Just how hackable is your digital life?

When Wired News reporter Mat Honan had his digital life hacked (and subsequently, virtually wiped out) in August, the significant loss of data he endured wasn't the scariest part of the experience. Much more terrifying was the method by which hackers drilled into his digital accounts.

Using clever social engineering exploits, the hackers posed as Honan and succeeded in extracting key bits of personal information from Amazon and Apple customer support. With the critical data in hand, the hackers then locked Honan out of his Google account, commandeered his Twitter stream, seized control of his Apple ID number, and wiped his computing devices clean.

It was momentarily life-wrecking, at least.

If a hacker wanted to ruin your life, whether by identity theft or by a simple Honan-esque data wipe, how difficult would that objective be to achieve? The answer is that it's likely a lot easier than you think.

Are you an easy target?

According to a recent Harris Interactive poll commissioned by Dashlane, a company that manages passwords and personal data, most online Americans are concerned that their personal data might be used online without their knowledge. Approximately 88 percent of the 2208 adults surveyed cited being at least "somewhat concerned," and 29 percent claimed to be "extremely concerned." In addition, three out of five respondents were worried that they were vulnerable to being hacked.

John Harrison, a group manager at Symantec Security and Response, says that people should be concerned, because they're sharing more than they think they are.

Because social networks, public records, and high-profile security breaches are so prevalent, a lot of potentially sensitive information is just floating around the Internet.

"Each piece of information adds to the puzzle," Harrison says. "We don't throw everything out there at once, but it eventually comes together. For example, you may not put your full birthday on Facebook, but it's not difficult for someone to find out what year you graduated from high school and put two and two together."

In other words, you may not think you're sharing too much (just a snippet here and a snippet there), but to a hacker, you're building an easily harvested online profile.

Protect yourself the easy way

If you use the Internet in any meaningful way (sending email, uploading photos, frequenting social networks, shopping), your online profile is likely already floating around in the ether. And even if you haven't been online all that much, bits of your personal data may be available for online viewing via digitized public records. An interested person could readily find out if you have a mortgage, for example, or if you've recently gotten married or divorced.

You probably know that a typical five-character, dictionary-word password is easy to hack, and perhaps you rely on something far less penetrable. But you probably don't have the time or bandwidth to memorize a complicated mix of numbers and letters. So here are a few quick, easy-to-implement security tips that will drastically reduce your hackability.

Search for yourself: Before you start worrying, it's a good idea to get a handle on how much information about you is out there by searching for yourself. Type your name into Google, both with quotation marks and without, and with relevant keywords, such as your address, phone number, email addresses, job title, company, and alma mater.

See what you find, and try to look at the information the way a hacker would. Is there enough data there for someone to piece together your life? If so, you need to take steps to improve your personal security.

Use passphrases instead of passwords: Passwords are a tricky security issue. The best passwords are computer-generated mixtures of letters, numbers, and special characters (such as exclamation points and question marks). Unfortunately, the resulting alphanumeric strings are also extremely difficult for most people to remember. But since most passwords are hacked via brute-force methods (that is, by having a computer go through all possible combinations of characters), longer passwords are more secure simply because they take longer to discover.

For example, an Intel Core i7 processor takes just hours to crack a five-character password, but it takes more than 10 days to crack a seven-character password. That's why security experts recommend using passphrases instead of passwords. See Alex Wawro's password primer for pointers on building a good passphrase.
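The length argument above, worked through as an added example (not part of the original article). It compares the brute-force search space of random-character passwords with randomly chosen word passphrases and generates a passphrase with a cryptographically secure random source. The guess rate, the 95-character alphabet, the 7776-word list size, and the `SAMPLE_WORDS` list are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample list for illustration only; a real generator needs a
# large list (the Diceware list, for instance, has 7776 words).
SAMPLE_WORDS = ["anchor", "breeze", "copper", "dapple", "ember", "fathom",
                "glacier", "harbor", "indigo", "juniper", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble"]

# Assumed attacker speed in guesses per second (hypothetical, not from the article).
GUESSES_PER_SECOND = 1e9


def search_space(symbols: int, length: int) -> int:
    """Number of candidates a brute-force search must cover."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy when each position is chosen uniformly at random."""
    return length * math.log2(symbols)


def worst_case_days(symbols: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every candidate at the assumed guess rate."""
    return search_space(symbols, length) / rate / 86400


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; random.choice() is not suitable here."""
    if count < 1 or len(set(words)) < 2:
        raise ValueError("need at least one word and a list with distinct entries")
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # 95 = printable ASCII characters; 7776 = Diceware-sized word list.
    for label, symbols, length in [("5 random chars", 95, 5),
                                   ("7 random chars", 95, 7),
                                   ("8 random chars", 95, 8),
                                   ("4 random words", 7776, 4),
                                   ("5 random words", 7776, 5)]:
        print(f"{label:15} {entropy_bits(symbols, length):5.1f} bits "
              f"{worst_case_days(symbols, length):14.4f} days")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 5))
```

Each added character multiplies the search space by the alphabet size, and each added word multiplies it by the word-list size, which is why a handful of random words can match a much harder-to-remember random string.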

Stay updated: One of the easiest ways to prevent intruders from compromising your computer is to make sure that you're always running the latest version of all your PC applications, including your antivirus program.

"Drive-by downloads (malware that downloads to your computer when you click on a malicious link) often work by exploiting known bugs in software," Harrison says. "These bugs are usually fixed in updated versions of the software, but that won't help you if you're still running the old version."

Prioritize accounts: You may not be able to remember complex passphrases for every account you have, and that's okay. According to Doug McLean, senior director of product marketing at McAfee's Global Threat Intelligence, the average online American has more than 100 accounts, not all of which are important.

Instead of creating different passwords for every account, create unique ones for only the important accounts: email accounts, online banking accounts, social networks, and other accounts that contain sensitive information. For relatively trivial accounts, such as message boards, it's fine to use an insecure, hackable password.

McLean also suggests creating a "junk mail" email address for accounts that you don't really care about. You can use this junk email address to sign up for message boards, contests, and newsletters. Then, if one of the junk accounts is compromised, hackers won't have your real email address or your real passwords.

Lie: Speaking of junk accounts, be careful about what information you give away to random websites. Sure, your bank needs to know your home address, but does a message board really need to know your zip code or your full birthday? If you can't get past a screen because the website wants you to give up too much information, Harrison suggests that you make things up. After all, he notes, message boards are notoriously hackable, and they really just want to verify that you're over a certain age.

Protect yourself offline: According to McLean, offline identity theft is still much more common than online identity theft. The reason: Email addresses have passwords, while mailboxes, dumpsters, and lost wallets do not. To protect yourself offline, McLean suggests that you get a locking mailbox (if you don't already have one), shred all important bills and documents before you throw them away, and never carry your Social Security card with you.

Use a password manager: Though password managers require a little setting up, they're worth it if you're worried about the integrity of your passwords or passphrases. Password managers such as Dashlane, 1Password, and LastPass not only store all of your passwords in a neat little encrypted program that you can unlock with a master password; they can also create secure, computer-generated passwords that even you don't know.

In choosing a password manager, it's important to pick one that's compatible with all of your devices, including your phone and tablet. Dashlane, 1Password, and LastPass are compatible with Windows, Mac OS X, iOS, and Android; and LastPass is also compatible with Linux, BlackBerry, Windows Phone, WebOS, and Symbian. Password managers can store form data, so you don't have to park credit card information on the Web.

Freeze your credit report: Freezing your credit report is the single most effective way to prevent identity theft, according to McLean. If you're over 30 and you're not getting married or divorced, you probably won't be applying for new credit cards, loans, or mortgages, so you don't need your credit report to be readily available.

To freeze your credit report, you must contact each of the three major credit bureaus (Equifax, Experian, and TransUnion), fill out a form, provide proof of identity, and pay a small fee (around $10, depending on your state). You'll then receive a PIN or password that will allow you to "thaw" your credit report (either temporarily or permanently) if you ever need to use it. Temporarily thawing your credit report usually takes less than a minute, McLean says.

Credit report freezes are free in the United States for victims of identity theft.

Even a little security goes a long way

McLean suggests that taking minimal security precautions is like outrunning a bear: You don't have to be faster than the bear; you just have to be faster than your friend who's also being chased.

Hackers are smart, but they're also somewhat lazy. So unless you happen to be a high-profile target, a hacker will likely give up if your data defenses prove to be too difficult to breach. Mat Honan's hackers even admitted that their attack was nothing personal; they simply wanted to break into his Twitter account because the three-character handle "@mat" signified the property of a Twitter superuser. Nothing more, and nothing less.

Ultimately, even taking small security steps, such as creating an eight-character password instead of a five-character password, can protect your personal information just well enough to convince hackers to move on to the next digital door.


Stories by Sarah Jacobsson Purewal
