What's new, pussycat...
That whole brouhaha with Mat Honan's Apple/Amazon/Twitter hacking that created tsunami-sized waves in the web world the last couple of weeks had me getting a little concerned about my own cyber security.
It sucks what happened to Mat but there are things he could have and, as even he admits, should have done to protect himself and his data. The primary thing being not to use the same user ID and password everywhere. That practice led to the hacking of both my Hotmail and Gmail accounts nearly two years ago. That was the start of my move toward greater security, but I'm in the process of doing even more.
I'm killing online accounts that I don't actively use including social media.
I removed my credit cards from my Amazon account so they cannot be used against me like they were with Mat.
I've swapped out passwords on various accounts so they're not the same.
I'm using secure services to protect my passwords.
And I set up what's known as "2-step verification" to protect my Google account. Since Google is basically the lifeblood of my online existence (Gmail, YouTube, Google+, etc.), the safer I am, the better. The good thing is, I don't have any credit cards tied to Google.
Setting it up was easy... I changed a couple of settings in my account and then verified the change using two web-accessible devices (my wife's MacBook and my iPhone, for example) to guarantee that I am the actual account holder.
The scary thing was being shown how many online services and apps I had granted access to my Google account, for, say, login purposes. I started rescinding approvals on those and then had to verify the "trusted devices" that could access the account using 16-character passwords randomly generated for me by Google. Then I had to do the same for all the apps I use like YouTube, Google+, Google Drive, etc., using six-digit passcodes sent via SMS that needed to be entered in the apps.
It's crazy. I've received more SMS messages from Google in the last few days than I've received from all other senders combined over the course of the last month.
It blows your mind when you realize how many devices you use to access your account and all the apps that are tied to it.
It's no wonder hackers can do stuff like this so easily. We MAKE it easy for them.
If you haven't done so, please consider rechecking and revising your own online security. We are living in a virtual world, and I am a virtual gir... wait, no. Boy.
If any of you took offense at my Twitter feed earlier today when @martymankins, @avitable, @DownWithPants, and I went to town coming up with the dirtiest possible news headlines to describe the conviction of three members (heh heh) of Russian punk band Pussy Riot for hooliganism by a Moscow court, well, I don't apologize for it. Not at all.
It was raunchy. It was offensive. It was completely uncalled for.
And the laughs I received from taking part in it were sooo needed.
Big thanks to Marty, Adam, and Brandon for brightening up my day if for only a few minutes.
This is why I keep apps turned off in FB. So many of the games and so forth that are tied into FB will share your info without regard to your privacy settings.
Posted by: claire | Saturday, 18 August 2012 at 11:42 AM
Scary, isn't it?
Posted by: kapgar | Saturday, 18 August 2012 at 11:59 AM
I turned on two-step verification for my Google account immediately after reading Mat's story the other week. I didn't even know they offered that to be honest. And I'm a HUGE fan of lastpass which generates and stores random gibberish passwords for each site I use. In the past I was terrible at that and used the same password everywhere - which if someone got ahold of, would give them the keys to my virtual kingdom. Last but not least I backup my computer via Time Machine every couple of days. Not a perfect solution by any means but I think I'm happy with it ;-)
Posted by: Kevin Spencer | Saturday, 18 August 2012 at 02:45 PM
I will definitely have to check out LastPass for password generation. That will help a bit. It's blowing my mind how many devices and apps I have to reauthorize with Google, though. Found another this morning. Wow. As for Time Machine, Katie's laptop does back up there, but we do it rarely. We don't do a lot of work on it where saved files are concerned. Most of those exist either on thumb drives or are already saved to an external drive at home. It's a complex digital life we lead, isn't it?
Posted by: kapgar | Saturday, 18 August 2012 at 03:25 PM
I did the Google two level authentication the other week. PITA to start but then it's been okay.
But today, for example, I forgot my phone and wanted to check my mail on my Kindle but I couldn't; I needed a code. Even if I'd ended up somewhere with a computer, I'd have the same problem, no code. You can print off some one-time codes, but if I forgot my phone I'm certainly not going to have that slip of paper with me; I guess I could put it in my car somewhere...
