Battle Protocols at the Gates (A Word on Login Forms)

When terrains get more and more unsafe, security checks will of necessity be multiplied. As I drive around certain regions in Sub-Saharan Africa, I encounter military checkpoints almost every 3 miles. There are dos and don’ts at these checkpoints that guarantee the security of whoever seeks passage. As cyberwarfare gets more intense, such checkpoints are also being multiplied, and thankfully so. If you’ve had to do anything of medium to high importance online today, you must have passed through one or two of these checkpoints; they are called login forms. Like physical gates, the most basic function of login forms is to keep the bad guys out and let the good guys in (just as we saw with passwords), and there are certain protocols that will improve your security as you seek to gain access at these gates.

A Day in the Life of a Surfer

Monday morning, just after coffee.

You need to get some transactions done—send some money to your mom, pay some bills and wire some funds to your suppliers—so you go online and “drive” up to your bank. As you approach the bank you find the gates locked, and that’s a good thing; it would be unsafe to have it otherwise. So you’re greeted by a login form asking you to identify yourself. You pull out your ID and password (hopefully the classified ID, as we saw in a previous chapter), then they ask you what year your grandmother died and you tell them, and within seconds you’re in and attending to the things you came to do.

Next, you need to check on a few friends who live on Facebook, so you drive up there to say hi and again you’re greeted by locked gates. You enter your ID and password (hopefully not the same ID you used at the bank), but you consider a few things—you visit here quite often and wouldn’t want to keep doing this each time you come, so you tell the guys at the gates to keep them open and not bother asking questions whenever you come visiting in the future with this particular vehicle (aka your device); you do this by clicking on “Keep me signed in” as you proceed to see your friends.

When you’re done, you decide to go to the bookstore and get yourself some copies of that good book on equipping every employee for cyberwarfare, so you drive up to Amazon and, as expected, the gates are locked and your ID and password are needed. With all the cyberwars going on, you’re already used to these checkpoints. You again supply your ID and password and are granted access. But as soon as you drive in, your browser throws up something interesting—“Save username and password for this site.” That sounds like a stress saver, so you click Save.

Finally you decide to go to school and turn in your overdue assignments, so you drive up to Coursera, and yet again you are greeted by locked gates. But then you see this little button that says “Sign in with Gmail”. Looks like this will save you a lot of stress typing in your email and password, so you click on it and voilà! You’re in. You submit your assignments and you’re done for the day, it’s time to go back home.

Now let’s evaluate everything that happened at each gate.

At the bank

We don’t see any additional information being requested apart from your ID, password and the answer to a security question. That is all you used to gain access. You have your life’s savings in there, and you feel that just an email and a password plus the year your grandma died is good enough to keep the bad guys out and let you in? The protocol at such gates should have an extra layer of security; you should enable what is called Multifactor Authentication (MFA), either by having a one-time password sent to your phone or by generating it from a virtual or hardware token. In times of war, the eyes of rebel groups are where the money is, and you can be sure they are hitting harder on those gates than on any other.

At Facebook

By checking the “Keep me signed in” box, you told the guys at the gates to always let you in and never ask questions whenever you come around with that particular car (in this case the particular device you are surfing with). Now the danger in doing that is this: what happens when you hand over your car to someone else and she decides to drive to Facebook? Or what if a friend (or foe) finds your car keys and drives up to Facebook with it? If, for any reason, someone else is on your computer, the guys at the gates will see the car coming from afar, smile like happy storekeepers and let him in without asking questions, just as they have been instructed, and the intruder will have full access to act as you on that platform.

At Amazon

You told your browser to save your username and password. What you actually did was instruct the guys at the gate to keep a copy of it for future use. The implication of this is that if anyone else uses that browser to visit that site on that device, the guys at the gates will bring out a copy of your credentials and say, “Here, we already have what you need to get in.” That’s what happens when you visit a site and your email and password are already filled out on the form, just waiting for you to hit Enter. Not only will the intruder have full access to your account, she could also click the “Show Password” button at the gates if it’s available and then copy it out for future access on other browsers and devices.

At Coursera

You clicked on the button that said “Sign in with Gmail”. That is called Federated Identity, and it really takes away the stress of reaching down for your ID and password to gain access. But by using that button, what you are saying to the guys at the gates is, “Hey, the folks at Google know me, you can check with them and they’ll confirm.” So the guys at the gates check with the folks at Google and the folks at Google say, “Yes, yes, we know him, we trust him.” Then they come back to you at the gates and say, “Boy! You sure are something! If they trust you at Google, then we trust you too. Go on in and enjoy your stay.” While this might not be altogether bad in itself, the issue is that every time you do this, you are widening the circle of trust. So when you keep clicking this button at different gates in different places, the circle of trust keeps getting wider and wider. However, in time of war, trust is a luxury you should be slow to share. No one needs a wide circle of trust at war; it only increases the odds of betrayal. Different platforms have various levels of compliance with federated identity security standards, and your circle of trust is only as strong as the weakest link in that circle; once that weak link is broken, there is no telling the extent of the collateral damage.

At Every Place You Visited

Finally, did you notice one common omission at all the places you visited? You didn’t log out from any of them; you left the gates wide open and drove away! Who in the world does that? Well, over half the world does that. Not locking your gates behind you in war-torn cyberspace is certainly dangerous practice, and you wouldn’t want to expose yourself by such an act of neglect.
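To make the “Keep me signed in” gate and the missing logout concrete, here is a small Python model, added here as an illustration and not part of the original post. It is a toy, not any real site’s code: the server keeps a session store, the browser keeps a cookie jar, and the time-to-live values (30 minutes for a plain sign-in, 30 days for “Keep me signed in”) are assumptions chosen for the example. It shows two things the analogy describes: a persistent cookie survives closing the browser, so anyone with that device walks straight through the gate; and even a plain session stays valid on the server after the browser is closed until it expires or you log out, so only a logout actually locks the gate behind you.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 30 * 60             # assumed: plain sign-in lasts 30 minutes
REMEMBER_ME_TTL = 30 * 24 * 3600  # assumed: "Keep me signed in" lasts 30 days


@dataclass
class Session:
    user: str
    expires_at: float
    persistent: bool


class SessionStore:
    """Server side: the guys at the gate remembering who is inside."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, remember_me=False, now=None):
        now = time.time() if now is None else now
        ttl = REMEMBER_ME_TTL if remember_me else SESSION_TTL
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user, now + ttl, remember_me)
        return token

    def whoami(self, token, now=None):
        """Return the user behind a token, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]  # expired: drop it on first sight
            return None
        return session.user

    def logout(self, token):
        """Server-side logout: the token is dead even if a copy exists elsewhere."""
        return self._sessions.pop(token, None) is not None


class Browser:
    """Client side: a cookie jar. Session cookies die when the browser closes;
    persistent cookies (the "Keep me signed in" case) survive."""

    def __init__(self):
        self._cookies = {}  # site -> (token, persistent)

    def store(self, site, token, persistent):
        self._cookies[site] = (token, persistent)

    def token_for(self, site):
        entry = self._cookies.get(site)
        return entry[0] if entry else None

    def close(self):
        self._cookies = {s: c for s, c in self._cookies.items() if c[1]}


def walkthrough(now=1_700_000_000.0):
    """Replay the day described in the post and report what each gate does."""
    server = SessionStore()
    browser = Browser()

    # Bank: plain sign-in, then the browser is closed without logging out.
    bank_token = server.login("alice", remember_me=False, now=now)
    browser.store("bank", bank_token, persistent=False)

    # Facebook: "Keep me signed in" sets a persistent cookie.
    fb_token = server.login("alice", remember_me=True, now=now)
    browser.store("facebook", fb_token, persistent=True)

    browser.close()  # driving away without touching the logout button

    results = {
        # The bank cookie is gone from this browser...
        "bank_cookie_survives_close": browser.token_for("bank") is not None,
        # ...but the server still honours the token for the rest of its TTL.
        "bank_token_valid_after_close": server.whoami(bank_token, now=now + 60) == "alice",
        # The Facebook cookie is still in the jar: next user of the device is "alice".
        "fb_cookie_survives_close": browser.token_for("facebook") is not None,
        "fb_valid_a_week_later": server.whoami(fb_token, now=now + 7 * 86400) == "alice",
    }

    # A real logout kills the server-side session immediately.
    server.logout(fb_token)
    results["fb_valid_after_logout"] = server.whoami(fb_token, now=now) == "alice"

    # Without logout, the bank gate only closes when the TTL runs out.
    results["bank_valid_after_ttl"] = (
        server.whoami(bank_token, now=now + SESSION_TTL + 1) == "alice"
    )
    return results


if __name__ == "__main__":
    for check, value in walkthrough().items():
        print(f"{check}: {value}")
```

The point the numbers make: `bank_token_valid_after_close` is true, so closing the browser is not a logout, and `fb_cookie_survives_close` is true, so the “Keep me signed in” token rides along with the device to whoever drives it next.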

Now let’s wrap this up. There are battle protocols at the gates that you must be aware of as one who is unavoidably and inescapably involved in the ongoing war in cyberspace. Compliance with these protocols will make you more effective at dealing with the enemies at the gates who are trying to force their way in right after you. Apply these principles and your defence will be heightened. Let’s take our orders.


Marching Orders

  1. Wherever possible, enable multifactor authentication at sign-in, especially for highly sensitive platforms like banking portals.
  2. Avoid checking the box on the login form that keeps you signed in on platforms; it might not be convenient to keep signing in each time you come, but convenience is not what we seek at war.
  3. As much as possible, do not store passwords and login credentials in your browser; always decline popups that come up right after you log in with such suggestions.
  4. Keep the circle of trust as small as possible; don’t use the “Sign-in with [any 3rd party]” button indiscriminately.
  5. Whenever you’re done, logout; don’t just close the browser—LOGOUT. Any login without a corresponding logout is a risk factor.
  6. Change your passwords from time to time, especially on your two or three most sensitive platforms. For ease of management you can use the password generating framework we discussed in the post on passwords, and change your password every 30 days by adding the name of the month to the new password. So your Instagram password, for instance, in January will be something like this: A2A4ixmargatsni+JAN

February: A2A4ixmargatsni+FEB

March: A2A4ixmargatsni+MAR and so on.

Do this only for your most sensitive platforms, lest it become too cumbersome to manage. Finally, as always, sound the battle cry to those around you—“You stand or fall by what you do or fail to do at the gates.”
