The Journal Gazette
 
 
Wednesday, December 02, 2015 10:55 pm

Into the data breach

You don’t have to be paranoid to be worried about your privacy online.

Just last week, a cyber-attack on the U.S. Office of Personnel Management, blamed on Chinese hackers, is reported to have stolen the records of every federal employee.

In Fort Wayne, it was revealed that two networks at Medical Informatics Engineering, a software company, had been breached. The company has begun notifying patients of health care providers it serves that their names, addresses, birth dates and medical records have been exposed.

Like Indiana weather or visits from annoying out-of-town guests, some of what happens to our information online is beyond our meager individual powers to predict or prevent.

But now more than ever, it’s wise to listen to the experts and do what you can to avoid becoming a virtual-world victim.

Here are some pointers for staying safe online from people who do this for a living.


1. Keep it current


"The first step in protecting yourself is bringing your software up to date," said Marina Blanton, an assistant professor in the University of Notre Dame’s Computer Science and Engineering Department.

Updated software will contain the latest anti-malware protections.

Malware – malicious software – allows outsiders to explore or even control your computer, tablet or cellphone.

"If the machine is compromised," Blanton said, "then there is little hope for privacy."

You may not need the latest version of, say, a calculator app that isn’t connected to the Internet. "But for something like a browser," Blanton said, "that should be updated ASAP."

With up-to-date software, you don’t have to worry too much about online commercial transactions being compromised. On many browsers, Blanton said, "there’s a little lock that shows whether the connection is safe. On Firefox, for instance, the lock is just to the left of the URL."


2. Watch what you let in


Bacteria evolve to resist antibiotics: evil minds are constantly upgrading malware, too. Even with the latest protections, you need to be cautious about what you expose your computer to.

"Don’t open a suspicious email," Blanton said, and avoid questionable websites. "Questionable," in this case, doesn’t just mean porn sites – it means any site you encounter that "just doesn’t look right."

Your computer can pick up malware just by visiting some of those sites.


3. Don’t put your secrets in email


The Indiana House has been trying to exempt itself from legally having to reveal email. Maybe someone should tell the House not to bother.

"With email, everything should be considered public knowledge," Blanton said. An email may go through a number of storage and retransmission centers, where it may be read, or it can be intercepted en route.

Encrypting email allows it to be sent securely, said Blanton, who specializes in information security and applied cryptography. "There are programs you can buy. But both ends must be able to support it." Though such email is unreadable if it ends up in the hands of a third party, it’s also useless if the person you send it to doesn’t have encryption capabilities.


4. When you look at your phone, it may be looking back


It’s widely understood that your cellphone’s service provider can track your location by GPS. But – creep-out alert – if your cellphone is infected with malware, someone else can take pictures of you with its camera.

"It is also possible for someone to listen via your smartphone without your knowledge," according to Mitch Davidson, chief information officer for IPFW, interviewed by email.

"I personally block the camera on my laptop with a piece of tape when I’m not using it," Blanton said. "The phone can take pictures of your environment," she continued. Malwared phones have even been known to snap photos of sensitive documents for remote viewers.

But doesn’t the sound of the camera click give the game away? With some phones, said Blanton, malware manipulators can actually tell the system to turn it off. But some phones have a setting that prevents that, she said.


5. Things are not always as they seem


Don’t give out information online, even if the requester looks legitimate.

"A simple rule of thumb to follow," wrote Davidson, is "if you receive an unsolicited email asking for you to provide information, or to click on a link to confirm your identity ... contact the supposed sender directly via phone ... to ensure you are dealing with who you think you are."

"A criminal organization can send bulk messages that appear to be very authentic. The message may look like it’s from your bank or an online service you use. They typically will ask for information that will allow them to breach your account or to steal your identity, and identity theft is very lucrative."

It’s called phishing and, according to Davidson, it is one of the biggest causes of computer-breaching today.

"Phishing is not something new," he wrote, "but it has become much more effective over time."


