In the last few weeks, we’ve seen security vulnerabilities or leaks of three prominent web service companies pop up across the Internet.
MySpace.Com was hacked back in 2013, and a cache of user information appeared on the black market last week. This included the usernames, e-mail addresses, and at least one SHA-1 hashed password of over 360 million users. Although the stored passwords were hashed with SHA-1, the implementation was weak (no salting), which makes cracking the database trivial for anyone with either the proper computing resources or a couple of Bitcoins rattling around in their piggy bank.
LinkedIn.Com was compromised in June of 2012, and the stolen data was obtained by a number of security watchdog sites last month. This hack released only e-mail addresses and passwords, but affected over 167 million users. As with MySpace, LinkedIn stored its passwords as SHA-1 hashes with no use of salts.
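As an added example (not from the original post), the following Python contrasts the unsalted SHA-1 storage described above with salted, iterated hashing; the user names and passwords are constructed sample data, not anything from the leaks.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical users and passwords, not leaked data).
# Two users chose the same common password, as is typical in a large user base.
SAMPLE_USERS = {
    "alice": "ILoveYou123!",
    "bob": "ILoveYou123!",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one deterministic hash per password, no per-user salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(users: dict) -> dict:
    """Group users sharing an identical unsalted hash. One precomputed table
    lookup resolves every member of a group at once, which is why salting matters."""
    groups: dict = {}
    for name, password in users.items():
        groups.setdefault(unsalted_sha1(password), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """The hardened scheme: random 16-byte salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    print("shared unsalted hashes:", duplicate_hash_groups(SAMPLE_USERS))
    records = {name: make_salted_record(pw) for name, pw in SAMPLE_USERS.items()}
    print("alice and bob digests differ:", records["alice"]["digest"] != records["bob"]["digest"])
    print("verify alice:", verify_password(records["alice"], "ILoveYou123!"))
```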
TeamViewer’s service itself seems to have been compromised within the last week, according to user reports. Users with strong passwords and two-factor authentication have reported unauthorized activity on their TeamViewer-enabled machines to the TeamViewer subreddit. While the company blames this malicious activity on password re-use (a serious error for any security-conscious Internet citizen), users are unconvinced due to the bypassing of two-factor technologies in conjunction with a possible recent DNS hijacking of the TeamViewer domains. This information has not been substantiated with anything except user stories, but it’s certain that TeamViewer will have to approach these claims in a more public light if these activities continue.
So how do you, as a regular user, take care of yourself and your identity on an Internet that seems to be swarming with bad guys?
- Use Complex Passwords
Passwords should be as long as possible, and include upper- and lower-case letters, as well as numbers and symbols. Try not to use common words or phrases (“ILoveYou123!” and variants thereof are unfortunately common passwords). Also stay away from information about yourself; using a birthday or anniversary may be tempting, but it is also easy to guess with a little information from your public Facebook page.
- Don’t Reuse Passwords
I mentioned above how password reuse is a huge problem, and the MySpace and LinkedIn examples drive home why. Companies make mistakes, and if users aren’t careful with their own security practices, a password leak of this magnitude can let a determined attacker steal Facebook or e-mail accounts and damage reputations, or break into bank accounts and steal funds.
- Use a Password Manager
The security community can be split when it comes to password managers. Some people swear by all-local products such as KeePass, which has been around for years and has versions for major operating systems and mobile devices. Others prefer a cloud-enabled solution like LastPass, which allows their password database to be entirely portable to any device without managing a flash drive or other storage device. If you’re not sure which is best for you, ask yourself this: are you paranoid about security? Use KeePass; it lets you keep total control of your passwords. Would you prefer more portability for your passwords with no effort? Use LastPass; your passwords are encrypted and decrypted on the system you access them from, so the service never sees a decrypted password when you sync data to the cloud.
- Enable Two-Factor Authentication Where Possible
Two-factor authentication is one of the best security features to come out of the advent of broad smartphone use. This technology lets the service send a text, place a call, or notify an app on your phone to double-check that you are the person trying to log into that service. It’s difficult to intercept without a potentially complicated hack of the service itself, and it can serve as an early warning that your password has been compromised.
And finally…
- Subscribe to a Data Breach Notification Service
Data breach notification services automatically alert users when their e-mail address appears in a recently published hack. This gives the user the earliest possible warning that one of their accounts could be compromised, so they can change passwords and/or verify that the account is secure. Two of my favorite services for this are Have I Been Pwned? and LeakedSource.
As people put more and more personal information online, the cost of losing control of one’s online identity keeps rising. So take a look at a few of your accounts and see if you can improve their security with one or more of the steps above, and stay safe.