Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Secure Thinking

April 29, 2016 By Doug

I often speak on ‘Secure Thinking’ to a variety of audiences, and share some suggestions on how to keep themselves safer in their online lives. Here are those tips:

 

  • Patch your systems regularly (Patch Tuesday is a great start)
  • Run anti-malware, but don’t pay too much for it.
  • Uninstall Flash completely. If you need it, run it inside Google Chrome (and only use Chrome for Flash sites). Likewise with Java in your web browser.
  • Stay off the seedy side of the net
  • Only install software from trusted sources
  • Don’t click links in emails.
  • Avoid Wi-Fi hotspots, or use a personal VPN if you need to use them. I use getcloak.com
  • Never, ever use a public computer, for anything. It’s like swimming in a sewer.
  • If you find a USB thumb drive, destroy it – never plug it in.
  • Encrypt your data – FileVault or BitLocker
  • Back up your data to a trusted repository
  • Use robust, unique passwords for every site. I use 1Password from agilebits.com to manage mine (and store a copy of the file with another family member)
  • Enable two-factor authentication when it’s offered
  • Enable a passcode on your phone. If it’s iOS or a Google Nexus running Marshmallow or newer, consider using the fingerprint reader to make it more usable.
  • Only use Google Nexus Android devices to ensure you can stay current
  • When asked for secret questions, lie – and record those lies in 1Password.
  • Lie to websites that ask for information they don’t need – why does a game company need my real birthday?
  • If you receive an inbound phone call, don’t assume it’s real. Hang up without sharing any information and call the bank/insurance company/etc. back from the number on your card or statement.
  • Get a credit freeze – not credit monitoring. Brian Krebs has a great article on this. Store your PIN in 1Password, and keep a backup copy of the vault in a safe place.

 

In the end, it boils down to simply being aware.

 

Think about security!

Filed Under: Security Tagged With: data security, encryption, everyone, iphone, mobile, personal, public computers

Gentlemen, Encrypt Your Data, Part I

January 15, 2016 By Doug

A friend of mine used to shoot dead chickens out of an air cannon at fighter jet canopies to test them against bird strikes. She told me a story that a team in the UK was trying to replicate the process, but kept shooting the birds right through the canopy. When they reached out to the US team, our folks replied with a simple message: Gentlemen, thaw your chickens. That’s become a sort of shorthand for doing something that should be obvious, but isn’t.

From whole disk encryption to public key cryptography, encryption has a long history of being the magic bullet that will solve all our information security problems. If only it were so! Yet encryption is a key defense against the Bad Guys™ for us as individuals and as organizations. In part I of this two-part post, I’ll share some thoughts about using it to protect your own information. In part II, I’ll talk about how it can help businesses protect their employees, customers and shareholders.

I know there’s a lot of concern about secret back doors (or front doors as they’re now being rightspeaked) in major encryption solutions. While I do have a large stock of tinfoil hats (they hide me from the black helicopters), let’s be a bit pragmatic here for a minute. If a nation state wants to get my data, they’re going to. They’ll break into my home, install a keylogger in my machine, and capture my password. Or book a seat next to me on an airplane or grab the table next to me at my local coffee shop so they can record me unlocking my computer, or even use Rubber Hose cryptography to get me to reveal my passphrase.

Likewise, when I’m online, my computer is unlocked and the information accessible, so any malware on my computer will be able to phone it home (that’s why patching is so important). So why do we worry about encryption? The big one is theft. I’ve had a laptop stolen in the past (right out of my docking station over a weekend) in an office behind a door with a badge reader and a security guard – and I’m not alone. By some estimates 10% of all laptops are stolen in the first year of ownership. So the threat we’re talking about here is that if someone grabs my laptop out of the tray at the airport, hacks the hotel room door, or simply steals my car with my backpack in the trunk, my entire digital life is now exposed and at risk.

And that’s what encryption helps protect. It’s the difference between “oh crap, I lost a piece of hardware and have/get to buy a new model” and “oh bleep, I have to drop everything and try to figure out what the damage is”. It’s important to use a good passphrase or password, and you’d better remember what it is. If you forget it, you’ll lose your data for sure. By the way, that’s why I like passphrases for this kind of thing more than passwords – it’s easier to remember a complex phrase than it is a complex password. I recommend putting all your drive encryption passwords into a secure password vault like 1Password, because it may be years later when you have to decrypt the data, and you may not remember the one you used.

If you use a Mac, it’s easy to turn on FileVault 2; just follow these instructions. Make sure you encrypt your Time Machine backup too. For Windows, turn on BitLocker. Just be careful – if your Windows 10 device came with BitLocker turned on, you need to turn it off, then back on in order to encrypt the entire disk. For cloud services, well, that’s a whole different post!

It’s easy, simple, and free. Like thawing your chickens.

Image (c) DepositPhotos / Cseh Ioan

Filed Under: Security Tagged With: data security, encryption, personal, small business, WDE
