10 September 2009
As always, a company’s security is only as good as its weakest link. Often, social engineering is the easiest way in for someone who wants to steal passwords or account information. Password reset procedures are pretty bad, too (“What is the name of the street where you grew up?” Give me a break).
Here is a sad combination example. I doubt the companies discussed are outliers in terms of their security standards.
17 July 2009
Curious about the web’s most dangerous search terms?
The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.
What makes a webpage dangerous?
- Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated changes to the downloading computer
- Browser exploits—Also known as a drive-by download, this type of malicious code enables viruses, keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
- Email practices—Registration forms and other sign-ups that result in high volume email, highly commercial email or both. We also test for difficulty unsubscribing.
- Phishing—Scam sites that try to trick visitors into believing the site is legitimate
- Excessive popups—Sites that engage in aggressive popup behavior or display large numbers of popups
- Linking practices—Sites that aggressively link to other red- or yellow-rated sites
The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.
22 June 2009
Any site that asks for a username and password pertaining to another site should raise red flags for you, but apparently contact scraping is getting results:
Once you enter your credentials, like your [email] user name or password, the company sweeps through your contact list and sends everyone an invitation to join the site.
Nothing new here, but the tactic can be tough to spot. Facebook has nearly tricked me into giving up all of my email contacts a couple of times.
5 June 2009
Here’s the story:
Who among us doesn’t love a good hack? After putting forth a $10,000 come-and-get-us challenge, it’s possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz’s Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.
Once again, it’s worth pointing out that there is no such thing as perfect security. You have to choose a level that is good enough. It can be uncomfortable to know and accept that your email account could get hacked, but there’s no way around it. All you can do is decrease the chances in a way that doesn’t cramp your style too much.
I advocate cramping your style a bit more than others in your category of “target juiciness”. If you have typical assets to protect, put just a bit more effort into security than the typical person. If you are atypical, put just a bit more effort into security than those with your level of assets.
26 May 2009
If your secret question is easier to guess than your password, your password is effectively useless. From the abstract of a recent Microsoft research paper:
All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers.
Since you often need to provide answers to secret questions when signing up for online accounts, I suggest using random strings like “lJOcK6gS”, a different one for each question and each site. You can employ something like Password Safe to generate those strings and store them.
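Here is an added example (not code from the original post, and not from Password Safe or any of the webmail providers named above) of what “random strings as secret answers” looks like in practice. It generates answers from a cryptographically secure source, checks them before storing, and puts a number on why they beat real answers: the study above found acquaintances guessed 17% of real answers, whereas a uniformly random eight-character alphanumeric answer carries about 47.6 bits of entropy. The in-memory vault and the question list are hypothetical stand-ins for a real password manager.

```python
import math
import secrets
import string

# Alphabet for generated answers: upper, lower and digits, as in "lJOcK6gS".
ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_answer(length: int = 8, alphabet: str = ANSWER_ALPHABET) -> str:
    """Generate a random secret-question answer.

    Uses the secrets module (OS CSPRNG), never random.random(), whose
    output is predictable to anyone who observes a few values.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of this length over the alphabet."""
    return length * math.log2(alphabet_size)


def guess_probability(attempts: int, length: int, alphabet_size: int) -> float:
    """Chance an attacker hits a uniformly random answer within N guesses."""
    return min(1.0, attempts / (alphabet_size ** length))


def is_valid_answer(answer: str, length: int = 8, alphabet: str = ANSWER_ALPHABET) -> bool:
    """Vet an answer before storing it: right length, only alphabet characters."""
    return len(answer) == length and all(c in alphabet for c in answer)


def build_vault(questions, length: int = 8) -> dict:
    """Hypothetical in-memory vault mapping each question to a fresh random answer.

    A real password manager encrypts this at rest; this stand-in only shows
    that every question gets its own independent answer.
    """
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions, typical of webmail reset flows.
    questions = ["Street where you grew up", "Mother's maiden name", "First pet"]
    vault = build_vault(questions)
    for question, answer in vault.items():
        assert is_valid_answer(answer)
        print(f"{question!r}: {answer}")
    print(f"Entropy per answer: {entropy_bits(8, len(ANSWER_ALPHABET)):.1f} bits")
    # Contrast with the study's 17% acquaintance guess rate on real answers:
    print(f"P(5 guesses hit a random answer): {guess_probability(5, 8, 62):.2e}")
    print("P(acquaintance guesses a real answer, from the study): 0.17")
```

The point of `guess_probability` is to make the comparison concrete: a reset flow that allows five attempts against a real answer exposes you to roughly a one-in-six chance against someone who knows you, while the same five attempts against a random answer are hopeless. The remaining risk moves to wherever the answers are stored, which is why they belong in a password manager rather than a text file.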