Resolve

A collaborative online community that brings together photographers and creative professionals of every kind to find ways to keep photography relevant, respected, and profitable.


October 28th, 2009

Five good habits to help protect you from online attacks

Posted by Lou Lesko

I blame my friends who work at three-letter agencies for the United States government. They are the ones who invited me to the Black Hat Technical Security Conference in Las Vegas to drink, have a good time, and learn how completely ignorant I was about online security.

Today, I am a changed person. What I previously deemed to be adequate, if not savvy, security precautions for my quotidian web use, I learned was the same as leaving a full camera bag with the top flipped open on the front seat of my parked car. Sure, the doors are locked, but it would take only the slightest initiative and about six seconds for someone to break the window and walk away with tens of thousands of dollars in gear. I know what you’re thinking. You would never do that. Okay, then take the quiz below. If you answer yes to any of these questions, I’ve got news for you: You’re way more vulnerable than you think.

  • Do any of your passwords contain a word that can be found in an English language dictionary or in a dictionary covering pop-culture references from the last 100 years?
  • Do you ever close a web window that is signed into an account of some kind without logging out of the account first?
  • Ever log in to your bank or credit card account without first checking if the lock symbol is active on your browser window?
  • Ever log in to your bank account or 401(k) from a free WiFi access point?
  • Ever open an email when you’re unsure where it came from?
  • Ever log in to a secure site from a borrowed computer?

Why we are the way we are
In spite of the news stories that circulate daily about online security breaches, we are surprisingly apathetic about the threats they pose to us personally. It’s like backing up your computer — it’s a secondary concern until you’re hit with disaster. Then, suddenly, you’re a convert to the church of redundancy.

Unfortunately, recovering from a security breach is nowhere near as easy as recovering from a lost hard drive. With the latter you at least have an idea of what you’ve lost. You can lament it over a glass of wine and move on with your life. A security breach places the control of your social, financial, and photographic life in the hands of someone else. And the ramifications will potentially haunt you long after the initial breach.

Consider the following. A friend of mine had a huge falling out with a close friend, who guessed her email password and sent an inflammatory email to her entire address book. Most of the recipients realized her email address book had been compromised, but those who didn’t know her well were shocked. Ultimately she was able to contact everyone and inform them what happened — but you can imagine how things could have gone worse.

My friend, like many of us, never thought twice about the weak password on her email account. The convenience of an easy-to-type, easy-to-remember password took priority over other considerations. She could not fathom anyone using her email account maliciously.

This is what gets us into trouble. We’re good people and have an inherent problem thinking like criminals. It’s hard for us to see our online assets through criminal eyes and predict how to protect ourselves.

Squatting
A while back I was uploading images to the FTP directory of my web site when I was hit with a disk space error. An examination of my FTP server revealed dozens of unidentified folders, most filled with illicit pornography. My head spun. Given the nature of the material, I contacted my internet service provider, filed an official support ticket, and had them remove the files in case there were any legal protocols involved. A hacker had broken my FTP directory password and was serving up an entire website from my FTP directories for months without my knowledge. Oh man, I was pissed.

Unfortunately there was no way to trace the hacker. Moreover, and frightening to consider, if the authorities had found the illegal site before I did, I could have been arrested. An investigation would have revealed I had been hacked, but who needs that kind of grief?

If you’re utilizing a portfolio service like liveBooks that is monitored by a professional IT staff, you’re safer, but only if your password is strong. Weak passwords are the easiest way for a hacker to gain access to your account. If you do get hacked, liveBooks keeps a backup of your online portfolio going back a week onsite, and going back a month at a secure offsite facility. Recovery usually takes an hour. But don’t depend on those protocols unless you absolutely have to. Adopting safe practices is a lot easier and less expensive.

Good habits
So here we are at the basic security primer for photographers, or anyone else who spends most of their time online. This is by no means a definitive list, but it will help you think more carefully about your online habits. The information here was gathered from Black Hat, Craig Butterworth at the National White Collar Crime Center, and Carl Slawinski from Agile Web Solutions.

NEW HABIT 1 — Free WiFi: Never, ever, ever log in to your bank account or credit card account when you’re on a free WiFi access point. The reason you have to use a password to access most WiFi networks, especially your own, is that the password encrypts the information floating through the air between your computer and the WiFi hub. If the network is open, so is the information you’re sending over it.

NEW HABIT 2 — Passwords: The days of passwords drawn from kids’ birthdays, dog names, and Star Wars characters are over. I have seen a brute-force attack crack a weak password in minutes. With today’s powerful computers and free cracking dictionaries and rainbow tables available online, hackers can let computers run for days while they sort out passwords.

One of the most effective ways to keep your passwords strong like an ox is to invest in a product like the highly regarded 1Password from Agile Web Solutions. I have been using the product for years, but only after my discussion with the folks who make 1Password did I take my security to the next level.

1Password generates strong passwords, which it stores for you. When you need the password, the application will enter it for you with an easy key stroke. The generated passwords are so convoluted that you’d never be able to remember them, but that’s the point. 1Password is also on the iPhone so you can take your passwords with you. The file that they use to store your passwords is heavily encrypted and would take a supercomputer 128 years to crack.
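As an added illustration of this habit (example code written for this post, not code from the post or from 1Password), here is a small Python checker that undoes the usual letter-for-number substitutions and looks for a dictionary word inside a password, the way a cracking wordlist is applied, beside a generator that builds a random password from the operating system’s random source. The wordlist is a constructed stand-in for a real dictionary, and the 12-character minimum is an assumption of this example.

```python
import math
import secrets
import string
from typing import Optional, Tuple

# Constructed mini-wordlist standing in for the English and pop-culture
# dictionaries the post mentions; a real check would load a full wordlist.
DICTIONARY = {"password", "secret", "dragon", "monkey", "vader", "skywalker",
              "letmein", "welcome", "summer", "fluffy", "buddy", "sunshine"}

# Substitutions that cracking tools undo before comparing against a wordlist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def dictionary_word_in(password: str) -> Optional[str]:
    """Return the wordlist entry a password is built on, or None.
    Lower-cases, undoes leet-speak, then looks for any wordlist entry inside
    the result, so Vader1977, dr4g0n and xxSummer2009 are all caught."""
    core = password.lower().translate(LEET)
    hits = [w for w in DICTIONARY if w in core]
    return max(hits, key=len) if hits else None

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, the way a manager generates one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def keyspace_bits(password: str) -> float:
    """Bits an attacker must search, counting only the character classes used."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            size += len(cls)
    return len(password) * math.log2(size) if size else 0.0

def assess(password: str) -> Tuple[str, str]:
    """Verdict for the quiz's first question, with the reason (12-char minimum is an assumption)."""
    word = dictionary_word_in(password)
    if word:
        return "weak", f"built on the dictionary word '{word}'"
    if len(password) < 12:
        return "weak", "shorter than 12 characters"
    return "ok", f"about {keyspace_bits(password):.0f} bits of keyspace"

if __name__ == "__main__":
    for pw in ("Vader1977", "dr4g0n", "xxSummer2009", generate_password()):
        print(pw, assess(pw))
```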

NEW HABIT 3 — Bluetooth: A friend at Black Hat showed me his iPhone. The interface didn’t look like any iPhone I’d ever seen. He had hacked the operating system and installed a host of applications that you won’t find in the iTunes app store. He activated one of them as we were sitting in a Las Vegas bar and a list of every iPhone and Blackberry in our immediate vicinity appeared on his screen. Accessing their phonebooks was a button push away.

Bluetooth is a useful communication protocol for headsets and other devices. It has a limited range of about 30 feet, so there’s no reason to get too paranoid. But if you’re in a crowded public place and you’re not using your headset, turn it off.

NEW HABIT 4 — Email, certificates, and secure login: Look at your web browser’s address bar and you’ll notice that it sometimes starts with “https” instead of “http.” HTTPS is a secure, encrypted protocol that also activates the lock symbol in your web browser. You’ll typically see this when you make a credit card transaction.

What you probably didn’t know is that some banks will ask you for your login and password on a regular HTTP page and then pass that information to the secure login screen. The problem is, when you enter your login and password in the fields of an unsecured page, it is getting transferred from your computer to the bank’s computer in the clear.

The best way to handle that is to look for the lock symbol and the HTTPS before entering any sensitive information. If the bank home page is not secure, navigate to the dedicated, secure HTTPS login page and then bookmark it. Gmail and other web-based email services are the same way. There are two ways to log in to Gmail — secure and nonsecure.
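As an added example (written for this post, not code from it), here is a Python audit of a login page’s HTML that flags exactly what this habit is about: a password field on a page that is not served over HTTPS, and a login form that submits over plain HTTP. The bank hostnames in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect each <form> on a page and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # (action attribute, has_password_field)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def audit_login_page(page_url: str, html: str) -> List[str]:
    """Problems to notice before typing a password into this page: a password
    field on a page not served over HTTPS (the bank home page the post
    describes) and a login form whose action submits over plain HTTP."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action, has_pw in scanner.forms:
        if not has_pw:
            continue
        if urlsplit(page_url).scheme != "https":
            findings.append(f"password field on non-HTTPS page {page_url}: "
                            "no lock symbol, and the page can be altered in transit")
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"login form submits in the clear to {target}")
    return findings

# Constructed sample: an HTTP home page whose login box posts to an HTTPS URL.
SAMPLE_HOME = """<html><body>
<form action="https://login.example-bank.test/signin" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    print(audit_login_page("http://www.example-bank.test/", SAMPLE_HOME))
```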

Have you ever seen a warning from your web browser telling you that a site has an expired, unknown, or invalid security (SSL) certificate? Have you ever said, “I trust this site,” and continued on past the warning? That’s just dumb.

SSL certificate protocols exist for a reason. If a nefarious hacker sets up what’s called a man-in-the-middle attack, they present you with what looks like the web site you’re supposed to log into, but it’s not. It’s their page, and it’s just waiting to grab your login information when you type it in. If you come across a secure certificate warning, DO NOT CONTINUE. I don’t care how inconvenient it is. Sometimes companies let their certificates lapse and an expired warning pops up. Let them know; they can fix it in a matter of minutes.

On the email front, most of us are pretty savvy about not opening attachments from people we don’t know. This includes MS Word documents, which can run macros that play havoc with your computer. Some of the people at the hackers conference told me that they go as far as never accepting Microsoft documents, making their friends save any documents in RTF format.

Lastly, if you get a message from your bank or credit card asking you to log in and update something, navigate to the site manually, never via the link provided in the email.

NEW HABIT 5 — Close the door and update your blog: This is a mistake everyone makes. After letting hours of their lives get sucked down the Facebook black hole, many people forget to log out. It’s the same for other portals and networks that are mostly for fun. ALWAYS log out. If you walk in, walk out the same way, and close the door.

If you have a WordPress blog that you are self-hosting, keep up to date with the latest release. Two weeks ago a vulnerability was discovered and a worm was released that affected old versions of WordPress. The worm played havoc with thousands of blogs. If you’re not the type to maintain your WordPress or Movable Type software, utilize a WordPress.com, Typepad, or Posterous account — they’ll make sure you’ve got the latest security patches installed automatically.

Hackers are misunderstood
There is a fundamental misunderstanding about what a hacker is. In the days before the media’s adoption and re-branding of the word “hacker,” a hacker was considered a righteous person. They were coders and application creators who shared their creations with the internet community. In fact, the Macintosh computer that I’m typing on now was born from a hacker named Steve Wozniak. Since the media’s appropriation of the word, it has come to have a pejorative connotation, so a distinction has evolved to separate the good guys from the bad: white-hat hackers are the good guys, and black-hat hackers are the criminals.

I mention this because not all hackers are criminals. Many of the people who call themselves hackers are of the original ilk. Curiosity about systems is not a crime; crimes are crimes. As nefarious as the Black Hat hackers conference sounds, there are a lot of good people there finding exploits and reporting them so they can be fixed. If it weren’t for these dedicated folks, the internet would be in a lot worse shape.

Don’t be lazy
Most of the vulnerabilities that we are open to exist because we are lazy. We can’t afford to be anymore. Adopting simple good practices can truly protect your identity and wallet. So if doing anything I suggest here seems like a pain in the ass, it probably is. So is carrying my camera bag into restaurants and other inappropriate places, but at least then I can be absolutely sure I didn’t leave it on the front seat of my car.

Posted in Contributors / Lou Lesko / Photography / Photojournalism

6 Comments

  1. October 29th, 2009 at 9:42 am

    Five good habits to help protect you from online attacks : Lou Lesko

    […] the rest here at the Resolve […]

  2. November 3rd, 2009 at 12:57 pm

    fix-pcslow

    Thank you for this blog post! It was really useful!
    Could you provide me with some extra info regarding this subject?

  3. November 3rd, 2009 at 1:03 pm

    Lou

    Hey there fix-pcslow,

    I’ll do a follow up in a few months with more details.

    best
    Lou

  4. November 16th, 2009 at 6:22 am

    Ashima

    thanks for info
    gr8 article…

  5. November 26th, 2009 at 1:51 am

    wheyp.roteinsideeffects

    Very great site.
    The message here is very useful.

    I will share it with my friends.

    Cheers

  6. December 17th, 2009 at 11:57 pm

    Associate Programs

    Such an awesome site. I am bookmarking this page.
