Hacking and password security

April 8, 2015

Another day, another data breach. We have been inured to the news of corporations being hacked and our data being spilled out into the black market: Target, Home Depot, Anthem, Primera, American Express, Chase, Twitter…

These represent large scale, sophisticated hacks, in most cases, targeting personal and financial information. But they are by no means the only security breaches that take place and affect millions of people.

Individually, we may be concerned about our bank account or our email account being hacked. But as is often pointed out, we humans tend to worry about the wrong risks (stranger abduction rather than accidents as a threat to child safety, for example). Yet every day many of us do something that puts us and our organizations in jeopardy.

We use weak passwords and we share them in plain text over email.

For the average individual, the chances of this vulnerability being exploited may be rather low and the impact can range from a relatively minor inconvenience to a major headache.

But for individuals who manage organizational media, the damage can be major. Take, for example, the recent hacking of Big Think’s Facebook page. While the details are not yet clear, it is very likely, from what I understand, that a hacker gained access to one of the page admins’ accounts. The hacker then made him- or herself an admin and deleted the legitimate admins. Though Big Think was able to regain access to its page in less than 24 hours with the help of people who knew people at Facebook, some damage was certainly done: thousands of people unliked the page, and many more possibly hid or unfollowed it because of the offensive material the hacker posted.

Resource Media has firsthand experience with this kind of security breach. A month ago, our WordPress website was hacked, and the homepage taken over by political propaganda. We suspect we were targeted because our brand includes the word “media.” The organization had previously been fairly relaxed about password strength and sharing (despite my urging), and we still have work to do on the security front. Our website admin access is now restricted by IP address, and we are working to change our culture around password sharing.

Since many nonprofits share social media management responsibilities across staff, Facebook and Twitter are likely your areas of greatest vulnerability. Here’s what we want you to know: your social media profiles are only as secure as the weakest password of any of your page admins, or the least secure device logged in to them (e.g., an iPhone without a passcode, lost in a taxi).


So What Can You Do?

We all have a responsibility when it comes to internet security. Here are the steps you can take:


Use strong passwords and don’t use the same passwords on multiple accounts.

We’ve all heard this advice before, and maybe you started changing your passwords and then you started to forget which you used where and gave up. Here are two solutions:

1) Use a password manager like 1Password, LastPass or Dashlane, and never have to remember more than your master password again.

2) Develop a pattern for your passwords that consists of a common secure segment and a unique segment based on the site or service the password is for. For example, your secure segment could be “Emperor.Tomato1” and the site-based segment could be “facE” for Facebook, “twiT” for Twitter, or “gmaI” for Gmail. If one of those passwords is compromised because a site or service is hacked, it is not obvious to a hacker (or their software, really) that the password for another site follows the same pattern.
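Both solutions above come down to the same two properties: each account gets its own password, and the password is not guessable. The following is an added example (not code from the original post) showing how a password manager produces a password with the OS random generator, and how to audit a credential list for reuse. The alphabet size, the 20-character length and the SAMPLE_VAULT entries are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# Alphabet a manager might draw from: 52 letters, 10 digits, 11 symbols (assumption).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def generate_password(length=20):
    """Return a random password built with the OS CSPRNG (the secrets module),
    which is what a password manager does for you; nothing here is memorable
    because nothing here needs to be remembered."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=20, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def find_reused(vault):
    """Return groups of sites that share an identical password.

    vault is a list of (site, password) pairs. Passwords are compared via their
    SHA-256 digests so the audit output never contains a plaintext password.
    """
    by_digest = {}
    for site, password in vault:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(site)
    return [sites for sites in by_digest.values() if len(sites) > 1]


# Constructed sample vault (not real credentials) mixing the two-segment pattern
# from the post with a password reused across three accounts.
SAMPLE_VAULT = [
    ("facebook", "Emperor.Tomato1facE"),
    ("twitter", "Emperor.Tomato1twiT"),
    ("gmail", "Summer2015"),
    ("wordpress", "Summer2015"),
    ("bank", "Summer2015"),
]


if __name__ == "__main__":
    print("generated:", generate_password())
    print("entropy of a generated password: %.1f bits" % entropy_bits())
    for group in find_reused(SAMPLE_VAULT):
        print("same password reused on:", ", ".join(group))
```

Running the audit over SAMPLE_VAULT reports that gmail, wordpress and bank share one password; the two pattern-based entries are distinct strings and are not flagged, which is exactly the limit of an exact-match audit.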


Do not send passwords in clear text:

Do not email usernames and passwords to other people in clear, unencrypted text. Yes, email is super convenient. But if you need to exchange a password for a shared account, pick up the phone. And when you request the password for a shared account, ask for it by phone. Lastly, if someone does send you a password in clear text via email, either change the password yourself or advise them to do so.

Don’t send passwords in clear text by instant message or SMS, either. These tools are not guaranteed to be secure: some people receive their SMS messages as emails (for example, people who use Google Voice), and many instant messaging clients log and archive chat transcripts.


Use encryption:

If you are in the business of exchanging sensitive information, credentials and passwords regularly, you should consider learning to use an encryption tool like GPG (GNU Privacy Guard, a free and open-source software suite for encrypting data). It takes two to tango, though: if you are always sharing with new people who don’t have the same needs, getting them set up with an encryption tool can be challenging, and you might just want to fall back on the telephone.


Device Security:

Your digital devices should be protected with passwords, and special care should be taken to keep devices secure when traveling. You should not log in to secure sites from public, unsecured wireless networks (like those in cafes or airports). Hackers can easily intercept your data — including usernames and passwords — over unsecured wireless networks. If you travel a lot for business and need to be connected while on the go, get a data plan for your phone that allows you to tether other devices to it. While this might seem extreme, and may seem expensive, how does it compare to having your own organization’s or a client’s Facebook page hacked?


Triage:

Wondering if you are vulnerable? Search your email for “password” or “username” and see how many messages you have that include one or both. Change those passwords. Think about any password you have that is a single word, even if y0u h@v3 5ub5t1tut3d numb3r5 f0r l3tt3r5. Change them. Every time you log into a site or service with a weak password, take a minute to change it using either your new password manager or the password pattern you developed, until you’ve changed all your passwords.

Gregory Heller