Safe computing from hot spots and other public networks (part one)

This article is the first in a four-part series about safe computing on public networks.

This first article lists some basic precautions you can take. Parts two and three are about using SSL and VPNs to secure your communications, and part four will list some computer settings that you should change when using public networks.

When using a laptop on an insecure network, such as a public hot spot or a hotel network, others may be able to eavesdrop on your communications, especially when you connect wirelessly. You need to take some precautions to guard against attacks such as “shoulder surfing”, wireless “traffic sniffing”, and rogue access points.

Here are some basic precautions:

1) First and foremost, don’t use public networks for secure communications if you can avoid it. Do you really need to do your banking, trade stocks, or check your credit card balances from a public network? If you really do, you should use a VPN to connect to a secure network and access the internet from there.

2) Don’t store ANY sensitive data on your laptop that does not ABSOLUTELY need to be there. Instead, store it on a computer that is more secure and protected at home or at the office and access it through a VPN. Think about it – most of the sensitive data that is on laptops does not need to be there!

3) If you do not need to connect wirelessly to access the internet, TURN THE WIRELESS OFF. Almost all laptops have an easy way to do this – know how to do it on your laptop.

4) Pay attention to your physical surroundings, your position, and who is (or could be) watching. Don’t overlook the low-tech approach to stealing passwords – shoulder-surfing. A small concealed camera with a zoom lens can record keystrokes just as efficiently as a key-logger. Position yourself so that others do not have a clear view of your keyboard or screen. Use your body to shield the keyboard from view in public areas.

Dennis H – August 19, 2008

How about online password managers?

Password management tools like Blackberry password managers and Roboform are great, but what if you don’t have them with you? The Little Grey Cell Storage System(tm) is always available, but has a limited capacity (more limited for some of us than others). There are a number of free and paid online password managers available. Do you want to trust your passwords to this type of service?

I have been looking at a service in beta called Passpack. It has a lot of great convenience features and flexibility that allows you to trade off convenience for higher security. It can also import passwords from other password managers, including Roboform.

These folks seem to understand security and implement it well. The passwords are strongly encrypted locally, using a strong passphrase. So far, I have not entrusted them with my most sensitive passwords, but I like the implementation, the features, and the backup in case I do not have my USB key with my Roboform passwords available (I have been known to leave it on the desk from time to time).

What do you think? Are online password managers secure and should we be trusting them with our most sensitive passwords?

Dennis H – August 18, 2008

How DO YOU manage all those passwords (securely)?

So many passwords and so little brain space! The stronger the passwords are, the more difficult they are to remember. Even when we use clever schemes to make strong passwords that we can remember, it becomes almost impossible to remember which password goes where. The end result – we end up re-using a few passwords for everything, which is just not good security.

I told you my dirty little secret about using a U3 drive yesterday. The biggest single reason I use it is for my RoboForm2Go. It’s not free (there is a free version, but it only remembers ten passwords), but it is a great password manager and form filler. It integrates with both IE and Firefox, includes a password generator, uses strong encryption with a master password (one is about the number of strong passwords I can remember), and the 2go version on a U3 drive allows me to use it on any computer without installing anything or leaving anything behind.

There are also versions for non-U3 USB drives, Blackberry, Palm, Symbian, and Windows Mobile. For an extra $10 you can get it pre-installed on a 256 MB USB drive.

What is YOUR favorite? Tell us what you use to manage passwords. KeePass (a free alternative for Windows users)? OnePassword (great for Mac users)? There are several available for the Blackberry. TELL US YOUR SECRET!

Dennis H – August 15, 2008

Low Tech Ways to Reduce Identity Theft

With identity theft surpassing drug trafficking as the number one crime in the US (I don’t suppose it is much different in Canada or elsewhere), clients need all the help they can get in protecting themselves. Although the information necessary to steal an identity may be obtained through phishing or other computer-based attacks, there are low-risk, low-tech attacks that even the most unsophisticated criminals can employ.

Sifting through personal garbage, otherwise known as “dumpster diving”, is not even a crime in many places. According to the US Justice Department, this is the second most common way of obtaining the information used in identity theft. Again, I have to assume that things are not much different in Canada, Australia, the UK, South Africa, or anywhere else.

When assessing clients’ security practices, don’t forget to account for the “hard copies”. Sensitive documents are printed, filed, placed in hoppers on desks, and left in insecure locations. So-called “junk mail” often contains personal information. All those credit card offers that come with some of the information already filled in are treasures for thieves.

Fax machines are another concern. If sensitive faxes automatically print to a location that is not secure, anyone can read them. The same applies to shared printers.

Paper shredders are low-tech, but one of the most important security tools available. As with anything, the secure way must also be the easy way. If people have to walk five steps further to shred a document, there is a good chance it will end up in the trash.

Sometimes we focus on the technical solutions because, well, technology is what we do. Printed paper and garbage are hardly high-tech, but are still important things to consider when assessing security.

Dennis H – July 30, 2008
