Bush family email hacked: Here's a security refresher
Thanks to an anonymous hacker self-identified as Guccifer, we now know that former President George W. Bush likes to paint self-portraits in the bath.
That's one of the tidbits revealed when at least six email accounts belonging to Bush family members and friends close to the family were hacked and their contents shared online. The high profile hack underscores, once again, the importance of a strong password when it comes to your email account—whether you are the former President of the United States or an average Jane or Joe Gmail user.
The email messages from the family of George H.W. Bush and close friends span 2009 to 2012, and include private family discussions along with family photos, according to The Smoking Gun.
Other than the shower paintings, the photos posted online are pretty generic. One shows former presidents George H.W. Bush and Bill Clinton posing with a younger member of the Bush clan, possibly Pierce Bush (no stranger to online over exposure himself). Others include photos of Jeb Bush, George W. Bush, and Laura and Barbara Bush.
The Bush family intrusion is the focus of a criminal investigation, a Bush family spokesperson told The Houston Chronicle. Hacking public figures has become a routine occurrence in recent years, with email, personal photos, cell phones, and social networking accounts all under fire. The Bush family joins a roster of hacked politicians that includes former Alaska governor and vice presidential candidate Sarah Palin and Sen. Chuck Grassley. Beyond politicians, the volume of celebrity hacks inspire countless online slideshows, including leaked photos of Miley Cyrus, Olivia Munn, and Scarlett Johansson.
But not only public officials and celebrities get hacked. Sometimes people become a target just because of their Twitter handle, political activities, or for no apparent reason at all. Over the last few days, for example, I’ve been seeing a warning at the top of my Gmail window to let me know state-sponsored attackers might be trying to compromise my account.
So what can you do to prevent attackers from breaking in and flooding the Internet with your personal snapshots, documents, and email? Here's a refresher on security practices.
Try to choose a password that is lengthy (a minimum of ten characters should do the trick) and includes numbers, letters, and special symbols (if allowed). Many password managers such as 1Password, KeePass, and LastPass can generate and remember passwords for you. This makes it much easier to manage multiple online accounts, each with unique and hard-to-remember passwords. For more about passwords, check out these PCWorld tips.
You should never use the same password across multiple accounts, and that piece of advice goes double for sensitive accounts. That would cover anything that involves your money or your online identity, including banks or PayPal; sites that save your credit card information such as Amazon, e-mail accounts, Facebook, and Twitter; or any other social networks where you use your real name.
If you have any online accounts that can be secured with two-factor authentication, use it. This adds an extra layer of protection, making it harder for hackers to break in. The basic premise of two-factor authentication is that accessing a protected account requires two things: Something you know (your password) and something you have (an authentication token).
Many authentication tokens can be generated by smartphone applications, such as Google Authenticator. These apps provide time sensitive codes that you have to enter after your enter your password. Examples of services that support two-factor authentication include Battle.net, Dropbox, Google, and LastPass.
One popular point of attack is to use a Webmail service’s account recovery option. Hackers try to break into a primary email account by taking over a secondary account. If you were using email@example.com, for example, hackers might click the “forgot password” link and figure out that your back-up address is firstname.lastname@example.org. Many people forget to keep their recovery account up to date, allowing hackers to restart a forgotten email address, and have an account recovery email sent to it. Then, before you know it, you’re locked out of your Gmail account. Google and other Webmail providers periodically show you reminders to make sure your account recovery options are up to date--don’t ignore these warnings.
Don’t daisy chain
When it comes to sensitive accounts, ones that manage your money or your online identity, don’t use the same recovery email account for all of them. If your single recovery email address falls, that can snowball into a hack that reaches across your entire online life. For more information on how this can quickly turn into a nightmare see Honan, Mat.
Now for the bad news
Those are some of the best practices you can handle to make sure your data stays safe. But some weaknesses are beyond your control. For example, the bad guys could trick customer tech support into resetting your passwords, or use some other social engineering hacks involving third parties.
Ultimately, there’s only so much you can do to deter hackers. But the harder you make it to hack your online life through proper password management, two-factor authentication, and account recovery practices, the less likely you are to become a victim of malicious actors online.