DavsDisorder

This blog captures some of the observations of Tim Davoren, Data Engines' founder and Managing Consultant. Do not expect an especially coherent delivery here!

Social media account hacking and the need for two factor authentication services

Tim Davoren - Tuesday, October 25, 2011

Ok, I know it's been some time since I posted...at least 5 months!! I have made a commitment that I will begin posting at least once, but hopefully twice, a week. As a small consultancy firm with myself heading up both sales and commercial project management, not enough of my time is spent having "conversations" with customers like I used to as a sales guy working for other people's companies. So, I have decided that this blog is a good way for me to tell some stories and give my opinions on topics relevant to what our customers do day-in-day-out...and probably some irrelevant crap too! Although I do not have the 'blogosphere' prestige of some tech bloggers out there (many of whom I read daily and will share with others), I hope to generate a multi-way conversation from topics in this blog...so please sign in and comment/question, or berate and insult me anonymously...at least I will know someone is reading!!

ANYWAY...on with what I was actually going to talk about.

Recently, and on two occasions, one or more of my online social media service accounts has been compromised. I am not sure of the method of attack used; however, I am sure of the intrusion because on both occasions postings and/or comments were published via those social media web services (and syndicated to other web services in one case) that were certainly not penned by yours truly.

The comments were the 'get-rich-quick', 'own your own successful small business for zero effort' type of thing I'm sure you have all seen or heard before. As I indicated in a genuine posting to all contacts via the compromised (and now password changed) accounts, owning a small business is definitely a bag of mixed blessings...and there is nothing "rich" or "quick" about anything!! :)

Although I had thought about the precarious nature of web service passwords many times in the past, these recent incidents brought the topic into sharp focus for me and I thought I would comment on it.

I have noticed over the years that I re-use the same password (or set of about 3 passwords) for varying web services and applications, from things like Gmail through to Amazon accounts and Twitter/LinkedIn. I was aware that this presented a risk to the security of my access to these services, particularly when most of them allow email address based login names/usernames or I have chosen fairly standard, guessable usernames (e.g. tdavoren, timdavoren, tdav, etc). The convenience of not having to remember multiple passwords therefore means that one breach of one particular web application opens me up to multiple breaches across different applications.

Some rogue tweets or postings via social media are unlikely to be too damaging (for me that is...for larger PR-reliant firms they may be), but the possible information leakage from other 'non-social' (i.e. personal/private/secure) web applications is worth pondering...banking details, client information, sales prospect information, any kind of intellectual property.

This situation obviously calls for either stronger passwords (and a way to manage/track them...I swap browsers/computers all the time so browser solutions are no good) or for a two-factor authentication access method. I will be opting for the second...and I reckon most businesses considering any 'cloud' or web based platform or application will be doing likewise. The idea of 'something you know and something you have', whilst not entirely unhackable, is a significant improvement on just strong passwords.

Of course, you might think why haven't I done this already...well of course, the cobbler's son has no shoes, right?!? We will be looking to use technology that we sell/integrate for a living to solve this issue...EMC RSA SecurID, Symantec VeriSign, Microsoft Access Gateway or SafeNet are amongst the primary candidates.

Stay tuned.
