DEC. 14, 2016 How to Protect Your Personal Information Online
Runa Sandvik, The New York Times’s director of information security in the newsroom, and Nicole Perlroth, who writes about cybersecurity and privacy, answered reader questions about cybersecurity and protecting personal data online. Read the full transcript below.
Runa Sandvik
Director of Information Security, The New York Times
8:26 PM ET
Hello! I’m Runa, the Director of Information Security for the Newsroom at The New York Times. What questions do you have about information security and how to protect yourself online?
Please submit your questions in advance and we’ll answer some of them during tomorrow’s chat.
Nicole Perlroth
Reporter, The New York Times
9:04 PM ET
Hi, I’m Nicole and I cover all things cybersecurity and hacking for The Times. I’m looking forward to your questions and hearing about how you have dealt with your issues around data protection.
Runa Sandvik
Director of Information Security, The New York Times
1:57 PM ET
Hi everyone - we’ll be starting our chat shortly. Nicole is unfortunately running late, but we’re looking forward to answering your questions!
Marc
Reader, United Kingdom
2:00 PM ET
Should I buy a 2FA token or continue using my mobile phone to secure my account? How would you describe to my tech-illiterate relatives the importance of securing their email accounts?
Runa Sandvik
Director of Information Security, The New York Times
2:00 PM ET
Marc - I usually say that not securing an online account is like not having a lock on your front door. The better the lock, the harder it is to get in. Describing the importance of security to others is all about figuring out what matters most to them; sometimes it’s more about access to content and not so much encryption and security and privacy.
Andrew
Reader, Netherlands
2:01 PM ET
Besides a firewall and anti-virus software, do you recommend encrypting a hard drive as an extra measure against cyber crime?
Runa Sandvik
Director of Information Security, The New York Times
2:02 PM ET
Andrew - that’s a great question! Encrypting your hard drive will protect data stored locally on the drive if the computer is ever lost, stolen or seized. To protect data you have stored in the cloud, I recommend that you consider good passwords and two-factor authentication where possible.
Charles Koppelman
Reader, Berkeley, CA
2:03 PM ET
Without giving away too much, can you tell us what security protections NY Times reporters take in their communications? Especially with sources.
Runa Sandvik
Director of Information Security, The New York Times
2:03 PM ET
Charles - earlier today we launched a tips page with secure communication channels for sources. This page (https://nytimes.com/tips) tells sources how to reach us on Signal, WhatsApp, SecureDrop, via encrypted email and postal mail. In short, we are familiar with and frequently use various secure communication tools to ensure that we protect our communications, data, and sources.
Rosie
Reader, Philadelphia, PA
2:10 PM ET
I am one of the unfortunate Yahoo users. To update “security” they are asking for my phone number and another email. Isn’t this just foolish to give to the site? What else can I do? What happens if you shut down an account (which I have never tried to do)?
Runa Sandvik
Director of Information Security, The New York Times
2:10 PM ET
Rosie - I’m sorry to hear you were affected by the Yahoo breach! If you’re not confident that the provider can protect the additional information it is now asking for, you may want to consider other providers. The provider will still have all the contents you’ve given up so far, but at the very least you won’t give up more going forward.
Julie
Reader, Ireland
2:11 PM ET
If your browser asks, “Do you want to remember this password?” what should you choose?
Runa Sandvik
Director of Information Security, The New York Times
2:12 PM ET
Julie - instead of relying on a single browser to remember passwords for you, I recommend you look into a password manager instead. The password manager will help you create and remember good, unique passwords for all your sites and services. By using a password manager, you can access your passwords from any computer, regardless of the browser you are using.
Waheed Shams
Reader, Brooklyn, NY
2:12 PM ET
Can I make a new e-mail account and transfer all data to the new address for protection?
Runa Sandvik
Director of Information Security, The New York Times
2:12 PM ET
Waheed - you could technically create as many email addresses as you want, but the bigger question here is what you’re trying to protect yourself or the emails from? If the emails are already with a provider, moving to a different provider isn’t going to change the fact that the first one already has access.
