Be Your Own Security Expert: Difference between revisions
Line 110: | Line 110: | ||
In the case of an SSD (solid state disk) or memory stick, the way that it stores data in order to even out wear makes it impossible to be sure you've overwritten it all. Smashing it with a hammer until you are convinced individual storage chips are cracked is the only sure way of putting your data beyond reach. | In the case of an SSD (solid state disk) or memory stick, the way that it stores data in order to even out wear makes it impossible to be sure you've overwritten it all. Smashing it with a hammer until you are convinced individual storage chips are cracked is the only sure way of putting your data beyond reach. | ||
===Encryption=== | |||
Sensitive data may be at risk any time it's outside your full control. Broadly, there are two situation to think about: | |||
* Data at rest: on a storage medium such as a hard disk or memory stick, it may be lost or stolen. | |||
* Data in transit: any time it passes over a public network it's susceptible to interception. | |||
In both cases, encryption is strongly recommended if compromise of the data could cause you loss or harm. | |||
There are two kinds of encryption: | |||
* In symmetric encryption there is just one secret key and the encryption process is run in reverse using the same key in order to decrypt the data. But all is lost if that secret key is compromised. | |||
* Asymmetric encryption uses a pair of complementary keys, a public key for encryption and a private key for decryption. The private key is only known by the recipient of the message and cannot be derived from the public key. | |||
====Data at Rest==== | |||
Depending on your operating system you may be able to flag folders holding sensitive data as to be encrypted. This is very easy and simple, but any time you view or edit the data it's likely that fragments (at least) of that data will be left in temporary files or free space on your hard disk. | |||
Full disk encryption is much safer, but to be quite safe you must encrypt the disk before writing any sensitive data to it. | |||
Bitlocker is available on some versions of Windows, and provides full disk encryption. A free alternative is [Bitlocker is available on some versions of Windows Veracrypt]. | |||
For a memory stick or external hard drive you can use Bitlocker, Veracrypt and others to create an encrypted vault. This should be created so as to occupy all the space available so as to ensure no unencrypted data can be written to it. These tools generally allocate a new drive letter through which you can see the decrypted data. | |||
When choosing a password (from which many of these tools derive the encryption key), bear in mind that an attacker in possession of your data can spend as long as he likes trying to crack it, unlike a login password which may lock the account after a few failed tries. For personal data the loss of which could lead to financial fraud, a password length of 20 characters and not made of dictionary words or names is probably a sensible minimum. | |||
====Data in Transit==== | |||
When accessing a website with https prefix, you data is automatically encrypted, but not all pages on the site may use https. | |||
Emails are not generally encrypted, and the sender and recipient obviously cannot be, otherwise it could never be delivered to its destination. The easiest way to send a file securely by email is to compress it with Winzip or the free [http://www.7-zip.org/ 7-Zip] utility, selecting AES encryption. Make sure you send the encryption password to the recipient by a different means, e.g. by text message, post, or in a face-to-face meeting. | |||
If you use an email program that manages your email using POP3 or IMAP (for receiving) and SMTP (for sending), ensure that you use the SSL (encrypted) variants of those protocols otherwise your email password is at risk. | |||
==External links== | ==External links== |
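Review bot: In the added "Data at Rest" text, the Veracrypt external link is malformed: `[Bitlocker is available on some versions of Windows Veracrypt]` repeats the start of the sentence where the URL should be, so the bracket will not render as a link. Put the Veracrypt site address first inside the brackets, as the 7-Zip link in "Data in Transit" does. The same addition has two typos to correct before saving: "two situation" and "you data".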
Revision as of 22:59, 20 December 2015
Security tips we should all be following. (This page is a work in progress.)
Summary
Modern computers and mobile devices store vast amounts of information, some of it sensitive, and yet more of our data is in "the cloud", held by corporations such as Facebook and Google. Just as we've learned that keeping a front door key under the door mat might not be a good idea, there are important and not always obvious lessons we need to learn about keeping our digital lives safe. The basics are covered here.
The first section following this should be understandable by anyone, but later sections may assume you're comfortable with setting up and configuring your device.
Security Top Tips
Google carried out research comparing the top security tips given by security experts with the top security measures general users believed were important, and found worrying differences, as shown below.
| | Non-Security Expert | Security Expert |
|---|---|---|
| 1 | Use antivirus software | Install software updates |
| 2 | Use strong passwords | Use unique passwords |
| 3 | Change passwords often | Use 2-factor authentication |
| 4 | Only visit websites you know | Use strong passwords |
| 5 | Don't share personal information | Use a password manager |
What have you got to worry about?
For a law-abiding private individual the threat comes almost exclusively from criminals.
People often say that they have nothing of value on their computer so why should they worry? In fact you have more than you think, as described in this blog posting. And don't forget that your smartphone is a fully fledged computer too.
- Your address book or contacts list is a primary target. With this, an attacker can send malicious emails to all your friends, making them appear to come from you. Some of your friends may then fall for social engineering tricks, click on links or open attachments in these emails.
- Login credentials to online banking, PayPal and shopping or auction sites can and will be used to defraud you.
- Login credentials to your email account can be used in the same ways as your address book, but worse. With full control of your email an attacker will be able to reset the passwords to many different websites.
- Login credentials to social networking sites can be used to send malicious messages to your friends.
- Your computer may contain enough personal information to facilitate identity theft, particularly if the attacker can gain access to your social networking sites. He may be able to complement the information he gains from your computer with information from other sources.
- Your computer may be recruited into a botnet. This is a large collection of compromised computers under the control of the attacker (the "bot herder") and used to attack websites or send out large quantities of malicious emails. Not only will your computer then be engaging in criminal activity, but it will be running slowly and swamping your network connection with traffic.
- You may be infected by ransomware. This encrypts all your files and demands payment for the decryption key.
Additional tips
- Reduce your attack surface
- Unsolicited attachments/phishing
- Backups - 3 copies, 2 media types, 1 offsite
- Data destruction
- Encryption
- Public networks
- Physical security
Reduce your attack surface
Each piece of software on your system could contain security vulnerabilities so it makes sense to uninstall things you don't need. This is critically important when it comes to browser plug-ins as these can often be directly invoked by websites you might visit.
In particular, uninstall the Java plugin if you have it. It is required by a tiny number of websites and has a poor security record.
Likewise, Flash has been plagued by problems, often exploited by malicious Flash-based adverts. Google for instructions for setting it to click-to-play in your favourite browser.
Unsolicited emails
If you receive an unsolicited email, clicking a link in it or opening an attachment can really spoil your day. This is probably the commonest way to get infected with something bad.
Such emails are normally part of a "phishing" campaign in which malicious emails are sent to large numbers of email addresses. Sometimes they are very crude, simply containing a link you may be tempted to click, just out of curiosity. Other times they may be quite cunning, e.g. making out there is a package addressed to you awaiting delivery. Since forging the sender's address in an email is trivially easy, the email may even appear to come from someone you know if their contacts list has been compromised.
To avoid getting caught, you should treat all emails you weren't expecting with the greatest of suspicion unless you are quite certain the sender is genuine.
Also, make sure your system is fully patched and updated in order to eliminate (as far as possible) the vulnerabilities a malicious email might try to exploit.
Backups
The importance of regular backups cannot be overstated. Many people don't learn the lesson until they lose something vital through a hard disk crash, an accidental deletion or data corruption, or loss or theft of their computer.
You can regularly copy important files to a memory stick, but the chances are you will have forgotten when disaster strikes, and if your house burns down you probably will have lost both your computer and your memory stick (not to mention your house).
Best practice is to follow the 3-2-1 principle:
- Keep 3 copies of your data
- Keep your data on 2 different computers or storage devices
- Keep 1 of those copies off-site, e.g. using an online backup service or on a memory stick with a trusted friend.
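One way to check the 3-2-1 principle in practice, as an added example that is not part of the original page: the script hashes each copy of a file and reports missing, differing, same-device or on-site-only copies. The `device` labels, the file name and the sample data are constructed assumptions; you assign the labels yourself.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_321(copies):
    """Return a list of problems; an empty list means the 3-2-1 rule holds.

    Each copy is a dict with 'path', 'device' (a label you assign to the
    physical disk or service) and 'offsite' (True if stored elsewhere).
    """
    problems = []
    readable = []
    for copy in copies:
        if Path(copy["path"]).is_file():
            readable.append((copy, sha256_file(copy["path"])))
        else:
            problems.append(f"missing copy: {copy['path']}")
    if len({digest for _, digest in readable}) > 1:
        problems.append("copies differ: at least one backup is stale or corrupt")
    if len(readable) < 3:
        problems.append("fewer than 3 readable copies")
    if len({copy["device"] for copy, _ in readable}) < 2:
        problems.append("fewer than 2 storage devices")
    if not any(copy["offsite"] for copy, _ in readable):
        problems.append("no off-site copy")
    return problems

def make_demo_copies(root):
    """Constructed sample: three identical files standing in for real backups."""
    layout = [("laptop", False), ("usb-stick", False), ("online-backup", True)]
    copies = []
    for device, offsite in layout:
        path = Path(root) / device / "accounts.ods"
        path.parent.mkdir(parents=True)
        path.write_bytes(b"constructed sample data\n")
        copies.append({"path": str(path), "device": device, "offsite": offsite})
    return copies

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(check_321(make_demo_copies(root)) or "3-2-1 rule satisfied")
```

A backup that exists but no longer matches the original is the failure this catches that a simple "is the file there?" check does not.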
Windows provides a backup utility. Get yourself a memory stick or external hard drive to use with this. You can select which files and folders to back up.
Wikipedia contains a list of many online backup services. These generally work in the background, continuously sending files to a remote server as they are updated. Some of these offer a limited amount of storage for free. If you are concerned about privacy, use one which offers "zero knowledge" encryption. This means that the data is encrypted before it leaves your computer and that the online service itself has no way to decrypt it, since you have the only copy of the encryption key.
Data Destruction
When you dispose of a computer, hard disk or memory stick, be sure that it contains no sensitive personal data. Simply deleting files or even reformatting a disk or memory stick leaves most of the data still recoverable using simple and freely available tools.
If you are selling it or giving it away you should use a disk wiping tool, of which there are several freely available. That up to 35 overwrites might be needed is an urban legend. If you were James Bond on a mission to save the planet you might choose 2 passes but even that is probably overkill.
If the disk to be wiped is not your system disk, you can use CCleaner. Under Tools, choose Disk Wiper.
To wipe a computer's system disk in the computer itself you will need a tool which runs from bootable USB media or from a CD. DBAN is a Linux-based utility which comes as a bootable disk image. CMRR SecureErase is a utility which can run from a bootable DOS disk and uses a built-in function of modern hard disks to effect a complete erasure.
If you don't want to reuse the disk the quickest and safest option is to physically smash it with a hammer. In modern disk drives the disk itself is often made of glass which should shatter into many pieces. Your job is done if you can hear them rattling about inside. If not, unscrew the lid and hit the disk directly, but be aware that if it's glass it may disintegrate into dangerous flying shards.
In the case of an SSD (solid state disk) or memory stick, the way that it stores data in order to even out wear makes it impossible to be sure you've overwritten it all. Smashing it with a hammer until you are convinced individual storage chips are cracked is the only sure way of putting your data beyond reach.
Encryption
Sensitive data may be at risk any time it's outside your full control. Broadly, there are two situations to think about:
- Data at rest: on a storage medium such as a hard disk or memory stick, it may be lost or stolen.
- Data in transit: any time it passes over a public network it's susceptible to interception.
In both cases, encryption is strongly recommended if compromise of the data could cause you loss or harm.
There are two kinds of encryption:
- In symmetric encryption there is just one secret key and the encryption process is run in reverse using the same key in order to decrypt the data. But all is lost if that secret key is compromised.
- Asymmetric encryption uses a pair of complementary keys, a public key for encryption and a private key for decryption. The private key is only known by the recipient of the message and cannot be derived from the public key.
Data at Rest
Depending on your operating system you may be able to mark folders holding sensitive data for encryption. This is very easy, but any time you view or edit the data it's likely that fragments (at least) of that data will be left in temporary files or free space on your hard disk.
Full disk encryption is much safer, but to be quite safe you must encrypt the disk before writing any sensitive data to it.
BitLocker is available on some versions of Windows, and provides full disk encryption. A free alternative is VeraCrypt.
For a memory stick or external hard drive you can use BitLocker, VeraCrypt and others to create an encrypted vault. Create it so that it occupies all the space available, which ensures no unencrypted data can be written to the device. These tools generally allocate a new drive letter through which you can see the decrypted data.
When choosing a password (from which many of these tools derive the encryption key), bear in mind that an attacker in possession of your data can spend as long as he likes trying to crack it, unlike a login password which may lock the account after a few failed tries. For personal data the loss of which could lead to financial fraud, a password length of 20 characters and not made of dictionary words or names is probably a sensible minimum.
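The reasoning above about offline guessing, worked through as an added example that is not part of the original page: it generates a 20-character random password, derives a key from it, and estimates the average search time for different lengths. PBKDF2-HMAC-SHA256 with 200,000 iterations and an attacker speed of 1e12 hashes per second are illustrative assumptions, not the settings of any particular tool.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def generate_password(length=20):
    """Random password drawn from the OS CSPRNG, so no words or names."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

def derive_key(password, salt, iterations=200_000):
    """Stretch the password into a 256-bit key; every guess costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def years_to_crack(bits, hashes_per_second, iterations=200_000):
    """Average offline search time: half the password space, one KDF run per guess."""
    guesses_per_second = hashes_per_second / iterations
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored beside the encrypted data, not secret
    password = generate_password()
    print("derived key:", derive_key(password, salt).hex())
    for length in (8, 12, 20):
        bits = entropy_bits(length)
        # Assumed attacker speed: 1e12 raw hashes per second (illustrative).
        print(f"{length} chars, {bits:.1f} bits, {years_to_crack(bits, 1e12):.3g} years")
```

These figures apply only to randomly generated passwords; one built from dictionary words or names has far less entropy than its length suggests.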
Data in Transit
When accessing a website with an https prefix, your data is automatically encrypted, but not all pages on the site may use https.
Emails are not generally encrypted, and the sender and recipient addresses obviously cannot be, otherwise the message could never be delivered to its destination. The easiest way to send a file securely by email is to compress it with WinZip or the free 7-Zip utility, selecting AES encryption. Make sure you send the encryption password to the recipient by a different means, e.g. by text message, post, or in a face-to-face meeting.
If you use an email program that manages your email using POP3 or IMAP (for receiving) and SMTP (for sending), ensure that you use the SSL (encrypted) variants of those protocols, otherwise your email password is at risk.