<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>lolminimal &#187; Minimal Security</title>
	<atom:link href="http://lolminimal.wordpress.com/category/minimal-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://lolminimal.wordpress.com</link>
	<description>vedy fuhny.</description>
	<lastBuildDate>Fri, 12 Oct 2007 17:31:13 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain='lolminimal.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://www.gravatar.com/blavatar/f2d0c064e91f552b0a380cdbb67dd8f6?s=96&#038;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>lolminimal &#187; Minimal Security</title>
		<link>http://lolminimal.wordpress.com</link>
	</image>
			<item>
		<title>Minimal Security Part 2 &#8211; Going All In</title>
		<link>http://lolminimal.wordpress.com/2007/10/12/minimal-security-part-2-going-all-in/</link>
		<comments>http://lolminimal.wordpress.com/2007/10/12/minimal-security-part-2-going-all-in/#comments</comments>
		<pubDate>Fri, 12 Oct 2007 17:31:13 +0000</pubDate>
		<dc:creator>Noccy</dc:creator>
				<category><![CDATA[Minimal Security]]></category>

		<guid isPermaLink="false">http://lolminimal.wordpress.com/2007/10/12/minimal-security-part-2-going-all-in/</guid>
		<description><![CDATA[Something interesting hit me a few days ago. I was using Google when I noticed the feature &#8220;Web History&#8221;. Basically, it&#8217;s all about saving your web history to Google so that you can access it at a later time. I&#8217;m sure that&#8217;s an awesome feature, but I instantly got struck by the big &#8220;No No [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Something interesting hit me a few days ago. I was using Google when I noticed the feature &#8220;Web History&#8221;. Basically, it&#8217;s all about saving your web history to Google so that you can access it at a later time. I&#8217;m sure that&#8217;s an awesome feature, but I instantly got struck by the big &#8220;No No No&#8230;&#8221; which led to this post.</p>
<p>Most of the people reading this are Google users. I&#8217;m a big time Google fan. To be honest, I&#8217;m having a hard time trying to remember how I was able to browse the Internet effectively before Google. Their search engine is excellent, the notebook is handy, the online office productivity suite is not so bad either, Gmail leaves a bit to be desired but it&#8217;s innovative and useful, Google Maps and Google Earth fill the voids that are left since geography class, and there&#8217;s of course Google Video and YouTube, not to mention Google Groups. It&#8217;s fancy, that&#8217;s for sure.</p>
<p>What&#8217;s even better is that you have one single login for all these services. Or is it? If we just let our thoughts run wild here for a bit, we realize that with one unique key (john.doe@gmail.com) we can access a person&#8217;s e-mail account. The same unique key now gives us access to John&#8217;s Internet history so we know what web pages he has browsed. John&#8217;s spreadsheets and word processor documents are also available using the same identical key, linking them to the previously accessed Internet history as well as e-mail communications. Basically, you have got one key that unlocks a truckload of data about yourself, and you&#8217;re putting all this information in the hands of Google.</p>
<p><strong>The &#8220;Evil Villain&#8221; problem (a.k.a Big Brother Symptom)</strong></p>
<p>Please note that this scenario is not based on the information holder being evil, but rather on the fact that the information is present, and so are the tools to access it. But I&#8217;m gonna go &#8220;all in&#8221; here in honor of the post title. Just remember that what I&#8217;m writing here is not fact; it&#8217;s merely a mind game to help you think in a way that&#8217;s a bit more aware. In my opinion, there is a difference between awareness and paranoia, and when it comes to this topic I&#8217;m just being aware of the risks.</p>
<p>Now, imagine if Google was not at all formed in a garage back in 1998 by two college kids. Google was formed by two agents from the CIA, and it&#8217;s been government funded ever since. After a slow start it&#8217;s now become more or less every man&#8217;s online office. All the information you store, as well as your browsing habits and your e-mail/IM communications, is accessible to you, but also to the people that are in control of the country&#8217;s intelligence agency. It might be a bit far-fetched, and as I said it&#8217;s not based on any facts, but it still leaves one huge question unanswered: Who is really in control of your data?</p>
<p>What this all boils down to is trust. When you link information like this, it&#8217;s all about trust. The same question is valid for Yahoo, MSN, and all the other major actors who all offer a &#8220;one size fits all&#8221;-solution with e-mail, instant messaging, and a huge bundle of other Internet-related services. If you don&#8217;t trust the website, look for alternatives or register using incomplete details. Your online bookmarking site perhaps doesn&#8217;t need to know your full name or your address for example, while your favorite e-commerce site doesn&#8217;t really need to know if you&#8217;re married or single.</p>
