We analyze recommendations for protecting personal data and information security: what you should pay attention to

The other day we looked at a number of books about IT risks, social engineering, viruses and the history of hacker groups. Today we'll try to move from theory to practice and see what each of us can do to protect personal data. On Habr and in the media you can find plenty of basic tips: from using password managers and two-factor authentication to paying close attention to emails and potential signs of phishing.

These measures are undoubtedly important as the foundation of cyber hygiene, but you should not limit yourself to them. Below we discuss less obvious points about information security when working with Internet services.


Photo - Bianca Berg - Unsplash

Passphrases instead of passwords


Password managers eliminate the need to remember complex passwords. However, a password manager is always a compromise between convenience and reliability: their developers sometimes suffer leaks. For example, in 2015 hackers stole LastPass users' email addresses and security questions.

With this in mind, a number of information security experts (including representatives of the FBI's Portland office) prefer an alternative form of authenticator: passphrases. They are easier to remember than alphanumeric passwords with special characters.

At the same time, they are considered more reliable. Back in 2015, computer scientist Evgeny Panferov mathematically showed that to strengthen protection against brute-force attacks, one should lengthen the identifier rather than increase its complexity with digits, hash signs and asterisks (p. 2). The same idea was illustrated by the author of the xkcd comic on developers' working days.


Photo - Erik Mclean - Unsplash

Engineers at the Electronic Frontier Foundation (EFF) support the idea of passphrases. They even suggested an unusual way to generate them: with dice. The EFF compiled a list of 60 thousand English words, matching each with a specific sequence of numbers rolled on the die.

Just pick six words to get a random identifier of 25-30 characters. Rolling dice is recommended because the human brain cannot generate a truly random sequence of numbers: we subconsciously tend to choose numbers that mean something to us. For this reason, back in 1890 the English psychologist Francis Galton wrote that dice are the most effective "random generator".
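To show the dice-to-word mapping and the length-versus-complexity argument from the two passages above, here is an added example in Python (it is not from the original post or from the EFF). It assumes a constructed six-line stand-in for the wordlist in the EFF file's tab-separated format, uses the OS CSPRNG in place of physical dice, and for the entropy comparison assumes a list of 7776 words, the number of distinct five-dice keys (6^5).

```python
import math
import secrets

# Constructed sample in the EFF wordlist file format: five dice digits, a tab,
# a word. A full list has one line for every key from 11111 to 66666; these
# six lines are a stand-in so the example runs offline.
SAMPLE_WORDLIST = """11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
"""

def parse_wordlist(text):
    """Parse 'key<TAB>word' lines into a dict, rejecting malformed dice keys."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t")
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table

def roll_dice(n, rng=secrets.randbelow):
    """Roll n dice with the OS CSPRNG, the software stand-in for physical dice."""
    return [rng(6) + 1 for _ in range(n)]

def words_from_rolls(rolls, table, words=6):
    """Map five rolls per word to wordlist entries; six words need 30 rolls."""
    if len(rolls) != 5 * words:
        raise ValueError(f"need {5 * words} rolls for {words} words")
    chosen = []
    for i in range(words):
        key = "".join(str(r) for r in rolls[5 * i:5 * i + 5])
        chosen.append(table[key])  # KeyError on an incomplete list is intended
    return chosen

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random choice: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)

def compare():
    """Six words from a 7776-word list vs. 8 chars from 95 printable ASCII chars."""
    return entropy_bits(7776, 6), entropy_bits(95, 8)
```

Six random words from the full list give about 77.5 bits, while an eight-character password drawn from the full printable ASCII set gives about 52.6 bits, which is the page's point that length beats symbol complexity.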

Password rotation is not needed


We have all faced requirements to change an account password once a month or once every six months. But Ted Ross, head of the security company SpyCloud, says such rotation is pointless.

It encourages users to modify passwords only slightly and to reuse old identifiers, all of which harms account security. The US National Institute of Standards and Technology (NIST), which is developing a new password framework, holds the same view. Microsoft has already adopted it: since last year, Windows no longer requires users to come up with new credentials on a regular basis.

Identifiers should be changed only if they have been compromised. There are special tools to check this, for example the well-known service Have I Been Pwned. Just enter your email address and it will show whether the address has appeared in any leaks. You can also set up notifications so that you receive an alert whenever a new leak is found.
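Besides email addresses, Have I Been Pwned also lets you check whether a password itself has appeared in a leak, through its range API built on k-anonymity: only the first five characters of the password's SHA-1 hash are sent, and the service returns every leaked hash suffix sharing that prefix, so the full hash never leaves your machine. The Python below is an added example and not the service's own client code; it assumes the range endpoint at api.pwnedpasswords.com and uses a constructed response body (the counts are made up) so that it runs offline.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # HIBP range endpoint

# Constructed stand-in for an API response so the example runs offline. A real
# body has the same shape: one "SUFFIX:COUNT" line per leaked hash whose SHA-1
# starts with the requested 5-character prefix. Counts here are invented.
SAMPLE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2A7D0D5E4A4E1C2F3B4A5C6D7E8F9A0B1:2
00000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

def split_hash(password):
    """SHA-1 the password; only the first 5 hex chars are ever sent anywhere."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, body):
    """Parse a range response; return how often our suffix was seen (0 if absent)."""
    for line in body.splitlines():
        if not line.strip():
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.strip().upper() == suffix:
            return int(count.strip())
    return 0

def fetch_range(prefix):
    """Query the real API for one prefix; needs network access."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch=fetch_range):
    """Number of times the password was seen in leaks; 0 means not found."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))
```

A non-zero count is the signal to replace that password; the same logic applies whether the lookup runs against the live service or a cached copy of the range responses.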


Photo - Nijwam Swargiary - Unsplash

Passwords that have leaked online should be replaced even for accounts that have been inactive for a long time. Better still, delete such accounts altogether. Left unattended, they can lead to a compromise of personal data: even a small piece of information helps attackers collect the missing details about a "victim" from other services.

On some resources, closing an account is not so simple. Sometimes you have to contact technical support, and sometimes you spend a long time hunting for the right button in the interface. There are tools that simplify this task, however. For example, JustDeleteMe is a directory of short instructions and links for deactivating accounts. It also comes as a Chrome extension that adds a button to the omnibox; clicking it opens the page for deactivating the account on the current resource (where possible), after which you just follow the instructions.

Work with documents on a special OS


Roughly 38% of malware masquerades as DOC files; today this is one of the most common attack vectors. You can protect yourself from malware distributed this way by opening suspicious documents in cloud editors. EFF experts note that in this case you can almost certainly prevent the malware from being installed. This method is not suitable for confidential documents, though: there is a risk of making them public. For example, in 2018 users' personal Google Docs ended up publicly accessible after being indexed by a search engine.

Engineers at the Electronic Frontier Foundation say that another way to protect yourself from viruses in PDF and DOC files is to install a dedicated operating system for reading electronic documents (possibly in an IaaS provider's cloud), for example Qubes. In it, system and user activities run in separate virtual machines, so if one component is compromised, the malware is isolated and cannot reach the whole system.

(Not) installing updates automatically


Information security experts, for example engineers from Tech Solidarity and FOSS Linux, recommend setting up automatic installation of security updates for operating systems and applications. However, not everyone shares this view.


Photo - Rostyslav Savchyn - Unsplash

A significant share of IT system breaches can indeed be avoided by updating on time. A striking example is the leak of personal data of 140 million US residents from Equifax. The attackers used a vulnerability in the Apache Struts framework (CVE-2017-5638) related to an error in exception handling; a patch for it had appeared two months before the attack on Equifax. But automatic updating can also have unpleasant consequences. There are cases where a fresh "patch", while solving one problem, creates another, more serious one. In 2018, Microsoft had to halt distribution of a new version of its operating system because of a bug that deleted users' personal files.

The conclusion is that updates should be installed as soon as possible, but carefully. Before "rolling out" a patch, it is worth studying its behavior, reading reviews and making a decision based on what you find.

Next time we will continue discussing unusual recommendations that help protect IT systems from intruders. We would also like to hear which solutions you use to improve information security, so share them in the comments.


We at 1cloud.ru offer the Private Cloud service: you can rent virtual infrastructure for your projects. New customers get free testing.

We use enterprise-class equipment from Cisco, Dell, NetApp. Virtualization is built on the VMware vSphere hypervisor.
