Revisiting Security and the Cloud
A “hacker” gained access to a Twitter employee’s Google Docs account, and sent some sensitive corporate information to TechCrunch, which is now debating whether or not to publish the information.
The ethics of TechCrunch I’ll pass on for now, but one worthy message: we should be more careful with our logins and passwords, what we share online, and remain distrustful of the “cloud.” Even in today’s world of social sharing everything and mobile computing, I still follow the old adage: if you want to keep stuff private, don’t put it on the web, period. Since there is no such thing as a secure system, the best place for data you want to keep secure — is outside said system.
That said, there are obviously a lot of conveniences to be had with using some services online — online bill pay and banking come to mind. But I use such services sparingly and as carefully as possible.
Here are some steps I’ve taken to keep those accounts secure:
- Every account has a unique, complex password (Google has some great suggestions).
- Change passwords periodically.
- Set up a separate email solely for these services.
- Logins and passwords are not stored digitally on any computer.
- Clear cookies on browser quit.
- Laptop has no important documents on it (both in case of theft or hard drive failure, which happens more often on portables). All documents are backed up to the desktop regularly.
- Desktop accesses the Internet using Ethernet, not WiFi.
- Regular backups.
- Computers have logins and passwords.
- Computers are Macs which have less viruses, trojans, and keystroke loggers.
As I write this, I already see some places where I could take things further:
- Unique, complex logins for every account.
- Copy backups and store in another secure location, away from the computer.
- Change logins and passwords even more often than I do now.
This all may sound drastic, but I’ve had an email account broken into, received form letters from banks regarding data breaches at data centers, and a company I worked for had an employee laptop stolen which contained data affecting several thousand employees.
So I fall on the cautious side, which explains why I won’t sign up for a financial service like Mint or put online banking on my iPhone. I am willing to give up convenience (having logins and passwords stored in cookies for example) for security.
The tug of war between convenience and security is made more complex by the influence of social media, which encourages everyone to share so much of our personal lives online (some answers to security questions could be broken for some through a simple Google search), and mobile computing which drives desire for access to our data wherever we are. The end result is people being far too cavalier with their data in the name of convenience and then backpedaling, calling for more privacy, once security has been compromised.
But the Twitter situation is playing out as expected: it’s not Google or TechCrunch’s fault; it comes back to personal responsibility, the Twitter employee who was targeted and whose account was hacked. So if you have data you want to keep private, do what you can to protect it, because if it’s ever compromised, most of the blame will — fair or not — fall on yourself.
Anyhow, what sort of strategies do you take to manage your online accounts? Any tips are welcome.
[…] employee’s Google Apps account. Cue a chorus of commentary alleging how this shows that if you want to keep stuff private, don’t put it on the web, period, because cloud security is not ready for prime time and nothing is secure on the […]
Here’s what I do: I use 1Password to store all of my passwords. My master password is a tough one, but one that I can remember (1337 speak helps when making passwords).
I use Dropbox to sync the passwords between machines, but as the password files themselves are encrypted, they’re useless to anyone without the master password.
Each individual site’s password is randomly generated, with letters and numbers (and sometimes punctuation). My email accounts are secured, too — as most passwords can be reset via email.
If I suspect an account has been compromised, I change the password immediately.
Email is stored on the server via IMAP — and as mentioned before, I use Dropbox. I don’t mind using the cloud, as long as sensitive stuff is encrypted and reasonable measures are taken to protect the account itself.
I wish more sites would adopt IMAP’s kind of caching — in the event that my IMAP server dies, I can use my local cache to rebuild somewhere else. I can’t do that with most “cloud” services available today — if Delicious disappeared tomorrow, I’d lose a lot of bookmarks.
I should check out dropbox, especially in comparison with .mac (iDisk)
that I currently use for some files. But your mention of encryption
reminds me, I don’t have Any of that going on with local files.
There’s filevault but I winder if there’s a good desktop app for that…
Oh yeah, Dropbox fills a bunch of gaps that you miss when you don’t have .Mac (I dropped .Mac when I discovered shared hosting).
As for encryption of files — you could just make a disk image with Disk Utility — a sparseimage would do the trick, as it expands to accommodate more files. Choose AES encryption, and set a password. You could even save that to your Dropbox and have it synchronize between computers, though it would probably use a ton of bandwidth to keep uploading it every time you change your files.
TrueCrypt is better, if you need compatibility with Windows machines (or Boot Camp/Parallels/VMWare). TrueCrypt is probably more secure than the encryption used for Apple’s disk images, but I’m a big fan of using built-in stuff whenever possible.
Oh, and forgot to mention financial stuff — I’m also hesitant to enable auto-pay stuff. I have my credit card send me a paper bill in the mail, but I pay it online. They’d love to withdraw money directly from my bank account whenever they feel a bill is due, but I think there’s too much potential for an error to go unnoticed. This way, I can read over the bills and make the decision to pay.
Filevault would be worthwhile on the laptop — there’s no way to get into a Filevault account without the password, so you can sync documents and whatnot to the laptop without worry.
[…] services we use, but the basic security we apply in our use. Webomatica has good write-up of some security precautions you can take, but I’m not sure about being distrustful of the “cloud” as I rather like my […]
Just as a follow-up — I bought Pukka because it periodically makes backups of your online bookmarks.
It makes for much easier posting, too, but I really like the backups.
[…] a Twitter employee’s Google Apps account. Cue a chorus of commentary alleging how this shows that if you want to keep stuff private, don’t put it on the web, period, because cloud security is not ready for prime time and nothing is secure on the […]