<p>Sure, the purpose may be purely statistical, but don&#8217;t give a web site that you don&#8217;t trust any information that you would not give a stranger on the street. This is also related to the next scenario, which I&#8217;ve decided to call&#8230;</p>
<p><strong>Data-leak</strong></p>
<p>&#8230;which is a pretty wide term. Leaking of data could be either intentional or unintentional, but either way it could compromise security or cause harm. Doing a simple Google search on the topic renders a number of hits, such as &#8220;AT&amp;T online store hacked for credit card info&#8221;, &#8220;Steam Hacked, Credit Card Numbers Taken&#8221;, and &#8220;T.J. Maxx hack exposes consumer data&#8221;.</p>
<p>Credit card data is probably the most sensitive information that could be leaked. The cards themselves are based on more or less ancient technology (magnetic stripe) and lack proper security. But other information may also be just as sensitive. Perhaps you wouldn&#8217;t like people to go over your web searches, history, or e-mail even if you have got nothing to hide.</p>
<p>An intentional data leak is, for example, having your e-mail address listed in plain text on your profile page for anyone to see. I won&#8217;t cover this too closely, since you&#8217;re probably already aware of this risk. You usually browse around on, for example, a social networking website before registering, so you know what to expect. The unintentional leak is the more important one, as is knowing what&#8217;s at risk.</p>
<p><strong>Hacking Google!</strong></p>
<p>You know that co-worker that just seems to totally hate you? The guy that goes through your trash can in order to find something to report to your boss? Imagine if that co-worker managed to figure out your Google account details. Within a minute he would have in his hand every search you&#8217;ve ever made, which could be very compromising when taken out of context. He would also, as previously mentioned, have access to your browsing history and your e-mail.</p>
<p>Your single key, which is there only to simplify things for you, has now opened up the entire vault of your private life to someone that should not have access to it. With one single authentication token he can now access every little piece of information there is about your &#8220;online life&#8221;. Not really a nice scenario.</p>
<p><strong>What to do then?</strong></p>
<p>I covered passwords and online personas in the last post, so read that if you haven&#8217;t already. Personally, I don&#8217;t use Google or Yahoo for all my online business. I use Yahoo&#8217;s web based e-mail, I use Google&#8217;s web search, and I have a totally different user account at YouTube. None of the three sites share the same authentication data.</p>
<p>As always, this is a matter of trust. Who do you trust? I&#8217;ve chosen to trust my OpenID providers (I currently use two different providers), and I&#8217;ve chosen to trust Yahoo to keep my e-mail safe.</p>
<p>Who you trust is up to you. Just remember to think twice before sacrificing integrity or security for convenience.</p>
<p><strong>A final note</strong></p>
<p>I have made sure to write this throughout the article, but it can&#8217;t be stressed enough that Google is <u>not</u> an evil CIA corporation that&#8217;s trying to steal your identity. This article just used Google as an example, and you can safely go on using it without worrying. This article is not about Google or any other online service provider, but rather about awareness. This is also valid for Yahoo, YouTube or any other name mentioned here.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://lolminimal.wordpress.com/2007/10/12/minimal-security-part-2-going-all-in/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2a78cd9087e2948479e6e619ff2b4e8f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Noccy</media:title>
		</media:content>
	</item>
		<item>
		<title>Minimal Security Part 1 &#8211; It doesn&#8217;t have to be hard</title>
		<link>http://lolminimal.wordpress.com/2007/08/26/minimal-security-part-1-it-doesnt-have-to-be-hard/</link>
		<comments>http://lolminimal.wordpress.com/2007/08/26/minimal-security-part-1-it-doesnt-have-to-be-hard/#comments</comments>
		<pubDate>Sun, 26 Aug 2007 17:47:55 +0000</pubDate>
		<dc:creator>Noccy</dc:creator>
				<category><![CDATA[Minimal Security]]></category>

		<guid isPermaLink="false">http://lolminimal.wordpress.com/2007/08/26/minimal-security-part-1-it-doesnt-have-to-be-hard/</guid>
		<description><![CDATA[Welcome to the first part of Minimal Security. In this series of articles I&#8217;m gonna give you some pointers on how to make your system more secure, and also hopefully show that it is no rocket science &#8211; It&#8217;s just a matter of thinking one step ahead! So, let&#8217;s get started!
