Preparing Your Kit

Whether it’s wildfires in California, storms hitting the Carolinas, or gas lines blowing up houses in Massachusetts, current events remind us that having a few extra supplies ready can make things much easier in case of an emergency.

The site ready.gov is a good starting point. The following list is from their page on building a kit (with comments from me). If your resources are tight, I’d recommend starting at the top of the list, and working your way down. If you get just one item per week then you will have a good, basic kit in less than three months. Remember, this is a long term planning task. It’s about spending time when you have it (before an event) so that you have resources when you need them (during an event).

These first three are excellent things to keep with you or near you every day.

  • Flashlight (Always good to have extra flashlights)
  • Cell phone with chargers and a backup battery (Having a USB charger and especially a charging cable for your phone is critical.)
  • Whistle to signal for help (A whistle is a great tool, and it can fit on a keychain.)

The next three are good things to keep in your room, apartment, vehicle, or house.

  • First aid kit (These range from tiny pocket-sized packs to briefcase sized full medical kits. If you raid it for band-aids and acetaminophen, remember to refill your supplies!)
  • Extra batteries (AA and AAA seem to be popular these days, but whatever you need, every time you buy one get an extra for your stash. Then you always have one when you need it.)
  • Local maps (Navigation systems are great, but your phone battery can die. No batteries are required for a good old map! If you go cheap and print your own be sure to laminate it. You want it to last should you need it.)

The rest complete a good starting point for a kit, whether it’s a small bug out bag for a dorm room or stocking a basement.

  • Water – one gallon of water per person per day for at least three days, for drinking and sanitation (Bottled water is great, but having a purification method can be very useful, and it can be easier to carry. Options include filters like LifeStraw as well as water purification tablets of many types.)
  • Food – at least a three-day supply of non-perishable food (For a family this can be fancy prepper food with a shelf life of 25 years, or for smaller kits it can be a stack of energy bars. As you move from a simple emergency bag to a full house emergency kit the food requirements will change.)
  • Battery-powered or hand crank radio and a NOAA Weather Radio with tone alert (These start at around $17.)
  • Manual can opener for food
  • Wrench or pliers to turn off utilities
  • Dust mask to help filter contaminated air and plastic sheeting and duct tape to shelter-in-place
  • Moist towelettes, garbage bags and plastic ties for personal sanitation

There are lots more resources on this available from ready.gov, fema.gov, and other sites. Having even a few of these items can make it much easier to get through any crisis.

The Equifax Breach: Why it’s big, and how to stay safe.

Yesterday, Equifax admitted publicly that they were breached, and that personal information was exposed for 143,000,000 U.S. consumers.  While this is not the largest data breach in number of records exposed, it is arguably the worst data breach ever due to the type of data that criminals accessed.  Whether or not you believe that your information was exposed there are steps you can take to protect yourself.

Why This Breach is Historic

This breach involved personal information, not just credit card numbers.  If a criminal gets hold of your credit card information you can cancel the card, and if they are able to make any charges you can dispute those with the credit card company.  It’s slightly worse if a criminal gets your debit card information. In that case you can get a new card, but you may have to fight with the bank to get your cash back into your bank account.

In this breach identity information was stolen.  If a criminal gets hold of your identity information it’s much harder for you to change that, and the criminal can continue to use it for years.  Even if you are able to change your social security number (which may require proof of criminal activity) many companies will continue to have your previous number, and may grant access to your information based on that.

According to the information available today criminals gained access to names, social security numbers, addresses, and other information for more than one hundred million people in the U.S.  In some, or perhaps most, of these cases the people who are now at risk never had any dealings directly with Equifax.  Even so, the failure of Equifax to protect consumers’ data now costs millions of people time and money: time and money which will be required to protect themselves and/or to react to criminal activity committed in their name.

Even worse is the fact that Equifax has been breached before!

And they’re not alone.  Experian has been in the news for its own share of issues.

Because of the number of people who are now subject to identity theft, this is quite possibly the worst data breach in history.


What You Can Do

Even if your information hasn’t been exposed yet, there are at least two things you can do to protect yourself and to prevent criminals from using your information.  Note: option 1 is more expensive, and it is optional if you complete all of option 2; however option 1 is the easiest over the long term.

Option 1: Sign up for credit monitoring.  You may choose to do this via Equifax for free, or you may choose not to place your trust in the company that has lost control of consumer data 5 times in 5 years.  There are alternatives.  (e.g. Lifelock, Transunion, Fast3CreditScores, Experian Identity Works, Privacy Guard ) Numerous sites are available for evaluating these.

  • Pro:
    • You will receive alerts when anyone attempts to open a new credit account in your name.
    • Some of these credit monitoring companies will help you if your identity is compromised.  Choose carefully.
  • Con:
    • This is more expensive than a freeze, which costs about $15 each time you lift and re-place it (so about $15 per year, assuming you only apply for one new credit account per year).


Option 2: Contact each of the four consumer credit bureaus (Equifax, Experian, Innovis, Trans Union), and request a Credit Freeze.  This may cost up to $15 per bureau, depending on your state of residency.

  • Pro:
    • If a criminal attempts to open a credit account in your name they will be refused.
  • Con:
    • When you wish to open a new credit account you will have to do the following.
      • Ask the company from which you are requesting credit to tell you which credit bureau they use: Equifax, Experian, Innovis, or Trans Union.
      • Contact that credit bureau and release the freeze.
      • Apply for the new credit account or loan.
      • Contact that credit bureau and request the freeze again – this will likely cost an additional $15.  If you do this less than once per season then this is much less than you will likely pay for credit monitoring.  It is of course less convenient.

Conclusion

Because of the large number of identities stolen (143,000,000) this is likely the worst data breach ever.  Whether or not your personal information was breached in this incident, there are steps you can take to prevent criminals from using your identity to commit crimes.

How to Get Control of Your Accounts

As we continue to use services of different companies, we end up with more and more accounts.  Getting control of all of those accounts can be a very difficult task.  Here we mention one method and explain a second one in detail.  Both will work, but each one has strengths and weaknesses.

The list of accounts that each of us has gets out of hand very quickly.  Online banking, email account, store loyalty card, sports team registration, etc.  There are two good ways of getting the accounts under your control.  One is electronic and one is not.

The electronic method can be very useful, but it has its own risks.  In the past some password manager sites have themselves been hacked, exposing their users’ passwords.  There are a few things to keep in mind about storing your passwords electronically.  It is similar to writing your passwords on a piece of paper, with two exceptions.

First, the “piece of paper” lives in cyberspace, and it can be sent to places you never intended.  Remember, if your password manager doesn’t save the file to the cloud, then if you lose access to the device (e.g. if it’s on your phone and you lose your phone) you will not have access to any of your passwords.  If your password manager synchronizes to the “cloud” then your “piece of paper” is now copied onto multiple computers in multiple locations, and it is exposed to attackers if they break into any one of the locations where it has been copied.

Second, while the “piece of paper” is protected by encryption, that protection rests on three things: (1) the strength of your password, (2) the encryption algorithm used, and (3) the secure programming abilities of the programmers who implemented the encryption algorithm.  You can control the first, and you can select the second, but you have little control over the programming abilities of the people who implemented your program.  The best you can do there is to select a program written by an organization with a reputation for secure programming.  The easiest way to do this is to select open source programs that have been tested by the industry for many years.  My personal favorite here is PasswordSafe, but there are others.  Your best methods for protecting your passwords are to choose a good password for your password manager and to change all of your passwords every three to six months.
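The two risks above combine in one concrete attack: once a copy of the encrypted file has been stolen from a synced location, the attacker can guess master passwords offline, as fast as the key derivation allows, and the strength of your master password is all that stands in the way.  The following is an added example, not code from the page or from any real password manager; the file layout (a salt, an iteration count and a key-check value) is an assumption made for illustration, and the iteration count is kept deliberately low so the demo runs in about a second.

```python
import hashlib
import hmac
import os
import secrets

# Toy vault metadata, an assumption for illustration. Real password managers
# use different layouts, but the defence is the same idea: the file holds a
# salt, a KDF cost parameter and a key-check value, never the key itself.
KDF_ITERATIONS = 20_000  # deliberately low so the demo runs quickly


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def create_vault(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Build the metadata a thief would find in a copied vault file."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    # Key-check value: lets the legitimate client tell a wrong master password
    # from a right one without decrypting anything. It lets a thief do so too.
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(vault: dict, candidate: str) -> bool:
    """What the client does at login; also exactly what the attacker's loop does."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    expected = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(expected, vault["check"])


def offline_dictionary_attack(vault: dict, wordlist: list) -> tuple:
    """Simulate an attacker who copied the file. Returns (password or None, guesses made).

    No server is involved, so no lockout or rate limit applies; each guess
    costs one KDF run, which is why the iteration count matters.
    """
    guesses = 0
    for word in wordlist:
        guesses += 1
        if unlock(vault, word):
            return word, guesses
    return None, guesses


# Constructed wordlist standing in for the leaked-password lists attackers use.
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein",
    "Excalibur", "Password1", "summer2017", "iloveyou",
]

if __name__ == "__main__":
    weak = create_vault("letmein")
    strong = create_vault("correct-horse-battery-staple-" + secrets.token_urlsafe(8))
    print(offline_dictionary_attack(weak, COMMON_PASSWORDS))    # ('letmein', 4)
    print(offline_dictionary_attack(strong, COMMON_PASSWORDS))  # (None, 8)
```

Raising `KDF_ITERATIONS` makes every guess proportionally slower for the attacker and for you; choosing a master password that is not on any wordlist is what makes the loop never finish.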

The paper method is especially useful for people who don’t trust their phone, their computer, the cloud, or any electronic device that can break.  Unlike hacking a phone, server, or network, hacking into a person’s house must be done in person, and that makes it far more difficult (though not impossible) to do.  Securing your passwords in this manner takes some doing.  First, you must have a secure location for storing your passwords.  A notebook in your desk is usually not the best location.  Who can get access to your desk?  Do you have an alarm system and video cameras recording when you are not at your desk?  A small safe is a good first step.  You want to take every reasonable step that makes it harder for someone to quickly grab – or simply photograph – your paperwork.  A small safe (sometimes called a document safe or a gun safe) locked inside a desk drawer, or physically connected to a wall is a good start.  If you live in an apartment where you can’t drill into a wall or floor to connect the safe, you can bring in a few long pieces of wood, place them in a closet, and then connect the safe to that.  You want to make it extremely difficult for an attacker to grab your safe, drop it in a back pack and walk away.  For the first six months that you own it you should open the safe daily or at least weekly.  This will make the combination easier to remember after the six month period.

Now that you have a “safe” location let’s talk about the paper.  Whether you use a pad of paper, individual sheets, or a notebook, you want to be sure that the whole stack goes into the safe.  You do not want to write your secrets on the top page of a pad of paper, rip it off, and place it in the safe.  An attacker could use a pencil to expose your passwords from the indentations made when you wrote them down.  Now this may seem extreme, but never give any attacker a gift.  Today you may not expect anyone to be searching your home for your passwords.  Five years from now you may have different friends who bring with them their friends on a visit, and now you have people you’ve never met inside your home.  Taking extra steps ahead of time can only help you prevent problems later.

Now you have the paper and a secure location for storage.  You’ll want to start by listing all accounts that you can remember.  Ideally you want to save the location of the account (web site, cell phone, etc.) along with the username, the password, and the answers you gave to any “secret questions”.  (Remember, each secret question can be answered like a password if you want, but you must save the answers you give.)  Another piece of data that can be very useful is the date when you set the password.  This will need to be updated when you change your passwords, but it will be very helpful if you ever have a problem with the account.  If you have an opportunity to use a phone number for additional security for the account then you’ll want to note that here.  It’s a good reminder that you’ll need the phone when you connect to the account.  As you remember more accounts (sports registration, gym membership, theater tickets, store loyalty card) you’ll want to add them to the paper.  For the first run take note of all the accounts you remember, then keep the paper in the safe.  As you remember other accounts you can take note of them – just the account name – and keep that separate until you have an opportunity to sit down with the master list and add the new accounts.  That keeps your master list safe, since you don’t have it out all the time.

In summary you want a secure location, physical or cyber, and you want to keep a complete list of all accounts.  We have suggestions on how to choose passwords and how to answer secret questions, but that’s for another time.

How to Answer Secret Questions

Many accounts permit or require users to answer so-called “secret questions”.  The idea is that you can provide answers to questions so that they can verify that it’s you answering the questions.  Unfortunately for most of these questions the answers are easily obtained by an attacker.  Here we discuss how to prevent those attacks so that your “secret answers” to their “secret questions” can actually be secret.

First of all let’s recognize that the answers to most secret questions can be obtained by a good researcher.  “Where did you attend high school?”  “Where were you born?”  “What was the model of your first car?”  In order to make your answers secret you must somehow provide an answer that’s more than just the real answer.  One technique is to use a password manager and to save the questions along with a randomly generated answer.  “What is your mother’s maiden name?” might be answered “dFr%@4d“.  As long as you have a secure, private place to store the question and the answer so that you can find it when you need to authenticate, this is a secure method of solving the problem.   However, most people would prefer to answer the questions in such a way that they can remember the answers.

A simple method for this is to have a secret word. (For extra security you can have a different word for each account – but you will need to remember that word!)  For this example let’s assume that my secret word is “markers“. That’s my secret word for all of my personal accounts.  I will use that everywhere.  Therefore the answer to all of my secret questions will be prefixed with that word.  The answer to “Where did you attend high school?” changes from “Randolph High School” to “markers Randolph High School“.  The answers to “Where were you born?” and “What was the model of your first car?“, would be “markers Boston” and “markers Sentra“.  As long as I do not tell anyone my secret word then my answers are secret, and they can’t be guessed from research alone, even if an attacker knows the real answers.  The one way the word can leak is through a site that stores your answers in clear text and is then breached; that is the case in which the per-account word mentioned above pays for itself.

In review, select a secret word.  One that you do not tell anyone.  Then use that word in front of the actual answers to any secret questions.  Suddenly all of your accounts are far more secure than they were before.
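Both techniques from this section, the random answer kept in a password manager and the secret-word prefix, are shown below, together with the receiving side: what a well-run site should do with the answer it is given.  This is an added example, not code from the page or from any particular site; the storage format (salted PBKDF2 hash) and the normalisation rule (case-folded, whitespace-collapsed) are assumptions, chosen because many sites are lenient about case and spacing in answers, which is exactly why capitalisation tricks add nothing and a secret word does.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

SECRET_WORD = "markers"  # the page's example; a real one is never written where others can read it


def prefixed_answer(real_answer: str, secret_word: str = SECRET_WORD) -> str:
    """The page's method: the researchable answer with a secret word in front."""
    return f"{secret_word} {real_answer}"


def random_answer(length: int = 16) -> str:
    """The page's other method: treat the answer as a random password kept in a manager."""
    return secrets.token_urlsafe(length)


def normalise(answer: str) -> str:
    """Assumed site behaviour: ignore case and spacing so users are not locked out by typos."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str, iterations: int = 50_000) -> dict:
    """Store only a salted hash, so a database leak does not hand out the secret word."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: dict, answer: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


# Constructed researcher's dossier: the real answers, as found from public records.
RESEARCHED = {
    "Where were you born?": "Boston",
    "What was the model of your first car?": "Sentra",
}


def researcher_attack(records: dict) -> list:
    """Try each researched answer against its stored record; return the questions that fall."""
    return [q for q, rec in records.items() if verify_answer(rec, RESEARCHED[q])]


if __name__ == "__main__":
    plain = {q: store_answer(a) for q, a in RESEARCHED.items()}
    prefixed = {q: store_answer(prefixed_answer(a)) for q, a in RESEARCHED.items()}
    print(researcher_attack(plain))     # both questions fall
    print(researcher_attack(prefixed))  # []
    # Normalisation means "Markers  BOSTON" still verifies; the secrecy is in the word, not the case.
    print(verify_answer(prefixed["Where were you born?"], "Markers  BOSTON"))  # True
    print(random_answer())  # e.g. a 22-character random string to paste into the manager
```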


How to Choose Good Passwords

With our continued reliance on passwords, it is still a good idea to select good, secure, and memorable passwords.  It’s also very important to change them periodically.  We’ll cover some suggestions on selecting good passwords that naturally expire, and we’ll cover a bit about password safety.

There is no such thing as the perfect password, and there are many different ways that passwords can become compromised.  This does not mean that we should simply give up and use “Password” or “Excalibur” for all of our passwords.  It does mean that we should all choose passwords that are appropriate for the assets that they’re protecting, and we should all change our passwords periodically.

First of all, we should not have one password for everything.  If your password is compromised you do not want that to allow an attacker to gain access to every single account that you have.  A simple way to have different passwords for every account is to separate your passwords into two halves.  One half is a good password, perhaps 6 to 8 characters.  The other half is unique to the account.  For example, if your good half is “ILFit5!” and you are choosing passwords for your email and for your mobile phone online account then those two passwords might be “ILFit5!gmail” and “ILFit5!tmobile“.  Now you have two different passwords, but they are easy to remember (more about remembering that first half in a bit.)  While there might be some concern that a person who gets one password might see the pattern and use it for other accounts, this is not a risk we’re mitigating with this strategy.  What we are preventing is keyboard loggers, network sniffers, and stolen password hashes – all attacks that can be connected to automation – where the attacker wrote a program that grabs the username and the password and then tries it against as many other web sites as it can find.  In these cases there’s never any person reading the password.  It’s a program.  It just tries the same username and password all over the place.  You’ve now secured your account against these.

Now, for the “good” half of the password.  Let’s take a six-word (or more) seasonal sentence.   For this example “I like flowers in the spring.”  We’ll take the first letters which gives us “I Like Flowers In The Spring”, or ILFITS.  Now let’s change the case.  I suggest using capitalization to emphasize the words that are important.  So let’s make it “I Like Flowers in the spring”, or ILFits.  Now let’s add a number or change something to be a number.  Since the s and the number 5 have similar shapes, let’s make that a 5.  Now we have “ILFit5“.  Finally we need a special character in the password.  Let’s add an exclamation point for emphasis.  This gives us a final password of “ILFit5!“.  This is too short to be the whole password, so it will need to be followed by a unique identifier. As described above, using a different identifier per account is a good way to keep passwords different.  There are some web sites and other accounts that have very poor password requirements, and which don’t allow some special characters.  This is very frustrating, particularly for those of us in the security industry.  When you run across one of these I suggest having a different sentence.  Perhaps “Some websites don’t value my security”, or “SWdvm5“.
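The recipe from the last two paragraphs, carried through in code, together with the automated attack it is meant to stop: a credential-stuffing bot that replays a leaked username and password unchanged against other sites.  This is an added example, not code from the page; the site names, the user “alice” and the leaked credential list are constructed.  It also goes one step beyond the page: the last function is a bot whose mangling rule swaps the site name, which is the pattern-spotting the page says this scheme does not defend against, shown so the limit of the technique is visible rather than implied.

```python
import re


def good_half(sentence: str, emphasised: set, digit_swaps: dict = None, suffix_char: str = "!") -> str:
    """The page's recipe: first letters, capitalise the emphasised words, swap the
    last look-alike letter for a digit, append a special character.
    Pass suffix_char="" for sites that reject special characters."""
    digit_swaps = digit_swaps or {"s": "5"}
    letters = []
    for word in re.findall(r"[A-Za-z']+", sentence):
        first = word[0].lower()
        letters.append(first.upper() if word.lower() in emphasised else first)
    initials = "".join(letters)
    for letter, digit in digit_swaps.items():
        idx = initials.rfind(letter)  # the page swaps the trailing 's' of "spring"
        if idx != -1:
            initials = initials[:idx] + digit + initials[idx + 1:]
    return initials + suffix_char


def site_password(good: str, site: str) -> str:
    """Two-part password: memorable good half plus a per-account identifier."""
    return good + site


def credential_stuffing_bot(leaked: dict, targets: dict) -> list:
    """Automated replay: try each leaked (user, password) unchanged on every other site.
    leaked maps user -> password; targets maps site -> {user: password}."""
    hits = []
    for site, creds in targets.items():
        for user, pw in leaked.items():
            if creds.get(user) == pw:
                hits.append((site, user))
    return hits


def suffix_rewrite_attack(leaked: dict, leaked_site: str, targets: dict) -> list:
    """Beyond the page: a bot with one mangling rule, 'replace the site name'.
    This is the pattern attack the page explicitly does not claim to mitigate."""
    hits = []
    for site, creds in targets.items():
        for user, pw in leaked.items():
            if pw.endswith(leaked_site) and creds.get(user) == pw[: -len(leaked_site)] + site:
                hits.append((site, user))
    return hits


# Constructed data: alice's good half and her passwords at two other sites.
GOOD = good_half("I like flowers in the spring.", {"i", "like", "flowers"})  # "ILFit5!"
TARGETS_UNIQUE = {site: {"alice": site_password(GOOD, site)} for site in ("tmobile", "bank")}
TARGETS_REUSED = {site: {"alice": GOOD} for site in ("tmobile", "bank")}

if __name__ == "__main__":
    leaked_from_gmail = {"alice": site_password(GOOD, "gmail")}  # "ILFit5!gmail"
    print(credential_stuffing_bot(leaked_from_gmail, TARGETS_UNIQUE))   # []
    print(credential_stuffing_bot({"alice": GOOD}, TARGETS_REUSED))     # both sites fall
    print(suffix_rewrite_attack(leaked_from_gmail, "gmail", TARGETS_UNIQUE))  # both sites fall
    print(good_half("Some websites don't value my security", {"some", "websites"}, suffix_char=""))  # SWdvm5
```

The plain replay bot finds nothing when every account carries its own suffix and everything when the good half is reused on its own; the rewrite bot shows that a suffix which is simply the site name survives only as long as no attacker bothers to write that one rule.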

Passwords that are tied to the seasons automatically remind you to change them.  Each time I’m logging into my tmobile account I’m repeating the words (in my head of course) “I like flowers in the spring.”  If I’m still using that password during the summer, this password method reminds me when it’s time to change my passwords.  It’s a good idea to have a list of your accounts and their passwords either electronically or on paper, but that’s a topic for another time.

Remember.  Give your passwords two parts, and for the password part use a Six word Seasonal Sentence to remind you to change that part of the password at least four times a year.