Lessons from the alleged Schwarzenegger hack

There's been some discussion today of a possible hack of Governor Arnold Schwarzenegger's computer which resulted in a leak of tapes containing private conversations with his staff. This points to issues we've touched on in past blogs: Basically, data retention is an increasingly important reason for you to be concerned with the security of all your machines. This includes phones, printers, PDAs, laptops=85 anything where you keep information you wouldn't want posted on the internet, anything you wouldn't want to have to explain to your boss or your grandparents.

One part of protecting your data is maintaining the security of your machine: Make sure your machine is up to date with all the latest security patches for your OS and applications, make sure you have a firewall and an up-to-date antivirus program, and so on. If your machine is one which requires extra security due to having more sensitive data or because you or your company is higher-profile and more likely to be attacked, you need to be sure to take extra measures like using vulnerability assessment tools and/or intrusion prevention systems.

The other part of protecting your data is being aware of the recording of information that is inherent in typing things into your machine, whether it be things you type into your browser or say in an IM conversation or even recorded conversations. There are plenty of viruses which have been blamed for leaking documents on sensitive machines, this is not a new phenomenon. Hacking too, is nothing new. But as people conduct more of their lives through their computers, it becomes so ubiquitous that people cease to consider the implications of the medium.

Here are a few questions you can ask yourself to determine whether this is information you want to be typing:

1. Is this information going out securely?
2. Do I trust the security of the end-point?
3. Is this something that really needs to be said at all?

If this is, for instance, personally identifying information:
Have you verified that this a secure site? (Looking for the lock in your browser window, for example)
Have you verified that the site is what it says it is? (Logging in directly through your bank's main page, not following a link in email)
Do you really need to be giving out this information at all? (Verifying the reason this person or site is asking)

If this is something more seemingly innocuous like a conversation in IM, the last question becomes especially important. Typing something inflammatory in a chat window is a bit like passing notes in class – the information could be intercepted en route, it could be outright stolen, so the best tactic is just never to write the information down at all unless you want it shared. Then there's the issue of things like online journals or blogs – people so often post incredibly intimate details of their lives since the internet seems like such an incredible source of anonymity, but if word gets back to their employers, there can often be serious consequences.

This is not to say that people should never have private conversations over the internet, as it is a potentially incredible resource for connecting with other people or expressing yourself. The important thing to take away from this is to be conscious of your actions and interactions, as things written down (especially on electronic devices!) have a way of being rather more indelible.