Hi there, Olivia here! Welcome to week one of my month of Security Diets for National Cyber Security Awareness Month—more on that here. If you’re reading this and asking yourself, ‘I wonder if she knew what she signed up for…’ the answer is… I’m finding out very quickly. While I knew the topics ahead of time, they’re proving to be more like icebergs than neat bullet points.
To kick Maintenance Week off, Tod gave me a slew of tasks to do to clean up my security footprint. One thing I knew going into this, but not to what extent, is that everything I do on the internet is a bread crumb back to me: automatically connecting wifis, passwords (especially ones you reuse, tisk tisk), and even sleepy unused apps. Naturally, the more of these you have hanging around, the easier it is for your data to be followed around the internet. Except instead of baguette babies, they’re actually small pieces of data that lead to larger and more important pieces of data.
Wifi: The password you know is not the only one you need
I thought that having a password required to connect to my home wifi was tip-of-a-tiny-hat and I’m good to GO for this topic. Turns out, there is also a password to get into the router itself, and that is the real attack vector. Sidebar: in an effort to avoid the jargon that has seeped in through x-years in infosec, “attack vector” is security speak for “a way to get into your network and start messing with your stuff.” You see, having the wifi password protected is important, but ends up mostly being to stop neighbors from poaching your Netflix speed. And here’s the fun, super scary part: most routers have default passwords, like “admin,” meaning that by going to a common router IP (like 192.168.0.1 or 192.168.1.1) anyone can enter that password and… reset the router, lock you out, see everything that’s connecting and go from there. Not exactly ideal.
I just moved into a new place, so had no idea the status of my home router. Neither of the above common router IPs worked, so via Network Settings, I found my router address. Feeling very accomplished already, noticed there was an option for “local login” and the password was not “admin” or “password.” Good news! But after consulting my roommates who also didn’t know the router password, we opted to reset the whole thing. Interestingly, the router site suggests writing down the password for safekeeping, which, while we know writing down passwords is usually a no-no, if you keep the password on a post-it on the router itself, you’re good to go. If someone’s physically looking at your router to get the password, they might as well just replace it.
While I’ve got you here, Network Settings, let’s check on my laptop’s preferred networks… and delete at least 10. There were FIVE from San Francisco alone, including a coffee shop, two were in-transit wifis, and a couple were from old apartments. As it turns out, these delightful autoconnects are just charming ways to expose yourself to attackers. Such an easy thing, and I almost feel lighter, like a real diet.
Even more passwords
I know I have ‘em, I know they should be ‘secure,’ but when I have so many, how can I be sure I’m not repeating (or so similar that they may as well be a repeat)? Like any glutton for punishment, I took a swing at the tip top of the extreme diet password keepers (and, naturally, the most inconvenient), KeePassX. 1. It’s local, AKA not in a browser like more common tools like LastPass. So you have to actually have it local, ie: physically with you, to access your passwords. 2. The passwords are generated for you, so are suuuper complex and unmemorable, meaning you need it locally to have any passwords. 3. Mobile versions of KeePass are also local, meaning that you’d be keeping passwords separately on your computer and on your mobile, and it’s difficult to sync between the two. AKA: a local password manager for a phone is kind of pointless.
While I thought #1 or #2 would be the biggest hurdles, turns out #3 was my real Achilles heel. I simply use too many of my accounts in mobile version (literally couldn’t think of one non-mobile account) to make do with a local password keeper. Well hand me the ace bandage for my heel, because luckily if you use unique, complex (lowercase, uppercase, special characters, numbers, avoiding dictionary words, including dictionary words with o/0, s/$ lookalike switches) passwords anyway, you should be good to go. The real benefit (to me) in using a password keeper is the memory thing – complex generally means hard to remember, ergo I reset my passwords all the time because they’re so good that I forget them. I was expecting a slap on the wrist for that, but it’s actually a pretty well-accepted practice as far as security goes. So here’s my takeaway from this one:
- I am too mobile focused for a local password keeper (sorry, Tod), but as a follow-up, will give a browser-based version like LastPass a try in the coming weeks. Stay tuned!
- Creating unique, complex passwords for all of your accounts is hard, but it’s okay if you reset them when you inevitably forget one of the 32 accounts you have!
- For most commonly used and entered, you’ll wanna remember those guys. My go-to is to use the first letter/ syllable of each word of a song lyric or movie quote that I know 100% (and won’t mind thinking about it every time I log in).
Updates! Do them!
While I typically rely on the little red exclamation mark to let me know to update something, these are not always reliable, shockingly enough. For example, when turning to the app and software updating of my phone, I had 61, yes, sixty-one, apps to update, and that’s after I deleted over a dozen apps that I don’t use. Forty-five minutes later I had freshy-fresh and more secure apps. Updating iOS is another one to check on more often than I do (there was an update just last week!), take a dance break while it updates forever, and carry on.
Last, but definitely not least – I’m still terrified to even do it, if that’s any indicator for how NOT least it is – is checking my back-ups. Sure, I logged into my iCloud and confirmed the settings on my phone for what backs up there and how often (check, check, and check). But… deep breath… Tod recommends factory resetting my phone and actually using my backup. His thinking is that, like insurance, it’s better to know that it works before you need it rather than finding out that it doesn’t work when you’re already in distress. Makes sense right? Except I’m not going to break my leg on purpose to check if my insurance works, so it’s kind of NOT the same, Tod! But alas, even if the analogy isn’t perfect, I get that it’s an important insurance-like step, and definitely qualifies as the extreme side of the diet.
However, Tod also recommends that this step is done in a home setting when the stress is low – to compensate for the sheer panic of intentionally throwing your phone, ostensibly the most appendage-like piece of technology that we all own – into worst case scenario. Given that I am traveling this week (more on the Secure Travelling Diet next week!), I am definitely not in a calm, easily able to fix it if all fails, environment. So add Reset-a-lago to the list of follow ups for next time.
That about wraps it up for Maintenance Diet Week, and I’m walking away with at least a smaller internet footprint, a few things I’ll keep doing moving forward, and a couple to try in the weeks to come. See you next week!