Security tips to act on today

Security and giving away information

Security isn’t just down to other people choosing not to hack your device or a service you use – you have some control and some responsibilities too. As part of our ongoing weekly series on security, we review three measures you can take today to increase your security and privacy and that of the people you communicate with.

Keep distribution lists private

How often do you get an email from someone that includes swathes of other email addresses in the Cc field? Lucky you if the answer is ‘not often’. Dare I ask how often you *send* an email like that?

Apart from the bad manners of revealing lots of email addresses that I’m willing to bet have been displayed without their owners’ consent, it looks amateurish and spoils the layout of your email – depending on the system they use, the recipient may have to scroll through the lines and lines of addresses before reaching the body of the email, or they may realise it’s hardly personal and give up without bothering to read it.

So how do you prevent this and avoid jeopardising other people’s security? It’s very simple: when sending a mass email, ensure that the recipient addresses go in the Bcc (blind ‘carbon’ copy) field. Put your own address in the To field. That’s all it takes.

Be careful what information you record

It’s too easy to keep up a running commentary of our thoughts and actions across the breathtaking range of social media opportunities we have at our fingertips. Add to that devices that we actively configure to record our sleep, exercise, health – even our driving experience with dashboard cams.

The innocent face of this is to increase our own security and protect ourselves (proof that that white van simply pulled out in front of you) and help us to optimise our lifestyle for the benefit of our health. Consider though the implications of being on the wrong side of the law or a dispute. Clearly we aren’t going to encourage anybody to withhold evidence or do anything shady, but put it like this: information you don’t record can’t be twisted to be used against you.

Just imagine the fun an insurance company (yours, or someone else’s) could have with your health and fitness data. What if it could be proved that you were sleep-deprived or lacking food the morning you had a car accident (consider this case ongoing in Canada)? What if you’d taken to social media to vent your frustration with a child the day that child has to be taken to A&E with a broken arm? You’ll be 100% innocent of any wrongdoing, but now you may have to prove that because of the information you’ve broadcast and/or recorded.

You’ve all heard of children having parties while their parents are away, the time and venue making it onto social media and 300 uninvited guests arriving, with predictable results. Hilarious. What a numpty. But take a step back and draw the connection between that and the situation you could be creating for yourself.

Kill off obsolete accounts

Over the years we all accumulate vast numbers of accounts – forums, social networking, journal log-ins, multiple email accounts etc etc. It’s worth revisiting these from time to time and deleting any that you’re sure you no longer need. This minimises your exposure to hacking attacks as well as reducing the amount of information about you that’s available on the internet.

In most cases, certainly for personal non-work related accounts, it’s advisable to avoid using your real name for display purposes (clearly professional sites such as LinkedIn are an exception) and remember – never EVER re-use a password.


Smartphone security

Smartphone security – be informed

Smartphone security and the specific risks attached to increased smartphone use have attracted a lot of attention recently. Not only is the technology ever more sophisticated, inter-connected and beyond many people’s ken, but we rely on these phones in business and give them free access to much of what we do.

By sending information back and forth and connecting to myriad accounts and services we concentrate lots of valuable data about ourselves in one easy to intercept location. Here we outline three steps you can take today to minimise your exposure.

Reviewing connected apps & accounts

Do you run social media on your phone, using Twitter, LinkedIn, Instagram, Pinterest, Facebook etc for your business? Five minutes’ use of these platforms will show you that many people automate cross-platform posting so that every Facebook status update is tweeted and every Instagram post pops up on Tumblr – often with no accompanying information and without any suggestion of why we should want to schlep over to FB or Instagram to see it in its full glory.

There are lots of reasons for not cross-posting (from a content point of view, these platforms have different functions and audiences therefore your FB content isn’t suitable for Twitter and vice versa, and it bores audiences who follow you on several platforms to see the same content on each), but the most significant is that linking your accounts like this dramatically increases your exposure to hacking. If someone gets into one account it’s a short hop to compromise the others.

  • Review your linked accounts and consciously uncouple wherever you can.

