In response to a reader Ben Brooks wrote a recent article about his personal data security practices. That got me thinking about my own risk posture and how I secure the devices I own.
Hard Disk Encryption
Ben starts off with advice on disk encryption.
The basic things to encrypt are: all of your HDDs/SSDs, your internet connection (when on a public network), your passwords, and any financial information you keep on your Mac.
Personally I don’t use it. Unless you are traveling to high risk areas ( China? ) or are a high-profile person ( Scott Snowden? ) carrying highly sensitive your risk is quite low. Disk encryption is just too much of a hassle for the average person to deal with and it won’t protect your data from a determined attacker.
I don’t encrypt. I also don’t carry any highly sensitive information on my a MacBook. I have no financial data on any portable device I own — iPads, iPhone, etc — I am more likely to have my iPad or iPhone lost or stolen than a laptop.
My philosophy is to try my best to mitigate the most likely scenarios.
iPad and iPhone
I hate having to type in a password each time I use my iPhone or iPad. But … both of these devices — more so the iPhone — are with me everywhere I go. These devices have apps for accessing my financial accounts and certain online storage accounts. Since it is more likely that I’ll lose my iPhone or have my iPad stolen I put a very strong password on my device. Strong means something 12-18 characters in length. Something that’s a combination of letters, numbers and symbols. No anniversaries. No birthdays. No names of your favorites pets.
Change your passwords regularly. At least once a year.
Most financial apps allow you to set a short four digit pin instead of requiring you to enter a username and password each time you use the app. Personally, I don’t need access to my financial accounts more than once a day so I don’t mind entering my credentials each time.
I have two Apple AirPort Express wireless routers on my network. Both are configured to use WPA2 — the strongest encryption for available for consumer Wi-Fi. I secure my wireless network with a strong password. I also enabled the guest network feature. This reduces the chance that compromised — certain family members use Windows — machines will attack my computers. The guest network also has a password. Why? I live in a townhouse development. Either my neighbors or the kids waiting at the school bus were surfing my network. At least that’s what my router logs showed. Not anymore.
But just as I don’t trust other computers on my network I don’t trust my devices on other network. I want prevent malicious attackers from sniffing my network connection when I’m in an internet café. I want to be sure that a compromised computer on my in-laws network doesn’t hack my device. I encrypt all my internet traffic. Even when I’m on my own network.
The second most important thing to secure on your computer is the information you send and receive over the Internet. This information, if not encrypted, can easily be swiped by malicious individuals on open networks. (Think: Starbucks, hotels, conferences.) This data is a very easy thing to secure with a Virtual Private Network (VPN).
Ben mentions Cloak which is a $24/year service — per device. I use [fusion_builder_container hundred_percent=”yes” overflow=”visible”][fusion_builder_row][fusion_builder_column type=”1_1″ background_position=”left top” background_color=”” border_size=”” border_color=”” border_style=”solid” spacing=”yes” background_image=”” background_repeat=”no-repeat” padding=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” animation_type=”” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”no” center_content=”no” min_height=”none”][Umbrella VPN][umbrella]. It’s an enterprise class service from the folks who run [OpenDNS][opendns]. For $25/year I get VPN coverage for all the mobile devices in my home. I have it installed on my iPad and iPhone, my son’s iPad and iPhone, my daughter’s iPad mini, my wife iPhone and her MacBook ( which almost never leaves the house ). The Umbrella service provides an easy to install app and profile, and a web front end for configuring service options — like the included web filtering. My family is no longer afraid to use Xfinity hotspot or Starbucks wi-fi.
There is of course an alternative: tethering. While tethering on a cell network is not the most secure thing, remember that the goal for the average user is just to be harder to hack than the average person.
But note Ben’s caveat.
If you choose to use tethering via an iOS device, be sure to choose your own WPA key, as the automatically generated keys are susceptible to cracking.
I’m an Apple geek. No, I don’t mean a Mac geek. I mean Apple. We have three iPads, three iPhone, a MacBook, an iMac, two AirPort Express devices, and an Apple TV. My kids and I have matching t-shirts with the words “I’m a Mac” on the front.
Ok, so this is where I should advise you to use strong, unique passwords for every site and get yourself a copy of 1Password.
I love 1Password. I use the auto-generate password feature quite often. As I stated before I use 12-18 character passwords.
However, there is a caveat. There needs to balance between convenience and security.
Because there is a set of accounts that you will need access to if everything goes tits up, you should have a core set of strong passwords, perhaps unique, that you can commit to memory.
The email account that you will use to recover your password from your other accounts? That needs to be something you can remember. Something you can recall if your 1Password ( or LastPass ) password file is deleted. Use a long phrase you can remember and use the first letter of each word of the phrase in the password. Substitute numbers for some of the letters and add some symbols as well.
For example, “I love listening to local bands play outdoors in the summer time” would become “illtlbp0it5t!”.
Longer version: it’s possible, but incredibly cumbersome to encrypt this data and requires both sender and recipient to have encryption setup. Essentially you can’t just encrypt an email, one way, as both parties need to be able to deal with the encrypted data. The tools exist but they’re generally unfriendly to install and use.
I think Ben is overstating the difficulty of using digital certificates for encrypting email, especially given his position on full disk encryption. Installing a digital certificate is free and easy. I digitally sign all my email and my most technically savvy friends already used certificates. It’s great to send encrypted email from my iPad or iPhone.
When you are evaluating how to secure your digital life, the most important thing is to determine what you are most paranoid about. Is it the NSA? Or Bob, the hacker that loves venti Macchiatos and reading your Twitter DMs?
The NSA most likely have tools that can defeat most of the consumer security tech available. I’m just trying to keep out the bored neighborhood kids and the financial data thief sitting in the local coffee house.[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]