I do have all of my passwords as unique now. That's kind of a hassle, but I'm getting used to it.
If my password keychain synced between my iPhone, iPad and Macs, it would make it WAY easier for me...
Posted by: Gary LaPointe | Saturday, 18 August 2012 at 05:19 PM
I was told you can use Password Safe (app name pwSafe) and an in-app purchase is the ability to sync amongst devices via Dropbox. I've bought it all but haven't set it all up yet.
Posted by: kapgar | Saturday, 18 August 2012 at 07:36 PM
thank you so very much for the wake up call!
Posted by: hello haha narf | Monday, 20 August 2012 at 11:00 AM
I did the Google 2-factor thing last week as well, but I installed their Authenticator app so that I didn't have to deal with the SMSes. Very nice -- just launch it and there's the current code, along with a timer showing how long until the next code.
My biggest problem with it is the number of embedded browsers used by various apps (even from Google) that end up requiring an additional code, since they (presumably) don't have access to the cookie from Safari (talking iOS here).
Also, the GMail app logged me out the other day when I had a poor network connection, which required me to re-enter a code when I logged in again. I'm surprised they haven't updated that app to be a registered app instead of code based, though I'm not sure I fully understand whether or not that's applicable.
Another thing I find less than optimal -- I appreciate the added security that comes from not letting you view your use-specific 16-character passwords, but I have found that I prefer to reuse those for related services on the same device. This works fine if I set them all up at once, but if I forget one until later, then either it gets a separate entry or I have to reset all of the others. I suppose I could save the 16-character codes in 1Password, but that doesn't seem worth the effort.
(In case someone thinks I'm sacrificing security by reusing these codes, I'm talking about, for example, setting both the POP and SMTP password for an email program. When I set it for Mail.app on my iMac, I only set the POP account and then had to go back and set it for SMTP later. I think I revoked the first one to avoid having two entries.)
Similarly, it would be nice to have these grouped by device such that I could revoke all of the codes for a particular device. I don't see much of a use case for revocation, other than maintenance, that wouldn't be on a per-device basis.
Apologies for using your comments to write my own blog post. Perhaps I'll just link to this comment on my blog. :-)
Posted by: Ren | Monday, 20 August 2012 at 11:11 AM
Happy to help!
Posted by: kapgar | Monday, 20 August 2012 at 12:39 PM
Link away. You basically wrote a supplemental post as it is. ;-)
Posted by: kapgar | Monday, 20 August 2012 at 12:41 PM
That was so scary what happened to him. Big eye-opener. I already back up all my stuff on my computer at home and use various passwords for different accounts. I've also done the two-step verification thing. I do need to cancel some accounts I don't use anymore though.
Soooo scary.
Posted by: Marie | Monday, 20 August 2012 at 01:30 PM
The bad thing is just trying to remember all the accounts we've established over the years so we can go in and close them out.
Posted by: kapgar | Monday, 20 August 2012 at 03:01 PM
You are most welcome for the Pussy Riot raunch-fest of headline suggestions. I laughed hard and long at what we came up with. ;-)
As for Mat Honan's hacking story, I've read all of his posts so far and his whole ordeal. I think the thing I learned most from that was to make sure that security questions, credit card numbers and related accounts have different sets of rules, not stored online (which I do have one card in my Amazon account, which is not the same as what I have on file at Apple or other places). It's the social engineering that is more of a concern than something brute forcing a password. Also, in Mat's case, a 3-letter Twitter account name was like dangling candy in front of a child. And in that case, you really need to be more detailed and careful in the account details you have/use.
I have 2 backups I keep on just about everything I create. It's overkill, but I sleep better at night.
Posted by: Marty Mankins | Tuesday, 21 August 2012 at 03:07 PM
Overkill isn't necessarily a bad thing here.
Posted by: kapgar | Tuesday, 21 August 2012 at 06:09 PM