KISS Principle: Keep it Secure Simply

You're probably familiar with the traditional KISS Principle and if you're thinking of Gene Simmons or Ace Frehley, you're way off track. It has long stood for Keep It Simple Stupid.

I’d like to update this to Keep It Secure Simply.

What’s easier to simultaneously defend, one fort or twelve? Say you only have one fort. How many gates, doors, ramps and other access points do you want through the wall to defend? Because a single gate is relatively easy to defend, attackers throughout history resorted to scaling the walls and sapping through or under them. Think of Helm’s Deep in Lord of the Rings!

The fewer points you have to defend, the better you can focus your defenses, making attackers work significantly harder.

Now think about your digital life. Consider these questions:

  • How many exposure points do you have to defend? Look at your bookmarks. Look at your browser history for the last 60 days. Lots more there than you thought, isn’t there?
  • How many of them are interrelated? Consider these two high profile cases where hackers were able to take one piece of data from one service and use it at another, and then another, to completely undermine these unfortunate souls.
  • Could your digital life withstand such an attack? Sure, you can’t help an hourly-wage call center representative giving out more information than they should, but how far can the hacker then take a single piece of information and reuse it to move on and on? Here are a couple of tips:
    • Use two-factor authentication everywhere you can and if at all possible change providers from one service that doesn't offer it to one that does.
    • Don’t have your “password reset” email be your main email address. Better yet, create an email account for this purpose alone, and of course with an email service offering two-factor access. Never use this “password reset” account to send an email.
    • If a site has you answer questions that it later uses to help recover passwords or access, please, please don’t answer the questions accurately! The answer to a question such as “Best friend in high school?” should be something like “strawberry” or “piggedypoo”, not Bob. A good password manager can help you manage this easily. See the next bullet point on password managers… they have many uses!
  • How many sites have you interrelated by using the same password? Yes, I know having a separate password for every site is impossible to remember without resorting to patterns that then become apparent to attackers. If your online Chase bank password is “123Chase456” and your GoDaddy password is “123Godaddy456”, do you really think those will hold up once one is compromised? Time to get with the 21st century and get a password manager that creates unique, complicated passwords for every site! Me, I’m a LastPass fan, but there are several good ones. Remember the two-factor tip above when choosing one!
  • Do I really need to buy this on a site I've never used before? Sure, it may save you a couple of bucks today, but why give more people your credit card and attendant information than you have to? Would you drive to a bad part of town to get a deal?
  • How many of the services you use have more data than necessary? A couple of tips:
    • If you can sign up with fake data and have the service be effective, do it.
    • Beware how much personal data you make public on social media, especially if you ignored my advice above about not answering challenge questions accurately. If the answer to the challenge question “Best friend in high school?” is Bob, how long would it take me to find that out on Google+ or Facebook?
  • How many accounts are stranded, ones you don't even use anymore? Time to work through your bookmarks or password manager and either close them, edit down to a bare minimum what data they have (do they still need your credit card #?) and / or change the password to something unique and complicated. Do I need to bring up two-factor authentication again at this point <grin>?
  • How many of them are necessary for you at all? If dey ain’t, den close ‘em down!

Yes, this KISS principle seems to fly a bit in the face of the traditional Keep It Simple Stupid version, but remember one of my Security Maxims: being insecure is easier than being more secure. Since being secure isn't the easiest approach, stupid, Keep It Secure Simply.

Remotely Ring, Lock or Erase your Android Devices

Did you know that you can remotely locate, lock and erase your Android devices?

Did you know you can do this with free, built-in functionality from Google without an expensive security app service?

Any device to which you’ve added your Google account will show up in a handy Android Device Manager (ADM) interface. You can access ADM from any browser or from the Android Device Manager app on any other of your Android devices.

Let’s take a couple of straightforward examples in increasing severity:

News to me! You?

Finally lifted my head from a busy day deeply involved in some hot to-do's for a client and took a peek at the news of the day. Since I didn't do a good job having a "real" blog post ready in time to post today, and since these items are of interest to me, I'm going to try to make them of interest to you.

Also noteworthy is that this is the first blog post I'm crafting entirely on my recently acquired Chromebook Pixel. I'll be discussing that more in a future post.

News Item 1: Google Sells Motorola Mobility to Lenovo

Not really a surprise, as this always seemed to me to have originally been a purchase to get at the patents to protect Google and their other Android-using partners. They are sending off the Motorola hardware bits to Lenovo with a nice tail wind of recent and well received devices. I certainly hope Lenovo builds on the successes here and leaves what seems to be working nicely well enough alone.

News Item 2: Twitter Hack & Two-Factor Non-Factor

This is a long article and not all of it is all that interesting, but it does resurface the issue of the vulnerabilities of humans attempting to authenticate other human beings. The hacker in this case worked through an increasingly familiar chain of services' phone support personnel using standard social engineering tactics. It is long past time that companies (and it is always the same group of companies, or is it just me?) developed a better procedure for validating a customer over the phone.

My apologies to my friends at IDology and other "generate questions from public database" companies, but asking these ridiculous questions about what my car payment is or what address I lived at back in the 80s is not the way to go. The information is too easy to get at if you've worked yourself up the chain of services such that you have all the information you need when you get to that point.

Oh, and asking for the last 4 digits of a credit card is just plain ol' moronic. These are the digits that don't even get masked on receipt printouts for cryin' out loud!

What would be better? Well, let me tie into the comment in the article by the hackee that even two-factor authentication wouldn't have helped. Really? I have two-factor turned on with service X predominantly for use on the web, but guess what? That same two-factor authentication method will work just fabulously over the phone! They can ask me and I can tell them the one-time code. If it causes anyone angst to give a customer service rep a code that is also used to authenticate me for login, then have me type the code in on the keypad and have the phone system, which is listening anyway ("your conversation may be recorded..."), merely give a "yup, that's the right guy" response to the customer service rep.

Anyway, as you can tell this one really punched a couple hot buttons with me!

News Item 3: Google Successfully Pressures Samsung To Dial Back Android Tweaks

Hurray, Hurray, Hurray! Samsung makes great devices and is doing some interesting things with camera hardware and other cool little things that I'd love to have. Problem is that having used their CheezWhiz UI and the plain Google Android UI, I want no Cheez!

It isn't just the UI, but also their custom Samsung apps. They are not good. I am not alone as you can see from this quote lifted from the article: 

In his Galaxy S4 review, Re/code’s Walt Mossberg wrote, “I found Samsung’s software often gimmicky, duplicative of standard Android apps, or, in some cases, only intermittently functional.”

I'm thrilled to hear Samsung is moving toward more stock Android and only time will tell if it turns out to be true. The sooner it is, the sooner it is likely I'll buy another Samsung device vs. my current commitment to all Nexus devices, all the time.

Hot topic: Browser extension / add-on security

A hot topic in recent days has been security around extensions / add-ons in browsers. The terms "extension" and "add-on" are interchangeable and amount to the same thing. Chrome uses the term extensions; IE and Firefox use the term add-ons. I'm a Chrome user so I'll use the term extensions from here on out.

Regardless of the term, extensions can provide handy functionality to your browsing experience. To do so, they have to be granted some level of permissions upon installation to do whatever "handy thing" the extension promises. For instance, last week I discussed and recommended the Evernote Clearly extension. This extension allows for manipulation of the display of web pages. I feel comfortable recommending this extension as I trust the Evernote folks not to do something else nefarious in the extension.

At the bottom of this post is a good article from Ars Technica discussing the latest kerfuffle and discussing the pros / cons of extension handling in the major browsers. It also has some links to more information about the issue that may be of interest.

What does ProTechCoach recommend?

  1. Regardless of what browser you use, stick with "major brand" extensions. I currently have 8 extensions installed in Chrome published by the following entities. I trust these organizations based on past experience, reputation and that they are large enough that if they do something purposely heinous, it will hurt their brand immensely.
    • Adblockplus, Bitly, Evernote, Google, Lastpass, Picmonkey
  2. Review your extensions and uninstall any you aren't using or don't know how they got there. You can always reinstall them later if something you really depended on suddenly isn't working. If you want to check whether you are using them, you can start by disabling them for a day; if you don't notice anything critical changed in your browsing experience, go ahead and delete them, or re-enable them if you realize why you had them.
  3. I'm sticking with Chrome. As the Ars Technica article mentions, Chrome has made changes and more are coming in June to further secure extension handling.
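As an added aid to step 2 (my own script, not something from the post, Google or Ars Technica): each installed extension carries a manifest.json listing the permissions it was granted at install, and a quick scan of those shows which ones can read or rewrite every page you visit. The permission names come from Chrome's extension manifest format; the Linux profile path and the two sample manifests are constructed for illustration.

```python
import json
import os
from typing import Dict, List

# Permission strings (from the Chrome extension manifest format) that let an extension
# read or alter what you see on every site, or reach beyond the browser itself.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BROAD_PERMISSIONS = ALL_SITES | {
    "tabs", "webRequest", "webRequestBlocking", "webNavigation", "cookies",
    "history", "management", "nativeMessaging", "debugger", "proxy",
}


def review_manifest(manifest: Dict) -> List[str]:
    """Return the broad permissions a manifest asks for (empty list = nothing alarming)."""
    asked = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    broad = {p for p in asked if isinstance(p, str) and p in BROAD_PERMISSIONS}
    # A content script injected into every page is as powerful as <all_urls>.
    for script in manifest.get("content_scripts", []):
        if any(m in ALL_SITES for m in script.get("matches", [])):
            broad.add("content_scripts:<all sites>")
    return sorted(broad)


def scan_profile(extensions_dir: str) -> Dict[str, List[str]]:
    """Walk a profile's Extensions folder, e.g. ~/.config/google-chrome/Default/Extensions
    on Linux (path is an assumption), and report broad permissions per extension name."""
    report: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
            report[manifest.get("name", root)] = review_manifest(manifest)
    return report


# Constructed sample manifests (not real extensions): a page clipper that only touches
# the active tab, and an "ad helper" that can inspect and rewrite traffic on every site.
CLIPPER = {"name": "Clipper (constructed)", "permissions": ["activeTab", "storage"]}
AD_HELPER = {
    "name": "Ad Helper (constructed)",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "tabs"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for m in (CLIPPER, AD_HELPER):
        print(m["name"], "->", review_manifest(m) or "nothing broad")
```

An extension that legitimately needs to touch every page (an ad blocker, a password manager) will show up here too; the point is to know which installed extensions hold that power and whether you still trust their publisher.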

Chrome’s regulations for existing extensions are set to change in June 2014. The changes should prevent extensions from being anything but “simple and single-purpose in nature,” with a “single visible UI surface” in Chrome and a “single browser action or page action button,” like the extensions made by Pinterest or OneTab.

This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June.

Here's a quick video showing how to check and manage your extensions in Chrome.

Ars Technica: After Chrome’s recent extension drama, what browser has the safest add-ons?

http://arstechnica.com/business/2014/01/seeking-higher-ground-after-chrome-extension-adwaremalware-problems/#p3

Social Managers, how's your security?

Apologies for not keeping a post-a-day pace for the next week or two!

Thought I'd pass along this blog post from the fine folks at LastPass while I try to get back in the groove on my end. Lots going on simultaneously with your ProTechCoach, so my apologies if I can't quite keep up the post-a-day pace I'd like.

Some thoughts to prompt you to take the LastPass tips seriously:

  • To what level of security risk do you expose your clients in your security practices? Or would they be better characterized as mal-practices?
  • If an attacker hacks one account you control, at how many others could the attacker reuse those same credentials?
  • Can the attacker then lock you out of your and their accounts?
  • What value do your clients place on their reputation and how upset would they be to have it damaged?