Something that comes up nearly weekly when I’m with customers is better security, so here I’m hoping to cover some of those tips and the reasons behind them.
The first thing to know is what we’re protecting ourselves against. Most hacks happen in one of four ways:
a) A site you use is hacked, so then your email address and password (and other personal information) is on a purchasable list, that hackers can then use to access any other site that uses that same email/password combination.
b) You give the email/password combination away, usually via a phishing email or text.
c) Confidence scams. Basically an expansion on b), and often a phone call trying to trick you into giving further security details over the phone.
d) Someone is targeting you, and building up a database of information in order to scam you.
Once someone has your email and a password, they can just set a script going that tests that now known email/password combo against other sites to find out which ones they can access, then potentially use that to scam you, or to hack other accounts of yours.
So how do we protect ourselves:
Use a Password Manager
There’s a bunch of these, and they all have their own pros/cons, from iCloud Keychain, through 1Password, LastPass, Enpass and Dashlane. Even as a Mac guy I prefer not to use iCloud Keychain, so I’m not tied to a single platform or even a single browser; plus most of the alternatives also alert you to any security weaknesses you may have and add other great features.
So why do I like and recommend them:
- They help you generate strong passwords for every site you visit. You don’t realise it until you start using a password manager, but once you do you realise that between various utility companies, a different insurance company each year, all those shops you use, online streaming services and a few forums, those few passwords you use are in use on several hundred sites. There’s no way half a dozen variants of your not very secure password is a secure way to protect them all.
- They’ll only submit your saved password for the site it was created for. This is a biggy. Get a genuine looking email, click the link, fall for it, and you’ve just given your email & password to the scammers. Password managers don’t. They’ll only enter passwords for the website the entry was created for, so when you click the link to a phishing site the password manager doesn’t recognise it as a site you use and doesn’t offer any passwords for it, doubly protecting you. You can read more on this at Humans are bad at URLs…
- They can also remember your security answers. Can you remember all these combos of favourite places/books, did you type it out in full or short hand it? No! But password managers usually have a section to remember all this extra information for websites along with your password. See also further down, lying.
- Many will also let you check your passwords, telling you if any are duplicates, if they’ve been compromised through a site breach, so you know when, and where to toughen up your security.
- Most can also remember all your licence keys for software. Small feature, but it means you’re no longer scrabbling for that email you filed somewhere, so the cost of a password manager can often be recovered by it saving you having to repurchase software you already own.
- Synchronises between devices and browsers. This means it doesn’t matter which device you pick up, or which browser you use on it: if it’s supported by your password manager plugin, the password manager will offer the secure password you set up on one device on any of your other devices, in any of the browsers.
- Multiple Vaults – this enables you to have not only your own personal vault, but a work vault, and even shared personal or work vaults, each secured with its own key but typically opened with your single master key. This lets you keep your own accounts saved securely, but share passwords securely with colleagues and family, so for example your emails would be in the private personal/work vaults as applicable, but you might share a login to Tesco or the stationery supplier, which could live in the separate shared vault.
- Synchronised authenticator for 2 factor authentication (2FA). One of the barriers to using 2FA is that it is often tied to a single text number, or an authenticator application on a single device. Hopeless if you’ve no signal, are sat at the wrong device, or a colleague holds the master device. Many of the password managers can also be an authentication application, and once set up this then works across all devices signed into the vault.
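The second point above (a manager only fills the site an entry was created for) is the one worth seeing in code. The example below is added here and is not code from the post or from any password manager; it models the autofill decision with a toy vault, a crude two-label registrable-domain check (real managers use the Public Suffix List, so `co.uk` would be wrong here), and contrasts it with the “brand name appears somewhere in the address” check a hurried human makes. All hostnames and vault entries are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault: saved login origin -> label. Not any real manager's storage format.
VAULT = {
    "https://www.paypal.com": "PayPal",
    "https://accounts.google.com": "Google",
}


def registrable_part(host: str) -> str:
    """Crude two-label approximation of the registrable domain (e.g. paypal.com).

    Real managers consult the Public Suffix List so that suffixes like co.uk are
    handled; this shortcut is an assumption made to keep the example offline.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_match(saved_host: str, page_host: str) -> bool:
    """The check a hurried human eye does: 'the brand name is in there somewhere'."""
    return saved_host.lower() in page_host.lower()


def host_matches(saved_host: str, page_host: str) -> bool:
    """Strict check: page host is the saved host or a subdomain of it, on a label boundary."""
    saved, page = saved_host.lower(), page_host.lower()
    return page == saved or page.endswith("." + saved)


def offer_credentials(page_url: str) -> list:
    """Return the vault labels a manager would offer to fill on page_url.

    Only https pages get offers (a downgrade to http gets nothing), and an entry is
    offered only when the registrable domain matches, so a lookalike host gets nothing.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return []
    page_domain = registrable_part(parts.hostname)
    return [
        label
        for origin, label in VAULT.items()
        if registrable_part(urlsplit(origin).hostname) == page_domain
    ]


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin",
                "https://paypal.com.login-verify.example/signin",
                "https://paypa1.com/signin",
                "http://www.paypal.com/signin"):
        print(url, "->", offer_credentials(url) or "nothing offered")
```

The phishing host `paypal.com.login-verify.example` passes `naive_match` because the brand is visible in it, but `offer_credentials` returns nothing for it, for the digit-swapped lookalike, and for the plain http version of the real site; the user gets no password to hand over.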
There are some things to watch of course: many of these sync to an online cloud service, so to protect against a total loss situation it would be prudent to know the password to your sync service, and to have that protected by two factor authentication with a spare number as backup.
As they are such a step change in the way of working, personally when I first switched to a password manager I saved my old crappy passwords in it whilst I got used to how it worked & sync’d etc. Then after a week or so once I felt comfortable with it, I started going to all the sites, logging in, and then changing the passwords to something secure generated by my password manager.
Some people are wary as you’ve everything in a single vault, but the vaults use 256-bit AES encryption, so as long as you use a decent password (how secure is your password?) to lock it and don’t leave that password lying around, the data within is secure.
Emails should be securely protected
Who’s bothered about my emails? There’s nothing in there. Well, you should be. Your email can reset the password for probably 80% of your logins, so if the password to your email is breached and a hacker is in your inbox, they can reset your passwords on anything that isn’t also protected by two factor authentication. We also leak so much data on social media, often answering security questions insecurely. So email and social media should all be protected by individual passwords not shared with any other site. The same goes for anything with your credit card details saved, so Amazon, PayPal etc. should all have their own password.
Also for this reason, any device signed in to your email should be password protected. If your phone/laptop/tablet is stolen and it just logs right in, a thief can sign straight into your email and, again, start password resetting accounts that are linked to your credit card…
Use 2-Factor Authentication
It’s not perfect*, but where it’s available as an option use 2-Factor Authentication, often shortened to 2FA. This means whenever you try to log into a site you’ll get a text, or use an application (e.g. Google Authenticator or a password manager) on a second device personal to you, so that even if a hacker has got your email address & password, they can’t access your account.
*The mobile SIM isn’t secure: messages can be faked, and hackers are using techniques to intercept these messages, often via phone scams, but it’s better than no protection.
Hang up the phone
If you receive any calls/texts/emails from anyone saying “this is your bank/insurance/shop”, never, ever, under any circumstances give them any security answers. Even if you’re 98% sure it is the bank or whoever, ask them which department you need and call them back ONLY on known good numbers: find their website, find your card, and ring them back via your mobile, because landlines can leave a call open, so even if you believe you’ve made a call to your bank you can be calling the scammers back on an open line. Do not call them via any unknown numbers sent in texts, any numbers given over the phone, or a number checking website where someone says they think it’s OK (it could be the scammers reviewing themselves). I’ve personally raised complaints with my banks over this: automated phone call “we suspect a fraud event on your account, please ring this number”. The banks are socially engineering you into thinking it’s OK to answer the phone and give away your passwords, and when it goes wrong, it’s then your fault.
A lot of these will start with known good information to you, often via a previous data breach, so they can sound convincing, but just hang up. Don’t engage with them, don’t worry about being rude. Just end the call.
Also remember Caller ID for numbers and names can be spoofed, so just because the number in caller ID or in the text tallies, this does not mean it really is who you or your phone believes it is.
Beware the top advert hits in Google
A less regular one, but I’ve seen a few instances of this: a year or so ago, for example, an unscrupulous company hijacked the Google results for “car tax renewal”, so instead of taxing their car people later found out they’d signed up for a vehicle information service at £6 a month and hadn’t in fact taxed their car. So check where the link in the search results actually goes, and ensure you click through to the real site and not an unscrupulous advert.
Use more than one email address
This has a two pronged benefit. Basically your email address is 50% of your password, so if you use a few different email addresses, any breach only gives away a small percentage of your logins, instead of 100% when they all use the same email.
The second benefit is it gives you a second alert for fake emails: a genuine looking PayPal email to the address you use for general shopping is quite clearly a phishing email. An email from a “friend” to say he needs £500 as he’s stuck in Thailand, but sent to the address you use for PayPal etc., again, obviously a scam… When those “I know your password, send me bitcoin” emails started doing the rounds last year, the first one I got had my name, a very old password, and was sent to an email address I’d used for a now defunct Nokia ringtone website which had clearly leaked its data before it went, so I knew where the breach was from, and all I had to do was triple check with my password manager that I definitely didn’t still have that password active anywhere.
Many online email providers will allow you to set up an alias, so you don’t even need two separate email accounts, just several aliases; e.g. in Gmail you just set up aliases using a + after your username, eg: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org etc. The only thing to watch is a few websites need you to be able to reply from the email address you’ve used, so you do need to ensure you can reply from these aliases if required. The biggies are Royal Mail, and any other support systems that use your email to validate you when you respond, so eBay, Amazon, forums. Personally I’ve got the Mail & Amazon ones set up to reply; everyone else I just log back into the apps/website and reply directly through those.
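The “second alert” above can be turned into a mechanical check: if a message arrives on an alias that a given sender has no business with, flag it. The example below is added here and is not code from the post or from any mail provider. It assumes a domain `example.org` carrying plus-tagged aliases, a constructed policy mapping each tag to the sender domains expected on it, and constructed sample headers; it deliberately classifies on the real address after `parseaddr`, not the display name, since the display name is the part a scammer writes.

```python
from email.utils import parseaddr

MY_DOMAIN = "example.org"  # assumption: the domain the aliases live on

# Constructed policy: plus-tag -> sender domains legitimately expected on that alias.
ALIAS_EXPECTS = {
    "pay": {"paypal.com"},
    "shop": {"amazon.co.uk", "ebay.co.uk"},
}


def split_recipient(to_header: str):
    """Return (base, tag, domain) for 'Name <user+tag@domain>'; tag is '' when absent."""
    _, addr = parseaddr(to_header)
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return base.lower(), tag.lower(), domain.lower()


def sender_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring the display name a scammer controls."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header: str, to_header: str) -> str:
    """One of: expected, wrong-alias, untagged-alias, not-mine."""
    _, tag, domain = split_recipient(to_header)
    if domain != MY_DOMAIN:
        return "not-mine"
    expected = ALIAS_EXPECTS.get(tag)
    if expected is None:
        return "untagged-alias"
    sender = sender_domain(from_header)
    # Accept the expected domain itself or a subdomain of it (mail.amazon.co.uk).
    if sender in expected or any(sender.endswith("." + e) for e in expected):
        return "expected"
    return "wrong-alias"


def suspicious(messages):
    """Keep the (From, To, Subject) triples sent to an alias the sender has no business with."""
    return [m for m in messages if classify(m[0], m[1]) == "wrong-alias"]


# Constructed sample headers, not real mail.
SAMPLE = [
    ("PayPal <service@paypal.com>", "me+pay@example.org", "Your receipt"),
    ("PayPal <security@paypal-verify.example>", "me+shop@example.org", "Account limited"),
    ("Dave <dave@example.net>", "me+pay@example.org", "Stuck in Thailand, need 500"),
    ("Newsletter <news@mail.amazon.co.uk>", "me+shop@example.org", "Deals"),
]

if __name__ == "__main__":
    for frm, to, subj in SAMPLE:
        print(f"{classify(frm, to):15} {frm} -> {to}: {subj}")
```

The two messages the post describes, a “PayPal” mail on the shopping alias and a “friend” writing to the PayPal alias, are exactly the ones `suspicious` returns; the real PayPal receipt and the Amazon newsletter on the shopping alias pass.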
Your security answers can be lies
Date of birth, mother’s maiden name. Except for bank/credit applications where they need these for identification purposes, for every other site all these answers can be LIES. I realise this can be difficult to keep track of, but again this is where the password manager wins: make up a fake answer every time, and note them down in the password manager. They don’t even have to be valid answers, just a nudge to your security answer, so for example the first place you flew could be Blancmange/Trowell Services/oRbp6.HWi8s*ecw6 etc.
Personally, I’d keep year of birth within +/- 5 years of your actual DoB just so you don’t end up with a server somewhere that now assumes you’re 160 and deactivates your account.
Stop leaking information online
I know we’re all guilty of this to a point. But be careful what you leak: think about what information you’re giving away, what you’re saying with it, or even what is showing in it. Clever passwords are no good if you basically leak your security information all over Facebook every single week.
Also those quizzes every other week about what’s your fairy/porn star name. Often these are at least one of your security question answers, which somebody could use over a period of weeks to build up a profile of you. So STOP filling them in. Or if you must, see above, LIE, pick the funniest answer.
Herefordshire Trading Standards had this to say…
Scammers can then, between a cheap subscription to a genealogy website and the cheaply purchasable electoral roll data, soon use parts of this data to fill in the missing gaps in order to steal your identity.
Bought something, showing off your parcel and hidden the address? That 3D barcode on the Royal Mail label contains the sender & recipient postcode & house number! A long read, but here’s when Tony Abbott (former Australian PM) shared his boarding pass online, for example, which turned out to leak his passport number, DoB and phone numbers, so beware what seemingly innocuous data is being revealed when you share info. To be fair, I wouldn’t be surprised if we got to a point where home insurance is void when your last social post is “yay, off on holiday for 2 weeks”, so you’ve just broadcast that your house is going to be empty, especially when you’ve also been showing off a nice shopping list of jewellery, bikes etc. in the previous months…
Thought you’ve been smart and pixelated sensitive data in images? This can be recovered with software such as Depix, so block it out instead, and ensure the image is flattened (PDFs and PSDs keep layers, so the sensitive data is still accessible underneath).
Personal information makes for crap passwords
If it isn’t already clear from the above: using your name, mother’s maiden name, name of your significant other, children, pets, hobbies, work, favourite team, car, car registration, house number, anything to do with years of birth of those, marriages, and all the rest. They’re all utterly lousy passwords. Admittedly they’re better than the most commonly used passwords (123456, qwerty, password etc.), but ultimately still lousy, as 10 minutes scrolling through your social media will have them all but 90% guessed.
Stop writing passwords out in full
I know a password manager isn’t for everyone, and some even turn to those password books, and if you do: a) invent some stronger passwords, b) stop writing them out in full.
So often I see these and it’s page after page of
Apple – email@example.com – Password1
BT – firstname.lastname@example.org – Password1!
Argos – email@example.com – Password1
So anyone who picks up the book knows your full password system and your email from one page, or one photo of said page. If you just put
Apple – m…..@e……. – P______ 1
BT – m….@e…… – P_____ !
etc., usually these are enough of a hint that you know what they are, your partner probably knows them, but it’s useless to any Tom, Dick or Harry that picks the book up.
I would also implore you to use a variety of passwords and numbers, as nearly everyone still basically uses the word they started with, capitalised, with a 1 on the end, and an ! on the end of that to comply with the newer systems that require a special character. Those that think they’ve been really clever use either their house number or the last two digits of their year of birth, again easily findable. So it’s worth remembering that a bruteforce attack can typically crack a dictionary-word password in minutes, and adding a number and a symbol takes it to a whopping half hour.
To cook up a stronger but simpler system, you could express your passwords and numbers using just the first character of each word, and hints for the numbers.
So in this example the words used are Alligator, Crocodile, and Elephant, and the number hints are house number, last digits of landline, and last digits of dad’s mobile, so these would be Alligator31!, Crocodile27 and Elephant39 respectively. I should of course point out these aren’t the last digits of any of my numbers or addresses, and as I said above using such info is poor practice, but baby steps.
To make them much more secure, you could then use multiple words and multiple numbers together, and also not follow the forever used pattern of word followed by a number and a character on the end. So if you now used half a dozen words with half a dozen numbers, in various locations, your password system goes from 3 or 4 guessable passwords to a combination of over 1000 passwords, hidden much more securely.
So for example DM-AE-LL* would tell you it was Dad’s mobile, Alligator, Elephant, Landline, *, or 39AlligatorElephant27*.
Run these through a Password Test website and it’ll show the difference this makes between a standard password, multiple words & numbers, and one generated by a password manager.
So we can quickly see that adding a second word & number set increases your password strength hugely. The password manager generated password still trumps it and is ultimately my recommended solution, but both are well into the realms of properly secure.
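To put numbers on the difference a password test site shows, the block below is an added example, not code from the post or from any password manager or cracking tool. It counts the candidates an attacker would have to try for each of the schemes above (a dictionary word plus digit and symbol, the Alligator31! shape, the two-word multi-number shape where the five tokens can sit in any order, and a 16-character manager-generated string) and shows what a manager actually does when it generates one. The dictionary size, symbol count and guess rate are assumptions stated in the code; absolute crack times depend on the hash and hardware, so the ratios between rows are the point, not the years column.

```python
import math
import secrets
import string

# Assumptions for the arithmetic (constructed; the post quotes no such figures):
WORDLIST = 50_000                 # words in the dictionary a cracker tries first
DIGITS = 10
SYMBOLS = 32                      # printable ASCII punctuation characters
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 characters
RATE = 1e9                        # guesses per second, an assumed offline attack rate


def pattern_space(words=0, digit_groups=0, digits_per_group=1, symbols=0, layouts=1):
    """Number of candidates for a 'dictionary word(s) + digit group(s) + symbol(s)' password.

    layouts = how many token orderings the scheme allows; 1 is the classic
    word-then-number-then-symbol shape that cracking rules try first.
    """
    return (WORDLIST ** words
            * DIGITS ** (digit_groups * digits_per_group)
            * SYMBOLS ** symbols
            * layouts)


def random_space(length, alphabet=ALPHABET):
    """Candidates for a manager-generated password: every character independent and uniform."""
    return len(alphabet) ** length


def bits(space):
    return math.log2(space)


def years_to_exhaust(space, rate=RATE):
    return space / rate / (365 * 24 * 3600)


def generate(length=16, alphabet=ALPHABET):
    """What a password manager does: draw each character from a CSPRNG, not from memory."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# The schemes from the post, in increasing order of effort to build.
SCHEMES = {
    "Password1! (word + digit + symbol)":
        pattern_space(words=1, digit_groups=1, symbols=1),
    "Alligator31! (word + 2 digits + symbol)":
        pattern_space(words=1, digit_groups=1, digits_per_group=2, symbols=1),
    "39AlligatorElephant27* (2 words + 2x2 digits + symbol, 5 tokens in any order)":
        pattern_space(words=2, digit_groups=2, digits_per_group=2, symbols=1,
                      layouts=math.factorial(5)),
    "16-char manager-generated":
        random_space(16),
}


def report():
    """Return (name, bits, years) rows so the jump between schemes is visible side by side."""
    return [(name, round(bits(space), 1), years_to_exhaust(space))
            for name, space in SCHEMES.items()]


if __name__ == "__main__":
    for name, b, years in report():
        print(f"{b:6.1f} bits  {years:12.3g} years  {name}")
    print("manager-style sample:", generate())
```

The single-word rows come out in the twenties of bits whatever the exact dictionary size, the two-word any-order row jumps by roughly thirty bits, and the generated 16-character string is past a hundred; each extra bit doubles the work, which is why the test site shows the gap it does.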
Don’t share logins/passwords together
This goes almost back to medieval times as a way to better security. How do you stop your strong boxes being broken into in transit? Stop sending along the man with the key to them…
But if you need to share your login for something (your better half needs it, or a colleague wants it), do not send them together in a non secure format. I received a nice secure zip file of passwords recently; the password for this followed 30 seconds later in a second email. It doesn’t take much of a hack to put the two together. Instead send them via different methods, and without any reference in the passwords to what they are. So for example email “the login the email used is firstname.lastname@example.org”, and twenty seconds later send a text saying nothing but the actual password, so they’re very difficult to link later, and impossible if you do the sensible thing and both delete the text once read. Or you can use sites such as Share a Secret or Password Link which send an email to the recipient with a secured password, but they’re only valid once, and typically expire after a set number of days, so once they’ve been read they can’t be used by a 3rd party at a later date to gain access.
Change hardware default passwords
First job for any new piece of kit in the building connected to the internet: change the password. Nearly everything on your network will use the user admin, and 80% of them will use one of admin/password/12345/sky/netgear as the password, so anyone with access to your network can get in within seconds.
Don’t use default usernames either
Websites, servers, computers or any other online device (NAS, CCTV, doorbell?). Most of these will be installed with a default username of admin or root etc., so again a great form of defence is to change this, as a bruteforce attack will spend all day trying the user admin with a thousand different password combos, so even with a weak password the device/website will be protected simply by not using admin as a user.
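The “all day trying the user admin” behaviour is also what makes these attacks easy to spot in a device’s own logs. The block below is an added example, not code from the post or from any product: it parses constructed sshd-style “Failed password” lines (the 203.0.113.0/24 addresses are a documentation range, the hostnames and usernames are made up), counts failures per source address, and reports how much of each burst was aimed at default account names, which is the share that a renamed admin account turns into wasted guesses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd-style log lines, not from any real host.
SAMPLE_LOG = """\
Mar  3 10:01:02 nas sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:03 nas sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:04 nas sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:05 nas sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51125 ssh2
Mar  3 10:01:06 nas sshd[2001]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:01:07 nas sshd[2001]: Failed password for root from 203.0.113.7 port 51127 ssh2
Mar  3 10:05:00 nas sshd[2010]: Accepted publickey for nasowner from 192.168.1.20 port 49000 ssh2
Mar  3 10:06:10 nas sshd[2011]: Failed password for nasowner from 192.168.1.20 port 49001 ssh2
"""

# 'invalid user' appears when the account does not exist at all on the host.
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
DEFAULT_NAMES = {"admin", "root", "administrator", "user"}
THRESHOLD = 5  # failures from one address before we call it a brute-force run


def parse_failures(log_text):
    """Map source address -> Counter of usernames that failed from it."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip


def flag_bruteforce(log_text, threshold=THRESHOLD):
    """Return {ip: summary} for addresses at or over the failure threshold."""
    report = {}
    for ip, users in parse_failures(log_text).items():
        total = sum(users.values())
        if total < threshold:
            continue
        default_hits = sum(n for u, n in users.items() if u in DEFAULT_NAMES)
        report[ip] = {
            "failures": total,
            "usernames": dict(users),
            "default_name_share": default_hits / total,
        }
    return report


if __name__ == "__main__":
    for ip, info in flag_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 203.0.113.7 is flagged with six failures, every one against `admin` or `root`, while the owner’s single typo from the LAN address stays under the threshold. On a device where the admin account has been renamed, that whole burst is guesses against a username that does not exist, which is the protection the paragraph describes.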
I hope this information helps. It isn’t exhaustive, and for those that have Password1 on a post-it stuck to their monitor it probably looks like utter paranoia, but each year the hackers and scammers up their game, so we have to do all we can to stay as far in front of them as we can.