A Postmortem on a Hacked MetroAir: Part Three

We covered a lot about the how, what, when and where of how MetroAir got attacked. In this final post of the series I wanted to shift the discussion a little. While our software wasn’t running the most current version and our backup policies weren’t what they once were, the true cause of the hack was that an attacker was able to crack one executive’s password for the forums.

We all hear how important security is, and deep down we know what we should be doing, but do we do it? You may think: why do I need a complicated password for my forum account? What can a hacker really do by logging into the forum? Well, unfortunately for us, we saw what happened. As an Administrator on the forums, great power comes with great responsibility (and great unfettered access to the guts of the system). So you’re a pilot. You can’t change the themes on the forums or mess around with access for others, so maybe you are wondering why password security on the VA website matters to you. I guess the answer to that question depends on how much you care about MetroAir. If a hacker gains unauthorized access to our forums and begins posting content under your account that is objectionable and in violation of the rules, it’s very possible that you will be terminated and banned from the airline. While we will often allow rehires for someone terminated simply due to inactivity (even though we may ask you to prove your commitment), terminations due to behavior or failure to abide by some of our most core policies will keep you out, and it may take a long time before you are allowed back. Can we prove that it wasn’t you? Maybe. It depends on how good the hacker was. Ultimately, though, you are responsible for your accounts. It’s your job to safeguard those authentication details and make sure they aren’t shared with anyone else. Or, to say it in much more direct terms, it’s your butt that is in the hot seat.

Despite how much we all care about this VA, there are far more secret details about your personal identity flying across the internet these days, from financial information to medical details. If you don’t want your neighbor to know how much money you make or why you got that suspicious blood test at the doctor’s office last week, you should care just as much about making sure some unscrupulous individual trolling the internet doesn’t get that information either.

Are you motivated yet to start improving your security practices? You SHOULD be!

Antivirus
First, make sure you are running an antivirus program. Viruses and trojans are hidden much more cleverly now. With websites becoming much more media intensive and running other applications like Java in the background, simply visiting a website with plugins enabled can infect your machine. Trust the websites you visit, but more importantly, make sure you’ve got some protection. It isn’t just websites that can infect you: downloads, files transferred from a USB drive (which I recently heard a speaker at a tech conference equate to sharing needles) and e-mail attachments can too.

Second, use unique passwords for different websites. Don’t use the same password of “IROCK” on every website you visit. If someone is able to figure out that you’re not rocking out so much when you create passwords, suddenly your identity has been stolen and someone has access to your finances, your most personal data, and all of the pictures you ever uploaded to Facebook. And let’s be honest, if you don’t want your mother seeing that picture of you when you were so drunk you fell into the street and probably should have used the restroom before leaving the bar, you probably don’t need the world seeing those photos either.

Unique passwords that have no significance can be hard to keep track of. Unique passwords on post-it notes all over your monitor aren’t very secure either. There are a number of password managers out there now that can help you create a password and associate it with a certain username and website. I won’t get into an argument over which one is best. I use two, one for personal usage and one that is shared with colleagues for business: LastPass and KeePass. There are a few more out there, and they are a simple Google search away. If you’re worried that it will complicate things for you, put that fear away. I think it actually makes things easier with features like autofill and autologin; you won’t even need to think about authenticating to a website again.

The last thing to touch upon in this post is two-factor authentication. A lot of websites are starting to introduce two-factor authentication. The simplest way to explain it is that it combines something you know with something you have to protect your accounts. Something you know is your password. Something you have is your phone (or something else on your person, like a code generator or a piece of paper with pre-generated codes). If you use GMail, go into your settings and enable it. Hint hint to MetroAir staff 🙂 Recently Apple introduced two-factor authentication for iTunes accounts. Even the MetroAir blog now has an option for two-factor authentication. It’s certainly something you should be investigating if given the option.
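As an added example (not code from the MetroAir post or any of the services named above), here is a minimal RFC 6238 TOTP code generator and the matching server-side check in Python: the shared secret is the “something you have” enrolled on your phone, the code changes every 30 seconds, and the verifier tolerates a small clock-skew window. The function names and the sample times are my own; the time-59 value is taken from the RFC’s published test vectors.

```python
# Added example: how a two-factor "code generator" (RFC 6238 TOTP) produces
# and verifies codes. Standard library only; secret and timestamps are constructed.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6   # length of the one-time code shown to the user
STEP = 30    # seconds each code stays valid (the common default)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else at
    return hotp(key, t // step)


def verify(key: bytes, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps to absorb
    clock skew, comparing in constant time so timing does not leak matched digits."""
    t = int(time.time()) if at is None else at
    counter = t // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


def new_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret "12345678901234567890" at Unix time 59 -> "287082"
    rfc_key = b"12345678901234567890"
    print(totp(rfc_key, at=59))
    print(verify(rfc_key, "287082", at=59 + 30))  # one step late: inside the window, accepted
    print(verify(rfc_key, "287082", at=59 + 90))  # three steps late: outside the window, rejected
```

The window is why a code typed a few seconds after it rolled over still works, and also why the server should remember the last accepted counter so a captured code cannot be replayed within that window.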

In closing, we hope that the attacks on our beloved VA in the middle of April have really brought security to the forefront for all of you, and have you questioning your security practices and paying just a little more attention to your online transactions. Don’t get too lax, because we know that you really do rock!