Secrets from Georgie's Past?

Well, not exactly. But guest blogger Carolyn Nicita has provided us with an incredible wealth of tips and tricks for keeping our data secure - exactly what Georgie used to do.

Carolyn Nicita writes fiction, screenplays, and occasionally does articles on data security for authors. Her passwords are longer than most men's. She says they hold up longer, too, and I'm just going to take her word for that!

In honor of Georgiana Neverall and Samurai Security, may I present top-secret intel on data security.

It may be useful.

Some of you might be authors yourselves, and you just got the news that in this market you have to have something called a Web Presence.

Or, you might be one of these people:

Lately one of my friends has gotten hacked, another has gotten credit card numbers stolen, and a third had her house broken into and her writing computer stolen. This along with all of her jewelry, but since she's an author, of course the computer was most important.

Seeing my friends' discomfiture, I called a member of my family who works as a data security expert for a government contractor--a satellite company. I asked her for advice.

She gave me toys.

These toys are Spy Decoder Rings on crack. They are tools to ensure government-level security.

I'm not even going into the elementary things you should already know, like "don't open email attachments" and "make sure they've set up the firewall on your router".

Instead, I'm going to introduce you to four of these toys.

TrueCrypt

How would you like to be able to put your files into a secret, invisible place on your hard drive or thumb drive? How would you like it so secret and invisible that professionals can't detect the hidden data, yet easy enough to access that it doesn't impede your work?

Most importantly, when someone steals your computer or you lose your thumb drive, nobody gets your data.

With TrueCrypt, you create a special file called a partition, and use it like a file folder. You can use the files in this folder all you want, add, change, right on the fly, and as soon as you close the folder your files are instantly protected.


So now, download this free program. Make a TrueCrypt container and, for practice, copy in all the files you're supposed to be backing up. You do back up, don't you?

Stegdetect

If you tell the owner of a blog "Never let guests post random pictures onto your site" he'll probably answer "It's just a picture. What's the big deal?"

But...

If you inspect some of those innocent pictures using Stegdetect, the answer will become shockingly obvious.

Download this free set of programs and use xsteg to inspect some of the web pages and pictures you've randomly downloaded.

The program will tell you that some of these innocent-looking pictures include something called jphide.

This threat doesn't even include the fakepicture.php.jpg type files, programs masquerading as pictures. This is about actual jpeg files where people have put code inside them. They can put the graphic up on your website as their forum picture or an illustration, or a picture that you "just got off the Web somewhere" and used without permission of the owner (but you'd never do that, would you?).

I found this bit of code in a jpeg file from a respectable web site -- here's a snippet --

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

I have no idea what they're trying to do with it. It's probably all very innocent. However, finding this did prove to me that you can indeed put code into a jpeg.

How do they execute that code? Sometimes a senile browser will do it for them. Sometimes you turn off javascript and then the code which asks "Hey this file isn't really a picture, is it?" doesn't execute.

Or they use outside code of their own.

How?

Read stegbreak.pdf, also enclosed in the stegdetect download.

It tells how to hack somebody's web site using those innocent-looking jpeg files -- by using the code in stegbreak to launch what's called a brute-force dictionary attack against your site or account.

A hacker successfully used this dictionary attack on one of my author friend's web sites.

If my friend ever finds said hacker, I will lend my friend the 1024-page 1990 edition of the Webster's New Dictionary and Thesaurus, which sits on my desk.

He could use it to launch a brute-force dictionary counterattack.

But I digress.

To help prevent dictionary attacks, at least of the digital variety, you can make long, gobbledygook passwords that the brute-force dictionary attack can't break. And you don't even have to memorize them.

You use....

KeePass

Despite its name, this program actually works to help you make and keep secure passwords.

It's like a briefcase for passwords. You use one password to open the briefcase program, open your browser, then quickly copy and paste the long, incomprehensible, randomly-generated password from the briefcase into the site. It will even let you generate passwords with non-alphanumeric characters. And KeePass makes it easy for you to change your password frequently, another safety tip you've heard often.

Your main password never goes online. It can be a password you type in, or the fact that you're using the program on your own computer.

I'm recommending this program although I know somebody's going to blame me when they get it set up and then forget their main password. Use some common sense. Back up the KeePass file. It's a bit inconvenient, but a lot less so than having to write to all three credit reporting agencies, finding the federal agencies necessary to report identity theft crime, and waking up at night wondering what they're going to be doing with your personal information in the future.

Or waking up some morning and finding that your blog has been magically turned into a Neo-Nazi Jihaad billboard.

Fedora on a Stick
One of my friends decided to do some online banking from a public hotel computer. Silly him. Of course, someone had put a keylogger on this oh-so-public computer and of course, every keystroke my friend entered got sent to the criminal.

Don't do that.

But what if, for some reason, you're on the Kona coast in the middle of executing a wedding and you have to do some last-minute online transactions with the photographer?

-Or-

What if you want to try to get files off a computer whose operating system has just crashed, without incurring a $150 tech support bill?

-Or-

What if you don't want to write any data to a strange computer? You've learned that even if you delete the data, it can still be read off the hard drive.

-Or-

What if you just want to use your own little computer to take notes on a project...and amaze your friends...mooch off their hardware....

True, you may not find the need for this very often, but dang it's a fun toy, so I'm including it.

I call it "Make Your Own Parasite." The techies call it Fedora on a Stick.

Use Fedora Live USB Creator to install a small operating system, complete with word processing, web browsing, and persistent file storage, onto a thumb drive.

Then plug your new baby parasite into a host computer.

Now you can surf the web, write some manuscript pages, and save the results. Afterward, pull your computer-on-a-stick out and take it home with you. Their disease-infested PC can't access the thumb drive because their operating system isn't running the hardware. And you've written nothing to their computer.

Oh, and by the way, this type of thing is why antivirus programs will ask you to unplug thumb drives before turning off your computer.

Lastly--


To figure out how to use these toys, read their instructions. It really isn't hard, and most important, it will train you in data security.

None of these toys will fry your PC. Much. They are real spy toys, though.


This blog will self-destruct...