Thought for the weekend…
This week the security world was hit by vulnerability after vulnerability after vulnerability. Or at least that’s what it felt like.
We’d barely finished with the news that another retailer, Kmart, had suffered a breach before Sandworm started burrowing through defences, POODLE ran amok and finally we ended the week being hit by DrupAgeddon!
In the middle of all of this were reports that Snapchat and Dropbox were hacked – a fact strongly denied by both. So what does that mean to you and me?
It’s further confirmation that the internet, and cloud particularly, is hostile – if we needed more corroboration.
Using Dropbox as illustration, the company is adamant that its systems weren’t breached, but that attempts were being made to break into user accounts from credentials liberated from ‘unrelated services’. How did that happen? Someone, somewhere, let their defences slip and a vulnerability was exploited – Heartbleed last year, ShellShock last month, or Poodle this week.
But that doesn’t mean we should run and hide behind our sofas. We just need to wise up and get cleverer.
The virtual skeleton key
Reusing credentials for numerous sites facilitates the type of attack Dropbox experienced this week.
As an analogy – which I always like to use as it helps my mum understand what I’m talking about, it’s akin to a set of keys being found in a car park and someone trying all the cars in the vicinity to find which it belongs to. Now, thankfully for us, car manufacturers tend to make one key that fits one lock. But if the set of keys fitted numerous locks, suddenly the finder of the keys has more than one vehicle to rifle through.
And that’s what happens when users use the same credentials for numerous sites online – create one key and then fit the same lock to everything. Not very sensible! Take that a step further and if the same username and password combo is used for both business and pleasure then suddenly the ‘loot’ on offer multiplies.
When I mention this to my non-tech friends, so I’m sure it’s the same within any enterprise, I’m often met with the response ‘how am I supposed to remember lots of different passwords’? Well, that’s fine but don’t come crying to me when your naked selfies get sent to your mum!
For those that do want to actively work with the security teams striving to protect dignity there are some simple tips.
Troy Gill, AppRiver’s senior security analyst suggests, “It is always a good idea to change your password whenever something like this comes along. If you are using Dropbox to store anything that you would not want shared publicly, then you should by all means enable “two step verification” in your account.”
However, for those sites where two-factor authentication isn’t an option a strong password is what’s needed. And it doesn’t have to be complicated to create a unique ‘key’ for a number of different sites. Combining a static element with a unique creation can be strong, yet really easy to remember. For example, say for an Apple account, and a Gmail account – you could add four digits to a word you associate with each, thus creating a unique code:
‘5793Fruit’ would be Apple’s password and ‘5793Spam’ could be Gmail – simples!
If you’ve not done it yet, I suggest you (or you request your users) remove any thing ‘explosive’ stored online (such as naked selfies) and then start changing the locks on all virtual doors.
Till next week, stay safe.
By Dulcie McLe
rie