No matter how vigilant we might be, most of us do at least one unwise (read: unsafe) thing when it comes to using our PCs, mobile phones, and other Web-enabled gadgets. Some of these seemingly innocent habits, however, can have disastrous consequences. You might lose years of work, risk the security of your online accounts, or expose sensitive personal information, all through a seemingly innocuous act of carelessness.
To help you clean up your act, we’ve identified seven common computing habits that have security implications. We’ll tell you why and how you should break them.
Bad Habit #1: Carrying unencrypted drives, discs, or laptops
Are you listening, doctors, administrators, and employees of insurance companies, financial institutions, and municipal agencies? This is one of the worst habits you can possibly have—and most of us do it every day. If someone steals your unencrypted flash drive, CD, or DVD, there isn’t anything stopping him or her from popping it into his or her computer and seeing the contents. If someone gets his or her paws on your laptop, it’s not hard to bypass your Windows password to see your files, documents, and browsing history by inserting a Linux CD, for example.
Data theft horror stories have become commonplace in the news. Among the most serious was a breach that exposed the personal information of over 26 million troops and veterans when a laptop and drive were stolen from the home of a Veterans Affairs worker in 2006.
Encrypting your drives, discs, and laptops is the only way to protect your data when it gets into someone else’s hands. Of course, you might not need to encrypt every drive or disc, but you need to protect anything with sensitive information on it.
One helpful tool that can make it easy to break the unencrypted data habit is TrueCrypt, a piece of free open source disk encryption software. Using it, you can create encrypted file containers to store select files and documents, or you can encrypt entire partitions or drives. You can even protect the Windows partition or drive, so all your system files, browsing history, cached passwords—everything—is protected. [For further help, refer to my tutorial series on the subject.]
If you want to protect a flash drive that you carry around to other people’s computers, consider using FreeOTFE. It’s another free disk encryption utility. However, this one doesn’t require administrative rights to decrypt and access your files, so you can use it on any PC. [See my recent tutorial on this solution.]
Bad Habit #2: Ignoring mobile phone security
If you e-mail, browse the Web, store files, or use Bluetooth on your mobile phone, you need to treat it like any other computer. You need to consider all the privacy and security issues. Check out the security features of your particular phone and possibly see if there’s an encryption app you can use to secure the phone and/or files.
If your phone has a Wi-Fi chip and you use hotspot connections, consider using a VPN connection to secure your local traffic. Otherwise, make sure your e-mail and sensitive browsing are secured by SSL encryption.
Bad Habit #3: Not having a backup and disaster plan
Faith alone isn’t enough for a disaster plan. At any time Windows can become corrupt or you could have a fire or theft, losing your computers and your valuable data. The hardware is replaceable, but your personal files, documents, and photos are likely priceless and irreplaceable.
You should back up your important files, either to another office or home or to an online storage service. Mozy, iDrive, and Carbonite are a few online providers you can consider. When shopping around for a backup solution, consider features like incremental backups and version saving.
Bad Habit #4: Storing passwords in clear-text
Don’t create long, complex passwords just to store them in an unsecured text or Word document. If your computer or phone is stolen, the thief will have all your login credentials. You’ll have to change all your passwords.
You can still create and store your passwords, but use a password manager that encrypts them. LastPass is one solution that works on just about all operating systems and mobile phones. It keeps your credentials synchronized between the browsers on all your Windows, Mac, and Linux systems, and you can access them on your mobile phone or anywhere via your online account.
Bad Habit #5: Not using proper encryption for your Wi-Fi network
Wi-Fi is by default open and not secure. To stop others from connecting to your network and from seeing the data traveling through the airwaves, you must enable encryption. Don’t use WEP encryption; it can be quickly cracked.
The best encryption is WPA2. Try not to use mixed WPA/WPA2 or TKIP-RC4 with WPA2. Use WPA2 with AES-CCMP only.
If you’re setting up a home network, you can use the simpler pre-shared key (PSK) mode, also known as the personal mode. However, make sure you create a long and complex encryption passphrase, because PSK networks are still susceptible to password cracking with dictionary-based attacks. Go nuts, use something like this:
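Why passphrase length matters in personal mode, as an added example that is not part of the original article: WPA2-PSK turns the passphrase and the network name (SSID) into a 256-bit key with PBKDF2-HMAC-SHA1 and 4096 iterations, so a guessable passphrase yields a computable key. The Python below derives that key, flags weak choices, and generates a random 63-character passphrase. The function names, the review thresholds, and the sample word list are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII (space through tilde): the characters allowed in a WPA2 passphrase.
ALLOWED = string.ascii_letters + string.digits + string.punctuation + " "

def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA2 pre-shared key as hex (PBKDF2-HMAC-SHA1, 4096 rounds)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(ch not in ALLOWED for ch in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the salt, so the same passphrase gives a different key per network name.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)
    return key.hex()

def random_passphrase(length: int = 63) -> str:
    """Generate a passphrase from the OS CSPRNG, uniformly over the allowed set."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALLOWED) for _ in range(length))

def random_entropy_bits(length: int) -> float:
    """Entropy of a passphrase of this length chosen uniformly at random."""
    return length * math.log2(len(ALLOWED))

def review(passphrase: str, wordlist: set) -> list:
    """Return reasons a passphrase is a poor choice for PSK mode (assumed thresholds)."""
    problems = []
    if passphrase.lower() in wordlist:
        problems.append("appears in a common-password list")
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    if len(set(passphrase)) < 8:
        problems.append("fewer than 8 distinct characters")
    return problems

if __name__ == "__main__":
    sample_words = {"password", "letmein", "linksys123"}  # constructed sample list
    print(derive_psk("password", "IEEE"))
    print(review("password", sample_words))
    new = random_passphrase()
    print(new, round(random_entropy_bits(len(new))), "bits", review(new, sample_words))
```

Because the SSID is the only salt, a default network name combined with a common passphrase is the weakest pairing; changing both is the fix.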
If you’re a business or organization and have employees on the network, you need to use the more complex enterprise mode that requires an external RADIUS server. There are lower cost servers (such as Elektron) targeted for smaller deployments and outsourced services (such as AuthenticateMyWiFi) that host the server for you. When configuring the client authentication settings in Windows, make sure you enable server verification, specify the server address, and don’t prompt users for new certificates. These settings help prevent man-in-the-middle attacks.
Bad Habit #6: Using Wi-Fi hotspots or public Internet without protecting yourself
Some of the large Wi-Fi hotspot networks (such as T-Mobile, iBahn, and iPass) provide secure connections with 802.1X authentication and WPA/WPA2-Enterprise encryption. However, most do not and are unencrypted. Therefore, people in and around the hotspot would be able to snoop on all your Web traffic.
Make sure your e-mail and other sensitive services you use while connected to hotspots are secured by SSL encryption. If you can’t easily secure your e-mail client, for example, you should consider connecting to a VPN server to secure your traffic from local eavesdropping. If your employer doesn’t provide VPN connections, consider using a commercial or free outsourced service.
Bad Habit #7: Using clear-text protocols and services
Surprisingly, most of us still send and receive most of our e-mail and information insecurely through local networks and the Internet. Most of the protocols and technologies we use transfer data in what we call clear-text, so passwords and data are readable by eavesdroppers. POP3, IMAP, FTP, and Telnet are just a few examples.
If you access your e-mail via a Web browser, make sure SSL encryption is enabled, indicated by an https:// address instead of http://. If you use an e-mail client, like Outlook, make sure SSL encryption is enabled in your account settings.
Remember, you still don’t want to send really sensitive information via regular e-mails. You’ll want to completely encrypt those messages, such as by using a third-party service like Send. If you regularly send sensitive information between select people, consider setting up and using OpenPGP encryption.
If you use FTP for file transfers, use it with SSL encryption. This is supported in the free and open source FileZilla Server. You can also use SSL encryption with the MySQL protocol. For Telnet, use SSH instead.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books for brands like For Dummies and Cisco Press.