4 Things You Should Tell Your Non-Infosec Friends

August 24, 2015

Last week, a dump of the Ashley Madison databases was posted online. I downloaded it to look through it. What struck me right away was the number of work e-mails people used for the service. You’re going to cheat and you decide to use your work e-mail to do it.

What is obvious to a security person is not always obvious to your friends and neighbors. So I thought I’d take the opportunity to write up 4 pieces of security advice we should share. I’m also working on a new site called “Secure Your Life” which is designed to help non-security people with common security problems. I’ll talk more about that at the very end.

Don’t Use Your Work E-mail For Anything But Work

This comes up first not only because of the Ashley Madison connection but because it is often the least talked about of the recommendations I have.

Employers scan and store every message you send and receive. Best case scenario, you have personal emails that your employer is storing for 7 years “just in case” something happens. They can always go back to these should an unrelated issue arise.

Worst case scenario is that your regulatory agency has a concern and asks for all e-mails related to the Cromwell merger and your ex-girlfriend June Cromwell’s emails get sent to the agency as well. Here is a quick list of bad e-mail practices that have come back to haunt people:

  • The SEC starts an investigation and pulls all e-mail related to a topic, one that was also discussed in personal e-mails.
  • Someone sends out a Super Bowl pool and their e-mail gets pulled as pools are disallowed by the company. An HR violation is filed.
  • Two employees having a torrid relationship email each other eventually using profane language. The language gets pulled by filters for review. Employee is fired.

The list goes on. Just keep your work e-mail in your work account. Keep your personal e-mails in your personal account.

Use a Password Manager

The entire password ecosystem is broken. Forget password hashes getting stolen. People just create really bad passwords. I’ve seen great videos trying to teach people to create really complicated passwords they can remember. I have 574 sites in my password vault. There is no way I could remember 574 passwords.

The answer is to use a password manager. My recommended choice is LastPass. My focus in recommending a password manager is ease of use. LastPass is really easy to use, available on all platforms and makes the process of creating and using passwords easy for anyone to do.

They also have an automated password changing feature that can change old passwords for you. (You can imagine how long it would take to change 20 passwords by hand, let alone 574.)
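To make the point concrete, here is an added example (not code from the original post or from LastPass) showing what a password manager does for you behind the scenes: it draws each site's password from a cryptographically secure random source, so every site gets a unique, high-entropy password, and it can tell you which passwords you have reused. The site names and the 574-entry vault are constructed for the illustration; the entropy figure is the standard length × log2(alphabet size) estimate for a uniformly random password.

```python
import math
import secrets
import string

# Full printable-ASCII alphabet minus whitespace: 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password uniformly at random from `alphabet` using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def build_vault(sites, length: int = 20) -> dict:
    """One fresh random password per site, the way a manager fills a vault."""
    return {site: generate_password(length) for site in sites}


def reused_passwords(vault: dict) -> dict:
    """Map each password that appears on more than one site to the list of those sites.

    This is the check a manager's security audit runs: reuse means one breach
    exposes every site sharing that password.
    """
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed vault of 574 sites, matching the count in the post.
    vault = build_vault(f"site{i}.example" for i in range(574))
    print(f"{len(vault)} sites, {len(reused_passwords(vault))} reused passwords")
    print(f"20 random chars from 94: {entropy_bits(20, 94):.1f} bits")
    print(f"8 lowercase letters:     {entropy_bits(8, 26):.1f} bits")
```

A 20-character password drawn this way carries about 131 bits of entropy, against roughly 38 bits for eight lowercase letters, and nobody has to remember any of it: the vault does.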

Patch, Now

I can’t comprehend the number of people I know who decline automatic updates. Kudos to Google for Chrome’s automated update process.

Here are a few update tips:

  • Always have the automated patch and update processes turned on.
  • Turn it on not only for the operating system but for any application that supports it as well.
  • The day it asks whether the updates can be applied (probably because it needs to reboot your computer), say yes. And reboot your computer.
  • Uninstall software you don’t use.

The Internet Is Like a Postcard

I think the purpose of the Ashley Madison breach was to disclose that they weren’t actually deleting users when they said they were. We blame Ashley Madison. Truth is, the internet is like a postcard. It’s open for everyone to see. Even if Ashley Madison had actually deleted the accounts, there would still be fingerprints in old e-mails and other traces of data on your computer and the computers of others.

Assume anything you can do online can be seen by others. So when you send something in an e-mail, assume anyone can read it. When you create an account on a questionable website, assume everyone can see it.

In almost the same context, I have no encryption on my home wireless network. (What?) None. If you’re driving by the house, feel free to connect and surf. It continuously reminds me that anyone can see what I’m doing.

How You Can Help

This November, as we get ready in the United States to hang out with friends and relatives, we also typically get asked for advice and to fix, patch and repair technology. Along with that, I plan to release a new website called “Secure Your Life.” The idea is a site where non-security professionals can get advice on how to do the right things securely. It will have advice, checklists and tool recommendations. My hope is that the readers of this blog will point their non-tech friends to these articles as a shortcut to explaining how to do it right. (And then get frustrated and say “oh, I’ll just do it.”)

If you go to the site today, you’ll see very little content. Hey, it’s not really starting until November. I want to invite security professionals to write the advice. If you’d like to contribute advice, a checklist or a tool recommendation, click here to let me know and I’ll get you set up.