How security professionals protect their personal data
Life / Technologies / December 19, 2019
Ivan Birulya
Director of security at SearchInform.
Half of my colleagues in information security are professional paranoids. Until 2012 I was one of them myself and encrypted everything. Then I realized that such blind defense gets in the way of both work and life.
Coming out of that shell, I developed habits that let me sleep peacefully without building a Great Wall of China around myself. Here is which security rules I now treat without fanaticism, which I periodically break, and which I observe with the utmost seriousness.
Excessive paranoia
Don't use public Wi-Fi
I use it and have no fears on that score. Yes, using free networks does carry threats. But the risk is minimized if you follow simple safety rules.
- Make sure the access point belongs to the cafe, not to a hacker. A legitimate hotspot asks for your phone number and sends an SMS code to log in.
- Use a VPN connection to reach the network.
- Don't enter logins and passwords on untrusted sites.
More on the third point. Previously this meant making sure that the page where you enter sensitive data uses a secure connection (HTTPS in front of the site name).
Recently Google Chrome has even started labeling pages whose connection is not protected as "Not secure". Unfortunately, phishing sites have also recently adopted the practice of obtaining a certificate to better mimic the real thing, so the padlock alone proves nothing.
So if you want to log in to some service over public Wi-Fi, I'd advise checking a hundred times that you are on the genuine site. It is usually enough to run the domain through a whois service, for example Reg.ru. A fresh domain registration date should put you on alert: phishing sites don't live long.
Don't log in to your accounts from other people's devices
I do, but I set up two-step verification for social networks, email, personal account areas, and the Gosuslugi public services portal. This, too, is an imperfect method of protection, which is why Google, for example, has started using hardware tokens to verify user identity. But for "mere mortals" it is enough that your account asks for a code from an SMS or from Google Authenticator (the app generates a new code every 30 seconds on the device itself, with no network involved).
Nevertheless, I allow myself a small element of paranoia: I regularly check the account sign-in history in case someone else has been in my mail. And of course, if I log in to my accounts on other people's devices, when I'm done I don't forget to click "Sign out of all sessions".
Don't install banking apps
Using a bank's mobile app is more secure than online banking in a desktop browser. Even if the web version is developed perfectly from a security standpoint, there remain the vulnerabilities of the browser itself (and there are many) and of the operating system. Data-stealing malware can be injected directly into the browser. So even if the online banking itself is very secure, these risks are more than real.
As for banking apps, their security is entirely on the bank's conscience. Each one undergoes a thorough security analysis of its code, often with renowned external experts involved. The bank may block access to the app if you change the SIM card, or even if you just move it to a different slot in the smartphone.
Some of the most protected apps won't even launch until security requirements are met, for example that the phone is not rooted. So if, like me, you aren't ready to give up online payments altogether, it is better to use the app than desktop online banking.
Of course, this doesn't mean apps are 100% protected. Vulnerabilities are found even in the best of them, so you need to update regularly. If you think that isn't enough, read the specialized publications (Xaker.ru, Anti-malware.ru, Securitylab.ru): they will write about it if your bank is lax on security.
Use a separate card for online purchases
I personally consider this unnecessary hassle. I used to have a separate account from which I transferred money to the card when I needed to buy something online. But I gave it up: it cost too much convenience.
It is faster and cheaper to open a virtual bank card. When you pay online with it, your primary card details are never exposed on the internet. If you think that isn't enough, take out insurance. Leading banks offer this service. On average, for about 1,000 rubles a year, card insurance covers losses of up to 100,000.
Don't use smart devices
The Internet of Things is huge, and the threats to it are even greater than the traditional ones. Smart devices really do offer enormous opportunities for hacking.
In the UK, hackers broke into a casino's network and got at VIP client data through a smart thermostat! If a casino was that insecure, what can be said about the ordinary person? But I do use smart devices; I just tape over their cameras. If the TV leaks information about me, to hell with it. It will certainly be something harmless, because I keep everything critical on an encrypted drive on a shelf, with no internet access at all.
