Archive for July, 2010

Lets say that you are using all the right techniques for protecting yourself out on the Internet — as outlined in my previous posts (here, and here), including using an ID / password database like LastPass.  But right on your own machine you have sensitive and personal files, perhaps your tax returns, your investment worksheets, private letters, or the details of your opinion of your manager at work.  You don’t want these to be broadcast to the world, or to fall into the wrong hands.  But if they’re on your own computer they’re safe, right?  Wrong, for two reasons:

  • You might lose your laptop — someone might steal it, or you might accidentally abandon it in an airport, a cab, or a cafe.  Your files just became available.  This problem is magnified if you keep these files on a USB drive — a pocket or “thumb” drive — which is easier than a pencil to lose.  Note that an astounding 12,000 laptops are lost in US airports every week, and 2/3rds of them are never recovered.
  • Your computer might ingest some virus, worm, or other malware specimen, that just might be trained to browse around and transmit to who knows who anything interesting it finds in your machine.

So, relying on physical custody of the machine, or relying on it being in your bedroom but still connected to the Internet, is not a winning strategy.  Before you take to filling out your tax forms in longhand, there is a very good solution: store these files in an encrypted vault on your hard drive, a vault that only you have the key for.

There are products out there that get advertised as “secure” and “encrypted by a secret, proprietary method,” and you should stay away from these as they can be broken into quite literally in minutes.  You need to use something that uses the standard encryption approaches that the government uses — AES (the Advanced Encryption Standard), Twofish, or the like.  These will protect your vault — if you choose a strong key — literally centuries after you are dead and gone.

The best of these is a package called TrueCrypt, which I use myself.  And please note that I receive nothing whatsoever from them for this endorsement, I recommend it because I use it and for no other reason.  Plenty of heavy-duty security gurus are TrueCrypt users, so you don’t have to take my word for it.  And it comes for Windows, Mac, and Linux systems.

Here’s what you do.  Go to the TrueCrypt website, download it, and install it.  Then, when you’re ready to create a private vault, decide how many megabytes you want in the vault, and follow their instructions to allocate and create it.  Create a strong password — a really random one — perhaps using LastPass to generate it.  TrueCrypt will format the vault, and thereafter it will behave just like another disk drive on your machine: you can copy to and from it, edit files in it as if they were not encrypted, and so on.  TrueCrypt encrypts and decrypts “on the fly” as you use it, you are never aware that this is anything but a real disk drive.

And this works on a USB drive, too, and you can even encrypt the entire USB space if you want, it’s that flexible.  Each TrueCrypt vault has a password associated with it (they could always be the same, I suppose) and anyone who looks at them will see only a mass of gibberish — no file names, no nothing at all.  The secret is in the password.  Use a package such as PasswordSafe, LastPass, or a website like Steve Gibson’s password generator, to get a nice, long, really high-entropy one that will resist even a focused, brute-force attack.

Just as a sidelight, TrueCrypt can be handled in a way that effectively hides even the existence of the vault in such a way as to provide plausible deniability that there is any encrypted data at all.  They describe this in their documentation here.  Needless to say, dictators and repressive regimes throughout the world are very displeased with TrueCrypt for this reason!

One of the things you have to do when you start to deal with Internet security is to make the assumption that the worst will in fact happen, and take steps for that eventuality.  TrueCrypt should be one of these steps.


Read Full Post »

This adds onto my recent series of posts on personal security on the Internet, with some suggestions on software that can help you secure yourself more completely.  OK, so even if you’re following my suggestions in my last post (here) for a simple password scheme, it can get a little confusing, so here’s a few software products that can help out.  We’ll start out discussing password databases, and then a file-encryption vault in the next post.

Storing passwords.

The problem here is that if you get some malware on your machine, it will snoop around looking for the file you made called “passwords” and send a copy of that file off to it’s master somewhere.  Even if you called this file “Uncle Otis’ Birthday,” most malware is smart enough to just look inside your files and find the neatly-arranged ID / password pairs and presto: you are penetrated.  The way you avoid this is by having this data in an encrypted data store, where only you know the key.  Don’t even think about using Excel and having Excel “encrypt” the data, this is baby-step encryption and it can be brlken in less than 3 seconds by several password crackers on the market.

So what to use?  My most basic suggestion is called PasswordSafe, a free program invented by security maestro Bruce Schneier.  I have used PasswordSafe for several years and it’s a fine product and is supported by bombproof, government-grade encryption.  What it does is keep an encrypted database of ids/passwords (and other stuff, like the idiot “secret questions” and so on that some sites demand).  You open the database with one password, and double-click the appropriate site’s entry.  The password is copied to the clipboard, from whence you paste it into the password field on the website.  PasswordSafe then erases the clipboard.  It has lots of other features including the ability to generate completely random passwords for you if you wish.

PasswordSafe has served me well for several years until I started using LastPass, which I’ll discuss below.  Its very straightforward to use, free, and available here.

I have now started using a different password repository called LastPass, available here.  LastPass does everything PasswordSafe does, but with a while bunch of added features.  Mainly, it interacts through a plug-in with your browser(s), so that when you have it opened and in force, and it arrives at a site where you have an account, it fills the ID and password fields, and can even hit “enter” for you if you want it to.  You don’t have to pull up PasswordSafe’s panel, find the site, double-click it, and paste it in.  LastPass does all that for you, slick as anything.  You can set it to auto-log you in to familiar sites, ask you to review it’s form-fields for some more sensitive sites, and even demand another login to LastPass for some sites, as for instance your bank.

LastPass is cross-platform (Windows, Linux, and Mac) and has plug-ins for essentially all the browsers in common use — IE, FireFox, Safari, and Chrome.  So you are totally covered.  And it has a host of very cool capabilities, for example generating and managing some one-time passwords for use if you’re on public machines, and the ability to use an on-screen, mouse-driven keyboard for entering your LastPass id and password (to foil keyboard-logging software on a public machine), and the ability to work off of a USB drive.  It’s an extremely well thought-out and comprehensive platform and I recommend it highly.

One of it’s other key features is it’s ability to transfer and sync your encrypted database across all the machines you use, so you never have to do this yourself.  And it can do this without the company having access to your passwords at all, they do store it but they don’t have the password, only you do.  If you’re interested in the detailed security features built into all this, I recommend Steve Gibson’s Security Now podcast, specifically this one.

The password to your passwords

Both of these make the assumption that you have one password that is the master, that unlocks the vault for you.  With both products, you need to remember this password at all costs, since if you forget it, they can’t help you — the company doesn’t have it either.  So, write it down in a couple of places (NOT in a file on your computer!) such as in your wallet, or even a copy in your safe-deposit box, or whatever.  Make sure this password 1) is not a word, or a series of words, 2) is not something obvious like your phone number or social-security number, and 3) that you can easily remember.  If you’re stuck about this, you could use the first letter of a phrase that means something to you — but mix in some numbers and capitalize one or two of the letters.

Hope this helps you out!

Read Full Post »