Online Security Post-Stratfor

January 9, 2012

Elementary precautions: Kandahar Air Field, August, 2011

Say what you will about Stratfor's lax security and the hackers who exploited it, but events of the past fortnight have certainly focused my mind somewhat on the security - or otherwise - of my online information.

The first thing I did after hearing about the Stratfor hack was to cancel my credit card. The next thing was to spend a few hours changing passwords for other online accounts. For years I'd been skating on the info-sec equivalent of thin ice, deluded by thinking that I was a small fish and unlikely to become a victim, as long as I practiced common-sense precautions (not clicking on links in emails apparently from my bank but written in poor English; not assuming that the mails telling me I was due a tax refund or had won millions in a lottery I'd never bought a ticket for could possibly be anything other than a scam; not responding when an email arrived from someone I knew claiming that they'd been mugged while abroad and needed money). But I'd become complacent, prioritising ease-of-use over self-protection. It's something we all do, to some extent, but it's a pattern we have to change if we want to be able to continue to use the internet to conduct any form of business, or just to protect our own identities and privacy.

I viewed my Stratfor subscription as similar to any of the other information resources I access. Some of them publish printed magazines that arrive through the post, others supply digital information that I access through the web, email or apps. Almost all of them were bought online, and almost all of them will therefore have required me to create an account, as with any online retailer - security for which is provided solely by a password. When I'm making those purchases or setting up those accounts, the very fact I'm doing so online means I'm thinking first and foremost about convenience: if I didn't mind additional effort, perhaps I'd write cheques that I put in an envelope and took down to the post office to send, or go to a shop to buy the magazine or book or CD in person. As a result, when I create those accounts, I've almost always chosen a password that's easy for me to remember, because the transaction is as much about speed and simplicity as it is obtaining the goods or services.

Since Christmas, though, I've been jolted out of my complacency. I've gone back to the online accounts I've created that contain important information - financial or personal - and made sure that I've replaced those easy-to-remember passwords with ones that will be harder for a brute-force computer attack to break. I'm sure that it's not a perfect defence - in the same way that stronger doors and better locks will only make life more difficult for the determined house-breaker, I'm sure that stronger passwords will not prevent someone who really wanted to obtain it from gaining access to my information: but if it's relatively difficult, maybe the opportunist will give up and look for easier pickings elsewhere. This is the best I can hope for, realistically.

Of course, what this means for me in practical terms is that the internet becomes less convenient. I'm going to forget those passwords so, unless I use an automated keychain system, I'll have to either concoct some elaborate aides memoire, or write some of them down - both of which bring considerable extra hassle and a different set of security issues to manage. Using Tor will help me make sure my web browsing is private, but it makes the internet slower and to use, and proper self-protection involves other time-consuming steps, such as not opening PDFs and other downloads while online.

I've also closed those accounts that no longer have much use for me. Apologies, therefore, to anyone trying to contact me on LinkedIn: I'm no longer there (though everyone I was connected to on it I'm in touch with some other way, and this site comes top of web searches for my name, so it's not like I'm going to prove difficult to find through not being on it). I got nothing out of it - I think it's probably a service that works better for people in salaried employment who can use it to network, while its value to a freelance seems very limited - so why remember one more complex login for a service that doesn't deliver?

I'm also already finding myself much more reluctant to set up new accounts online, and will probably choose not to bother with sites that require a user account if they're not essential to me. I'm also going to be much more careful who I make payments to online. If my credit card information isn't stored when I use the card in a physical shop, there is no reason whatsoever for an online company to retain it in their database - yes, it's a bit more hassle for me if I have to make an annual payment manually, but at least I can be sure that if/when the company's servers are compromised, they won't have my credit card details on file. I know nobody can guarantee data security absolutely - and I wouldn't trust anyone who made such a promise: but I'm not going to hand over my personal or financial information to companies that don't at least take basic steps to help reduce the risk of customer data breaches. 

* The FOD referred to in the photograph means "Foreign Object Damage" - damage caused when stones, coins, nails, pens or other items that can end up getting stuck in vehicle tyres or dropped by careless pedestrians get sucked into jet engines. Similar signs are common at all military and many civilian airfields.


Unfortunately you DO rely on one company to store your banking account information: your bank! Banks too are subject to attacks.

The real question is when biometrics will really come embedded in every telephone set, keyboard, ATM, etc. Then the world will be a step closer to "Minority Report" (billboard addressing you with your name, access to public transports)...

posted by: phyzz: 10 Jan, 2012 10:26:19

Thanks phyzz,

You are of course absolutely correct. I'm not saying it will be possible to avoid any and all financial transactions online, but I'm definitely trying to minimise unnecessary exposure to risk. It's worth noting that most banks (all in my direct experience - and I'd be surprised if there were any who didn't) operate at least a two-stage verification system, so you're not reliant solely on a password but on a secondary question or input. I'd actually feel happier using online retailers who adopted increased security, be it secondary required information, asking not for complete password input but a random selection of specific characters from a password or phrase, etc.. My suspicion is that many retailers are wary of introducing multi-stage authentication because they believe they'll lose business as a result. If that's the case then they're gambling customer data security against increased profit. That makes them the sort of company I don't want to do business with.

The Minority Report-style future is definitely on its way - I've noticed a lot of websites serving ads relevant to browsing history, which is another reason to use Tor. The biggest worry I have about this is the same one touched on in the post above - that perceived convenience will be the priority and security will be an afterthought, and may be deliberately downplayed so as to make transactions as "frictionless" as possible. The reason I cancelled the credit card account that was compromised in the Stratfor hack, rather than just get a replacement card, was because the card issuer has decided to only issue new cards with contactless payment technology included, and I am not interested in having a card with what looks to me to be a built-in security flaw that's touted as a benefit. I'll use other companies that still give me the option of not having that kind of card - if enough people refuse to accept these "innovations" maybe an alternative will remain in place, but if we all just accept the gradual erosion of our privacy and security, we'll never be given the option.



posted by: Angus Batey: 10 Jan, 2012 11:29:54

Biometric identification is indeed a popular solution to authenticate identity. However, there is a flaw in that it (fingerprint, iris pattern, etc) is still stored on a computer as a digital file. If that file is compromised by a hacker, how do you go about getting a new eyeball from the IT department?

posted by: Michael: 10 Jan, 2012 17:38:13

Click here to add your comment.

Comments will be subject to approval and should not be defamatory, obscene, racist, in breach of copyright, or contrary to law. Neither Angus Batey nor the site host is reponsible for any views expressed here.





photo gallery


mailing list