Secure Your Digital Life

I can’t tell you the number of times I hear people tell me

there’s no need to worry about being hacked – why would anyone ever be interested in me

Well that’s true they are not, but they are interested in your accounts, your identity, and your money and they get to that through your accounts and passwords. Banish the notion of personal “presumed security” – the sense that you are just one person amongst billions of targets and as such your risks are so low so as not to be a concern. That was true when the attacks were limited by geography, proximity and even numbers of hackers, but with the internet where everyone is connected, and all resources are available immediately and the use of automation and even Artificial Intelligence it is not anymore. What follows below is some details of why this is the case including some examples, tools you can use and some of the background to why I have selected the methods and tools that I have done. But for those that want the TL;dr I present two initial sections – the abbreviated getting started to securing your life, the longer more detailed step by step explanation

Quick Start Incremental Steps to Securing Your Digital Life

1. Think up a complex password
2. Download and install LastPass and the LastPass Authenticator
3. Set up LastPass

Longer Form Incremental Steps to Securing Your Digital Life

Here’s the longer list of steps to securing your digital life with each of the steps detailed below

1. Select a Password Manager
2. Create a Complex Password
3. Setup Your Password Manager
4. Setup Authenticator App
5. Switch on Two Factor Authentication (2FA) for your Password Manager
6. Install Password Manager Add ons
7. Log In to Your Online Accounts
8. Prioritize Online Accounts to Update
9. Switch on 2FA for Your Other Accounts
10. Update Your Credentials in your Mobile Devices
11. Only Change Passwords When Needed

1) Select a password manager – I recommend LastPass because their free version is a better option than 1Password and cost (especially recurring fees) is often an inhibitor to people starting to use a product (here is one of the many comparisons of the password managers)
2) Think up a really good long and complex and easy to memorize password for your LastPass vault. The longer this is the better. I recommend writing it down (legibly) on a piece of paper you lock/secure in a safe place – perhaps where you keep your families certificates, passports etc.
Struggling to come up with a password here are some ideas

Star Trek Fans

Think of something you love and make a phrase replacing characters with obvious alternatives. For example for Star Trek Fans:

So your original phrase might be:

StarTrekOriginalSeries+DeepSpace9-MyFavoriteShows

That’s 49 characters
Now make it complex by replacing characters with alternatives that are easy to remember change i to !, S to 5, O to zero and add a complex unusual at the end
So the password becomes:

3tarTrek0riginal3er1e3+Deep3pace9-MyFav0r1teShows#

Note – This is not a password I use, and it should *not* be your password, it’s just an example of a technique, create your own
Another example comes from my good friend and colleague Joe Bormel that you may find useful. Takie the first letters of a favorite line from a favorite poem, song, phrase to form a password. So for example

“Do not stand at my grave and cry;
I am not there. I did not die.”

becomes

Dnsamgac-IantIdnd

And then put a favorite digit string at the end, with a dollar sign or percent or some other non-letter character for good measure
This now becomes your master password for your password vault in LastPass
3) Setup your password vault in Lastpass using the master password
4) Download and install the LastPass Authenticator for your mobile device
This is the same concept/technology as “Google Authenticator” but the specific advantage is that Lastpass offers the ability to backup all your accounts to their secure cloud. As and when you change your device this will save you hours of time that it takes to recreate all these accounts when you update or change your device (speaking from experience)
5) Switch on two-factor authentication (2FA) for your LastPass vault using the handy dandy LastPass authenticator. Added bonus the automation of this makes logging into your vault with authenticator very simple.
6) Download and install the password manager for your desktop, browsers, mobile device, and operating system. Install the main application for your operating system and then depending on versions may need to add browser extensions which work to identify fields and offer to auto-fill userID’s and passwords from your vault when you go to sites that you have stored passwords for.
7) Now go to each of your accounts from a web browser and enter your credentials to log in. Lastpass will automatically store these in the vault for you but you should use this as an opportunity to change your passwords to complex passwords. Lastpass will autogenerate a random password with the right mix of character based on options. I recommend a minimum length (where the account allows) of 12 characters with as much complexity as allowed (some don’t allow the “special characters”). I recommend copying (Ctrl-C) the password so you have it in your copy buffer (and if you use copyclip to store previous copies you’ll have a list going back 20 instances) incase Lastpass does not automatically update the password in the vault. Mostly it is very good and pops up saying do you want to update the password in the vault automatically but when it does not go in manually need to do so yourself before you forget the password has changed and no longer have a copy of the password in your copy buffer.
8) Start with your email accounts – they are all big targets, then move on to financial etc
You don’t have to do them immediately and can just change others as you access them
9) I also recommend switching on 2FA for all your accounts as well – some accounts are very good implementations, others not so much so ymmv but start. Where possible use the authenticator but if text message is the only option use that (twitter for example)
10) Update your credentials on your phones and all your I-devices as they will now all be “logged out” as you have changed the password
11) Now you only need to change a password on an account when forced (which is stupid btw) or when a breach occurs. Lastpass also makes changing password easy

