Tuesday, November 8, 2016

Patch, Vault 'n Fob

   Well, I was trying for something catchy like Stop, Drop and Roll.  That's a saying we learned in school, back in the day, for what you should do if your clothes catch on fire.

   Fortunately, it seems like everyone has heard that saying and it rolls off the tongue.

   Unfortunately, my three word phrase Patch, Vault and Fob, is not nearly as catchy.

   Fortunately, the odds of your clothes catching on fire is low.

   Unfortunately, the odds of your software, browsers or accounts being compromised is very high.

   A couple of weeks ago the internet was hit with the highly impact-full and publicized distributed denial of service (DDoS) attack on Dyn, a DNS provider.  I won't go into the details here but I think I will cover DDoS in a future post.  Anyway, shortly after that I was chatting with someone at a dinner who asked me about this attack, internet safety in general and what they could do.  To keep it simple and because, as a math person I like things in 3's!, I provided these 3 simple (well, maybe straight-forward is more accurate) things that absolutely everyone should do at home...
  1. Patch your stuff
  2. Use a password vault
  3. Use 2-factor authentication
      1. Patch your stuff

   While the use of smartphones and tablets is skyrocketing, most people still also use a traditional laptop or desktop computer.  These are primarily Windows computers, though the Mac marketshare continues to rise.  Patching the basic Windows or IOS operating system that runs the computer is pretty straightforward and should always be set to automatically update for home users.  Here's how for older Windows (it's the default in Win10) and Mac.

   But what about all the other stuff including browsers, productivity tools, media (picture and sound) tools, games, word processors, desktop publishing, etc - basically all the software that's not part of the operating system?  This is where many of the vulnerabilities and problems occur.  In fact, many vulnerable software products have not been from Apple or Microsoft but from Oracle (java) and Adobe (pdf reader and flash animation) and in web browsers.

   For patching my home computers, I use a software updater tool.  The tool I use is called Secunia PSI (PSI stands for personal software inspector).  The current version is 3.0, but I actually like the interface on their slightly older 2.0 version.  As always, I am not pushing any particular product and there are a bunch in this space including ninite, FileHippo and SUMo.  Here are two articles that discuss some of the alternatives.  It doesn't matter which one you use... just set up automated patching for all your home computers!

      2. Use a password vault

   I've written about this topic so many times I've lost count!  So rather than rehash that all here, let's keep it simple...  Use unique passwords for every account you have at home, make the passwords long and random and put them all in a vault!  There are many great ones out there including: LastPass (what I use), Dashlane and 1Password.  Get one and use it!

      3. Use 2-factor authentication

   There's just no excuse any more.  It's not hard and it's not complex.  And don't just believe me... listen to Betty White!

   Here's why it's important.  Passwords will get stolen (breached, compromised, whatever word you like).  Just ask Yahoo!... or ask them 2 years ago... or ask them 2 years before that!  But here's what's important...  the attackers aren't just grabbing your password.  "They" don't even know who "you" are.  The target is the big central resource with lots of goodies (passwords).  If you have 2-factor authentication enabled, "they" would not only have to grab your password (well, they have that!), but they would also need to either have your smartphone or have control of your smartphone, and... here's the key part, they'd have to be able to match the two - to know which phone corresponds to which of the millions of stolen passwords they have.  Now that's possible, but it's not easy.

   Since Google and Apple pretty much own that market, an attacker could steal your Apple credentials, and get into both your iTunes and email account to bypass your 2-factor authentication, but that is way too much work.  Attackers want to quickly monetize what they've stolen, so our goal is to make ourselves "expensive" to attack.

   Setting up 2-factor authentication is easier than ever before and is in use on many mainstream sites including Google, Facebook and Twitter.  Here's some info on sites offering 2-factor authentication.

   Let's be safe out there!  It's as easy as 1, 2, 3!

No comments:

Post a Comment