By Gavin Reid, Vice President/Threat Intelligence, Lancope
For National Cyber Security Awareness Month there are a couple of relatively easy things that I highly recommend if you want to improve your personal cyber safety. These important protections are readily available but not well documented.
One of the biggest cyber security problems affecting users today is the reuse of easy-to-guess passwords across multiple sites. All it takes is for one site to be compromised and the hackers can then use your password to log into others. This process is often automated and run against all sites. To combat that, make sure you have a unique password for each site. No one can remember multiple unique complex passwords, so invest in a tool like RoboForm or 1Password to manage these passwords and keep them safe. Once you have installed a good password manager, go back to each site you use, replace your common password of “petname123” and let the password manager create a long and complex password for you like “yott2&uv0ugs7.” Save that password and go on to change the next one. Set a complex password that you DO remember for your password manager. It’s only one, and it can be recalled from memory.
Don’t be afraid of the cloud! Losing all of your newly-created complex passwords to a hard drive crash would be a terrible loss. Make sure you sync your password file in the cloud so you can access it across multiple devices (phones, tablets, laptops) and always have a backup. RoboForm has its own cloud storage built in and 1Password uses Dropbox or iCloud. Your password file is encrypted with AES, so even if someone somehow broke into the cloud provider and stole your password list, they cannot decrypt your passwords without the one complex password you committed to memory.
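To make the two points above concrete, here is an added example (written for this article, not code from the original post, RoboForm, 1Password or any other password manager) of what a vault does in principle: each site gets its own random password from a cryptographic random source, the list is serialised as JSON and sealed with AES-256-GCM under a key derived from the single master password with PBKDF2-HMAC-SHA256. The site names, the master password and the iteration count are constructed sample values and an assumed work factor, not any product's real settings.

```go
package main

// Added example: an encrypted password vault in principle. Site names, the
// master password and the PBKDF2 iteration count are constructed/assumed
// values for illustration, not taken from any real password manager.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+?."
const saltLen, nonceLen, iterations = 16, 12, 100000 // nonceLen: standard GCM; iterations: assumed

// GeneratePassword draws n characters uniformly from crypto/rand (never math/rand).
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit) // uniform, no modulo bias
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the example
// needs only the standard library; one 32-byte block is exactly an AES-256 key.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aeadFor derives the vault key from the master password and this blob's salt.
func aeadFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVault returns salt || nonce || ciphertext+tag; the salt is bound in as
// associated data so tampering with it is detected like any other change.
func EncryptVault(master string, vault map[string]string) ([]byte, error) {
	plaintext, err := json.Marshal(vault)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per save
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := aeadFor(master, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{}, hdr...), nonce, plaintext, salt), nil
}

// DecryptVault fails with a GCM authentication error for any master password but
// the right one, which is what protects a copy stolen from the cloud provider.
func DecryptVault(master string, blob []byte) (map[string]string, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := aeadFor(master, salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, err // wrong master password or a tampered blob ends here
	}
	var vault map[string]string
	if err := json.Unmarshal(plaintext, &vault); err != nil {
		return nil, err
	}
	return vault, nil
}

func main() {
	vault := map[string]string{}
	for _, site := range []string{"bank.example", "mail.example", "shop.example"} {
		vault[site], _ = GeneratePassword(20) // constructed sample sites
	}
	blob, _ := EncryptVault("one complex master password", vault)
	_, err := DecryptVault("wrong guess", blob)
	fmt.Println("wrong master password rejected:", err != nil)
}
```

The design point is that the stolen blob alone yields nothing: the only way in is to run the key derivation for each guessed master password, and the iteration count is there to make each guess expensive. That is why the one password you memorise for the manager must be long.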
The next step to ensure you won’t be an easy victim is to set up two-factor authentication for some sites that are more important to your personal cyber security like Gmail, eBay and PayPal.
You may not have thought about it, but your personal Gmail account ties many things together. For example, if you use Gmail as the email address for your Amazon account and someone hacks your Gmail, they can force a password change to access your Amazon account. Similarly, your bank and many other systems may use your email as a way to allow password resets.
Criminals can also use your Gmail account to send out legitimate looking email requests for emergency help to all the people in your address book like the email below:
How you doing? I made a trip to London (United Kingdom) unannounced some days back, Unfortunately i got mugged at gun point last night! All cash, Credit card and phone were stolen, i got messed up in another country, stranded in London, fortunately passport was back in our hotel room. It was a bitter experience and i was hurt on my right hand, but would be fine. I am sending you this message cos i don’t want anyone to panic, i want you to keep it that way for now!
My return flight leaves in a few hours but Im having troubles sorting out the hotel bills, wondering if you could loan me some money to sort out the hotel bills and also take a cab to the airport about ($1,550). I have been to the police and embassy here, but they aren’t helping issues, I have limited means of getting out of here, i have canceled my credit cards already and made a police report, I wont get a new credit card number till I get back home! So I could really use your help.
You can contact the hotel management through this telephone number (+449444045232), you could wire whatever you can spare to my name and hotel address via Western union:
Name: John Hastings
Location: 201 Bunaby Street, Chelsea,
Your Gmail account plays an important part in your overall internet safety. It is very important you set a strong password and enable two-factor authentication. Here is how to do it:
- Log in to your Gmail account, then go to the following URL
- Click on “Get Started” then “Start Setup.” Enter the number for your phone and verify the number by entering the numeric code that Google sends to the phone by either text message or voice call.
- You can also choose to use the smart phone app Google Authenticator, which you would register through the same wizard shown above. To install Google Authenticator click here for iOS or here for Android. Either way works and will stop people from easily taking over your personal email (and of course your online identity!).
PayPal and eBay
If you use either of these services, they are high-value target accounts for crime. PayPal is especially problematic as it links directly (in most cases) to your bank account. eBay accounts, on the other hand, are often hijacked and then used fraudulently to sell nonexistent items, leaving the account owner to work out the mess. I highly recommend you protect yourself by setting up two-factor authentication for both accounts.
Setup instructions for PayPal:
Go to https://www.paypal.com/us/cgi-bin/webscr?cmd=_register-security-key-mobile
This will give you the option to set up a secondary authentication method. You have three choices. First, pay a small amount and they will ship you a small fob that provides one-time passwords to use as a second factor for your account (i.e. a hacker can’t get into your account just by guessing your password or resetting it). The second choice is more convenient if you have a smartphone: download the Symantec VIP Access program for smartphones. Or you can simply have PayPal send messages to your mobile, as we did with Gmail.
When you get the token software installed on your smartphone, authenticate it to your PayPal account and register its unique ID. Now when anyone wants to use your PayPal account, they will have to have both your username and password and the one-time token password your phone or fob would generate. Note: you can also tie this token to your eBay account.
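The one-time code that a fob, Google Authenticator or Symantec VIP Access shows is, in the common case, a TOTP value (RFC 6238): an HMAC over the current 30-second time slot, keyed with the secret that was shared when you registered the token's unique ID. The following is an added example written for this article, not code from Google, PayPal or Symantec; it uses the RFC 6238 SHA-1 test secret and the RFC's published test times, and the verification window of one slot either side is an assumed, typical server setting.

```go
package main

// Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), the scheme behind
// most authenticator apps and key fobs. Secret and times are RFC test vectors;
// the clock-skew window in Verify is an assumed typical setting.

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const timeStep = 30  // seconds per code, the usual authenticator-app setting
const codeDigits = 6 // what Google Authenticator displays

// HOTP computes the RFC 4226 code for one counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f) // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(code%mod), 10)
	for len(s) < digits { // leading zeros are part of the code
		s = "0" + s
	}
	return s
}

// TOTP is HOTP with the counter set to the current time slot.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/timeStep), digits)
}

// Verify checks a submitted code against the current slot and `window` slots
// either side (clock skew) in constant time. A code captured today is rejected
// tomorrow, which is exactly what a static password cannot offer.
func Verify(secret []byte, submitted string, unixTime int64, window int) bool {
	slot := unixTime / timeStep
	for d := -int64(window); d <= int64(window); d++ {
		if slot+d < 0 {
			continue
		}
		expected := HOTP(secret, uint64(slot+d), codeDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

// DecodeSecret turns the base32 string an enrolment QR code carries into key bytes.
func DecodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	for len(s)%8 != 0 {
		s += "="
	}
	return base32.StdEncoding.DecodeString(s)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test secret
	fmt.Println("8-digit code at T=59:", TOTP(secret, 59, 8)) // RFC vector: 94287082
	now := time.Now().Unix()
	code := TOTP(secret, now, codeDigits)
	fmt.Println("current code:", code, "accepted:", Verify(secret, code, now, 1))
}
```

Two things worth noticing: the shared secret never leaves the phone or fob after enrolment, so a password leak at the site does not expose it, and a code is only accepted for a minute or two, so someone who sees one code over your shoulder gains nothing lasting. SMS codes give the same time-limited property but depend on the phone network rather than a secret on the device.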
There was a lot of work to do to get to this stage. It is unfortunate that this process is obscure and not built-in or easier to enable. I am sorry to say that there is one more step if you use Gmail with any applications that auto-check email. I have several, such as the Microsoft Outlook client for Mac. These applications do the authentication automatically. For convenience, and with only a small security risk, I can use Gmail to set up application- or device-specific passwords. These fixed passwords can ONLY be used by the same app on the same device. You can do this by editing the “authorizing applications & sites” button in the Gmail account settings.
When you click edit, it will force another authentication then allow you to set up, manage and track application-specific passwords.
So that’s it. I wish it was easier, but these are a couple of steps that can make your internet identity much harder to abuse.