Information Security and You, Yes You

June 14, 2008 / A checklist for protecting your personal information online.

More web security advice from Bruce Schneier from a recent interview in Malaysia’s The Star. I’d say I follow about eight of these, and people think I’m anal. In a gloomy outlook indeed:

1. Turn off the computer when you’re not using it, especially if you have an “always on” Internet connection.
2. Keep your laptop and PDA with you at all times when you go outside—treat it as you would a wallet or purse.
3. Back up data regularly.
4. Set up automatic updates so that you automatically receive security patches.
5. Limit the number of applications installed on your machine.
6. Limit the use of cookies and applets.
7. Keep in mind that Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.
8. Think before you do business with a website. Limit the financial and personal data you send to it.
9. Never reuse a password for something you care about. It’s fine to have a single password for low-security sites, such as for newspaper archive access.
10. Assume that all PINs (personal identification numbers) can be easily broken and plan accordingly.
11. Never type a password for a service that you care about, such as a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don’t believe them; they’re wrong.
12. Turn off HTML e-mail. Don’t automatically assume that any e-mail is from the “From” address. Also delete spam without reading it.
13. Use either a combination or separate antivirus and antispyware software. Always update them.
14. Use personal firewall software. If you can, hide your IP address. There’s no reason to allow any incoming connections from anybody.
15. Install an e-mail and file encryptor. Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.

Number 11 is crucial: it’s shocking how many sites ask you to log in over open http. Never give your password unless it’s over https, unless there’s nothing at stake for you personally by exposing that password, because that’s what you’re doing. Better still, look at your browser’s address bar and make sure that the lock icon is intact. Browser’s like Firefox will refuse to give you the yellow lock all-clear if the site’s SSL certificate is invalid or can’t be verified.