Saturday, February 5, 2011

Google, Facebook: End Passwords, Get Biometrics. Now!

By Jason Perlow

With the multitudes of accounts we have to deal with for email, social networking and other applications that require password authentication, the risk of compromise is too great. We need a better solution.
So this morning I did the usual. I woke up, got out of bed, I answered the call to nature, I popped a K-Cup in my Keurig brewer, and I shuffled downstairs to my home office and logged into my personal email account.
This is the first thing that I saw:
Needless to say, I was not amused. At all.
Now, I generally regard myself as extremely careful with my computer security. To the point of being extremely paranoid about it. I use “strong” passwords, mixed alphanumerics with non-alpha characters. An example of this would be something like R1tch13R1c4386!
Not only that, but I don’t use the same password on all my services. My Google password is unique.
Today, as modern computing users, we’re inundated with passwords on all sorts of web and social networking sites. I use GMail and all the Google Apps, such as Calendar, Analytics, Docs, et cetera. I use FaceBook. I use LinkedIn. I use two separate blogging accounts, and I have logins on myriad other websites and web-based applications, not to mention all the corporate intranet stuff I deal with on a daily basis.
It’s gotten out of control. Keeping track of these requires spreadsheets and documents, stored in various places, because you can’t possibly hope to remember them all and when they expire. And then of course you have to have them reset all the time with your new temporaries sent into your email if you forget them.
So back to my GMail account. Someone had clearly compromised it, despite the fact that I use strong passwords. Not only do I use strong passwords, but I use the Chrome browser as my standard on all my PCs, no matter what OS I use, arguably the most secure browser available today, and it’s the only one I access the GMail web interface with, using an encrypted connection.
I also use Linux as my primary operating system, with my Windows software running virtualized, each instance with antimalware and antivirus software running on it, and I don’t run Internet-facing web apps from those. My corporate applications and email are isolated in a Virtual Machine using an encrypted virtual hard drive.
So I have no idea how that account was compromised. My PCs aren’t the only devices that talk to my Google account. I have two Android phones, as well as an iPad. So the attack vector could have been from anywhere.
It could have been a rogue Android or iOS app, it could have been a cross-site authentication thing on FaceBook, or it could have been something as simple as an email or web-based phishing attack, although I tend to be pretty vigilant about the obvious phishing emails which come across my desk on a daily basis now.
It could have been a “Brute Force” attack, although with “Strong” passwords that becomes more difficult. I also won’t rule out Google’s servers being penetrated directly, although that seems less likely.
The point is, it doesn’t matter. If someone like me can get compromised, so can anyone else, especially someone who isn’t keeping track of their online accounts and behavior as much as I do.
Let’s face it — passwords suck. Once someone knows what they are, your security is in a world of poo. I would have used a much stronger term than “poo”, but I’ll let Private Pyle do this for me.
