Much has already been said about last weekend’s dramatic and extensive expropriation and destruction of Wired writer Mat Honan’s digital life. Of course Honan was just one of hundreds of millions of digital identities which are compromised every year. The attention is a consequence of Honan’s popularity and the perpetrator’s level of effort. This can befall any of us or any institution to which we entrust our personal information.
Some good has already come out of this incident: Apple and Amazon have modified their over-the-phone customer service policies, which ought to make it a bit harder to exploit the social engineering aspect of this attack. I hope you will take the cue and do a little “health check” of your own practices.
Am I safe enough?
Nothing can guarantee safety, but some common sense steps can make you safer. I found Sean Gallagher’s “Secure your digital self: auditing your cloud identity” a reasonably sound set of guidelines and advice. It takes a little bit of work, but in exchange for half a day this weekend you can adopt these recommendations. You will get the half a day back in peace of mind even if you are never hacked! The only burdensome part is making sure that you have a distinct, strong password for every on-line account. (Of course, you will need a good, secure password manager / keychain to make this work.)
Am I a responsible IT provider?
If you write, design, buy or test on-line information systems, I believe that you have an ethical obligation to understand sound security practice. Here are three sites that I have found to be good starting points.
- The Open Web Security Project
- The US-CERT Publications List
- The CERT program at CMU’s Software Engineering Institute
If you haven’t already done so, I hope that you will explore these sites and incorporate the relevant technologies and methods into your work. Also, do your best to make sure that those with whom you work do the same!
Is this good enough?
All the guidelines, standards and controls in the world won’t help if we don’t actively employ critical thinking. How can the city of my birth or my mother’s maiden name (both public records) be answers to “secret questions?”
Perhaps the increased vulnerability that arises from authenticating to multiple accounts from a common source (whether Facebook, Google, or OpenID) is an unexpected consequence. But it’s hard to see that it ought to be called an unforeseeable consequence.
Sure, two-factor authentication makes technical sense for digital natives. But what about the elderly or the infirm? In a world where one needs to log in to communicate with family, manage a bank account and RSVP to the club meeting, we disenfranchise too many of our fellow citizens by rushing ahead with businesses and services that are ready for prime time in every respect except their security posture.