spaceace

Hi, not sure where this should sit or if it's been a topic before, so I'll say my piece...

As most of your are aware, immigration candidates need to document a huge amount of personal data in order to satisfy the immigration authorities.

As such, we need to scan documents and complete PDF forms/word documents with sensitive personal data.

Personally I like to keep copies of this data on my PC for future reference, it's easy and convenient.

But, this behavior is a security risk to you and your personal data which could result in your identity being stolen and used for criminal purposes.

How you may ask?
There are criminal organisations actively and openly paying webmasters to infect their own websites with invisible iframes (pages from external sites that you cant see). These iframes contain malicious scripts to exploit the weakness in your PC. You will never see it running but once your PC is exploited it will become owned and controlled by a 3rd party, potentially (and very easily) sending back documents to its owner using one of the many easily obtainable cybercrime kits available.

Did you know the BBC recently bought a 22,000 botnet (a collection of owned PCs) in an exercise intended to illustrate cybercrime risk (http://www.theregister.co.uk/2009/03/18/bbc_botnet/)

Scary stuff....how can you protect yourself?
If you surf the web, it's an incredibly difficult problem to defend against. Regular antivirus software and operating system updates do help, however the chances are if you have been infected, the exploit could be weeks or even months old before a corrective update is created, resulting in your PC being owned for a while before the hole is plugged.

Personally I'm a predominantly Windows user, my FREEWARE defense is 2 fold;

1.Truecrypt your system drive (truecrypt.org) - This will NOT defend against the problem above. It will protect the data on your hard drive if your PC is stolen.

2.Encrypt your sensitive data using GPGee with symmetric encryption (http://gpgee.excelcia.org/).
Sounds techie? Not really, simply install GPGee and right click on the document to encrypt.
Make sure you have a strong encryption password. (http://www.securitystats.com/tools/password.php)

Encrypting the file will prevent (or at worst delay) the opening of your document by a 3rd party should it be sent to them.
It will prevent the criminal owner of your PC searching for text within your protected document.
(Do NOT store a copy of your key on your hard drive, it could be used against you.)

Protecting your sensitive data will not mitigate against your PC being owned should an exploit be run on your PC.

Some people will say use the Firefox No-script plugin or don't allow cross site scripting or activex. These methods are not practical for most people because your surfing experience will be destroyed. Also you wil need to understand the threat and where it's coming from when prompted. Most sites these days have adverts and content that are not locally hosted with the web page, the content is pulled in from a 3rd party - how do you as a user verify the 3rd party and whether the script contains an exploit?

To summarise;
Encrypt your sensitive data with a strong password (http://www.securitystats.com/tools/password.php)
Do NOT rely on password protected documents, like Word or .ZIP - These are easily breakable.

Alternatively, don't store ANY sensitive data
If you do store sensitive data on your PC, don't use the internet.

ExcitedBrit

Are we any safer using Linux OS?

MarkG

Yes. And much safer if you use Firefox with no-script; which does not 'destroy your surfing experience'. Well, unless you count not seeing the three million Flash ads per page that you would get in Internet Explorer on many sites.

That's not to say it couldn't be infected, but Firefox is relatively hard to exploit and I'm not aware of any malware that can exploit it on Linux.

The big problem is Flash, because the Flash player has had a vast number of security holes of its own; hence why anyone concerned about security should block Flash from unapproved web sites.

mclaren family

buy yourself an apple mac http://www.apple.com/ca/mac/ and save yourself all the trouble of worrying about virus'

ExcitedBrit

Or wipe off that windows and install the new ubunto
This is cheaper than buying the apple

spaceace

It's not that clear cut I'm afraid.

Linux or Macs are not necessarily safer than Windows. It's just a matter of business for the cybercriminal...more people use Windows=more opportunity for money to be made out of the unsuspecting user.

If Linux was the majority, the criminal focus would no doubtfully be switched to that OS.

And for no-script; I'm not saying it's not a way of mitigating against attacks, but ask yourself this question; would your kids/mother/father/grandparents be able to use it ? I suspect not as it requires some degree of knowledge to successfully use it.

MarkG

Which do you think a crook would rather do: hack into your PC at home and get your hotmail password, or hack into a bank system or online retailer and get a million credit card numbers or access to millions of bank accounts?

There are vast numbers of Linux systems permanently connected to the Internet, many of them running extremely important software... yet they rarely get broken into (and when they do, it's usually because of yet another php bug, so if you don't run a web server you're even safer).

Linux has security built in from the ground up, whereas Windows has it bolted on the top; that is why you see millions of Linux boxes running vital services around the Internet while millions of Windows boxes have been turned into botnets sending spam.

If they're willing to spend a few minutes learning how to configure it, yes. Either way, Flash is far too insecure to risk running random Flash files from untrusted sites.

spaceace

Sorry, I'm talking about end users and desktops and keeping your immigration documents secure here.

