Cyber Security

How to Protect Yourself in a Connected World

As genealogists, we are often online — whether using scanned records from a subscription site, searching through transcriptions on GenWeb, volunteering for a local society, or sending e-mail to a recently found cousin. Being online as much as we are, we assume some risks. While these risks are manageable, and do not exceed the value of computing and Internet use for genealogists, it is important to assess your risk level, and take steps to limit potential attacks. Let me walk you through some of the things you should consider.

Create Secure Passwords

With all of the passwords we need to create and remember, it is tempting to have a single, memorable password for e-mail, subscription sites, and financial institutions. Doing so puts you at risk. If your password is memorable for you, it can probably be guessed by someone else, or by a computer program. And if you only have one password, then if someone guesses it, that person has access to any and all of your accounts. The best password security will include passwords that cannot be guessed. They should not be a date, a name, or a commonly known word found in any dictionary. Computer programs exist that can try numerous possibilities to hack your password. Instead, your passwords should have a combination of upper- and lower-case characters, numerals, and symbols. There are websites that can produce random, secure passwords; for example, PC Tools offers one at www.pctools.com/guides/password/. Of course, having dozens of passwords, all of them difficult to remember, presents its own problems — human memory has its limits.

There is the tried-and-true method of writing things down, but you certainly do not want to lose a notebook of your passwords. Since you might not want to take your password list out of the house, you will not be able to log in to your subscription research sites from Starbucks. Another method, which I recommend, is storing your passwords in a password manager, either online or offline. This may seem counter-intuitive, but it works. Programs such as RoboForm and websites such as LastPass allow you to encrypt passwords and then store them on your computer’s hard disk, or in the cloud.

RoboForm runs on Windows and stores all the password data on your hard drive in one of a number of encryption formats. You can also purchase a version that runs on a USB key, so you can take it with you. LastPass stores your passwords in an encrypted form in the cloud, in other words, potentially on a number of servers across the Internet. For added security, you can get a USB key to provide another level of validation. Access to the passwords requires that the key, which is specially configured for your account, be plugged into your computer, and that you know the e-mail address and password of the account. If you lose the key, you can reset the account by a request on the website that you then must respond to from your previously associated e-mail account.

Avoid E-mail Scams

Bulk e-mail can be a very financially efficient way for people to steal data. Spammers can send out millions of messages for almost nothing, and if only a few people respond in ways they can exploit, their campaign has been financially successful. The main method of e-mail scam these days has been called “phishing.” In a phishing attack, the scammer sends an e-mail that pretends to be for a legitimate purpose, requesting that you log in to its site, send your password by return e-mail, or in some other way provide the scammer with some of the credentials (user name/password combinations) that would allow access to one or more of your accounts or your private data. The e-mail can look very official, but often has some telltale signs: words are misspelled and URLs are slightly different, either in a way you can readily see or underneath the HTML code, which you can observe by hovering your mouse over them.

To protect yourself, the best first step is to have good spam filtering. Gmail from Google includes some of the best spam filtering available. Gmail is also free and is easy to set up. Very rarely do I see a phishing attack in my Gmail inbox, but the spam folder on Gmail is full of phishing attacks. In addition to e-mail filtering, you can set up lists of e-mail addresses and domains so as always to allow (white list) or disallow (black list) mail from those sources. For example, if you want to make sure that mail from your cousin Sheila gets through, you would white list her e-mail address. On the other hand, if you had received malicious e-mail from paypal.net (not PayPal.com), you might black list any mail coming from the domain paypal.net. Many service providers offer this service, building a black list of known or suspected sources of spam and malware.

Once you have spam filtering, and even if you have a black list and white list set up, some phishing attacks will get through. To keep your data safe, use caution when responding to e-mail. The e-mail address the mail comes from might be other than what appears in your e-mail software. If you believe that your bank may actually be contacting you via e-mail, do not simply click on the e-mail link, hit the reply button, or call a phone number in the e-mail. Contact the bank directly, either by typing its Web address in your browser yourself, sending e-mail where you enter the address yourself, or by calling the bank with a phone number you already have on file for them. If this was a legitimate e-mail from your bank, a copy of it will be in your online account, and it should also be available to the bank’s customer service personnel when you call.
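As an added illustration of the telltale sign described above (the URL beneath the HTML differing from the one you see), here is a small Python check, not part of the original article, that pulls each link out of a constructed sample e-mail body, compares the domain shown in the link text with the real destination, and applies hypothetical white and black lists like the paypal.net example. The message, the lists and the domain names are all made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (not a real message), with links of each kind:
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://secure-login.paypal.net/verify">
log in at www.paypal.com</a> to confirm your account.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p>Cousin Sheila shared <a href="https://www.genweb.example/tree">our family tree</a>.</p>
<p>Statement ready at <a href="https://login.example.net/acct">www.mybank.example</a>.</p>
"""
BLACK_LIST = {"paypal.net"}      # hypothetical user-maintained lists, as described above
WHITE_LIST = {"genweb.example"}

# Simple patterns good enough for well-formed mail bodies; a mail client's own HTML
# parser would be used in practice.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Last two labels of a host name (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html):
    """Return one (href, visible text, verdict) per link. Verdict priority: black_listed,
    then mismatch (domain shown in the text differs from the real host), white_listed, ok."""
    results = []
    for href, raw_text in ANCHOR.findall(html):
        text = " ".join(re.sub(r"<[^>]+>", "", raw_text).split())   # strip tags, tidy spaces
        real = registrable(urlparse(href).hostname or "")            # where the link really goes
        shown = DOMAIN_IN_TEXT.search(text)                           # what the reader sees
        shown = registrable(shown.group(1)) if shown else None
        if real in BLACK_LIST:
            verdict = "black_listed"
        elif shown and shown != real:
            verdict = "mismatch"
        else:
            verdict = "white_listed" if real in WHITE_LIST else "ok"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:12} {text!r:30} -> {href}")
```

Run as a script, it prints one verdict per link; the first link is caught by the black list and the last by the text/destination mismatch even though neither domain is on any list.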

Thwart Viruses and Malware

Malware is software that is designed to do harm. This software can be embedded into software programs or files, and can be hidden in what look like harmless websites. This is a risk whether you are on a Windows or a Mac computer.

Over the years, Macintosh enthusiasts like me have boasted that its operating system is immune to these kinds of attacks. Despite the fact that we can be annoying, even PC devotees have to admit that the number of malware programs directly aimed at the Mac OS has remained low. There have been no major virus outbreaks on Mac OS X, but this may be on the verge of changing. Even the Mac OS X has to use browsers to navigate the Web, and any software designed to request files from the Internet will have vulnerabilities. At the CanSecWest digital security conference in Vancouver this spring, computer security engineers demonstrated the ability to exploit Internet Explorer on Windows, Firefox on the Macintosh, and Safari on the Macintosh and on iPhones. (Google Chrome was the only browser on which no one was able to demonstrate security holes.) Another aspect of anti-virus considerations is that users who run Windows through Boot Camp or a third-party Windows virtual machine have Macintoshes that are vulnerable to both Macintosh and PC viruses.

What can you do about this? First of all, you should install virus protection software. On Windows, the best known programs are McAfee VirusScan and Norton AntiVirus; on the Mac OS, choices include Norton AntiVirus, McAfee VirusScan, and Intego VirusBarrier. Next, you should keep your operating system and browsers up to date. Operating system and browser developers regularly release patches (small fixes) to their software when they are able to thwart a known security threat. If you set your preferences to allow download and installation of these security patches, you will be less vulnerable to malware than you would otherwise be.

Genealogists prefer to focus their time on research and on evaluating sources, but the ability these days to do research depends on access to the Internet and to the files that have been scanned, downloaded, and created. If you invest a minimal amount of time in learning how to address password security, phishing attacks, and malware, you will likely avoid much more time-consuming and frustrating situations in the future, where you might lose some of your genealogical data or have your computer raided.

This article, which originally appeared in a slightly different form in the National Genealogical Society’s NGS Magazine, is republished here by permission.
