Computer security is a complex subject, and staying safe is no easy task. Paraphrasing a quote usually credited to computer scientist Gene Spafford (and often attributed to Bruce Schneier), the only secure computer in the world is one that is unplugged, encased in concrete, and buried underground, and even that one might be vulnerable. That reality aside, it is still worth reviewing the basic steps of computer security from time to time.
A general rule of thumb is, once an attacker has physical access to your computer, the game is up. So be smart: Don’t let just anyone use your computer, and don’t leave it unattended in an insecure place. Even at home, you may not be completely safe. Is your screen visible through an outside window? Do you know and trust your neighbors? Has there been recent criminal activity near where you live? Who else in your house has access to your computer? Ask yourself these questions when evaluating your physical security.
Treat any information that you store unencrypted on your computer as though it is going to be stolen. You probably wouldn’t care (as much) if someone took your grocery list or vacation photos, but tax returns, bank statements, account passwords, and confidential emails, to name just a few, are another matter altogether. As a rule of thumb, if you can’t stand to have it read by everyone, then make sure it can’t be read by anyone but you. (For a more thorough treatment of why cryptography is important and to get software recommendations, see “Nothing to hide? Hide it anyway.”)
Actually, “password” is now anachronistic; “passphrase” is probably the better term, since short, simple words won’t cut it in this day and age. A good passphrase is long (16 characters is not unreasonable), drawn from a large character set (upper- and lowercase letters, numbers, symbols, and whitespace), easy for you to remember, and, most importantly, hard for anyone else to guess. Furthermore, you should use a different passphrase for every account (so that if one is compromised, the damage is contained), change one promptly if you have any reason to suspect it has been exposed (length and uniqueness matter far more than scheduled rotation), and never reveal one to anyone you don’t trust completely.
These requirements are challenging to say the least, so a better solution is to let software pick – and remember! – your passwords for you. I like Keychain Access (built in) on Mac OS X and Password Safe (passwordsafe.sourceforge.net) for Windows.
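As an added example (not part of the original article, and not code from Keychain Access or Password Safe), here is what a password manager’s generator does behind the two paragraphs above: it picks characters with a cryptographic random source rather than a guessable one, measures the result in bits of entropy, and flags any accounts that share a passphrase. The character classes, the 16-character default and the toy vault are assumptions of the example.

```python
import math
import secrets
import string

# Character classes a generated passphrase can draw from. Whitespace is included
# because the advice above recommends it; drop it for sites that reject spaces.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
    "space": " ",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols", "space")


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate(length=16, class_names=ALL_CLASSES):
    """Draw `length` characters uniformly at random from the chosen classes.

    secrets.choice uses the OS CSPRNG; random.choice is seeded predictably and
    must never be used for secrets. Candidates are rejected until every class
    is represented and there is no leading/trailing space; that rejection costs
    a fraction of a bit of entropy, which is negligible at this length.
    """
    alphabet = "".join(CLASSES[name] for name in class_names)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if candidate != candidate.strip():
            continue
        if all(any(c in CLASSES[name] for c in candidate) for name in class_names):
            return candidate


def strength_report(length, class_names=ALL_CLASSES):
    """Bits of entropy a random passphrase of this shape would have, rounded."""
    alphabet_size = sum(len(CLASSES[name]) for name in class_names)
    return round(entropy_bits(length, alphabet_size), 1)


def reused_accounts(vault):
    """Group account names that share a passphrase; an empty list means no reuse.

    `vault` maps account name -> passphrase. It is a constructed stand-in for a
    manager's store; a real manager never keeps this mapping in plaintext.
    """
    by_secret = {}
    for account, secret in vault.items():
        by_secret.setdefault(secret, []).append(account)
    return sorted(sorted(names) for names in by_secret.values() if len(names) > 1)


if __name__ == "__main__":
    print("8 lowercase letters:", strength_report(8, ("lower",)), "bits")
    print("16 chars, all classes:", strength_report(16), "bits")
    print("generated:", repr(generate()))
    # Constructed vault: two accounts deliberately share a passphrase.
    sample_vault = {"bank": "correct horse", "email": "correct horse", "forum": "pX9!q"}
    print("reused on:", reused_accounts(sample_vault))
```

Eight lowercase letters come out at roughly 38 bits; sixteen characters over the full set at roughly 105 bits. The second figure is why you want software choosing the passphrase: nobody remembers sixteen random characters per account, and a manager does not have to.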
It goes almost without saying that you need to be especially cautious when using your computer in public. If you’re somewhere where you wouldn’t feel comfortable thumbing through your wallet, you shouldn’t use your computer there, either. Be aware of who is around you, especially if they have a view of your screen or seem suspicious. Make sure that no one can shoulder surf as you’re typing. If you’re traveling, make sure you know where your computer is at all times. Never set it down and walk away from it in places like airports and train stations, even if it’s in a bag (thieves know what laptop bags look like).
If you use a public Internet connection (whether wired or wireless), treat everything you do online as though it is being intercepted and read. If you need to do anything sensitive, make sure the connection itself is encrypted (HTTPS, not plain HTTP), and use a VPN if you have one. Avoid connecting to unknown Wi-Fi networks or those with suspicious names. If you are using VoIP or videoconferencing software, act as though your audio and video are being monitored. Make sure all your software, including the OS, is up to date, run antivirus and firewall software, and turn off features like file sharing and remote login before you go in public.
It’s nearly impossible to cover every possible scenario, but, in a nutshell, think carefully before you act.
If you get an email asking for your personal or account information, it’s probably a scam. Similarly, if you’re asked to visit a website for an unexpected reason (for example, to “verify” or “preserve” your account), you should be extremely cautious; it’s almost never the case that this is legitimately needed. Don’t click on any suspicious links (which might take you to a phishing website). Instead, type the company’s address into your browser yourself and check your account there. If you get a message and you’re not certain that it’s legitimate, don’t hesitate to call whatever company is supposedly contacting you, or email them at an address you already trust, to find out whether the message is a scam. And, of course, if you’re offered something that’s too good to be true (a large sum of money, a special business venture, a lottery winning, or something similar) it is almost certainly a fraud.
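The “don’t click, check the link” advice above can be made concrete. The following is an added example, not part of the original article and not a tool it recommends: a small Python triage that applies the checks a careful reader does by eye to a link from a message that claims to come from a given company. The sample links, the expected domain `paypal.com` and the two-label “registrable domain” shortcut are assumptions of the example; production code would consult the Public Suffix List instead.

```python
import ipaddress
from urllib.parse import urlsplit


def registered_domain(host):
    """Crude registrable domain: the last two labels (example.com).

    Assumption of this example; it is wrong for multi-part suffixes such as
    .co.uk, where the Public Suffix List is the correct tool.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_warnings(href, expected_domain):
    """Reasons a link is suspicious for a message claiming to be from expected_domain.

    An empty list means nothing obviously wrong; it is not proof of legitimacy.
    """
    warnings = []
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "https":
        warnings.append(f"not https: {parts.scheme or 'no scheme'}")
    host = parts.hostname or ""
    if parts.username is not None:
        # https://paypal.com@evil.example: the text before '@' is userinfo,
        # the browser actually goes to evil.example.
        warnings.append("userinfo before host hides the real host")
    if not host:
        warnings.append("no host")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a hostname")
        return warnings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label; may render as lookalike characters.
        warnings.append("punycode label, possible lookalike characters")
    if registered_domain(host) != expected_domain.lower():
        # Catches paypal.com.secure-login.example: 'paypal.com' is just a
        # subdomain prefix, the site belongs to secure-login.example.
        warnings.append(f"host {host} is not under {expected_domain}")
    return warnings


def display_text_mismatch(visible_text, href):
    """True when the link's visible text names one host but the href goes elsewhere."""
    shown_text = visible_text.strip()
    if "." not in shown_text or " " in shown_text:
        return False  # plain words like "Click here" name no host
    if "://" not in shown_text:
        shown_text = "https://" + shown_text
    shown = (urlsplit(shown_text).hostname or "").lower()
    actual = (urlsplit(href.strip()).hostname or "").lower()
    return shown != actual


# Constructed sample links, as they might appear in a message claiming to be
# from paypal.com. None of these hosts are real phishing sites.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login.example/verify",
    "https://paypal.com@evil.example/",
    "http://192.0.2.10/login",
    "https://xn--pypal-4ve.com/",
]


def triage(links=SAMPLE_LINKS, expected_domain="paypal.com"):
    """Map each link to its warnings so the safe one stands out from the rest."""
    return {href: link_warnings(href, expected_domain) for href in links}


if __name__ == "__main__":
    for href, problems in triage().items():
        print(href, "->", problems or "no obvious problem")
    print(display_text_mismatch("www.paypal.com/signin", "https://evil.example/p"))
```

The point of the last function is the oldest trick in phishing: the blue underlined text says one address and the actual link goes somewhere else. Hovering over a link shows the same thing; typing the address yourself sidesteps the question entirely.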
Outside of phishing emails, you should avoid visiting strange websites or downloading files (especially software) that you don’t recognize or that come from questionable sources. P2P file-sharing software is a particularly common vector for malware. If you are visiting an HTTPS website and your browser reports a problem with its certificate (it has expired, the name doesn’t match the site, or it is signed by an unknown Certificate Authority), it is always safer to cancel whatever you were doing than to click through: from your side, a man-in-the-middle (MITM) attack looks exactly like a certificate error, and the warning cannot tell you which one you are seeing. And, of course, be sure to update your OS regularly, and install, use, and keep up to date antivirus and firewall software.