There is no denying the internet has a vast number of linux/bsd servers in operation, our data centers are full of them across the globe ;-)

What I am saying, is it's easy to exploit a users desktop PC and control it to steal documents, key strokes, run man in the middle attacks etc etc.

Just make sure your immigration docs are encrypted.

KS2008

Spaceace, I think that your original post is overly alarmist and is likely to worry people unnecessarily. Come on, the average computer user doesn't have a clue about Linux or encryption so when they hear all this technobabble and the magic words "identity theft" people are going to panic.

It's really very simple. There's no cause for panic or alarm. Yes, there are threats out there, but all it takes is a bit of (non-technical) common sense and a few simple safeguards.

It is right to be concerned about security and to be a little bit paranoid, you just have to not take it too far. No system can be totally secure. It just isn't practical. There is always a trade-off between security and ease-of-use and its about finding the right balance. For example, a computer that physically can't connect to the internet, has no CD drive and can't talk to memory sticks is pretty secure, but its also not as useful.

I think the first thing is physical access. It's a lot easier to get into a computer if you can get your hands on it, so just take sensible precautions with laptops etc. the same way you would with any valuables.

Don't surf to dodgy web-sites. Don't install software if you don't know what it is or does.

Passwords are important. If your computer isn't set to require you to put a password in when it starts up, then it is a lot easier for anyone to use it if they did get hold of it. Having to put a password in every time might be a bit of a pain, but that is the price you have to pay if you want to restrict access.

Think of a password like a toothbrush. Change it regularly and don't share it with anyone else.

Don't use the same password for everything and stay away from anything that someone could reasonably guess about you (e.g. your name, name of pet, names of family members etc.). In fact, stay away from any proper names or ANY word in the dictionary. There are programs that will literally try every word in the dictionary over the course of minutes or hours and eventually it will crack your password.

It is always best to use a mixture of letters, numbers and special characters. One common technique that is used to come up with good passwords is to replace some letters with numbers, e.g. replace the letter E with 3, the letter A with 4, S with 5, O with 0 and so-on. Doing that "My Name" would become "MyN4m3".

Having anti-virus software on your computer is absolutely essential. That can't be stressed enough. There is no single, "best" type. All have their own strengths and weaknesses and every time a new virus comes out, some are better than others at detecting it. Personally, I think that the average home user should just go with Norton or McAfee. IT professionals tend to look down on these because they are aimed at the mass-market (there's a bit of a snob-factor) and, in all honesty, they aren't the best, but they are good enough for most people and unlike some "better" products are fairly simple for non-technical people to set-up.

One thing about anti-virus software. Never put two different types on the same computer! Some people think that this would be twice as good or that if one misses something the other would catch it. In reality, each one would just prevent the other from working properly and would end up leaving your computer more vulnerable than if you'd just used one.

Every month Microsoft release security patches for Windows. These are designed to close holes in the software that can be used to access or take control of your computer, so always make sure that your machine is up-to-date. To do this,and if you are using Internet Explorer, go to Tools, Windows Updates and follow the instructions there.

With the more modern operating systems like XP or Vista files and folders can be encrypted. If you are using an earlier system (like Windows 98 you should update anyway. Encryption means that only you can access the files, no-one else, but remember, if they log on as you then they'll still get in so it goes back to protecting the password that you use to log in with. To turn on encryption on a folder (at least in XP) there are some instruction at http://support.microsoft.com/kb/308989 which should be fairly easy to follow.

Keeping backups of files is a good idea as if anything were to happen to your computer (i.e. it is stolen or blows up or whatever) you would lose all the information. If you copy your files onto a CD or a memory stick there are a few things that you need to remember.

1. Keep it up to date. If and when the information changes, do another backup to keep it up-to-date.

2. CDs and memory sticks sometimes don't work or just stop behaving properly. It might be worth taking more than one copy.

3. CDs, memory sticks etc aren't that secure. All the protection that you have on files on your computer, such as encryption or password protection, might be stripped away when the data is copied onto the disk. That means if someone got hold of the disk then they could read everything on it on any computer, so don't lose them! Stick them in a safety deposit box in a bank or something.

Sorry for such a long post!

spaceace

All I'm saying is be mindful of your sensitive data if you keep it on your hard drive.

Simples.

kleinluka

As KS2008 said, a good solution is to copy any sensitive files on DVDs and erase them from your computer... This way they are safely stored offline and you can look them up any time you want.

Or you use an external hard drive that you can disconnect whenever you get online.

john5655

there's also a HUGE risk from P2P software, like Foxy and many others

these programs allow others using the same software to browse through all your files by inputting search requests for key words

this has been a problem for my company employees recently, and they did not know what was happening until it was too late as the P2P software was loaded on and used by their children