Think you’re not at risk? Think again…

One of the most common questions I get when I talk to non-IT-security people about user security online is “Why should I care? I’m not a target.”

This is wrong on so many levels and in this post I’ll try to explain why.

“I’m not a target”

So to analyse why this is wrong we need to understand the fundamentals of why someone “hacks” others.

I’ve chosen to put quotes around hack because I think the word has been abused by the media in recent years to the point where it has lost its original meaning.

Just like I wouldn’t call someone copy-pasting an article a journalist, I wouldn’t call someone guessing someone’s password a hacker.

In this analysis I’ll focus on identity theft. That doesn’t mean there are no other security risks or that I don’t know of other ways. It’s just that browsers tend to crash when they load a page with a couple of billion characters, and I doubt anyone would want to read that much anyway.


Hackers want all your information

It doesn’t matter if they get your cat’s name or your shoe size. When someone wants to pretend to be you, they’ll want to know everything about you.

So why would they want to pretend to be you? You’re not a very interesting person, you might say.

Maybe not, but you probably have something they can make money from. Bank account, Amazon account, Facebook, e-mail. The list goes on.

If they can get your bank account or Amazon account they can sell it to someone. If they can get your Facebook or e-mail account, they can phish the people you know for their information, or sell the account to spam networks.

In a world full of ads, companies pay for social media accounts that they can use. They can use your Yelp account to write fake reviews, or post status updates on Facebook about how nice the staff at Bill’s restaurant are or how you recommend that everyone buy the new fake Chinese iPhone.


“I don’t use social media”

Fair enough. Let me tell you a story about a person I met not too long ago who got his information leaked.

This person once got a call from the police saying they had caught a criminal gang outside his house waiting for the mail. “Why?” you might ask.

Because they had applied for a credit card in his name. A card which would be sent out by mail, with its PIN following a couple of days later.


But this couldn’t happen to you, could it?

Wrong.

Many countries publish their citizens’ most basic information, such as full name, phone number and address, and sometimes job and income.

If you live in the U.S. you can search for yourself on whitepages and if you live in the U.K. you can search on whitepages UK.


“I don’t have an address”

Okay. Some don’t have an address.

But you’re probably a citizen of some country.

Most countries in the world keep track of births and deaths. And while the thoroughness might vary from country to country, most countries at least write down all the names of the people involved.

For example, here in Sweden they record the parents’ names and the baby’s name, weight and height, issue the personal identity number (personnummer) and, soon after, the dog tag (so that in 18 years the baby can receive his or her military uniform and be taught how to say “I surrender” in Russian, which for anyone wondering is я сдаюсь).


I’m not any of the above

Then you have a medical condition called “mortuus est”, more commonly known as being dead.

The conclusion is that all of us are constantly at risk of ending up in the crosshairs of someone with shady motives.

You might wonder what the point of protecting yourself is, then. The answer is that while none of us is 100% safe from attacks, we can shrink our attack surface and thereby raise the skill and effort needed to attack us, which rules out most of the people who would otherwise try. If you put in 30 minutes now to replace weak or reused passwords, you might save 30 hours later calling around to companies where your identity has been used.

How much time to put into protecting yourself is something you have to judge for yourself, but the least you can do is take 10 minutes to map out your most basic points of vulnerability online.

If someone would gain access to your Facebook password, would they be able to access your e-mail? How many other accounts could they reset the password on if they had access to your e-mail?
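The questions above are really a graph question: each account that can reset or log in to another is an edge, and the damage from losing one account is everything reachable from it. The following is an added example (not from the original post) that models a made-up set of accounts and recovery links and ranks them by blast radius; every account name and edge in it is an assumption for illustration.

```python
"""Added example: rank your accounts by how much falls if each one is lost.
All accounts and recovery links below are constructed for illustration."""
from collections import deque

# Constructed recovery graph.  An edge A -> B means "having A lets you reset
# or log in to B": B's recovery address is A, B offers "Log in with A",
# A receives B's SMS codes, and so on.
RECOVERY_EDGES = {
    "phone":    {"gmail", "bank"},          # SMS reset codes land here
    "gmail":    {"facebook", "amazon", "bank", "patreon", "twitter", "carrier"},
    "carrier":  {"phone"},                  # carrier account can redirect the number
    "facebook": {"spotify"},                # "Log in with Facebook"
    "amazon":   set(),
    "bank":     set(),
    "patreon":  set(),
    "twitter":  set(),
    "spotify":  set(),
}


def blast_radius(start, edges=RECOVERY_EDGES):
    """Every other account an attacker can reach once `start` is compromised (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        acct = queue.popleft()
        for nxt in edges.get(acct, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)          # reaching yourself through a cycle is not extra damage
    return seen


def rank_accounts(edges=RECOVERY_EDGES):
    """Accounts ordered by blast radius, largest first; the top entries are the
    ones that most deserve a unique password and a second factor."""
    return sorted(((a, len(blast_radius(a, edges))) for a in edges),
                  key=lambda pair: (-pair[1], pair[0]))


def mutually_dependent(a, b, edges=RECOVERY_EDGES):
    """True when each account can (possibly indirectly) take over the other:
    losing either one means losing both, and an attacker who changes the
    recovery settings on both can lock you out of both."""
    return b in blast_radius(a, edges) and a in blast_radius(b, edges)


if __name__ == "__main__":
    for acct, size in rank_accounts():
        print(f"{acct:9s} takes {size} other account(s) with it: {sorted(blast_radius(acct))}")
    print("gmail and phone protect each other:", mutually_dependent("gmail", "phone"))
```

In this constructed graph the phone number, the carrier account and the mailbox each reach every other account, which is the usual finding: the "boring" accounts that nobody thinks of as valuable are the ones everything else hangs from.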

Patreon Security Breach

As you might know already, yesterday Patreon discovered they had been breached and personal information such as email addresses, shipping addresses, posts, names and password hashes were compromised.

Once again another security breach. There is both good and bad news here, though.

The Good News

The good news is that the passwords were stored with bcrypt, a hashing algorithm that is still considered strong.
bcrypt is a one-way hash rather than encryption, so there is no key that turns a hash back into the plain-text password. All an attacker can do is guess candidate passwords, hash each guess with the same per-user salt and compare, and bcrypt is deliberately slow to make every guess expensive.

The Bad News

The bad news is that nothing apart from the passwords was protected, so you can expect spam and phishing mail in the near future at the e-mail address you registered with. Names and shipping addresses were in the clear as well.

bcrypt also won’t hold up forever, since hardware keeps getting faster at computing hashes; that is why bcrypt has an adjustable cost factor that sites are supposed to raise over time. MD5 was once considered fine for passwords, but it is fast and was usually stored without a salt, so today you can paste the MD5 hash of a common password into Google and get the plain text back. That isn’t decryption: someone has simply hashed every common password in advance and built a lookup table.
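To make the difference concrete, here is an added example (not from the original post and not Patreon’s code) that builds two tiny constructed password dumps, one with unsalted MD5 and one with a per-user salt and a slow key-derivation function, and cracks both with the same wordlist. bcrypt is not in Python’s standard library, so PBKDF2-HMAC from `hashlib` stands in for it; the property that matters, a random salt plus a tunable work factor, is the same. The usernames, passwords and wordlist are made up.

```python
"""Added example: why a Google-able MD5 dump and a salted, slow bcrypt-style
dump are not the same thing.  All users, passwords and the wordlist are
constructed for illustration; PBKDF2 stands in for bcrypt."""
import hashlib
import os

USERS = {"alice": "password", "bob": "123456", "carol": "T7#kq2!vRm9xLp"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]   # a toy "top passwords" list
ITERATIONS = 2000   # work factor; real deployments use far more (bcrypt cost 12 is 4096 rounds)


def md5_dump(users):
    """Old-style storage: unsalted MD5.  The same password always yields the
    same hash, so one precomputed table cracks every site that stores it this way."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def salted_dump(users, iterations=ITERATIONS):
    """bcrypt-style storage: random 16-byte salt per user plus a slow KDF.
    Stored value is (salt, iterations, digest), as a real site would keep it."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def crack_md5(dump, wordlist):
    """Build the lookup table once (this is what 'googling the hash' amounts to)
    and recover every user whose password is in the wordlist.
    Returns (found, hash_operations)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: table[h] for u, h in dump.items() if h in table}
    return found, len(wordlist)


def crack_salted(dump, wordlist):
    """With a unique salt per user no table can be shared: every guess has to be
    re-derived for every user, and each derivation costs `iterations` rounds.
    Returns (found, kdf_invocations)."""
    found, ops = {}, 0
    for u, (salt, iters, digest) in dump.items():
        for w in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == digest:
                found[u] = w
                break
    return found, ops


if __name__ == "__main__":
    f1, ops1 = crack_md5(md5_dump(USERS), WORDLIST)
    f2, ops2 = crack_salted(salted_dump(USERS), WORDLIST)
    print(f"MD5:    cracked {f1} with {ops1} hash computations total")
    print(f"salted: cracked {f2} with {ops2} KDF calls x {ITERATIONS} rounds each")
```

Both attacks recover the two weak passwords; the salt and work factor don’t rescue “password” or “123456”. What they change is the cost: the MD5 table is built once for all users (and all sites), whereas the salted dump forces one slow derivation per guess per user, and carol’s random password is never found in either case.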

What lesson can we learn from this?

Once again a big internet site has been breached.

Hopefully Patreon will improve their security, but in most breaches it stops at measures aimed at the users, such as forced password resets.

The attackers got into Patreon’s servers, not into its users’ accounts, so the fix has to be on Patreon’s side: go over the servers, find out how the attackers got in, and bring in a security firm to harden them.

That said I have to admit Patreon have been far more transparent than most other companies are. Kudos to them!

I have reached out to Patreon to give more information on how the attack was done and what they’ll do to prevent further damage. I’ll update this post if/when they reply.


tl;dr

Patreon was breached and email addresses, shipping addresses, posts, names and password hashes were compromised. The passwords were hashed with bcrypt, which is still considered strong, so attackers cannot turn the hashes back into passwords in bulk. If your Patreon password was unique and reasonably strong there is no great urgency to change passwords everywhere else; if it was weak or reused, change it now, both on Patreon and on every site that shares it, because bcrypt only slows guessing down and does not make a weak password safe. Expect spam and phishing at the address you registered with.

Best practices against data-leaks

Google recently posted an article comparing how security experts and normal people stay safe online.

Here are my thoughts on how to stay safe:

1. Unique passwords

The most essential thing for not having all your data leaked is to never reuse a password.

If you reuse a password and one site that has it gets compromised, the attackers get access to every other site where you use that password.

The most common way for people to ‘hack’ you is to find ‘data dumps‘ containing your username and password and then try the same pair on big sites such as Facebook or Gmail. This is known as credential stuffing.

Done properly, this means you can’t possibly remember all your passwords yourself. Which brings me to the next topic.

2. Use a password manager

Password managers such as 1Password and LastPass are essential to our current digital lives. These programs not only store your passwords but also help you create new, good ones.

If you’d rather not use your password manager’s generator, you can use my password generator. It creates long random passwords which I guarantee no one will crack*.
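What makes a generated password “uncrackable” is not that it looks random but that it is drawn with a cryptographic random source from a large enough space. The following is an added example (not the author’s generator and not from the original post) that generates passwords and passphrases with Python’s `secrets` module and computes the entropy and the expected brute-force time, so you can see why 20 random characters or 6 words from a real diceware list hold up and 6 words from a 16-word list do not. The symbol set, the tiny word list and the guess rate of 10^12 per second are assumptions for illustration.

```python
"""Added example: generate passwords with a CSPRNG and quantify their strength.
The symbol set, the toy word list and the assumed guess rate are illustrative."""
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS        # 75 characters
# Constructed stand-in for a diceware list; a real one has 7776 words.
WORDLIST = ["anchor", "basil", "comet", "delta", "ember", "falcon", "garnet", "harbor",
            "iris", "jasper", "kelp", "lumen", "maple", "nova", "orbit", "pixel"]
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=20, alphabet=ALPHABET):
    """Every character is chosen by the OS CSPRNG via `secrets`, never by `random`,
    whose Mersenne Twister output is predictable from a few observed values."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=WORDLIST, sep="-"):
    """Diceware-style passphrase: strength comes from the list size, not the words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, pool_size):
    """Bits of entropy for `choices` independent picks from a pool of `pool_size`."""
    return choices * math.log2(pool_size)


def years_to_crack(bits, guesses_per_second=1e12):
    """Expected time to guess: on average half the keyspace has to be searched.
    1e12 guesses/s is an assumed rate for a fast unsalted hash on a GPU rig."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw = generate_password(20)
    pp = generate_passphrase(6)
    for label, bits in [
        ("20 random chars from 75", entropy_bits(20, len(ALPHABET))),
        ("6 words from toy 16-word list", entropy_bits(6, len(WORDLIST))),
        ("6 words from a 7776-word list", entropy_bits(6, 7776)),
        ("8 lowercase letters", entropy_bits(8, 26)),
    ]:
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years at 1e12/s")
    print("example password:", pw, "| example passphrase:", pp)
```

The time estimates assume an unsalted fast hash; against bcrypt the same passwords take orders of magnitude longer to attack, which is exactly why the work factor matters. The estimate is also an upper bound on what a generator buys you: it says nothing about a password the user then reuses on five sites.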

3. Two Factor Authentication

The most common factor of authentication is something you know, like a password. Two-factor or multi-factor authentication means using two or more different factors to authenticate.

The possible factors of authentication are:

  • Something you know (Like a password)
  • Something you have (Like a phone or the little RSA dongle you get from your bank)
  • Something you are (Like your iris, fingerprint or other things unique to your appearance)

@SwiftOnSecurity made a humorous image about this:

[Image: swiftonsecurity-mfa]

Image owned by @SwiftOnSecurity


If you want to know which sites support two factor authentication go to https://twofactorauth.org.
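The “something you have” factor most sites offer is a time-based one-time code from an authenticator app, which is just HMAC over a counter derived from the clock (RFC 4226 HOTP and RFC 6238 TOTP). Here is an added example (not from the original post) implementing both from the standard library, including the base32 secret format authenticator apps use and a verifier that tolerates one step of clock drift and compares in constant time. The 20-byte secret `12345678901234567890` is the published RFC test secret, not a real one.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) with only the standard
library, plus a drift-tolerant, constant-time verifier."""
import base64
import hashlib
import hmac
import struct
import time

# The RFC test secret (ASCII "12345678901234567890"); never use it for real.
RFC_SECRET = b"12345678901234567890"


def decode_base32_secret(text):
    """Authenticator apps show secrets as base32, often spaced and unpadded."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, dynamically truncate, take `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1, algo=hashlib.sha1):
    """Accept the current step and `window` steps either side for clock drift.
    Every candidate is compared so timing does not reveal which one matched."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        ok |= hmac.compare_digest(hotp(secret, c, digits, algo), str(code))
    return ok


if __name__ == "__main__":
    print("current 6-digit code for the RFC secret:", totp(RFC_SECRET))
    print("RFC 6238 vector for t=59, 8 digits:", totp(RFC_SECRET, for_time=59, digits=8))
```

A real server should also refuse to accept the same code twice within its window (store the last accepted counter), which the RFC notes but this example leaves out.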


4. Stay updated on data-leak news

Knowing which sites have been compromised is essential for taking action in order to ensure your data is secure.

I recommend haveibeenpwned.com which will send you email notifications whenever your username or email is found in a data dump.
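Besides notifying you about addresses, the same service’s Pwned Passwords API lets you check whether a password appears in known dumps without sending the password: you send only the first five hex characters of its SHA-1 and match the returned suffixes locally (k-anonymity). Here is an added example (not from the original post and not the service’s own client) that implements that check; it runs offline against a constructed stand-in for the API response, in which only the SHA-1 of “password” is real and the other suffixes and all counts are made up. The network function targets the real `https://api.pwnedpasswords.com/range/` endpoint but is not called by the demo.

```python
"""Added example: k-anonymity password check against a breach corpus.
The offline sample response is constructed; only SHA-1("password") in it is real."""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"   # real endpoint; not called offline


def sha1_split(password):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1.
    Only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Response format is one 'SUFFIX:COUNT' per line."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, lookup):
    """How many times `password` has been seen in dumps; 0 means not found.
    `lookup(prefix)` returns the response text for that 5-char prefix."""
    prefix, suffix = sha1_split(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def fetch_range(prefix):
    """Network lookup against the real API (unused by the offline demo)."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: the middle suffix is SHA-1("password") minus
# its prefix; the other suffixes and every count are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2A3F7B4C0D9E8F1A2B3C4D5E6F7A8B9C0D1:0",
    ]),
}


def offline_lookup(prefix):
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "abc"]:
        n = breach_count(candidate, offline_lookup)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

To run it for real, pass `fetch_range` instead of `offline_lookup`. A count above zero means the password belongs in a wordlist and should be retired everywhere it is used; a zero only means it was not in the corpus, not that it is strong.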


GateKeeper

What is GateKeeper?

GateKeeper is a small Bluetooth dongle that fits on a keychain. The dongle talks to the little USB stick that you also get (see picture below).

Just plug the USB stick into a USB port on your PC/Mac (preferably on the front, as it will need a good signal). You can then configure what the dongle will do on your computer, using the software that GateKeeper provides. Either set it to lock automatically, unlock automatically, or both.

[Image: GateKeeper Black]


What do I think about it?


I really like the neat little gadget since I usually don’t lock my computer when I leave it. Here I don’t have to think about it. When I leave the computer it locks, and when I come back it unlocks without me doing anything.

That being said, I would really like to see an API and the source code for the software they provide, as well as a GateKeeper for Linux distributions.

A little more customization would also be nice, since I’d rather have my computer shut down when I leave, instead of just going to the Windows lock screen, which is easier to get past than a powered-off machine.

I’ve talked to the guys behind GateKeeper and they’ve told me they’re working on an API. They did not, however, give me an ETA, so my guess is that it won’t be released.

Even though I’m not their primary target group, I have to say I find it very handy to have one. Even more than I thought I would.

I probably wouldn’t buy one myself at the moment, but I really think less tech-savvy people should buy one (and preferably those who don’t run Linux on their work computers).

It’s certainly a neat gadget, and I would love to see companies giving these out to their employees to prevent snooping in the office.

[Image: My GateKeeper]


The GateKeeper also has other functionality for phones, but I have chosen not to dig too much into that.


Disclaimer: While I did receive a test sample by Untethered Labs, LLC (the people behind GateKeeper) I have no obligation to write something good about their product. These thoughts are my own and my own alone.