#117 Stephanie Losi

Stephanie was a senior Bank Examiner for the Federal Reserve and has promoted security awareness for CERT and others. Today she sits down to talk about what we can and cannot do to protect ourselves and keep our personal information safe. We also geek out about AI for a moment! 

***Check out the MindPod event in LA on March 18th!***

Here are Stephanie's tips:

"1.) To make sure your computer's firewall is on: On a Mac, open System Preferences, open the Security & Privacy preferences, and click the Firewall tab. Bonus: Click on Firewall Options and check Enable Stealth Mode to make your Mac less discoverable. (It will stop responding to some common network reconnaissance techniques.) On a Windows PC, open Control Panel and then Windows Firewall to see the firewall status. If you want to get fancy and try some alternative firewalls for Windows, there are many options, such as ZoneAlarm Free Firewall or Comodo Firewall. You only really need one firewall, so choose the one you prefer. 

2.) Use a VPN on public Wi-Fi networks, whether or not they require a password for access. A VPN encrypts the traffic you are sending over the network, so anyone snooping on traffic won’t be able to decipher yours. I use Witopia, which has good support and is fairly easy to set up, but there are many options. How to use a VPN: Log on to a public Wi-Fi network. Once you are connected, BEFORE doing anything else or visiting any other sites, log in to your VPN service. Then launch your web browser and you can surf more securely. 

3.) Consider a password manager. You can use one that stores passwords on your computer, for example Keychain Access or KeePass, or one that stores passwords online like LastPass. It’s a personal choice. Pluses: You don’t need to type your passwords each time you want to use them. Copying and pasting passwords protects you from key loggers (malicious software programs that capture your keystrokes in an attempt to capture your passwords). Caveats: Use a strong master password, and don’t forget it or you could lose access to your passwords permanently (especially with some password managers that store passwords on your computer). Also, be aware that online password managers can be and have been compromised, so be prepared to change your master password promptly if you receive notification of a compromise.

4.) You can reduce the amount of data stored about your web searches by logging out of your Google account before searching, as well as frequently clearing your browser cookies/history/cache or using Private Browsing or Incognito Mode. If you want to search the web with no trace, consider using DuckDuckGo, which does not track or store search queries at all. For example, to clear your browser data in Chrome: From the Chrome menu, choose Clear Browsing Data and check off as many boxes as you like. Be aware that this will leave you logged out of websites such as Facebook, and you’ll have to log back in later. 

5.) Don’t plug untrusted USB drives (flash drives) or other untrusted devices into your computer. They can introduce malicious software directly to your system. (We didn't discuss this, but I think it's important to mention here.)

6.) Consider hard drive encryption if losing your laptop would be catastrophic from a data-leak perspective. Caveat: If you forget the password to decrypt your hard drive, you will lose access to your data. Some programs allow you to create sub-drives on your hard drive and then encrypt just those sub-drives. Caveat: Same as for whole-drive encryption: Don’t forget the decryption password or you could permanently lose access to your data! 

7.) If you’re taking your smartphone into a high-risk situation (as defined by you), you can remove as many email accounts and apps as you want from your phone. It’s easy to reinstall them later. 

8.) Think of email as a postcard that you send to someone. Other people along the sending path may be able to read it. One possible solution for privacy is Canada-based Hushmail, which allows end-to-end encryption of email messages. Caveat: Both sender and recipient need to have Hushmail accounts with strong passwords and check the “encrypted” box before sending messages with the service. Be aware that Hushmail can decrypt emails on their end and will do so if they get a request that’s enforceable under local laws, so use it for privacy, not illegal activity.

9.) Rather than sending plain-text texts, you can use end-to-end encryption for messaging. Two possible solutions are the Signal app and Off-the-Record Messaging. Remember to periodically delete local messages from your phone/device; otherwise, losing your device could expose all of your messages.

10.) If you’re on Windows, an antivirus program may be useful, but you certainly don’t need to have 20 antivirus programs running at once. Some options include Windows Defender, AVG and Avast, but there are many others. 

Further Reading: There are lots of guides online to securing your computer. One interesting guide is at https://spideroak.com/infosec and gives you some different perspectives on ways to secure your online accounts."
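Tip 1 above walks through the Mac firewall settings by hand; the script below is an added example (not part of the episode notes or Stephanie's tips) that does the same check from a terminal. It calls Apple's `socketfilterfw` tool, which is what System Preferences drives under the hood, and interprets its output for both the global firewall state and Stealth Mode. The exact wording of that output (`Firewall is enabled. (State = 1)`, `Stealth mode enabled`, and their "disabled"/"off" counterparts) is an assumption about current macOS versions; the matcher is written loosely so it tolerates minor wording differences, and `fw_state_on` can be tested on any system with sample strings.

```shell
#!/bin/sh
# Added example, not from the episode or Stephanie's notes.
# Checks tip 1 on macOS: is the application firewall on, and is Stealth Mode on?
# Assumption: socketfilterfw prints lines like
#   "Firewall is enabled. (State = 1)" / "Firewall is disabled. (State = 0)"
#   "Stealth mode enabled"             / "Stealth mode disabled" (or "... is off")
# If your macOS version words these differently, adjust the pattern in fw_state_on.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# fw_state_on TEXT -> exit 0 if TEXT reports the feature as on, 1 otherwise.
# Matches the word "enabled", "State = 1", or "is on". Note that "disabled"
# does not contain the substring "enabled", so it is correctly treated as off.
fw_state_on() {
    printf '%s\n' "$1" | grep -qiE '(^|[^a-z])enabled([^a-z]|$)|State = 1|is on([^a-z]|$)'
}

# report LABEL TEXT -> prints a one-line verdict; returns 0 when on, 1 when off.
report() {
    if fw_state_on "$2"; then
        echo "$1: ON"
        return 0
    fi
    echo "$1: OFF  <- enable it under System Preferences > Security & Privacy > Firewall"
    return 1
}

# check_mac_firewall -> runs the live check. Returns 0 if both the firewall and
# Stealth Mode are on, 1 if either is off, 2 if this is not a Mac.
# Some macOS versions require sudo for socketfilterfw to read the state.
check_mac_firewall() {
    if [ ! -x "$SFW" ]; then
        echo "socketfilterfw not found: this check only applies to macOS" >&2
        return 2
    fi
    global=$("$SFW" --getglobalstate 2>/dev/null)
    stealth=$("$SFW" --getstealthmode 2>/dev/null)
    rc=0
    report "Application firewall" "$global" || rc=1
    report "Stealth mode" "$stealth" || rc=1
    return "$rc"
}

# Run the live check only when explicitly asked, so the file can also be
# sourced to test the parsing functions on a non-Mac machine:
#   FW_CHECK_LIVE=1 sh firewall_check.sh
if [ "${FW_CHECK_LIVE:-0}" = 1 ]; then
    check_mac_firewall
fi
```

Run it with `FW_CHECK_LIVE=1 sh firewall_check.sh` (prefix with `sudo` if it reports nothing). The exit code makes it usable from a login script or a fleet check: 0 means both protections are on, 1 means something needs attention. On Windows the equivalent read-only check is the PowerShell cmdlet `Get-NetFirewallProfile`, whose `Enabled` property shows the state for each of the Domain, Private and Public profiles.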