When browsing the Internet, how safe do you think your information is? Before you answer, let me remind you about that time Sony was hacked and 77 million accounts were stolen. “Oh, but that was a long time ago,” you’ll say. “Companies are more responsible now.” You’re right, they are. Instead of 77 million, only 6.5 million LinkedIn passwords were leaked to a Russian hacking forum this month. Yay progress!
Unfortunately, these attacks are increasingly common and it seems you can’t go more than a few days without yet another data breach reported. Accordingly, the real headline here wasn’t the fact that LinkedIn got hacked, but rather the amateur methods they used to protect the one piece of information you use to identify yourself: your password.
LinkedIn, eHarmony, and Last.fm were all the victims of password disclosure this month, and all of them, astoundingly, provided next to no encryption. They had all been storing your passwords as unsalted SHA1 hashes, which these days is about as good as storing the passwords in plain text thanks to various pre-computation attacks. With this kind of negligence, it’s not surprising to see various lawsuits already being filed.
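The gap between the unsalted SHA1 storage described above and a salted, deliberately slow hash, shown as an added Python example that is not code from any of the sites mentioned. The user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}

def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: a bare SHA-1 digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def precomputed_table(candidates):
    """Digest -> password map, built once and reusable against any unsalted dump."""
    return {unsalted_sha1(p): p for p in candidates}

def recovered_from_dump(dump, table):
    """Accounts whose stored digest appears in the precomputed table."""
    return {user: table[h] for user, h in dump.items() if h in table}

def hash_password(password: str, iterations: int = 200_000):
    """Hardened storage: random per-user salt plus a slow KDF.
    The iteration count is illustrative; tune it to your hardware."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def demo():
    weak_dump = {u: unsalted_sha1(p) for u, p in USERS.items()}
    table = precomputed_table(["password", "123456", "sunshine1"])
    cracked = recovered_from_dump(weak_dump, table)
    strong_dump = {u: hash_password(p) for u, p in USERS.items()}
    return weak_dump, cracked, strong_dump

if __name__ == "__main__":
    weak, cracked, strong = demo()
    print("alice and bob share an unsalted digest:", weak["alice"] == weak["bob"])
    print("accounts recovered by table lookup:", sorted(cracked))
    print("alice and bob share a salted digest:", strong["alice"][2] == strong["bob"][2])
```

Because every salted record carries its own random salt, a table computed in advance matches nothing, and identical passwords no longer produce identical stored values.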
Whether you want to protect your personal email, your business training videos, or company information, being able to trust that your information remains secure is important, and that trust is hard to come by. According to the Computer Security Institute, nearly half of the individuals surveyed had been the subject of at least one targeted attack.
Now before you go blaming me for spreading more FUD, the solutions to these problems are actually quite simple, so here are some ways to make yourself less of a target and keep your files safe:
Bad Fido: Tips to learn from Mitt Romney
Take the advice of presidential hopeful Mitt Romney: don’t trust your security to your dog. Your faithful pet might be doing a great job of protecting your home’s security, but he’s doing nothing for your Internet safety. Romney learned this the hard way when someone gained access to his Hotmail account simply by guessing the name of his favorite pet. Politicians and celebrities tend to get this one particularly wrong, but really anyone on Facebook could also fall victim. If someone can google your mother’s maiden name, or look up your high-school mascot, you should probably stop using these security questions. Your confidential files will thank you.
Here’s another lesson that can be learned from Romney: email accounts are particularly sensitive because password resets are sent there. The attacker didn’t just stop at Romney’s Hotmail account, but quickly moved to other services like Dropbox. Once an email address has been compromised, it’s trivial to reset the password for any other service associated with that email address. Are you using two-factor authentication in Gmail? You should be.
Switch it Up
And now for the lesson to be learned from the LinkedIn attack: don’t use the same password for everything. You might not panic if someone hacks your Twitter account with 12 followers, but when you’re reusing that same password, if any one of those sites is hacked, they all are. That’s why this LinkedIn breach has had such a big impact on corporate security. LinkedIn is a professional network tying your identity (and now, password) directly to the company where you work. Want to break into your competitor’s network? Scan the recent breach for the password of someone who works there, and log right in. Chances are, they’re using the same password everywhere.
It’s no wonder your company’s security team is quietly freaking out, resetting passwords and auditing logs. With password reuse so rampant, they have to assume every account on their network was already compromised and take action accordingly. Do yourself a favor: switch up your passwords for every website, using tools like LastPass and 1Password to do all the work for you. Seriously, it’s actually more convenient than not using them, and it keeps you safer. In the biz, we call that a win-win.
Pick the Right Security Setting
Lastly, if you want to improve the security of your personal or business files, give some thought to where and how you’re storing them. Just because a site gives you a funny-looking (i.e. hard to guess) URL to access and share that data doesn’t mean it’s actually safe. Last year, researchers discovered hundreds of thousands of “private” files on sites like RapidShare and wondered, if they were able to do so, how many others had been doing the same thing. They decided to set up a honeypot by uploading their own “private” files and seeing if anyone else accessed them. In just one month, their honeypot file was accessed almost 300 times, indicating that this URL weakness is already being exploited in the wild to collect files most users believe aren’t available for public viewing.
You aren’t alone in your quest for online security, and most sites with many different offerings (social media platforms included) currently allow users to set fine-tuned privacy and access controls for many different types of content. When these settings are available, all it takes is a little time and effort to make the simple changes needed to protect yourself.
What are some ways you protect your security online? Share them!