Data Breach Alert In Mozilla Firefox

Mozilla is looking at how it can alert users of a data breach when visiting a site that has been breached:

Firefox operator Mozilla is looking at adding a feature into the browser that would alert users if their credentials have been involved in a data breach, by integrating with Troy Hunt’s haveibeenpwned.com breach database.

Its functionality at the moment – the tool is currently being prototyped – involves a notification bar that appears to users when they visit a site registered in haveibeenpwned.com as having been breached.

Nice move. Not what I had in mind yesterday, but a good step in the right direction.

Data Breaches

We are at a time in history when data breaches are becoming more prevalent and more frequent. Equifax was compromised for 143 million people. Uber has been in the news this week for hiding knowledge of a data breach of 57 million customers for over a year (the rotters; if only the fines in GDPR were based on market value not annual revenue), and of course the 500-million-odd-user Yahoo breach (added to the earlier one billion user data breach). It is probably fair to say that if you alone know your personal and sensitive information, you are now in the minority. Someone will have access to personally identifiable data on you.

There are some things we the people can do. Use a different user name and password for each of the services we access, thereby limiting the impact of an account compromise at one service on the others. Although that’s pretty hard to do in practice, especially if we are supposed to change our passwords or pass phrases for every service every month. With the increasing number of services we all access, that’s not a very realistic expectation.

We could delegate the task of remembering passwords to a password manager, and we should, but if these get compromised (ahem, LastPass), we are back at square one. And even with a password manager, changing passwords is still a manual process that can’t be done automagically on schedule for all consumed services by the password manager. The user with 100 services would still have to go through and manually update all services monthly. It’s not going to happen.

We could use two-factor authentication, and we should, but it’s a bit binary in its approach: always ask before allowing access, or trust this browser, computer, device, or session. If the same person uses the same device to access the same services from the same location, there are probably few red alert signals. But if those factors diverge, there could be weird anomalies that need an additional layer of checking.

In the enterprise IT security space there are intelligent security tools that look for anomalous usage of enterprise login credentials, assessing various threat factors to decide if additional access and authentication information should be requested before allowing access to requested services. For example, if the user is logged in via a device in one country, and a second login is requested by a device in another country, that is a signal that something could be amiss, and therefore a higher level of access checking is enforced. Likewise for login attempts at weird times of the day or night. Or from weird devices. Each login attempt is risk-assessed before approval or denial (with the appropriate alerts to the powers that be for denied attempts).
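As an added illustration (not part of the original post, and not any vendor's product logic), here is a small Python model of the risk-based login assessment just described. Each attempt is scored against the user's previous accepted login for a new country, an unknown device, off-hours timing and impossible travel, and the score decides whether to allow the login, demand a second factor, or deny it and raise an alert. The weights, thresholds, the 1000 km/h travel limit and the login events are all constructed assumptions, chosen so the example is readable rather than tuned to any real telemetry.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical weights and thresholds; a real deployment tunes these from its own telemetry.
WEIGHT_NEW_COUNTRY = 30
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_IMPOSSIBLE_TRAVEL = 50
WEIGHT_OFF_HOURS = 15
STEP_UP_THRESHOLD = 40    # at or above this, ask for a second factor
DENY_THRESHOLD = 80       # at or above this, refuse the attempt and alert
MAX_PLAUSIBLE_KMH = 1000  # roughly airliner speed; faster than this is "impossible travel"
OFF_HOURS = range(0, 6)   # 00:00-05:59 in the timestamp's own zone counts as off-hours


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime        # timezone-aware
    country: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def score_login(current: LoginEvent, previous: LoginEvent | None,
                known_devices: set[str]) -> tuple[int, list[str]]:
    """Return (risk score, triggered signals) for one attempt, relative to the last accepted login."""
    score, signals = 0, []
    if current.device_id not in known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        signals.append("unknown_device")
    if current.when.hour in OFF_HOURS:
        score += WEIGHT_OFF_HOURS
        signals.append("off_hours")
    if previous is not None:
        if current.country != previous.country:
            score += WEIGHT_NEW_COUNTRY
            signals.append("new_country")
        hours = (current.when - previous.when).total_seconds() / 3600
        km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        # Ignore small moves (geolocation jitter); any real distance in zero time is impossible.
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += WEIGHT_IMPOSSIBLE_TRAVEL
            signals.append("impossible_travel")
    return score, signals


def decide(score: int) -> str:
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate_history(events: list[LoginEvent], known_devices: set[str]) -> list[tuple[str, int, list[str]]]:
    """Walk a user's login history in order, scoring each attempt against the last accepted one.

    For this example a step-up is assumed to succeed, so it updates the baseline;
    a denied attempt never becomes the baseline for the next comparison.
    """
    results, previous = [], None
    for ev in events:
        score, signals = score_login(ev, previous, known_devices)
        decision = decide(score)
        results.append((decision, score, signals))
        if decision != "deny":
            previous = ev
    return results


# Constructed sample history (not real telemetry): two normal London logins on a known laptop,
# then a "New York" login one hour later, then a New York login the next day from a new phone.
UTC = timezone.utc
SAMPLE_DEVICES = {"laptop-1"}
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2017, 11, 22, 9, 0, tzinfo=UTC), "GB", 51.5074, -0.1278, "laptop-1"),
    LoginEvent("alice", datetime(2017, 11, 22, 10, 0, tzinfo=UTC), "GB", 51.5074, -0.1278, "laptop-1"),
    LoginEvent("alice", datetime(2017, 11, 22, 11, 0, tzinfo=UTC), "US", 40.7128, -74.0060, "laptop-1"),
    LoginEvent("alice", datetime(2017, 11, 23, 14, 0, tzinfo=UTC), "US", 40.7128, -74.0060, "phone-x"),
]

if __name__ == "__main__":
    for ev, (decision, score, signals) in zip(SAMPLE_EVENTS, evaluate_history(SAMPLE_EVENTS, SAMPLE_DEVICES)):
        print(f"{ev.when.isoformat()} {ev.country} {ev.device_id:10} -> {decision:8} score={score:3} {signals}")
```

The third attempt is refused because London to New York in one hour is impossible travel on top of a country change; the fourth, a day later from an unrecognised phone, lands in the step-up band, which is where a second factor earns its keep without bothering the user on every routine login.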

I wonder if those enterprise-oriented tools could be used at cloud scale – or at Internet scale – to pay attention to any use of personal and sensitive personal information?

Or what about this idea: what the credit card companies can do with artificial intelligence for identifying fraudulent transactions for credit cards, we the people could use for identifying fraudulent use of compromised personal data or account credentials?

Disaster Recovery – Personal Planning

A friend had his laptop stolen last week, and he is now scrambling to recover his work (data and documents) and get back to work. It prompted me to get out my disaster recovery plan and review how I would recover from device loss, theft, or a ransomware attack.

While the loss of a device would be an annoying interruption and cost money to replace, my approach is to ensure that my data is easily accessible to me again, and that I can simply get up and running with a new device. Something like: plug in, connect to key services, and begin working again.

Three core principles:

1. No data exists solely on any one device. All devices should only ever be an access point to the data I’m working with, meaning that the data is stored in a central location and accessible from any device I choose to use. With the range of cloud services we have available for a low cost – Dropbox, Box, OneDrive, iCloud Drive and similar – this is easy to set up and use. Data is stored locally on a device in a designated folder, but synchronised automagically to whatever cloud storage service I use.

2. Data is backed up continuously in my office. A password-protected backup drive is connected to my laptop, and takes snapshots of the whole device throughout the day. If necessary, I can recover from a lost or compromised device by connecting a new device to the backup drive.

3. An emergency rescue kit is available somewhere. In order to get back to work as quickly as possible, create an emergency rescue kit with a written plan of recovery and a list of key services and passwords (in full or in code). You could carry this around on an encrypted thumb drive (don’t forget that password), or put it in a separate cloud service in an encrypted form (don’t forget that password).

And one additional principle that I’m considering:

4. Data is backed up continuously away from the office. Use a cloud service to create regular backups of key devices, thereby creating a second level of backup that’s not located in the same office. While principle 1 above deals with core data and documents, principle 4 creates a backup of everything on the device.
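Principles 1 and 2 only hold if the copy in the cloud folder or on the backup drive really matches what is on the laptop, so a recovery plan should include a check. The Python script below is an added example (not from the original post) of that check: it hashes every file under the working folder and under the backup location and reports which files are missing from the backup and which are stale. The folders and their contents are constructed in a temporary directory so the script runs anywhere; in real use you would point `verify_backup` at your own synced folder and the mounted backup.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX-style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def verify_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare the working folder against its backup, file by file.

    Hash comparison rather than timestamps: a sync client or a restore can rewrite
    modification times, but it cannot make different bytes hash the same.
    """
    src, bak = snapshot(source), snapshot(backup)
    return {
        "missing": sorted(k for k in src if k not in bak),
        "mismatched": sorted(k for k in src if k in bak and src[k] != bak[k]),
        "ok": sorted(k for k in src if k in bak and src[k] == bak[k]),
    }


def build_demo() -> tuple[Path, Path]:
    """Construct a tiny working folder and a slightly stale backup of it (sample data, not real files)."""
    base = Path(tempfile.mkdtemp(prefix="dr-demo-"))
    src, bak = base / "work", base / "backup"
    (src / "projects").mkdir(parents=True)
    (bak / "projects").mkdir(parents=True)
    (src / "notes.txt").write_text("meeting notes v2\n")
    (src / "projects" / "plan.md").write_text("# recovery plan\n")
    (src / "new-file.txt").write_text("only on the laptop so far\n")
    (bak / "notes.txt").write_text("meeting notes v1\n")          # stale copy in the backup
    (bak / "projects" / "plan.md").write_text("# recovery plan\n")  # identical copy
    return src, bak


def run_demo() -> dict[str, list[str]]:
    src, bak = build_demo()
    return verify_backup(src, bak)


if __name__ == "__main__":
    report = run_demo()
    for status, files in report.items():
        print(f"{status:10} {len(files):3}  {', '.join(files) or '-'}")
```

Run it on a schedule against the backup drive from principle 2: a growing "missing" or "mismatched" list is the early warning that the backup has silently stopped, which you want to learn on a quiet Tuesday rather than the day after the laptop goes missing.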

In combination, this means:
– laptop stolen while away from office – recover through 1, 3 or 4
– office compromised, laptop stolen – recover through 1, 2, 3 or 4
– office compromised, laptop and backup drive stolen – recover through 1, 3 or 4
– cloud service compromised – recover through 2, 3 or 4
– laptop stolen, backup drive fails, cloud services fail, online backup fails – oh well, let’s start again with a smile

I hope I don’t have to put this plan into action, but it’s there just in case.

What have I missed? (I haven’t talked about strong passwords, benefits of passphrases vs. passwords for services that support that, two-factor authentication, etc.)

What’s your plan of action?