Archive for the ‘malware’ Category

I just got through building myself a new desktop PC.  It’s a combination of the techno and the craftsman — a hot new unlocked 3rd-generation quad-core Intel i5 on a Gigabyte motherboard using the cool Intel Z77 chipset, but without any case.  That’s right, all the boards, cables, fans, and drives are mounted on a vertical wooden spine with nothing around them, hanging out there for everybody to see, bare and uncovered.  Kind of like doing the Bay to Breakers ride in San Francisco: hey, here’s all my stuff, like it or look somewhere else.

But this isn’t about building hardware, it’s about remembering the smug satisfaction I had when I hit the “on” button (an old round brass doorbell button) for the first time and all the engines lit.  I paged through the many Gigabyte BIOS configuration screens and saw all the stuff I could twiddle and reset, it was great.  Digging, getting inside things, looking behind the “user interface” and into the minds of the designers, this makes it all worth while.  Hacking it, making it truly mine.  Works for me, big time.

And in that context, it’s disturbing to see how the term “hacker,” which to me is a good and honorable word , is so often used to describe techno-criminals of the worst sort.  Some crook exploits a known exposure in software that a few idiot users have not patched, and steals passwords or vacuums their bank account, and they cry that they were “hacked.” They really weren’t hacked, they were robbed with a computer after they failed to take the most basic precautions to prevent it.  There is a profound difference between hacking and theft.

I suppose it’s useless to try to stop this wretched misuse of the word, once the general press locks onto a name for something they don’t understand it’s all over but the self-righteous pontification.  But I try; if somebody calls me a hacker I am silently pleased, and I hate to see a perfectly good word turned into a criminal classification.

I recently did find a really good description of what a hacker is, in my terms, and I pass this on for your edification, here.  If you want to hack, here’s the real deal from one of the experts.  What struck me, though, was that one of his suggestions was to become a better and more fluent writer in your own native language, because:

If your writing is semi-literate, ungrammatical, and riddled with misspellings, many hackers (including myself) will tend to ignore you. While sloppy writing does not invariably mean sloppy thinking, we’ve generally found the correlation to be strong — and we have no use for sloppy thinkers. If you can’t yet write competently, learn to.

He also points out that “attitude is no substitute for competence,” which is true to the core, and more surprisingly “develop an analytical ear for music,” and “develop your appreciation of puns and wordplay.”  Guess I’d agree with these, too, from my personal experience.  QED, the essence of being a hacker is no longer to be a reclusive, socially-disabled monomaniac.  Perhaps this reflects the almost overwhelming penetration of technology into our society.  The population of potential hackers is now much larger and includes all kinds of otherwise-normal people.  I’m for it.  Hacking is too much fun and way too important to our national future to be a closed community.

Read Full Post »

You are going to have to change the way you make up and use passwords, or you’re going to be very sorry.  There.  I’ve said it.  And I really mean it.  Sorry to start out so negative.  Read on, and I’ll tell you why.  And I’ll tell you right up front what to do about it, so you don’t have to read the whole thing if you don’t want.

This is different from the post I just wrote about the Mat Honan hack, which had nothing do to with password strength or hacking or encryption or anything like that, because in that hack the customer service drones at Apple and Amazon simply gave the hackers the passwords — nothing technical can protect you from that kind of “service. ”  No, this is about technically hacking your passwords using a psychological understanding of how humans construct passwords, databases of stolen passwords, and readily-available password-cracking software to lay waste to the presumed security of what people believe are “clever” passwords.  They aren’t clever, folks, they are transparent.

As Dan Goodin said in Ars Technica recently:

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

If you read the rest of this post, you will see how this works and why this really has become an issue in the last 6 – 9 months, where it wasn’t before.  If you believe me already and don’t want to dig into the details, fine, here is what you need to do.  If you’re not sure yet, read on — it’s technical but I have simplified it for you, and when you’re done back up to here and start executing these steps:

  1. You need to stop using anything but computer-generated, high-entropy gibberish passwords, at least 12 characters.  See below on the use of long passphrases;
  2. You should manage these passwords through a cloud-resident password manager such as LastPass or 1password, so you don’t have to remember them;
  3. Critical accounts should be protected by two-factor authentication, wherever they offer it (e.g. the service will send you a text-message with a numeric code you have to enter, in addition to your password.
  4. Anything you are storing in the “cloud,” e.g. iCloud, needs to be encrypted with a private key YOU and only you know, before this data leaves your PC.

There have been several papers, blogs, and articles published in the last 6 months that demonstrate this, specifically here and here and here.  These and a few more even more technical are my sources for this analysis.

