Tuesday, July 20, 2010

Do You Trust Unknown Computers? Paranoia, Part 1

You may call it paranoia, but I call it caution. Do you drive recklessly without wearing a seat belt? Do you wander through bad neighborhoods at night? You probably avoid these behaviors because they are dangerous and you know what could happen if you did do them. You have made a decision that they're not worth the risk. Is that paranoid? No, you're being cautious, and that's a good thing.

So when I say that I won't check my email on any computer except my own, I get told I'm being paranoid. I don't see it that way. I see checking my email on other computers as being dangerous and I know what could happen if I'm not careful. This article is the first in a series on being paranoid about privacy and security with your digital life. Except that it's not really being paranoid, it's being cautious, and I'm going to tell you why.

We all know that malware exists. Everyone has heard one of the various terms used to describe it such as virus, trojan, spyware, adware, scareware, and rootkit. The list goes on. The general feeling about malware seems to be that it makes your computer really slow and not work right. Except that if it's doing that then it's not doing its job very well. Most malware you'll never know you're infected with until one day you realize you've become the victim of identity theft and you'll wonder how it happened. The malware you really need to be worried about is quiet, unobtrusive, and farms your computer for information that it ships off to its controller.

Ready for some numbers? According to data collected by Panda Labs, out of 21.5 million computers they scanned from businesses and homes in over 100 countries, 47.87% of them contained malware. Nearly half of the computers were infected. That's the reason I won't use other people's computers for anything requiring me to enter a password. While I'm pretty sure my own computer is safe, I have no clue about anyone else's.

What does this mean for you? That means that you certainly shouldn't use a public computer like those found in libraries or coffee shops, you shouldn't use a computer that belongs to a friend or family member, and you shouldn't even use a computer that was configured by a security expert. You should only use a computer that you configured and have protected from unauthorized use and unauthorized software. Now when I say "use," do I really mean "use at all?" The answer is no. If you want to check the weather, or a sports score, or anything else really that doesn't require a password or make use of personal information, then that's okay. Your passwords and other private information are what you need to protect by only using computers that you trust. In order to trust a computer, you have to know it and that means having exclusive control over it.

If you disagree with my proposed safe computing habits then that's fine, it's your life. You can live it how you choose. If nothing else I hope I've given you something to think about the next time you borrow a friends computer to check your email, log into facebook, or buy something from Amazon. I think of it as being cautious, but you can call it paranoid if you want.

Wednesday, July 14, 2010

Are Your Passwords Really A Secret?

Are your passwords really a secret? For a lot of people, that answer is a resounding "no". And just so that you are clear, I'm talking about every single password you have. That includes your Facebook, your email, your bank, your computer and any other place that uses a password for authentication. Are your passwords really a secret? If you're answer is anything other than "yes," then you should seriously think about why.

Think about all the couples out there who think it's cute to log into each other's Facebook accounts. Or the ones that know each other's email passwords. What do you suppose happens when they split up? Is it still cute when they start defacing your Facebook page or lock you out of your own email account?

I knew someone while I was in college who's account on the school computers stopped working. There was some hiccup in Active Directory somewhere and she couldn't log in. Her solution? Instead of calling the help desk and having it fixed she just borrowed her roommate's password and would log in using her roommate's account whenever she had to use a computer in one of the school labs. And her roommate was totally fine with this! Think about the fact the the exact same credentials gave you access to a user's account on the lab computers, the course registration program, their Blackboard account, and their school email.

When I bought my Motorola Droid, I got it from a Verizon Store. The sales person I worked was very friendly and helpful. She turned on the phone and proceeded to activate it, just like they always do. Then she handed me a piece of paper and a pen, asking me to write down my Gmail username and password. She was genuinely surprised when I flatly told her "no." It turns out that whenever she asks customers to do this, they comply without any question. I mean we're talking about the password to your email account. The account to which all other online accounts are tied to and where reset emails are sent if you forget your password somewhere. And people would hand this over to a complete stranger who also, incidentally, likely has access to your billing information, home address, and maybe even your social security number.

I'm sure that everyone has probably had someone sit down in front of their computer and ask for the password so they can check something online. Whenever this happens to me I usually just look at the person and say "really?" To which the response is almost always "What? Don't you trust me." I hate to break it to you, but no, I don't trust you. At least not that much. And it's not that I necessarily think you will do something intentionally malicious, but I certainly don't trust you not to do anything foolish.

Ultimately whether or not you share your password with someone else is up to you. It all comes down to trust. How much do you trust another person? And trust is more complicated than whether or not someone will use your password to be intentionally harmful. Trust is also accountability. What are you going to do if you let someone use your password and they get phished or install a virus on your computer thinking it was a game? Also consider that a 2008 study found that most people use the same one or two passwords everywhere online. That means that while you might have only meant to share one password, but actually just shared half of your passwords, or maybe even more.

Monday, July 12, 2010

Enforce Security Practices by Disrupting Work Flow

Convincing some people to practice good security in their daily life can be a challenging task. If someone chooses to be careless with their personal computer it may be frustrating, but there really isn't anything you can do to force them to practice good security. At least not in any ethical way. But what happens when you are a system administrator for a small company and the employees there don't seem to care about following the company policies for security?

I know a system administrator who had a creative solution to this problem. In an office that had a lot of clients and visitors coming in and out frequently, it was important for employees to lock their workstations when they would walk away from them. Some of the employees, however, failed to view this as a priority either because it slowed their work flow on returning or they simply didn't care. So the tactic the sysadmin would take was to punish the employee in a relatively harmless way so that through the magic of operant conditioning they would learn to lock their workstation.

The punishment the sysadmin chose was one that would disrupt their work flow and cause inconvenience rather than harm. The key was to ensure that the inconvenience for not locking a workstation is greater than the inconvenience incurred by locking it. So what did he do? When the employee left their computer unlocked, the sysadmin would create a new text file on the user's desktop and name it something like "I will lock my screen.txt". Then he would copy the file around 400 times so when the user would return their desktop would be covered in copies of this file. Since a lot of users save files to their desktop and launch programs using shortcuts that are stored there, this caused them consternation when trying to open new files and programs. Was it annoying? Yes. Was it harmful? No. Was it a little bit childish? Possibly. But did it change the behavior of the employees? You bet it did.