By now, there should be no one in the country who is not aware that a concerted effort is underway, on the part of Russian intelligence, to hack a whole lot of things.
It may seem that there’s nothing anyone can do - all these prominent people getting their emails hacked and exposed to everyone should know what they’re doing, right? So how can anyone protect their information?
Here’s the thing: nearly all hacking of email happens because of basic errors people make in securing their data. Here are some tips:
Use secure passwords
You hear it all the time, but you’d be surprised both by how often people ignore the advice, and just how complex the passwords are that can be cracked these days.
“P@ssW0rd” is NOT a strong password.
In actual practice, a strong password is a cryptographically random string of 16 or more characters. For example:
But how can anyone create and remember passwords like that? It turns out, there’s a surprisingly simple way to do it, and it also solves the next problem.
Don’t reuse passwords
A common way people get hacked is by reusing passwords among multiple sites. If one site (e.g. Yahoo) has a weakness that allows hackers to obtain its password database, hackers can and will try the same, or similar, password at other sites. If you’ve reused passwords and one of the sites you’ve used your password is hacked, your accounts at other sites may be compromised.
Use a password manager
A password manager is a program that allows you to store, and generally create, passwords for multiple sites and programs. I’m fond of Lastpass, which stores all passwords in a common, encrypted “password vault”. Lastpass has clients for Windows, Mac, Android, iPhone, and Linux, all of which can access your unified password vault. The password vault is only decrypted locally. Lastpass also allows for the generation of cryptographically secure passwords.
One thing I really like about Lastpass is that it can fill in passwords in web browsers and programs. There’s a free version, and a paid version with extra features ($12/year).
Be very careful of “recovery questions”
Quite a few sites make use of so-called “recovery questions”. These are questions you can answer in order to gain access to your account if you forget your password. But given how much of our personal information is out there, recovery questions can be a major security hole. A little bit of background on you can go a long ways.
A better approach, for sites that require you to set recovery questions: use a password manager and generate random, cryptographically secure answers for the recovery questions, too. You might want to save the answers in case they’re required at some point.
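The two recommendations above (a cryptographically random password of 16 or more characters, and random answers for recovery questions) come down to the same operation: uniform selection from an alphabet using the operating system’s cryptographic random source. The following is an added illustration, not code from the original post; the alphabets, the entropy figures and the small blocklist used to show why “P@ssW0rd” is weak are all constructed for the example.

```python
"""Generating the secrets the post recommends (random passwords and random
recovery-question answers) and flagging a leetspeak-dressed common word.
Added example; not code from the original post."""
import math
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ANSWER_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols; easy to type into any form

# Tiny constructed blocklist for illustration; a real check would use a large
# breach-derived list of common passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def random_secret(length: int, alphabet: str) -> str:
    """One uniform choice per position from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password(length: int = 20) -> str:
    """The post's baseline is 16+ random characters; 20 from 94 symbols is ~131 bits."""
    if length < 16:
        raise ValueError("the post's floor is 16 characters")
    return random_secret(length, PASSWORD_ALPHABET)


def random_recovery_answer(length: int = 24) -> str:
    """A recovery 'answer' nobody can look up about you: 24 from 36 symbols is ~124 bits."""
    return random_secret(length, ANSWER_ALPHABET)


def normalize_leet(password: str) -> str:
    """Undo the usual symbol-for-letter substitutions: 'P@ssW0rd' -> 'password'."""
    return password.lower().translate(LEET_MAP)


def is_dressed_up_common_word(password: str) -> bool:
    """True when the password is just a blocklisted word with leet substitutions."""
    return normalize_leet(password) in COMMON_WORDS
```

Password-cracking tools apply the same substitutions in reverse, which is why `normalize_leet` reducing “P@ssW0rd” to “password” is the whole story: the symbols add nothing a cracker has not already enumerated. By contrast, a 20-character output of `random_password` has about 131 bits of entropy, and the recovery answers from `random_recovery_answer` avoid punctuation only so that sites and phone agents accept them, not because it would weaken them.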
Use 2 factor authentication
The basic idea of “2-factor authentication” is to make sure that, for example, if someone has your password, it’s still not enough to gain access to your accounts.
If done right, 2-factor authentication consists of something integral to you (usually referred to as “something you know”, but it can also be a characteristic specific to you, such as fingerprints or facial features) and something integral to a device or object (also known as “something you have”).
2-factor authentication requires an attacker to both impersonate you and gain control of, or duplicate, a physical object.
Many email services, such as Microsoft’s Outlook.com and Google’s GMail, allow 2-factor authentication. The first factor is usually an account or application password that is used consistently, and the second factor is typically a short-term one-time password or authentication number that is sent to a device you have via email, SMS text, authentication app or some other means.
However, even typical 2-factor authentication is not foolproof; attackers can be very clever, and have developed means to either intercept one-time passwords, or fool people into providing them to the attackers.
That’s where FIDO comes in.
The FIDO standard is an industry-developed system for cryptographic authentication (the membership of the FIDO Alliance can be found here). At this point, it comes in two flavors: U2F and UAF.
U2F (Universal 2nd Factor) replaces the 2nd factor in 2-factor authentication with a physical secure token or key. The keys in question are typically USB devices; the FIDO authentication system queries the key, which replies using a cryptographic algorithm. Because the U2F token contains a private key that cannot be accessed directly, it cannot be duplicated, and communication/authentication cannot be spoofed. U2F tokens are also highly convenient, and typically inexpensive.
Currently, GMail accessed via the Chrome browser can make use of U2F keys for 2nd factor authentication. An expanding list of other programs (such as Lastpass) and services can also use U2F keys for authentication. They can even be used for logging in to Windows 10, if biometrics or passwords aren’t your thing.
UAF (Universal Authentication Framework) is a system that replaces the use of passwords completely. While less widely available than U2F at this point, UAF will allow users to quickly and easily authenticate using biometrics tied to cryptographic systems such as Intel’s Trusted Platform Module. UAF could also be seen as a 2-factor system in which the biometrics and the device assessing the biometrics are the factors.
Microsoft’s Windows Hello (fingerprint or facial recognition) meets the FIDO UAF standard, and the Windows 10 browser (Edge) now has UAF authentication capabilities via Hello.
At this point in time, Apple is not a member of the FIDO Alliance. However, Apple has done, and continues to do, work on similar authentication functionality, and the company that created its TouchID (AuthenTec) is one of the founding members of the Alliance. Several FIDO solutions are available for Apple products.
A common way to gain access to computers and accounts is by tricking people into installing malware (sent through email attachments or installed by links on compromised websites) or by fooling victims into giving up passwords or other sensitive data. Attackers can be very clever, tailoring phishing emails to the victim (“spear phishing”). As you can imagine, nation-state attackers can be even more so.
A really nice feature of the FIDO U2F and UAF systems is that users cannot be tricked into providing the second factor in 2-factor authentication systems – the cryptographic authentication data provided by U2F tokens and UAF systems is never directly available to the user, so can’t be inadvertently divulged to an attacker.
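The contrast drawn in the two passages above (the one-time codes of ordinary 2-factor authentication, which attackers can intercept or talk people into handing over, versus a U2F token whose authentication data the user never sees) can be made concrete in a few dozen lines. The following is an added example and not code from the original post or from the FIDO Alliance: the one-time-code half is a standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP using the RFC’s published test key; the U2F half is a simplified model in which HMAC stands in for the token’s ECDSA signature (Python’s standard library has no elliptic-curve signatures), and the two origins are constructed names.

```python
"""Why the post says FIDO resists phishing while SMS/app codes do not: a
one-time code verifies wherever it is typed, while a U2F-style assertion is
bound to the origin the browser reports. Added example, not code from the post."""
import hashlib
import hmac
import secrets
import struct


# --- One-time codes: RFC 4226 HOTP and RFC 6238 TOTP ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP keyed on the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Servers accept +/- `window` steps for clock drift; compare in constant time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


# --- U2F-style origin-bound assertion (simplified model) ---

class Token:
    """Stand-in for a U2F key. HMAC replaces ECDSA here because the standard library
    has no elliptic-curve signatures; a real token keeps a private key that never
    leaves the device and the site stores only the public key. The property shown
    (the assertion covers the origin the browser is on) does not depend on that."""

    def __init__(self):
        self._keys = {}  # per-origin key material, never exported

    def register(self, app_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[app_id] = key
        return key  # stands in for the public key a real token would hand back

    def sign(self, app_id: str, challenge: bytes):
        """`app_id` comes from the browser (its current origin), not from the page."""
        key = self._keys.get(app_id)
        if key is None:
            return None  # nothing registered for this origin: no assertion at all
        return hmac.new(key, app_id.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The real site: issues single-use challenges and checks them against its own origin."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.registered = {}  # user -> key material from registration
        self.pending = {}     # user -> outstanding challenge

    def register(self, user: str, token: Token) -> None:
        self.registered[user] = token.register(self.app_id)

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user: str, assertion) -> bool:
        challenge = self.pending.pop(user, None)  # single use, so a replay fails
        key = self.registered.get(user)
        if challenge is None or key is None or assertion is None:
            return False
        expected = hmac.new(key, self.app_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def relay_comparison():
    """A lookalike page forwards a real login's second-factor step to the victim.
    Returns (totp_relayed_ok, u2f_relayed_ok, u2f_legitimate_ok)."""
    otp_secret = b"12345678901234567890"  # RFC 6238 test key, fixed time: reproducible
    now = 1111111109
    code_typed_into_lookalike = totp(otp_secret, now)
    totp_relayed_ok = verify_totp(otp_secret, code_typed_into_lookalike, now + 5)

    real = RelyingParty("https://mail.example")          # constructed origin
    lookalike = "https://mail-example.login-check.test"  # constructed origin
    token = Token()
    real.register("alice", token)
    forwarded = real.challenge("alice")           # the lookalike started a login as alice
    assertion = token.sign(lookalike, forwarded)  # browser reports the lookalike origin
    u2f_relayed_ok = real.verify("alice", assertion)

    fresh = real.challenge("alice")
    u2f_legitimate_ok = real.verify("alice", token.sign(real.app_id, fresh))
    return totp_relayed_ok, u2f_relayed_ok, u2f_legitimate_ok
```

`relay_comparison` returns `(True, False, True)`: the six-digit code is accepted by the real site because nothing in it records where the user typed it, and the drift window means it stays valid for up to a minute; the U2F-style assertion fails because the browser names the lookalike origin, the token has no key registered for that origin, and the real site would in any case compute its check over its own origin. That, plus the fact that the user never sees the assertion bytes, is the property the post describes.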
Even so, users, particularly those who might conceivably be targeted, simply must use caution before opening email attachments or clicking on unknown links. Obviously, security software helps. And locking down one’s computer such that everyday accounts only have user (not administrative) rights helps to limit damage from malware.
Nation-state attackers make extensive use of highly sophisticated phishing attacks, particularly by email.
Attackers can be very persistent, and surprisingly effective, at gaining access to people’s personal data. But in the vast majority of cases, it is simple user error, not clever hacking tricks, that allows attacks to succeed.
Addendum: the importance of securing email accounts
I wanted to add one note that recent events have really brought to the fore: in addition to the “recovery questions” mentioned above, a common way for services to let users back into their accounts if a password is forgotten is to send a “recovery email” to a specified email account.
John Podesta’s Twitter account was hacked in the last couple of days, and according to posts regarding the hack, it was done by people who still had access to his Gmail account (please, someone help him out!) and used Twitter’s “forgot your password” feature to send a recovery email to the Gmail account.
When we set up accounts for online services, it’s not always easy to keep track of what those accounts link to in terms of alternate ways to access the services. But being aware of it is essential. So keep in mind: in addition to recovery questions, if someone has access to email accounts that you supply for password recovery, they may have access to more than you think.
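Keeping track of what each account links to, as the addendum recommends, is easier once the links are written down as a graph: each account lists the email addresses, phone numbers or questions that can reset it, and a search from any one of them shows everything a compromise of that one item would unlock. The following is an added example, not code from the original post; the inventory of account names is constructed for the illustration and stands in for one the reader would write for their own accounts.

```python
"""Map which accounts a single compromised mailbox or phone number can unlock
through 'forgot your password' flows. Added example, not code from the post."""
from collections import deque

# Constructed inventory: account -> channels that can reset its password.
# Every name here is made up for the illustration.
RECOVERY_PATHS = {
    "twitter": ["gmail"],
    "gmail": ["phone-sms", "recovery-questions"],
    "bank": ["gmail", "phone-sms"],
    "password-manager": ["gmail"],
    "phone-sms": [],
    "recovery-questions": [],
}


def unlocks(inventory):
    """Invert the inventory: channel or account -> accounts it can reset."""
    edges = {name: set() for name in inventory}
    for account, channels in inventory.items():
        for channel in channels:
            edges.setdefault(channel, set()).add(account)
    return edges


def blast_radius(inventory, compromised):
    """Everything reachable from `compromised` by chaining password resets (BFS)."""
    edges = unlocks(inventory)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in edges.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return sorted(seen)


def ranked_exposure(inventory):
    """Accounts and channels ordered by how much they unlock; the top entries are
    the ones that need the strongest second factor and the most attention."""
    sizes = {name: len(blast_radius(inventory, name)) for name in inventory}
    return sorted(sizes.items(), key=lambda item: (-item[1], item[0]))


def mutual_resets(inventory):
    """Pairs where each account can reset the other: losing either loses both."""
    edges = unlocks(inventory)
    return sorted({tuple(sorted((a, b)))
                   for a in edges for b in edges[a] if a in edges.get(b, ())})
```

On the constructed inventory, `blast_radius(RECOVERY_PATHS, "gmail")` returns the bank, the password manager and Twitter, which is the Podesta pattern in miniature; `ranked_exposure` puts the phone number and the recovery questions above the mailbox itself, because each of them resets the mailbox and therefore inherits everything behind it. Those top entries are where a second factor that cannot be phished or relayed matters most.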