Root of the Problem: Corporate Security Incompetence

Almost weekly, it seems, we read about some corporation or governmental entity announcing, “Oopsie, we have been hacked and our password files stolen.”  Yahoo, LinkedIn, Gawker, eHarmony, Lastfm, Sony (multiple times), and many more, all the way back to the RockYou penetration in 2009, are all part of this dismal litany.  Now you might think this is relatively harmless, after all they’re encrypted, right (well, sometimes, anyway they’re encrypted, but sometimes they’re not)?  But it turns out that a stolen password file is anything but harmless.  Right now, there are perhaps around 500,000,000 passwords that have in this fashion been turned over to  hackers, who then are free to crack them offline, and share the results of their cracking with each other.

From this immense database of cracked passwords they have extracted rules and probabilities and psychological principles about how real people try to generate secure passwords.  It turns out that these rules are rooted in our human consciousness and apply across broad swathes of the population.  For example, the lame exchange of “L”s by “1”s, or “B”s by “3”, or “O”s by zero and so on.  Or, your name followed by the year you graduated from high school.  Or two words with varying capitalization (duckspit or ducKspiT).  The crackers have built databases and rule engines that follow these and other examples, and run them against stolen passwords until they find a match.

But doesn’t that take, like, twice the age of the Universe to decrypt them?  Well, only if you’re trying to actually decrypt the password.  But they don’t do this — they use their giant index of already-cracked passwords and take yours, encrypt it, and compare the encrypted value with the encrypted password in their index.  If it matches one of them, presto, they have your password, no decrypting necessary!

Example: in the recent LinkedIn hack, they lost 6.5 million passwords, and it took only 6 days for 90% of them to be cracked.  Actually (and I can’t find the reference for this, but I read it somewhere) about 25% of them were cracked in something like the first 30 minutes.  Note the futility of rushing out three or four days later when you heard about it, and “changing your password.”  Almost certainly, your password had already been cracked.

Cracking Engines: Hardware and Software

And they can do this encrypting and comparing very, very quickly.  It turns out that not only are today’s PCs very powerful, the secret weapon is none other than the display adapter boards (GPUs, or Graphics Processing Units) that gamers and statisticians alike use to draw sophisticated images on their monitors.  These boards, by Nvidia, AMD, and others, are in reality very powerful floating-point calculators that are just right for carrying out encryption. You can plug in one, two, or however many you have card-slots for, and you have something that rivals a Cray of 20 years ago.

To make it worse, there is no shortage of free or low-cost software that leverages this hardware to perform the cracking.  Good examples, and far from the only ones, are John the Ripper, HashCat, PassPal, and ExtremeGPU Bruteforcer.  Take a look at them, it’s downright scary.

How fast are they? Well, Rick Redman of KoreLogic has a machine with four GeForce GTX 480s, certainly not huge by today’s standards, and he can try 6.2 BILLION passwords per second.  Yes, billion, and per second.  At this year’s Defcon hacker conference, a project computer called Project Erebus made up of 8 Radeon HD7970 GPUs demonstrated it could test every single combination of 8 characters, including upper and lower cases, numbers, and symbols, in 12 hours.  So, if your password was 8 characters or less, it would have been hacked in less than 12 hours.  Actually, in an average of 6 hours!  This machine, believe it or not, cost less than $12,000.

The Result is Where We Are Now

Which is where?  Corporations and website operators have proved dismally inept at protecting the most basic security component, their login / password files, and these losses have fed crackers who are armed with computational power nearly undreamed of only a few years ago, and software that makes unfortunately fine use of their advanced hardware platform, to extract the passwords.  A big part of the solution would be to punish the corporations who lose this data by a fine that threatens their existence, and put the CIO in prison for a decade, but I have no hope at all that any such thing will ever come to pass.  They own our data, and we have nothing to say about it.  And when they lose it, it’s tough luck — for us.

So we can no longer be Pollyannas and trust these site operators to competently protect our data.  Pretty much, eventually it seems that it will all leak out and fall into the hands of people with the means to pry it open.  So, prudence says to make YOUR passwords one of the ones they have to brute-force and so likely give up on.

The only solution then is to make sure that a) our passwords are long, and b) they are so random that they can’t be guessed according to the human-sourced rules the crackers have, and will fall only to lucky brute-forcing.  12 characters gets us back up into the “thousands of years” area but ONLY if the passwords are inhumanly random.  And that’s where the password-handlers I discussed above come in — they can do the heavy lifting for you in this approach — they’ll generate these passwords for you, store them, and then play them back when you need them.

But what about passphrases — long phrases that you can remember (presumably)?  Because they’re so long, aren’t they resistant to cracking? Well, as Jeremi Gosney has said, “If the phrase you have in mind exists anywhere in writing it’s probably in somebody’s wordlist and can be cracked with a rudimentary dictionary attack.”  So, none of that, please.

