60-minute security makeover: Prevent your own 'epic hack'
Issue: Having multiple email addresses with same user name
Threat: Using the same prefix -- firstname.lastname@example.org and email@example.com -- was one factor that led to hackers knowing Honan's Apple ID user name. (Me.com is an Apple service.) Because they knew his Gmail address, they were able to see a partially blacked-out me.com address on the Google password reset page and guessed the rest.
Defense: It's easy enough to vary your email user names across domains going forward; this makes it less likely that someone can social engineer a password reset for your account. It may be tough to change your email user name on addresses you already use, however.
Time: 5-10 minutes to change an existing address that you're not using much, but significantly more if you have to notify (and perhaps remind) people who know the old address. Best to keep this rule in mind for the private address you're setting up in the step above.
Issue: Using lax Google authentication
Threat: Hackers saw the partial information for Honan's me.com address when entering his Gmail address into Google's password reset page because he hadn't turned on two-step verification. They were also able to reset his Google password after hacking into his Apple account because access to his me.com address was the sole thing anyone needed to change his Google password.
Defense: Turn on Google's two-step verification, which requires entering an additional code sent to your mobile phone before an account password can be changed -- or even for logging in from a new device or browser. Plus, anyone trolling for information won't be able to see even part of your recovery email address. In addition, hacking into your alternate email address wouldn't be enough to change your Google password and seize control of your account. This type of two-factor authentication makes your account safer from other types of hacks as well, such as a compromised password.
While having to enter an additional code sent to your mobile phone may sound onerous, it's a lot less of a hassle than being hacked.
To enable two-step verification, go to the drop-down menu at top right under your email address to get to Account settings, then select Security from the left navigation and click the Edit button next to "2-step verification." Google provides more information on two-step verification here.
Time: Enabling two-factor authentication from your browser: 2-3 minutes. Signing in using new authentication with other browsers, devices and mobile apps: 1-2 minutes each. You'll need to do this once every 30 days on each desktop/laptop browser you use with your Google account.
Issue: Storing credit cards at online retailers
Threat: It seems harmless enough to store your credit cards on a site where even if someone breaks into your account, only the last four numbers are visible. But it turned out that the last four digits of the credit card stored in Honan's Amazon account was the last piece of ID hackers needed to breach his Apple account. While it appears that Apple has since suspended this policy and Amazon has changed its credit-card security policies as well, the last four digits of a credit card on file is probably a key piece of identification at other online destinations.
Defense: Don't store credit cards anywhere you don't have to, even if it takes some time to type in the number for each purchase.
Time: Deleting already-stored cards: 2-3 minutes per account.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Top tips for securing big data environments - Why big data doesn't have to mean big security challenges Organizations don't have to feel overwhelmed when it comes to securing big data environments. The same security fundamentals for securing databases, data warehouses...
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- Three guiding principles for data security and compliance Data security is a moving target-as data grows, more sophisticated threats emerge; the number of regulations increase; and changing economic times make it...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- How SIEM Addresses the Challenges of Big Security Data This webcast will help you understand today's big data security challenges and how intelligent and scalable SIEM solutions give IT the tools and... All Data Security White Papers | Webcasts