Passwords &#8211; What are they?
A [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Welcome to the first part of Minimal Security. In this series of articles I&#8217;m gonna give you some pointers on how to make your system more secure, and also hopefully show that it is not rocket science &#8211; it&#8217;s just a matter of thinking one step ahead! So, let&#8217;s get started!</p>
<p><strong>Passwords &#8211; What are they?</strong></p>
<p>A password is basically an authentication token, something that is used to identify you and give you access to something, for example your system, your e-mail, or your Internet banking web page. Normally this token consists of not only a password, but also a user name (or your e-mail address).</p>
<p>So, passwords are secure, right? Well, they can be. Passwords are mostly compromised because they are easy to guess or too simple, or through social engineering or irresponsible users. For example, having the password &#8220;fluffy&#8221;, after your dog, is probably not a good idea. Neither is your phone number, girlfriend&#8217;s name, birth date, et cetera. I think you get the idea here.</p>
<p>So what is a safe password then? Well, for the passwords I use, I tend to settle for no less than 10 characters. They also consist of both uppercase and lowercase letters as well as numbers, and no words that can be found in a dictionary. The easiest way to make the &#8220;fluffy&#8221; password a little bit more secure is to add something else to it, for example &#8220;fluf13fy&#8221;. Your dog&#8217;s name has now been split in two parts and had a number added somewhere in the middle, and obviously it&#8217;s not that easy to guess any more.</p>
<p>You can also use a third party application to keep track of your user names and passwords, for example <a href="http://passwordsafe.sourceforge.net">PasswordSafe</a>, which is also able to generate random passwords for you. Your credentials are saved in an encrypted file with a master password, and in order to log in to, for example, a website you just enter your user name, double-click the entry in PasswordSafe, and paste it in the password box. When you close PasswordSafe, the clipboard is automatically wiped.</p>
<p><strong>Irresponsible users</strong></p>
<p>I mentioned social engineering and irresponsible users earlier. These two go hand in hand, and both of these are actually related to the huge amount of credit card and Internet banking fraud lately. Your password should never ever be shared with anyone else. The banks explicitly state this in their security information, and yet people still hand out this information to &#8220;bank employees&#8221; over the phone in order to sort out some complications with their checking account. Here comes another part I mentioned: think <u>one step ahead</u>. The bank will never need your password. The bank runs the system. If they need to access your details, they can do so without your password.</p>
<p>The same goes for e-mails received from the bank, with the proper bank logotype et cetera, that include an attachment said to be &#8220;anti-virus software&#8221; or similar. You can be pretty certain that your bank will <u>never ever</u> send you an anti-virus program or any other program for that matter via e-mail.</p>
<p>It is just as irresponsible to hand your password over to your friend, your family etc. As a general rule of thumb, don&#8217;t give your password to anyone you would not trust with your keys and your wallet.</p>
<p><strong>Saved Passwords</strong></p>
<p>Saved passwords are excellent. I admit that I use them too. You know, that fancy box that pops up when you log on to a web site: &#8220;Would you like Firefox to remember this password&#8221;. It&#8217;s an awesome feature, but these passwords are saved and made accessible to <u>anybody that is using your computer</u>, and not only to you. The simple remedy to this problem is to enable the master password. In Firefox, this can be done in the options dialog in the tab &#8220;Security&#8221;. Check the box &#8220;Use a master password&#8221;, and use the command button next to it to change the master password. The next time Firefox feels an urge to auto-fill a login box with your user name and password, it will prompt you for your master password (if you haven&#8217;t entered it during the session, that is).</p>
<p>Your saved passwords are now available to you, and only you.</p>
<p><strong>Security on your Workstation</strong></p>
