Some time ago I gave the staff here a “brown bag” presentation on the shifting nature of security and how the triple threats of complexity, extensibility, and connectivity meant that threats to data security were going to be around for the foreseeable future.
A simple computer, like a hand-held television remote, is easier to write clean code for, and if security measures are ever needed (which they probably will be one day!) it should be easier to lock down than something extraordinarily complicated like this computer (which is currently running… 44 processes, that I KNOW of!). So the complexity of a device in part determines how vulnerable the device is to attacks.
Extensibility just means that you can add or remove software or hardware on the device. Taking away that ability is one of the keys to network security and is why most network admins limit user rights to install third-party software. This doesn’t prevent things like buffer overflow attacks (which are a means of elevating user privileges) or brute-force password cracks, but it does prevent casual and even some intentional compromises.
Connectivity is the third rail; it’s the thing that powers most modern data safety issues. Since our computers are always connected to the internet, the opportunity for attack and the spread of infection increases exponentially. In the old days we had computer viruses, but to get them and transfer them you usually had to use a vector like a floppy disk (though IRC was a vector too). Now that we are all connected all the time, we are the vector.
All that is to say that (technologically) viruses, cracking, and hacking are going to be with us for the foreseeable future. In fact, we are seeing attackers jump from device to device; as our cell phones become more complex, more connected, and more extensible they are naturally becoming the new platform for attacks.
But technology is nothing compared to good ole-fashioned human interaction, as evidenced by the now infamous crack of Sarah Palin’s email account. This cracker got into her account simply by answering the secret question that her email provider asks when someone says they have “lost” the password to the account. Since she’s a public figure and has given many speeches which include a lot of details about her private life, she made the mistake of telling people where she and Todd met. This just so happens to be the secret question on her Yahoo mail, and the kid was able to crack her password, reset it and download all her mail.
But you don’t have to be a public figure for this to happen to you. You could have a disgruntled co-worker crack your email account; they probably know a ton about you, and I’d be willing to guess that they know the answer to at least one of your “secret” questions. Do they know what your dog’s name is? Probably. You might even publish the name of your dog on your Flickr account, or your daughter’s name, and so on.
What I’m getting at is that security is important and keeping some things secret in this day and age is an important part of that security.
One other important way to keep passwords and the like safe is to never, ever, ever give them out over the phone or via email. Sure, the guy on the other end of the phone might sound like he works for IT, and he might even say something like “it looks like someone is breaking into your account, so we need to reset your password,” but any domain admin worth his weight in Mountain Dew can reset your password to whatever he wants without calling you first! So, never, ever, ever give someone your password over the phone and, of course, the same goes for giving out your password over email and so on.
The point of all this is that we are always going to be vulnerable; the nature of our technology makes it so by virtue of the fact that it is complex, extensible, and connected. But we are the real threat to data security, and there are practical things that we can do that will make us less vulnerable.
- Update your computer
- Get a virus scanner
- Install a firewall
- If you use Windows, make your every day account be a power user and create a special admin user that you use to install software
- Change your email challenge questions to something more private
- Assume that email isn’t private
- Never give your username and password out to anyone, ever.
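The “separate admin account” item above, worked through as an added example that is not part of the original post. It assumes a current Windows 10/11 machine with the built-in LocalAccounts cmdlets, an elevated PowerShell prompt, and placeholder account names; a standard user is the modern equivalent of the post’s “power user” day-to-day account.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 with the
# built-in Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt.
# Account names are placeholders; replace them with your own.

$DailyUser = 'alice'          # the account you log in with every day
$AdminUser = 'alice-admin'    # the separate account used only to install software

# 1. Check: is the day-to-day account currently a local Administrator?
#    Get-LocalGroupMember returns names like COMPUTERNAME\alice.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$dailyIsAdmin = [bool]($admins | Where-Object { $_ -like "*\$DailyUser" })
if ($dailyIsAdmin) {
    Write-Host "$DailyUser is a member of Administrators; it should be a standard user."
}

# 2. Create the dedicated admin account if it does not exist.
#    The password is prompted for, never embedded in the script.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AdminUser"
    New-LocalUser -Name $AdminUser -Password $pw -Description 'Software installation only' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}

# 3. Demote the day-to-day account, but only once the admin account is confirmed
#    to be in Administrators, so you are never locked out of administration.
$adminOk = Get-LocalGroupMember -Group 'Administrators' -Member $AdminUser -ErrorAction SilentlyContinue
if ($adminOk -and $dailyIsAdmin) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue
}

# 4. Verify: only the dedicated admin account (and built-in Administrator) should remain.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

From then on, keep logging in as the day-to-day account and enter the admin account’s credentials only when a User Account Control prompt asks for them during an install.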
If you do those things you will be doing your part to ensure the safety of your data and everyone else’s.