Waheed Shams
Reader, Brooklyn, NY
2:13 PM ET
What can I do AFTER finding my e-mail was hacked?
Runa Sandvik
Director of Information Security, The New York Times
2:13 PM ET
Waheed - in situations where one of your online accounts has already been hacked, it is highly recommended that you secure the account as best as you can. This means changing the password, setting up two-factor authentication (if possible), and reviewing active sessions and devices for anything suspicious (that is, for devices and activity you don’t recognize).
Joan Garrity
Reader, White Marsh, MD
2:13 PM ET
Is it really realistic at this point to think it is possible to protect one’s personal information from being hacked??
Runa Sandvik
Director of Information Security, The New York Times
2:13 PM ET
Joan - within the information security community we always say that nothing is 100% secure. What’s important is that you consider how the service will use the information you’re providing; this is essentially information that you are trusting the service with, information that could leak at some point in the future. This is true not only for emails, but for social media, messages, etc.
Liz
Reader, Boston, Massachusetts
2:17 PM ET
How do I validate an email from my email provider telling me I need to change my password if there is a chance it is a hacker?
Runa Sandvik
Director of Information Security, The New York Times
2:17 PM ET
Liz - some phishing emails look very realistic and it can be hard to tell a phish from a real email. A few things to look out for include: Is the sender someone you recognize? Did the email come from the provider itself? If you hover over the link in the email, does it point to the domain owned by the provider? If you receive an email requesting that you change your password, I suggest you open a new tab in your browser, go directly to the email provider’s website and change your password there. Do not use the link in the email to do so.
Patrick
Reader, San Francisco, CA
2:18 PM ET
What is a 2FA token?
Runa Sandvik
Director of Information Security, The New York Times
2:18 PM ET
Patrick - good question! 2FA is short for “two-factor authentication.” That’s when you use your username, password and a random code that, say, your phone has generated to log on to your account. In this case, your phone is the ‘token’ that generates the code. You can also receive the code via SMS, or you can use a hardware token, such as a YubiKey (looks like a tiny USB stick).
Bryan
Reader, Chicago, IL
2:19 PM ET
Can you suggest a password manager? There are so many to remember.
Runa Sandvik
Director of Information Security, The New York Times
2:19 PM ET
Bryan - a password manager is a great option if you’re looking for ways to create and remember good, unique passwords for all your services. I highly recommend you look at 1Password, Dashlane and LastPass.
Marc
Reader, West Islip, NY
2:20 PM ET
Hi, do you recommend storing files on a separate drive to protect from ransomware?
Runa Sandvik
Director of Information Security, The New York Times
2:20 PM ET
Marc - I’ll always recommend creating backups of data you care about, whether you’re concerned about ransomware specifically or something different. For many, cloud services are great for backing up content. If you don’t want to put your data in the cloud, using an external hard drive is a great alternative.
Barb
Reader, Philadelphia, PA
2:25 PM ET
Are we really protected by secured apps if a hack were to happen?
Runa Sandvik
Director of Information Security, The New York Times
2:25 PM ET
Barb - when we talk about secure messaging apps and what they can do for us, it is important to remember that while the apps may not provide 100% security or any guarantees, they do protect a bigger portion of the communications than if we didn’t use the apps. With Signal, for example, the app will encrypt the contents of the messages (and calls) and the service does not retain any metadata about the who and when and how often.
Subpoenas and Gag Orders Show Government Overreach, Tech Companies Argue
Open Whisper Systems received a subpoena for information on its Signal app subscribers and an order not to talk about it, a practice Microsoft and others say is too prevalent, and unconstitutional.
The New York Times
William Kolb
Reader, Memphis, TN
2:25 PM ET
A billion were hacked; out of how many? How do I know if I’ve been hacked?
Runa Sandvik
Director of Information Security, The New York Times
2:25 PM ET
William - I believe Yahoo is currently notifying users who were affected by the most recent breach. If you have not received such a notice, I’d still advise you to change the password on your account (and anywhere else where you’ve used the same password) and set up two-factor authentication where possible. This is true not just for Yahoo and email in general, but for any other account that you have.
