Cyber Security

How to Protect Yourself in a Connected World

As genealogists, we are often online, whether using scanned records from a subscription site, searching through transcriptions on GenWeb, volunteering for a local society, or sending e-mail to a recently found cousin. Being online as much as we are, we assume some risks. While these risks are manageable, and do not outweigh the value of computing and Internet use for genealogists, it is important to assess your risk level and take steps to limit potential attacks. Let me walk you through some of the things you should consider.

Create Secure Passwords

With all of the passwords we need to create and remember, it is tempting to use a single, memorable password for e-mail, subscription sites, and financial institutions. Doing so puts you at risk. If your password is memorable to you, it can probably be guessed by someone else, or by a computer program. And if you have only one password, whoever obtains it, by guessing it or by stealing it from one site, has access to all of your accounts. Good password security means passwords that cannot be guessed: not a date, a name, or a word found in any dictionary, because programs exist that try millions of exactly those possibilities. Instead, each password should be long and use a combination of upper- and lower-case letters, numerals, and symbols, and each account should have its own. There are websites that can produce random, secure passwords; for example, PC Tools offers one at www.pctools.com/guides/password/. Of course, having dozens of passwords, all of them hard to remember, presents its own problem: human memory has its limits.

There is the tried-and-true method of writing things down, but you certainly do not want to lose a notebook of your passwords. And since you might not want to take your password list out of the house, you will not be able to log in to your subscription research sites from Starbucks. Another method, which I recommend, is storing your passwords in a password manager, either online or offline. This may seem counter-intuitive, but it works. Programs such as RoboForm and services such as LastPass encrypt your passwords and store them on your computer's hard disk or in the cloud, so the only password you must memorize is the one master password that unlocks them.

RoboForm runs on Windows and stores all the password data on your hard drive in one of a number of encryption formats. You can also purchase a version that runs on a USB key, so you can take it with you. LastPass stores your passwords in encrypted form in the cloud, in other words, potentially on a number of servers across the Internet. For added security, you can get a USB key to provide another level of validation: access to the passwords requires that the key, which is specially configured for your account, be plugged into your computer, and that you know the e-mail address and password of the account. If you lose the key, you can reset the account by a request on the website that you then must respond to from your previously associated e-mail account.
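For readers who would rather generate passwords on their own computer than on a website, here is an added example in Python (not part of the original article, and not code from RoboForm, LastPass or PC Tools). It builds passwords from the character classes recommended above using the operating system's cryptographic random source, rejects any result that happens to contain a dictionary word or a date, and reports how many bits of guessing work a password of a given length represents. The word list is a tiny constructed stand-in; a real check would use a full dictionary and name list.

```python
import math
import re
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS  # 85 distinct characters

# Constructed stand-in for a real dictionary and surname list (assumption for the example).
COMMON_WORDS = {"password", "genealogy", "family", "ancestor", "welcome", "smith", "jones"}

# Four-digit years from the 1800s onward, or dd/mm/yy and dd-mm-yyyy style dates.
DATE_LIKE = re.compile(r"(?:18|19|20)\d{2}|\d{2}[/.-]\d{2}[/.-]\d{2,4}")


def has_all_classes(pw: str) -> bool:
    """True if the password mixes upper case, lower case, digits and symbols."""
    return (any(c in UPPER for c in pw) and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def looks_guessable(pw: str) -> bool:
    """True if the password contains a dictionary word, a name or a date."""
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        return True
    return DATE_LIKE.search(pw) is not None


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string of `length` characters.

    Each extra bit doubles the work of a program that tries every possibility.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Return a random password that meets the policy above.

    `secrets.choice` draws from the OS cryptographic random source, unlike
    `random.choice`, whose output is predictable.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: discard and retry until the policy is met, which
        # keeps the accepted passwords uniformly distributed over the policy.
        if has_all_classes(pw) and not looks_guessable(pw):
            return pw


if __name__ == "__main__":
    candidate = generate_password(16)
    print(candidate, f"({entropy_bits(16):.1f} bits)")
    for weak in ("Genealogy2010!", "08-05-1945", "smithfamily"):
        print(weak, "guessable" if looks_guessable(weak) else "ok")
```

Sixteen characters from this 85-character alphabet give roughly 102 bits of entropy; eight lower-case letters give under 38, which is why the composition rules and the length both matter. Paste the generated password straight into a password manager rather than writing it down.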

Avoid E‑mail Scams

Bulk e-mail can be a very cost-efficient way for people to steal data. Spammers can send out millions of messages for almost nothing, and if only a few recipients respond in ways the spammers can exploit, the campaign has paid for itself. The main method of e-mail scam these days is called "phishing." In a phishing attack, the scammer sends an e-mail that pretends to be for a legitimate purpose and asks you to log in to a site, send your password by return e-mail, or in some other way provide the scammer with credentials (user name and password combinations) that would allow access to one or more of your accounts or your private data. The e-mail can look very official, but it often has tell-tale signs: words are misspelled, and URLs are slightly different from the real ones, either in a way you can readily see or underneath, in the HTML code, where the visible text of a link can show one address while the link actually points to another. You can see the real destination by hovering your mouse over the link before you click it.

To protect yourself, the best first step is to have good spam filtering. Gmail from Google includes some of the best spam filtering available; it is also free and easy to set up. Very rarely do I see a phishing attack in my Gmail inbox, but the spam folder on Gmail is full of them. In addition to e-mail filtering, you can set up lists of e-mail addresses and domains so as always to allow (white list) or disallow (black list) mail from those sources. For example, if you want to make sure that mail from your cousin Sheila gets through, you would white list her e-mail address. On the other hand, if you had received malicious e-mail from paypal.net (not PayPal.com), you might black list any mail coming from the domain paypal.net. Many service providers offer this as well, maintaining a black list of known or suspected sources of spam and malware. Keep in mind that a white list trusts only the sender address, and that address can be forged, so a white-listed sender is not by itself proof that a message is genuine.
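As an added illustration, not taken from the original article, the Python script below applies the checks just described to a constructed sample message. It pulls every link out of the HTML body, compares the address a link displays with the address it actually points to (what you would see by hovering), flags hosts that imitate a trusted site (paypal.net standing in for PayPal.com, as in the example above), and applies a small white list and black list to the sender's address. The trusted domains, the two lists and the sample messages are assumptions made up for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for the example (assumptions, not from the article).
TRUSTED_DOMAINS = {"paypal.com", "ancestry.com", "familysearch.org"}
BLOCKLIST_DOMAINS = {"paypal.net"}             # the article's example of a black-listed domain
ALLOWLIST_ADDRESSES = {"sheila@example.com"}   # cousin Sheila, white-listed

# Anything in link text that looks like a web address, with or without http(s)://.
URL_TOKEN = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host (www.paypal.net -> paypal.net).

    Good enough for this example; production code should use the public suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Host name of a URL, tolerating bare hosts such as www.paypal.com."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_warnings(html_body: str) -> list:
    """Return one warning string per suspicious feature of the links in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    warnings = []
    for href, text in parser.links:
        host = host_of(href)
        domain = registrable_domain(host)
        # 1. The text shown to the reader names a different site than the href.
        for token in URL_TOKEN.findall(text):
            shown = registrable_domain(host_of(token))
            if shown != domain:
                warnings.append(f"link text shows {shown} but points to {host}")
        # 2. The destination is on the black list.
        if domain in BLOCKLIST_DOMAINS:
            warnings.append(f"{host} is on the block list")
        # 3. A trusted brand name appears in a host that is not the trusted domain
        #    (heuristic: brand-name substring match can produce false positives).
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if domain != trusted and brand in host.lower():
                warnings.append(f"{host} imitates {trusted}")
    return warnings


def sender_disposition(from_address: str) -> str:
    """White list wins, then black list, otherwise leave it to the spam filter."""
    addr = from_address.lower()
    if addr in ALLOWLIST_ADDRESSES:
        return "allow"
    if registrable_domain(addr.rsplit("@", 1)[-1]) in BLOCKLIST_DOMAINS:
        return "block"
    return "filter"


# Constructed sample messages.
SAMPLE_PHISH = """
<p>Dear customer, your acount has been limited.</p>
<p>Please <a href="http://www.paypal.net/login">log in at https://www.paypal.com</a>
to restore access.</p>
<p>Or visit <a href="https://secure-paypal.com.example.org/">our secure site</a>.</p>
"""
SAMPLE_CLEAN = '<p>See <a href="https://www.paypal.com/">www.paypal.com</a>.</p>'

if __name__ == "__main__":
    for warning in link_warnings(SAMPLE_PHISH):
        print("WARNING:", warning)
    print("clean message warnings:", link_warnings(SAMPLE_CLEAN))
    for sender in ("sheila@example.com", "service@paypal.net", "cousin@gmail.com"):
        print(sender, "->", sender_disposition(sender))
```

The sample phishing message trips all three checks: the first link displays paypal.com while pointing at www.paypal.net, which is both black-listed and a lookalike of the trusted domain, and the second link hides "paypal" inside a longer host name. Any message that earns a warning like this is one to verify by contacting the institution through an address or phone number you already have, as the next paragraph describes.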

Once you have spam filtering, and even if you have a black list and white list set up, some phishing attacks will get through. To keep your data safe, use caution when responding to e-mail. The address the mail actually comes from might not be the one that appears in your e-mail software. If you believe that your bank may actually be contacting you by e-mail, do not simply click on the link in the e-mail, hit the reply button, or call a phone number given in the e-mail. Contact the bank directly, either by typing its Web address into your browser yourself, by sending e-mail to an address you enter yourself, or by calling the bank at a phone number you already have on file for it. If the e-mail was legitimate, a copy of it will be in your online account, and it should also be available to the bank's customer service personnel when you call.

Thwart Viruses and Malware

Malware is software that is designed to do harm. It can be embedded in programs or files, and can be hidden in what look like harmless websites. This is a risk whether you are on a Windows or a Mac computer.

Over the years, Macintosh enthusiasts like me have boasted that its operating system is immune to these kinds of attacks. Despite the fact that we can be annoying, even PC devotees have to admit that the number of malware programs aimed directly at the Mac OS has remained low. There have been no major virus outbreaks on Mac OS X, but this may be on the verge of changing. Even Mac OS X has to use browsers to navigate the Web, and any software designed to request files from the Internet will have vulnerabilities. At the CanSecWest digital security conference in Vancouver this Spring, computer security engineers demonstrated the ability to exploit Internet Explorer on Windows, Firefox on the Macintosh, and Safari on the Macintosh and on iPhones. (Google Chrome was the only browser on which no one was able to demonstrate security holes.) Another anti-virus consideration is that users who run Windows through Boot Camp or a third-party Windows virtual machine have Macintoshes that are vulnerable to both Macintosh and PC viruses.

What can you do about this? First, install virus protection software. On Windows, the best known programs are McAfee VirusScan and Norton AntiVirus; on the Mac OS, choices include Norton AntiVirus, McAfee VirusScan, and Intego VirusBarrier. Next, keep your operating system and browsers up to date. Operating system and browser developers regularly release patches (small fixes) to their software when they learn of a security hole, and a machine that has not yet applied a patch remains exposed to an attack that is by then publicly known. If you set your preferences to download and install these security patches automatically, you will be less vulnerable to malware than you would otherwise be.

Genealogists prefer to focus their time on research and on evaluating sources, but the ability these days to do research depends on access to the Internet and to the files that have been scanned, downloaded, and created. If you invest a minimal amount of time in learning how to address password security, phishing attacks, and malware, you will likely avoid much more time-consuming and frustrating situations in the future, in which you might lose some of your genealogical data or have your computer raided.

This article, which originally appeared in a slightly different form in the National Genealogical Society's NGS Magazine, is republished here by permission.