Thursday, March 22, 2012

Safe and Secure Data (part 3): email, passwords and Paris Hilton's dog

Email is Not Secure

If the data you are sending is supposed to be private, do not send it unencrypted in an email. Email can be secure, but it generally is not. Email suffers from two problems.

  1. You only control part of the trip. Even if you set your email to be transmitted on a secure channel (SSL/TLS), that only protects the hop from your computer to your provider's outgoing mail server. Whether that server uses TLS when it relays the message onward, and whether the recipient's server does, is out of your hands. If you are worried about Homeland Security snooping through your files, then consider that the letter you sent across town in Vancouver, Canada could quite easily have gone through a US server.
  2. Email is stored. A copy is stored on your computer, a copy on the recipient's. If you are using Yahoo, Gmail, or Hotmail then they store a copy too. So that love letter (or banking information or passwords) you sent to someone you trust 5 years ago is sitting, in readable form, on some forgotten back-up drive or old computer. It happens all the time that someone gets hold of this old information.
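You can actually see the part of the trip that was out of your hands: every mail server that handles a message prepends its own "Received:" header, and the "with" keyword on each one records whether that hop used TLS (ESMTPS, ESMTPSA or SMTPS) or plain SMTP/ESMTP. The script below is an added example, mine rather than anything from the original post. The message it parses is constructed for the purpose and its host names and addresses are hypothetical; the one thing it assumes about real mail is the standard "from X by Y with PROTO" layout of Received headers.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Host names and
# addresses are hypothetical: a mail between two Vancouver-area users
# that, according to its own headers, was relayed through a US server.
# Each server prepends its own "Received:" line, so the TOP line is the
# LAST hop and the BOTTOM line is the sender's own submission.
SAMPLE_MESSAGE = """\
Received: from relay.us-east.example.com (relay.us-east.example.com [203.0.113.9])
    by mail.recipient.example (Postfix) with ESMTP id 1A2B3C
    for <bob@recipient.example>; Thu, 22 Mar 2012 10:05:03 -0700
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
    by relay.us-east.example.com with ESMTP id 9Z8Y7X;
    Thu, 22 Mar 2012 10:04:59 -0700
Received: from [192.168.1.20] (vancouver-dsl.example.org [192.0.2.44])
    by smtp.sender.example with ESMTPSA id 4D5E6F;
    Thu, 22 Mar 2012 10:04:50 -0700
From: alice@sender.example
To: bob@recipient.example
Subject: lunch?

See you at noon.
"""

# "from X ... by Y ... with PROTO": the three fields every hop records.
_HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.IGNORECASE)

# Per RFC 3848 the "with" keyword gains an S when the connection used TLS
# (ESMTPS, ESMTPSA, SMTPS). ESMTPA is authenticated but NOT encrypted.
_TLS_PREFIXES = ("ESMTPS", "SMTPS", "UTF8SMTPS")


def trace_hops(raw_message):
    """Return the hops a message took, oldest first, as dicts holding the
    sending host, receiving host, protocol keyword and whether that hop
    claims TLS protection."""
    msg = message_from_string(raw_message)
    hops = []
    # get_all keeps header order (newest first); reverse it so the
    # sender's own submission comes first.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = _HOP_RE.search(flat)
        if not m:
            continue                            # malformed line: skip, don't guess
        src, dst, proto = m.groups()
        proto = proto.rstrip(";").upper()
        hops.append({
            "from": src,
            "by": dst,
            "with": proto,
            "tls": proto.startswith(_TLS_PREFIXES),
        })
    return hops


def unencrypted_hops(raw_message):
    """Hops whose Received line does not claim TLS: where the message was
    readable in transit by anyone on the path."""
    return [h for h in trace_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for i, h in enumerate(trace_hops(SAMPLE_MESSAGE), 1):
        status = "TLS" if h["tls"] else "PLAINTEXT"
        print(f"hop {i}: {h['from']} -> {h['by']} ({h['with']}, {status})")
```

On the constructed message the only encrypted hop is the first one, from the sender's own machine to her provider; the relay through relay.us-east.example.com and the final delivery were both plain text. Two caveats: each Received line is written by the server that received the message, so a hostile or careless relay can write whatever it likes, and you only get to see these headers at the receiving end. That is exactly the point: once the message leaves your provider, neither the route nor the protection on it is yours to choose.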

Password Security

The number one thing you can do for your data security is to pay attention to your passwords. Some nefarious individual can get hold of your passwords and read your personal information, run up your long-distance bill, or run up your credit cards. This can all happen within minutes of your security being compromised. Remember, the hackers are pros with computers. Their stealing is fully automated.

So, is your password easy to guess? Before you answer that, don't imagine the attack as: "Well, I know Jane likes roses, so let's try 'Red Rose'." Picture instead a high-speed password-guessing program working through a database of a couple of million common passwords: "password", "password123", "p&ssw0rd123", the last four digits of your phone number, every word in Webster's Dictionary, and, it turns out, a lot of common phrases as well. Don't be scared. Just follow the rules:
  • Make your passwords long, with a mix of upper and lower case, numbers and letters.
  • Have multiple passwords: use different passwords for banking, email, and low-risk situations like customer surveys.
  • Change your passwords.
REMEMBER THIS: when you type a password into a web-site or send it in an email, you have lost control of who has access to it!
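That "high-speed password machine" is easy to approximate, and seeing it work makes the rules above less abstract. The script below is an added example of my own, not code from the original post: a miniature of a cracker's dictionary-plus-mangling loop. The six-word list, the character substitutions and the suffix list are constructed for illustration (real tools ship with millions of words and far larger rule sets), and the phone number is made up. It shows why "p&ssw0rd123" is no improvement on "password", and why the last four digits of your phone number are a guess, not a secret.

```python
import itertools

# Constructed mini wordlist. A real cracking list has millions of entries
# plus every word in the dictionary; six words are enough to show the mechanism.
COMMON_WORDS = ["password", "letmein", "qwerty", "monkey", "dragon", "rose"]

# Substitutions the cracker tries for each letter (the letter itself first):
# to the program, "p&ssw0rd" is just another spelling of "password".
LEET = {"a": "a@&4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5"}

# Tails people add to satisfy "must contain a number" rules.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2012"]


def _leet_variants(word):
    """Yield every spelling of `word` reachable by the LEET substitutions."""
    options = [LEET.get(ch, ch) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(words, phone_digits=None):
    """Yield guesses in the order a cracker would try them: the raw list
    first, then case, leet and suffix mangling of each word.  If the
    victim's phone number is known, its last four digits become one more
    suffix (the "last four digits of your phone number" guess)."""
    suffixes = list(SUFFIXES)
    if phone_digits:
        suffixes.append(phone_digits[-4:])
    seen = set()
    for word in words:
        seen.add(word)
        yield word
    for word in words:
        for base in _leet_variants(word):
            for cased in (base, base.capitalize(), base.upper()):
                for suffix in suffixes:
                    guess = cased + suffix
                    if guess not in seen:          # don't count a repeat as a new guess
                        seen.add(guess)
                        yield guess


def guesses_needed(password, words=COMMON_WORDS, phone_digits=None):
    """Number of guesses the attack needs to hit `password`, or None if
    the password lies outside everything the attack generates."""
    for n, guess in enumerate(candidates(words, phone_digits), 1):
        if guess == password:
            return n
    return None


def is_guessable(password, phone_digits=None):
    """Defender-side view: True if the mangling attack above would find it."""
    return guesses_needed(password, phone_digits=phone_digits) is not None


if __name__ == "__main__":
    # Hypothetical victim phone number; the attack only uses its last four digits.
    for pw in ["password", "p&ssw0rd123", "Rose1234", "blue kettle 47 harbour"]:
        print(f"{pw!r}: {guesses_needed(pw, phone_digits='6045551234')}")
```

Run as a script it reports how many guesses each sample needed. "Rose1234" survives the generic suffix list but falls the moment the attacker adds the victim's phone number, and the multi-word phrase is never generated at all, which is the "make it long" rule in action. Because the real rule sets are so much bigger than this one, treat a hit here as proof that a password is bad, never a miss as proof that it is good.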

Food for Thought

The News of the World phone hacking scandal in the UK shows how easy it is to get at your personal information. The techniques are the same whether the goal is stealing your identity, running up your long-distance bill, or just selling newspapers.
  1. Your phone is cloned, and then the attacker uses the default auto-connect to get into your voice mail.
  2. Your passwords are compromised by:
    • Trying the phone's default password (most people never change it).
    • Answering the security question to have the password reset.
    • Other techniques.
Obviously none of this is guaranteed to work. But would it work against you?

My personal favourite is a scam involving resetting Paris Hilton's mobile phone password by answering the security question. It turns out that Paris Hilton's security question was something like: what is the name of your dog? Yes, that dog: the dog she has been photographed with countless times.

Disclaimer: This blog is about some security issues, not a recipe book on hacking. I know that some of the threats outlined don't work very well as stand-alone techniques, but they have been used to hack into private areas.