Making my living working with computers requires me to be aware of various security issues and how to handle them. Everything from viruses, to spam, and even to encryption. But sometimes I'm fortunate enough to observe the humanity behind the computers. And sometimes this humanity itself is a security issue. Humans are mostly social creatures. They want to interact with each other and share information. Humans can also be parasites trying to better themselves or their environment at the expense of others. This dual nature of us humans leads to some interesting situations. We trust. Then we have the trust abused. Some learn to be more cautious when trusting, some don't.
The Internet is a relatively new phenomenon for humanity. It brings about many new and useful ways to gather information or resources that were not even considered before 1983 (the introduction of TCP/IP to the DARPA networks which spurred the growth of the Internet - http://wiki.answers.com/Q/When_was_the_Internet_invented). It also brought about many more ways for trust to be abused and people to be taken advantage of. Some of these methods have become well known. The so-called "Nigerian scam" is known to the majority of Internet users, and viruses can usually be easily handled via an anti-virus program or an operating system that is less susceptible to them. But there are still many areas the general public do not see as dangerous yet.
Imagine you receive an email from someone you don't know, asking for your bank information. Of course you do not give it to them (one would hope). What if the message was asking you about your family - who your parents are, how many kids you have, their names and ages, etc. Hopefully this is also thrown into the trash. Now, what if they were asking relatively meaningless things - "who was the last person you called on your cell?", "have you ever been cheated on?", "Have you ever met someone who changed you?". This is much more subtle, each answer taken on its own is meaningless - right? If you said "yes" to that, then you really need to read this whole posting. What about looking at these questions as a whole? You begin to get a rather detailed picture of someone.
Now, imagine the same types of questions coming to you not via email, but via a web page on a social network such as Facebook. Unfortunately, I have seen too many people post enough information about themselves that ANYONE can answer all the questions posed above. Sure, social networks do allow you to adjust your privacy levels and who can read your profiles or other information. But few set these controls properly, and more importantly - these controls are not adequate.
The problem with expressing information is that you are never just expressing what you think you are. For instance, if I say "I have a flu." you can easily infer that I am not well, I'm not going to work, I'm taking some sort of flu medicine, and that I have a fever. Every piece of information you express also expresses what I think of as "inferred information". This inferred information may not be 100% accurate, but it is accurate enough to yield more information to anyone willing to think about it a little. Sometimes even the inferred information is not harmful at all, but if you can get enough of this inferred information you can paint a rather accurate picture about someone. Try it sometime - find one of those annoying chainmail type quizzes your friends have filled out (we all have one or more friends who cannot resist). For each question there, ask yourself what else their answer tells you. You'll be surprised at how much information they have given away.
Besides the information - whether direct or inferred - we have a problem with trust. Would you trust me with your banking information? Some close friends might, but I suspect and hope that no one else would. Do you trust me with your family information? Perhaps you have a young child just starting school - do you trust me with their name and what school they go to? Again, I'm hoping to hear a resounding chorus of "no's". Assuming everyone who responded said no, I have to ask the question - why would you trust the Facebook employees (or whatever social network you use) with this information? Oh, you don't put that kind of information out there? Too many of my own friends on FB, and other random profiles I have been able to see, do. Mostly without knowing it. Maybe it's a picture of your child and you have tagged them with their name. Or maybe it's the school picture - with the school name displayed in it. Ever buy something over the Internet? Yep, you have trusted complete strangers with your banking or financial info. AND you have told them you have the means to do Internet purchases, and have a credit card (assuming a credit card was used for the purchase).
Ever hear of Murphy's Law? Anything that can go wrong, will. Even if all reasonable precautions are taken, bad things happen. A router breaks, a laptop gets stolen, someone does an 'oops'. As robust as the Internet is, it is also rather fragile in some ways. There are still many instances where something happens and the information you thought was "safe" is released to the public. If you follow tech news, you will see instances of this on a regular basis. Credit card numbers get leaked, personal information is stolen, a laptop was stolen from Company X that contained all the customers' financial data.
Granted, some trust is needed. I *should* be able to trust Amazon to properly handle my credit card information so that their employees cannot abuse it. I should trust the government to have technology and procedures to limit the chances of my personal data being stolen. But in other cases, too much trust, or lack of thought/knowledge about the consequences, will be abused. We have a name for one kind of this abuse - Identity Theft. If someone gets ahold of enough information about you, they can assume your identity, buy whatever they want using your bank account/credit card/good will, and then leave you to deal with the fallout. We haven't begun to see all the situations where our trust is abused. Check out the DefCon video of Renderman's presentation "How can I pwn [own] thee, let me count the ways". It is full of many samples where trust is abused in new and meaningful ways. (The "teledildonics" point is funny as heck, but also very alarming.)
All is not doom and gloom though. Now that we have a much better understanding of the issues, there are things we can do ourselves to help minimize dangers. What follows are the steps I personally take, and why. This is not a comprehensive list, but I am willing to expand it - leave a comment if you have something to add.
- Black-list everyone. Aka - Trust no one. In person (or IRL for the truly geeky) I tend to trust everyone until they give me a reason not to. Online is different - I trust no one until they have proven I can trust them. This is done in little ways. Emails from people I don't know are highly suspect. If I cannot decipher the purpose of the message from the subject line AND that it is meaningful to me, it usually gets tossed as spam. This goes for social networks too - if I don't know someone, or have not had any interaction with them, they will not be added to my friends list.
- Control your own data. This can be done in many ways. I do not use web based email systems because they require me to trust that someone else is doing things in my best interests. Yahoo, Hotmail, Gmail, etc are providing a service to you but have THEIR best interests in mind. If you use these services, you must also agree to not being totally in control of your email. Instead, I have my own domain and have set up hosting of that domain's email at a professional web host. This was a conscious choice after running my own email server for years. I didn't feel like maintaining a mail server any longer, and made a compromise. I also use Thunderbird to retrieve my mail, and make sure my communications with the server are encrypted (see the next point). The same concept applies to web pages (I run my own server), and choosing who and when I post my data to. My Facebook account is pretty open, but only because I try to never post anything there that gives out too much detail.
- Use encryption. If you have to enter a password, or sensitive information (financial data, personal data, etc.) on a web page, make sure the address starts with "https". If it says "http", then all your data is transmitted in plain text when you submit it. You might trust the server you are sending to, but do you know what routers/servers the data passes through to get there? Do you trust all of them? HTTPS makes sure your data communications are encrypted between your browser and the server - which means you do not need to trust the "middle men" because they would have a very hard time decrypting your data. (Recent news shows HTTPS to be getting less reliable in this way, but it is still better than not using it.)
If you must submit a password over regular HTTP, use a throw away password - or one that is not important.
For email, you should be using either POP3 or IMAP. These are the communication protocols for retrieving email from a server. Now go one step further and use POP3S and IMAPS - which are the encrypted forms, using the same underlying technology and concepts behind HTTPS (which is SSL/TLS). If you do not use the encrypted forms of the protocols, your username and password are sent in clear text through all the intervening servers/routers to reach the target server. Anyone along the way can get that data if they wanted.
If you are really concerned about privacy, then you can also use encryption for your files. Encrypt the full drive, a directory, or even a single file.
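One way to check the mail settings described above, as an added example that is not part of the original post: it reads the text of a Thunderbird `prefs.js` and reports which POP3/IMAP accounts would send the login unencrypted. The pref names and `socketType` values are assumptions about Thunderbird's profile format, `audit_prefs` is a hypothetical helper, and the sample profile is constructed.

```python
import re

# Thunderbird keeps one user_pref() line per setting in prefs.js.
PREF_RE = re.compile(
    r'user_pref\("mail\.server\.(server\d+)\.(\w+)",\s*(?:"([^"]*)"|(\d+))\);')

# Assumed meaning of socketType in a Thunderbird profile.
SOCKET_TYPES = {0: "none", 1: "STARTTLS if available",
                2: "STARTTLS", 3: "SSL/TLS"}
ENCRYPTED = {2, 3}  # 1 may fall back to cleartext, so it does not count

def audit_prefs(text):
    """Return {server_key: finding} for each POP3/IMAP account in prefs.js text."""
    servers = {}
    for key, name, sval, ival in PREF_RE.findall(text):
        servers.setdefault(key, {})[name] = sval if ival == "" else int(ival)
    findings = {}
    for key, prefs in sorted(servers.items()):
        if prefs.get("type") not in ("pop3", "imap"):
            continue  # local folders, feeds and the like
        sock = prefs.get("socketType", 0)  # an absent pref means no encryption
        findings[key] = {
            "host": prefs.get("hostname", "?"),
            "protocol": prefs["type"],
            "security": SOCKET_TYPES.get(sock, f"unknown ({sock})"),
            "credentials_protected": sock in ENCRYPTED,
        }
    return findings

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.hostname", "mail.example.org");
user_pref("mail.server.server1.port", 993);
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.type", "pop3");
user_pref("mail.server.server2.hostname", "pop.example.net");
user_pref("mail.server.server2.port", 110);
user_pref("mail.server.server3.type", "none");
user_pref("mail.server.server3.hostname", "Local Folders");
'''

if __name__ == "__main__":
    for key, f in audit_prefs(SAMPLE_PREFS).items():
        status = "OK" if f["credentials_protected"] else "CLEARTEXT LOGIN"
        print(f'{key}: {f["protocol"]} {f["host"]} [{f["security"]}] -> {status}')
```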
- Use strong passwords. Using "password" is not recommended. Using "Bob" (or substitute your name) is also not recommended. A good password is usually 7 or more characters, mixes uppercase and lowercase letters, includes one or more symbols (the characters above the numbers on the keyboard), and includes one or more numbers. This sounds like a lot to get right, and hard passwords to remember. The secret I use is to join two words together with a number or symbol between them and at the front or end of the phrase. For instance I might use "Go2store!". This makes a very easy phrase to remember yet is a rather secure password. You can make use of slang words here as well to help prevent dictionary attacks - "youR2kewl!" possibly. (don't use these samples!!!!)
- NEVER NEVER NEVER give your password to anyone. System administrators don't need your password. If they need to access something as you (which is incredibly rare!) they will change your password and then force you to change it when they are done. The role of a system administrator is such that they already have the trust to do WHATEVER it takes to keep the network running right. At least where network security is concerned.
- Assume everything you say online is PUBLIC. I have seen some young friends go on very verbal rants about their parents. I have seen discussions of rather compromising positions between a married woman and an online suitor. All this is equivalent to having the information broadcast through bull horns in a crowded stadium. Most people won't care, but some will that you have no knowledge of. Even worse, the Internet has a long memory. Social networks are increasingly used to check up on potential employees, friends, lovers, etc. Even just Google is being used for the same purposes. If you do not want anyone to jump to conclusions about something you posted 5 years ago in the middle of a heated debate, then keep it to yourself. Seeing a rant about how much you hate your parents, or how adventurous your ex was in bed may not be very helpful to you down the road. Do not talk about anything on the Internet that you wouldn't talk about over bull horns in a crowded stadium.
Related to this is the idea of an online reputation. Treat people and events online the same as you would if you were talking to someone face to face in a public location. Just because you are online, and using a fake name doesn't mean information cannot be linked back to you. The network engineers have a lot of resources to match "anonymous" users to specific people if needed.
- Assume the wrong person is intercepting your message. If information can be transmitted over a public medium - paper, air, radio, Internet, etc. - it WILL be intercepted and interpreted by someone you did not intend. The moment you transmit data over a public medium, you lose all expectation of control over the data. Sure there are laws to address some cases, but these are reactive and after the fact. They do not prevent the transmission in the first place. In short, if you want to keep it secret, then keep it to yourself. If you must share a secret with someone, take some reasonable precautions - encryption, controlled access, etc. But do not assume it will only be seen by the intended person. (This is some old school radio warfare training kicking in that also applies very nicely to the Internet.)
- Do not choose to expose data for someone else. Friend A calls you up and asks you for Friend B's phone number. You know they do not know each other and cannot see any reason why this is needed. Chances are you do not give out Friend B's number. Yet online people freely tag their friends in pictures, talk about what they and their friends (identifying them by name) did over the weekend, etc. In these cases, you have made a choice for your friend(s) that the public can know they are in the picture and whatever that picture represents, or what they did that weekend. Most often this is not a problem - people tend to be open about public things they have done like spending time with friends. But some people are very selective about what information they post online and resent this type of action.
In a different way, people often want to protect their children, but then post their name, pictures, and activities to the public. I have a daughter, and I might post some occasional pictures of her. But if you do not know me, her, or members of her family, then you will have a hard time finding her name from my online postings, or her age, or anything related to her other than what little I have chosen to make public. She is not yet old enough to make the choices (never mind understand the consequences of those choices) about what info goes online. But that doesn't give me permission to ignore her wishes either. (And I understand this is a personal value judgement, that her mother or others may not agree with....)
- Do not forward chain mail. Whether it shows up as an email, as a request on the social networks, in a chat room, or on a web page even. If something asks you to "forward this to all your friends", use a lot of caution. This is bad for a number of reasons. First, regardless of what reported doom may befall you if you do not forward the message, nothing will happen to you. Even if you consider it fun, entertaining, informative, or important, not everyone you send it to will. The transmission of the message to each of the recipients eats up time and resources that could be used to transmit more meaningful data. And most importantly most people just hit forward and do not edit the message - which means that all the previous recipients get listed in the message, without their blessing.
Related to this is the inferred information problem. If I receive a forwarded message, I also can see who else has seen the message. I can even start to determine who your circle of friends are. And perhaps I want to market something to you and your friends...
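To see how much a forwarded chain message gives away, and to clean it before passing anything on, here is an added example that is not part of the original post: it lists every address a new recipient would learn from a message forwarded unedited, then scrubs them from the body. The function names are hypothetical and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def exposed_addresses(raw):
    """Addresses a new recipient would learn if the message were forwarded as-is."""
    msg = message_from_string(raw)
    headers = (msg.get_all("From", []) + msg.get_all("To", [])
               + msg.get_all("Cc", []))
    found = {addr.lower() for _, addr in getaddresses(headers) if addr}
    # Earlier hops survive as quoted header lines inside the body.
    found |= {addr.lower() for addr in ADDR_RE.findall(msg.get_payload())}
    return sorted(found)

def scrub_body(raw):
    """Body text with every embedded address replaced, for pasting into a new message."""
    body = message_from_string(raw).get_payload()
    return ADDR_RE.sub("[address removed]", body)

# Constructed sample: a chain message that has been forwarded twice.
SAMPLE = """\
From: Carol <carol@example.org>
To: me@example.com
Cc: Dave <dave@example.net>
Subject: Fwd: Fwd: FORWARD THIS TO 10 FRIENDS!!!

> From: alice@example.org
> To: bob@example.net, Erin <erin@example.com>
>
> > From: frank@example.org
> > To: alice@example.org, grace@example.net
> >
> > Forward this to all your friends or bad luck follows.
"""

if __name__ == "__main__":
    leaked = exposed_addresses(SAMPLE)
    print(f"{len(leaked)} addresses exposed by forwarding unedited:")
    for addr in leaked:
        print("  ", addr)
    print(scrub_body(SAMPLE))
```

Starting a new message and pasting only the scrubbed body also keeps the header addresses of the copy you received out of what you send.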