Remove apps that sell information

Downloading a free app is always a gamble (and some paid ones are risky too – do your homework before downloading). Consider how the developer is going to monetise that app: it might be advertising, it might be anonymised user data gathering or it might be simply selling on your data, with or without – most likely without – your consent.

Consider this Flashlight case. First of all, what on earth is a torch app doing asking for access to such a range of data in the first place? It gets worse. To quote the Wired article linked to above:

The FTC has clamped down on another flashlight apps [sic] for doing downloading data for advertisers without informing consumers

Trying to find out precisely what information is being gathered (as opposed to simply the scope the app requests) is very difficult, and that’s in the developers’ interest. As the article goes on to say, there’s really no such thing as a free app.

As well as that article, listen to this brief podcast article from The Naked Scientists.

  • Pay attention to the permissions a new app asks for and don’t download it if it’s not essential and you have concerns

Apply software updates

Do you keep on top of your phone’s requests to update apps and software, or do you automate updating? Patches and updates come out in response to changes in external elements that apps use to run (i.e. not something within the developer’s control), in response to security concerns and calamities, and in order to offer you a better service or user experience.

You should have the option to authorise these updates manually (and change other settings such as downloading updates only over wifi so you don’t hammer your data allowance). Setting update to manual is a good idea if you want to keep close control over updates and have the option to review what they’re asking for. You might be surprised at what’s still lurking on your phone (you can uninstall anything you feel you don’t need any more – do you really need that eBay app these days, the one with your eBay password stored in it?) and what updates are asking to access.

  • Set updates to manual and review them with every update request


Security tips to act on today

Security – online and in the office

Security is an ongoing headache for most of us. Each week between now and our talk on security to the Inspire group on 13th May we’ll be delivering three security suggestions you can act on easily and quickly to tighten up computing security within your company.

Security of Public wifi

Going to a friend’s house and logging into their wifi is one thing. Yes you subject yourself to the security your friend may or may not have applied to their connection – ask questions if you need to or if the sensitivity of the data you’re sending requires it (in which case you shouldn’t really be doing it round your mate’s) – but it’s likely to be less risky than the sort of public wifi you can connect to in a café, hotel, hospital or other public space that selflessly provides wifi as a public service.

There are various models for providing free public wifi but be sure that someone somewhere is profiting, and it’s not just because you’ll drink three lattes while you use it. The security of the connection is completely beyond your control for a start. Secondly you have no idea what information the provider is taking as you communicate. Thirdly simply by logging onto that network you show up as an entity – one reason to be careful how you represent yourself.

Don’t click on unsolicited attachments

Attachments may look genuine but treat them with caution

Attachments – don’t you just love them? Fortunately some scammers are very bad at their jobs and make their dodgy attachments blatantly ones to avoid; others are far more subtle. The subject line and sender’s name can both seem very relevant to current projects, which is disturbing in itself, but nothing compared to what happens if you open the attachment.

Simple rule of thumb: if an unsolicited attachment comes from someone you’ve never heard of, ignore it. If you’re worried it’s something you need, ring the company (via a number you find independently, not the one provided in their nice helpful email) and use lots of judgment and scepticism.

If the attachment is from someone you know but still unsolicited it might be worth a text or call to find out what it is. Even genuine documents can contain viruses, so really be sure it’s worth the risk before you click.

Password protect devices

You know about the obvious things – phones, tablets, PCs. If you haven’t password-protected them do it now. A shape drawn on the screen, a number, a phrase or something more sophisticated such as facial recognition. Whatever your preference, implement some form of protection as a first line of defence.

Where it’s an option, employ a remote wiping utility such as Android Lost or a kill switch. The ubiquity of this sort of app is, so we read, having a huge impact on the number of smartphones stolen, with thefts down 40% in London.

Look more closely at other devices you use, particularly infrastructure such as routers and other home network devices. If you can change the password, do. Leaving this sort of device with the factory-set password makes it very vulnerable to exploitation.

Lastly anything you own that can come into the Internet of Things category: CHANGE THE PASSWORD.