WIRED: People in the know are finding it difficult to keep track of all the threats to the security of our data, writes DANNY O'BRIEN
I’M IN the middle of a refresher course on personal security, which, if you deal with any confidential information at all, I heartily recommend to everybody who can afford it, or can persuade their boss that they can afford it.
It helps if you have an entertaining trainer. Ours worked out the PIN number for an important safe by detecting how dirty each key was, and then trying combinations of the digits that looked the most worn. He also spotted and relayed passwords on Post-it notes, and charmed janitorial staff into letting him into the office after hours.
It sounds a little extreme – a little cloak-and-dagger – but the reaction I’ve had from friends and colleagues has followed the same pattern. “Nothing in my office or on my computer is of interest to anyone else,” they say. Then they pause, and add: “Oh, wait, actually . . .”
Then, thank goodness, they shut up.
Protecting yourself is, on one level, straightforward. You just build up patterns and habits to protect your possessions and your data. You use software like TrueCrypt to password-protect files and use a commonsense approach towards opening strange e-mails and choosing passwords.
But, Lord, it ain’t easy. We are sinners, all, when it comes to cyber security. I, for instance, have reused passwords or just chosen dumb ones in the past.
When you have someone around like my trainer, who takes a pranksterish delight in exposing the security flaws of even seasoned techies like me, you get paranoid.
Before I knew it, I realised that there were a dozen places where my security practices were weak. And, of course, that’s exactly where a determined attacker would attempt to hit me.
For instance, I’m guilty of using the same password on a few websites. But when I went to change them, I realised that all my sites use the same e-mail address, which I check using Google’s Gmail. Find my Gmail password, and all those unguessable passwords wouldn’t matter a jot.
So it’s good that I have a long and convoluted Gmail password, right?
Well, yes, except that I use the same password for syncing my Google calendar and contacts, for the GTalk messaging service and for documents. This means that it is stored somewhere on my phone and on a half-dozen or so messaging, calendaring and e-mail applications on my laptop and desktop.
Not any more, I hasten to add. But this means that I have to laboriously enter my (now super-secure and super-long) password every time these applications start up and, in a few cases, every time they try to synchronise their data.
Will I have the self-discipline to continue? If I do, it’s because I’ve worked all of this out myself, rather than being told to do it.
Most interactions with computer security folk aren’t quite as fun as mine. In most offices, they consist of receiving demanding memos from IT with a long list of requirements. The majority of us print these demands out, paste them up in our cubicle next to the Post-it note of our passwords, and promptly forget all about them.
Sometimes common sense and good advice fail us. As my trainer and I were chatting, I told him of some ongoing research into a potential future threat.
Many modern photocopiers and printers have a small hard-drive built into their hardware. A hard-drive is cheap these days, and a printer or copier uses it to temporarily store an image of whatever it is copying or printing.
The problem is that even the cheapest hard-drives can store vast amounts of data – and these printers and copiers only delete the stored copies when they run out of room. This means that all the confidential documents you photocopy or print with your office printer might still be contained within it – dating from years back.
It is not yet clear how widespread this problem is or what can be done to fix it. For now, it means that, not only do you have to keep an eye on your laptop and your mobile phone, but your office equipment is turning into a library of valuable documents.
My security trainer had not heard of this problem, but I can assure you that there are at least a few techies buying printers off eBay or Craigslist to see what’s inside.
At this point, most of them are like my trainer: curious about potential security problems, and motivated to investigate and highlight the dangers. But I’m sure an increasing number of them have rather more malicious intentions.
In the meantime, it’s yet another way that our precious information can leak out into the wrong hands. And when even the experts are having problems keeping track of all of these dangers, what are the rest of us to do?