How to Protect Yourself in a Connected World
As genealogists, we are often online — whether using scanned records from a subscription site, searching through transcriptions on GenWeb, volunteering for a local society, or sending e‑mail to a recently found cousin. Being online as much as we are, we assume some risks. While these risks are manageable, and do not exceed the value of computing and Internet use for genealogists, it is important to assess your risk level, and take steps to limit potential attacks. Let me walk you through some of the things you should consider.
Create Secure Passwords
With all of the passwords we need to create and remember, it is tempting to have a single, memorable password for e‑mail, subscription sites, and ﬁnancial institutions. Doing so puts you at risk. If your password is memorable for you it can probably be guessed by someone else, or by a computer program. And if you only have one password, if someone guesses it, that person has access to any and all of your accounts. The best password security will include passwords that cannot be guessed. They should not be a date, a name, or a commonly known word found in any dictionary. Computer programs exist that can try numerous possibilities to hack your password. Instead, your passwords should have a combination of upper- and lower-case characters, numerals, and symbols. There are websites that can produce random, secure passwords; for example, PC Tools oﬀers one www.pctools.com/guides/password/. Of course, having dozens of passwords, all of them diﬃcult to remember, presents its own problems— human memory has its limits.
There is the tried-and-true method of writing things down, but you certainly do not want to lose a notebook of your passwords. Since you might not want to take your password list out of the house, you will not be able to log in to your subscription research sites from Starbucks. Another method, which I recommend, is storing your passwords in a password manager, either online or oﬄine. This may seem counter-intuitive, but it works. Programs such as RoboForm and websites such as LastPass allow you to encrypt passwords and then store them on your computer’s hard disk, or in the cloud.
RoboForm runs on Windows and stores all the password data on your hard drive in one of a number of encryption formats. You can also purchase a version that runs on a USB key, so you can take it with you. LastPass stores your passwords in an encrypted form in the cloud, in other words, potentially on a number of servers across the Internet. For added security, you can get a USB key to provide another level of validation. Access to the passwords requires that the key, which is specially conﬁgured for your account, be plugged into your computer, and that you know the e‑mail address and password of the account. If you lose the key, you can reset the account by a request on the website that you then must respond to from your previously associated e‑mail account.
Avoid E‑mail Scams
Bulk e‑mail can be a very ﬁnancially eﬃcient way for people to steal data. Spammers can send out millions of messages for almost nothing, and if only a few people respond in ways they can exploit, their campaign has been ﬁnancially successful. The main method of e‑mail scam these days has been called “phishing.” In a phishing attack, the scammer sends an e‑mail that pretends to be for a legitimate purpose, requesting that you log in to its site, send your password by return e‑mail, or in some other way to provide the scammer with some of the credentials (user name/password combinations) that would allow access to one or more of your accounts or your private data. The e‑mail can look very oﬃcial, but often has some tell tale signs: words are misspelled and URLs are slightly diﬀerent, either in a way you can readily see or underneath the HTML code, which you can observe by hovering your mouse
To protect yourself, the best first step to have good spam ﬁltering. G‑mail from Google includes some of the best spam ﬁltering available. G‑mail is also free and is easy to set up. Very rarely do I see a phishing attack in my G‑mail inbox; but the spam folder on G‑mail is full of phishing attacks. In addition to e‑mail ﬁltering, you can set up lists of e‑mail addresses and domains so as always to allow (white list) or disallow (black list) mail from those sources. For example, if you want to make sure that mail from your cousin Sheila gets though, you would white list her e‑mail address. On the other hand, if you had received malicious e‑mail from paypal.net (not PayPal.com), you might black list any mail coming from the domain paypal.net. Many service providers provide this service, building a black list of known or suspected sources of spam and malware.
Once you have spam ﬁltering, and even if you have a black list and white list set up, some phishing attacks will get through. To keep your data safe, use caution when responding to e‑mail. The e‑mail address the mail comes from might be other than what appears in your e‑mail software. If you believe that your bank may actually be contacting you via e‑mail, do not simply click on the e‑mail link, hit the reply button, or call a phone number in the e‑mail. Contact the bank directly, either by typing its Web address in your browser yourself, sending e‑mail where you enter the address yourself, or by calling the bank with a phone number you already have on ﬁle for them. If this was a legitimate e‑mail from your bank, a copy of it will be in your online account, and it should also be available to the bank’s customer service personnel when you call.
Thwart Viruses and Malware
Malware is software that is designed to do harm. This software can be embedded into software programs or ﬁles, and can be hidden in what look like harmless websites. This is a risk whether you are on a Windows or a Mac computer.
Over the years, Macintosh enthusiasts like me have boasted that its operating system is immune to these kinds of attacks. Despite the fact that we can be annoying, even PC devotees have to admit that the number of malware programs directly aimed at the Mac OS has remained low. There have been no major virus outbreaks on Mac OS X, but this may be on the verge of changing. Even the Mac OS X has to use browsers to navigate the Web, and any software designed to request ﬁles from the Internet will have vulnerabilities. At the CanSecWest digital security conference in Vancouver this Spring, computer security engineers demonstrated the ability to exploit Internet Explorer on Windows, Firefox on the Macintosh, and Safari on the Macintosh and on iPhones. (Google Chrome was the only browser on which no one was able to demonstrate security holes.) Another aspect of anti-virus considerations is that users who run Windows through BootCamp or a third-party Windows virtual machine, have Macintoshes that are vulnerable to both Macintosh and PC viruses.
What can you do about this? First of all, you should install virus protection software. On Windows, the best known programs are McAfee VirusScan and Norton AntiVirus; on the Mac OS, choices include Norton AntiVirus, McAfee VirusScan, and Intego VirusBarrier. Next, you should keep your operating system and browsers up to date. Operating system and browser developers regularly release patches (small ﬁxes) to their software when they are able to thwart a known security threat. If you set your preferences to allow download and installation of these security patches, you will be less vulnerable to malware than you would otherwise be.
Genealogists prefer to focus their time on research and on evaluating sources, but the ability these days to do research depends on access to the Internet and to the ﬁles that have been scanned, downloaded, and created. If you invest a minimal amount of time in learning how to address password security, phishing attacks, and malware, you will likely avoid much more time-consuming and frustrating situations in the future, where you might lose some of your genealogical data or have your computer raided.