It’s been more than two years since I last posted, so I’m trying to remember which buttons to press to make this happen. Life has a tendency to get in the way, and it’s much harder to start doing something than to stop – when it’s good for you, of course; when it’s something bad for you, it’s usually the reverse.
I occasionally get ideas of things to write about, but they’re starting to back up in my head, and the easiest way to address them is to write about them. I’m reminded of the foreword of the book Illusions, where the author describes not liking writing, but occasionally having ideas which will simply not go away. In my case, it’s more like a backlog of random thoughts in my brain, but the rough idea seems the same.
A few months ago, in July, I had the pleasure of joining my friend Jackie Porter on a livestream, in which we discussed online safety, and how to protect yourself.
As intro music, Jackie selected the song Rasputin, which anyone who lived through the 1970s will remember well. I liked the song well enough, but for some reason I “remembered” that the artist was ABBA, rather than (of course) Boney M. After banging my head against the desk for a while, I sighed and updated my memories of the song.
Jackie selected the song both because it was fun and nostalgic, and because the person on whom the song was based, Grigori Rasputin, is a legendary character who is usually considered a colossal con-artist. He’s generally best known as the prophet (or charlatan, depending on whom you ask) who held enormous influence over the family of the Russian Emperor (Nicholas II), but also for the accounts of his death. One of the stories described him as eating poisoned cakes, drinking poisoned wine, then being shot, drowned, and shot again. In reality, it appears that he was shot in the head – usually effective, though perhaps a bit less poetic.
With regard to online security, I think it’s important to establish the appropriate context through which to investigate the issue. As a brief introduction for a non-technical audience, I find it useful to break things into two main categories, and describe some clear strategies for improving your current level of safety.
Hacking can be described as focusing on “technical” attacks, where an attacker gains access to your accounts or data through some technological means. I’ve written about passwords, password re-use, and Multi-factor Authentication before, and that pretty much covers the baseline defences for most people. To summarize, use long passwords, use different ones for every site/service, and take advantage of MFA whenever possible. If you’re not taking these basics into account, there’s little point in worrying about complex technical attacks – bad actors always tend to use the simplest tools to get the job done.
Scamming, in contrast, is more about the human than the technology. While scams are enabled and enhanced by technology, the core idea is simply to convince someone to do something they shouldn’t. The key defence is to slow down, think, and remember. “On the Internet, nobody knows you’re a dog”, and the person on the other end of the text, email, or call is not necessarily who they claim to be.
In well-run companies, there are financial processes around authorization and approval for spending money. Usually, this involves things like requiring an invoice, two-step approvals, and higher-level approvals for amounts which exceed a defined threshold. We discussed a recent AI-enabled case where a finance employee was instructed to transfer $25 million to a bad actor. In a well-run company, there would be established policies for entering the transaction into their financial system and likely getting multiple levels of approvals.
In this case, the finance person was likely pressured by the fake CFO to break policy and process the transaction, which is the core point. The best course of action would likely have been to agree on the call, set up the transaction, then call the CFO to confirm the details and/or notify them that everything is ready. When the real CFO asks what the person was talking about, the scam fails.
I think the biggest challenge for most people is that they are inundated with endless stories of hacks and scams, with all sorts of different techniques, and don’t have enough information to categorize attacks in a realistic way, leading to anxiety and uncertainty. The key message, though, is that the basic defences are broadly effective.
On the hacking side, if all your passwords are reasonably strong, you will be safe from the majority of password-cracking attacks (with the caveat that the service you are using might not follow good practices, but there’s little you can do about that). If you also use a different, unique password for every service, you will be safe from credential-stuffing attacks: if one service is attacked and your password compromised, you just need to change that password, and don’t need to worry about any others.
If you simply do not trust incoming calls (call back to a known number, if in doubt), and refuse to be pressured by a stranger on the phone, you will be safe from a wide variety of scams and social-engineering attacks.
Taking public health as an analogy, if you were to consider how to deal with different strains of influenza (four species, with continual variations due to mutation), COVID-19 (thousands of variants), and other respiratory viruses as separate issues, you’d be effectively paralyzed by the magnitude of the challenge. Fortunately, though, social distancing, mask wearing, and washing your hands are effective against a very wide variety of respiratory infections – so much so that flu rates dropped dramatically during COVID. If you think of online safety as similar, do the basics and don’t worry so much about all the noise.
Cheers!
As a side-note, I found a password “strength checker” online, and tried an experiment. For amusement only, but I think it’s illustrative of the value of long, complex passwords and pass phrases. In general, the longer the better, but truly random is best.
Using https://www.passwordmonster.com/, I tried several variations on a pass phrase:
Long is better than short, but simple sentences can be problematic (“isthisagoodpassword”: 2.86 seconds)
Spaces make the password longer, which can have a significant impact (“is this a good password”: 1 year)
Mixing case is a big improvement. (“Is this a good password”: 9 years)
Special characters are also a big improvement. (“Is this a good password?”: 804 years)
But again, truly random is best. (“gjW&r{c;#VKbXPE8q"-^`N”: 51 million trillion trillion years)
And, for fun, long and random – like you would get from a password manager. (“E;ms#2$d&ph?fxqV[UY+98vSBkaNAjGRH)'_Qkw<`.MTFyWnP5”: 182 million trillion trillion trillion trillion trillion trillion years)
Maybe that one is good enough?
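To make the pattern in the list above concrete, here is an added example (not code from the original post, and not the method behind passwordmonster.com, so its numbers will not match the site’s). It scores the same phrases two ways: a brute-force model, where the attacker must enumerate every string over the alphabet of character classes present, and a wordlist model, where the attacker guesses one common word at a time. The attacker speed of 10 billion guesses per second and the 1,000-word vocabulary are constructed assumptions; change them to see how the estimates move.

```python
import math
import string

# Constructed assumptions, not figures from the post or from passwordmonster.com:
GUESSES_PER_SECOND = 1e10   # attacker speed, in the range of an offline attack on a fast hash
COMMON_WORDS = 1_000        # size of the vocabulary a word-by-word guesser draws from


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used.

    This is the alphabet a brute-force attacker would have to enumerate if they
    knew only which character classes appear in the password.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Search space, in bits, when every string over the alphabet must be tried."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(words: list, vocabulary: int = COMMON_WORDS) -> float:
    """Search space, in bits, when the attacker guesses one common word at a time."""
    return len(words) * math.log2(vocabulary)


def expected_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected cracking time: on average half the search space is tried."""
    return (2.0 ** bits / 2) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest sensible unit, e.g. '2 days' or '1.2e+09 years'."""
    value = float(seconds)
    for unit, step in (("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365.25)):
        if value < step:
            return f"{value:.3g} {unit}"
        value /= step
    return f"{value:.3g} years"


def crack_report(password: str) -> tuple:
    """(alphabet size, bits, human-readable expected time) under the brute-force model."""
    bits = brute_force_bits(password)
    return charset_size(password), round(bits, 1), human_time(expected_seconds(bits))


# The phrases from the post, in the same order.
SAMPLES = [
    "isthisagoodpassword",
    "is this a good password",
    "Is this a good password",
    "Is this a good password?",
    'gjW&r{c;#VKbXPE8q"-^`N',
    "E;ms#2$d&ph?fxqV[UY+98vSBkaNAjGRH)'_Qkw<`.MTFyWnP5",
]

if __name__ == "__main__":
    print("Brute-force model (alphabet size ^ length):")
    for pw in SAMPLES:
        size, bits, when = crack_report(pw)
        print(f"  {pw!r:55} alphabet={size:<3} bits={bits:<6} {when}")

    # The first phrase is five common words. Scored the way a wordlist attacker
    # sees it, its 19 characters buy far less than the brute-force model suggests.
    words = ["is", "this", "a", "good", "password"]
    bits = wordlist_bits(words)
    print(f"\nWordlist model for {' '.join(words)!r}: "
          f"bits={bits:.1f} {human_time(expected_seconds(bits))}")
```

Each step in the post’s list grows the alphabet (26 letters, then 27 with a space, 53 with mixed case, 85 with punctuation, 94 for the random strings that also contain digits), and the exponent is the length, which is why long and random wins by such absurd margins. The wordlist model is the caveat: a phrase built from common words is only as strong as the number of words times the size of the vocabulary they came from, regardless of how many characters it contains. Real checkers and real attackers use far richer dictionaries than this, so treat any single estimate as a rough ranking rather than a promise.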
Cheers!