Tech Talk: Security depends on sound strategy (St. Cloud Times, Minn.)
St. Cloud Times (MN), Aug. 09 -- Computer and account security has been in the news over the past few years, but it's become an especially hot topic of conversation this month amid reports that a Russian hacker group may have amassed 1.2 billion stolen login credentials.
Hold Security, a cybersecurity firm founded by Alex Holden, announced online (http://bit.ly/1oAdnUy) that a Russian "cybergang" had used a botnet of machines to acquire username and password combinations from compromised systems at an extremely high rate. Hold Security is not releasing names of affected websites or users, opting instead to promote its security offerings by selling that information to those at risk for a service subscription fee.
The report doesn't detail which sites were hacked, other than mentioning that the victims ranged from "leaders in virtually all industries across the world" to small, personal websites. This, coupled with Hold Security's plan to monetize the victim information, makes the hack frustrating to follow. It's impossible for users to know which of their login credentials might be affected.
Strong passwords are the basis of any good personal password plan -- truly strong passwords, that is, not pseudo-strong passwords that contain common names and a few numbers.
To create truly strong passwords, stay away from dictionary words and basic number schemes. Also avoid common letter/number replacement patterns, like "b@ll" for "ball." These types of passwords are easy for password crackers to solve.
Keep your passwords long, but manageable. Ten to 14 characters is a good range before the password is unwieldy and hard to remember. Mnemonic devices sprinkled with extra numbers and symbols work well, as do random words and letters interspersed with unrelated symbols.
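The rules above (no dictionary words, no "b@ll"-style substitutions, no basic number schemes, at least 10 characters) can be turned into a simple checker. This is an added example, not code from the column or from Hold Security; the word list, the substitution table and the sample passwords are constructed for illustration.

```python
import re

# Constructed stand-in for a real cracking wordlist; real checkers use
# lists of millions of words and leaked passwords (example only).
COMMON_WORDS = ("ball", "password", "summer", "dragon", "monkey", "qwerty")

# Letter/number swaps that cracking rules undo automatically, so "b@ll"
# is treated exactly like "ball".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password: str) -> str:
    """Lowercase and reverse common substitutions, as a cracker's rules do."""
    return password.lower().translate(LEET)

def is_basic_scheme(digits: str) -> bool:
    """True for runs like 111, 1234 or 9876 that crackers try first."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}

def check_password(password: str, words=COMMON_WORDS) -> list:
    """Return the column's rule violations; an empty list means it passed."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    base = normalize(password)
    for w in words:
        if w in base:
            problems.append(f"contains dictionary word '{w}' (after undoing substitutions)")
    for run in re.findall(r"\d{3,}", password):
        if is_basic_scheme(run):
            problems.append(f"uses basic number scheme '{run}'")
    return problems

if __name__ == "__main__":
    # Constructed samples: two "pseudo-strong" passwords and one mnemonic-style one.
    for pw in ("b@ll2014", "P@$$w0rd123", "Mhl2cK!d3q"):
        print(pw, "->", check_password(pw) or "OK")
```

The checker only flags the patterns the column names; it says nothing about passwords longer than 14 characters, which the column calls unwieldy rather than unsafe.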
Limit your damage
Experts say to never reuse your password and to use a unique password for each service you authenticate to. This is great advice but not realistic. Almost every important Web service requires a password; remembering a unique, strong login for dozens or hundreds of active accounts isn't reasonable.
I suggest identifying which services hold your most important data, the information that would seriously affect you if compromised. These services include financial websites and any online vendors or platforms where you're currently storing active payment information (credit cards, bank accounts, etc.). Use truly strong, unique passwords for these services. This keeps the accounts free of collateral damage should other services be compromised.
Next, group together accounts that you use but wouldn't affect you beyond a small annoyance if they become compromised. Use a different password (even a common one) for these. That way, if your account on a personal hobby message board gets compromised, the thieves only have access to other, less-important sites, not the good stuff.
Password managers, such as LastPass and KeePass, can help make managing several strong passwords easier. Be advised that if you use a password manager, your master password should be uber-strong, since losing control of that hands the thieves the farm.
Watch for phishing
Hold Security says the cybergang isn't selling the accounts yet but is using its access to social media and messaging platforms to spam the contacts of the victims with malicious software.
Compromised accounts on the scale Hold is describing, if the report is accurate, could wreak havoc. Be extra cautious clicking links and attachments from all parties, even those you know, since you can't always be sure the person (or bot) behind the message is actually the contact you know.
Email is a simple tool, but the stakes for clicking the wrong thing are high. At best, users might install some simple malware that redirects their browser to unwanted websites. At worst, a malicious attachment can run software that encrypts important files or adds the affected computer to a larger botnet of distributed-computing chaos.
This is the opinion of Times Digital Products Specialist Andrew Fraser. Follow him on Twitter @AndrewFraser.
(c)2014 the St. Cloud Times (St. Cloud, Minn.)
Distributed by MCT Information Services