Today many people know someone close to them who has become a victim of a crime associated with data theft: phishing, stolen identity, credit card fraud, or a hacked account, say, on social media. In this post, we review some security protocols. Some of these may be specific to Macintosh and iOS devices or the use of Google Suite, and others are more generalized considerations for personal privacy. I’ve organized these around different themes.
Passwords and PINs
This may surprise some, but it is highly inadvisable to use the same passwords or PIN codes across different services. Passcodes in today’s technology environments are very weak ways to protect your data. Therefore, we recommend (1) using different passwords across different services, (2) changing passwords periodically, (3) using two-factor authentication services, and (4) using password manager tools to remember passwords on secure devices. Let’s unpack some of that!
Using Different Passwords and PIN Codes
Let’s say that one of the online services you use has a data breach. These are happening all the time. Data breaches can reveal personal information, such as a social security number, but they can also reveal passwords. Sometimes these passwords are not attached to accounts, but many times they are. So if the password you’ve used, say, with yahoo.com is attached to your name, someone can try using that same password on other services where you may have an account, e.g., google.com. By using different passwords across different services and devices, one breach doesn’t cascade to your entire online persona.
Because of the common news around security breaches, it is a good idea to change your password from time to time. At a minimum, we’d recommend four times per year. But what makes up a good password?
When people hack accounts, they typically aren’t sitting at the screen trying to guess your password. Instead, they write programs that can use the work of the computer to keep trying and trying a long list of passwords. Words that appear in the dictionary and common names do not make good passwords. Short passwords are also poor. Most online services now require at least 8 characters and many can go up to 32. While passwords with combinations of letters, numbers, and symbols may sound impossible to remember, there are ways to automate logins (read below). But it is in your best interest to choose passwords with complexity to reduce the impact of dictionary-style attacks on your accounts.
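An added illustration (not part of the original post) of why dictionary words stay weak even with letter substitutions or a year tacked on: the check below reduces a candidate to the base word an automated guessing program would start from. The wordlist, substitution table and function names are constructed for this example.

```python
import string

# Constructed sample wordlist; a real check would load a large dictionary
# plus lists of common names and previously breached passwords.
WORDLIST = {"password", "dragon", "jennifer", "sunshine", "welcome"}

# Common character substitutions that guessing programs undo automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # the minimum most services require, per the text above


def base_words(candidate):
    """Reduce a candidate to the words a dictionary attack would start from."""
    # Form 1: lowercase and undo substitutions ("P@ssw0rd" -> "password").
    # Form 2: first drop trailing digits/symbols ("Dragon2019!" -> "dragon").
    stripped = candidate.rstrip(string.digits + string.punctuation)
    return {candidate.lower().translate(LEET),
            stripped.lower().translate(LEET)}


def weaknesses(candidate, wordlist=WORDLIST):
    """Return the reasons a candidate would fall quickly to automated guessing."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if base_words(candidate) & wordlist:
        reasons.append("dictionary word or name with simple changes")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    used = sum(any(ch in cls for ch in candidate) for cls in classes)
    if used < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Dragon2019!", "jennifer", "tR9#vLq2&xWm"):
        print(pw, "->", weaknesses(pw) or "no weakness found by this check")
```

An empty result only means the candidate passed these three checks; a randomly generated password from a password manager remains the stronger choice.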
Two-factor authentication is a way to log in to some online services that requires two steps. The first is typical, such as typing in a username and a password. The second part is a key exchange between the service and you, using a trusted online medium. The most commonly used today is an SMS text message to your cell phone. After receiving the code, you have a limited amount of time to complete the second step of login. And it means always having your phone with you.
While two-factor authentication by cell phone is a common mechanism for enhanced security, it is also rife with problems. Please note that an SMS method is better than no second method at all; however, for better security, consider another two-factor method.
Keyed media is another method for logins. For instance, Google sells a Titan Key for authenticating to Google. This physical key must be inserted into a device to authenticate. If you use Google Single Sign On (SSO) for many services, think how many would be protected by use of a physical key. This is not a tool we recommend using; however, it is a good option for someone with system administrator responsibilities. We mention it here because it is currently one of the more robust ways to keep your Google Account secure, and it may evolve to become more commonplace in the future.
Better than using SMS text messaging is to use a trusted app for managing two-factor authentication. We recommend the use of Google Authenticator on your phone or iPad. It works very similarly to an SMS text message, except instead of going to your text messages app, the code is sent to the app by Google.
For your Google account, you can make these account settings in the security area. To use the Authenticator app, download it first to an Android phone or iPhone, then go through the setup on your Google account. You will scan a QR code, then type in the code to set things up. You can even use Authenticator with other, third-party services.
Why are SMS text messages less than ideal for two-factor authentication? Phone numbers are tied to the SIM card on your phone. When connected to your cellular network (AT&T, Verizon, etc.) that SIM card’s number and your carrier make the connection so that calls and texts get routed to your actual phone. You can easily change your phone number if you have a second SIM card that has been activated (some people do this for various reasons).
So what happens when someone spoofs your number by plugging in a SIM card with your number? They can get the texts and phone calls made to your phone. While doing this isn’t simple, there have been cases where celebrities have had their private information stolen by paying off cellular employees that grant the information that gets written onto another phone. If I know your Gmail account and have spoofed your phone, two-factor authentication won’t help. While the use of apps for authentication isn’t nearly as widespread as using SMS numbers (as an example, Apple still only uses text messages for two-factor authentication), it probably will be in the future.
Which is to underline another fact: always have your phone with you if you count on using it for two-factor authentication. And use the best protection your phone offers for unlocking your phone (i.e., longer PIN codes or FaceID or TouchID).
So, if you have accounts across, let’s say, 100 services, and you’re using, let’s say, 100 different passwords, how can you possibly remember them, if you don’t have a photographic memory?
Password managers can keep track of all those passwords! Password management is now built into Chrome and Safari, and it is also available through third-party managers. The Chrome and Safari options are free.
The best option, in our opinion, is a third-party manager. I use 1Password by Agile Software on my personal Mac and my personal iPhone. The data file containing all my passwords is stored on Dropbox as an encrypted file. Only 1Password can open this file.
That way, when I add a new password to this collection, it is accessible across any device with 1Password installed, such as my Mac and iPhone. It even has random password generation support, so you don’t have to think up a randomized password. On the phone, I use FaceID to open the app, keeping everything secure.
You can also use your browser’s ability to remember passwords. When it detects you choosing a password, more often than not, it will present a pop-up dialog asking you if you want Chrome or Safari to remember your password. This information is stored on your device in an encrypted file.
In Chrome, these passwords can be shared across devices if you use a Chrome Profile. In Safari, you can enable iCloud sharing of your keychain.
One thing to be cautious of is using these built-in password management solutions on an insecure device. Let’s say I am using Chrome password management and I leave my laptop open and unlocked on a table. Anyone can walk up to that device and take a look within Chrome settings at my saved passwords. Likewise, if my Google account is compromised, anyone with my password could access the Chrome profile information (assuming I didn’t use two-factor authentication).
It would also not be advisable to use this solution on a personal device you share with others. Not only can your password be seen, but it can also be changed, thus locking you out of your own account.
Finally, it speaks to the quality of the password or mechanism you use to open your physical device (laptop, cell phone). For instance, if I choose an easy-to-guess PIN on my iPhone, once someone is inside, they’ll have access to the keychain.
The third-party management app I use, for instance, has its own master password, and it does not auto-login unless you enable that feature for convenience.
The most secure way to protect data is through encryption. For instance, on an iPhone, once the device is off, if someone were to remove the memory chip inside with all of your data, they’d find it is scrambled. iOS devices are encrypted by default. Without going into the weeds of how it works, think of encryption as a mechanism for scrambling the contents of your data with a key that can unscramble the data later. Imagine un-doing your smoothie into whole chunks of pineapple, yogurt, and banana? Encryption on the Mac can be generally enabled in three ways for free.
FileVault is Apple’s whole-disk encryption standard. Once set, it encrypts the entire hard disk or SSD inside your computer. This means if your computer’s disk is removed, it cannot be read.
FileVault is convenient. Every time you unlock your laptop with your password, FileVault is decrypting your hard drive’s contents. And everything stored in your home folder is protected. FileVault is enabled through the security pane of your Mac. You should not turn on FileVault unless you understand the implications of locking yourself out of your entire computer. You can now use your AppleID as a backdoor should you forget your Mac’s admin password. We do not recommend FileVault if you’re not an expert user. Consider one of the options below, instead.
This guide outlines how to enable FileVault on MacOS. We recommend you do this with the help of technology staff if you think you’re a good candidate, using one of our laptops.
Secure Disk Image
This is similar to creating a big secure folder on your Mac. A disk image is a single file that is treated by the MacOS as a “disk.” Once created, and set up with encryption, it can be “mounted” or “dismounted” like an external hard disk. Any files you copy into this disk are encrypted when your virtual disk is unmounted. Each time you want to mount the disk in the Finder, it will ask you for your encryption password. See a tutorial here on using Disk Utility to create a secure disk image.
Single Encrypted Files
This method encrypts a single file on your Mac. It requires the use of the Command-Line Interface in the Terminal app. You tell the Mac to create the encrypted file and pass it the password. After that, opening the file each time will require you to enter that file-specific password. If the file is moved to another Macintosh, the user must know the encryption password for that file. This guide covers the Terminal commands for creating zip files, which can be encrypted in the MacOS Terminal application.
Encryption in Google Drive
Since so many of us today use Google Drive’s storage and the tools attached to Google Drive (Sites, Sheets, and Docs), you may also want to encrypt data stored in Drive. We provide a third-party solution to encrypt both files and folders called SysCloud. Every user with access to your file must know the encryption password. It’s easily enabled by right-clicking on a file in Drive and opening with… SysCloud Encryption for Google Drive.
Then, you’ll be asked to choose an encryption password. This should not be your Google password.
While the Google Drive environment is very secure, it’s only as secure as you’ve made your Google Account. However, anyone with access to your Google Drive will find they cannot access an encrypted file without the added resource of your encryption password. Any data stored in Google Drive that contains personally identifiable information regarding students and employees should be encrypted.
At VSTE 2019 this past year, we learned from Google that your data stored in the Google Cloud (i.e. Drive) is stored in their data warehouses in a very interesting way. If someone were to penetrate a Google server farm and steal a hard drive, for instance, they would never see your documents. Instead, Google’s system slices your Google Docs at the word level across their server infrastructure around the world. One word in your Google doc could be stored on a machine in California, and the next word is sitting on a server in Ireland. It only gets put back together in your account, once you’ve authenticated. 🤓