Yesterday, the Wall Street Journal had an entire section devoted to Information Security. With that in mind, I thought I’d reprint my own post from last October containing some helpful hints in that regard:
How do you ensure that the images you take on your cell phone, or any information you enter on that phone or your computer (everything from your texts and e-mails to your vacation plans, your financial information, your sources if you are a journalist, or your briefs if you are a lawyer), stays private?
Which brings us to you and me. On August 6th of this year, Molly Wood, the technology columnist for the New York Times, reported that hundreds of millions of email addresses and other types of personal identification had been found in the hands of Russian hackers. She wrote that you should assume your personal information has been stolen, and recommended that you change your password for sites that contain sensitive information like financial or credit card data.
Here lies the conundrum. If you log in to a typical site that holds financial or credit card data, that site will usually pose a series of security questions such as “Where did you go on your honeymoon?,” “What is the name of your dog?,” “What was the first car that you owned?,” “In what hospital were you born?,” “What was the name of your elementary school?” or “What city would you like to visit?” Now go to your Facebook profile or page. There you will likely find the name of your hometown, pictures of your dog and maybe your vacation photos. Now, let’s recall how Jennifer Lawrence’s photos were obtained: through a targeted attack on user names, passwords and security questions. Unless you grew up in New York City, a hacker could easily run through the names of the elementary schools in your hometown; if he could find your birthplace, he could easily run through the names of the hospitals there. I haven’t lived in Washington D.C. in many years and I can still name eight hospitals that were located there at the time I lived there. If someone can get on your Facebook page, they could probably find out the name of your dog and, from your photos, what city you would like to visit. So a guessing attack working from a short list of likely answers could probably get past the bar posed by your security questions.
As for your password, it is suggested that it not be based on dictionary words, and that even a dictionary word obscured with symbols and numbers (Pa$$w0rd, for instance) can be cracked relatively quickly, because password-cracking tools apply exactly those substitutions to every word in their lists. So use a password like 4J@2stiI. That’s a great idea….now try to remember it, and use a different, similarly designed password for Google, Twitter, Instagram, Facebook, your bank, your investment account, Uber, etc. Unless you’re an idiot savant, I doubt that you can. So Molly Wood suggests using a password manager; i.e., a program or service that creates a unique password for each website you visit and stores them in a database protected by a master password that you create. Here, I must disagree with Ms. Wood.
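To make the point about obscured dictionary words concrete, here is an added example (my own illustration, not code from the column or from any cracking tool) that builds the candidate list a cracker would try: each word from a small constructed word list, with the usual letter-for-symbol swaps and common suffixes, and then checks a hash against that list. The word list, the substitution table and the suffixes are all assumptions chosen for the demonstration; real tools use lists of millions of words and far more rules.

```python
import hashlib
import itertools
import string

# Constructed toy word list for the demonstration; real attacks use
# lists with millions of entries harvested from earlier breaches.
WORDLIST = ["password", "welcome", "dragon", "monkey", "summer", "secret"]

# Assumed "leet" substitution rules: each letter may be kept or swapped.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
# Assumed common suffixes people bolt onto a word.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2014", "2014!"]


def leet_variants(word):
    """Yield every spelling of `word` with each letter kept or swapped per LEET."""
    choices = []
    for ch in word:
        opts = [ch]
        if ch.lower() in LEET:
            opts.extend(LEET[ch.lower()])
        choices.append(opts)
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(words=WORDLIST):
    """Yield every 'obscured dictionary word' candidate: case, leet swaps, suffix."""
    seen = set()
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    cand = variant + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(text):
    """Unsalted SHA-256 of the candidate, standing in for a leaked password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, words=WORDLIST):
    """Return (password, tries) if the hash falls to the mangled word list, else (None, tries)."""
    tries = 0
    for cand in candidates(words):
        tries += 1
        if sha256_hex(cand) == target_hash:
            return cand, tries
    return None, tries


def random_keyspace(length=8, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Number of passwords a true brute force would have to try for a random password."""
    return len(alphabet) ** length


if __name__ == "__main__":
    found, tries = crack(sha256_hex("P@ssw0rd123"))
    print(f"P@ssw0rd123 recovered as {found!r} after {tries} guesses")
    found, tries = crack(sha256_hex("4J@2stiI"))
    print(f"4J@2stiI: {found} after exhausting {tries} mangled-word guesses")
    print(f"random 8-character keyspace: {random_keyspace():,} candidates")
```

The whole mangled list for six words is a few thousand guesses, so P@ssw0rd123 falls almost instantly, while a random eight-character password is not in the list at all and would have to be found among roughly 94 to the 8th power (about six quadrillion) possibilities.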
Would you hand over the keys to your home to someone who knocks on your door and promises that he’ll take care of your house? I doubt it. People entrust the security of their home either to companies with a long-standing reputation for safety like ADT (they’ve been around since 1874) or to a trusted neighbor or relative whom they know very well. The value of your investment account or bank account or personal reputation, all of which may be accessed by someone with your password, may be much greater than that of your house. Would you leave your passwords with a company that may not be around in three years? Even the most innocent photo that you put in your iCloud account or Google Drive may not be so innocent if you’re pictured associating with someone about whom others might draw the wrong inferences, for example, an attractive colleague at work or someone who is later indicted, e.g., an Illinois politician.
So, what should you do?
1. Pick a strong password with a combination of numbers and letters, capitals and small letters and punctuation marks that you can remember. Use at least eight characters, and more if the site allows it. Don’t use the same user name/password combination for multiple websites.
2. Play with the security questions. For example, you went to Pyongyang on your honeymoon, your dog’s name is FreddyMercury, the first car that you owned was a Tucker, you were born in the Damascus Hospital for the Criminally Insane, your elementary school was the Chernobyl grammar school and the city you’d most like to visit is Mogadishu. Answers like these will be more difficult to guess than if your dog’s name was Fluffy, your first car was a Ford, you were born in St. Joseph’s Hospital and the city you’d most like to visit is Paris. Since you won’t remember made-up answers, write them down and keep them where you keep other valuables, not in a file on the same computer. And don’t all use these examples, or they won’t work.
3. Use two-factor authentication. This works with Google. If anyone, including you, tries to access your Google account from another computer, Google will send a one-time code via text message to your cell phone, and you then enter that code to log in. If you happen to be checking your Gmail in a public library, this can be embarrassing. Two-factor authentication should become standard: it essentially generates a random multi-digit number, good for one login and a few minutes only, that you must key in to gain entrance to a web site that resides in the cloud, and if your cell phone has a “kill switch,” in the event it is stolen and you activate that “kill switch,” it becomes useless as a key to your personal records located in the cloud. One caveat: a code sent by text message is only as safe as your phone number, so if the site offers a code generated by an app on the phone itself, prefer that.
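What makes a six-digit one-time code safe, when a six-digit number is trivially guessable, is that the server only accepts it once, for a few minutes, and for a handful of attempts. The following is an added illustration of the server side of that scheme in Python; it is my own sketch, not Google’s code or any provider’s, and the class name, the 300-second lifetime and the five-attempt limit are assumptions chosen for the example. The clock is injectable so the expiry path can be exercised without waiting.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: six-digit codes, as most SMS schemes use
CODE_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses void the code


class OneTimeCodeStore:
    """Hypothetical server-side record of pending one-time codes (illustrative only)."""

    def __init__(self, now=time.time):
        self.now = now
        # user -> (code, expires_at, attempts_left)
        self.pending = {}

    def issue(self, user):
        """Generate a fresh code for `user` and return it (in practice it is sent by SMS)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = (code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user, submitted):
        """Accept `submitted` once, before expiry, within the attempt budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            # Expired or locked out: discard so the user must request a new code.
            self.pending.pop(user, None)
            return False
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code, str(submitted)):
            self.pending.pop(user)          # single use: a replayed code fails
            return True
        self.pending[user] = (code, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    clock = [1000.0]                        # constructed fake clock for the demo
    store = OneTimeCodeStore(now=lambda: clock[0])
    code = store.issue("alice")
    print("wrong guess accepted?", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
    code = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    print("expired code accepted?", store.verify("alice", code))
```

With one million possible codes and five attempts per code, an attacker who has stolen the password still has only a five-in-a-million chance per code request, which is why the attempt limit and expiry matter more than the length of the number.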
Obviously, one way to avoid these issues is not to put your personal information in the “cloud.” The problem with this is that your Gmail, Google browsing history, Facebook posts, on-line banking records, credit card statements, mobile phone calling records, tweets, Amazon purchases and buying preferences and Instagram photos are all in the cloud and, chances are, you don’t want to give up using Google, sending out e-mails, banking on-line, social networking or sending photos to your friends. Anil Somayaji, an associate professor at Carleton University in Ottawa, is quoted as saying, “The thing with the cloud is when it gets compromised, it can get really compromised.” Cloud providers could go bankrupt, change their policies in a way that prevents you from accessing your data or suffer a security breach themselves. Somayaji goes on to say that while he thinks services like Microsoft, Google and Yahoo are “really good” and have good policies, “they’re just one software glitch away from blowing away all the email you’ve ever had.”
So this is what I recommend. Buy a back-up hard drive, a DVD or a USB key and maintain a spare copy of your photos and important documents and e-mails. I save these documents and e-mails in PDF format so that they remain readable as software versions change, or in the event that I, or someone else who needs access to those files in the future, is using a different operating system from the one I am using now. Don’t carry the back-up with you. At home, keep it in a locked fire-safe box, and if you are leaving town for an extended period and you have a safe-deposit box, put it there. If the back-up is at the office, at least keep it in a secure locked drawer, and if you can do so safely, bring it home on weekends and on vacation and follow the procedure noted above. Encrypt the back-up drive if possible, so that losing the drive does not mean losing the data to whoever finds it. If you’re going on vacation or working at a Starbucks, leave the back-up disk in one of the safe locations noted above and wait until you return home or to the office to back up your data. Also, perform a back-up every day that you use your computer, and check now and then that the copy actually opens; a back-up you have never restored from is a hope, not a plan. If you have a mobile phone, the principle involved is the opposite. Here, you are carrying the drive with all your personal information, and it is with you all the time. To protect yourself, make sure that phone has a “kill switch” and a password so no one other than you has access to it. Then back up the data on your phone to the cloud using the password tips noted above.
And remember, if you travel, the border is a privacy-free zone, and the government, namely U.S. Customs and Border Protection, asserts the right to take a look at your laptop computer, open up the folders on that computer and peer inside, as it can do with your luggage. And if you travel to China, as I noted back in April of 2012, key-logging software has been installed on visitors’ laptops, which renders password protection useless. In addition, Bluetooth and Wi-Fi connections can be used to remotely access computing devices, including smartphones, tablets and laptops. The New York Times has quoted a former counterintelligence official as stating, “If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated.” Chinese hackers have been known to access computing devices’ microphones and cameras remotely. In fact, an official of McAfee, the computer security company, was quoted as stating that if an employee’s device is inspected at the Chinese border, it can never be plugged into that company’s network again.
So the bottom line is that you can’t avoid the cloud, but if the information is really personal and of an intimate nature, or otherwise potentially embarrassing, or, for whatever reason, you are never going to want to disclose it to the world, don’t put it on Facebook or tweet about it; lock it up outside the cloud where neither thieves nor hackers can get at it. The celebrities who had their intimate photos hacked should have treated them as if they were the galleys to their autobiography or their diary, or as Apple treats its product development plans: in the most secure manner, out of the rest of the world’s reach, and not in a data center combined with the confidential information of thousands of other people and likely accessible to a twenty-something male with a great deal of technical computer knowledge. Just ask the NSA…Edward Snowden was 29 when he walked off with their secrets.