Have you been Pwned?

One of my favorite webpages is haveibeenpwned.com. It tells you if a database containing your email address has been breached and the contents published online.

If you have more than a handful of internet accounts, there is a good chance that your data have already been leaked. Mine certainly have, due to multiple data breaches.

If you see that you have been pwned (gamerspeak for ‘owned’, which means someone ‘got one over on you’), don’t panic. There are two easy steps you need to follow to make sure this doesn’t cause you a lot of grief:

  1. Go to the website that was the source of the data leak and change your password.
  2. If you’ve used that password for any other websites, go to those websites and change your password.

Don’t just ignore the problem. You might think, “who cares if someone hacked into ponyphotos.com, I don’t have any sensitive information there.” You’re right that hackers aren’t interested in ponyphotos.com — but they are interested in your bank, and if you use the same password (or security questions, etc.) for your bank as you do for ponyphotos.com, then you’re in trouble.


Metadata and smart phones

Beware the ancillary information you post online when you upload photos to the web. From the NYTimes:

“Security experts and privacy advocates have recently begun warning about the potential dangers of geotags, which are embedded in photos and videos taken with GPS-equipped smartphones and digital cameras. Because the location data is not visible to the casual viewer, the concern is that many people may not realize it is there; and they could be compromising their privacy, if not their safety, when they post geotagged media online.”

Here is an example of geotag stalking in action.


IC3’s 2009 Report

Bald headed hitman

The latest Internet Crime Complaint Center report is out and I’ll be blogging interesting bits over the next couple of months.

Apparently, one of the newly fashionable scams starts with an email threat to your life:

In 2009, IC3 received several complaints presenting a new spin on the media coined “Hitman Scam,” a type of email extortion scheme. Victims are reportedly being threatened in an attempt to extort money. The victim receives an email from a member of an organization such as the “Ishmael Ghost Islamic Group.” The emailer claims to have been sent to assassinate the victim and the victim’s family members. The emailer asserts that the reason for the impending assassination resulted from an alleged offense, by the victim, against a member of the emailer’s gang. In a bizarre twist however, the emailer reveals that upon obtaining the victim’s information, another member of the gang (purported to know a member of the victim’s extended family) pleaded for the victim’s pardon. The emailer alleges that an agreement was reached with the pleading gang member to allow the victim pardon from assassination, if the victim takes some action such as sending $800 to a receiver in the United Kingdom for the migration of Islamic expatriates from the United States. Victims of this email are typically instructed to send the money via Western Union® or Money Gram® to a receiver in the United Kingdom. The emailer often gives the victim 72 hours to send the money or else pay with his/her life.

Respond as you would to any other extortion attempt or threat to your safety: inform the police.


Monozygotics have all the fun

Of course, investigators would have been equally stymied by limited-evidence crimes involving non-twins before DNA analysis was possible, but our expectations are higher now:

Saved by their indistinguishable DNA, identical twins suspected in a massive jewelry heist have been set free. Neither could be exclusively linked to the DNA evidence.


Cloud computing and security

I expect a lot more of this sort of thing in the next couple of years. But that doesn’t mean you should completely shun cloud computing.

Security is not a switch

As always, the decision to use Google Docs or any other cloud service is not made by asking, “Do security dangers exist?” Rather, you should ask, “Is the mix of benefits and security risks for cloud computing more or less attractive than the mix of risks and benefits involved in keeping all of my files on my laptop?”

Keeping all of your files on your own storage media is attractive in several ways. You have complete control over your files, and you can’t lose them or lose control over access rights unless you make a mistake (fail to back-up your files, fail to encrypt your files, fail to prevent someone from stealing your hard disk, etc.).

But some mistakes are pretty tough to prevent. Consider the situation where you are typing on your laptop in a cafe, and someone grabs and dashes with your laptop. Suddenly, you’ve lost all the files you haven’t backed up, and you’ve lost control over everything you haven’t encrypted.

Floating on a cloud

If you had been working on one document among many that is hosted in a cloud, the dasher would probably just get access to whatever he could click on in the time it would take you to change the password to your account. (That seems true as long as the website in question requires the old password to be typed in before a new password can be created.) Not a great position to be in, but cloud computing comes off looking okay, especially if you aren’t the type who encrypts every file stored on his hard drive (and who is?).

The tradeoff is that you have to trust that the cloud computing company is better at backing up your files and preventing unwanted access than you would be. But what happens when their servers get hacked, a disgruntled employee sabotages data, the company gets acquired, or the company goes out of business? Your data in each of those situations is in danger.

It will be interesting to see how cloud computing develops and how popular it becomes. So far, it seems that most people prefer to keep important files on their own computers, but that may change.
