Three Steps to Securing Your Online Documents


You want your documents and data to be secure, accessible everywhere and easy to access. As the saying goes, you can have any two of those requirements you want, but never all three at once. It is simply impossible to have all three. Unfortunately, most people choose easy over secure, and then complain bitterly when their documents are stolen and made public. Or simply deleted.

The dream of instant access to all of your documents is now a reality with cloud based services such as Google Docs and Drive, Dropbox and a host of other services.

You can sit down at any computer or tablet and access almost all your documents immediately.

But there is a downside to that. Others can also access documents from the cloud if they have your login details. They can access your documents if they can access your computer.

So how do you ensure the security of cloud hosted documents? Let’s look at the ups and downs of adequate security.

1. Choose a Good Password

Number one on the list is the level of security we have on our cloud account. The most obvious question is, how good is your password? If your password is 123456 or monkey, secret, letmein or similar, you have a major problem. Security breaches over the last few years have resulted in millions of passwords being leaked. These passwords have been analysed by both good guys and bad guys, and now everyone knows the million or so most used passwords.

For the curious, I have listed the 12 most common passwords of 2013. If you are using one of these, bow your head in shame, and know that any time a hacker wants your data, he will have it in minutes…

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. trustno1

Clever passwords are not so clever. If you think s3cret is more secure than secret, think again. m0nkey and monkey are pretty much the same when someone decides to use a password list of a million common passwords to crack your account. Use a long, random, different password for every site you visit. If you cannot remember passwords, use a password manager app or plugin for your computer or browser. I use Lastpass, and have had no problems with it. I let Lastpass generate passwords for me. Lastpass is highly respected, well designed and a Trust No One (TNO) app. Lastpass cannot give your passwords to anyone, because they do not have them. They are encrypted for everyone but you.
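Why s3cret and m0nkey buy nothing, shown as a password-screening check (an added example, not code from the original article): candidate passwords are folded back to their base word before being compared with the list above. The substitution table and the function names are illustrative assumptions; real wordlist rule sets are far larger.

```python
import secrets
import string

# The 12 passwords listed above, plus "secret", which the article also names.
COMMON = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "secret",
}

# Character swaps people think are clever (assumed, non-exhaustive table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, undo leet swaps."""
    folded = password.lower()
    # Keep the original if stripping would leave nothing (e.g. "123456").
    core = folded.rstrip(string.digits + string.punctuation) or folded
    return core.translate(LEET)


# Fold the blocklist the same way so both sides compare like for like.
CANONICAL_COMMON = {canonical(p) for p in COMMON}


def is_guessable(password: str) -> bool:
    """True if the password is a common one after trivial de-obfuscation."""
    return canonical(password) in CANONICAL_COMMON


def generate_password(length: int = 20) -> str:
    """Long, random password from the OS CSPRNG, as a manager would create."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("s3cret", "m0nkey", "Monkey2014!", generate_password()):
        print(f"{candidate!r:28} guessable={is_guessable(candidate)}")
```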

Don’t Save The Password on Your Computer. Do NOT write your passwords down in a file named Passwords and save it on your desktop. Just read about the Sony hack to find the downside of that approach.

Add Two Factor Authentication

Then, for better security add two-factor authentication.


For Google, Dropbox and Lastpass, and many more online services, an authenticator app like Google Authenticator or Authy works perfectly. I prefer Authy because I can make it require a PIN when it starts up. There is a little effort involved in getting an Authenticator working, but they are well documented. Just be prepared to spend 10 or 15 minutes setting it up on your devices.


You need the app running on your phone or tablet, preferably both, and when you log into your cloud service from a new computer, or every few weeks, you must authenticate by providing a six-digit code that changes every 30 seconds. This means you need the password and the mobile phone with the authenticator to log into your cloud account.

Print out a few “Get out of jail” keys so you can log in without your device in an emergency. But secure these printed keys well. See the documentation for your cloud provider.

Secure Your Computer, Phone and Tablet


This makes it very difficult to get into your cloud accounts from another computer. However, if someone steals your laptop, phone or tablet while they are unlocked, they will have access.

So make sure you have a password or PIN that is strong enough to keep a thief out. Ensure that a PIN or password is required to access your computer whenever it starts or comes out of standby.

Remember, if someone steals your phone and can access your cloud accounts and your Authenticator, they can change the password. So keep that phone or tablet secure.

I always close the lid of my laptop or HP Chromebook 11 when I walk away from it in a shared space. In fact I rarely get more than a couple of meters away in public or shared space.

I have made a habit of putting everything into a pocket or bag when I put it down in a public or shared space. Basically I treat a laptop, phone or tablet the way I treat cash. I NEVER leave it lying around unattended.

Here is an example of why…

If you work in an office or have a desktop computer, make sure you lock it when you get up and walk away. Having a screensaver that locks it after a few minutes is probably enough in an office environment. I work largely alone in my home office, so I simply set the screensaver to come on after five minutes. If I was in a co-working space or an office with a lot of people, I would activate (and have activated) the screensaver manually when I walk away. This is easy to do on computers running Linux. I think it is also an option on later versions of Windows. On Chromebooks and Chromeboxes, it is in the bottom right corner of the status window.

Remember the simple security rule. If someone can access your unsecured hardware, they can do pretty much anything. A running, logged in PC is the crown jewels for a thief. Don’t assume everyone in your office is trustworthy.

Follow these three steps, and you will be well on the way to having secure and safe access to your cloud based files and documents.

There is a price. It takes a little longer to log into your account, there is a bit more friction. But after a few days it becomes second nature.

Enjoy! – Phil Stephens

Would the SONY Hack Work on a Google Drive Based Business?

Your Information IS your business, Keep It Safe


A modern business of ANY size is largely the sum of its data and documents. Keeping them safe and private is crucial for the survival of your business. Are you safe if you use Google services?

Security in the Post Sony Hack World

The Sony Pictures hack has shone the spotlight on the security issues posed by Internet connected systems, particularly those using Windows desktops. Sony, it will probably be revealed, got hacked via a spear phishing attack. Spear phishing is aiming a carefully crafted attack at an individual, using personal information to make the attack seem like an email or document they expect, know, or want. Once the target had allowed it into the network, lax security procedures and poor passwords gave the attackers access to everything. However they got in, poor security procedures will ultimately be revealed to be the main culprit.


Passwords were stored in unencrypted files named “passwords”. Thousands of email messages stored in Microsoft Outlook .PST data files were copied. Massive numbers of documents were just copied off the Sony servers and out to the web. It is obvious that security was lax, but the reason all this was copied is basically that it was all sitting on Sony servers, and the passwords were weak or available to the hackers.

This was a failure of the classic server-client network on a huge scale.

Security in the Google Cloud World


On the other hand, a business that keeps its workers on Chromebooks and stores data in the cloud is going to be in a better position to defend its data.

The documents, spreadsheets and mail are all stored on Google’s secure and backed up servers. Access is via individual user passwords. Documents can be private, shared with individuals, shared with domains (everyone in the business) or publicly.

There is one huge security advantage to this. Instead of documents being emailed around the company, they can be shared via email. This means that all that is sent is a link. A document in an email can be forwarded, copied and stolen. The document link will only work for someone logged into Google Drive as the recipient of the document. Anyone else that gets the link will not be able to access the document. This is a huge step up from emailing documents.

An Example of the Dangers of Sending Documents

Some time ago, I worked for a very large organization that used Microsoft Office. Everyone used Outlook for email. People inside the company sent contracts, proposals, memos and other documents as Word documents attached to emails.

In one large department, instead of saving documents on the corporate servers, they began to go back to Outlook to find the last version of the document and worked on that. Then they sent it or saved it back to Outlook. Corporate data was not being saved on the file servers. Outlook .PST files grew to huge sizes.

Then, one Sunday night, the mail server for that department ran out of disk space. It tried to alert the Sysadmin, but there was no space on the server to process the email. The whole system collapsed at 2:35 AM and no-one knew anything was wrong until they arrived for work on Monday.

The lack of disk space had also prevented backups from running properly. Tape backups had failed weeks before, but no-one had checked the logs. It took two weeks to get the mail system running, and many users had lost hundreds of documents and revisions of documents. Some lost their entire email history, address book and calendar. For weeks, email flew around the organization begging for recent versions of contracts, proposals and other documents to be sent back to the originators. The fallout went on for a year or more.

As the Sysadmin for my department, I began monitoring the size of Outlook data files, and began delivering scathing warnings if they began to grow too large.

It was a lesson I never forgot.

And the Winner Is…

If Sony had been using Google cloud storage, how might this have played out?

E-mail would have been protected by storage in Google’s cloud. Google mail is accessible by web browser. The connection to Gmail is by a secure HTTPS connection. This would have made intercepting e-mail difficult to impossible. Attachments would have been replaced by links, and not accessible to the hackers without the relevant passwords. Email would have remained secure as long as passwords remained secure.

I have mentioned secure passwords a few times. A cloud based solution needs good password security. Sony obviously were using bad passwords and poor password procedures.

For Google Docs (the business version of Drive), user policy is controlled centrally by the Administrator, which allows policies like good passwords and two factor authentication to be enforced.


A corporate account with Lastpass would have saved a lot of grief. Lastpass creates and stores secure passwords. Instead of using “Monkey” or “123456” everywhere, Lastpass will generate a real, unique and secure password for every site and then store it for you. Every time you visit that site while logged into Lastpass, it will paste the password and username into the browser for you.

And even better, it is really secure, really cheap, and uses two factor authentication.

Singing the Praises of Two Factor Authentication  

Two factor authentication simply means you need something other than the password. The password is easily stolen, but a second form of identification means the password is not enough.

The second factor or token can be one of those key-ring devices that shows a number every thirty seconds, a fingerprint, a retinal scan, or a USB dongle that has to be plugged into your computer before you can log in.

Every teller at my bank has to swipe a card and type a password before they can use a terminal. That card is their second factor.

The simplest one for most of us is an app for our phone or tablet. I use Google Authenticator. I have registered my Google Mail account, and when I login, I have 30 seconds to type in the six digit number displayed on my phone or tablet. I also have a sheet of six emergency codes. I keep that paper very safe, and have never had to use it. I always have a phone or tablet in range when I sit down at the computer.

The Cloud IS Secure

As we can see from this, using a cloud service like Google Docs is no less secure than storing everything on a local server.

Is it absolute security? No. No-one is even sure such a thing exists. It is all relative.

If the FBI, NSA, ASIO or GCHQ want your data, they will get it. But Google is working hard to make this process more difficult for them, and is making great strides.

This is a low friction, low cost option to provide secure storage and sharing of your data with high reliability, and no cost for a big IT team to keep it working.

REALLY Secure Information in the Cloud  

Some things really are secrets, rather than just private. There are ways to put the absolutely most secret things in the cloud too. They just require a little work to get them there.

More on that later – Enjoy!

Anker IQ 40W 5-port Smart USB Charger Reviewed


The best USB power supply I have seen is the Anker 5 port, 8 amp smart charger. It uses a so-called PowerIQ charging system to provide the best power possible for each device. It is a small brick shaped device that connects to the wall via a figure-eight cable.

A USB based charger can charge most portable devices, from Android phones and tablets, iPhones, iPads, Bluetooth headsets, Cameras, to a wealth of other devices.

Most of these devices come with a “wall wart” plug pack and a USB to micro or mini USB plug, or the Apple Lightning connector. Carrying the original charger for every device we own, and finding a power outlet for each is impossible.

The Anker charger is a small brick, smaller than a cigarette packet, (58 x 91 x 25mm) with 5 USB ports on one end and the small two-pin figure eight socket on the back. The advantage of this (and the wide power supply range) is that the charger can be used in any country with the addition of the correct cable. It can be found on Amazon here and eBay here.

Every USB device makes its power requirements known by talking to the charging port via serial communications through the two inside pins, or, for dumb charging devices, by being wired with certain resistors in the power lines. This allows a smart charger to supply just the right amount of power to each device. The Anker charger is very well regulated, and assuming the cables are of suitable quality, maximum charging speeds will result. Overcharging is impossible as long as decent cables are used. I label the cables that come with my devices and try to keep the correct cable with each device. I have only once seen a different cable cause a problem. It was supposed to have a “Fast Charge” switch on the plug. Switching to “Fast Charge” caused charging to stop completely! More about cables another time.


I found the results to be impressive, though I could never get my HP Chromebook 11 to charge at anything like the 3 amps that its dedicated charger is supposed to deliver. But I torture tested the Anker charger on a one week stay in Melbourne recently. I was sharing accommodation with three other device users. Each night four smartphones, three tablets, a USB charged HP Chromebook 11, a power bank, Bluetooth headsets, two keyboards and a USB powered Seagate WiFi hotspot and media server all had to be kept topped up by the Anker IQ 40W 5-port smart USB charger. It worked flawlessly for the week, charging everything, in some cases with split two headed charging cables connected.


The Anker IQ 40W 5-port charger comes with an 18 month warranty, and this is backed by an impressively fast and helpful customer support operation. My first charger had one port die within a week. Anker asked for the serial number of the device, and had a replacement in the mail within 24 hours. Since they are in the US and I am in Australia the replacement arrived with great speed. A tribute to a real belief in quality and customer support.

Anker now has a 60W version, but I seriously doubt it will result in faster charging except with the most extreme combination of devices. But if you believe more is better, here is a link to the 60W charger on Amazon.
