14 December 2004

Security

Bruce Schneier has a list of recommendations for Safe Personal Computing. He's the man when it comes to security in almost any form, so let's go through and see how many points I fail (eep).

(Security is an area that's become quite the testosterone-tinged hobby these days. Just bring up a discussion on firewalls or ftp around the office and watch the dicks get whipped out and measured. Once you get beyond non-trivial computing (which is the point that most every household is at), you get non-trivial security issues. Blame it on the vendors or the technology in general, but there are often no simple answers.)

  • General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.
  • Fail. The cost/benefit of a five-minute boot sequence (wah-wah, boo-hoo) keeps my computer always on.

  • Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.
  • Pass. Although, since my PDA is my phone, and since my phone will be with me when we're out drinking, and since I sometimes ... miss-a-few-beats by the end of the evening (winkwink), I have been known to make frantic phone calls the next morning.

  • Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.
  • Pass (partial). I do daily, incremental backups and monthly full backups to a Jaz drive. The previous month gets archived. I keep the old months for no good reason on the network (and will now stop), and have no off-site backup. My brother's backing up to a USB drive on his key chain: great for off-siteability, horrible for security.

  • Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."
  • Pass (partial). Every machine on the network, although Windows, is kept up-to-date. I'm not so sure I want to lose command-line capabilities though.

  • Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.
  • Fail. Who's got install disks for all of their applications?!?

  • Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.
  • Pass (partial). I use Opera (the wife refuses to switch). I allow cookies to run free and happy in my browser because they're so useful for Web site development. I'll start (now) ratcheting them back. Opera has good tools for configuring cookie handling.

  • Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.
  • Fail. I won't purchase from a non-secure site (duh), but good deals are good deals, and big sites are as likely as small sites to have their user information stolen. With regard to online purchasing, you have to accept the risks (wisely) or don't use it at all.

  • Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.
  • Pass. Always opt out.

  • Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.
  • Fail. I won't talk about how I create passwords, but they don't follow these rules.

  • Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.
  • Fail.

  • Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
  • Pass. A while back, I was purchasing some books from a site and their order page was non-SSL. I raised a stink ... only to find out that I could've just typed "HTTPS" with the same address. Still, they should've linked me directly to a secure protocol. Most people wouldn't have even noticed.

  • E-mail : Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.
  • Fail. AFAIK, you can't disable HTML e-mail in Outlook. Just be careful. I've been considering switching email clients, but with contact management to move, that's a big step.

  • Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.
  • Pass. Deleting spam has become a daily chore.

  • Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.
  • Pass.
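As an added illustration (not part of the original post or of Schneier's list), this PowerShell check audits the two Windows settings from that item: the Explorer "hide extensions" flag and which program the common Windows Script Host extensions open with. The registry paths are the standard Explorer and file-association keys; the set of script extensions is my assumption of what the Scripting Host handles.

```powershell
# Added example: audit the Explorer HideFileExt setting and the script-file
# associations that Windows Script Host claims by default.
# Assumes Windows PowerShell 5.1+ and read access to HKCU and HKEY_CLASSES_ROOT.

# 1. "Hide file extensions for known file types": 1 = hidden (risky), 0 = shown.
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -eq 0) {
    Write-Output 'OK   : file extensions are shown in Explorer'
} else {
    Write-Output "WARN : HideFileExt=$hideExt; fix with: Set-ItemProperty -Path '$advKey' -Name HideFileExt -Value 0"
}

# 2. Extensions the Scripting Host handles (assumed list). For each one, resolve the
#    ProgID and its "open" command, and flag anything still routed to wscript/cscript.
#    HKEY_CLASSES_ROOT is the merged view, so per-user overrides under
#    HKCU:\Software\Classes are taken into account.
$scriptExts = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
foreach ($ext in $scriptExts) {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) {
        Write-Output "INFO : $ext has no file association"
        continue
    }
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($command -match '(?i)\\[wc]script\.exe') {
        # Schneier's suggestion is to reassociate these with a harmless viewer such as Notepad.
        Write-Output "WARN : $ext -> $progId double-click runs the Scripting Host: $command"
    } else {
        Write-Output "OK   : $ext -> $progId opens with: $command"
    }
}
```

Run it from a normal (non-elevated) prompt; it only reads the registry and reports, so fixing anything it flags is a separate, deliberate step.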

  • Antivirus and anti-spyware software : Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."
  • Pass (partial). I use TrendMicro's online antivirus (oddly enough, only accessible through IE) and Lavasoft Ad-Aware monthly on all machines. It's a free solution that works.

  • Firewall : Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.
  • Pass. My router firewall does some of the work and ZoneAlarm (another free option) does the rest.

  • Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.
  • Fail. This would be icing on the cake, but apparently I have more work to do before I get to this point.

[ via BoingBoing -> Schneier on Security ]

10/17 pass and 7/17 fail (with 4 passes only partial). I've got some work to do.

[ posted by sstrader on 14 December 2004 at 10:12:53 AM in Science & Technology ]