John
Reader, Pasadena, MD
2:27 PM ET
Are password managers like Keychain and LastPass really a good idea? Doesn’t this just mean that a hacker has to crack/discover/phish one password to get access to all your passwords?
Runa Sandvik
Director of Information Security, The New York Times
2:27 PM ET
John - you’re asking a good question and I understand it may seem a bit backwards to put all your passwords in the cloud, hope the provider doesn’t get hacked and trust us all when we say this is better than not using a password manager. Realistically, using a password manager with a good, unique master password is better than not using one. If you’re not using one, you’re likely to start re-using passwords at some point and that’s far from ideal.
Nicole Perlroth
Reporter, The New York Times
2:29 PM ET
Hello readers! Nicole Perlroth, cybersecurity reporter for the New York Times here. Sorry I’m late! Excited to jump in and answer your questions.
Cynthia
Reader, Manhattan Beach, CA
2:34 PM ET
Is there any way to permanently delete old messages from email and social media accounts?
Runa Sandvik
Director of Information Security, The New York Times
2:35 PM ET
Cynthia - deleting content means that it’s no longer available to you or anyone who gains access to your accounts. The majority of service providers out there do retain content, however, even if you have deleted it yourself. Something to keep in mind depending on whether your concern is a hacker or someone taking legal action.
Larry
Reader, Encino, CA
2:35 PM ET
I am a CEO concerned about protecting my employees’ emails in the wake of this Yahoo attack. What can I do to prevent them from reusing passwords? Is 2FA an option for me?
Nicole Perlroth
Reporter, The New York Times
2:37 PM ET
Larry, Your best defense is to encourage employees to enable two-factor authentication and to set policies that force employees to change up their passwords every 90 days or so. You are bound to hear some gripes, but some complaining is much preferred to having your data in the hands of hackers.
Jerry
Reader, New York, NY
2:41 PM ET
Are firewalls such as Sonicwall effective in preventing hacking?
Runa Sandvik
Director of Information Security, The New York Times
2:41 PM ET
Jerry - a firewall is one tool in the security toolbox that can help you protect your network and the devices on it. There is sadly no one tool that can defend against all possible attacks. Keep in mind that you also need to secure all your online accounts - we’ve talked a bit about use of two-factor authentication and password managers as starting points for doing so.
Nicole Perlroth
Reporter, The New York Times
2:47 PM ET
Jerry - Firewalls are never a bad idea. But I put them in the same bucket as antivirus software, in that they make it harder for hackers, but are not a cure-all. It’s important to layer on other security defenses, like two-factor authentication for email, to protect your data.
Arne
Reader, Dallas, TX
2:41 PM ET
Is it true that most SMS message apps are easily read by outside parties, but that Signal cannot be?
Rosie
Reader, Arlington, MA
2:41 PM ET
I heard iPhones are encrypted. Should I be using Signal anyway?
Runa Sandvik
Director of Information Security, The New York Times
2:45 PM ET
Nicole has a good point here about the iPhone and the Signal messaging app; the iPhone does encrypt the data stored locally, but does by default not do anything for your communications using the phone. That’s where apps such as Signal come in; the app will encrypt your messages and your calls, and the service is designed to retain as little metadata as possible.
Correction 12/16/16: Suggesting that the iPhone does not do anything to protect your communications is an oversight on my part. iOS does, by default, use end-to-end encryption for messages sent using iMessage from one iPhone to another. In addition, FaceTime will encrypt audio and video calls by default. If you are communicating with someone who does not have an iPhone, however, it is recommended that you use an app such as Signal to ensure end-to-end encryption. — Runa
Nicole Perlroth
Reporter, The New York Times
2:41 PM ET
Arne and Rosie had similar questions about protecting text messages from snoopers. iPhone content is encrypted and harder for hackers to intercept, but I also recommend that people use secure, encrypted messaging apps like Signal and Wickr for more sensitive communications.
Phil
Reader, Cary, NC
2:43 PM ET
Runa, you said to use an external hard drive to protect data from ransomware. Doesn’t ransomware take all drives connected to the computer hostage?