Should Password Crackers be Shot?

Actually, I think not.  At first blush, it seems that they are to blame for all our problems, punish them!  But really, if they weren’t doing this, and pointing out the problems, I can assure you the government and the serous crooks WOULD be doing it, and not telling us.  We would be fat and happy using 4-digit pins online, and they would be reading our every word and when push came to shove, they would own us.  So I applaud the crackers for punching holes in our complacency and forcing us to take better care of our online assets.

Final Thoughts on Internet Safety

Sometimes the people I talk to start thinking that the Internet is such a dangerous place that they should get offline at once, or they just give up and think that they can’t find off the hackers and crackers at all, so they might as well not try.  Neither of these is true.  The Internet is just another place we go, like a new downtown or maybe a foreign country.  There are online risks as well as offline risks; we are good at evaluating offline risks (where we would walk at 2 AM or whether we should get out of a stalled car at all on a freeway), but we are still learning about online risks.  Don’t lose heart, you can adapt as your children surely will.  It’s just the march of progress leading us into new places.

Read Full Post »

If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric  bombardment of his digital assets.  No, this was purely “social engineering,” the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data  they had figured out or augured out of somebody else.  You can’t fix this, Apple and Amazon (and others) have to, and to an extent they may already have. But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.


First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system  and let it generate your passwords (at least some of them), I use LastPass but there are others.   In my opinion, LastPass is the best.   If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.


This is the biggest convenience – security tradeoff area.  You log onto your gmail account, and lo and behold you can be logged into your calendar.  Or, you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate (because you told them to “log me in using Facebook, or whatever”) through another application.  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services., so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay to convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et.al. do it — I control LastPass myself, I don’t control Google.


All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you usually give them when you register with the service.   Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.   And put a different password on it than any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com andyourname@yahoo.com and yourname@facebook.com.  If you do this, if all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too. And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but it’s not.  But now, for you, it IS a good idea, right?   Again, LastPass will manage these passwords for you so logging in won’t be a chore.


Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here’s some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.

Read Full Post »

Make enough mistakes, and you will pay the price, no matter how much you think you know.  Here’s a good story about such a major hack, which was carried out on Mat Honen of Wired.  It’s worth reading, and reading carefully.

Part of the problem is rather egregiously poor security practices by AppleCare, Amazon, and to a certain extent, Google.  But a big part of the problem was self-inflicted, since Mat wasn’t properly backed up, he linked his cloud-service providers (iCloud and Google) together, he used the same prefix on many different email accounts (yourname@gmail.com, yourname@me.com, etc., you get the picture), and a few other things that made the attack much more successful and more painful.

He does have one key point, which is that cloud services should have higher security requirements than they do now, and that apparently the providers don’t understand that. Just a password is not enough. And as this points out, even the strongest password is useless if the provider’s customer service personnel will hand out your credentials in exchange for very weak authenticators, in this case billing address and last-four of your credit card.

It’s also not a good idea to link cloud accounts to each other, either using the linkages they provide for your use, or by using the same password on all of them.  This is not their fault, it’s yours.

Here’s the story, read it and weep: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Read Full Post »

I am split between a positive outlook about how the Internet has improved our lives and extended our experiences, and a generalized uneasiness over continuing breaches of privacy and loss of personal data by merchants and others. Here’s a great article that talks about how much companies DON’T have to report when they have a breach, this is really recommended reading:  http://news.yahoo.com/cybercrime-disclosures-rare-despite-sec-rule-073104140.html.

I’m not sure which is worse — that there are crooks going after our credit card numbers, companies that have grossly-incompetent security capabilities such as LinkedIn, or social media sites like Facebook or Twitter leak our private data around by sharing it, however indirectly, with advertisers.  It’s an ever-changing world and I guess you just have to go in with your eyes open.

Probably the most irritating thing is that there seems to be no downside for Internet security failures by companies.  LinkedIn’s approach to protecting their users passwords was juvenile or worse, they lost millions of them, and for some reason they’re still in business.  Ditto Zappos and others.  And the SEC has been so gutted by budget cuts that they can’t even enforce the laws on the books.  So, in this context, I’m sure most companies see data security as kind of an optional thing, to be evaluated on the basis of PR possibilities and mainly cost.  Bah, sometimes it’s enough to make you a communist.

Read Full Post »

I am hoping that now that we have brought about an abrupt end to Osama bin Laden’s involvement in the International Terror franchise, that cooler heads might prevail in fashioning our response to the actually-continuing threats from various domestic and international nut-cases.  I’m not optimistic.

Look, here’s the crux of it.  In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities.  A trillion dollars.  This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11.  Of course, that’s awful, and a tragedy.  But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that.  We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event.  Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people  how many were killed in the 9/11 attacks.  The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died.  So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.”  Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you.  And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

  • Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;
  • Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;
  • This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;
  • But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.
  • Unfortunately, this is what we have going right now.

