Security

You’ll be pleased to hear that security is a top priority at OpenSure. As you would expect, we implement a raft of measures to protect our servers; pardon us if we keep the details to ourselves. We don’t rest on our laurels, though, far from it: our systems are monitored constantly, software is kept up to date and performance is reviewed regularly.

However, this is just one aspect of maintaining security, and it’s one that’s pretty easy to understand, if complex to run. What concerns OpenSure just as much is the security of the information our clients store locally and pass between devices. We actively promote the use of software that works beautifully across desktops, laptops, tablets and phones, so we want to make sure that our clients understand how to protect themselves and their data.

You may be unaware of it, but if you use a mobile phone, you quietly leak information 24 hours a day. If you use email systems such as Gmail, or remain logged in to services such as Facebook and Google+, you allow ‘them’ far-reaching access to your information and lifestyle. ‘Them’ can include government agencies as well as the usual information-scraping websites.

If you’re aware of this and view it as a happy trade-off in return for the use you get from these services, then stop reading. If, however, it concerns you, read on for details of what happens, how it happens, why it happens and how you can stop it.


Logging out of services

It’s easy and convenient to stay logged in to frequently used services, but getting into the habit of logging out as you leave is a very simple way to reduce your exposure to tracking, especially on mobile devices, and it limits what a stolen cookie or a lost device is good for. This applies particularly to anything financial, all social media and services such as Google AdWords. It can be quite hard to find the log-out option on some sites, but a quick search will usually find it.

Cookies let a site recognise you from one visit (and one page) to the next. Sites will tell you this is to remember your preferences and deliver you the best experience, and there’s some truth in that, but the same mechanism gives the site’s owners, and any third parties whose cookies the site embeds, a detailed record of your behaviour that makes useful market data. Deny cookies unless you feel they’re essential.

A very eye-opening exercise is to go through the cookies stored in your browser and kill off everything, then notice how often you’re prompted to accept them as you browse (make sure you have your passwords to hand if you do this, as you’ll be logged out everywhere). You’ll find cookies from sites you haven’t visited in ages. There’s no benefit to you in keeping them on your system.

Attacks on cookies are rare, but they do happen: a login (session) cookie that is stolen, for instance by being sent over an unencrypted connection, lets the thief act as you on that site until you log out. Reduce your exposure wherever you can.
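To make the advice above concrete, here is an added example (our own illustration, not code from the original page): a small audit of `Set-Cookie` headers that reports which cookies are long-lived (the kind that lingers for years and suits tracking), which lack the `Secure` and `HttpOnly` flags that stop them being sent over plain HTTP or read by scripts, and which are marked `SameSite=None` so that they travel with cross-site requests as third-party tracker cookies do. The three headers at the bottom are constructed samples, not captured from any real site, and the fixed date used as “now” is an assumption so that lifetimes are reproducible.

```python
"""Audit Set-Cookie headers for tracking and theft risk.

Added example; not from the OpenSure page. The sample headers are
constructed, not captured from a real site.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumed fixed "now" so that cookie lifetimes in this example are reproducible.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
# Anything kept longer than this is treated as a persistent (tracking-grade) cookie.
LONG_LIVED = timedelta(days=30)


@dataclass
class CookieReport:
    name: str
    lifetime: Optional[timedelta]          # None means a session cookie
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    Splitting on ';' is safe even though Expires dates contain commas.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs: Dict[str, str], now: datetime = NOW) -> Optional[timedelta]:
    """Max-Age wins over Expires (per RFC 6265); no attribute means a session cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_cookie(header: str, now: datetime = NOW) -> CookieReport:
    """Flag the properties of one cookie that matter for tracking and theft."""
    name, _, attrs = parse_set_cookie(header)
    lifetime = cookie_lifetime(attrs, now)
    report = CookieReport(name, lifetime)
    if lifetime is not None and lifetime > LONG_LIVED:
        report.issues.append(
            f"persistent for {lifetime.days} days: survives closing the browser, suits tracking")
    if "secure" not in attrs:
        report.issues.append("no Secure flag: also sent over plain HTTP, readable on open wifi")
    if "httponly" not in attrs:
        report.issues.append("no HttpOnly flag: readable by any script running on the page")
    if attrs.get("samesite", "").lower() == "none":
        report.issues.append("SameSite=None: sent with cross-site requests, as third-party trackers need")
    return report


def audit_all(headers: List[str], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map each cookie name to its list of issues (empty list = nothing to report)."""
    return {r.name: r.issues for r in (audit_cookie(h, now) for h in headers)}


# Constructed sample headers (not from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_track=xyz; Max-Age=63072000; Path=/; SameSite=None; Secure",
    "remember=tok; Expires=Wed, 01 Jul 2015 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_HEADERS).items():
        print(name, "-> OK" if not issues else "")
        for issue in issues:
            print("   ", issue)
```

Run it and the well-configured session cookie passes clean, the two-year `_track` cookie is flagged on three counts, and the plain `remember` cookie is flagged for outliving a year with neither protective flag, which is exactly the sort of cookie that logging out and clearing the jar gets rid of.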


Public wifi

There’s no such thing as a free lunch, the old saying goes, and it could be updated to say there’s no such thing as free public wifi.

You go for coffee, you go to the theatre, you wait in an airport lounge, you’re in the European Parliament, and the signs encourage you to log on to the free wifi. If you’re savvy, you pass on that. Theft of information (including passwords, and identity theft) as it’s sent across public wifi is becoming increasingly common.

If you don’t have to enter a passphrase, then the wifi isn’t encrypted and anyone in range can read what you send over it; that should be enough to stop you. If you do have to enter a passphrase, the link between you and the access point is encrypted (though anyone else who knows the same passphrase can potentially decrypt it), but you still expose your web activities to the company providing the wifi. That will often be distinct from the company whose premises you’re in; they’ll be buying in a service from someone whose business model benefits from knowing what all its users are doing. That’s certainly enough to put us off, but if you need any more reason to stay away, how about that the hotspot you’re using might itself be compromised? The technology is out there and the criminals are using it. If you really must use public wifi, stick to sites served over HTTPS (the padlock in the address bar) and, better still, use a VPN, so that the hotspot operator and anyone else on the network see only encrypted traffic.


Analytics

Analytics are small pieces of code on a website that allow the site’s owners to track your behaviour. This can be tedious as these bells and whistles all take time and bandwidth to load, but put together with every other site you’ve visited in a day, whether business or private, quite a picture builds up of your life online. We’re not keen on that kind of surveillance, so we take steps to remove as much of it as we can.

We use a very nifty little utility called Ghostery. It automatically blocks trackers and shows you a summary in the toolbar. You can see what it’s blocked and, if you choose, allow a tracker. If you want social media sharing features, this is handy as you can allow something when it suits you, but remain off the radar the rest of the time.


Tor

To quote its own website, Tor (The Onion Router) is “free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security”.

It does this by sending your web traffic through several volunteer-run relays, wrapped in layers of encryption so that no single relay knows both who you are and which site you’re visiting, and the traffic can’t be traced back to you. This does slow things down, but it gives you anonymity. Note that it’s anonymity rather than end-to-end privacy: the last relay (the exit node) sees your traffic just as the destination site does, so use HTTPS sites over Tor just as you would anywhere else. All you need to do is download the Tor Browser (Orbot brings Tor to Android devices) and you’re off.


Updates and Patches

These matter. Regardless of which platform(s) you run, apply all patches and updates. Some of these are for non-critical feature updates, but some will address security issues and it’s vital that they’re applied as soon as they appear (in the case of updates to services we run for you, we will apply the update – that’s what you pay us for). If you’re unsure about the consequences of applying a certain update, please do ask.

Other updates modify a program in response to changes in operating systems or other components. If you don’t apply them, you could find that some programs no longer work entirely properly, or no longer work as smoothly with other programs as they used to.


Legal rights to your data

Do you post your own original content (words, pictures, music and anything else you can think of) on any platform other than one you own? This can be LinkedIn, Twitter, Facebook, Instagram, forums and any number of sites that take contributed content. If you do, double check who holds the rights to the content you post. It’s natural to assume that all content is yours to do with as you wish, but it ain’t necessarily so.

Simply by posting your content on a third party site, you could be handing over the rights to that content. That means the third party can edit, repost, publish etc as it suits them, and you will receive no income from this and have no grounds to object. Check the small print.


Encryption

Don’t assume that external services, or your devices themselves, encrypt your data automatically; check, and switch encryption on wherever it’s offered.

We recommend encryption of all file data on PCs and, where possible, on mobile devices such as smartphones and tablets, and on all locations under your control that hold key data, including backups. Keep the passphrase or recovery key somewhere safe and separate from the device: encrypted data without its key is gone for good.


Free email

No free lunch, no free wifi; add no free email. Email accounts are freely available from all sorts of companies, such as Hotmail (provided by Microsoft, which is up to some funny tricks), Yahoo (which recycles old email addresses, so someone else may end up receiving mail meant for you) and Gmail (which cheerfully admits to scanning your email to target advertising), but consider how much information you give to these companies in the signing-up process, and how much access they are legally permitted to the information you send via their systems. That’s the price of ‘free’ email.

If you’d rather keep your email secure and private, subscribe to a properly maintained and secure system, such as Zimbra, from us.


BYOD

Bring Your Own Device. This refers to staff using private machines in the workplace and for work. It refers mainly to laptops, mobiles, tablets and mobile storage devices such as USB sticks. We’ve written about it on our blog here and here.

The risks posed by a BYOD policy (or worse, it simply happening with no policy to support and protect the business or educational establishment involved) fall into several main areas:

  • malware that can be transmitted from the device to the company systems
  • security of data held or accessed on a private device, both in technical and human terms
  • ownership of the number associated with a device

If you allow, encourage, facilitate or merely suspect BYOD in your business, examine the issues and formulate a policy that addresses all of the above.


Taking mobile devices offline

Your phone communicates with the outside world constantly: it connects to wifi, it connects to the mobile network, and each connection leaves a record with whoever runs that network. Put together, these markers reveal a great deal about your whereabouts and activities.

If you find this undesirable, there are steps you can take to minimize it. Clearly however, if you want to be contactable then there’s a trade-off. Fly below the radar only if you don’t need to be reached.

Two simple measures you can take are to disconnect from wifi and from the mobile network (aeroplane mode does both at once). That takes out the two most obvious signals, but won’t make you invisible. It also has the advantage of preserving battery life.

While wifi is switched on, your device broadcasts its MAC (Media Access Control) address, the fixed hardware identifier of its wifi interface, every time it looks for networks, so it remains an identity marker even when you aren’t actually connected to anything. The MAC address can be masked or ‘spoofed’ to remove this identifier, and recent versions of iOS and Android randomise it for you.
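As an added illustration (our own example, not code from the original page) of what ‘spoofing’ a MAC address involves: a replacement address has to be a valid unicast address, and by convention it should have the ‘locally administered’ bit set so that it never collides with a manufacturer-assigned address and doesn’t pretend to be a real vendor. The code below generates such an address, checks any given address for those two properties, and prints the commands that would apply it. The interface names `wlan0` and `en0` are assumptions; the `ip link` and `ifconfig ... ether` commands themselves are the standard Linux (iproute2) and macOS syntax, and need root.

```python
"""Generate and validate a spoofed ('locally administered') MAC address.

Added example, not from the OpenSure page. Interface names are assumptions.
The first byte of a MAC carries two flag bits:
  bit 0 (0x01): 0 = unicast, 1 = multicast  (a device address must be unicast)
  bit 1 (0x02): 0 = vendor-assigned (OUI), 1 = locally administered
"""
import re
import secrets
from typing import Callable, List

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six raw bytes."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", mac))


def format_mac(raw: bytes) -> str:
    """Render six bytes in the usual lower-case colon-separated form."""
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return ":".join(f"{b:02x}" for b in raw)


def is_unicast(mac: str) -> bool:
    return not (parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & 0x02)


def random_local_mac(rng_bytes: Callable[[int], bytes] = secrets.token_bytes) -> str:
    """Random unicast, locally-administered MAC.

    Randomising all six bytes also hides the vendor prefix (OUI) that a real
    address carries. rng_bytes is injectable only so the result can be tested.
    """
    raw = bytearray(rng_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE      # set local bit, clear multicast bit
    return format_mac(bytes(raw))


def spoof_commands(iface: str, mac: str, system: str = "linux") -> List[str]:
    """Commands (run as root) to apply `mac` to `iface`; the MAC is validated first."""
    if not (is_unicast(mac) and is_locally_administered(mac)):
        raise ValueError(f"{mac} is not a unicast, locally administered address")
    if system == "linux":
        return [
            f"ip link set dev {iface} down",
            f"ip link set dev {iface} address {mac}",
            f"ip link set dev {iface} up",
        ]
    if system == "macos":
        # On macOS the interface must be disassociated from any network first.
        return [f"ifconfig {iface} ether {mac}"]
    raise ValueError(f"unsupported system: {system}")


if __name__ == "__main__":
    new_mac = random_local_mac()
    print("new address:", new_mac)
    for cmd in spoof_commands("wlan0", new_mac):          # wlan0 is an assumed name
        print("  ", cmd)
```

Spoofing only helps for as long as you keep the new address: if you revert to the hardware address, or your phone reuses the same random address on every visit, the marker is back. Note too that the setting is usually lost on reboot unless your system applies it at start-up.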
