Art & Logic has worked on an increasing number of security and privacy-related projects in recent years. Through my consulting work on these projects, I’ve gotten to know several security consulting firms — very smart folks like the Citadel Information Group and Digital Maelstrom. If you want to make yourself too anxious to sleep at night, take a security expert out to lunch and ask them about all of the ways in which your personal information is vulnerable at home, work, and on the internet. It will be an eye-opening experience! You’ll hear about encryption standards, key management, multi-factor authentication, SQL injection, DDoS attacks, men in the middle, attack vectors, AppSec, OWASP, Pen Tests, social engineering, black hats, white hats, grey hats and one hundred different terrifying data breaches (Target, Sony, Anthem, Home Depot and the like).
IT security is a dense and complex field. We are all beholden to the countless cyber defense specialists who work tirelessly to keep our information safe. They can never be wrong while the opposing team — cyber criminals — need only be right once in awhile to cause devastating consequences. We can all help by being a little less dumb in our day to day use of our computers and mobile devices.
Let me give you a real example. A consulting client of ours — a very smart and successful businessman — called me in a panic because his WordPress-based website had been hacked. It was a particularly embarrassing hack. His site spotlighted the work of a number of prominent artists. All their images on the site had been replaced with pornography. Fortunately, we were able to track down the offending malware and restore order quickly. However, when we turned our attention to finding the vulnerability that the hacker exploited, we were initially stumped. The site was hosted at WP Engine – a high-end WordPress hosting company that goes to great lengths to secure their customers’ installs. All themes and plugins were up to date. All security patches had been applied. Best practices had been followed. It was only when the client shared his admin password with me (over the phone) that we discovered the vulnerability. His password was just the domain name!!! To clarify, it was like being able to log into www.randomsitename.com/wp-admin with the password “randsomsitename”.
This got me thinking about things that I had been doing (or not doing) that were undermining my own security and I’m embarrassed to report that there were more than a couple. Here are some simple, common sense security tips that came out of my own self-audit:
Passcode lock your phone. As obvious as this sounds, a lot of people prefer the convenience of accessing their phones without a passcode. I had my “come to Jesus” moment when I left my iPhone at a grocery store. A kindly clerk was able to locate my home phone number and call me from my iPhone to tell me he would leave it for me at the customer service desk. He could have almost as easily called to thank me for donating the money in my bank account to him (¯_(ツ)_/¯ I like the convenience of storing passwords in the iCloud keychain). (As a side note: use a 6 digit passcode. 4 is good. 6 is better. And don’t use “1-2-3-4” or “8-8-8-8” or “1-2-1-2” or the last 4 digits of your social or your birthday or . . . you get the idea).
Don’t use the same password all the time. Check out these "pwned" websites. It’s a list of all the data breaches that have exposed usernames and passwords. Literally, millions of people have had their favorite password dumped into publically available databases that hackers can search for free and without consequence. My personal email address is in there and so I conclude that hackers have the password I used for just about every account I signed up for in the 2000s. Obviously, I don’t use that password anymore. If you have a favorite password, change it and don’t ever use it again.
Use a Password Manager so you can have a different password for every account. One of the best ways you can protect yourself is to use strong passwords – long strings of random gibberish sprinkled with hard to remember funny characters. But of course you can’t just use the same one over and over again (see the above point). They really all should be unique for each account. The only way you can implement that practically is to use a Password Manager. I’m a MacOS / iOS user so the iCloud Keychain is convenient for me. There are other, perhaps better, ones as well.
Memorize one really long, strong, password and use it to password protect your laptop or desktop computer. This hasn’t happened to me (yet), but imagine a scenario in which I forgetfully leave my laptop at Peets (where I like to start my day). You already know I use iCloud Keychain to store my account info. Without password protection, whoever finds my laptop can access just about anything of mine. They can take my money, read my email, examine my browsing history, and listen to songs I haven’t finished writing. I shudder thinking about the consequences of my laptop falling into the wrong hands.
Don’t email account credentials, credit card numbers, or any other sensitive information. Sometimes it’s necessary to communicate account credentials and other sensitive information to other people. Email is often the most convenient way to do it, but email is notoriously insecure unless special provisions are made. It’s better to call the person and tell him or her the information over the phone. If you must send the information electronically, try breaking the information into pieces and using different bands for each piece (e.g. emailing the username and texting the password rather than just emailing both). Also, and this ought to go without saying, don’t write your passwords down on a sticky note and put them on your desk, your bulletin board, in your desk drawers, etc.
Take some time to educate yourself. There’s a lot of complexity and nuance to privacy and security in our ever-expanding digital universe. It’s not something any of us can ignore any longer. As a starting point, I’d suggest spending some time on the Electronic Frontier Foundation’s website. You’ll sleep better.
