A few weeks ago, in purchasing a new phone and looking for the best deal on the internet, I was taken in by a phishing site. Additionally, Angela, my girlfriend in South Africa, left her USB thumb drive in a library and returned to find it missing. A few weeks later she was accosted by a mugger high on something, and although he was not very threatening (he was chewing on a KFC drumstick and making little sense) she appeased him by letting him take the phone rather than try for her bag with a computer, a tape recorder, and the new USB flash drive with her work. Around that same time my websites were hacked, most likely by a script, which changed the home page on all of my websites.
Angela is fine, and nothing major has been lost. The data I sent to the phishing site didn’t contain enough information to create an identity (i.e. no SSN); I’ve reported the site to US-CERT as well as Google (where I found the site), and notified the credit card company. My websites are back up and working (I was already in the middle of moving them to a new webhost), so little damage was done. These, though, are only the personal incidents of late. I’ve read of many other far worse incidents relating to identity theft, scandals due to theft of laptops with sensitive data on them, government-required decrypting/unlocking of cell/laptop data at border checkpoints, etc. Also worth noting is this article on 10 things that companies screw up, as breaching your privacy is not always intentional.
I am a huge proponent of transparency everywhere. I believe that privacy is somewhat of a myth, and I acknowledge that there is an inherent contradiction between what I’m going to say as a practical piece of advice and this belief in total transparency. It is not my intent to reconcile it here. I will say that we live in a day and age where we need to trust but verify, especially in the government’s case. We cannot implicitly believe that the government is acting in our best interest when our own butts are on the line. It’s necessary to take basic precautions in keeping your person secure. That being said, I don’t advise going so far as to be paranoid and never taking any risks, but realize that sometimes it’s fairly easy to mitigate some of those risks.
Especially when it comes to digital data.
My top six recommendations:
- Build a “what if?” plan for loss, theft, or hacking. Again, this isn’t so much digital as it is learning to watch your digital identity. What would you do if your wallet were stolen or your house broken into? This lawyer and the FTC have some thoughts on planning for that what-if. Don’t forget to proactively check your credit report every year (or more often); annualcreditreport.com is free in most US states.
- Change your passwords regularly. It’s also key here to remember that most hacking these days isn’t done by a random outside hacker, but by a known associate. For this reason it’s good to keep your passwords to yourself and also make them hacker-resistant. “Memorable, but not personal” is my mantra. Six years ago I wrote up All About Passwords and it’s still very useful today.
- Digital data is no exception. Paris Hilton showed us what happens when you don’t realize your contacts are another database, and you yourself need to have a policy of privacy and an intent to secure it. Now, you can’t secure everything from everyone, but like putting a deadbolt on a door, you are discouraging them from trying and making them go after someone else. If you use USB thumb drives often, or you are like me and walk around with a laptop everywhere you go, or have a crackberry like device, or you carry an external hard drive with you, then it might be time to invest in some encryption/security. See below for more recommendations.
- Back it up, and secure it! As an IT guy, it’s important to remember that your backups are both a necessity and a security risk. Keep your digital life (and physical life) backed up, but at least make it somewhat secure from external threats. Sometimes a password on a file is all you need.
- Dumping it doesn’t make it go away. Just because you threw it in the garbage doesn’t mean it’s gone. Shred, hard-wipe, or physically destroy sensitive data and material.
You will see security become a larger and more visible presence not just in foreign and domestic policy, but at home and on your person. Be rational about this as much as possible. DO NOT give in to fear. Balance risk and convenience; realize that the point here is to show intent and deter. I’ll say it again: no matter how secure you think you are, it’s impossible to be totally secure, so don’t try and don’t worry about it. This is an arms race beyond the imagination of the Cold War, and the race itself often belies the real question of a human-created need for privacy versus nature’s inherent openness. Your best ally is a question; it allows you to learn and then to go beyond the fear.
Recommendations on protecting your computer’s hard drive from legal and illegal intruders.
First. Don’t keep data that you don’t want others to get. — For example, a permanent US resident who is a Cisco employee and is regularly stopped by US customs regularly wipes his cellphone; sure, they can ask, but if it doesn’t exist they can’t have it.
Second. If it’s sensitive and you know it, encrypt it. — TrueCrypt and many others are simple ways to pack data away from prying eyes. TrueCrypt is free, open-sourced (meaning regularly checked for holes) and easy to implement on your USB key, home hard drive (the entire thing), or DVD backups, without sacrificing too much in the way of time.
Third. Plan for a loss of data. — Some day, some time, you’ll lose a USB key, cell phone, or something. Plan for that day. I don’t care how you do it: think it through in the back of your head, write it down in a document, or discuss it with your significant other, but decide what you’ll do if that happens. It might help to ask people how to spend a little time securing it, or what data you really want to keep on these devices. In the case of a cellphone with Windows Mobile, try Sprite’s Terminator