I was in merry old London, England, a few weeks ago, attending the InfoSecurity Europe conference. About 12,000 people from all around the globe showed up for the 3-day affair and, as you might suspect, the overall concern of those at the conference was information security.
The field of information security covers a lot of territory: information security on computers, on the Internet, on cell phones, on PDAs, on portable media devices such as flash drives and digital cameras, on iPods, and on just about every other device that you can imagine. Most of the conference’s exhibitors and speakers were high-rolling heavy hitters of the industry. I was deep inside the global corporate/enterprise computing scene; there were more suits there than an Armani factory.
As the Internet bad guys become smarter, their crimes more daring and successful, and government security regulations stricter, people are starting to take information security more seriously. That’s a good thing, but it’s easy for individuals and small companies (those with fewer than 100 employees) using the do-it-yourself approach to get lost in the information security maze. Part of my job is translating what are often complex (and expensive) security solutions into things that individuals and small companies can actually understand and use.
The most effective way to protect your information is to use encryption. Encryption turns your information into encoded gobbledygook that can only be read by people with a special encryption key, a key that only you can provide. Years ago, encryption was a real hassle to use, but not so anymore. There are some very easy-to-use, free encryption methods that can give you a very high level of information security, divided into three areas: Internet websites, email and storage devices.
If you are like most people, you visit websites that require you to log in by providing a user name and password. Websites that provide email fall into this category, as well as banking websites, social networking sites like Facebook and dating websites like Match. When you visit these sites, pay attention to the website’s address at the top of your browser and observe the “s+lock” rule. What you want to see is the address prefix “https” and a little yellow lock symbol down in the corner. The “s” at the end of http and the lock mean that you are logging in on a secure page that encrypts your username and password before sending this information across the Internet. If you do not see the “s” after http or the lock, then you may be sending your username and password in “plain text,” meaning that this information can be easily intercepted and read, resulting in stolen login credentials. If you don’t see the “s,” try putting it in the address yourself and visiting the modified address. Website bookmarks and favorites should be changed accordingly.
One glaring example of security stupidity is the social networking website MySpace. MySpace does not have a secure login page; they do not observe the s+lock rule, and they don’t seem to care about fixing the problem. If you use MySpace, make sure that your user name and password are not the same as those you use on any other sites that you visit, as you may be giving away important information.
One worthy exception to the s+lock rule is the Cox Internet website used by many local folks at www.oklahomacity.cox.net. There are no s+lock options because they have embedded these features into the page itself. Note the little lock inside the login box; this tells you that your username and password will be encrypted as soon as you click the “Sign In” button.
For some entertaining information on this subject, read my articles from August 2008 titled “Busted by Defcon’s Wall of Sheep” and “Be safer with secure email.” Next week, we’ll look at encrypting your email and files on your hard drive.