60-minute security makeover: Prevent your own 'epic hack'
Issue: Having multiple email addresses with same user name
Threat: Using the same prefix -- firstname.lastname@example.org and email@example.com -- was one factor that led to hackers knowing Honan's Apple ID user name. (Me.com is an Apple service.) Because they knew his Gmail address, they were able to see a partially blacked-out me.com address on the Google password reset page and guessed the rest.
Defense: It's easy enough to vary your email user names across domains going forward; this makes it less likely that someone can social engineer a password reset for your account. It may be tough to change your email user name on addresses you already use, however.
Time: 5-10 minutes to change an existing address that you're not using much, but significantly more if you have to notify (and perhaps remind) people who know the old address. Best to keep this rule in mind for the private address you're setting up in the step above.
Issue: Using lax Google authentication
Threat: Hackers saw the partial information for Honan's me.com address when entering his Gmail address into Google's password reset page because he hadn't turned on two-step verification. They were also able to reset his Google password after hacking into his Apple account because access to his me.com address was the sole thing anyone needed to change his Google password.
Defense: Turn on Google's two-step verification, which requires entering an additional code sent to your mobile phone before an account password can be changed -- or even for logging in from a new device or browser. Plus, anyone trolling for information won't be able to see even part of your recovery email address. In addition, hacking into your alternate email address wouldn't be enough to change your Google password and seize control of your account. This type of two-factor authentication makes your account safer from other types of hacks as well, such as a compromised password.
While having to enter an additional code sent to your mobile phone may sound onerous, it's a lot less of a hassle than being hacked.
To enable two-step verification, go to the drop-down menu at top right under your email address to get to Account settings, then select Security from the left navigation and click the Edit button next to "2-step verification." Google provides more information on two-step verification here.
Time: Enabling two-factor authentication from your browser: 2-3 minutes. Signing in using new authentication with other browsers, devices and mobile apps: 1-2 minutes each. You'll need to do this once every 30 days on each desktop/laptop browser you use with your Google account.
Issue: Storing credit cards at online retailers
Threat: It seems harmless enough to store your credit cards on a site where even if someone breaks into your account, only the last four numbers are visible. But it turned out that the last four digits of the credit card stored in Honan's Amazon account was the last piece of ID hackers needed to breach his Apple account. While it appears that Apple has since suspended this policy and Amazon has changed its credit-card security policies as well, the last four digits of a credit card on file is probably a key piece of identification at other online destinations.
Defense: Don't store credit cards anywhere you don't have to, even if it takes some time to type in the number for each purchase.
Time: Deleting already-stored cards: 2-3 minutes per account.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope...
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface. All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!