It's Time to Double Down on Security

Stepping into the digital realm introduces a whole host of security problems. It seems that every couple months, we read another headline about someone hacking a big-name company. The good news is that computer security experts are always hard at work creating new standards to improve security. The bad news is that most of us are not involved in creating these standards. What can we do in a world where data theft has become all too common?

Security Mirage

Back in 2010, computer-security expert Bruce Schneier delivered a TED Talk titled “The Security Mirage.” In it, he argued that “security is two different things: it’s a feeling and it’s a reality. And they’re different. You can feel secure even if you’re not, and you can be secure even if you don’t feel it.” People often place too much trust in online security. For example, just because a password text field replaces each keystroke with a “•” does not mean your password is secure. It’s easy to feel secure, but much more difficult to be secure. The feeling of security must match the reality of security. When it does, data is much safer and companies are less likely to find themselves the victim of the next cyber attack.

Learning From the Past

In the summer of 2012, Russian hackers breached LinkedIn and stole over 6.5 million passwords. They proceeded to post the passwords in plain text online for anyone to see. Before the hack, LinkedIn users felt safe. LinkedIn’s site had the tiny padlock icon next to the URL, which signifies that a site has a Secure Sockets Layer (SSL) certificate. Many users assumed, “LinkedIn is a professional social media site. I’m sure it’s secure.” Others didn’t think twice about whether LinkedIn was secure or not. Users felt secure, but in reality they were not. LinkedIn stored user passwords on its servers in an insecure manner, which made it easy for hackers to steal them and post them online. LinkedIn failed to match that feeling of security with reality.

Responsibility for Both Sides

LinkedIn was responsible for leaking the passwords, but the breach exposed a second problem. Many people use the same password for many, if not all, of their online accounts. When hackers leaked the sensitive data, an individual had to scramble to update their password on LinkedIn. Unfortunately, it didn’t end there. They also had to update any other site where they used the same password. What does this tell us? Software companies are responsible for securing their users’ data. Individuals are responsible for using unique passwords for every account. The folks over at AgileBits have a great piece of software called 1Password. We recommend it for managing passwords on all your accounts.

Companies:

  • Encrypt network traffic using SSL: While it doesn’t ensure 100% network security (see the mess that was “goto fail”), it’s one of the easiest ways to add security to your app or website.
  • Hash, salt, or encrypt your data as appropriate: Not all data needs the same treatment, so identify which data must be protected and protect it accordingly.
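To make the second point concrete, here is an added example (not code from the original post) contrasting the kind of password storage that makes a leaked database easy to crack with the salted, slow-hash approach a company should use. The insecure function is a constructed illustration of a fast unsalted hash; the hardened version uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt and a constant-time comparison. The iteration count and the storage string format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of insecure storage: one fast, unsalted hash.
# Every user with the same password gets the same digest, and a leaked
# table can be attacked with precomputed hashes of common passwords.
def insecure_store(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Hardened storage: a random per-user salt plus a deliberately slow
# key-derivation function. The iteration count is an assumption; tune it
# for your hardware so that one derivation takes a noticeable fraction
# of a second.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Storing the parameters alongside the digest lets you raise the
    # iteration count later without breaking existing records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare safely."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who chose the same (constructed) password.
    a, b = insecure_store("hunter2"), insecure_store("hunter2")
    print("unsalted digests identical:", a == b)
    sa, sb = hash_password("hunter2"), hash_password("hunter2")
    print("salted records identical:", sa == sb)
    print("verify correct password:", verify_password("hunter2", sa))
    print("verify wrong password:", verify_password("hunter3", sa))
```

The unsalted digests come out identical for the two users, so cracking one cracks both; the salted records differ, and each must be attacked separately at the cost of the full iteration count per guess.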

Individuals:

  • Choose unique and long passwords: Unique passwords protect your online accounts from LinkedIn-type breaches. Long passwords protect you from hackers being able to guess your password. Whatever you do, never use any of these passwords for your accounts: Worst Passwords of 2014.
  • Exercise caution when entering sensitive data: When entering sensitive information (e.g. a credit card number or SSN), check that the website has a valid security certificate. Most web browsers will warn you if they detect an insecure website, but it never hurts to double-check for yourself.

The need to build secure software and be safe online will continue to be an important issue. It’s up to software companies and consumers to ensure that the Internet is a secure place to explore, interact, and learn.