Computer Security

Computer security and personal privacy are ever increasing problems, and the issues have recently broadened to include smart phones and tablets. This page is an effort to give you some pointers in the event you are concerned with privacy and security. If you are a member of the BU community you are welcome to help edit this page – any efforts to help improve this information and keep it up to date are appreciated.

A first thought is that there are two programs which always seem vulnerable: java and internet explorer. If you must use them, keep them up to date. Java is so insecure I have simply uninstalled it and manage to live a fine life without it – their last exploit has exposed over one BILLION devices. Best thing to do with IE is to not use it.

 

Good security practices

The National Security Agency has developed an excellent document.  I have stored a copy of their current (June, 2013) PDF here.

E-Mail

No system manager will ever request your password in an e-mail – do not fall for this. You do not need to send me the e-mail and ask about it – it is a scam. Guaranteed. Every time.

Also beware of file attachments and web links in e-mails. If you do not know the person sending the e-mail, do not open unexpected links or attachments – this is a great way for them to introduce a virus into your system. Just delete the e-mail or arrachment – if it was something you think might be legitimate contact the sender to make sure.

Use a password manager

Your best line of defense is using good passwords and not using the same password multiple times. This is somewhat painful, so I suggest using a password manager – this will encourage you to diversify and strengthen your passwords. I use LastPass:

https://lastpass.com

I use it so much I went crazy and ponied up the $1 a month for the full version. Seemingly works on everything: computers, tablets, and phones, and keeps them all in synch.

Note that some sites won’t even let you set a decent password – if this is the case try to make your account name as obscure as possible. In general you should endeavor to not use the same username everywhere – it makes you much easier to track. At least attempt to use new account names for sites that contain important information.

Protect private information

Think about the information you are providing to the internet, particularly to the public. If you post your home address and provide information about your current location, you are essentially telling thieves when they can rob your home. The trick here is you might post one piece of information on facebook and another on twitter, or something like that, and not realize the sum of the information might be available to thieves. Do not put it past them to combine the information – you probably provide the links between the various sites by re-using your username, posting links on a web page, etc.

You can also encrypt sensitive information so that if your device is stolen and the thieves manage to break in, they can’t get this information anyway. I find truecrypt

http://www.truecrypt.org/

fairly easy to use and it is quite secure. An advantage of truecrypt is it is not dependent on the operating system, so if you want to be able to read the files on mac or windows or linux, you are better off setting up a truecrypt volume. You can also encrypt whole drives using truecrypt, although I found this painful in practice, or some computers provide this service for you. By the way, if you encrypt a directory or drive, you need to make sure you keep a secure copy of your password (e.g. in lastpass), because nobody is going to be able to help you recover your files if you lose it.

Run a virus checker

There are good free ones available. For personal use under windows, Microsoft Security Essentials

http://windows.microsoft.com/mse

is a good choice. BU currently provides free access to McAfee

http://www.bu.edu/tech/desktop/virus-protection-security/mcafee/

for our users – windows or mac.

You must update

Virtually all software has bugs. As security holes are uncovered, good software vendors update their software. As you install software make sure to choose an auto-update option if provided. Your operating system and virus checker should be checking frequently for updates, probably nightly. Once a notice goes out about a vulnerability, it is quickly exploited, so if you are running out of date software you will be attacked.

Phone Security

If you have a smart phone or a tablet, you should change your log in to something reasonable. Most phones I’ve used default to a 4 digit code to log in, which is simply unacceptable. Check here:

http://howsecureismypassword.net/

when I type in a 4 digit code the answer is “Your password would be cracked almost Instantly” – not reassuring. If your phone can access your e-mail and other information you would like secure, you should change your log in to something acceptable. An iphone will allow you to change to an alphanumeric log in, and I assume most other phones will as well. I urge you to do so. Remember to make a secure password you should mix alphanumeric, digits, and symbols, and the longer the better. By way of example, I change ’1234′ (instant break) to ’1234boston*’ and the break time goes up to 48 years – I can live with that.

You should also consider what happens when you lose your phone or it is stolen. On my iPhone I set the phone to erase itself after 10 failed login attempts – even if I fail 10 times (which would be pathetic…) I can recover it using a backup. I also turn on ‘Find my iPhone’ to help me find where it went. I imagine there are equivalent settings for whatever phone o/s you have.

Security related web sites

Security Now podcast

If you are interested in security issues, you can listen to this weekly podcast to stay up to date.

http://twit.tv/show/security-now

BU’s InfoSec page

Nice site with plenty of info. Also a twitter feed (buinfosec):

http://www.bu.edu/infosec/

Information on storing confidential information on your Google drive:

http://www.bu.edu/infosec/policies/google-drive-security/#GD Security

Tools for a Safer PC

From the Krebs on Security site, a page all about securing your PC from one of the world’s experts:

http://krebsonsecurity.com/tools-for-a-safer-pc/

BU Police laptop registration

They will (for free) put a plate on your laptop to discourage theft and encourage recovery.

http://www.bu.edu/police/services/laptop/

Laptops are the favorite targets of thieves at BU. Keep a close eye on yours, but I recommend registering it and insuring yours as a precaution.