After close to a year of non- (or limited) employment, I recently started a new job as one of those near-mythical "IT Security Professionals", working for a smallish (~750 employees), localish (servicing 4 states in the US) Internet Service Provider. This is mostly new to me (aside from a very short stint at an App-sec company in Maryland last year). My only legitimate qualification for this position is my inherent paranoia.
After only a couple weeks on the job, my manager left for a two month trip to Europe. Now, I've always been interested in computer security and I learned a lot of things from a year of contract work (mostly that eating alone sucks), but not enough to prepare me for being the only guy protecting a couple million users from getting hacked. Luckily, my boss is back, and I've started to settle into the role.
Two of the best things about my new job are that (1) I have a budget set aside for training and learning how to do that job (something that was promised by my previous employers, but never followed through on), and (2) my role in increasing "Security Awareness" in my company. I have time to read and learn built into my job description--AWESOME! The second, especially, is rather fun (for me at least). Twice a month I write up and send out reports to the IT department on what's going on in the company (infections, security breaches, mitigation, etc.), what's going on in the wider world of computers (new viruses, news-worthy break-ins, further Snowden leaks, etc.), and what I'm learning (password cracking, social engineering, network hardening). While the first in that list is, of course, confidential, I've decided to regularly (not promising weekly, but however often I can remember to) share some of the more interesting things from the latter two categories.
If I'm really on top of things, maybe I'll share what I'm reading and thinking on the gaming-side more frequently as well.
So, here are a few things from the last week that justify my paranoia.
- Even with the screen off, your Android is sharing the location and identity of every network you use to anyone who is willing to listen. This is easily remedied by turning wifi OFF when you are not connected to a network you know and trust (I was already doing this before learning of this, now I know I wasn't crazy).
- Even if your password is completely random, if it is less than 10 characters long it is guaranteed to be cracked in around 30 minutes. But, we all know that your password isn't random. Here is a video (rather long) detailing all the tricks that will let even your long passwords be cracked easily. Of course, it also then becomes a useful list of "don't do these things." Note...my LinkedIn password is in the small minority of ones that have never been cracked.
- Two-factor authentication is not as secure as you think it is. Even everyone's favorite online shopping aid, PayPal, had their TFA cracked. All the more reason to have a decent password (see #2 above).
- I have a new favorite Linux distro.
- I am using the wrong phone. There are now phones out there for the paranoid and privacy conscious and those who don't care how paranoid you are.
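The password point above (#2) is easier to reason about with numbers in front of you, so here is an added example that is not from this post or any tool it links: a small Python estimator that works out the brute-force keyspace and entropy for a password's length and character classes, and flags passwords that are really just a dictionary word plus a common suffix (the "your password isn't random" case). The character-class sizes, the guess rate, the tiny word and suffix lists, and all function names are my own assumptions for illustration; real cracking throughput depends entirely on the hash algorithm and hardware, so treat the rate as a knob to set for your own environment.

```python
import math
import string

# Alphabet size of each character class, used for the keyspace estimate.
# (Assumed: 32 printable ASCII punctuation characters count as "symbol".)
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32
}

# Hypothetical guess rate (guesses per second) for a fast, unsalted hash on
# GPU hardware. This is an assumption for the example, not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Constructed, tiny stand-in for the wordlists and mangling rules that
# real cracking tools use: a dictionary word plus a common suffix.
COMMON_WORDS = {"password", "linkedin", "welcome", "summer"}
COMMON_SUFFIXES = ["", "1", "123", "!", "2014"]


def character_classes(password):
    """Return the set of character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def alphabet_size(classes):
    """Size of the combined alphabet for the given character classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def brute_force_keyspace(length, classes):
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Entropy of a truly random password of this length and alphabet."""
    return length * math.log2(alphabet_size(classes))


def worst_case_seconds(length, classes, guesses_per_second):
    """Time to exhaust the keyspace at the given guess rate."""
    return brute_force_keyspace(length, classes) / guesses_per_second


def is_dictionary_derived(password):
    """True if the password is a common word (any case) plus a common suffix."""
    for suffix in COMMON_SUFFIXES:
        if not suffix:
            stem = password
        elif password.endswith(suffix):
            stem = password[: -len(suffix)]
        else:
            continue
        if stem.lower() in COMMON_WORDS:
            return True
    return False


def assess(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Summarize how a password would fare against brute force and wordlists."""
    classes = character_classes(password)
    length = len(password)
    return {
        "length": length,
        "classes": sorted(classes),
        "entropy_bits": round(entropy_bits(length, classes), 1),
        "brute_force_hours": worst_case_seconds(length, classes, guesses_per_second) / 3600,
        # A long, mixed-class password still falls quickly if a wordlist
        # plus a handful of mangling rules covers it.
        "dictionary_derived": is_dictionary_derived(password),
    }


if __name__ == "__main__":
    for candidate in ["Summer2014", "x7$Qm2!pL", "correct horse battery staple"]:
        print(candidate, assess(candidate))
```

The useful comparison is "Summer2014" against the 9-character random string: the former has more raw entropy by the keyspace calculation, but `is_dictionary_derived` catches it immediately, which is exactly the gap the linked talk exploits. For a real policy check you would swap the constructed word and suffix lists for an actual leaked-password list and a proper rule set.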