
Cyber Security


How to Protect Yourself in a Connected World

As genealogists, we are often online, whether using scanned records from a subscription site, searching through transcriptions on GenWeb, volunteering for a local society, or sending e-mail to a recently found cousin. Being online as much as we are, we assume some risks. While these risks are manageable, and do not outweigh the value of computing and Internet use for genealogists, it is important to assess your risk level and take steps to limit potential attacks. Let me walk you through some of the things you should consider.

Create Secure Passwords

With all of the passwords we need to create and remember, it is tempting to have a single, memorable password for e-mail, subscription sites, and financial institutions. Doing so puts you at risk. If your password is memorable for you, it can probably be guessed by someone else or by a computer program. And if you have only one password, anyone who guesses it has access to all of your accounts. Good password security means passwords that cannot be guessed: not a date, not a name, and not a word found in any dictionary. Password-cracking programs try millions of guesses per second, starting with dictionary words, names, dates, and common patterns such as a word with a digit and a symbol tacked onto the end. Instead, your passwords should be long and should mix upper- and lower-case characters, numerals, and symbols. There are websites that can produce random, secure passwords; for example, PC Tools offers one at www.pctools.com/guides/password/. Of course, having dozens of passwords, all of them difficult to remember, presents its own problem: human memory has its limits.
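The following Python code is an added example, not part of the original article or of any product it mentions. It generates the kind of password the paragraph describes from the operating system's random number source, then contrasts it with a "word plus decoration" password of the same character mix to show why the mix alone is not the measure of strength. The symbol set, the 16-character default, the small word list and the assumed guess rate are illustrative assumptions.

```python
import math
import secrets
import string

# The four character classes the article recommends mixing. The symbol set is
# an assumption for this example; use whatever the target site accepts.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())

# Constructed stand-in for a cracking dictionary; real lists hold millions of entries.
COMMON_WORDS = {"password", "genealogy", "ancestry", "letmein", "welcome"}


def has_all_classes(password: str) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Draw a password with the OS CSPRNG (secrets), not random.choice.

    The random module is a Mersenne Twister: an attacker who sees enough of its
    output can predict the rest. secrets.choice reads from os.urandom.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):  # rejection sampling keeps the draw uniform
            return candidate


def looks_like_dictionary_word(password: str) -> bool:
    """Catch the 'Password1!' pattern: a common word with digits/symbols tacked on.

    Crackers try exactly these decorations first, so such a password is far
    weaker than its character mix suggests.
    """
    core = password.lower().strip(string.digits + string.punctuation)
    return core in COMMON_WORDS


def entropy_bits(password: str) -> float:
    """Guessing entropy if every character were chosen uniformly from the
    classes present. This is an upper bound: honest for generate_password
    output, wildly optimistic for a human-chosen password."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the keyspace at the given guess rate.
    1e10 guesses/s is an assumed figure for an offline attack on a fast hash."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Summarise why 'Password1!' is weak although it mixes all four classes."""
    bits = entropy_bits(password)
    return {
        "all_classes": has_all_classes(password),
        "dictionary_based": looks_like_dictionary_word(password),
        "naive_bits": round(bits, 1),
        "naive_years": years_to_crack(bits),
    }


if __name__ == "__main__":
    print(assess("Password1!"))
    print(assess(generate_password()))
```

Both passwords pass the "all four classes" test, but the first is a dictionary word with a decoration that cracking tools try early, so its naive entropy figure means nothing; the generated one really does have roughly the entropy the arithmetic claims.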

There is the tried-and-true method of writing things down, but you certainly do not want to lose a notebook of your passwords. And since you might not want to take your password list out of the house, you will not be able to log in to your subscription research sites from Starbucks. Another method, which I recommend, is storing your passwords in a password manager, either online or offline. This may seem counter-intuitive, but it works. Programs such as RoboForm and websites such as LastPass encrypt your passwords and then store them on your computer's hard disk or in the cloud.

RoboForm runs on Windows and stores all the password data on your hard drive in one of a number of encryption formats. You can also purchase a version that runs on a USB key, so you can take it with you. LastPass stores your passwords in encrypted form in the cloud, in other words, potentially on a number of servers across the Internet. For added security, you can get a USB key to provide another level of validation. Access to the passwords then requires that the key, which is specially configured for your account, be plugged into your computer, and that you know the e-mail address and password of the account. If you lose the key, you can reset the account by a request on the website, which you then must confirm from your previously associated e-mail account.

Avoid E-mail Scams

Bulk e-mail is a very cost-effective way for criminals to steal data. Spammers can send out millions of messages for almost nothing, and if only a few people respond in ways the spammers can exploit, the campaign has paid for itself. The main form of e-mail scam these days is called "phishing." In a phishing attack, the scammer sends an e-mail that pretends to have a legitimate purpose and asks you to log in to a site, to send your password by return e-mail, or in some other way to hand over credentials (user name and password combinations) that would give access to one or more of your accounts or your private data. The e-mail can look very official, but it often has tell-tale signs: words are misspelled, and URLs are slightly different from the real ones, either in a way you can readily see or only in the underlying HTML link target, which you can check by hovering your mouse over the link before clicking it.

To protect yourself, the best first step is to have good spam filtering. Gmail from Google includes some of the best spam filtering available. Gmail is also free and is easy to set up. Very rarely do I see a phishing attack in my Gmail inbox; but the spam folder on Gmail is full of phishing attacks. In addition to e-mail filtering, you can set up lists of e-mail addresses and domains so as always to allow (white list) or disallow (black list) mail from those sources. For example, if you want to make sure that mail from your cousin Sheila gets through, you would white list her e-mail address. On the other hand, if you had received malicious e-mail from paypal.net (not PayPal.com), you might black list any mail coming from the domain paypal.net. Many service providers also maintain their own black lists of known or suspected sources of spam and malware.

Once you have spam filtering, and even if you have a black list and white list set up, some phishing attacks will get through. To keep your data safe, use caution when responding to e-mail. The sender address shown in your e-mail software can be forged, so the mail might not come from where it appears to. If you believe that your bank may actually be contacting you via e-mail, do not simply click on a link in the e-mail, hit the reply button, or call a phone number given in the e-mail. Contact the bank directly, either by typing its Web address in your browser yourself, by sending e-mail to an address you enter yourself, or by calling the bank at a phone number you already have on file for it. If the e-mail was legitimate, a copy of it will be in your online account, and it should also be available to the bank's customer service personnel when you call.
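As an added example that is not part of the original article, the following Python code applies the checks described in the three paragraphs above to a raw e-mail message: the white list and black list, a display name that claims a brand while the actual address is on a different domain, and link text that shows one host while the underlying HTML target points at another (including lookalikes such as a trusted domain buried inside a longer host name). The sample messages, the lists and the brand table are constructed assumptions for illustration; the domain-splitting helper assumes a one-label public suffix, which a production filter would replace with the Public Suffix List.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for this example (not real mail). PHISH imitates
# the pattern the article describes; COUSIN is ordinary mail from a relative.
PHISH = b"""From: "PayPal Service" <security@paypal.net>
To: researcher@example.com
Subject: Your acount has been limited
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer, your acount has been limited. Please visit
<a href="http://paypal.com.verify-login.example/signin">https://www.paypal.com/signin</a>
to restore acess, or read our <a href="https://www.paypal.com/policy">policy</a>.</p>
</body></html>
"""

COUSIN = b"""From: Sheila <sheila@example.org>
To: researcher@example.com
Subject: Found the 1871 census entry
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://www.familysearch.org/">https://www.familysearch.org/</a></p></body></html>
"""

# Assumed lists: the article's white list and black list, plus brands that
# should only ever write from their real domain.
ALLOWLIST = {"sheila@example.org"}
BLOCKLIST_DOMAINS = {"paypal.net"}
TRUSTED_BRANDS = {"paypal": "paypal.com"}


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'. Assumes a one-label public suffix."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible anchor text that looks like a URL or bare host name.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]|$)")


def analyze(raw: bytes) -> dict:
    """Return a verdict and the tell-tale signs found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"]
    addr = sender.addresses[0] if sender and sender.addresses else None
    addr_spec = addr.addr_spec.lower() if addr else ""
    sender_domain = registrable_domain(addr.domain) if addr and addr.domain else ""
    display = addr.display_name.lower() if addr else ""

    if addr_spec in ALLOWLIST:  # white list: always let it through
        return {"verdict": "allow", "sender": addr_spec, "findings": []}
    if sender_domain in BLOCKLIST_DOMAINS:  # black list: the paypal.net case
        findings.append(f"sender domain {sender_domain} is black listed")
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in display and sender_domain != real_domain:
            findings.append(f"display name claims {brand} but address is @{sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        for brand, real_domain in TRUSTED_BRANDS.items():
            if real_domain in href_host and registrable_domain(href_host) != real_domain:
                findings.append(f"lookalike host {href_host} is not {real_domain}")
    return {"verdict": "suspicious" if findings else "clean",
            "sender": addr_spec, "findings": findings}


if __name__ == "__main__":
    for sample in (PHISH, COUSIN):
        print(analyze(sample))
```

Run against PHISH, the code reports four findings: the black-listed sender domain, the PayPal display name on a paypal.net address, the link whose text reads www.paypal.com but resolves to paypal.com.verify-login.example, and that same host as a lookalike. The second link, which really does go to www.paypal.com, is not flagged. COUSIN is allowed outright because the address is white listed, which is exactly the behaviour the article wants for mail from a relative.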

Thwart Viruses and Malware

Malware is software that is designed to do harm. It can be embedded in software programs or files, and it can be hidden in what look like harmless websites. This is a risk whether you are on a Windows or a Mac computer.

Over the years, Macintosh enthusiasts like me have boasted that its operating system is immune to these kinds of attacks. Despite the fact that we can be annoying, even PC devotees have to admit that the number of malware programs aimed directly at the Mac OS has remained low. There have been no major virus outbreaks on Mac OS X, but this may be on the verge of changing. Even Mac OS X users have to use a browser to navigate the Web, and any software designed to request files from the Internet will have vulnerabilities. At the CanSecWest digital security conference in Vancouver this spring, computer security engineers demonstrated the ability to exploit Internet Explorer on Windows, Firefox on the Macintosh, and Safari on the Macintosh and on iPhones. (Google Chrome was the only browser on which no one was able to demonstrate security holes.) Another consideration is that users who run Windows through Boot Camp or a third-party virtual machine have Macintoshes that are vulnerable to both Macintosh and PC viruses.

What can you do about this? First of all, you should install anti-virus software. On Windows, the best-known programs are McAfee VirusScan and Norton AntiVirus; on the Mac OS, choices include Norton AntiVirus, McAfee VirusScan, and Intego VirusBarrier. Next, you should keep your operating system and browsers up to date. Operating system and browser developers regularly release patches (small fixes) to their software when a security flaw becomes known, and attackers often target users who have not yet applied them. If you set your preferences to download and install these security patches automatically, you will be far less vulnerable to malware than you would otherwise be.

Genealogists prefer to focus their time on research and on evaluating sources, but the ability these days to do research depends on access to the Internet and to the files that have been scanned, downloaded, and created. If you invest a minimal amount of time in learning how to address password security, phishing attacks, and malware, you will likely avoid much more time-consuming and frustrating situations in the future, where you might lose some of your genealogical data or have your computer raided.

This article, which originally appeared in a slightly different form in the National Genealogical Society's NGS Magazine, is republished here by permission.
