I have been meaning to write in this blog for the past few weeks, and as always life just gets in the way. So I am finally sitting down to write some of my thoughts on “Why education is always the key in security.” Breaches and privacy issues come up daily. Within cyber security there are many areas of concern; first, let's talk about privacy. Services like Facebook, Google (Gmail), and Amazon know a ton of information about you and your daily habits. You may be completely OK with this; however, it is your job and your right to know what information you are giving them. The old adage is that if the service you are using is free, then you are the product. This is especially the case with Facebook. Over the past few years they have been in the news for what they collect and sell, and for services using Facebook to manipulate or motivate people in a certain direction. The key issue is that Facebook's business has always been built around collecting data on you and selling it. They own the rights to every post, every picture, and every like. Many users have chosen not to look at this business function. It is very important that every user of those services understands what they are giving up and allowing a company to sell. Also, fully understand that Apple, Amazon, and Google are storing all that data about you as well. Facebook is not the only “evil” technology company. Microsoft bought LinkedIn years ago only for the data that was stored.
Now on to cyber security hygiene. Passwords are a complex issue. After years of passwords being easily guessed or brute forced, it was recommended that you have a very complex password with 2 capital letters, 2 numbers, and 2 special characters. This will stop brute-forcing attacks, but it has pushed people into using the same password for many different services. This has brought on a new form of password attack, called password stuffing (more commonly known as credential stuffing). One thing to understand is that there will always be breaches. When there are account breaches, usernames, passwords, or password hashes become available to everyone. A good service to check whether your passwords or usernames have been breached in the past is Have I Been Pwned (haveibeenpwned.com). This service was established by security researcher Troy Hunt. He has been in the cyber security industry for many years and is a trusted source. Going back to password stuffing, an example of how this is exploited: an attacker has a known list of email addresses and passwords from previous breaches. They then run through those lists in an automated way against other services. This is how Dunkin' Donuts was “breached” last year. If you use the same password for all services, an attacker can then use that information on the other services that you use. This “vulnerability” is unfortunately not something a company or service can stop. This is a user-level vulnerability; the way to close this issue is for you to use a different password for every service. This can seem like a very large and daunting task. There are tools that exist to help with this: enter password managers. Password managers are digital notepads. They allow you to store passwords, notes, and other important information in an encrypted vault. These applications (apps on mobile devices) are usually locked by a master password or by biometrics. The benefit of these applications is that you only need to remember one master password.
There are two ways to use a password manager: have it simply store your passwords, or allow it to randomly generate your passwords. The second option is definitely the more secure; it will stop password stuffing. Some password manager software companies include 1Password, Dashlane, and LastPass. These services allow synchronization across multiple devices, and have internet browser extensions that will allow you to automatically, or manually, copy and paste your credentials into a website for login. Many password managers tie into haveibeenpwned directly within their application. If you have an Apple device, iOS 12 and above connects your password manager directly into the keyboard for each use. There is a setup and slight learning curve for moving to this password paradigm; however, in the end it will allow you to be more secure and more informed.
No one will ever be 100% secure AND be able to use internet services. However, I feel education and understanding are key to accepting a level of risk exposure that you are comfortable with, and to deciding how comfortable you are with Facebook selling a picture of your newborn child to any company for their marketing program. :)