
Upload: duongngoc

Post on 13-Feb-2017


Page 1: Want more tips? Download Perry's complete guide, which has

Driver’s Ed for the Info Superhighway

Perry Chaffee, VP of Strategy, WWPass

When we get on the information superhighway, too many of us are blissfully unaware of the hazards that come with seemingly universal internet connectivity. All of us are responsible for protecting ourselves, but how?

When we get on the actual highway there are plenty of things we’re aware we should and shouldn’t do while riding in a vehicle as drivers or passengers. When we get online, many potentially dangerous actions often seem harmless or even routine. Maybe that’s because using a computer, tablet or phone often seems less dangerous than using a car, but consider this:

Automotive Highway vs. Information Super Highway

License
  Automotive Highway: Required for everyone, and can be revoked if you break the law or endanger others.
  Information Super Highway: Not required or enforceable; it’s nearly impossible to stop prior offenders from getting back online.

Insurance
  Automotive Highway: Required for everyone to cover damages which might be caused to others.
  Information Super Highway: Not required / generally doesn’t exist.

Registration
  Automotive Highway: Required for all vehicles so owners are accountable for their vehicles.
  Information Super Highway: Not required / generally doesn’t exist. It can be difficult to track down the owner of a computer or phone.

Inspection
  Automotive Highway: Required for all vehicles to prove that they meet basic safety requirements and are not a danger to others.
  Information Super Highway: Not required. Even if your computer doesn’t meet basic safety standards, you can still go online. Worse yet, people can weaponize their computers/networks and get online with you.

Law Enforcement
  Automotive Highway: Public roads are patrolled by officers who by their presence deter criminals from doing things far more consequential than speeding.
  Information Super Highway: Because it transcends geographic borders and carries a massive volume of traffic, it’s very difficult for law enforcement agencies to effectively police the internet.

Accidents
  Automotive Highway: You could total one or more expensive vehicles and cause serious bodily harm or death for yourself and/or others.
  Information Super Highway: You could lose your life savings, destroy your credit, lose your home and/or property, lose your job, ruin your reputation, damage personal & family relationships, cost your employer billions, cause massive damages for or ruin the lives/reputations of millions of ordinary people. Though the outcome may not be as immediate or direct as an auto accident, your actions could ultimately lead to death either for yourself or others.

Longevity
  Automotive Highway: Actions and consequences usually happen in short succession and are reasonably well defined/understood.
  Information Super Highway: Information is now far more persistent/permanent and can come back to haunt you years after the original event which set the action into motion.


Sources:
https://www.theguardian.com/technology/2016/jul/10/pokemon-go-armed-robbers-dead-body
http://www.dailymail.co.uk/news/article-3208907/The-Ashley-Madison-suicide-Texas-police-chief-takes-life-just-days-email-leaked-cheating-website-hack.html

Indeed, using the information superhighway can be even more dangerous, and it’s important that the general public begin to recognize that and take action. Here’s where we can start:


1) Self-education & Situational Awareness:

In a recent article on LinkedIn, 19 security experts shared their top 3 tips and tricks for anyone to avoid some of those hazards. Many of them were repeated from one expert to the next. The most common tip could be summed up as “self-education and situational awareness – beware: trust no one.”

Advice: If terms like phishing, baiting, spoofing, social engineering, sniffing, keystroke logging, or brute-force attacks sound unfamiliar to you, it’s definitely worth it to spend a few minutes on Wikipedia arming yourself.

It’s also important to keep up with the times – especially with social engineering. As long as there’s value online, people will be trying to find new methods to steal or destroy it.

Sources:
https://www.linkedin.com/pulse/50-internet-security-tips-tricks-from-top-experts-aurelian-neagu
https://en.wikipedia.org/wiki/Security_hacker#Attacks
https://en.wikipedia.org/wiki/Social_engineering_(security)


2) Passwords:

Over half of these experts included advice like “create very strong & complex passwords, change them often, and never, ever reuse a password on another site or account.” Since most websites currently use passwords, that advice is applicable in today’s world. However, the average person has dozens of accounts – many have over 100. Keeping track of all those accounts and passwords is not reasonable for most people.

Passwords are fundamentally flawed. “Secure password” is an oxymoron. If it exists, it can be stolen, no matter how “strong & complex.” There are seemingly endless methods to steal them, and they can also be cracked.

Moreover, hackers who have already stolen hundreds of millions of usernames and passwords (and can now try them to access many totally unrelated accounts) have also stolen lists of answers to various security questions to go with them. This means that, even if you change your password and username on all your accounts, you may still be at risk unless you also do something to address the potentially compromised answers to those security questions. Basically, any business or website which isn’t using 2 Factor Authentication (2FA) and/or Multi-Factor Authentication (MFA) is putting you at risk.

Lastly, in a significant number of incidents involving compromised credentials, the credentials were not stolen but freely given. Social engineering & phishing are the primary concern, but in many situations it’s because the victim was exploited by someone they knew and trusted. Don’t give your passwords to anyone.

Advice: Until websites develop an alternate approach, using a password manager is a reasonable way to follow this expert advice. There are several to choose from, but be sure to select one which has 2FA and/or MFA.

Just keep in mind that password managers can be and are hacked. They’re really a Band-Aid solution for a critical problem. We need a dramatic paradigm shift (and soon!), but at the moment using a password manager is better than nothing at all.

Also, using your browser as a password manager is a bad idea. It might seem convenient to have your browser remember all your passwords – until someone accesses your computer remotely and uses that convenience against you.

Sources:
https://www.linkedin.com/pulse/50-internet-security-tips-tricks-from-top-experts-aurelian-neagu
https://www.linkedin.com/pulse/pesky-passwords-keeping-online-data-secure-timothy-robnett
http://www.itsecurityguru.org/2016/06/24/changing-your-password-regularly-wont-fix-the-problem-you-need-to-change-the-entire-password-security-system/
https://en.wikipedia.org/wiki/Password_cracking
https://www.washingtonpost.com/news/capital-business/wp/2016/10/17/one-billion-reasons-why-the-yahoo-cyber-breach-matters/
https://www.schneier.com/blog/archives/2016/07/password_sharin_1.html
http://forum.mensdivorce.com/viewtopic.php?f=2&t=12615


http://www.pcmag.com/article2/0,2817,2407168,00.asp
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
https://www.wwpass.com/weak-passwords-problem-recent-data-breaches-usernames-may-much-bigger-one/


3) Usernames:

According to the 2016 Verizon Report, over 63% of data breaches were the result of compromised credentials. There were 64,199 breaches reviewed in that report, and almost two-thirds of them were based on passwords – and usernames. That part is critical, and almost everyone is overlooking it!

Many of us can probably remember taking a math class where we had to solve an equation for unknown variables like “x” or “y.” It’s usually way easier to solve problems with only one unknown variable than with two or more. To a hacker, your password is just a variable. Your username is another variable. If you use the same username for all your accounts, you’re making it just as convenient for hackers as you are for yourself. Even if you follow expert advice about passwords, by using the same username for everything, you’re still vulnerable.

Now consider that many websites use your email address as your username. If a hacker knows your email address, they probably know your username on half the sites you regularly use. They’ve already solved half the equation, and unfortunately the other half isn’t too difficult to crack.

Sometimes security questions act as extra variables – but those often ask questions which can be answered through a little social engineering. Moreover, many of those answers may already have been compromised through previous breaches like Yahoo.

Advice: Use different usernames for different kinds of accounts. Don’t use the same usernames for banking, shopping, or social media.

Also use different email addresses for different kinds of accounts. Don’t mix online banking with online shopping or social media. This has the added bonus of helping you to stay more organized.

Lastly, use 2 Factor Authentication (2FA) and/or Multi-Factor Authentication (MFA) everywhere possible to help avoid username & password vulnerabilities.
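To make this advice checkable, here is an added example in Python (not part of Perry’s guide): a small audit over a constructed account inventory that flags a username or email address shared across different kinds of accounts, a password used on more than one site, and accounts with no second factor or only a texted code. The field names and the sample accounts are this example’s own assumptions; in practice the inventory would be an export from a password manager and never leave your own machine.

```python
from collections import defaultdict

# Constructed sample inventory (not real accounts). The field names are assumed
# for this example; a password manager export would need to be mapped to them.
ACCOUNTS = [
    {"site": "bank.example", "kind": "banking", "username": "jdoe",
     "email": "jdoe@example.com", "password": "Tr0ub4dor&3", "mfa": "app"},
    {"site": "shop.example", "kind": "shopping", "username": "jdoe",
     "email": "jdoe@example.com", "password": "Tr0ub4dor&3", "mfa": None},
    {"site": "social.example", "kind": "social", "username": "jd_88",
     "email": "jdoe@example.com", "password": "correct horse", "mfa": "sms"},
    {"site": "forum.example", "kind": "social", "username": "jd_88",
     "email": "other@example.net", "password": "battery staple", "mfa": None},
]


def audit(accounts):
    """Return the problems the guide warns about, keyed by finding type."""
    report = {"reused_username": {}, "reused_email": {},
              "reused_password": [], "no_mfa": [], "sms_only": []}

    # A username or email shared across *different kinds* of account hands an
    # attacker one of the two "variables" for every one of those accounts.
    # Reuse within a single kind (two social sites) is deliberately not flagged.
    for field in ("username", "email"):
        kinds_by_value = defaultdict(set)
        for a in accounts:
            kinds_by_value[a[field]].add(a["kind"])
        for value, kinds in kinds_by_value.items():
            if len(kinds) > 1:
                report["reused_" + field][value] = sorted(kinds)

    # A password used on more than one site lets a breach of one site be
    # replayed against the others.
    sites_by_password = defaultdict(list)
    for a in accounts:
        sites_by_password[a["password"]].append(a["site"])
    for sites in sites_by_password.values():
        if len(sites) > 1:
            report["reused_password"].append(sorted(sites))

    # Second factor: missing entirely, or only an SMS code.
    for a in accounts:
        if a["mfa"] is None:
            report["no_mfa"].append(a["site"])
        elif a["mfa"] == "sms":
            report["sms_only"].append(a["site"])

    for key in ("reused_password", "no_mfa", "sms_only"):
        report[key].sort()
    return report


if __name__ == "__main__":
    for finding, detail in audit(ACCOUNTS).items():
        print(f"{finding}: {detail}")
```

Run as a script it prints one line per finding type; on the sample data the shared “jdoe” username and email across banking and shopping are reported, the two social accounts sharing “jd_88” are not, and the password reused between the bank and the shop is listed alongside the two sites with no second factor.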

Sources:

http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf
https://en.wikipedia.org/wiki/Password_cracking


4) Privacy

Does your weather app really need access to your camera, photos and microphone? Think about that for a second. Do you even know what apps on your phone have access to those things? Do you know what those apps do with that data? How do you know they’re not saving photos you took last night to blackmail you next year? It might sound paranoid, but how do you know they’re not spying on you?

Moreover, do you really understand what you’re giving up when you click that “Login with Facebook” button? As soon as you use this feature on site XYZ, you’ve basically agreed to give Facebook all your private info from site XYZ. Is that a good idea? I guess it all depends on whether or not you want to help a ~$350 billion publicly traded company spy on you. Many people view oil companies as giant, greedy, evil corporations while giving Facebook a thumbs up as a likeable, friendly secret-keeper. Earlier this year, Facebook was bigger than Exxon, and it could get much, much bigger. When oil was first discovered, people thought oil companies were great… Sure, right now Facebook may not seem like a big evil corporation to many people – but who knows what it will one day become.

Advice: Demand privacy with all your votes! Demand it at the ballot box! Demand it with your wallet! Demand it when you decide which apps to download and which services to use! You’re the only one who cares about your privacy. If you don’t protect it, no one else will. You may not think you’ve got anything to hide, but millions of victims of identity theft had similar opinions.

Also, assume your electronics are spying on you and look for ways to stop that.

Sources:

http://www.makeuseof.com/tag/how-to-protect-yourself-from-unethical-or-illegal-spying/
http://www.computerworld.com/article/2474851/android/android-google-knows-nearly-every-wi-fi-password-in-the-world.html
http://thenextweb.com/insider/2015/08/15/how-the-government-can-spy-on-you-and-what-you-can-do-about-it/
http://time.com/money/2902134/you-say-youd-give-up-online-convenience-for-privacy-but-youre-lying/
http://fortune.com/2016/02/01/facebook-value-exxon/
http://money.cnn.com/2016/04/28/investing/facebook-trillion-dollar-market-value/
https://www.phone.instantcheckmate.com/dialed-in/ways-hackers-can-use-your-smartphone/
https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point
http://www.vocativ.com/271029/pew-survey-digital-privacy-online/
http://www.bloomberg.com/news/articles/2016-07-20/the-not-crazy-person-s-guide-to-online-privacy
http://www.techtimes.com/articles/161364/20160527/how-to-stop-your-phone-from-spying-on-you-privacy-tips-from-edward-snowden.htm
https://www.theguardian.com/commentisfree/2015/feb/10/six-ways-tech-spying-how-turn-off


5) Single-Sign-On (SSO)

That “Login with Facebook” button – and other equivalents like Google, Twitter, LinkedIn, SalesForce – all provide the capability of signing onto all your accounts by signing on to just one account.

That’s a very convenient thing for a hacker to be able to do. Before people started using those methods to login, hackers could potentially need to steal or crack multiple passwords to get access to all your accounts. By using the wrong SSO provider, you’ve done them a favor I’m confident they’ll return in kind.

SSO is convenient, and with the right provider it can also be secure. However, unless the SSO provider is using 2FA and/or MFA, you’re creating a new vulnerability for someone else to exploit.

Right now the Facebook login asks for a username and password – but even their CEO can’t keep his safe. If Mark Zuckerberg had his credentials stolen, what makes you want to trust Facebook with all of yours?

Advice: Using a password manager is better than using popular social media sites for SSO. If you’re going to use SSO, make sure that a non-SMS based 2FA and/or MFA is a part of that process.

Sources:

http://www.computerworld.com/article/2989143/security/the-perils-of-single-sign-on.html
https://www.theguardian.com/technology/2016/jun/06/mark-zuckerberg-hacked-on-twitter-and-pinterest


6) Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

Don’t let the big words scare you – there are many ways you already do this.

Authentication is the way we determine someone is who they claim to be. There are many ways to do this, but they all fall into one of three categories:

(1) Something you have – ID/Credit/Debit Card, Phone with Software Token, Hardware Token, etc.

(2) Something you know – Username, Password, PIN, Security Question, etc.

(3) Something you are – Biometrics, Fingerprint, Retina Pattern, Voice, DNA, etc.

Websites that only require a username and password are only using one factor – and that’s not secure. Adding additional factors can improve security if done correctly.

First, it’s important to learn the difference between two-factor authentication (2FA) and two-step authentication (2SA). Many companies intentionally try to confuse the two in order to provide a greater sense of security. Two-factor requires something from two of the categories above, while two-step only requires different things from the same category but breaks them into separate steps, possibly on separate pages.

If your bank required you to login by inserting your debit card into a reader, then asked you for your PIN, that would be 2FA. However, if they merely ask you for a username and password, then ask a security question on the following page, that’s just two-step authentication. With 2FA, a hacker would need to steal your card to get in. With 2SA, they only need to guess your username, password, security questions, etc.

Second, many sites presently use text messages as a 2nd Factor, but the National Institute of Standards and Technology recently declared that practice insecure. Among those presently using SMS as a 2nd Factor: Facebook.
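Added example, not from the guide: a Python classifier that applies the three categories and the 2FA-versus-2SA distinction above to a login flow written as a list of steps, so you can tell whether a site’s “extra step” actually adds a second category. The credential-to-category mapping follows the three lists in the text; the credential type names, and counting a texted code as a weak “something you have” factor (following the NIST position mentioned above), are this example’s own assumptions.

```python
# Map each credential type to one of the three categories from the text. The
# type names are this example's own. An SMS code is counted as "have" (you
# must hold the phone) but is flagged as weak, per the NIST guidance cited.
CATEGORY = {
    "username": "know", "password": "know", "pin": "know",
    "security_question": "know",
    "debit_card": "have", "hardware_token": "have", "software_token": "have",
    "sms_code": "have",
    "fingerprint": "are", "retina": "are", "voice": "are",
}
WEAK_FACTORS = {"sms_code"}


def classify(steps):
    """Classify a login flow given as a list of steps, each a list of credentials.

    Returns (kind, categories, weak) where kind is one of:
      "none" (nothing asked), "1FA" (one category, one step),
      "2SA"  (one category spread over several steps),
      "2FA"  (two categories), "MFA" (all three categories).
    """
    credentials = [c for step in steps for c in step]
    if not credentials:
        return "none", [], []
    unknown = sorted(set(credentials) - set(CATEGORY))
    if unknown:
        raise ValueError(f"unknown credential types: {unknown}")
    categories = sorted({CATEGORY[c] for c in credentials})
    if len(categories) >= 3:
        kind = "MFA"
    elif len(categories) == 2:
        kind = "2FA"
    elif len(steps) >= 2:
        kind = "2SA"   # more prompts, but all drawn from one category
    else:
        kind = "1FA"
    weak = sorted(set(credentials) & WEAK_FACTORS)
    return kind, categories, weak


if __name__ == "__main__":
    # The two bank examples from the text, plus a username/password-only login
    # and a flow whose second factor is a texted code.
    flows = {
        "card reader, then PIN": [["debit_card"], ["pin"]],
        "username+password, then security question":
            [["username", "password"], ["security_question"]],
        "username+password only": [["username", "password"]],
        "username+password, then texted code":
            [["username", "password"], ["sms_code"]],
    }
    for name, steps in flows.items():
        print(f"{name}: {classify(steps)}")
```

The step structure matters: a username and password asked on one page is one factor, the same two plus a security question on the next page is 2SA, and only the card-reader-plus-PIN flow reaches 2FA. A texted code does lift a flow to 2FA by category, but the returned `weak` list names it so the caller can treat it as the text recommends.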

Third, many authentication tools are built on the same username and password system they’re intended to help fix. It’s another Band-Aid solution for a critical problem. Yubikey is an excellent example of this. Their key allows 2FA, but the underlying tech just replaces your username with a serial number on a hardware token.

Advice: Use strong 2FA and/or MFA everywhere possible. If you’re using a website or service that doesn’t have MFA, take a minute to contact them and recommend that they start using one. Organizations often adapt what they’re doing based on user feedback, but they’ll never know what you don’t tell them. I’ll make it even easier for you – just copy & paste this into your message:

“Hi there,

I like your website and think what your organization does is awesome. I’d like to think you care about my security and privacy just as much as you care about winning my business. However, I feel unsafe using your site because you use obsolete security measures like a username & password, and don’t offer any form of 2 Factor Authentication (2FA) or Multi-Factor Authentication (MFA) to protect users like me. Many huge, prominent companies are being hacked because they’re not doing enough to protect us, but I’m hoping you’re an exception. Please let me know when I can start using MFA to sign on to your site.


Thanks!

-Concerned User”

Sources:

https://en.wikipedia.org/wiki/Authentication
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/
https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920/
http://www.pcworld.com/article/2036252/how-to-set-up-two-factor-authentication-for-facebook-google-microsoft-and-more.html


7) Software Updates

They’re annoying, but there are plenty of even more annoying things. Sure, you might need to restart your computer or put your phone down for a few minutes, but if you put off important updates long enough, a hacker might turn your device into a useless brick and create plenty of other problems for you.

Think of it like getting your car an oil change or putting air in the tires. Of course there are other things you’d prefer to do with your time. Once you’ve had the experience of waiting for a tow truck on the side of the highway, I think you’ll agree that keeping your car maintained wasn’t as inconvenient as you thought. Now apply this perspective to all your electronics.

Advice: Check for software updates regularly and install them as soon as possible after they’re available. Those updates often patch critical vulnerabilities, so the longer you wait, the longer you’re at risk.

Sources:
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=tw&name=Gateways+to+Infection%3A+Exploiting+Software+Vulnerabilities


8) What you don’t know will kill you…

Most people, if they found a piece of candy on the street, wouldn’t pick it up and eat it. That’s pretty gross and possibly dangerous. But you’d be amazed how many people are happy to plug an unknown thumb drive or CD into their computer. Trust me, doing that is an excellent way to have a very bad day. Same with some of these other common practices:

- Connecting to Wi-Fi when you aren’t absolutely certain who is providing it. Even if you think you know, it’s super easy for hackers to set up an evil twin Wi-Fi network, so be careful… Don’t allow your phone or computer to automatically connect to anything but your trusted home/work network.

- Downloading the photos & attachments from emails when you don’t know and trust the sender. Actually, even if you do know, those could still contain viruses. If it’s suspicious, then call and ask them what it is first… Use an endpoint security solution like anti-virus to scan the attachment before opening it. Better yet, use a tool like Bromium to spin up a Micro Virtual Machine (VM) and open the file on the VM. If the file is malicious, it can either destroy your computer or a VM that you can just close – your choice.

- Clicking a link your bank sent you and giving your credentials to a spoof site. If your bank sent you a link, don’t click on it. Open your browser, go to their website manually, and login to navigate to whatever it is they want you to see. If your bank calls you to notify you of identity theft, tell them you’ll call them right back, then go to their website, look up their help desk number and call it.

- Leaving NFC turned on when you’re not using it.

- Leaving Bluetooth turned on when you’re not using it.

Also: When you’re not using your webcam, cover it up. When you’re not using the USB ports on your computer, physically block them. Physical security is a thing. Try not to ever step away from your computer or phone in a public place. If you absolutely must, make sure that:

- You’ve locked it or (better yet) turned it completely off.

- Someone you know and trust is physically there watching it until you get back.

Advice: Doing all these things is not paranoia, it is “common” sense.
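As an added example (not from the guide), here is a Python check that performs the comparison the bank-link advice above asks you to make by hand: it extracts the host a link actually leads to and compares it with the bank’s known domain, so a link is trusted only when it is HTTPS and points at that domain or one of its subdomains. The trusted domain bank.example and the sample links are constructed for illustration; the real domain is the one you look up yourself, as the text recommends.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the domain you would look up yourself; not a
# real bank.
TRUSTED_HOST = "bank.example"


def link_goes_to(url, trusted_host=TRUSTED_HOST):
    """Return (ok, detail).

    ok is True only when the link uses https and its host is trusted_host or a
    subdomain of it. detail is the host the link really points at (or the
    reason it was rejected), which is what you compare against the address
    you know for the bank.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":          # urlsplit lower-cases the scheme
        return False, f"not https (scheme {parts.scheme!r})"
    # .hostname is lower-cased and drops any "user@" prefix and port, so text
    # placed before an @ sign is not mistaken for the destination.
    host = (parts.hostname or "").rstrip(".")
    if host == trusted_host or host.endswith("." + trusted_host):
        return True, host
    return False, host


if __name__ == "__main__":
    # Constructed sample links of the kinds that turn up in email: two that
    # really belong to the bank, one plain http, and two whose text mentions
    # the bank but whose host is somewhere else.
    for link in [
        "https://bank.example/login",
        "https://online.bank.example/alerts",
        "http://bank.example/login",
        "https://bank.example@accounts.example.net/login",
        "https://bank.example.accounts-verify.example/login",
    ]:
        print(link_goes_to(link), link)
```

The two rejections at the end are the important ones: the bank’s name appears in both links, but `hostname` reports `accounts.example.net` and `bank.example.accounts-verify.example`, neither of which is the bank. Reading the host this way, rather than scanning the link text for a familiar name, is the mechanical version of “go to their website manually.”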

Sources:

http://miami.cbslocal.com/2014/09/23/how-hackers-are-using-free-wi-fi-to-hack-your-phone/
http://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/
https://www.theguardian.com/technology/2016/jun/22/mark-zuckerberg-tape-webcam-microphone-facebook


9) Mitigate Offline Risks

Each year direct mailing companies turn whole forests into junk mail to fill recycle bins and trash cans around the world. Dumpster diving is a form of social engineering, but if you move and don’t update your address, the person who shows up behind you might not need to go to that extreme.

If you’d like to save a tree somewhere and simultaneously prevent someone from opening up credit cards or taking out loans in your name, you might want to turn off the steady flow of junk mail that floods your physical inbox.

Stealing someone’s online identity is like solving a puzzle where each piece is a variable. The more variables you give away, the easier you make it for them. The junk mail that goes to your physical mailbox can cause just as many problems as some of the files attached to the spam that goes to your online inbox.

Advice: Update your address with USPS, your banks, employers, healthcare providers, and any other important accounts every time you move.

Sign up for electronic delivery everywhere possible.

Opt out of senseless tree-murder.

Make sure anything sensitive goes through a shredder on its way to the recycle bin.

Sources:

https://moversguide.usps.com/icoa/home/icoa-main-flow.do?execution=e1s1&_flowId=icoa-main-flow
https://www.consumer.ftc.gov/articles/0262-stopping-unsolicited-mail-phone-calls-and-email


10) Drive only one vehicle at a time

Phones killed ~3,179 Americans and injured ~431,000 more in 2014. Phones are dangerous. To put that in perspective, guns injured and killed a combined total of 35,626 Americans during that same time. Guns are obviously deadly, but phones are deadly too.

Put your phone down when you’re driving.

The internet is everywhere, data is everywhere, and satellites are spinning around in the sky beaming all the things everywhere all the time. The Matrix is real, and your phone is connected to it. Remember that, and don’t let the Matrix kill you.

There is literally nothing that can come from the little electronic box you carry around with you all day that is worth endangering your life or the lives of others.

Trying to drive on the information superhighway while also trying to drive on the actual highway is more dangerous than pretty much all of the stuff on this list combined. We often tend to worry about things that are unlikely to happen to us and ignore the things that are much more likely. If you ignore everything else on this list, at least do us all a favor and put your phone down while you drive.

Also remember that your body is a vehicle too – don’t forget to look where you’re walking. In 2014, over 3,500 emergency room visits were due to “deadwalkers.” Moreover, many criminals target people who are distracted with their phones. Recently some even used Pokémon Go to lure victims into a trap.

Last week I watched someone cross a busy intersection on a bicycle, without a helmet, going the wrong way in traffic, and while typing something on his phone. Don’t be that guy.

Advice: Identify the most important/dangerous thing you’re doing at any given moment and focus on that. Don’t try to multi-task. If the text/email is really that important, then pull over and stop to focus on it. Watch where you walk and pay attention to the world around you – the cyber world can be a dangerous place, but so is the one you physically live in.

Sources:

http://www.distraction.gov/stats-research-laws/facts-and-statistics.html
http://www.huffingtonpost.com/2015/06/08/dangers-of-texting-and-driving-statistics_n_7537710.html
http://www.gunviolencearchive.org/tolls/2014
http://www.textinganddrivingsafety.com/texting-and-driving-stats
http://listverse.com/2015/03/23/10-common-things-that-are-far-more-dangerous-than-the-things-you-actually-fear/
http://www.healthline.com/health-news/tech-texting-while-walking-causes-accidents-031014#1
http://www.wsj.com/articles/texting-while-walking-isnt-funny-anymore-1455734501
https://www.washingtonpost.com/local/trafficandcommuting/eyes-down-minds-elsewhere-deadwalkers-are-among-us/2015/09/27/a3ad1da2-51bb-11e5-8c19-0b6825aa4a3a_story.html
https://www.bu.edu/today/2010/cell-phones-a-dangerous-distraction-at-night/
https://www.theguardian.com/technology/2016/jul/10/pokemon-go-armed-robbers-dead-body


About the Author:

Perry Chaffee is the VP of Strategy for WWPass, a cybersecurity firm specializing in Identity Access Management and Advanced Multi-Factor Authentication designed to improve both security and by eliminating Human Readable Credentials. Contact him today if you’d like to learn more.