Here’s the deal. My Twitter account didn’t get hacked because I did something stupid. It got hacked because someone else – most likely a developer of a third party app that hooks into my Twitter account – did something stupid.
The Times got hacked most likely because somebody on its payroll fell for a phishing email that allowed the attackers to infect the network with malware – kind of like leaving a ground floor window unlocked for a burglar. Still, the attackers had to hunt around to find where the passwords were kept and then spend a few weeks decrypting them. Aside from the employee who got duped, the Times didn’t do anything stupid, but everyone who worked there paid the price.
Similarly, if you visit a site whose ads have been infected by a malware injection scheme, you’re the one who’ll be punished. Your security software and/or browser might catch it in time, or it might not. More likely the latter – security software is increasingly useless against zero-day attacks. But you don’t have to do anything stupid, you just need to be unlucky.
Twitter’s blog post about the hack is pretty chilling. Director of Information Security Bob Lord wrote:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.
In other words, these aren’t your father’s script kiddies. And the fun is only just beginning.
Unfortunately, Lord proceeded to spoon out the usual advice everyone serves up after a spate of hack attacks – keep your security software updated, choose complex passwords for every site using upper and lower case letters and numbers, blah blah blah.
You know what? The usual advice is wrong.
The solution isn’t to create a ridiculously complex password that looks like a ransom note for every single site you visit, or to install a password manager like LastPass or FastLane or RoboForm on every single device you use. Nor is keeping your pricey anti-malware package religiously updated going to do you much good.
Remember, Twitter’s own password database got hacked – and it wasn’t because they forgot to update their antivirus software. The New York Times network got infected by 45 separate pieces of malware, only one of which was detected by its Symantec security suite. Most “secure” passwords are only slightly harder to crack than insecure ones, especially when the attackers have all the time in the world to do it.
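The point about attackers having "all the time in the world" to crack a stolen password database comes down to how the site stored the passwords, not how clever each user's password was. The following is an added illustration (not code from the article, from Twitter or from the Times) contrasting a fast unsalted hash with a salted, deliberately slow one; the iteration count is an assumed value chosen for demonstration, and the rate measurement is only a rough indication on whatever machine runs it.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed work factor for illustration only; real deployments tune this
# to the hardware they run on and raise it over time.
ITERATIONS = 200_000


def hash_fast(password: str) -> str:
    """Unsalted MD5: one cheap guess per candidate, identical across users."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_slow(password: str, salt: Optional[bytes] = None,
              iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Salted PBKDF2-HMAC-SHA256: each guess costs `iterations` HMACs,
    and the per-user salt means every user must be attacked separately."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_slow(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def estimate_guess_rate(hash_fn, seconds: float = 0.5) -> float:
    """Count how many constructed candidate passwords hash_fn gets through
    in `seconds`; this approximates an attacker's offline guess rate."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate{count}")  # constructed guess, not a real password
        count += 1
    return count / seconds


if __name__ == "__main__":
    fast_rate = estimate_guess_rate(hash_fast)
    slow_rate = estimate_guess_rate(lambda p: hash_slow(p, salt=b"fixed-salt-16byt"))
    print(f"unsalted MD5:  ~{fast_rate:,.0f} guesses/s")
    print(f"PBKDF2 x{ITERATIONS}: ~{slow_rate:,.0f} guesses/s")
    print(f"slowdown factor: ~{fast_rate / max(slow_rate, 1e-9):,.0f}x per guess")
```

The slowdown factor is what turns "a few weeks" into something far longer for the same leaked database, regardless of whether individual users picked ransom-note passwords; it is a server-side decision the user never sees.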