domain name carefully. This is analogous to checking to see if a sniffer has been attached to an ATM to steal your bankcard information.

18. For God’s sake, invest in the best firewall and antivirus software. Download software from reputable sites only, and verify the MD5 or SHA1 checksum of the installation package whenever possible.

19. Be careful when using online paste tools and screen capture tools; do not let them upload your passwords to the cloud.

20. Put electrical tape over the camera lens on the computer that is watching you all the time and only remove it if you actually want to do a teleconference with someone you know. And the built-in microphone? Don’t say anything around a device that you absolutely do not want to go to the world. That includes your internet-aware television.

21. The new Radio Frequency chips in the credit cards? Yep, they are vulnerable. I don’t know if the aluminum foil I keep in my wallet does anything or not. You should invest in an RF-shielded wallet and a cover for your passport. The bad guys are cruising around scanning your purse or back pocket looking for an easy payday.

Welcome to 2016. It is a brave new world.

Copyright 2016 Vic Socotra
www.vicsocotra.com
Twitter: @jayare303
