A couple of days ago I received a scary sounding email from Twitter. It started like this:
Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
My first thought was that this email was bogus – a phishing attempt to capture my Twitter log-on credentials. So I ignored it and logged on to my account directly from another device to see if there was any strange activity (at least, stranger than usual). There wasn’t.
Still, just to be safe, I changed my password to something more obscure and secure. Then I saw the news reports. I was one of the 250,000 Twitterati whose accounts had been hacked. There was a time when that might have made me feel special in a perverse way. But those days are gone. Increasingly, hacked is the normal state of being.
Last week, the New York Times published a detailed report of how agents most likely working for the Chinese government had hacked into its computers, located and decrypted its users’ passwords, and were roaming freely around its network like teenagers at a mall. A day later the Wall Street Journal published a me-too story, as did the Washington Post. Reuters and Bloomberg have also reported being hacked.
Yesterday I tried to dial up a story on ZDnet about how Anonymous had leaked personal details for 4000 bank executives, when I ran into this warning message in Chrome:
Turns out that NetSeer, an advertising network used by ZDnet, had been attacked by a malware injection exploit. NetSeer says its ad network was not affected, but any sites that carried NetSeer ads were automatically flagged as dangerous by Google.
Here’s the deal. My Twitter account didn’t get hacked because I did something stupid. It got hacked because someone else – most likely a developer of a third party app that hooks into my Twitter account – did something stupid.
The Times got hacked most likely because somebody on its payroll fell for a phishing email that allowed the attackers to infect the network with malware -- kind of like leaving a ground floor window unlocked for a burglar. Still, the attackers had to hunt around to find where the passwords were kept and then spend a few weeks decrypting them. Aside from the employee who got duped, the Times didn’t do anything stupid, but everyone who worked there paid the price.
Similarly, if you visit a site whose ads have been infected by a malware injection scheme, you’re the one who’ll be punished. Your security software and/or browser might catch it in time, or it might not. More likely the latter – security software is increasingly useless against zero-day attacks. But you don’t have to do anything stupid, you just need to be unlucky.
Twitter’s blog post about the hack is pretty chilling. Director of Information Security Bob Lord wrote:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.
In other words, these aren’t your father’s script kiddies. And the fun is only just beginning.
Unfortunately, Lord proceeded to spoon out the usual advice everyone serves up after a spate of hack attacks – keep your security software updated, choose complex passwords for every site using upper and lower case letters and numbers, blah blah blah.
You know what? The usual advice is wrong.
The solution isn’t to create a ridiculously complex password that looks like a ransom note for every single site you visit, or to install a password manager like LastPass or FastLane or RoboForms on every single device you use. Nor is keeping your pricey anti-malware package religiously updated going to do you much good.
Remember, Twitter’s own password database got hacked – and it wasn’t because they forgot to update their antivirus software. The New York Times network got infected by 45 separate pieces of malware, only one of which was detected by its Symantec security suite. Most “secure” passwords are only slightly harder to crack than insecure ones, especially when the attackers have all the time in the world to do it.
So stop focusing on secure passwords. Think about secure identities. By this I mean it’s time to uncouple your real identity – the one you use in three-dimensional meat space -- from your online identity. You should assume your public accounts and even your corporate email are going to be hacked, and put all your effort into protecting the things that really matter: your banking credentials, your cloud data, the email account where your password recoveries are sent.
The simplest solution: Create an email address you use only for those accounts, ideally on a domain you own (and use only for that purpose). The $12 a year you’ll spend on the domain, plus a few bucks a month for some email inboxes, is well worth it. Use a unique address for each account you want to protect. Don’t publish it. Don’t share it with friends. Couple it with a looooong username you can remember, like a song lyric you’ve memorized. Or the first letters of each word in that lyric – like this: PYOABOARWTTAMS@noneofyourgoddamnedbusiness.com.
Can you identify that song? (I picked an easy one.)
Do the same for your password. Since you’ll only have a few to remember, it won’t seem quite so painful or impossible. And let the rest of your accounts go.
Is this a perfect solution? Hardly. Someone could eventually identify that domain and brute force that email address. But it will be a lot more work, and because the first thing they’ll use it for is spam, you’ll have a clue it’s been compromised when the first Cialis ads start showing up in your junk folder. Then you’ll know it’s time to pick a new one.
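The "one private address per protected account" scheme above gives you a built-in tripwire: mail arriving at an alias from anyone other than the service it was created for means that address has leaked. Here is an added example (my code, not from the post or from Twitter) that runs that check over a few constructed mail-log lines; the domain, aliases and log format are all assumptions.

```python
# Added example: detect leaked per-account recovery addresses.
# All addresses, domains and log lines below are constructed for illustration.
import re

PRIVATE_DOMAIN = "noneofyourgoddamnedbusiness.com"  # placeholder domain from the post

# Constructed registry: one unique address per protected account, mapped to the
# sender domain(s) that account is expected to mail from. Nothing else should
# ever know these addresses, so any other sender is a leak indicator.
ALIAS_REGISTRY = {
    "pyoaboarwttams.bank@" + PRIVATE_DOMAIN: {"example-bank.test"},
    "pyoaboarwttams.cloud@" + PRIVATE_DOMAIN: {"cloud.example"},
}

# Assumed log format: "<timestamp> from=<sender> to=<recipient>"
LOG_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")

def parse_log_line(line):
    """Return (timestamp, sender, recipient) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("from").strip().lower(), m.group("to").strip().lower()

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def domain_allowed(domain, expected):
    # Accept the expected domain itself or any subdomain of it.
    return any(domain == d or domain.endswith("." + d) for d in expected)

def find_leaked_aliases(log_lines, registry=ALIAS_REGISTRY):
    """Map each protected alias to the unexpected senders that mailed it.
    An empty result means no alias has been used by anyone but its service."""
    leaked = {}
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _, sender, recipient = parsed
        expected = registry.get(recipient)
        if expected is None:
            continue  # not one of the protected addresses
        if not domain_allowed(sender_domain(sender), expected):
            leaked.setdefault(recipient, []).append(sender)
    return leaked

# Constructed sample log: the bank alias gets legitimate mail, the cloud alias
# gets spam (its tripwire fires), and a public address is ignored entirely.
SAMPLE_LOG = [
    "2013-02-05T09:12:01 from=<alerts@example-bank.test> to=<pyoaboarwttams.bank@" + PRIVATE_DOMAIN + ">",
    "2013-02-05T09:40:17 from=<promo@cheap-pills.example> to=<pyoaboarwttams.cloud@" + PRIVATE_DOMAIN + ">",
    "2013-02-05T10:02:44 from=<newsletter@shop.example> to=<public@" + PRIVATE_DOMAIN + ">",
    "not a log line",
]

if __name__ == "__main__":
    for alias, senders in find_leaked_aliases(SAMPLE_LOG).items():
        print(f"rotate {alias}: unexpected mail from {', '.join(senders)}")
```

When an alias shows up in the result, that is the signal the post describes: retire it and issue a fresh one for that account.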
You might think, Twitter schmitter – who cares if someone has hacked my account? Well, that could be the first step in unraveling the rest of your identity, as Wired’s Matt Honan can tell you. That’s why it’s time to hide in plain sight, and to start separating your real identity from the ones you use on Twitter, Facebook, Tumblr, etc. Do it now, I’ll wait.
As a journalist, I’m kinda stuck. I need to be a semi-public person, because I need to give strangers an easy way to reach me in order to do my job. But you may not have to.
I’ll bet my readers have better ideas about how to deal with the “security is dead” problem. What would you do?
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.