November 9, 2017
The ‘Olivia’ Experiment Wrap-Up: A Personal Security Crash Diet

Wow, it’s November 9 already, and I still have all my National Cyber Security Awareness Month (NCSAM) decorations up! I really need to take care of those. But, before I go and take down all my 2FA authentication token lawn decorations, I figured it’d be a good time to chat it up with “Olivia” and see how her NCSAM crash diet went.

For those who haven’t been following along, “Olivia” has been testing all the security advice that is commonly espoused, regardless if it’s followed or not. She has covered everything from Maintenance to Social Sharing & Travel to Privacy & Backups to IoT right here on VentureFizz to get a better idea of security best practices, common threats in the wild, and what needs to be done to protect the everyday person.

So, to wrap things up, I sat down with “Olivia” to get her thoughts on the process and hear some of her key takeaways.

Tod: So, what’s the one task you performed that benefited you the most?

Olivia: I’d say that pretty much all of Part One was laying the groundwork for the rest of the diets. The topics and tasks covered in there are the building blocks of pretty much everything in the following weeks—Wi-Fi awareness, passwords, updates, and backups. For example, it’s hard to talk about travel security without first talking about password maintenance.

That said, going through the backup and restore of my iPhone was 1000% the thing I dreaded the most, put off for three weeks, and (begrudgingly) the thing that I got the most value from. I used to be a security savvy person’s literal nightmare with my backup hygiene—triple digit days since my last backup, just living on a wing and a prayer. Luckily, I came to my senses, and now that I’ve actually gone through a backup and restore process, I feel much better about things. I now agree that this intimidating step is important for security AND for anticipating non-security disasters, like when phone-meets-water-and-rice just isn’t enough to revive it—but also to know the extent of information, settings, and passwords that your back-ups cover.

Tod: Aside from the fear, uncertainty, and doubt of testing your backups, what was the worst part of the month for you?

Olivia: Cleansing my email was/is a pretty massive chore: I still haven’t finished pruning down all of my email subscriptions, let alone dealing with deleting old emails. Not exaggerating, there are thousands and thousands and THOUSANDS in there. Getting a handle on those mailing lists is a big, dull task—but I guess it’s more like a real diet in that you’ve gotta chip away at it in realistic portions. Slow and steady?

Tod: What did you learn that was particularly surprising or enlightening?

Olivia: I got a lot out of the app privacy and permissions management in Part Three; it’s kind of fun and borderline creepy to know what apps have access to my microphone, location, and photos. I’d definitely recommend just touring through all the permissions that your phone manages, even if you don’t change anything, because some of the apps that had access to things they didn’t really need were surprising. Also, I never really considered the implications of the difference between camera access and photo access, and I learned that photo access is also kinda, sorta location access.

As far as surprising, I was taken aback in Part Four by the lack of security information that’s readily available when it comes to IoT security. It seems weird that a device’s features page and marketing would brag about how there are seven microphones and that it’s listening all the time… but not a word about what happens with all that data – is it stored on the device (and for how long), is it copied out of the cloud, is the storage secure, is the transmission secure, who gets access to all that info about me… all that. I had pretty low expectations going into it but was shocked at just how bad it was.

Tod: Yeah, you pretty much have to be a superhero to figure out just what most IoT is actually up to under the hood. Pretty crazy.

Olivia: Speaking of “under the hood,” I’m still pretty proud of my own tech savviness when it came to inspecting my Wi-Fi router settings in Part One. I’m pretty psyched at how easy that was, and it’s well within reason for the average person to do. I wouldn’t go as far as saying it’s a fun party trick… but my roommates were pretty impressed.

Tod: Nice! So, after this whole experience, what’s the one thing you would recommend to your friends and family to up their security game?

Olivia: Hmm… I’d say after putting these diets through their paces, there’s definitely a reason that password maintenance and NOT REPEATING PASSWORDS is at the top of most security tip lists. I mentioned how all the maintenance steps are interconnected earlier, so if you think of how one password/login leads to another, that’s the way that an attacker could move around collecting your info given the chance. And no, using the same bad password for only the “unimportant” accounts doesn’t fly – every account has a surprising amount of info, and if it leads to another, and another, that adds up quickly and it’s only a matter of time before it becomes important.

Tod: Welcome to your new life as the designated holiday-time troubleshooter. :)

Tod Beardsley is the Research Director at Rapid7.