Encrypting Your Data – Think about it

Imagine that police arrest an individual for a simple traffic infraction, such as running a stop sign. Under the search incident to arrest doctrine, officers are entitled to search the body of the person they are arresting to ensure that he does not have any weapons or will not destroy any evidence. The search incident to an arrest is automatic and allows officers to open containers on the person, even if there is no probable cause to believe there is anything illegal inside of those containers. What happens, however, when the arrestee is carrying an iPhone in his pocket?

Now you might think this scenario is far-fetched, but it’s not really. Just imagine if you have your laptop, and the officer decides to search it. You may have data on there that is none of law enforcement’s business. As a matter of fact, none of it is their business!

Here’s another scenario that I preach to all my clients, family, and friends.

You can always replace your hardware if it gets stolen. You can’t replace your data or the damage done if someone gets their hands on it.

While you may think that you don’t keep enough data on your computer to matter, I bet the vast majority of you reading this post allow your email program or web browser (IE or Firefox) to remember your passwords. With that information, someone can have access to your email and a lot of other things. By using some social engineering combined with the data they are able to pore through, some serious damage can be done.

Oh – you didn’t think about that, did you? What about all those pictures of your family, kids, etc.?

Fortunately, there is a pretty easy solution to most of this. You need to install and use TrueCrypt. This simple, free, open-source program will solve just about all of those problems. You know all those stories in the news about stolen/lost laptops with tons of SSNs and personal data? Well, there is simply NO excuse for that. You can install TrueCrypt, create an encrypted container, put your important data in it, and that’s that. I actually use 2 containers. One is for my most important data that I cannot afford to lose. The 2nd container is used to hold my Thunderbird email and settings. As a bonus, I only have to back up 2 files – the TrueCrypt containers – and my backups are encrypted as well.

Another rule to remember: don’t have your browser remember your passwords. First, this means you will forget them. Time and time again, I revamp customer computer systems and they have no clue what their passwords are. Secondly, if someone does steal your computer (swiped laptop or breaking into your house and taking your desktop), then they may get a nice computer and whatever software you have installed, but they won’t have easy access to your email, banking sites, etc.

http://en.wikipedia.org/wiki/Post_Office_Protocol

Although plain text transmission of passwords in POP3 still commonly occurs, POP3 currently supports several authentication methods to provide varying levels of protection against illegitimate access to a user’s e-mail.

Here’s something else to think about: Did you know that the vast majority of email flies around the ‘Net in plain text? That’s right – your email has zero protection! Why do you think you should never ever ever send your SSN or credit card number via email? Let me give you a good example. People like me will sit at a hotel and run some network sniffing software. Your email client checks your email – I get to see your username, password, and email all sent across the network in the clear.

This is one of the reasons that I’ve been migrating and pushing most of my clients over to Gmail (Google’s email service). Gmail uses an SSL connection from your email client to their servers. This is actually more secure than using your browser since Gmail only uses SSL for the login with your browser. The best news is that all major email applications support it (some better than others – like Thunderbird), and it totally stops the hotel scenario. And it’s free!
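The cleartext-login problem and its SSL fix described above, as an added example that is not part of the original post: a small audit that classifies a mail client's POP3 account settings by whether the password would cross the network readable. The account dictionary schema, the host name and the sample CAPA replies are constructed for illustration.

```python
# Added example: classify POP3 client account settings by password exposure.
# CAPA reply format follows RFC 2449; STLS is the POP3 STARTTLS command (RFC 2595).

# Constructed sample server replies (not captured from a real server).
SAMPLE_CAPA = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\nUIDL\r\n.\r\n"
SAMPLE_CAPA_NO_TLS = "+OK\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"

def parse_capa(reply):
    """Parse a multi-line POP3 CAPA reply into {CAPABILITY: [arguments]}."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("+OK"):
        return {}  # -ERR or malformed: treat as no advertised capabilities
    caps = {}
    for ln in lines[1:]:
        if ln == ".":  # terminator of the multi-line reply
            break
        name, *args = ln.split()
        caps[name.upper()] = [a.upper() for a in args]
    return caps

def audit_account(account, capa_reply):
    """Return (verdict, advice) for one account dict.

    Hypothetical schema: 'host', 'port', 'security' in {'none', 'starttls', 'ssl'}.
    """
    caps = parse_capa(capa_reply)
    security = account["security"]
    if security not in ("none", "starttls", "ssl"):
        raise ValueError("unknown security mode: %r" % security)
    if security == "ssl":
        return ("protected", "TLS is negotiated before any POP3 command is sent")
    if security == "starttls":
        if "STLS" in caps:
            return ("protected", "client upgrades with STLS before USER/PASS")
        return ("misconfigured", "server does not advertise STLS; client must abort, not fall back")
    # security == 'none': USER/PASS (or SASL PLAIN/LOGIN) are readable on the wire
    if "STLS" in caps:
        return ("exposed", "enable STARTTLS: the server already advertises STLS")
    return ("exposed", "no STLS offered; use an implicit-TLS port or another provider")

if __name__ == "__main__":
    # Constructed account settings, as they might be read from a mail client profile.
    accounts = [
        {"host": "mail.example.net", "port": 110, "security": "none"},
        {"host": "mail.example.net", "port": 110, "security": "starttls"},
        {"host": "mail.example.net", "port": 995, "security": "ssl"},
    ]
    for acct in accounts:
        print(acct["port"], acct["security"], audit_account(acct, SAMPLE_CAPA))
```
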

Now, that doesn’t stop someone at Google from potentially viewing your email; nor does it stop anyone along the path from Google to the recipient’s email. As an example, many people use their ISP’s email systems – Comcast, Bellsouth/ATT, Verizon, etc. We can’t even trust them to deliver us the services we were sold and paid for. You think we can trust them with our email? The way around this is using something such as OpenPGP/Enigmail so that the entire contents are encrypted. Alternatively, you can do something as simple as create a small TrueCrypt container, put your message and contents in the container, and forward that as an attachment. Call the recipient and tell them the password. Simple but effective!

In the near future, I will be releasing several video tutorials on how to set this up. As always, if you want assistance in creating a relatively secure way to store your data, then contact me.

References:

The iPhone Meets the Fourth Amendment
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084503

www.truecrypt.org