Password 101: how to suck at security


(Totally not a satire post…. Totally…)

1. Always use a simple password.
2. Always write it down.
3. Always use the same password for everything.
4. Never change your password.

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” program was leaked. Outrage followed, but seems to have died down. Which got me thinking: most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play-by-play updates so EVERYONE can know what they are doing. The problem then is, how can you get mad that the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then got mad that someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing is wrong; however, most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: Do we give up, and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”?

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software and websites you use; they always list what they do with information that travels through their services. It is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government. They already ignore the laws currently on the books, so how is another law going to fix things?

Simple solution: Stop being stupid!

Facebook: If you don’t use it, why have it?

Today at work I was lucky enough to attend an InfoSec session, and the speaker was very knowledgeable. The target audience was a less tech-savvy crowd, and the session mainly focused on teaching the basics of how to avoid the “human” factor in getting taken advantage of on-line.

One of the things that came up is something I’ve been thinking about for quite some time, regarding social media sites and the myriad accounts that most people have. Technology is a great thing, and the access to information we have today is simply amazing, but with all the access, all the smart phones, all the computers, and all the websites, you have also increased your on-line footprint, and made yourself a much larger target for ID theft, scamming, or any other possible attack.

Some of the points I’ve touched on before:
1. Don’t use public wireless networks.
2. On your phone, disable wifi and use the 3g/4g data, because most phones just connect to an open wireless network without warning.
3. Be careful what you put on your public-facing profiles.
4. Don’t simply click links in emails; open your browser and MANUALLY go to the site.

But the final point that finally sank home with me was regarding Facebook and other sites like LinkedIn. Most people use those sites to connect with “trusted friends”, but don’t stop to think who else can access that information. With the recent hack of LinkedIn, millions of users’ user names, passwords, emails, etc. were leaked to the public simply because someone got bored and wanted some excitement (it will be plenty exciting for them in prison, but that’s another story). But just think for a second: how likely is it that many of the users that were compromised don’t log in and use the service? Now their account is compromised along with all the personal information therein, and they will never know. It begs the question:

If you aren’t going to use a service, why have an account at all?

The simple answer is “Don’t.” Why leave personal information out there? By default most sites will simply “deactivate” your account and will still retain all your data. You will need to hunt for the permanent delete option, but it’s there; sites are required to have it, just not required to make it easy.

So today, I finally did what I’ve wrestled with for some time, and DELETED all the accounts I never use. There is no need for extra accounts; if someone wants to reach you, they likely already know how.

Just some more food for thought.

Media and Government think Hackers are stupid

Tonight my wife and I were running some errands, and as I usually do, I was listening to talk radio. During the local news break, they ran a headline about the Thrift Savings accounts for Congress being hacked, and the newscaster sounded surprised to report that the motive did not appear to be identity theft.

I’m sorry, but when the fuck did identity theft become the ONLY thing hackers do? Does nobody know anymore that “knowledge is power”? When it comes to fighting a war, or trying to leverage a target to your will, having knowledge to use against them is much more important than stealing that enemy’s identity.

Identity theft is for chumps and script kiddies who are BEGGING to get caught. I find it supremely insulting that all hackers are considered criminals, but now they are dumb criminals. Does it not even cross reporters’ minds that you can use the identity information for things like blackmail, threatening to give the data to your target’s enemies?

I just had to vent about this, because it was a very upsetting headline, with about 30 seconds spent conveying how surprised they were that hackers would want banking information for something other than identity theft.