I just saw in the news the other day that the cloud-based note and document storage service Evernote was recently hacked and that potentially as many as 50 million users’ account details were compromised. While Evernote has since responded that no sensitive password or financial information was taken, it decided that the potential problem was large enough to force all users of the service to reset their passwords (I reset mine yesterday). It also joins a growing high-profile list of companies whose security has been compromised in recent weeks and months, including Microsoft, Apple, The New York Times, Facebook and Twitter. So what the heck is going on here?
Well, in several of these high-profile hacks over the last few months the companies involved have claimed that China-based hackers with connections to the military have been targeting their networks in an attempt to suppress investigative reports into alleged financial dealings by family members of Chinese Prime Minister Wen Jiabao. (Original report here)
While stories of possible cyber espionage like those alleged against The New York Times are extremely troubling because of the potential chilling effect on free speech when dealing with issues surrounding China, the more immediate threat for web developers in the commercial space comes from organized crime. There are several pieces of information that attackers targeting a commercial website will attempt to lay their hands on. The first and most lucrative are customers’ credit card details. Next on the priority list are personal account details such as user names, passwords, email addresses and any other personally identifiable information. This information is often packaged up and sold on to others, who use it to apply for fake identification or for credit while posing as the victim.
So while all of this might seem a bit on the gloom-and-doom side of things (reaching for the tin foil hats), I want to end on a positive note: what can we as developers do to lessen the chances of client data being compromised? Remember that the type of security your clients will need depends greatly on the information being stored. For myself, I prioritize client data as follows: highest, financial information; very high, account access credentials (usernames and passwords); pretty high, personal information such as names, emails, dates of birth and so on. While it may not be possible to defend against every conceivable threat out there in the wilds of the internet, a properly designed security hierarchy can prevent an annoyance for users, like needing to reset a password, from turning into a disaster: getting a phone call from your bank saying you have no money.
Another week rolls on by in the world of web development. I want to talk today about security on the internet: how secure is it really, both for our own personal web surfing and, as web developers, for the websites we build for our clients? What got me thinking about this was that last week, for my security and quality assurance course, I was tasked with researching a series of websites and the potential security vulnerabilities those types of sites would need to be secured against. After several hours of research on the subject I had enough information to write and submit my assignment.
The following morning I received a scary notification from Google stating that someone had attempted to hack into my account from Florida and change my password. For some added context, in the four years since I opened my first Google account I had never had any problems with security or attempted hacks. So while it may have been a coincidence, it seems that merely conducting background research on the most common types of hacking and the methods to prevent them had partly compromised my personal security online.
So I was left asking myself: how the heck am I supposed to find out how to defend myself and my websites against hacks without being compromised in the process? After some additional digging it turns out there is actually quite a lot the average internet user can do to lessen the chances their online accounts will be targeted. One of the easiest things to do is remove any cookies your browser stores for extended periods on your computer. Cookies are small pieces of data that a website stores in your browser so that any settings you have with that website are available when you return later. If there are holes in the security of those cookies they can be hacked (as was the case with me) and personal information can potentially be stolen. Additionally, all modern browsers come with some form of privacy mode that doesn’t store user information once the browser window has been closed. In Chrome this is called incognito browsing, and both Firefox and Internet Explorer have similar modes available in their options menus.
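As an added example (not from the original post), here is a small Node.js check a developer can run over the Set-Cookie headers their own site sends, flagging cookies that would persist long after the browser closes or that lack the standard protective attributes; the 30-day threshold and the sample headers are constructed assumptions.

```javascript
// Added example: audit Set-Cookie headers for long-lived or weakly protected cookies.
// The 30-day threshold and the sample headers below are constructed assumptions.

const LONG_LIVED_SECONDS = 30 * 24 * 60 * 60; // cookies living longer than this get flagged

// Parse one Set-Cookie header value into its cookie name and a map of lowercase attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Seconds the cookie persists on disk: Max-Age wins over Expires; neither means session-only (0).
function lifetimeSeconds(attrs, now = Date.now()) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']);
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    return Number.isNaN(t) ? 0 : Math.max(0, Math.round((t - now) / 1000));
  }
  return 0; // session cookie: discarded when the browser closes, as in a privacy mode
}

// Return the cookie name plus a list of findings for one Set-Cookie header.
function auditCookie(header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (lifetimeSeconds(attrs, now) > LONG_LIVED_SECONDS) findings.push('long-lived');
  if (!attrs.secure) findings.push('missing Secure');     // could be sent over plain HTTP
  if (!attrs.httponly) findings.push('missing HttpOnly'); // readable by injected scripts
  if (!attrs.samesite) findings.push('missing SameSite'); // attached to cross-site requests
  return { name, findings };
}

function auditAll(headers, now = Date.now()) {
  return headers.map((h) => auditCookie(h, now));
}

// Constructed sample headers, as a site might send them.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'remember_me=tok; Path=/; Max-Age=31536000',
];

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```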
For people and organizations that need even higher levels of security and privacy, several of my classmates told me about a different browser altogether, called Tor, that keeps users’ communications secure by relaying them through different servers around the world. This makes it much harder for somebody watching your Internet connection to learn what sites you visit, and it prevents the sites you visit from learning your physical location.
One final takeaway to remember with all of these methods to enhance your online security: while they will make you a much harder target to find and track, none of the steps outlined is by any means foolproof.