Sunday, February 24, 2013

Heads, butts, clouds and cyber security

It's been a busy few weeks with many allegations of hacking by the Chinese.  Indeed, I have noticed that my "Chinese" visitors outnumber my United States visitors in the past month.  Well, I guess it would only make sense that hackers would go after the big three: Facebook, then Apple and then MyTurnQuips.  What I can't understand is why the most popular post for these visitors seems to be Yachting with G.  Is it my orange Crocs?  In all seriousness, I don't believe I was hacked, but would not be surprised if some of this traffic was generated from automated probes.  And for all my Chinese fans, if you like my posts, feel free to add a comment; I would love to hear that I have fans in China and not hackers.

I have recently posted my experience with Windows 7 and more recently with Office 2013.  The big movement with both products is toward integration with the "cloud".  Also recently discussed in a post was this year's experience preparing federal and state income taxes.  The convergence of these posts got me wondering - how many people will be lured into storing their completed taxes out on the cloud?  I keep a PDF (Portable Document Format) copy of my taxes, but there is no way I will store this "on the cloud".  (Nor do I recommend that you place a copy of your taxes out on the cloud and while I'm at it, don't even think of emailing a copy of your taxes without encrypting it first).  At the risk of pointing out the obvious, your tax return is a treasure trove of information, including your name, date of birth, social security number and if you are expecting a refund may also include your bank account number.  I had initially played with titling this post something to the effect, "pull your head out of your butt and stay out of the cloud," but alas I thought it a bit too rambling; however, the point remains, use caution with what you choose to save to the cloud.

Cloud users should carefully investigate the security provided by their provider.  I did a quick search of 3 well-known providers, Apple iCloud, Microsoft SkyDrive and Google Drive, regarding the level of encryption each provides, with a URL to the source of the information:

iCloud:  Quotation from Apple site: "iCloud secures your data by encrypting it when it is sent over the Internet, storing it in an encrypted format when kept on server (review the table below for detail), and using secure tokens for authentication. This means that your data is protected from unauthorized access both while it is being transmitted to your devices and when it is stored in the cloud. iCloud uses a minimum of 128-bit AES encryption – the same level of security employed by major financial institutions – and never provides encryption keys to any third parties."  I really liked the way that Apple provided a clear statement of the security it provides and a very clear table is provided on the URL identified.

SkyDrive:  Review by Bojana at provided URL provides this citation:  "Remote access is a very practical feature and it uses a two-way authentication process for logging in to your computer so your files are safe. Obviously, you have to be careful when your account password is in question. Try to be imaginative and change it every once in a while and that should make your account safe enough. As for more sensitive documents, you should either avoid storing them in SkyDrive or encrypt your account with some good encryption tools."  In short, it sounds like you are on your own in regards to encryption.

Google Drive:  Quote from CNET review follows:
Google Drive encrypts data between your computer and the Google servers. If you're using your Drive over the Web, the connection defaults to secure (HTTPS), and when you use the software that makes your Google Drive appear on your computer like a local hard drive, the data between your computer and Google is likewise encrypted. No casual hacker will be able to grab your files by monitoring or intercepting your Internet connection to Google.

Your data is stored under lock and key at Google itself, but it is not encrypted on the Google servers. A Google rep explained why to me: Encrypting files stored at Google would prevent you from previewing them on the Web, and it would also prevent services like Google Goggles and its OCR engine from accessing files on your behalf. (I presume it would also prevent Google's ad-serving algorithms from scanning your data to serve you more targeted messages -- and this is how Google makes its money.)

Let me reiterate, I do NOT recommend storing any sensitive information on the Cloud with ANY provider.  With that said, I would comment that if I were concerned about the privacy of my documents and selecting from one of these 3 providers, I would go with Apple's iCloud.

Encryption is just one tool toward cyber security.  There are 2 other areas of vulnerability that I want to discuss:

1.  Portable devices - smart phones, tablets and laptops can be quickly stolen.  Even though you may have a password on your laptop for login, your documents are generally stored unencrypted (in plain text, in the cryptographic sense).  This means that they can be easily accessed if your device is stolen - login is not needed; your documents can be accessed and read just like an external drive.  Smart phones are even more vulnerable.  First, they are small and users generally take them wherever they go and frequently get careless - lay them down, get distracted, and perhaps even forget about them for a little bit.  Due to the small size, they are easily concealed and can be quickly stolen.  Second, apps - yes, I said apps.  I find that many apps tend to keep you constantly signed in.  While this might be a convenience, it presents a huge vulnerability.  Once stolen, the thief may quickly be able to access your Facebook, your email and who knows what else - perhaps 2 or 3 other accounts.  In view of this vulnerability, setting a PIN or password is good practice for smart phone owners.  It will at least slow down a would-be thief.  Installing software to find your device or wipe it may also be worthwhile to consider.  However, none of these measures is a replacement for good day-to-day practice - don't store sensitive information as attachments in your email or on your portable device; sign out and close applications when done using them.

2.  Passwords and more:  Many providers and services have improved in encouraging the use of strong passwords.  (Strong passwords are passwords that are not easily guessed or cracked).  There are a host of challenges with passwords.  For starters, it is difficult to remember multiple passwords.  Conversely, reusing the same password, while easy to remember, increases your vulnerability (if you are compromised in one application, it can lead to a domino effect of compromise among several applications or accounts).  Here are some tips:
  1. Before even getting to the password, if you are able to create your own UserID, carefully consider the ID that you create.  If you want anonymity, don't use your name or other identifying information such as date of birth.
  2. When setting up your user account, be mindful of what information is being provided.  No, you don't need to provide your real date of birth on Facebook and share it with the world.  Although, your annoying relatives may blow your cover when they feel the need to wish you "Happy xx Birthday" by writing on your wall...
  3. In selecting a password, I consider the level of risk (what is at stake if hackers get into the account).  For "who cares" accounts, I may use a relatively simple (to me) password.  For accounts where I want to maximize protection I ramp up the complexity.  Here is one way to do it in a manner that may give you a fighting chance of remembering your password:
    1. Start simple - say "Walmart"
    2. Mix up capitalization in unexpected places like "waLmaRt"
    3. Now mix in some numbers like "wa2Lm4aR8t"
    4. If special characters are allowed or required, throw in one or two like "!wa2Lm4aR8t%"
  4. For very important accounts and services, you should plan to change your password on a regular basis.  Yes, it is hard to keep up, but you need to balance security with risk.
  5. There is no shame in (hand) writing down your password(s), although if you choose to do this you should consider keeping them reasonably apart from your computer.  Do not electronically keep your passwords in a text file (or Word or Excel or Outlook or any other file) which will make it too easy and clear for others to run with.  If your memory permits, it is also wise to write the password only without reference to what application or service it is affiliated with.
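To put some numbers behind the four-step construction in tip 3, here is a small strength estimator I have added for illustration; it is not the blog's own code. It scores the post's own progression (Walmart, waLmaRt, wa2Lm4aR8t, !wa2Lm4aR8t%) by estimating how many bits a brute-force search would have to cover. The character classes, the entropy model (length times log2 of the character-set size) and the weak/fair/strong thresholds are my assumptions for this example, not anything the post or any provider defines.

```python
"""Rough password-strength estimator for the construction steps above.

Added example, not the blog author's code. Scores the page's own
progression (Walmart -> waLmaRt -> wa2Lm4aR8t -> !wa2Lm4aR8t%) by
estimating brute-force entropy, and shows that step 2 (re-capitalising)
adds nothing that the original mixed-case word did not already have.
"""
import math
import string

# Character classes and their sizes (assumed model): a brute-force attacker
# has to cover every class that appears in the password.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
}


def charset_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    size = 0
    for alphabet, n in CLASSES.values():
        if any(c in alphabet for c in password):
            size += n
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: log2(charset_size ** length).

    This is an upper bound. It assumes every character was chosen uniformly
    at random; a password built by decorating a dictionary word, as in the
    steps above, is weaker than this number suggests because the base word
    itself is easy to guess.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def rating(password: str) -> str:
    """Coarse bucket; the thresholds are chosen for this example (assumption)."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


def score_progression(steps):
    """Return (password, charset size, rounded bits, rating) for each step."""
    return [(p, charset_size(p), round(entropy_bits(p)), rating(p)) for p in steps]


if __name__ == "__main__":
    # The four passwords are the blog post's own worked example.
    progression = ["Walmart", "waLmaRt", "wa2Lm4aR8t", "!wa2Lm4aR8t%"]
    for pw, size, bits, label in score_progression(progression):
        print(f"{pw:14} charset={size:3}  ~{bits:3} bits  {label}")
```

Running it shows the two mixed-case variants scoring identically (about 40 bits), the digits lifting the estimate to about 60 bits, and the two special characters to about 79 bits. The real gain comes from length and added character classes; the estimate is generous because the word underneath is still "Walmart", which is why the post's advice to keep complexity proportional to what the account protects is the right way to read these numbers.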
So there you have it - technology should be fun, but never forget there are truly bad guys out there so keep your head with cyber security.
