One day we looked at a number of books about risks in IT, social engineering, viruses and the history of hacker groups. Today we’ll try to move from theory to practice and see what each of us can do to protect personal data. In the media you can find a large number of basic tips: from using password managers and two-factor authentication to attentive attitude to letters and potential signs of phishing.

Undoubtedly, these measures are important as the basis of cyber hygiene, but you should not be limited only to them. We talk about less obvious points regarding information security when working with Internet services.

Passphrases instead of passwords

Managers for working with complex passwords eliminate the need to remember them. However, a password manager is always a compromise between usability and reliability. Developers sometimes have leaks. For example, in 2015, hackers stole LastPass email addresses and user security questions.

With this in mind, a number of information security experts (including representatives of the FBI office in Portland) prefer an alternative option for working with authenticators – passphrases. They are easier to remember than alphanumeric passwords with special characters.

At the same time, they are considered more reliable – back in 2015, a specialist in the field of computer science Evgeny Panferov mathematically proved that in order to strengthen protection against brute force attacks, it is necessary to extend the identifier, and not increase its complexity due to numbers, lattices and asterisks . This concept was also illustrated by the author of the xkcd comic about developer workdays.

Engineers from the Electronic Frontier Foundation (EFF) also support the idea with passphrases. They even suggested an unusual way to generate them – using dice. The EFF compiled a list of 60 thousand English words, comparing with each a specific sequence of numbers that appear on the cube.

Just select six words to get a random identifier of 25-30 characters. It is recommended to roll the dice because the human brain is not able to generate a random sequence of numbers. We subconsciously strive to choose numbers that have any meaning for us. Therefore, back in 1890, the English psychologist Francis Galton wrote that dice is the most effective “random generator”.

Password rotation is not needed

We all faced the requirements to change the password for an account once a month or six months. But the head of Spycloud’s security company, Ted Ross, says such a rotation is pointless.

It encourages users to only slightly modify passwords and reuse past identifiers. All this harms the security of your account. Also considered at the US National Institute of Standards and Technology (NIST). They are developing a new password management framework. By the way, it has already been implemented in Microsoft – since last year, Windows has ceased to require users to regularly come up with new authentication data.

Identifiers should be changed only if they are compromised. There are special tools to verify this fact – for example, the familiar service Many Have I been Pwned. Just enter your email address, and it will show if the email has been “exposed” in any leaks. You can also set up notifications – in case of a new “drain”, a notification will be received.

Passwords leaked to the network should be replaced for accounts that have not been active for a long time. But it’s better to delete these accounts altogether. Left unattended, they can cause a compromise of personal data. Even a small piece of information will help attackers to collect the missing information about the “victim” in other services.

On some resources, the procedure for closing accounts is not so simple. Sometimes you have to communicate with technical support, and sometimes – for a long time to look for the desired button in the interface. However, there are tools that can simplify this task. For example, JustDeleteMe is a directory of short instructions and links for disabling accounts. This is an extension for Chrome that adds a special button to the omnibar. By clicking on it, a page opens to disable the account on the current resource (if possible). Then it remains to follow the instructions.

Work with documents on a special OS

Approximately 38% of viruses pose as dock files. Today it is one of the most common vectors of hacker attacks. You can protect yourself from malware distributed in this way if you open suspicious documents in cloud editors. EFF experts note that in this case, you can almost certainly prevent the installation of malware. But this method is not suitable for confidential documents – there is a risk of making them public. For example, in 2018, personal Google documents of users got into the public domain – they were indexed by a search system.

Engineers from the Electronic Frontier Foundation say that one way to protect yourself from viruses in PDF and DOC is to install a special operating system (you can in the cloud of an IaaS provider) to read electronic documents, for example, Qubes. In it, the actions of the OS and the user are performed on separate virtual machines. Therefore, if one of the components is compromised, the malware will be isolated and will not be able to access the entire system.

(NOT) automatic update installation

Information security experts – for example, engineers from Tech Solidarity and FOSS Linux – recommend setting up automatic installation of security updates for operating systems and applications. However, this view is not shared by everyone.

A significant part of hacking IT systems can really be avoided if they are updated on time. A striking example is the leak of personal data of 140 million US residents from Equifax. Attackers used the vulnerability in the Apache Struts framework (CVE-2017-5638) related to an error in exception handling. A patch for it appeared two months before the attack on Equifax. But automatic updates can lead to not the most pleasant consequences. There are situations when fresh “patches”, solving one problem, create another. In 2018, Microsoft had to stop the distribution of a new version of the operating system due to an error deleting users’ personal files.

We can conclude that updates should be installed as soon as possible, but be careful. Before you use a patch, you should study its behavior, read reviews and make a decision based on the information you’ve found.

 

Privacy Preference Center