Nathan Strang

Your life is now in the cloud, security is more important than ever [gay geeks]

Filed By Nathan Strang | November 29, 2009 7:00 PM

Filed in: Gay Geeks, Living
Tags: gay geeks, identity theft, Internet Security, life in the cloud, luddite security, Nerd 101, Social Networking

Before Facebook, before Twitter, before eBay, identity theft required a bit more work. Every once in a while you'd hear a nightly news special on how someone could sift through your garbage, finding bits and pieces of your life, leading up to a nasty case of identity theft. The fix was simple: shred your personal data, and don't give it out to just anyone who asked.

Jumping back to now, our personal data is flying high above us in the imaginary "cloud." Every time you surrender some portion of your personal data to a social service (Twitter, Facebook) or trust it to an internet-connected device (computer, iPhone), a hacker could very well get in and ruin your day.

The good news is the fix is the same as for the Luddites... the bad news is it's all your fault. Jump through for a lesson in "Safe Nerdin' 101."

iPhone


Alright, you have an iPhone and your best bud told you that if you jailbroke it you could pirate install any app you wanted (or something like that). Jailbreaking an iPhone is nearly painless these days, but there's one step that certain people have been skipping, namely the people who have been getting the iPhone worms that popped up in early November: when you jailbreak your iPhone (and only if you install OpenSSH from Cydia) you need to change the passwords for the "root" and "mobile" accounts.

Why? Because the password for your iPhone and nearly every other iPhone in the world is set by default to "alpine." Right now, the hacks are mostly harmless, and isolated to countries outside of the US with a higher percentage of jailbroken phones, but there is nothing to stop a seriously malicious data mining attack from emerging from all of this. It's ok, it's ok, the fix is really simple, but I must stress that most jailbreak apps alert you to this security hole; if you neglect this step you deserve to have your data stolen. On the other hand, if your iPhone's firmware is intact and straight from Cupertino, you are safe from this type of exploit... but your password is still "alpine."

Windows


If I had my way, I'd order that those free 3-month subscriptions to security suites like Norton or McAfee that come bundled with your new PC be outlawed. From my experience, I've noticed that users will sign up for the trial, let it lapse, and continue without a subscription thinking they are still protected.

Don't get me wrong, Norton Antivirus is a great security tool, but any subscription-based security tool becomes nearly useless once your subscription lapses. The reason is that spyware, viruses, and other exploits are constantly evolving, and security tools need to get regular updates on the nasty buggers that will foul up your system. Sure, Norton will technically work without a live subscription, but it will only be as effective as its last update, and some suites stop working altogether after their trial lapses.

I used to tout AVG as the best anti-virus tool for no money (read: free). I still like it, and you can download it from free.avg.com, but I have to say that Microsoft recently released their own tool... and it works. Microsoft Security Essentials works just like the rest of them, scanning through your files and resources, looking for exploits and zapping them to oblivion.

I wasn't a fan of previous Microsoft security tools, but this one finally has everything you need, and none of the fluff. It's free, there is no "upgrade to a paid version" drama, and there isn't a lot to distract or confuse. It's now part of my post-viral-meltdown-security-reboot-pack. You do have to ensure that your copy of Windows XP/Vista/7 is legit, however, or Microsoft Security Essentials won't install.

The Internet, All of it.


I tagged my gay geek of a boyfriend to write this part for me. He's been a security risk analyst for a big global bank for some time, and I felt he could lend some professional advice.

Phishing is social engineering at its best: to pose as someone other than yourself and present a plausible scenario to gather the information needed for whatever nefarious purpose one might have.

A good example is those emails we all get from our favorite bank, big box store or auction site saying our account information is invalid and that we should log in with our personal data via the handy link they provided. We've all seen them, we all hate them, but how many of us can honestly say we've never gone to the site and tried to log in? Uhuh, right. If you ever find yourself in this situation, here's what you can do to recover (hint: you might wanna start this process right after you realize you just gave all your bank info away, don't wait a week):

  • Change your password - I can't stress the importance of this one enough. If you use the same login/password for multiple services, change them all. Every one of them. We all know it's a bad idea to use the same password for everything but we all do it for convenience. The bad guys know this and therefore will try it out on everything else they have on you, so change them all.
  • Contact your bank, and let them know what happened. They can reissue a bank card, change your account number, and will watch your account for suspicious activity.
  • Check your credit card statements closely. We should be doing this all the time but we don't. If you see any anomalous charges look into where they came from.
  • Check your credit report from all 3 credit bureaus. It's free once a year, or about $10 per bureau if you've already looked this year. The peace of mind is well worth the $30 and contrary to popular belief checking on your own credit does not affect your credit score.

If someone does get your banking or credit info and fraudulently uses your accounts you are not liable for the charges; however, it's a pain in the ass and it will affect your credit score.

Banks spend millions and have teams of people whose job it is to ensure nobody gets into their systems to steal your identity, but it's your own responsibility to keep it secure when it's in your hands. There are some simple steps you can take to help prevent yourself from becoming the victim of identity theft:

  • If you wouldn't tell a stranger on the street, don't tell the internet! Don't post your phone number on MySpace. Don't post your maiden name on Facebook. It may make it easier to be found by friends, but it makes it easier for the bad guys to know where your neighborhood is.
  • Always look for the little lock icon on websites where you put any personal information (even your name). If you click on the lock icon it will tell you information about the website you are viewing, including who actually operates it. As long as that certificate matches the company you are expecting to find you are pretty safe (nothing is 100% of course).
  • Use strong passwords. No names, no pets names, no birth dates, a season with a year after it is just as secure as no password at all. Use seemingly random strings of letters and numbers. Anagrams work well. There are plenty of password generator websites out there, use one of those.
  • Watch out for Twitter/Facebook traps. Twitter's API allows websites to connect with the social network, allowing some pretty cool services like TweetStats and the game Spymaster, but be careful about sites asking you to log in. If you need to give a site permission to play with your tweets, they will redirect you to twitter.com to give access. Make sure you see the lock icon, and that the URL really is twitter.com. Same goes with Facebook.
  • Don't write your passwords down! If you must keep your passwords in one place, there are utilities to securely keep track of all your account login data.
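The lock-icon and "is it really twitter.com" checks above are the kind of thing a browser extension or mail filter can do mechanically. This added example (my own illustration, not code from the post or from Twitter/Facebook) checks a login link the way a careful reader would: it requires https, and it compares the actual host name rather than just searching the string for "twitter.com", so look-alikes such as twitter.com.example.net and user@host tricks are rejected. The trusted host list is an assumption for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the hosts the post says a genuine Twitter or
# Facebook permission request must land on.
TRUSTED_HOSTS = {"twitter.com", "facebook.com"}


def is_trusted_login_url(url: str) -> bool:
    """True only for an https URL whose registered host is trusted.

    urlsplit().hostname strips userinfo ("twitter.com@evil.example"),
    port numbers and IPv6 brackets, so the comparison is done on the
    host the browser would actually connect to.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":          # no TLS, so no lock icon at all
        return False
    host = parts.hostname                # already lowercased by urlsplit
    if not host:
        return False
    host = host.rstrip(".")              # "twitter.com." is the same host
    for trusted in TRUSTED_HOSTS:
        # exact match or a real subdomain (api.twitter.com); a host that
        # merely *starts* with twitter.com (twitter.com.evil.example) fails
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


def triage(links):
    """Label each link so a user (or a log reviewer) can see why it failed."""
    return [(link, "ok" if is_trusted_login_url(link) else "suspicious")
            for link in links]


if __name__ == "__main__":
    # Constructed sample links in the style of the phishing mails described above.
    samples = [
        "https://twitter.com/oauth/authorize?oauth_token=abc",
        "https://api.twitter.com:443/oauth/authorize",
        "http://twitter.com/oauth/authorize",                     # no lock icon
        "https://twitter.com.account-verify.example/oauth",        # look-alike suffix
        "https://twitter.com@account-verify.example/oauth",        # userinfo trick
        "https://twltter.com/login",                               # typo-squat
    ]
    for link, verdict in triage(samples):
        print(f"{verdict:10s} {link}")
```

The same host comparison applies to the bank and auction-site links from earlier in the post; only the allow-list changes.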

Ultimately your online presence and security is your own responsibility. Do with it what you will, but do so with the understanding that nobody cares as much about your identity as you do.




I got caught by a phishing email recently. It wasn't connected to any financial data and I realized what happened and changed my password literally 30-90 seconds later. Then I changed my password in other areas where I used the same password. I haven't noticed any ill effects, but do you know if I'm still at any risk? I mean, when phishers get a password does a computer program jump into action immediately or does a person have to receive it and use it (in which case I certainly would have beat them to the punch)?

More than likely the phisher will have a program running that tries every login/password on the list to see which ones still work. When working IDs are found the program will generate a list for the bad guys to sell.
If you've changed your passwords you are pretty safe from that same phisher.

If you're ever in doubt of the authenticity of an email asking you to log into your account - don't click the link - go to the site directly and log in.

Yeah, normally I catch that kind of thing more immediately, but it was for Facebook and I don't have financial information on there -- or any potentially damaging info really -- so it wasn't on my mind. It was a friend request and I clicked the link to their profile to see if I recognized them. I thought it was odd when it asked for my password (on my home computer I'm always logged in) but then when it reloaded the login page rather than showing me the profile, I looked at the URL and realized what was up.

A recent phishing scam in the UK posed as HM Revenue & Customs, claiming that a large but (for most people) believable tax refund was due and including in the email a link to a webpage masquerading as a PDF file - so a very clever scam. In my case, the "refund" was £860 ($1420) - which might have been plausible had I been employed for the whole of the 2008 financial year.

In short, phishing scams are now masquerading as government agencies as well as private companies - so if you get an email from any state or federal agency asking for that kind of information, search for the agency's phone number on Google or Yell and double check the information by phone.

Do you have any idea how much I laughed at the All Your Base graphic you made?

Oh I do... I figured some old message board geeks would either roll their eyes or roll on the floor over that.