Security in 2017 (was "OK, the list *really* needs to be fixed")

Richard Gaskin ambassador at fourthworld.com
Tue Jan 3 13:07:32 EST 2017


Bob Sneidar wrote:

 > DON'T CLICK THE LINK!

Amen, brother. A wise default.  Click nothing in an email unless you're 
certain it is what it claims to be.

This article was eye-opening for me:

   The human attack surface, counting it all up
   Humans have become the primary attack surface for cyber criminals.

<http://www.csoonline.com/article/3149510/security/the-human-attack-surface-counting-it-all-up.html>

...which includes this gem:

"Ninety-one percent of attacks by cyber criminals start through email..."


As app devs we're making ever-fewer solo apps with isolated islands of 
information, increasingly supporting collaboration with client-server 
systems.

Protecting our users' data is of course a priority, but often what's 
more important to the attacker are the passwords and control of the 
server itself.

This requires all of us in this profession to take a fresh look at not 
only each individual part of a system, but the ways they connect to one 
another.

Email plays a central role in much of what we do, and refining our 
practices with how we use it can help mitigate risks to things that may 
not immediately seem related.

Last year I moved my email credentials from the main hard drive to an 
encrypted USB thumb drive. There are tutorials on the web for doing this 
with most email clients.  With that, stealing my laptop doesn't grant 
the thief access to my email; they'd also need to steal my thumb drive, 
and also have the password to that drive.

This year I want to take this further. I just turned off automatic 
login; next I'll encrypt my home partition.  I'm exploring options to 
run browsers exclusively in containers to isolate them beyond their 
sandbox.  I'm upgrading my password hashing and salting.  I'm replacing 
my SSH keys with longer ones.  And I'm reading more about these things 
for new things to add as I go.

Risk can never be eliminated, but it can be mitigated.  And as we've 
seen with the DDoS attack on the east coast in October, and the email 
hacks over the summer, much of the risk we face can be avoided with only 
a little diligence.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com
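Richard's list of this year's steps includes upgrading his password hashing and salting. The block below is an added example, not code from the post or from LiveCode, showing what that upgrade typically looks like on the server side: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), a self-describing stored record so the work factor can be raised later, and a constant-time comparison on verification. The iteration count, record format and function names are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; raise ITERATIONS over time as hardware gets faster.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record of the form algo$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_upgrade(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the record uses an older scheme or a lower work factor than policy.

    Because the password itself is only available at login, the usual pattern is:
    verify with the old parameters, and if needs_upgrade() is true, rehash with
    the current ones and overwrite the stored record.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < min_iterations


def login_and_upgrade(password: str, record: str) -> Optional[str]:
    """Return the (possibly rehashed) record on success, or None on failure."""
    if not verify_password(password, record):
        return None
    if needs_upgrade(record):
        return hash_password(password)  # new salt, current iteration count
    return record


if __name__ == "__main__":
    # Constructed sample: a record hashed with a deliberately low iteration count,
    # standing in for an older deployment that is being upgraded.
    old_record = hash_password("correct horse battery staple", iterations=1_000)
    print("old record needs upgrade:", needs_upgrade(old_record))
    new_record = login_and_upgrade("correct horse battery staple", old_record)
    print("rehashed at current policy:", not needs_upgrade(new_record))
```

Store the whole record string per user; never store the salt separately in a way that can drift out of sync with the hash, and never log the password between verification and rehashing.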