I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, I’m going to focus this post on cyber-security, but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress.  This line of thinking holds that we are as a nation exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, how we are defenseless against these attacks, how our way of life will vanish, millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Richard K. Knacke of the Council on Foreign Relations (2010).  This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting.  All this, ” . . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such is more a work of speculative fiction than a sober report of the state of our cyber-defenses, whatever they are.  That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up.  Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies.  For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved.  How our money moves, they could stop that.  Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.

If you take this at face value, it does seem pretty scary.  But believe me, as one whose whole career has been in software development and system implementation, just asserting something is  possible a very long way from actually being able to do it.  Mostly, in all the Congressional hearings, and in Clarke and Knacke, all we get is this kind of talk but with no empirical evidence discussing how these attacks would possibly work.  And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics?  I think there are a couple of things at work here.  First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing.  They hear about the theft of corporate and governmental databases, which seem to continue unabated.  They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

  • Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;
  • In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;
  • The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;
  • After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them.  This is going on right now, re: the Internet and foreign hackers, in spades.  But as stated in Brito and Watkins (reference below):

Fear is not a basis for policymaking.

And yet, fear appears to be our driving stimulus in this situation.  That is not a good sign.

Read Full Post »

Lets say that you are using all the right techniques for protecting yourself out on the Internet — as outlined in my previous posts (here, and here), including using an ID / password database like LastPass.  But right on your own machine you have sensitive and personal files, perhaps your tax returns, your investment worksheets, private letters, or the details of your opinion of your manager at work.  You don’t want these to be broadcast to the world, or to fall into the wrong hands.  But if they’re on your own computer they’re safe, right?  Wrong, for two reasons:

  • You might lose your laptop — someone might steal it, or you might accidentally abandon it in an airport, a cab, or a cafe.  Your files just became available.  This problem is magnified if you keep these files on a USB drive — a pocket or “thumb” drive — which is easier than a pencil to lose.  Note that an astounding 12,000 laptops are lost in US airports every week, and 2/3rds of them are never recovered.
  • Your computer might ingest some virus, worm, or other malware specimen, that just might be trained to browse around and transmit to who knows who anything interesting it finds in your machine.

So, relying on physical custody of the machine, or relying on it being in your bedroom but still connected to the Internet, is not a winning strategy.  Before you take to filling out your tax forms in longhand, there is a very good solution: store these files in an encrypted vault on your hard drive, a vault that only you have the key for.

There are products out there that get advertised as “secure” and “encrypted by a secret, proprietary method,” and you should stay away from these as they can be broken into quite literally in minutes.  You need to use something that uses the standard encryption approaches that the government uses — AES (the Advanced Encryption Standard), Twofish, or the like.  These will protect your vault — if you choose a strong key — literally centuries after you are dead and gone.

The best of these is a package called TrueCrypt, which I use myself.  And please note that I receive nothing whatsoever from them for this endorsement, I recommend it because I use it and for no other reason.  Plenty of heavy-duty security gurus are TrueCrypt users, so you don’t have to take my word for it.  And it comes for Windows, Mac, and Linux systems.

Here’s what you do.  Go to the TrueCrypt website, download it, and install it.  Then, when you’re ready to create a private vault, decide how many megabytes you want in the vault, and follow their instructions to allocate and create it.  Create a strong password — a really random one — perhaps using LastPass to generate it.  TrueCrypt will format the vault, and thereafter it will behave just like another disk drive on your machine: you can copy to and from it, edit files in it as if they were not encrypted, and so on.  TrueCrypt encrypts and decrypts “on the fly” as you use it, you are never aware that this is anything but a real disk drive.

And this works on a USB drive, too, and you can even encrypt the entire USB space if you want, it’s that flexible.  Each TrueCrypt vault has a password associated with it (they could always be the same, I suppose) and anyone who looks at them will see only a mass of gibberish — no file names, no nothing at all.  The secret is in the password.  Use a package such as PasswordSafe, LastPass, or a website like Steve Gibson’s password generator, to get a nice, long, really high-entropy one that will resist even a focused, brute-force attack.

Just as a sidelight, TrueCrypt can be handled in a way that effectively hides even the existence of the vault in such a way as to provide plausible deniability that there is any encrypted data at all.  They describe this in their documentation here.  Needless to say, dictators and repressive regimes throughout the world are very displeased with TrueCrypt for this reason!

One of the things you have to do when you start to deal with Internet security is to make the assumption that the worst will in fact happen, and take steps for that eventuality.  TrueCrypt should be one of these steps.

Read Full Post »

Older Posts »