First post – Security

Perhaps it’s fitting that the first post would be about Security. It’s not an existential threat, but it is every person’s everyday concern now. Back in 2017, online threats still seemed targeted at people with riskier online behaviors: registering credit cards on sites, clicking suspicious emails, using common passwords, and sharing security information between co-workers and family.

Strike 1: Equifax

After Equifax got hacked, that all changed. Hundreds of millions of records were stolen, and they included all of the types of information people used to secure their accounts: everything from old addresses to the names of parents and children, vehicles, credit card numbers and credit union names. All of it became available, and you’ll notice that the systems that used to ask “Do you recognize this loan?” or “Pick which of these addresses you previously lived at” have now been purged of these questions.

Strike 2: LastPass

What can I say other than this was probably the BIGGEST hacking event to affect technology companies ever reported. Why? Everyone used LastPass; its features were great, including auto-prompting and password sharing. It also had ways to store other information in a supposedly secure vault. It worked across platforms. And it was RED. But unfortunately, a lone LastPass developer was running system software that was years out of date, allowing a hacker to target that system and gain entry into various LastPass resources. Initially, we were told it wasn’t that big of a breach: only some development servers, only some metadata, nothing of importance. But it slowly emerged that the hack was broad in scope, capturing almost all of the protected vaults. It didn’t necessarily capture passwords, but the metadata stored alongside passwords was in plain text. That means if someone typed their ATM PIN into a LastPass comment field alongside their bank password, that ATM PIN was available in plain text.

Strike 3: Artificial Intelligence

Although a few of my own experiences with AI have been less than stellar, the idea that an AI could be exposed to a person’s online persona and then systematically hack them is not unreasonable. The AI would be able to find and attack multiple endpoints: cloud services, backup email accounts, old payroll accounts where a password was re-used. The list is enormous when one considers an individual’s online footprint, and what it would look like under siege by a system that doesn’t get tired and can devote as much time and energy as it needs. Eventually you receive a phone call from your significant other asking what the password is for the network router, and your entire life is hacked. How did the AI get your voice? It found a Facebook video you posted 3 years ago of a birthday party and sampled 3 seconds of you speaking.

There’s good news and bad news to set against the very bleak picture I’ve painted above, and both come down to the same thing: taking an active posture on your personal security. In almost every security discussion we have, we look to answer the following questions:

1 – What you know

2 – Where you are

3 – What you have

I’ll provide an example of each and how it figures into your security profile.

What You Know

This is the type of information you usually memorize, write down, or store in a password manager. It consists of usernames, emails, passwords, passphrases, maiden names, former addresses: all of the information you would use to verify yourself to a website. You use this information to log in to your bank, your email, and most apps. It is the most basic type of information, and the easiest information to steal if it’s stored online.

Where You Are

This type of challenge uses geolocation information from your browser, mobile device, network router, and other sources to determine where you are physically located. More advanced systems maintain a list of ‘known locations’ for the user. The system will flag the login and request additional challenges if the user is logging in from a new location, or if location services are turned off and the system can’t determine the user’s location. It usually relies on additional Type 1 (What You Know) challenges, and is rarely used to deny access outright.

What You Have

Perhaps the best type of information is the information you have with you, and only you could have. This is usually a type of 2-Factor Authentication (2FA), and there are various models. The simplest model is sending a text message or notification to a previously authorized device. In this model you register a phone number during account setup, and the system sends a code to verify you have that phone with you. Later, the system may send a new message and ask for the verification code. In other models, the system uses an authenticator key, like a physical YubiKey, or an authenticator app on your smartphone. These are registered to the account, and later you must use the physical key to gain access, or provide the randomly changing code from the authenticator app.

In most cases, What You Have will be the most secure method of maintaining your security profile. After a short time, though, the regular verification becomes annoying, and people may naturally remove the extra authentication to ease their lives. Opening an authenticator app every time you want to log into Gmail can become tedious.

My solution is a hardware key, actually 2 keys, one of which acts as a backup. I also use the Microsoft Authenticator app as a third method. All of these rely on physical possession of one of the hardware keys, or my phone, to access an account.

It’s as easy as it can be, given the circumstances.

There’s a lot more that we do to secure your websites and manage your online security footprint. For more information don’t hesitate to contact me.

1/2/2024
