Ruminations on Securing Data

A couple of caveats:  These are my personal thoughts/ideas.  They are in no way to be associated with my company or my current project.  I am not pointing fingers at anyone in particular, nor am I calling anyone stupid.  I am simply trying to get people to think about the impacts of security policies on the daily personal and business functions.  The instructions below are either as generic as I can make them (since I don’t know what WiFi gateway device you are using) or they are specific to Windows Vista (since that is what I am using).  Please let me know if you have specific questions about Windows XP or Linksys/Belkin WiFi units, as I have experience with and access to both.

I think we can all agree that it is important to protect data.  I think we can also agree that some data need more protection than other data.  Protecting your personal data is critical to mitigating the risk of identity theft.  You shred mail that has your personal data in it (don’t you?).  You protect your Social Security Number (don’t you?).  You keep a close eye on your credit cards and your Driver’s License.  But how well do you protect the data that is on your computer?

Do you ever access your email from a kiosk (at the library or at an Internet Cafe at K-Mart)?  Do you ever use a Starbucks Hot-Spot?  Do you ever war-drive and find some sucker whose SSID is still linksys?  How do you protect your data in these cases?  Doing any of these things puts your email at risk of being intercepted/infiltrated by someone looking for personal/professional data about you.

Does your desktop/laptop have a password that must be entered before it can be accessed?  Do you regularly patch your system and your Anti-Virus/Anti-Spyware software?  Do you use MAC filtering and WEP/WPA for your home WiFi?  Have you renamed and disabled the Administrator and Guest accounts on your computer?  Have you changed the default SSID, administrator account, and password on your home WiFi?  If you aren’t doing all of these things, then you are putting your email and data at risk of being harvested.  You also put your computer at risk of becoming a virus-bot.

You might be thinking a couple of things at this point:  What can I do to protect myself, and where is it OK to access my email/the Internet when I am not at home?

You can protect your computer and data while at home in the following ways:

  • Make sure that your desktop/laptop has a password that must be entered before it can be accessed
    • Make it complex (at least 2 upper-case letters, 2 lower-case letters, 2 numbers, and 2 special characters)
    • Make sure it is NOT your name, your child’s name, your pet’s name or anything obvious like that
    • Change it every three months
  • Regularly patch your system and your Anti-Virus/Anti-Spyware software
    • If you use Microsoft’s operating systems (Vista or XP) turn on automatic updates.  This will download and install all critical patches (which are usually the security patches).  This may result in unexpected restarts of your system, so make sure you save your work before you go to bed (especially on Tuesdays).
    • Make sure you are running anti-virus software AND anti-spyware software.  There are some VERY good FREE home use products out there that you can use.  I like Avast.
      • Make sure they have the latest engines and signature files.
      • Make sure they are set to actively scan (incoming emails, inbound connection requests, downloading documents) and also make sure that they are set to do a full system scan once a week.
  • Rename and disable the Administrator and Guest accounts on your computer
    • Right-click “My Computer” or “Computer” and select Manage.
    • In the window that opens, select Local Users and Groups.
    • Select Users.
    • Select the Guest account.
    • Right-click it and select Rename.
    • Rename it to something else (it doesn’t matter).
    • Right-click it again and select Properties.
    • On the General tab, select the check box for “Account is disabled”.
    • Repeat this for the Administrator account.
  • Use MAC filtering and WEP/WPA for your home WiFi
    • Record the MAC addresses of each NIC that will be used to access your home WiFi.  Enter it into the MAC filtering area in the administrative console for your WiFi.  You can find the MAC address by getting to a command prompt (Start, Run, “cmd”, OK) and then typing “ipconfig /all”.  The MAC address will be something like 00-1C-23-53-94-6B.  Make sure you get the address for the NIC that is connecting to your home network.
    • Assign only the number of IP addresses to your home segment that you will be using at any one time.  I have mine set up for 8 concurrent connections.
    • Use some form of security.  WEP is better than nothing.  If your WiFi, Operating System, and NIC support WPA, then use that.  Any security is better than none.  If I am war-driving, I skip right over those hot-spots I find that have security, because I can ALWAYS find one that has none.
  • Change the default SSID, administrator account, and password on your home WiFi
    • Change the SSID on your home WiFi to something other than the default
    • If you can, change the name of the Administrator account
    • CHANGE THE DEFAULT ADMINISTRATOR PASSWORD!!!
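The MAC filtering step above depends on reading the right "Physical Address" out of ipconfig /all. The following script is an added example, not part of the original post: it parses a constructed sample of ipconfig /all output and picks the adapter whose default gateway is the home router, which is the NIC that should go into the WiFi unit's filter list. The adapter names, MAC addresses and the gateway 192.168.1.1 are made up for the sample.

```python
import re

# Constructed sample of "ipconfig /all" output (not captured from a real
# machine); the hyphen-separated MAC format is what Windows prints.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 00-1C-23-53-94-6B

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1F-3B-7A-12-CD
   IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter (.+)):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 ()-]+?)[ .]*: (.*)$")
MAC_RE = re.compile(r"^([0-9A-F]{2}-){5}[0-9A-F]{2}$")


def parse_adapters(text):
    """Return {adapter name: {field: value}} parsed from ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(2)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def home_nic_mac(text, gateway):
    """(adapter name, MAC) of the adapter whose default gateway is the home router."""
    for name, fields in parse_adapters(text).items():
        if fields.get("Default Gateway") == gateway:
            mac = fields.get("Physical Address", "")
            if MAC_RE.match(mac):
                return name, mac
    return None
```

Run it against the real output of ipconfig /all (saved to a file) and your own router's address to get the one MAC that belongs in the filter; the disconnected wired adapter is skipped because it has no gateway.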

If you MUST access your email while you are away from home:

  • Do NOT war-drive unless you have a completely patched and protected machine
  • Do NOT use a Starbucks (or any other) hot-spot unless you have a completely patched and protected machine
  • Minimize your time doing anything that involves personal data, usernames, or passwords while war-driving or using a commercial hot-spot
  • If you are at a library or Internet Cafe (using one of their machines) try to avoid doing anything that asks you for a username or password.  You have NO IDEA what kind of spy-ware is on these machines.
    • When you are done, make sure you clear all locally cached data from inside the browser (cookies, history, downloaded files, temporary files, etc)
  • If you find yourself often connecting in these circumstances, consider setting up and using a “junk” email account that is used only for sending generic emails to known (by you) email addresses.  Do not store any email addresses or old emails here.  That way, if it gets hacked, you don’t lose much, and you don’t expose your contacts to spam or phishing attempts from your email account.

Some general thoughts/recommendations:

  • Learn to recognize phishing attempts
  • Stay away from porn sites – these will often try to install some sort of spy-ware/malware on your computer
  • Stay away from phreaking/hacking/cracking sites – these will often try to install some sort of spy-ware/malware on your computer
  • NEVER give out your personal information (username, password, SSN, birth date, full name, mother’s maiden name, place of birth, etc) unless you are ABSOLUTELY sure you are speaking with someone trustworthy.  For example, if I call the number on the back of my credit card, I can expect to provide my credit card number and some other piece of personal information.  I initiated the contact, so I have to verify who I am.  I will NEVER tell anyone who calls me anything about me or my family.
  • Along the same lines, you will NEVER receive an email from your bank, eBay, PayPal, etc asking you to “click here to verify your account”.  Any email that asks you to “click here” or else (something bad will happen like your account will be suspended, etc) is a phishing attempt.  Hover over the link.  It may look like it is from eBay, but unless the link has “ebay.com/” in it, it is not from eBay.  If you want to make sure that everything is OK, open a new web browser, type http://www.ebay.com, and log in with your credentials.  If something is wrong with your account, you will see it once you have logged in to the legitimate site.
  • NEVER click on a link in an email (your Anti-Virus product should protect you if you goof up, but better to be safe)
  • NEVER launch an attachment that you were not expecting
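The "hover over the link" test above is about where the link really goes, and a plain substring test for "ebay.com/" is looser than it looks, because the path, a longer host name, or a user@ prefix can all carry that text while the browser is sent elsewhere. The following is an added example, not code from the original post: it checks the actual host name of a link against the legitimate domain. All sample links are constructed for the example, and "account-check.example" is a placeholder, not a real site.

```python
from urllib.parse import urlsplit


def link_belongs_to(url, legit_domain):
    """True only if the link's host name is legit_domain or a subdomain of it."""
    if "://" not in url:
        url = "http://" + url
    # hostname drops any user@ prefix, port and path, and lower-cases the host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    legit = legit_domain.lower()
    return host == legit or host.endswith("." + legit)


def hover_check(display_text, href, legit_domain):
    """Mimic the hover test: judge the real destination, not the visible text."""
    looks_legit = legit_domain.lower() in display_text.lower()
    really_legit = link_belongs_to(href, legit_domain)
    return {"looks_legit": looks_legit, "really_legit": really_legit,
            "suspicious": looks_legit and not really_legit}


# Constructed example links (invented for this example, not from real mail).
SAMPLE_LINKS = [
    ("https://signin.ebay.com/ws/eBayISAPI.dll", "ebay.com"),
    ("http://www.ebay.com", "ebay.com"),
    ("http://www.ebay.com.account-check.example/verify", "ebay.com"),
    ("http://account-check.example/ebay.com/verify", "ebay.com"),
    ("http://www.ebay.com@account-check.example/", "ebay.com"),
]


def classify(links=SAMPLE_LINKS):
    """Map each sample link to whether it really belongs to the legitimate domain."""
    return {url: link_belongs_to(url, domain) for url, domain in links}
```

Note that a look-alike domain (a different registered name that merely resembles the real one) still passes only if it literally is the legitimate domain, so typing the address yourself, as the post advises, remains the safer habit.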

Be smart, be safe, be secure.

About Tim Smeltzer
I am a husband, father, and technologist. While I am very much interested in almost all technology, my current area of specialty is secure mobile messaging. You will find me blogging from time to time on mobile technology - what I think is cool, what I think is not cool, and how to do things. Please be nice if you leave me comments. I am really trying to help!

2 Responses to Ruminations on Securing Data

  2. mrred says:

    Love this blog I’ll be back when I have more time.
