Sleeping like a baby

Safe Spaces
Mar 15, 2018

An intro to device security for the everywoman.

The wallpaper of my iPad.

A few months ago, I fell asleep reading a book on my iPad. To be clear, most nights, I fall asleep with my iPad, and I usually wake up cuddling that little square instead of my wonderful boyfriend. This time, though, I was on that annoying second leg of a transatlantic jaunt, with the ocean behind me, Europe laid out in front, and a beautiful Ativan stupor enveloping me.

In true travel-warrior-sleepy-zombie mode, I woke up at my final destination completely unaware that the iPad had slipped off my lap, and focused simply on getting off the plane and the hell out of yet another airport. Hours and several espressos (Europe!) later, I discovered it was gone. I called the airline, but as it was Europe(!), no one answered the phone at first, and then, when they did, they had no real answers.

And yet, I didn’t worry much. Amusingly, my nonchalance shocked all those who knew me. “Aren’t you like, a *security person*?” they asked. Haha, of course I am, which is why I’m not too worried.

Say what?!

I know, right? But preparing for the worst gives you peace of mind. You see:

  1. I knew no one was getting into the device or its contents.
  2. I could track it and remotely erase its contents.
  3. I had no compromising, irretrievable data on it.

Locked down data.

First of all, my loves, how did I know my shit was safe? Passwords. I realize my passion for passwords can bore even the most earnest among you, so I’ll harp lightly. Passwords and passcodes are your first and arguably best line of defense. Imagine if you lost your passcode-less phone during a rager Saturday night. What kind of goodies would the finder be able to access? Your emails, your contacts, your sexts and SnapChats (because we always remember to delete that stuff, don’t we)? Maybe you left your banking or Dropbox apps open? Your photos, access to your social media accounts, maybe your home address if you save it “for convenience” on your Google Maps app? Anything on there have one (or many) of your credit card numbers saved with it…? Apple Pay? Jackpot!

Better hope the person who finds it is a good person!

If you’re like me, you prefer to hedge your bets. Instead of putting SO much faith in humanity, you put a little more into the passcodes on your devices — phone, computer, tablet. Passphrases are the strongest and easiest kind of passcode or password to remember. On Apple mobile devices, you can use the QWERTY keyboard or a really long numerical PIN (do a CTRL+F search for “passcode considerations” in this document). If you want something shorter than “correct horse battery staple” every time you want to send a text, take heart: Based on how long it takes a newer iPhone/iPad to process each passcode attempt, it would take more than 5½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers. This becomes the default with iOS 9. Touch ID is also a good option since you can use a longer passcode without having to enter it every time, the fingerprint data is securely stored on the device, and you can use up to five fingers, just to keep ’em guessing. {{Update 6/16: If you might be arrested — for example, if you’re on your way to a protest — Touch ID does have a drawback: U.S. law allows police to use your finger to unlock your phone, without your consent. Want to avoid this? Turn off your phone or let the battery die. It will require your passcode on restart, even with Touch ID enabled, and you don’t have to share that code with anyone. (Thanks, 5th Amendment!)}}
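To put numbers on that 5½-year figure, here is an added example (not part of the original post) that works out how long it takes to try every passcode of a given format and how long a passcode must be to last a target number of years. It assumes roughly 80 ms per on-device attempt, the calibration figure Apple has published for its passcode key derivation; the function names and sample formats are made up for illustration.

```python
# Assumption (not stated in the post): about 80 ms per on-device passcode
# attempt, Apple's published calibration figure for passcode key derivation.
# Escalating lockout delays and auto-erase are not modeled here.
SECONDS_PER_ATTEMPT = 0.08
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample formats: (label, alphabet size, length)
FORMATS = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("6 chars, lowercase + digits", 36, 6),
    ("8 chars, lowercase + digits", 36, 8),
    ("4 random words from a 2048-word list", 2048, 4),
]

def exhaust_seconds(alphabet, length, per_attempt=SECONDS_PER_ATTEMPT):
    """Worst-case time to try every passcode of exactly this length."""
    return (alphabet ** length) * per_attempt

def min_length(alphabet, target_years, per_attempt=SECONDS_PER_ATTEMPT):
    """Shortest length whose full keyspace takes at least target_years."""
    needed = target_years * SECONDS_PER_YEAR / per_attempt
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for label, alphabet, length in FORMATS:
        worst = exhaust_seconds(alphabet, length)
        # On average a search succeeds after half the keyspace.
        print(f"{label:38s} worst {humanize(worst):>16s}   avg {humanize(worst / 2)}")
    print("Digits a numeric PIN needs to last 5 years:", min_length(10, 5))
    print("Lowercase+digit characters needed for 5 years:", min_length(36, 5))
```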

Android users, as always, you can do the really complex finger-drawing thingie.

Not only do passcodes keep creepers out of your intimates, they ensure that your data stays unreadable, even if someone tries to copy it. According to Apple, mobile devices that run iOS 8 encrypt your personal data — photos, messages and attachments, email, contacts, call history, iTunes content, notes, and reminders — with your passcode as the key. Not only can Apple not decrypt your info, it cannot be compelled to give it to law enforcement. So, stop making excuses and just update already.

What iOS 8 promises, by default, is full disk encryption. FDE is a fancy way of saying that all the data on your device is stored in an encoded manner so that no casual teenage hacker can read it. Anyone who takes your machine or tries to make copies can only get your information as a nonsensical series of numbers and letters. So, unless they’re Bletchley ladies, you’re safe.

While this is news for Apple users, Android has almost always made FDE simple — and has made it even stronger in its most recent 5.0 Lollipop OS. If you’re on a Windows PC, check out this guide with plenty of options for FDE. FDE is super easy for a Mac; simply turn on FileVault, which lives in System Preferences -> Security + Privacy. Just make sure your machine is plugged in — it takes some time and juice.

See? Unbreakable.

Track it and wipe it!

Most mobile devices allow you to automatically wipe the device if an incorrect passcode is entered too many times. Knowing the forgetful data hoarder I can be, that scares the shit out of me. If that scares you, too, or you want to double up, you may (also) want to consider remote tracking and wiping options. There’s Find my iPhone/iPad/Mac for Apple products, which requires you to connect your devices with your iCloud account. Given iCloud’s crappy security history, choose your password for your iCloud account carefully. Android’s tracking is baked in (see this article for instructions to set it up) and Lost Android is there for you if you didn’t plan and are now panicking. This pretty comprehensive list covers other device platforms.

If it gives you more peace of mind, check out apps like Lookout. It seems to do all that I advise and can apparently remotely turn on your front-facing camera and take snaps of those who intend to steal or keep your lost device. That said, it’s sadly run by an all-dude team, minus the token lady HR and marketing peoples, so I can’t wholeheartedly endorse the tool.

Know what’s compromising and keep it off your machine.

Let’s be real, this was my iPad. I don’t keep anything but kitty pics and ebooks on it. Had this been my phone, there would have been need for an Ativan re-up.

Figuring out what’s compromising is a personal journey. For me, location is something I don’t want shared writ large; my organizations do a lot of work in not super open places, so our presence there is better left under the radar — for us, for the people we’re working with in those places, and for the people we work with in all other places.

Similarly, from a counter-intelligence, or hell, a stalker’s perspective, your geographic habits and patterns are a goldmine of compromising data. So, keep in mind that you and your devices can give up and store a lot of location data — you can turn this off on your laptops and tablets without too much ado. Your mobile phone, however, is literally a homing device. When you carry it, you’re by technical necessity giving up your location. I don’t say that to scare you — largely because getting that data about you from a telecom should require legal process in the US. BUT, that data may also be written into your phone. Lock it up and shut off location sharing for all the apps that are happy to have your location but don’t really need it. Twitter may really want to know where I am when I tweet hate at the DMV, for example, but I don’t need that kind of digital trail. I get that my TheWeatherChannel app can give me a forecast more immediately with location services on, but if I’m that desperate for immediate weather data, I can also just look out a window.

So, when you do your soul-search and make a list of what is compromising or what would break your heart if you lost it (the literally thousands of pics of your kitties, the years of text messages with your beloved, your solitaire scores), or would be a total pain to replace or would make you look completely unprofessional to have or not have, get that shit off your device. For help thinking through your data, check out Violet Blue’s The Smart Girl’s Guide to Privacy. Even if you’re not a girl, you’ll be given food for thought. Once identified, back up that data to another computer, an external hard drive that you lock up in a fireproof safe or (AND!) the cloud. NOW you’re solid.

As for my iPad, well, even after numerous calls with the airline that assured me they didn’t have my iPad, I persisted. When I checked in for my very early flight after a long night of drinking, I asked in broken Spanish for the lost & found. I was directed to the airline’s office, which was, miraculously, open. I explained as best I could about the iPad, the green cover, the photo of the cat in the pirate hat. I was shown AN iPad with a green cover, a dirty screen, and a dead battery, and was assured that it actually belonged to someone else. Still undaunted, I politely asked to plug it in and turn it on, and without hesitating, plugged in my key code when the iPad came on. Voila! There was my Livvie, there was MY iPad. Miracles can happen.

Two final notes on device security:

  1. Don’t forget that when plugging your phone or tablet in to charge it, you’re also tapping into its data port…so you can be unwittingly sharing the info on your phone with your computer, another computer, or an unknown outlet, say at an airport while traveling. If you’re not cool with leaking your data, either accidentally or intentionally, consider one of these little guys, which shut down the pins that pass data and only allow those that charge your phone to be active.
  2. The cameras on your devices can be remotely turned on through clickjacking, by making a Flash permission prompt invisible, so that when you click on the Play button of a video, you inadvertently give permission to a program running Flash to start taking pictures. Two things to thwart this: put a corner of post-it note, blue painters tape or a sticker over the camera on your device, or disable Flash on your browsers. Your Windows machine can show you exactly what’s using your camera, though it’s a bit complicated to unearth. Also, remember to be aware of others’ cameras. During tense negotiations last summer, the other party kept leaving the room to let us confer with the lid to their computer suspiciously half open. We closed it before speaking frankly.


Safe Spaces

Security resources for women, trans* folks, people of color, and other communities marginalized from privileged classes. A project of Security Positive.