April Security Newsletter
I don't know if you've been watching the tech news space recently, but if you have, you've probably at least seen mention of the fact that Facebook apparently stored some users' passwords in plaintext. Plaintext, of course, means that they were stored with absolutely no encryption or hashing, so anyone with access to those password stores would have the passwords themselves, with no additional computation needed. And while Facebook is not outright stating the number of affected users, "some" can of course potentially mean "hundreds of millions" of users. You know, "some." Have a read through Facebook's official blog post on the subject.
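To make the plaintext-versus-hashing distinction concrete, here is an added example in Python; it is not code from the newsletter or from Facebook's post. The e-mail address and password are constructed sample values, and PBKDF2-HMAC-SHA256 with a random per-user salt is the technique assumed for the hashed side. The point it shows: a reader of the plaintext store gets the password back for free, while a reader of the hashed store gets only a salt and a one-way digest that can still be used to verify a login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential, labelled as such: not a real account.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

# --- The plaintext way: what "no encryption or hashing" looks like ---------
# Whoever can read this dict has every password with no further work.
PLAINTEXT_STORE = {SAMPLE_EMAIL: SAMPLE_PASSWORD}


def verify_plaintext(store: dict, email: str, password: str) -> bool:
    """Login check against a plaintext store: a plain string comparison."""
    return store.get(email) == password


def exposed_password(store: dict, email: str) -> Optional[str]:
    """What a reader of the plaintext store learns about this account: the password itself."""
    return store.get(email)


# --- The hashed way: a slow, salted one-way function per user --------------
# Assumed parameters for this example; a real deployment tunes ITERATIONS to
# its hardware. PBKDF2-HMAC-SHA256 is used because it ships in the standard library.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Keep a random salt plus the derived digest; the password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_hashed(record: dict, password: str) -> bool:
    """Re-derive the digest from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def build_hashed_store(plaintext_store: dict) -> dict:
    """Convert a plaintext store to hashed records.

    A one-pass migration like this is only possible because the plaintexts are
    on hand; a store that was hashed from the start never has that option, or that risk.
    """
    return {email: make_record(pw) for email, pw in plaintext_store.items()}


HASHED_STORE = build_hashed_store(PLAINTEXT_STORE)


def same_password_same_hash(password: str) -> bool:
    """False in practice: two records for one password differ because each gets its own salt."""
    return make_record(password)["hash"] == make_record(password)["hash"]


if __name__ == "__main__":
    print("plaintext store leaks:", exposed_password(PLAINTEXT_STORE, SAMPLE_EMAIL))
    rec = HASHED_STORE[SAMPLE_EMAIL]
    print("hashed store holds only:", rec["hash"].hex())
    print("login with right password:", verify_hashed(rec, SAMPLE_PASSWORD))
    print("login with wrong password:", verify_hashed(rec, "hunter2"))
```

The salted, iterated hash is what separates "someone read the table" from "someone has every password": with the hashed store, an attacker who copies the records still has to guess each password and pay the full PBKDF2 cost per guess, per user, whereas the plaintext store hands the password over directly. The constant-time comparison in `verify_hashed` is there so that the login check itself does not leak anything about the stored digest.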
And this seems like as good a time as any to talk about what to do when things go wrong. Unfortunately, in 2019, that is a when and not an if.
The Burden Is On You
First and foremost, if you are not already familiar with it, please keep the following link bookmarked and check your email accounts on it semi-regularly: https://haveibeenpwned.com/
This website, while it may not have the most professional sounding name, is one of the largest free and public databases of known data breaches and the data they contain. By typing in your email address, you can get a summary of what, if any, data breaches that email may have been compromised in, and a summary of the different data types that may have been compromised by that breach.
I feel like I'm repeating this over and over again, but the best security tool is knowledge. Not just knowledge of how to minimize risk, but of which risks you have already fallen on the wrong side of. It's important to know that your old email password is now in the hands of bad actors, rather than just assuming it might be. It's no secret that humans as a whole are pretty bad at objective risk assessment, and for most people, "might be" quickly turns into "probably isn't", and maybe it's okay to use that password for just one more account.
Tools like this can take a lot of the guesswork out of if and when your data might have been compromised, and this one also outlines the process for mitigating the risk associated with these events and links to some tools that might help.
Where to Start?
But let's go a little deeper into that process of mitigation. The first step is to be honest with yourself and look at the types of data that were lost. Is it a password or a phone number? Is it information that can be used to identify you on any of your other accounts? Do you have, or can you create, something to replace it? Phone numbers in particular may not be easy to replace outright, as more and more companies are using phone numbers as a fallback form of identification, and many two-factor authentication implementations use SMS as the only secondary channel of authentication. If, as with your phone number, you can't easily change it, it would be wise to reach out to your service provider, advise them of the issue, and ask if they have a monitoring or security service you can subscribe to. Hopefully it will be free, but service providers vary.
Additionally, reach out and add extra security to every account you can. Add an additional authentication factor wherever two-factor authentication offers one. Google is relatively good about multi-factor, but unfortunately not all other companies are following their lead. In those situations it might actually be best to turn off two-factor completely, or see if they offer an alternative to SMS. But please keep in mind that turning off two-factor is not a good or long-term solution, just one you might consider if you have good reason to believe that your mobile phone might be compromised in some way.
For every data breach, even if passwords are not in the list of compromised data, it might be worthwhile to change your passwords regardless, both on the email account linked to the compromise, and all the services that email was used to create.
The last step, and probably one of the hardest, is to prepare yourself for the consequences of the breach. It is entirely possible that bad actors might not successfully use the data they have until years after the initial breach, and unfortunately, the responsibility for dealing with whatever actions they take will likely fall solely on your shoulders. Make plans for what you need to do should one of those accounts be compromised. Try to have alternative ways to access your accounts should they attempt to lock you out. Reach out to service providers to research your account recovery options and their fraud prevention and mitigation policies.
And lastly, remember, this situation is not right. This isn't what anyone wanted when the internet was first prototyped, when it was first used to communicate, or to perform online transactions. We are in this security hellscape because of the choices people have made. Sometimes those choices are made out of ignorance or simple negligence. Sometimes those choices are made with ill intent. But much like with the Facebook plaintext passwords, all of these situations can be tied back to a choice that someone made. It doesn't really matter why, in the long run, but it does matter that we pay attention to the reasons these things went wrong, and that we all take steps to prevent them in the future. That might look like pushing for enhanced security regulation for online services. It might look like doing research into a service before you sign up, and maybe being willing to pay a little extra for added security. It might look like doing research into the tools available to you to help manage this ever-changing problem. But no matter what it looks like, remember, this is all down to choices we have made, and that includes our choice to use these services in the first place. Stay aware, stay educated on what you need to do, but also push for companies who take these things seriously, who don't plan on a future where, when they lose your data, you're on your own to deal with the consequences. Also, push for legislation to ensure that companies have to take more responsibility for the data they are collecting. Push for technology to better prevent these breaches and track down the culprits behind them. This is where we are today, where each of us is required to hoard our personal information, knowing each and every interaction we've ever had might have leaked any of it, but it doesn't mean that this has to be the future tomorrow.
You shouldn't have to do it alone.
As always, I want to reiterate that we are on your side here at Armor. We're just as frustrated by the current state of security online as you are. We ourselves have to deal with the same problems and broken expectations, and while we strongly believe that no one should have to navigate this minefield, we also want you to know you don't have to do it alone. Please, talk to us, let us know if you have problems. We work with these technologies every day and frequently see all sides of these problems. We can bring our experience with these issues to resolving your own.