Encrypt Your Data to Avoid Identity Theft

"They broke in and stole my computer and my USB external drive," the potential identity theft victim began, "and now I'm worried that my unencrypted bank account files, my social security number, my health information … my whole life is out there on the Internet being shared among thieves."

If you have not considered this scenario, then you need to. Realize that it can take years to get past identity theft, especially when electronic confidential data is involved. As an aside, if you think you may have been the victim, take the steps mentioned in SideBar #1 immediately. As more of us work on mobile computers, we are saving more of our confidential data on them. But, how do we protect that data against unauthorized use?

The answer is “Encryption!” Encryption of data files can address these issues. There are corporate solutions, as shown in the sidebar, that your workplace may use to encrypt data, but these techniques may be non-existent in K-12 education. And, what do you do with the information you have at home or away from work that is confidential? This article explores how you can use free software tools – regardless of whether you are a Mac, Windows, or Linux user – to protect your confidential data.

A Warning

If you use these encryption tools on your work computer, make sure that you provide a copy of the private key and pass-phrase to your employer. Since you can create multiple keys – one for use at work, the other for personal use – keep them separate or on a USB Flash Drive, such as the PenDrive. This enables your employer to access your work data, which is within their rights since you created it for them as ‘work for hire.’

Why Protect Confidential Data?

To ensure that you will not ever have your data used without your authorization by malicious strangers, encrypt the data on your hard drive. Why do we so often shred paper documents and then leave the same information unencrypted on our computers?

In addition to encrypting data on your hard drive, you are also able to encrypt the Email messages sent to others. While some question why they would ever encrypt their Email, remember that information about you can be used by a criminal. This is especially important if you take advantage of WiFi hot spots (Read SideBar #2). Unless you are using a Virtual Private Network, your data can be easily accessed by others. But, once your data has been encrypted, it is not viewable by others, even while in transit. When the encrypted Email arrives at its destination, the recipient can decrypt it. Confidential data can then sit on the computer — safely encrypted — until the reader needs to access it.

Mobile Laptop User? You Need Encryption!

Are you not entirely sure about that? Do you think this is not a high priority or that encrypting your data takes too much time? Then, consider these five statistics:

  1. More than 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in losses and an estimated $5.4 billion in theft of proprietary information. Source: Safeware Insurance, 2004
  2. Some 73% of companies do not have specific security policies for their laptop computers. Source: Gartner Group, 2003
  3. Informal surveys show that thieves are intent on selling the data in 10 to 15 percent of laptop thefts. Source: Securityfocus.com (http://www.securityfocus.com/).
  4. Some 97% of stolen computers are never recovered. Source: FBI
  5. According to 2003 statistics, Texas ranks fourth per capita among all states for identity theft with about 93 of every 100,000 Texans being a victim. More than 20,000 Texans were victimized in 2003. Source: Texas ID Theft Statistics, 2003

Let me repeat item 4. Ninety-seven percent of stolen computers are NEVER recovered. That means your data could be out there forever, waiting like a time-bomb to explode until someone discovers it and then uses it.

As we become more mobile, there is no doubt that laptops will be stolen. The question is, "Do you know how to protect the data on your laptop or desktop in such a way that thieves can't get in?"

What Do I Encrypt?

The answer is: encrypt all the critical files on your laptop. Which files are those? Any of the following items, from my perspective, is considered "critical":

- Name, address and birth date. This information can be used in combination with other data to impersonate you.
- Documents with social security numbers in them.
- Documents with credit card numbers, bank account information, etc.
- Any information that might be considered confidential. This can be your spouse or child's medical information, house insurance, etc.

What Do I Do After Identifying Critical Data?

Once you have identified confidential data, realize that you should separate it from other data on your hard drive. When you do this, you make it easier to protect. Once you have encrypted the data, you can easily move it from one place to another. I often do this with my Email. Since I use the Mozilla Thunderbird Email client – available on Windows, Mac, and Linux – I follow these steps to ensure that my data is protected:

1) Move all confidential data files into a common folder.

2) Use the zip compression option, which is available via the right-mouse click on Windows, Mac and Linux, to create ONE compressed file with your data.

3) Encrypt that zipped file with the option to wipe the original zip file.

4) Make a backup of the compressed, encrypted file to an external USB drive, e.g. 120 Gigabyte or PenDrive, etc. Include a copy of the program with which you did the encryption.
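The four steps above as a shell function, added here as an example and not taken from the article or its tools. It assumes a GNU/Linux system with gpg 2.1 or later, tar, cmp and shred; it uses tar in place of the right-click zip and a passphrase (symmetric AES-256) instead of a key pair; the function name, file names and passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article).
# protect_folder SRC_DIR PASSFILE BACKUP_DIR
#   SRC_DIR    folder holding the confidential files (step 1)
#   PASSFILE   file containing the passphrase (assumption: a real user
#              would normally let gpg prompt for it instead)
#   BACKUP_DIR mount point of the external USB drive (step 4)
# Prints the path of the encrypted backup; returns non-zero on failure.
protect_folder() {
    src=$1 passfile=$2 dest=$3
    [ -d "$src" ] && [ -r "$passfile" ] && [ -d "$dest" ] || return 2

    work=$(mktemp -d) || return 1        # private (mode 700) scratch folder
    archive=$work/confidential.tar.gz    # hypothetical file name
    enc=$archive.gpg
    status=1

    # Step 2: ONE compressed file holding the whole folder.
    # Step 3: encrypt it with the passphrase.
    # Check:  decrypt the result and compare it byte for byte with the
    #         archive, so an unreadable file is never trusted as a backup.
    if tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" &&
       gpg --batch --yes --pinentry-mode loopback \
           --passphrase-file "$passfile" \
           --symmetric --cipher-algo AES256 -o "$enc" "$archive" &&
       gpg --batch --quiet --pinentry-mode loopback \
           --passphrase-file "$passfile" --decrypt "$enc" 2>/dev/null |
           cmp -s - "$archive"
    then
        # Step 4: copy only the verified ciphertext to the external drive.
        cp "$enc" "$dest/" && status=0
    fi

    # Step 3 (wipe): overwrite and remove the unencrypted archive whether
    # or not the run succeeded. The files in SRC_DIR are left untouched.
    [ -f "$archive" ] && shred -u "$archive"
    rm -rf "$work"

    [ "$status" -eq 0 ] && printf '%s\n' "$dest/${enc##*/}"
    return "$status"
}
```

shred's in-place overwrite is not dependable on SSDs or on journaling and copy-on-write filesystems; set TMPDIR to a folder on an encrypted volume so the temporary archive never lands on unencrypted storage.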

Now, there are several encryption programs available for your use.

Built-in Encryption Tools

Before we jump into some specific free, open-source tools, be aware that both Windows XP and Mac OS X operating systems have built-in encryption schemes that can protect your data at a basic level. Often, these encryption systems work in the background, encrypting and decrypting your data on the fly.

For example, according to the Microsoft page 4 Ways to Protect Your Mobile PC Against Data Loss and Theft, in Windows XP, "you can encrypt a subset of files or folders or a full disk, in which case it protects the data stored in files and folders, the operating system, and any installed programs."

Mac OS X users should check Apple’s Security: MAC OS X Minds the Store. There they will learn of their many options, including FileVault, which protects data placed in your home folder. Other tools include disk image encryption, and permanent delete (the equivalent of a digital shredder). Disk image encryption enables you to create a new "disk" or volume and then save data to that volume. All data saved on that volume is encrypted, which saves you from having to periodically wipe the hard drive of data.

Although these built-in operating system tools can save you trouble, you may also want to consider additional tools shared below. The following tools can be useful if you are trying to share information with others, or if data has to be encrypted prior to transfer over the Web.

What Encryption Software Should I Use?

In previous articles, I have recommended several tools. Unfortunately, while free open source encryption software tools are getting easier to use, they are not all equally easy. For example, the free tools for Windows called WinPT, or WinPrivacy Tools and the Linux tool KGPG are relatively easy to use. The Mac version still needs some work since it occasionally has to drop to a command line. Command line modification, although guided by prompts, can appear daunting to a Mac user.

In spite of that, you can still use the tools mentioned below to encrypt your data. Below is a quick overview of each of the tools:

Windows Privacy Tools

For Windows, use WinPT (Windows Privacy Tools). I have used this program over the last year and have been very pleased with its relative ease of use. The main benefit of WinPrivacy Tools — aside from the fact that it is free — is that once set up, it is incredibly easy to use to encrypt/decrypt files. Besides encrypting zip files, or any other file you have, whether zipped or not, you can also encrypt the contents of your clipboard. This is helpful when sending confidential information via Email to others.

While Windows Privacy Tools comes with a built-in WIPE tool, the equivalent of a digital paper shredder, some prefer to use the right-clickable Eraser. Use Eraser to wipe the hard drive free space or to wipe individual files. This is especially important if the drive is being discarded or auctioned off since old confidential data may remain.
Warning: if you do not wipe your computer using programs like WinPT or Eraser, malicious others can use Free Undelete tools or PC Inspector File Recovery to resurrect your “deleted” data.

Another complementary tool that you might consider using is TrueCrypt, a free, open-source disk encryption tool for Windows XP/2000/2003. Often, we have to wipe free space on a computer because data remains even after we have “deleted it” – by emptying the Recycle Bin, which really does nothing. The data can remain on the disk unless it is wiped. A safer approach to wiping is to prevent the data from ever being written to hard disk in unencrypted format.

Instead, use a program like TrueCrypt to create a virtual encrypted disk. Your data is saved "inside" this encrypted disk and never touches the unencrypted hard drive. No footprints of the original data are left on the hard drive.

While this may seem complicated, it is as easy as inserting a USB Flash drive (or memory stick) and having the icon appear in your “My Computer” area. TrueCrypt can also encrypt an entire hard disk partition or a device (such as USB Flash drives, 3.5-inch diskettes, etc). Note: Because of the danger of losing all existing data when you attempt to encrypt a USB Drive or other device, it is important to carefully read the Beginner’s Tutorial and the FAQs before beginning to work with this program.

Software Tools:
1) Windows Privacy Tools
2) Eraser
3) TrueCrypt
4) Free Undelete Tool
5) PC Inspector File Recovery

Macintosh Privacy Tools

There are several privacy tools available for Macs. While the Personal version of PGP (Pretty Good Privacy) is free, it lacks disk encryption after the 30-day trial expires. It is the easiest to use, but there is another alternative – FOSS, for Free Open Source Software.

While installation of these tools is straightforward, you will have to spend about an hour puzzling over the documentation to see how they all work together. Unlike with Windows Privacy Tools, there is no one unifying installer. Instead, you are left trying to make all the pieces work together. You will need to install five different tools on your computer. I recommend creating a new folder on your desktop, then copying the files to that folder.

Figuring out how all these tools work together can be difficult, but not impossible. The most difficult part of the process is actually setting up your public and private key. You may be forced to work at the command line. To find help at the command line just type "help" and press RETURN, but it is always a good idea to read through the directions.

I have successfully encrypted Emails and specific zipped files with the Mac privacy tools above, then unencrypted them with privacy tools on other platforms, e.g. WinPT on Windows or KGPG on Linux. This enables you to enjoy cross-platform security.

Software Tools:
GPG Tool
According to the site, “Gpg Tools is a Mac OS X graphical interface to the GNU Privacy Guard (GPG) utility. It provides approximately the functionality of the old PGP tools, and is freeware.”
Mac GNU Privacy Guard
This includes most of the programs that you will need.

Linux Privacy Tools

While there are several tools on the Linux side, KGPG is the easiest to get working, at least compared to the Gnome and KDE graphical user interfaces for Linux. Installing KGPG is straightforward, especially on Debian Linux distributions such as Edubuntu, SimplyMepis, and others. You can use the built-in, graphical Synaptic to get the program or at the command line, use Apt-Get (e.g. "apt-get install kgpg").

KGPG is a nice front-end to GPG, which is already installed on your Linux system. An easy start tutorial is available online. Unbelievably, KGPG is easier to get going than the MacGPG Tools mentioned earlier!

Discarding Computers: When Encryption isn't Enough

If you deal with confidential data on a regular basis, you might consider using a "Boot-n-Nuke" software program to completely wipe your hard drive. This is especially useful when discarding older computers. In this case, you may have an administrator computer that has housed documents containing sensitive data. Or, it may be one of your own computers. Either way, you need to wipe the hard drive completely.

The ultimate solution for erasing or wiping a hard drive may be a program known as Dban, or Darik's Boot-n-Nuke, which ensures all previous data is erased from the hard drive. According to their Web site, Darik's Boot-n-Nuke works for both Macintosh and Windows computers. It is a self-contained CD that securely "wipes the hard disks" and will do so "automatically." To get the boot CD, you will need to download an ISO file and create a CD from it. Not sure how to do this? Use the Terabyte Unlimited free BurnCDCC™ to make a CD from the ISO file. You’ll find the BurnCDCC link approximately halfway down the Terabyte Unlimited page.

Conclusion

While some see the use of encryption tools like those discussed in this article as the recourse of the paranoid, remember that identity theft is the fastest growing crime in the United States. If you are a victim of identity theft, you may spend an average of 607 hours and a thousand or more dollars in clearing your name. Make sure that your computer is not one of the sources of confidential information. Protecting yourself online is as much a digital literacy as being information literate. Pass it on!

Email: Miguel Guhlin

Sidebar #1:
Protecting Against Identity Theft

Take the following steps if you believe you have been the victim of identity theft.

1) Notify the Federal Trade Commission regarding the possibility of identity theft. After dialing (877) 438-4338 choose option #3 for specific advice on what to do next.

2) Place a Fraud Alert:
Contact one of the three major credit reporting agencies to complete an automated phone-in fraud alert process. When individuals place a free, seven year fraud alert, that agency will notify the other two agencies. Fraud alerts will then be placed automatically on the individual's accounts at all three agencies.

Contact information for the credit agencies:

Equifax — dial (800) 525-6285
Experian — dial (888) 397-3742; note that their fraud alert process is available online
TransUnion — dial (800) 680-7289

Once individuals receive their credit reports, they should review them for suspicious activity. If individuals see any accounts they did not open or incorrect personal information, contact the credit agency(s) or the individual's local law enforcement agency to file a report of identity theft.

3) Call the U.S. Social Security Administration at (800) 772-1213.

4) Password protect your bank accounts. Work with your bank to have them require the use of a password before any transactions — including withdrawals or deposits — can be made.

5) Take advantage of these resources for Identity Theft victims:

Better Business Bureau
Identity Theft Resource Center

Sidebar #2: Commercial Virtual Private Networks

School districts often use Virtual Private Networks (VPN) to encrypt transmission of confidential data between a staff member's home computer and work servers. But, what do you do while traveling? Without encrypted wireless, your data is sent "in the clear," lacking the encryption to protect it. This means that a wireless connection at a hotel, or at the local Starbucks, would allow others unauthorized access to your logins and passwords.
Fortunately, you can use free tools to "sniff" out how much private information you’re sending out on a network. For Mac OS X, try Ethernal 1.2, and for Windows or Linux, try Ethereal Network Protocol Analyzer.
Try the About.com site entitled Free Packet Sniffer Software for a slightly longer list.

HotSpot, a provider, defines a Virtual Private Network thus:

A virtual private network typically provides you with a private connection to your end destination. To do this a tunnel is created through an untrusted network (the Internet). Everything in the tunnel is encrypted on the way in and decrypted on the way out. It no longer matters that someone can sniff your packets. All they will see is an unreadable series of letters and numbers. Additionally, anyone snooping around on your connection will not be able to discern the final destination or the type (Web, Email, chat, streaming video) of service you are connected to.

Several commercial services provide VPN for you to use while in wireless environments, such as:

  1. HotSpot
    Although HotSpot has flexible pricing for heavy users, as well as infrequent travelers, cost is about $8.88 per month, for an annual cost of approximately $89.00. It is compatible with Windows and Mac systems.
  2. PublicVPN
    Supports Windows, Mac systems, but Linux users can also take advantage of this service. Cost is about $5.95 per month or $59.95 per year. Some report that it provides better service than HotSpot.