<p>All operating systems based on the Windows 2000/XP kernel have got a pretty sophisticated security layer running under the hood. This security layer, or subsystem, validates every request made and ensures that you have access to the object or the function that is requested. Your credentials are validated during login, and are then used every time a file is accessed or another file system or registry operation takes place.</p>
<p>It also offers the excellent ability to lock the workstation, either by hitting Ctrl-Alt-Delete and selecting &#8220;Lock Workstation&#8221; (for this to work, you have to disable &#8220;Fast user switching&#8221; in the control panel), by hitting Win-L (if you&#8217;re using Windows Explorer) or by hitting Win-Space (if you&#8217;re using bbLean). Screen savers can also be set to prompt you for your password before allowing you access to your system after the screen saver has closed. This is an excellent feature to keep nosy people away from your system, protecting your sensitive data and making sure things are still the way you left them when you return.</p>
<p>If you are using NTFS as your file system, you can also encrypt your files in order to make sure that they are safe from curious eyes and nosy people. To protect a file or a folder, right-click it and select &#8220;Properties&#8221;. Then click &#8220;Advanced&#8221; on the first property page, and check the box next to &#8220;Encrypt&#8221;. This file (or folder) is now a little bit more secure if your hard drive is ever lost or compromised.</p>
<p>You can also use virtual encrypted drives to protect your sensitive data; the best one I have found so far is <a href="http://truecrypt.sourceforge.net">TrueCrypt</a>, which is also open source and 100% free. It works by creating a file on your hard drive of a specific size, and then &#8220;mounting&#8221; this file as a virtual drive. You could for example create a 2 GB virtual drive as C:\myfiles.tc and have it appear as D: when the password has been properly entered. This file is in turn protected by strong encryption based on your password, and a possible key file (for example an image, an MP3 file, or just a random text file stored on your hard drive or on a USB memory stick).</p>
<p><strong>Virtual Identities</strong></p>
<p>Wow. That&#8217;s a fancy word for sure. What is a virtual identity then? Basically, a virtual identity is something that identifies you in the virtual world. Very often this is associated with your e-mail address or similar information, for example your Yahoo username &#8220;johndoe123&#8221; which has a corresponding e-mail address &#8220;johndoe123@yahoo.com&#8221;. The same is valid for MSN Messenger, where your virtual identity actually is your e-mail address.</p>
<p>Here in Sweden it has become more or less of a trend to have fancy web pages where you can win stuff, such as a plasma television or the latest cellphone, if you just recruit enough people to the website. Basically, the one who makes the most friends sign up will win the grand prize.</p>
<p>Who wants to enter all their friends&#8217; e-mail addresses? Nobody. Instead they offer a box to allow the web page to sign in to your messenger account and automatically inform your friends of the ongoing competition. I am not 100% certain, but I am pretty sure that there are no grand prizes in the end. At least not for the users. The thing is that when you share your virtual identity like this, you are first and foremost sharing your password with a third party that you don&#8217;t really trust. This is bad. But what&#8217;s even worse is that you are also exposing your friends&#8217; virtual identities to the website. These sites mostly harvest e-mail addresses, which are then sold to spam networks, and what you end up with is not a new fancy big screen television, but instead a flooded inbox. Once again, think one step ahead.</p>
<p><strong>Summary</strong></p>
<p>Security doesn&#8217;t have to be hard. It just requires you to think a little extra, just like you do when you swipe your credit card in the store and are about to enter your PIN code. You won&#8217;t pound in those magical 4 digits with someone looking over your shoulder. Or in a terminal that&#8217;s been glued together with a clerk looking more than suspicious. Yet, most people think it&#8217;s okay to recommend contests to their friends by giving up their user names and passwords. And honestly, isn&#8217;t your IM password the same as the one for your e-mail? And for your computer?</p>
<p>Think one step further.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://lolminimal.wordpress.com/2007/08/26/minimal-security-part-1-it-doesnt-have-to-be-hard/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2a78cd9087e2948479e6e619ff2b4e8f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Noccy</media:title>
		</media:content>
	</item>
	</channel>
</rss>