In the DC area especially, there are people who have reason to be concerned about computer espionage, either for work (national or corporate secrets) or personal reasons (divorce or blackmail). Here are 12 tips to guard against intruders snooping on your activities:
- Use decent passwords. The easiest way for someone to access your email and other information is if they know or can easily guess your passwords. It is estimated that 1 out of every 9 people uses a password on the top 500 worst password list. Most passwords are “cracked” not because of problems with the encryption itself, but because the password is poor. Don’t use dictionary words, the names of loved ones, the names of your pets, your birthday, etc. Longer passwords are better, so government institutions often require at least 10-14 characters. Passwords should be random and use letters, numbers, and special characters.
- Use different passwords for different things. If someone sees your computer login password over your shoulder, you don’t want them to then have access to your bank account because it has the same password.
- Change passwords regularly. Government and corporate security protocols typically require that passwords be changed at least every 3 months.
- Use a password manager. Seeing a theme here about the importance of passwords? If you have different random passwords and change them regularly, then you either have a memory like Rain Man or you keep track of the passwords somewhere. The most popular software tools to manage passwords are LastPass (Free or Premium for PC, Mac, and others), KeePass (Free for PC, Mac, and others) and 1Password ($39.95 for Mac). Password software allows you to keep all your passwords encrypted with one master password. It can autofill site information so that you only have to remember that one master password. It also has a Password Generator to create random strong passwords, which is a great idea: without one, most people use passwords that are similar to each other, and to the extent that your passwords are similar, an investigator can more easily guess your other passwords. (Tip: use Dropbox to back up/sync KeePass or 1Password encrypted files. LastPass syncs automatically between computers.)
- Do not use personal information that can be guessed as the answers to your online secret questions. This is how Sarah Palin’s Yahoo email was “hacked” in September 2008 simply by someone guessing the answers to her challenge questions such as where she went to high school.
- Tie your Yahoo or other login site to another email account or cell phone number. This will let you know of any attempted password resets and help if tip 5 doesn’t work.
- Encrypt files. As we explained in our post Encryption on USB Flash Drive, TrueCrypt can be used to encrypt your important data. Remember that although TrueCrypt cannot be cracked, someone could guess your password if you chose it poorly.
- Remember that your router is a computer too. Your router manages all the data between your computer and the Internet. If your router software is compromised, you could be sent to a site that claims to be your bank but is really a completely different site, because your router is using a bogus DNS system to misdirect you. The router software should be checked, firmware reloaded, and the password on the router should be changed. Most people unknowingly leave the router login defaults. That is safe enough if your local network is not breached, your WiFi isn’t hacked, and your router is not remotely accessible.
- Use strong WPA2 WiFi encryption. WPA2 is not easily cracked like WEP. Tools such as BackTrack and KisMAC can crack WEP in minutes. (See photo of “war driver” below hacking into a WiFi network.)
- Turn down your WiFi antenna strength. Hackers can crack into a WiFi access point from over a block away with directional antennas and a good line-of-sight to their target. If you don’t need the extra signal strength, turn it down since a weak signal is harder to crack. This isn’t an option on all routers. If you want to take extra control of your router for this and other options, see if you can load the alternative DD-WRT firmware.
- Check for keyloggers. Keyloggers will log everything you type. They can be in the form of software or physical devices that are attached to a USB port or between the keyboard and computer.
- Wipe computer and start fresh. If someone has had physical access to your computer or if the computer is already compromised, all bets are off. Some experts and government institutions will simply decommission a compromised computer and trash it. But most people should be satisfied with wiping everything. The hard drive can be wiped and the operating system reinstalled. The BIOS (seen from the very initial startup) can be reflashed and checked. The computer can be opened and physically checked for modifications.
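To make the password tips concrete, here is an added example (not from the original post, and not how LastPass, KeePass or 1Password work internally) that checks a password against the rules above and generates random ones that pass. The worst-password sample, the 14-character minimum, the special-character set and the 0.6 similarity threshold are assumptions chosen for illustration.

```python
import difflib
import secrets
import string

# Constructed sample; a real check would load a full worst-password list.
WORST_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon", "monkey"}
SPECIALS = "!@#$%^&*()-_=+[]{}"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
MIN_LENGTH = 14  # assumption: the upper end of the 10-14 range mentioned above


def weaknesses(password, personal_terms=(), other_passwords=()):
    """Return the reasons a password breaks the tips above (empty list = passes)."""
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in WORST_PASSWORDS:
        problems.append("on worst-password list")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")
    # Names of loved ones, pets, birthdays: anything someone could look up.
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append("contains personal info: " + term)
    # A password that resembles another one gives both away once one is known.
    for other in other_passwords:
        if difflib.SequenceMatcher(None, lowered, other.lower()).ratio() >= 0.6:
            problems.append("similar to another password")
            break
    return problems


def generate_password(length=16, personal_terms=(), other_passwords=()):
    """Draw characters from the OS CSPRNG until the result passes every check."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(candidate, personal_terms, other_passwords):
            return candidate


if __name__ == "__main__":
    print(weaknesses("Rex2008", personal_terms=["Rex", "2008"]))
```

The generator uses Python's `secrets` module rather than `random`, because `random` is not designed for security use.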
Let me know if you have other suggestions for keeping your computer information safe from surveillance.