The Details to Securing Your Digital Life

First off some examples and background to the reason why securing your digital life is so important
Example 1: This post from Brian Krebs: What the Marriott Breach Says About Security, which highlights the fact that

The Bad guys already have access to all your personal data points that you believe are secret and that anyone you share this information will in all likelihood eventually be hacked and lose/leak

Example 2: This paper Weaponizing Data Science for Social Engineering, that demonstrated the ease and speed with which automation and AI can be used to successfully automate attacks
Example 3: Sextortion or an Equivalent – where they use credentials you have used but have been breached that are presented to you featuring your password in the email header and a clever ruse to persuade you why you should send them money (Sextortion Scam Uses Recipient’s Hacked Passwords)
Example 4: My own personal example of my cloned twitter accounts and months later I find my profile (family, life etc) had been cloned and used to cheat some poor woman out of ~70k. You can read all about that here

Examples of Hacking in Practice

Hacking is now AI-based but it still centers on social engineering as aptly demonstrated in this brief 2 ½ minute video to gain access to your accounts

This longer version of this (12 minutes) will give you a much deeper sense of the capabilities.

Your email is a gateway to your life

Mat Honan and his twitter account was such a prized possession hackers used a series of steps to own all his accounts and deleting some of his personal family photographs in the process. Some of the attacks are non-technical using “Social Engineering” that uses our basic human instincts, especially our desire to help people
I’ve had the opportunity to interview Chris Hadnagy (@TheHumanHacker), author and founder of “Social-Engineer” and TedX speaker

Still not convinced watch this video from CNN showing this kind of activity and how quickly and easy it is to obtain full access

Thanks to work from Troy Hunt (@troyHunt) who amongst other things set up the site “HaveIBeenPwned“) – you can hear his interview and read more from that here. In fact, you may have seen the impact of that if you get a notification like this

Which is checking the password you are using against the HaveIBeenPwned site’s database to see if that password has been reported breached. But if you have a password you use, especially one you use multiple times you should check this manually for yourself and see how many times it shows up in the shared resources hackers peddle in their forums, dark web and in places like pastebin. You can subscribe for notifications based on your userId/email for accounts that have been reported breached by going here. So any new breaches that he loads will trigger an email warning. You should also sign up for alerts for any emails on your own personal domain if you have one.  So, for example, I have an alert for vanterheyden.com which I own and have some emails associated with and use for some accounts.
You can go a step further and sign up for alerts on PasteBin with a free account, or just go to the site and do a single search to see if your email has been uploaded to the site . If you set up a free account, you can leave a search agent running looking for your main email addresses showing up in any data that is shared on PasteBin. You can set up 3 searches for free but do have to renew every 60/90 days or so.

Password Management

Stop creating or trying to use passwords manually. Use the tools available and have the system generate unique passwords that are only used the one time for the site/account you are creating or entering. This is true even for the accounts you “don’t care about”. For example, perhaps you don’t care if someone hacked your account on ancestry.com. But since many people re-use passwords one of the standard methods for hackers to use is to go after easy targets where security may be lax or non-existent, exfiltrate account IDs and passwords (oftentimes without being discovered) and then use that list to go after high-value target accounts with a technique called “Credential Stuffing”. They automate these attacks and even though the success rate is low it doesn’t matter if you happen to be the one it’s your account, money, life, photos etc that are lost.

Managing Passwords Going Forward

Use a password manager – there are a couple of primary players available in the cloud. I personally use LastPass and like their freemium model that provided more than enough functionality for me to work for years. Your main password needs to be secure! In case you think its enough to transpose 1 for “L”, this is standard fare and the password cracking tools look for these kinds of passwords as part of their regular attack list so it needs to be complex AND long. There is also 1Password but as best as I can tell there is no free option that is functional.
You can also use a manual process and store your passwords in a secure local vault file on your machine – there are a few of these tools: KeepPass is open source and DashLane another.  The downside is no autofill of your credentials and unless you are on a device that has an add-in/program with the access you cannot cut and paste the credentials

Is it Secure

So LastPass did get hacked back in 2015 but their design kept users data secure, including my credentials. No security is perfect but they did a pretty good job in my opinion and certainly a whole lot better than anything I could do on my own. It is a whole lot easier to remember one single complex password/phrase and keep that secure than multiple phrases, passwords or codes you write down or keep stored. I also have two-factor authentication turned on for this and many other accounts which makes breaking into my vault harder

Two Factor Authentication (2FA)

This is the principle of needing two things (typically your password and some other unique piece of data that only you would know or be able to access) to be able to access an account. There are many ways of achieving this that range from the basic use of a code sent by SMS text messaging to your phone (slightly less secure but still better than not using 2FA) and here’s some steps to protect against SIM Swapping, to applications such as the Google Authenticator app (iPhone or Android) and the equivalent (but better because it allows you to back up the data) from LastPass, with the added bonus of tighter and simpler integration with some sites

What did I miss? Do you have any experience or stories of success or failure in protecting your digital life that you can share – do so below.

Tagged as Cybersecurity, Hacking, Healthcare Security, Password Managers, Passwords, Security, Social Engineering