Turn off your phone abroad in case of wiretapping
Abroad we more often use messengers, which encrypt text and voice messages well. Even if the traffic is intercepted, all that comes out is unreadable mush.
Mobile operators also use encryption, but the problem is that they can switch it off without the user's knowledge. For example, at the request of the security services: this was done during the Dubrovka theater attack so that the services could quickly listen in on the terrorists' conversations.
In addition, conversations are intercepted by special equipment. Its price starts at 10 thousand dollars. It isn't sold commercially, but the security services have it. So if someone has been tasked with listening to you, you will be listened to. Scared? Then turn off your phone everywhere, in Russia too.
Makes some sense
Change your password every week
In fact, once a month is enough, provided the passwords are long, complex, and unique to each service. It is better to follow the banks' advice, because they tighten their password requirements as computing power grows. At present a password protected by a weak hashing algorithm falls to brute force within about a month, hence the requirement on how often to change it.
However, one caveat. Paradoxically, the requirement to change passwords monthly contains a threat of its own: the human brain is built so that when it has to keep memorizing new codes, it starts cutting corners. As cybersecurity researchers have found, each new password a user invents in this situation is weaker than the last.
The way out: use complex passwords, change them once a month, but keep them in a dedicated application, a password manager. And guard its entrance carefully: in my case the master password is 18 characters. Yes, apps are guilty of containing vulnerabilities (see the point about apps below). You have to choose the best one and keep up to date on its reliability. I don't see a safer way than that, short of holding dozens of strong passwords in my head.
Don't use cloud services
The story of Google Docs turning up in Yandex search results showed how mistaken people are about the reliability of this way of storing information. For sharing I personally use my company's own cloud servers, because I know how they are protected. This doesn't mean a free public cloud is absolute evil. Just before you put a document on Google Drive, take the trouble to encrypt it and set a password for access.
Necessary measures
Don't hand out your phone number to anyone and everyone
This is no superfluous precaution. Knowing a phone number and full name, an attacker can get a copy of the SIM card made for around 10 thousand rubles. Lately this service is available not only on the darknet. Or, even simpler, re-register someone else's number at the operator's office using a forged power of attorney. The number can then be used to get into any of the victim's services where two-factor authentication goes through SMS.
This is how attackers take over Instagram and Facebook accounts (for example, to send spam from them or use them for social engineering), get into banking apps, and empty the accounts. The media recently reported how 26 million rubles were stolen from a Moscow businessman in a single day under this scheme.
Be alert if your SIM card stops working for no apparent reason. Better to play it safe and block your bank card; that would be justified paranoia. After that, contact the operator's office to find out what happened.
I have two SIM cards. One number, which I share with no one, is tied to services and banking apps. The other SIM is used for calls and everyday needs. That is the number I leave when registering for a webinar or getting a store discount card. Both cards are protected by a PIN code, an elementary but effective security measure that people forget about.
Don't load everything onto your phone indiscriminately
An iron rule. It is impossible to know for certain how an app developer is going to use and protect user data. But when it does become known how an app's creator uses it, it often turns into a scandal.
Among recent cases: the Polar Flow story, through which the locations of intelligence officers all over the world could be discovered. Or the earlier example of Unroll.me, which was supposed to protect users from spam subscriptions but at the same time sold their data on the side.
Apps often want to know too much. A textbook example is a "Flashlight" app, which needs nothing but the flash to work, yet wants to know everything about the user, down to the contact list, the photo gallery, and where the user is.
Others go further. UC Browser sends the device's IMEI, Android ID, MAC address and some other user data to the servers of Umeng, a company that collects information for Alibaba's trading platform. Like my colleagues, I prefer to do without that app.
Even professional paranoids accept risks, but they do it consciously. So as not to jump at every shadow, decide what in your life is public and what is private. Build walls around the personal information, and don't fall into fanaticism over guarding the public part. Then, if one day you find public information about yourself out in the open, it won't be excruciatingly painful.
See also
- A guide for the paranoid: how to avoid surveillance and data theft →
- 5 non-obvious ways you can be spied on through your smartphone →
- What digital identity theft is and how to protect your data online →