Defending The Kingdom

One of my favorite webpages is haveibeenpwned.com. It tells you if a database containing your email address has been breached and the contents published online.

If you have more than a handful of internet accounts, there is a good chance that your data have already been leaked. Mine certainly have, due to multiple data breaches.

If you see that you have been pwned (gamerspeak for ‘owned’, which means someone ‘got one over on you’), don’t panic. There are two easy steps you need to follow to make sure this doesn’t cause you a lot of grief:

1. Go to the website that was the source of the data leak and change your password.
2. If you’ve used that password for any other websites, go to those websites and change your password.

Don’t just ignore the problem. You might think, “who cares if someone hacked into ponyphotos.com, I don’t have any sensitive information there.” You’re right that hackers aren’t interested in ponyphotos.com — but they are interested in your bank and if you use the same password (or security questions, etc.) for your bank as you do for ponyphotos.com then you’re in trouble.

Introduction

Many software review sites don’t mention security. That may be because security can be difficult to assess from the outside, unless you’re a hacker. However, we have noticed that some review sites do consider security and they do it in a way that may seem surprising at first: they simply ask, “does the company’s website talk about security?” Does that make sense? Let’s look at an example to find out.

Example of a document automation review website that assesses security

Documentautomationreviews.com is an example of a website that reviews document automation software and incorporates the security of the software into its grading system.

The reality is that the security of each document automation software package is opaque, and difficult to impossible for an outsider to assess, at least apart from engaging in a penetration test.

However, documentautomationreviews.com takes a simple tack: it simply checks whether the document automation software vendor discusses security on its website. If it does, the company is deemed to have a degree of security conscientiousness; if it doesn’t, the company is deemed to have potentially overlooked security issues.

Is this technique helpful?

While mentioning security on one’s website may be superficial, we agree that it does indicate whether the company’s staff are at least somewhat security conscious and thinking about security. It’s an imperfect metric, to be sure, but we think it’s better than nothing!

So the next time you’re considering buying document automation software, consider browsing their website and observing whether the website talks about security. It’s not a guarantee, but if they mention it they are more likely to take security concerns seriously than if they fail to mention it altogether.

When buying or subscribing to document automation software, you need to take security into account. But how can you know what to look for and what questions to ask potential vendors?

We think you should focus on two specific security risks: transit risk and storage risk.

Transit risk for document automation software

You should ask potential document automation software vendors if their “software client”, which will be installed on your PC, will communicate with their server. If so, you should ask if that communication is encrypted.

If the vendor mentions TLS (new name) or SSL (old name) encryption, then you’re probably in good shape. If they don’t mention any encryption, you should be concerned that your communication could be eavesdropped on via a man-in-the-middle attack.

Storage risk for document automation software

The other risk you need to pay attention to is storage risk. While your information may arrive safely on the document automation provider’s servers, if those servers are poorly protected a hacker might sneak in and grab your information.

So ask about the measures the document automation provider takes to secure documents when “at rest” or “in storage”. They should mention firewalls and possibly even encryption at rest.

However, there is one method of security that is even better than those: a document automation provider that deletes all uploaded content within a specified time range is the most secure of all. It’s impossible for a hacker to steal something that isn’t there.

This is the approach taken by some document automation software providers. Epsillion document automation is an example of a company that deletes customer-uploaded documents on a schedule the company agrees with each client.

Conclusion

In conclusion, consider both transit risk and storage risk when choosing a document automation software provider. Conscientious vendors take security precautions like encryption and regular deletion. It’s your right to ask potential vendors about their security precautions before you agree to become their customer. After all, the customer is always right!

James Fallows had an article in the Atlantic last year that did a good job of scaring the wits out of me, as any entertaining and informative security article should. Fallows described what happened when his wife’s Gmail account was hacked and she (briefly, before friends of theirs at Google saved the day) lost the entire contents of her Gmail account. The experience got Fallows thinking about how vulnerable we are when we store our information in the cloud.

My passwords are strong — and I’m hoping yours are too after reading the articles on DtheK — but what if your account gets broken into anyway, either through a server problem, hacker, or some other issue? Most of us would be willing to expend considerable effort to prevent the loss of all of our email data in such a worst case scenario, so I’ve compiled a few ways you can protect yourself. Each method is rated by difficulty, using the “Grandma Frustration-O-Meter” gold standard.

Options for backing up your email accounts

1. Use a desktop client like Microsoft Outlook, Zimbra, or Mozilla Firebird to download and store copies of your emails on your hard drive. Grandma-Frustration-O-Meter: What the dang is POP3? Aaack!
2. If you want to backup a Gmail account, start a new Hotmail account. Then ask Hotmail to store copies of your emails. Or vice versa if you use Hotmail and want Gmail to store your emails. I haven’t looked into Yahoo, but I’m guessing something similar might work for that. Grandma-Frustration-O-Meter: Goes down easier than a warm glass of milk.
3. Use Gmail Backup and hope that it is not stealing your password information like the program described here. User beware, but one reason to trust it is that it is featured on the Google Apps Marketplace; another reason is that Softpedia certifies it as a clean program, free of adware, spyware, and viruses. Grandma-Frustration-O-Meter: I have to remember to run the program monthly? Okey dokey. What? Where am I?
4. Use Backupify, an online service that claims to be able to store all of your Gmail account information and settings, then restore it to a Gmail account at any time. Sounds great, but of course you have to trust Backupify with your email content. Even if you trust Backupify to keep your information private, you now have to worry about two websites that could potentially get hacked instead of just one. Grandma-Frustration-O-Meter: Remember the warm glass of milk? It’s like that, but pricier.
5. Pray. Don’t worry about backups, use the password “Lucky123” for every account on the internet, and pray that trouble won’t befall you. Grandma-Frustration-O-Meter: Ignorance is bliss… while it lasts

While I am uneasy about giving my email password to anyone but Google, I have chosen options 1 and 2 (note that options 3 and 4 require trusting another program, company, or website with your password, too). Make your choice, and may the odds be ever in your favor.

A better than nothing video guide to asking Google not to keep as much information about your online behavior as they otherwise might.

It’s still a black box, though, and the only real assurance you have is that Google has some incentives to stay nice. It doesn’t always work out that way, of course.

In Google’s favor, notice how complete domination of the search market has lead the company to provide services that look a lot like public goods. Here is Wikiipedia on public goods.