{"id":15477,"date":"2013-06-28T12:40:02","date_gmt":"2013-06-28T19:40:02","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=15477"},"modified":"2015-03-26T16:17:36","modified_gmt":"2015-03-26T23:17:36","slug":"sabotaging-your-security-efforts","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/sabotaging-your-security-efforts\/","title":{"rendered":"Are You Sabotaging Your Own Security Efforts?"},"content":{"rendered":"

You\u2019re conscientious about security, right? You\u2019ve got anti-virus software<\/a> and a firewall; you\u2019re using encryption and strong, unique passwords with two-factor authentication set up on your accounts. High-five! Gold star! You get a cookie for good data-protection! But wait, there\u2019s more to this equation than there may appear. Could you have followed the spirit of the security advice and still be shooting yourself in the foot?<\/p>\n

On the obvious side, if you have all these security pieces in place but you never activate them, it\u2019s not going to do you much good. If you click through every warning on your firewall without ever looking at it, it\u2019s not going to be doing as much for you as you might think. If you disable real-time protection on your AV software, likewise, it\u2019s going to be quite a bit more limited in its ability to protect you. But there are less obvious ways that you could be sabotaging your security efforts.<\/p>\n

There were a couple of good articles this week discussing ways people undo their security without realizing it \u2013 specifically, using backups. The first is about how people backing their texts up to web services negate SMS for two-step authentication<\/a>. The second is how backing up iMessages to iCloud negates the protection<\/a> given by encryption. But backups are also part of a good security strategy, right? Oh man, so confusing. I know security advice can seem really conflicting sometimes. So, let\u2019s break it down and see what\u2019s up.<\/p>\n

The SMS Issue \u2013 When is 2-Factor Authentication Not Two Factors?<\/strong><\/p>\n

SMS backup is problematic, partly because two-step authentication is only a small improvement over single-step authentication, and also because it is\u00a0not quite two-factor authentication<\/a> to begin with.<\/p>\n

The idea with two-factor authentication is that the \u201cthing you have\u201d should be something separate than the thing you\u2019re accessing a resource with. Because you can access most web-services with your mobile phone as well as your computer, it\u2019s a less-secure method of authentication than using a dedicated dongle. And when you back up your SMS to your webmail, you\u2019re making it so you can access your texts on both your computer and your phone. So an SMS activation code becomes simply another \u201cthing you know,\u201d rather than a separate \u201cthing you have.\u201d One factor. Whoops.<\/p>\n

The iMessage Issue \u2013 When Are Our Messages Encrypted?<\/strong><\/p>\n

The iMessages issue butts up against the limitations of encryption<\/a>. Encryption is meant to protect data only when it\u2019s not being used. That is to say, when the data is in transit or when nothing (and no one) is accessing that data. But the problem is, by allowing backups of your messages, you\u2019re creating more access to that data. If you forget your password, Apple has to give you a way to retrieve it, which opens up ways for other people to retrieve it too.<\/p>\n

The ArsTechnica article also brought up another issue with regards to encryption, which is something we talked about other day<\/a> too. There can be considerable clues to what you\u2019re up to in the metadata<\/a>. Metaphorically speaking, while having an encrypted file called \u201cAll my illegal activities\u201d may not be admissible as evidence in a trial against you, it\u2019s certainly going to put you under much more strenuous scrutiny whether or not it\u2019s warranted.<\/p>\n

So, What Does That All Mean?<\/strong><\/p>\n

Well, for better or worse, it means you need to think about the consequences of your actions in security as in life. There\u2019s always a tradeoff between convenience and security. The more accessible your data is, the more difficult it is to protect it.<\/p>\n

Backing your data up in the cloud is less secure than backing it up on a hard drive that you keep locked in a safe, where only you have the key. It\u2019s simply safer if you are the only person with access to the device that holds your data. If there\u2019s a bunch of people at a company that is contractually obligated to make sure you can access your data however you\u2019d like, that\u2019s less safe. Not necessarily unsafe, mind you, but less safe. And every time someone backs up their data to a web service that has minimal protection in a way that negates other security measures, somewhere there\u2019s an attacker wringing their hands with glee and a security wonk that\u2019s quietly weeping.<\/p>\n

Further Reading:<\/strong><\/p>\n