Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/11/2017
10:30 AM
Lance Cottrell
Lance Cottrell
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How Systematic Lying Can Improve Your Security

No, you don't have to tell websites your mother's actual maiden name.

After any major breach, the entire security community clamors to weigh in. The headlines are filled with advice and suggestions as vendors advocate for their solutions and consultants push training. The response of breached companies is almost always the same: they offer free credit monitoring. I have plenty of thoughts on why that is ineffective, but the short version is that this approach is like putting up a sign saying that a bridge is out… behind you.

Predictably, the usual advice is offered about strengthening passwords, utilizing two-factor authentication, and the like. But what you really need to do to protect yourself from the effects of a breach depends on what information was revealed. Whether password lists, account names, credit card information, personal identifiers, financial information, or personal information, each of these can lead to different kinds of attacks that require different defenses. In light of this, I suggest a change that anyone can make, which is particularly relevant to the Equifax breach but is also generally effective. So, in addition to the methods listed above, I suggest taking advantage of one of the most effective and durable tactics: lying.

There are three kinds of attacks enabled by the Equifax breach. First, the financial and personal information can be used to open fraudulent lines of credit. The best defense for this is a credit freeze at all three credit reporting bureaus. Second, the financial information can help attackers target high-value individuals for other kinds of scams or attacks. For targeting, a combination of anonymity and paranoia are your best bet. Finally, the information exposed reveals details about the victims that are often used in security questions. This brings me to my point about lying — to avoid losing personal information via security questions, lie about the answers.

The fundamental problem with the security questions on websites is that they are asking for discoverable biographical questions. They might ask the name of the street where you grew up. Using the Equifax data, attackers can probably connect you to your parents. They will know the addresses where both you and they lived, and what your age was at the time, so they know all the likely answers. We also reveal many other answers directly through our social media posts, pet names, relatives, etc.

If you lie in your answers to these questions, your answer becomes much harder to guess. Saying I grew up on 3rd Street instead of 5th is a good start, but it is still a common street name. Saying my favorite color is "Saint Bernard" is much better. These answers are just free-form text fields — you can put in anything at all, including a pure random string.

Of course, the answers to these questions can be exposed as well. As with passwords, it is important not to reuse the same answers over multiple websites. On one website, my mother's maiden name could be "Blue Dyspeptic Wallaby," while on another it might be "Invisible Orange Planets Laugh Silently."

Now, if you think it is unreasonable to be asked to keep track of unique passwords for each account, you may be reaching for torches and pitchforks about now. The solution here is to use a password vault. There are many available with strong security and the ability to sync between all of your devices. My two favorites are 1Password and Dashlane. And no, I don't own stock in, or work at, either of them.

The trick is to take advantage of the notes field available in these applications. When you save a username/password, you can also put the security questions and answers in the notes field to make sure you keep track of all the different lies you have told. If you are asked for new answers to additional questions, simply add those to the note. With the vault syncing, you will have all the answers at your fingertips whenever you need them.

Like adopting strong unique passwords, this can seem like a monumental undertaking. After all, how many different accounts do you have? A quick glance at my vault suggests that I have about 1,000 of them. Don't worry — you don't need to change them all at once. A good practice is to start with just your most critical accounts: financial institutions and your password recovery email account.

Once you have those accounts protected, just make a point of using unique strong fake answers for each new account you create, and updating existing ones when you're prompted to change your password. From time to time, take a few minutes more to change some of your other important or frequently used accounts. After a short while, your security will be substantially improved. All through the ancient technique of lying.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid Corp. (then Abraxas) in 2008. Anonymizer's technologies form the core of Ntrepid's Internet misattribution and security products. As Chief Scientist, Lance continues to push the envelope with the new ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LokiTM
50%
50%
LokiTM,
User Rank: Apprentice
10/17/2017 | 12:53:11 PM
Re: Regret Providing All Real Information
These websites really make you feel like you have to answer the questions truthfully, so almost everyone does.
geriatric
50%
50%
geriatric,
User Rank: Moderator
10/17/2017 | 7:44:34 AM
I Like It!
I've been doing this for a while, though my tactics are not as elegant as Mr. Cottrell's. This should really be part of Security 101, it's that important to understand.
Mr Phen375
50%
50%
Mr Phen375,
User Rank: Apprentice
10/17/2017 | 4:01:38 AM
Regret Providing All Real Information
How I wish I came across this post earlier. OMG! I provided all real information to those who asked. I really regret it now.
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2020-17454
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
CVE-2020-24421
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.