Runa Sandvik
Director of Information Security, The New York Times
2:44 PM ET
Phil - you’re correct in saying the ransomware will grab whatever is on the local drive and any attached devices. What you could do is either use the cloud to back up your data or use a hard drive that you attach, back up the data on, detach and store somewhere safe.
George
Reader, Tampa, FL
2:50 PM ET
How reliable is checking to see if the email comes from the alleged sender? My niece published an op-ed in today's Times explaining how she became a victim of a spear phishing attack courtesy of Qatar. Can phishers fake domain names? And I believe the Times reported on the Israeli company that developed the hacking tools and sold them to Qatar. See http://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html.
Runa Sandvik
Director of Information Security, The New York Times
2:51 PM ET
George - it can sometimes be difficult to tell a fake email from a legit one, and the people behind these emails are getting more and more creative with how they do it. Sometimes they create fake domain names that look just like the real ones you’re expecting to see; other times the contents of the email are almost exactly the same as what the real company would send out (minus a spelling mistake or two). A great piece on what it’s like to have your accounts hacked is this one from Mat Honan:
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
David
Reader, Austin, TX
2:51 PM ET
I’m still unconvinced about using a password manager, in effect ‘putting all your eggs in one basket’ - it seems like these companies would be prime targets for hackers. How long before we hear of one of these ‘vaults’ being hacked?
Nicole Perlroth
Reporter, The New York Times
2:51 PM ET
David, You’re right to be skeptical. Password managers like LastPass have themselves been compromised in a breach. It’s important to do some diligence to understand which password managers have the best reputations. I am also a skeptic and keep my most sensitive passwords (for banking and email) off the web completely.
Susan
Reader, Dallas, TX
2:53 PM ET
I, too, have had a Yahoo email account for a long time. I see above that you said people might consider switching, which I want to do. What type of email do you use personally and/or what would you recommend?
Runa Sandvik
Director of Information Security, The New York Times
2:53 PM ET
Susan - I personally use Google for email and that’s the provider we use here at The New York Times too. I can’t speak to other providers, but I would encourage you to choose a provider that allows you to do things like: set a good password, turn on two-factor authentication and review active sessions and devices (this comes in useful if you need to review where your account was last accessed from, for example). Some providers have better terms of service agreements and privacy policies than others, so you may want to review those as well to better understand when/how your information is collected, stored and used.
Priya
Reader, Glen Ellyn, IL
2:59 PM ET
I was talking to my colleagues today about protecting data online and trying to articulate why it’s important. They think I am paranoid and a conspiracy theorist. Am I? Can governments, businesses and individuals really use your information against you? Emails, Google searches, photos, etc.?
Nicole Perlroth
Reporter, The New York Times
2:59 PM ET
Priya, That is a great question. You are paranoid and these days, that’s a wonderful thing. Government hackers have routinely scoured LinkedIn and Facebook to send tailored emails to targets they want to hack. There was even one case of an oil company that state hackers could not breach head on, so they researched which restaurants employees preferred by looking at their Facebook Likes and infected the PDF takeout menu of a Chinese restaurant employees ordered from. I would recommend sharing that story with any colleagues that consider you a paranoid conspiracy theorist. It’s sure to be a wake-up call.
Hackers Lurking in Vents and Soda Machines
Companies are finding that their greatest cybersecurity threats can hide in third-party systems, like networked air-conditioning equipment.
The New York Times
Runa Sandvik
Director of Information Security, The New York Times
2:59 PM ET
Priya - that happens to me all the time! I find that it’s easier to argue for why it’s important if you can find a hook that helps them understand why it’s important to them. One example is use of the Signal messaging app; not everyone will care about the fact that it encrypts all calls and messages and retains little data. For some, the fact that it allows calling and messaging for free is a better selling point (and gifs, everyone loves gifs).
Nicole Perlroth
Reporter, The New York Times
3:00 PM ET
Thanks so much for your (very thoughtful) questions today, everyone. It’s been a pleasure. I hope we didn’t scare you off the digital universe completely!
Runa Sandvik
Director of Information Security, The New York Times
3:01 PM ET
Thanks everyone! This has been great and I hope our answers were helpful.