Oct 16, 2014

    6 ways to protect your data in cyberspace

    THIS would be remembered as the Year of the Hack, if next year didn't promise even more cyber security breaches. Ordinary users shouldn't wait for businesses and governments to respond to the growing threat.

    This year's spectacular revelations include the theft of 145 million personal records from eBay, and the acknowledgment by JPMorgan Chase that 76 million households and seven million small businesses may have been affected by a data breach.

    On Monday, hackers claimed to have obtained millions of passwords from Dropbox. These reports followed news of tens of millions of compromised credit card numbers at Target, Home Depot, WalMart, PF Chang and Nieman Marcus.

    Other as yet undisclosed thefts could be linked to two longstanding vulnerabilities in open-source software known as Heartbleed and Shellshock, discovered in recent months. In addition, we have seen the release of celebrities' naked pictures stolen from Apple's iCloud and images of ordinary youngsters lifted from Snapchat.

    There was also the theft of classified data by at least two groups of Russian hackers, one using malware called Snake and the other dubbed SandWorm by the cyber security company that discovered it. Perhaps the best way to get a general picture of global information (in)security is an interactive map produced by Russian cyber security company Kaspersky Lab.

    According to PricewaterhouseCoopers, which surveyed 9,700 executives in 154 countries in April and May, there were 42.8 million reported incidents this year, up 48 per cent from last year's survey. The number of companies reporting losses of more than US$20 million (S$26 million) doubled compared with last year. At the same time, investment in information security is down 4 per cent from the year before.

    In this game, innocent bystanders may be most likely to get hurt. Here are six rules for protecting yourself:

    Keep nothing on any of your devices, or in the cloud, that you wouldn't want the world to see


    These include Dropbox and iCloud, even if the former says no user credentials have been compromised and the latter has added two-factor authentication requiring access to a user's phone.

    All computer systems are vulnerable because humans write code. A vulnerability could lurk for years, as Heartbleed and Shellshock did.

    It is much safer to keep your data under a loose floorboard than on a major company's cloud service: Only someone who is intensely interested in you will search your apartment, but Internet services are subjected to generic, wholesale attacks.

    Don't send any sensitive information over the Internet.

    Kids thought Snapchat was a safe way to sext because pictures and videos disappear after being viewed.

    It turns out that an outside developer found a way to store the content and someone else broke into the storage.

    Besides, governments are watching, and even if you don't believe Edward Snowden's story of National Security Agency staff passing around naked photos obtained through blanket surveillance, it could happen.

    Block e-mail messages from people you don't know.

    They are much more likely to be spam and phishing attempts than legitimate correspondence. Those who really need to reach you can contact you via social networks.

    Never open any e-mail attachments unless you've discussed them with the sender. SandWorm used a previously unknown Windows vulnerability to get into Ukrainian and North Atlantic Treaty Organisation member networks, but they needed a user to open a "weaponised" PowerPoint file.

    That unnecessary click can get you fired and your organisation robbed blind.

    The credit card you use online should have a spending limit that reflects the amount that you would be comfortable losing to thieves and, perhaps, never recovering.

    Virtual cards that are never used again are best for big purchases. The credit card you use offline should have a chip and require a PIN code to pay a merchant.

    If you don't have a chip card, don't use plastic to pay small merchants - few invest in data security.

    Vault applications that store your many passwords are just as vulnerable as any other services, regardless of the claims they make about encryption and not storing your data.

    True, none of the widely available vaults has been cracked, but every new breach is always a surprise. It might make more sense to minimise the number of services allowed to store your credit card numbers, only picking ones with two-factor authentication and committing the passwords to memory.

    Don't buy anything that could be maliciously reprogrammed with physical consequences.

    That applies to most Internet of Things devices and, increasingly, to cars.

    I don't always follow these rules, but every time I break them, I know I'm taking a risk. The pre-Internet world was safer, if not as convenient. We have put way too much trust in the magic of technology.