6. Passwords still matter


Do you wonder why so many systems and sites get so prissy about having a variety of letters and numbers in your passwords? "It still holds that a weak password is not only going to compromise you, it can compromise the system," Blanton said; once an outsider gets past the password, he or she may be able to move laterally to other users.

"Have different passwords for each service," she recommended, and when your browser asks you if you want to store a password on it, answer with a polite "no."


7. Be aware


"Be careful about what you do post online," advises Jonathan Sweeny, an FBI computer scientist in Indianapolis. But also, "be aware of what information is already online about you. Google yourself. I’ve heard of people who will even search for their own Social Security number," he said, although he warns that could create its own problems.


8. Assume the worst


Because you’ve never seen evidence that your personal computer or private information has been breached, you’re probably OK, right? Wrong.

"The truth is," wrote Davidson, "you may never know. Or you may discover it weeks or months after it occurs. The most widely published breaches are sometimes not discovered by the companies in question for extended periods ... even several years."

Blanton agreed. "We know that this happens all the time," she said. "A small number get reported. I think there’s a lot that we never know."

At least when a company learns its customers have been compromised, it will probably take steps to warn them.

But, Blanton said, when Internet service providers or other companies are legally compelled to turn over an individual’s information, "the company is not even allowed to say that they gave away the data."

And then, of course, there are the mass data interceptions of the National Security Agency, which Congress appears close to reining in this year.

"They’re not necessarily after me," Blanton said. "They’ll take data from a lot of users."

But as with hackers and law enforcement investigations, no one from the NSA is likely to send you a happy-gram telling you your communications have been surveilled.


9. Guard your credit


Sweeny advises Hoosiers who think they might have been personally targeted by criminals or who suspect they’ve been caught up in a breach to begin with the obvious. "Watch your credit-card transactions; watch your credit history."

But you can do more, Sweeny said.

First, you can notify a credit agency that you may have experienced fraud.

Second, you can have the agency begin credit monitoring. Often a company whose records have been breached will offer to pay for that service. Medical Informatics Engineering, for instance, will provide credit monitoring for the patients whose records were compromised, even though the company doesn’t yet know how many of those patients there may be.

Davidson also advises that credit monitoring can help. "Unusual activity, an attempt to open an account or loan in your name, etc., can be quickly reported to you," he wrote.

But such monitoring, Sweeny said, still is "not preventive – it’s responsive."

The third step potential fraud victims can take is, Sweeny said, the most effective: ask one of the three big credit agencies – Equifax, TransUnion or Experian – to institute a security freeze.

If you need to use your credit yourself, to apply for a mortgage, for instance, or open a new credit card, you lift the freeze, make the transactions, and ask that the freeze be reinstituted.

In many states, that can mean a series of charges. But in Indiana, Sweeny noted, the law requires the service to be free. For information on Indiana’s credit-freeze laws, with links to the three credit agencies, go to www.in.gov/attorneygeneral/2411.htm.


10. Don’t be too social on social media


Though millions of users have decided to place all sorts of personal data on Facebook, they might want to consider that many of the applications they’re invited to join don’t necessarily have the same privacy standards as Facebook.

"It’s already a lot to trust Facebook with the data," Blanton said. "For me, I’m hesitant to interface. Then they have access to my profile. Anybody can write an application for Facebook, and say, ‘Want to install it?’ "

Sweeny is wary of putting much personal information on social media. Even the act of "friending" someone you’re not really familiar with on Facebook or LinkedIn can create problems.

"Any time you add someone as a connection, that gives them a deeper view of you," Sweeny said. "It allows them to send a message to you any time, or to send you websites to open."

Sweeny said helping to investigate digital crimes has definitely colored his view of the Web.

"I have a little extra level of paranoia," he said. "Knowing what I do about computers and security, I definitely don’t put as much online."

Tim Harmon is an editorial writer for The Journal Gazette.

