WYSIWYG 2: How do we protect our data?
Hey all,
Fresh off the security breaches from last week’s edition, we have even more data compromises to report. This week’s edition is a reminder to companies not to keep data they don’t need, to always perform an audit, and that – well – humans make mistakes. I'd like to know what you think are the bare minimum things we should do to protect our data.
Mozilla actually took a try at providing an easy to understand blog post on it but has since taken the post down to rework the content.
Here are 5 quick things from me:
- Don’t use the same password across different applications
- Don’t install untrusted software, browser extensions, or add-ons
- Enable 2FA/MFA authentication
- Use very long passwords
- Use throwaway email addresses, phone numbers, and even identities
DD Perks attack
Dunkin' Donuts, or should I say Dunkin’, disclosed this week that one of their security vendors notified them that third-party attackers have been using usernames and passwords obtained from other companies’ security breaches in their DD Perks system. This could have exposed names, email addresses (username), and DD Perks account numbers and QR codes.
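As an added example (my own, not code from Dunkin' or the vendor mentioned above), here is the kind of check a login service can run over its own authentication logs to spot what hit DD Perks: one source address trying many different usernames with mostly failures, where the few successes mark accounts whose owners reused a password. The log lines and IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample auth log lines (not from any real system):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2018-12-01T10:00:01 203.0.113.7 alice@example.com FAIL
2018-12-01T10:00:02 203.0.113.7 bob@example.com FAIL
2018-12-01T10:00:02 203.0.113.7 carol@example.com OK
2018-12-01T10:00:03 203.0.113.7 dave@example.com FAIL
2018-12-01T10:00:04 203.0.113.7 erin@example.com FAIL
2018-12-01T10:00:05 203.0.113.7 frank@example.com OK
2018-12-01T10:00:06 203.0.113.7 grace@example.com FAIL
2018-12-01T10:00:07 203.0.113.7 heidi@example.com FAIL
2018-12-01T10:01:00 198.51.100.4 alice@example.com FAIL
2018-12-01T10:01:05 198.51.100.4 alice@example.com FAIL
2018-12-01T10:01:09 198.51.100.4 alice@example.com OK
"""

def parse_log(text):
    """Turn the whitespace-separated lines above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def find_credential_stuffing(events, min_users=5, min_fail_rate=0.5):
    """Flag source IPs that try many distinct usernames with a high failure rate.
    Credential stuffing replays leaked username/password pairs, so each IP hits
    many accounts roughly once, most attempts fail, and the few successes are
    the accounts that reused a password elsewhere. A legitimate user retrying
    their own password (one username, a few attempts) does not match this shape.
    Returns {ip: [usernames that accepted a replayed password]}."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["ok"]:
            stats["hits"].add(e["user"])
        else:
            stats["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            # these accounts need a forced password reset and a user notification
            flagged[ip] = sorted(s["hits"])
    return flagged
```

The thresholds are assumptions to tune per service; the point is the shape of the traffic (many usernames per source, high failure rate), not any single number.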
Urban’s online database had no password
Urban, a UK-based massage startup that offers “wellness that comes to you,” leaked its entire customer database. This was because their database was left online without any password protection. Due to the recent European-wide GDPR rules, Urban may face steep financial penalties of up to four percent of its global annual revenue.
Quora data breach
Quora disclosed that over 100M users had their account information compromised. This exposed user data such as names, email addresses, encrypted (hashed) passwords, data imported from linked networks when authorized by users, public content and actions (e.g. questions, answers, comments, upvotes), and non-public content and actions (e.g. answer requests, downvotes, direct messages).
Quora also mentioned that questions and answers that were written anonymously were not affected by this breach. Fortunately, back in March 2017, Quora made changes to their internal systems to no longer connect user accounts with the anonymous content they contribute. This breach would have exposed a lot more private content had those changes not been made.
Security breaches can result from company negligence in protecting and maintaining where they store their data, or from user error, such as using the same username and password combination across multiple applications or even leaking it via social engineering. Do you think we need a new way to identify ourselves outside of the traditional ways of doing so (such as passports and social security numbers)?
– Chris
WYSIWYG details weekly points of interest around software development and the SWE life.
Given how hard it is for professionals to get security right on the software engineering side (see https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3, https://gist.github.com/TheZ3ro/fb521a3cde0c91fcb350, etc.), I'm not sure that anyone can provide good universal security tips beyond "don't reuse passwords," "don't share too much info with too many sites," and "use MFA (if it's available)."