Defensive Data – An In-Depth & Technical Look at Online Data Security

Software Suggestions
(see bottom of post)

I need not list the myriad reasons one should be cautious about data security, but I would like to take a few moments to talk about the ways in which one can become more savvy in securing their data.

What is Data

  • n.
    Factual information, especially information organized for analysis or used to reason or make decisions.
  • n.
    Computer Science. Numerical or other information represented in a form suitable for processing by computer.
  • n.
    Values derived from scientific experiments.

With regard to your person, data is every point of interest about you. Some really easy to understand data points on your person are: birthdate, full name, address, social insurance number, passport number. However, digging a little deeper, we can begin to see a much wider array of data on your person that could potentially become valuable information to somebody.

I want to reiterate the fact that you don’t know who that somebody is. You don’t know what scheme they’re getting up to, or how they’re able to use the data of your person to their advantage.

Some more abstract ways that your person creates data are GPS locations, browsing history, search terms, keystroke patterns, facial features, facial responses, habits, grocery store foods commonly purchased, favourite websites, car colour, various usernames and passwords, etc.

Data then becomes any measurable or observable point of information (from you or anything else). If somebody is sitting at the corner of the street counting the colours of pants they see, this is data. Those two rubber lines one sometimes drives over on the street are collecting data on the number of cars driving by and the speed at which they’re driving. Data is the number of sales per day.

In our modern time of technology, we are very data rich and thus we’ve all become rather used to data being collected on us, and oblivious to the myriad ways in which we are being observed – that is, we are becoming numb to our data points.

Securing Computer Data

Thus, a need arises to become more savvy in securing our data, to make this unnecessary data collection harder on prospective snoopers who have no good intentions in their data collection. Every single level of security that you bring into your workflow will make it harder for somebody to steal your data, and consequently will make it less likely they’ll go after you. Statistically, the bad guy usually goes after the easy pickings.

I will now begin a list of ways in which one can systematically become more secure in our data-centric world. I will first start off with fairly general security guidelines for every day application, and then I will drill down into some specific tactics for computer security.

General Online Secure Guidelines

  • Acting cautiously in the physical and digital world – this is really an obvious one. When somebody phones you up from who-knows-where saying they’d like to talk to you about something or other, and they just need your phone number, date of birth, postal code, and mother’s maiden name to begin with questions… you might want to be a bit cautious about sharing this information. It’s not bad to say: “I’m not comfortable giving this information to you.” I do it all the time, and the caller is then forced to say: “Ok, no problem. Good bye.” In the digital world, this means not filling in all the fields if they’re not necessary (usually necessary ones are indicated by some sort of red asterisk), or perhaps creating a secondary email that you can give to not-so-secure websites that are not-too-important to your person (more on this below).
  • Learn about encryption – encryption isn’t a scary thing, it’s actually really cool. Leonardo da Vinci wrote upside down and backwards as a form of encryption 500 years ago. Today, we have secure options that are password protected inside of encrypted database files.
  • Everywhere you enter information is a possible vulnerability – any/all of those websites where you enter your name, password, family member’s name, mother’s maiden name, address, postal code, SIN, etc. are possible vulnerabilities. If any one of them gets hacked by somebody then all of the information you entered is now in the hands of somebody who may or may not use it maliciously. This means at online stores where you enter your information, at the local swimming pool website, the transit card website, etc. Any of them are subject to attackers. I’m not suggesting never create an online account anywhere, but maybe think about the information you’re handing over as a general rule.
  • Never ever use the same password twice – never. No excuses. Hopefully explanations below will help with this one.
  • If it’s connected, it’s vulnerable – anything that is connected to the internet is vulnerable. Almost every single website or software or computer operating system has been cracked. Who and how, you don’t want to know. Internet of Things refers to those devices like a webcam or baby monitor that are connected to the internet but don’t function like a computer. News comes out every day exposing how hackers are using this vulnerable equipment to their advantage.

Data Encryption Techniques

So those are general rules to consider as you enter upon your data security. The first big step towards really making change in your flow of things is data encryption.

Having data encrypted means that unless you have the proper password to decrypt the data, it is virtually inaccessible (or at least you’d need a few days and supercomputers working at cracking it). Thus, if you have to keep sensitive data on your computer or stored on a hard drive, the defensive security approach to this data would be to encrypt it!

You can encrypt a drive, folder, or a single file (to keep this explanation simple).

Whatever way you encrypt though, if you’re browsing on your computer to the location of the encrypted data file, it will look like a single file of unknown type and seem like no program will be able to open it. So, if you were to name your encrypted drive Secret Information, it will show up as just a file with the name Media of about the same size as you created it.

Encrypting a Drive or Folder

Encrypting a drive or a folder is about the same. The theory is that you first create an encrypted drive or folder, then you mount it with your encryption software as if it’s a virtual drive, and then use it as if it’s a regular drive attached to your computer with supposedly no data transfer speed sacrifices. In a sense, it’s very similar to plugging in a USB stick. With the encrypted folder, you open up the software, select the encrypted data file you’d like to mount, mount it (this is like inserting a CD or USB stick), enter the decryption password, and then it’s mounted and fully accessible like any other drive on your computer.

Data Encryption Caveats

Encrypting data is essentially making more trouble for you, the user. It’s not as simple as just saving files to your computer, and you’re now forced to think about where you’re saving all your files. But, you’re adding steps to your workflow that will hopefully make it harder for thieves to get access to it.

One problem I constantly have is with an encrypted USB drive that I then plug into another computer without the encryption software or the password to decrypt it. This makes the USB drive virtually unusable. You can’t mount it to gain access to the information without the software (which you can technically download to the new computer). My current work-around is to have another unencrypted USB device to easily plug into other computers. In this way, my secure USB drive works like an offline drive for my computer. This is the ultimate way to ensure there is no stealing of my data; if it’s not online, it’s not available.

Encryption Software Choices

VeraCrypt is the software I have chosen to use.

Password Security

Password security is probably the biggest issue right now in the online world. It is no secret that many, many users are using simple passwords like: hotlegs2, bigdaddy69, etc. Further, many people have a hard enough time remembering their passwords, so they just keep repeating the same passwords for all websites they approach.

Not good.

If one of the websites compromises your password (and most likely all your other user data) then all of the sites you’ve ever used your data on with that same password are virtually accessible.

Like I said, not good.

Password Techniques

The longer the password string the better. The more random the password strings the better.

The way I see it, is that I only ever need my passwords if I’m on my computer, so if I make a digital safe that’s encrypted with all my passwords in it, I’ve just made life a whole lot easier for me. No sense trying to remember all the passwords in the world I’ve made (and yes, there’s a lot).

So, use software to remember all of your passwords, so that you only need one password to access the software that has all your passwords in it. This provides flexibility in password choices, and copying and pasting the passwords and usernames is just a double click away.

A benefit of this is that most password software will also give you password suggestions. In this way one doesn’t even have to rack their brain over a new password; you just click that suggest button and done. Further, most password software can remember password history (you can set how many of the last ones you’d like to remember). Further, in the unlikely event that you are held hostage and demanded to hand over the password to something, you can honestly say that you don’t know it, because you won’t. You’ll know the password to get into the password database, but you won’t actually know the password itself. (This might make more sense if you watch pwsafe.org’s quick start guide.)

All of the passwords, rest assured, are stored in a single encrypted database file. This file can be stored anywhere, and accessed by only the same software that made it in order to decrypt it. To unlock it, you need one password, and then you’re in and have all your passwords.

Sounds much more secure than a little book you carry around with you and sometimes forget on your chair, right?
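An added example (not from the original post, and not code from any password manager): a small Python audit that flags the two problems described above, reused passwords and short, guessable ones, and generates a random replacement the way a “suggest” button would. The site names, the 80-bit threshold and the function names are assumptions for illustration; the sample list is constructed.

```python
import math
import secrets
import string
from collections import defaultdict

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # 94 printable symbols

def generate_password(length=22):
    """Draw every character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def max_bits(password):
    """Upper bound on guessing entropy from length and character classes used.
    Only a uniformly random password reaches this bound; a word plus a digit
    sits far below it, so treat the figure as a ceiling, not a score."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(entries, min_bits=80):
    """Return (reused, weak): groups of sites sharing one password, and sites
    whose password cannot reach min_bits even in the best case."""
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    weak = sorted(site for site, password in entries if max_bits(password) < min_bits)
    return reused, weak

# Constructed sample list; the site names are placeholders (assumption).
SAMPLE = [
    ("shop.example", "hotlegs2"),
    ("forum.example", "hotlegs2"),
    ("pool.example", "bigdaddy69"),
    ("bank.example", generate_password()),
]

if __name__ == "__main__":
    reused, weak = audit(SAMPLE)
    print("same password on:", reused)
    print("below 80 bits even at best:", weak)
    for site, password in SAMPLE:
        print(f"{site:14} {len(password):2} chars, at most {max_bits(password):5.1f} bits")
```

A breach at either site in a reused group exposes every other site in that group, which is why the reuse list matters even when the password itself is long.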

Password Encryption Caveats

Almost everybody these days has more than one smart device: laptop, smartphone, computer, 2nd laptop? Who knows which device you’ll need which password on. It would be silly to depend on having the encrypted password database file on one single device, for the passwords are long and not easy to enter manually. Imagine having to read off your computer and then type into your phone this password: xkhs8H7shfp)-)8sjk%yHk. You don’t want to do that.

To get over this problem, one can transfer their encrypted password database file to all of their devices. My method of choice is to use a cloud file repository like Box or Dropbox. I’ll upload the encrypted database file to Dropbox, which my other devices will also have access to. I then ensure that the file is available offline on each device, because some programs that you may have passwords to don’t necessarily need the internet to run.

Password Encryption Software Choices

I use PwSafe. It is recommended by Bruce Schneier, who is a trusted expert.

Email Security

Emails easily hold the most sensitive and most vulnerable information. Personal conversations are where the juicy stuff is! Each email usually has a thread of a whole long conversation about specific topics of discussion. And more. Your email address alone can become compromised, meaning somebody gets access to all your emails. And if somebody else gets access to your emails, they can do all sorts of damage.

There is a benefit to using a service like Gmail: they are almost too big to break (I’m sure somebody somewhere is snickering about this). Sure, this may go against the axiom: the bigger they are the bigger they’ll fall, but compared to your own personal email server, they’re most likely on top of data security. On your own email server, when was the last time you did a security audit on it? Further, if you’re using an email at your own domain, what happens if somebody actually gets access to your domain itself and re-routes all your emails to their own inbox? The likelihood of somebody getting access to google.com is pretty slim, whereas somebody getting access to a domain name registered through a website with very weak password recovery options is a lot more likely.

This extends to company email systems. One would hope that they’re secure, but security is an expensive business to be savvy in.

It is not a bad thing to have multiple email addresses. There are some email solutions that pride themselves on being very secure end-to-end encrypted email providers (think Proton Mail), and then there are some others who have no encryption. In fact, there’s probably a list somewhere on the internet of email providers who are notorious for being watched, hacked, and easily accessible to just about anybody with that intent.

So, when you’re creating an account on a website, keep in mind what email address you’re using. My rule of thumb is that if it’s a website related to anything un-professional, I’ll use a secondary email address for spammy things that is definitely level 2 or even 3 importance. This includes online shopping stores and website newsletters or blogs. If it’s a government, banking, professional website, I use the most secure email address I have.

Email Archives

When the Germans, meticulous record keepers they are, realized they were losing the war, they started burning everything. All their records destroyed. Why? Because records can and most likely will be used against you.

In our modern day of data richness, it is almost counter-intuitive to delete emails, or any data for that matter, especially emails you’ve been holding on to for the past 10 years. But they’re a security breach.

My suggestion is twofold.

The first is to just delete all the garbage emails that have no significant value in storing. Easy things are ads, newsletters, flyers, promotions, etc. Harder ones are emails from family members with some form of communications. Find a level that you’re comfortable with. Some people want a history so that if their grandchildren want to read their old communications in 50 years, they can. Others don’t plan on having kids and expect nobody will ever read a thing. Your choice.

The second suggestion is to practice archiving old emails, putting them into a local (encrypted) folder. Think of it similar to a filing cabinet. It’s no longer on your desk of important letters to attend to, it’s been properly filed away and most likely never to be looked at again.

It Takes Two To Email

Unless you’re emailing yourself, you’re having an email conversation with another person. This could be your biggest vulnerability. It is kind of up to you to make sure they are taking the necessary precautions to avoid compromise. And to further this, it is up to you to avoid conveying any sensitive information to a person who doesn’t need it. If you’re in the habit of conveying sensitive information, it is imperative to take the necessary precautions to protect your data security. If the other person doesn’t want to be secure, then don’t send them sensitive information; your security depends on it.

Conclusion

The road to online data security can get quite long. The main idea with security techniques is to make it harder for others to access your data. Every practice you implement makes you much less likely to become a target. The day may not be now that you’re a target, but if we think of a long term strategy, the long game, starting your data security game now will save you a lot of trouble and headache in the long run.

Hope this helps!

 

Additional Data Security Resources

  • Online Privacy Guide for Journalists 2017 <- if anything I’ve written is at all interesting, this is a very in-depth article on all privacy techniques.
  • Signal Messenger <- look in the app store of your phone, it’s secure, end-to-end encrypted messaging
  • WhatsApp <- also secure, peer-to-peer encrypted messaging
  • Tor Browser <- ultimate online web activity security using built in proxies
  • Password Safe <- my favourite secure password database software, available for computers and most smartphones
  • Bruce Schneier <- security expert who puts out really interesting articles worth a read (that means sign up to his newsletter)
  • Proton Mail <- free secure email service with built-in end-to-end encryption and state of the art security features (like gmail on high alert).
  • VeraCrypt <- free disk encryption software
