Keep your computer secure from hands-on access.
You can have the best security software. You can be the greatest at identifying and avoiding phishing and other attempts to trick you into downloading malware. You can have the greatest, strongest passwords, doubly secured with two-factor authentication....
... and it's all for naught the moment someone else gets their hands on your machine. Let's look at security options at home, out and about, and going over borders; the possibility of theft; and my suggestions for each of those scenarios.
Your computer's physical security
Protect your devices from a variety of physical threats.
- Encrypt your hard drive.
- Require a login to access the computer.
- Log out when stepping away.
- Keep your device with you whenever possible.
- Physically secure devices you need to leave somewhere.
And possibly take extra steps when travelling internationally.
The friends and family plan: at home
This scenario is familiar.
You feel safe at home, so you don't bother locking your computer or taking other security precautions. It's just you and people you trust, right? Whether it's a spouse, roommate, or a good friend over for dinner, there doesn't seem to be a reason to take special precautions.
That's exactly how I roll. If you walk into my home, there's a good chance you can walk into my office and start typing away at my desktop computer.
But I often hear from folks who shouldn't have felt so secure.
Be it a friend pulling a prank by taking a photo with your phone, a soon-to-be ex taking revenge on your online accounts, or a child just wanting to play with your shiny toy, unlimited access to the technology you have lying around isn't the most secure approach to take.
I'm fortunate in that I feel appropriately secure for my situation. What matters most is that I've thought about it rather than just assuming it's ok or not giving it any thought at all.
Usually folks who run into problems fall into the latter camp: having given little or no thought to whether they consider their home (or workplace) "safe".
I'll just be a second: out and about
I began writing this article in a local Starbucks -- a place most folks consider anything but a "secure" location. Using the coffee shop's Wi-Fi through a VPN, I secured my internet connection, and my laptop never left my sight.
The gentleman next to me, on the other hand, was working on something and then ... left. I didn't check to see if he was just picking up a refill or making room for more; the fact was he walked away from his open and running laptop (and a few other belongings). He returned after a couple of minutes and resumed his work.
I know if you hang out at your local coffee shop or Wi-Fi-enabled eatery often enough, it can feel like home. But it's not. You might assume that the other mobile techie nearby is a "friend" who'll monitor your things for a few seconds, but that's a terrible assumption. You might assume that as long as it's within eyesight, nothing bad will happen.
There are so many ways this can go wrong.
The most common result is theft. But walking away, even for a few seconds, opens the door to everything that unfettered access to your device allows.
Inspect this: borders
Depending on where you live, where you're going, and the current political climate, any devices you take with you crossing an international border may be subject to inspection. That inspection could require you to provide full access to the contents of the device.
This is actually quite controversial, particularly in the U.S., and there are arguments and assumptions on both sides of the issue. What's important here is to realize that:
- This could happen
- It involves full access
- It's subject to the laws of the country you are traveling to, which may be radically different from what you're used to.
It may be something most people needn't be too concerned about, but it's important to be aware of and consider this possibility before traveling.
Thieves? Yeah, but...
Many people consider theft to be the biggest thing to worry about.
If your data isn't backed up and would disappear along with your computer, that might be true. But if you've been backing up appropriately, theft is generally just an inconvenience and not a disaster.
It's my belief that most burglary and opportunistic theft is all about the hardware, not the data stored on it. Most thieves simply aren't that technically savvy and are more interested in turning a quick profit by selling the hardware. Unless someone has specifically targeted you, your data is probably not that interesting, and will probably never be noticed.
Of course, "probably" isn't never. You should still take precautions. When someone steals your equipment, they have everything on it. Depending on their level of expertise (or that of the person they sell it to), and the preparations you've made (or haven't), they could once again have access to everything.
I do take steps, some of which I'll outline below; and should anything ever be stolen, I'll be changing passwords, of course. It's just not the first thing I think of when securing my equipment.
Steps to take
For physical security, there are a variety of steps you can take, but the most important is simply to keep it in mind.
Encrypt, encrypt, encrypt
I'm a big fan of whole-disk encryption. I use it not only on any laptops I travel with but also on my desktop computer.
Think of whole-disk encryption as password-protecting everything. Without the correct password (be it a real password or your system log-in credentials) the information on your hard disk is inaccessible. Whoever has physical access to it simply can't get at anything. Period.
Particularly if theft is a genuine concern, such as when travelling, whole-disk encryption is the first step to keeping your information secure. Similarly, enable encryption on any mobile devices that support it.
Important: remember that if you can't log in to your own machine (or forget the password) you cannot access the data contained on the disk. It's critical you have a separate backup kept secure in some other fashion. Make sure also to take advantage of any backup options, like a recovery key offered by the encryption technology you use.
Log out
Yes, having to log in to your machine is an inconvenience. But by not having a login, you've made it trivial for anyone to walk up to your computer and access its contents, running or not.
Minimally, make sure a password is required to access your computer, and use a screen saver that also requires a password to regain access after some period of inactivity.
Similarly, make sure your mobile device has a PIN code.[1] Configure an appropriate time-out after which the device requires the code to access the device's contents.
For bonus points, consider getting into the habit of locking your computer or device when you walk away (keyboard shortcut: Windows key + L).
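One way to check the encryption and log-in settings described above on a Windows machine, as an added example that is not part of the original article. It assumes BitLocker is the disk encryption in use (VeraCrypt is not inspected) and uses a 10-minute idle limit as an assumed threshold.

```powershell
# Added example (not from the original article): read-only audit, changes nothing.
# Assumption: BitLocker is the encryption tool in use; VeraCrypt is not inspected.
# Run in an elevated PowerShell session; Get-BitLockerVolume needs administrator rights.

$maxIdleSeconds = 600   # assumed threshold; choose what suits your situation
$results = @()

# Encryption: each volume should be fully encrypted with protection on, and should
# have a recovery password so a forgotten login does not lock you out of your data.
foreach ($vol in Get-BitLockerVolume) {
    $hasRecovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
    $results += [pscustomobject]@{
        Check  = "Volume $($vol.MountPoint) encrypted and protected"
        Actual = "$($vol.VolumeStatus) / protection $($vol.ProtectionStatus)"
        Pass   = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    }
    $results += [pscustomobject]@{
        Check  = "Volume $($vol.MountPoint) has a recovery password"
        Actual = $hasRecovery
        Pass   = $hasRecovery
    }
}

# Screen lock: the current user's screen saver must be enabled, require a password
# on resume, and start within the threshold. The registry stores these values as
# strings, and they are missing if the screen saver was never configured.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = 0
[void][int]::TryParse([string]$desk.ScreenSaveTimeOut, [ref]$timeout)

$results += [pscustomobject]@{
    Check  = 'Screen saver enabled'
    Actual = $desk.ScreenSaveActive
    Pass   = ($desk.ScreenSaveActive -eq '1')
}
$results += [pscustomobject]@{
    Check  = 'Password required on resume'
    Actual = $desk.ScreenSaverIsSecure
    Pass   = ($desk.ScreenSaverIsSecure -eq '1')
}
$results += [pscustomobject]@{
    Check  = "Idle timeout between 1 and $maxIdleSeconds seconds"
    Actual = $timeout
    Pass   = ($timeout -gt 0) -and ($timeout -le $maxIdleSeconds)
}

$results | Format-Table -AutoSize -Wrap
```

Any row with `Pass` set to `False` is a setting to revisit. On machines managed by Group Policy, the policy values take precedence over the per-user settings read here.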
Take it with you when you pee
At the coffee shop, if I need to use the restroom, my laptop comes with me. I do not trust it away from my sight. Period. You wouldn't leave your phone sitting there when you walk away; don't leave your laptop either.
Honestly, even walking a couple of dozen feet away to get sweetener for my coffee makes me uncomfortable, even though the device is within eyesight.
This is true for any public place you take and use your devices, including airports, libraries, and schools. It even applies when at the home of your latest new acquaintance or friend of a friend. At a minimum, make sure the device is locked if you walk away.
Lock the doors
I hear fairly regularly from individuals who've had their information compromised by their roommates or roommates' friends. In situations like this, one of the most common solutions is to lock your device.
Not with software (though that's good too) -- with hardware.
Get a lock for the room containing your computer, or find some form of physical security to prevent access or theft.
Make plans for travel
Travel can be complex, depending on where you're going and what you need to take with you.
At one extreme, the Electronic Frontier Foundation has some ideas for individuals traveling internationally that could include traveling with only pristine devices that contain no sensitive data and relying on cloud access for the information you need.
At a more practical level, the single most important thing you can do is plan for your device(s) to be lost. Not only is losing a device when traveling frighteningly common, but preparing for the possibility also readies you for theft. Encrypting, backing up, logging out, and making a habit of all the items I've discussed above are key to traveling safely and keeping our digital lives secure.
Do this
There are times -- intentionally or otherwise -- where our devices will be out of our control and potentially even in someone else's hands. At those times, it's important to remember the most basic rule of all:
If it's not physically secure, it's not secure.
Footnotes & References
1: I prefer PINs over biometric authentication such as face or fingerprint recognition. There may be scenarios where you can be compelled to provide biometric information but cannot be compelled to provide a PIN.
You talk about “Encrypt, encrypt, encrypt.” Is it safe to use Veracrypt on an SSD drive? I’ve heard that encrypting an SSD drive can shorten the life of that type of drive. What is your take on that?
What shortens the life of an SSD drive is constantly writing to it. So yes, in that sense using anything on an SSD drive will shorten its life. However, the SSD drives that are being sold in computers now have such long lives that it is not much of an issue. A thumb drive is a different matter.
Encryption is fine. It adds only the initial encryption pass as a write operation, after that all the writes are normal (and encrypted).
I prefer BoxCryptor to Veracrypt for my cloud data for a couple of reasons. I encrypt all of the sensitive files I have on OneDrive. Using BoxCryptor only uploads and downloads changed files. With container encryption like VeraCrypt the whole container is uploaded and downloaded. BoxCryptor saves a lot of bandwidth. It might not be a significant savings, but this would also reduce the writes to your SSD.
https://askleo.com/boxcryptor_secure_your_data_in_the_cloud/
I use Veracrypt for my system drive whole disk encryption. I use a similar password for LastPass and Veracrypt. 12 random letters that I memorized and 2 different no longer existing phone numbers. The reason for that is I want a password that I won’t forget. Typing it in at least twice a day should make it stay even if my memory fades. I’ve known those phone numbers since I was a kid, so they should never fade from memory. LastPass handles all my other passwords which are unique.
I sometimes find myself thinking “This computer is safe. I’ve kept all my sensitive data elsewhere, and I’ve protected everything with good passwords, even a pre-boot fingerprint. It won’t do a thief any good.” Then I have to smack myself on the forehead and remind myself “The thief doesn’t know any of that. At the very worst, it’s worth a quick hundred or two.” Even if they don’t do any harm to my data or ID, it will mean hundreds of dollars and months of inconvenience and grief, not to mention the agony of thinking someone else can play in my life.
Leo’s right. Not even for a second.
A few years ago [quite a few, truth be told] I had to help a customer of mine [I manage a small internet provider] hack into her own computer. Her daughter’s ex-boyfriend had changed the login password. Now, of course, she would likely be out of luck.
One thing it’s important for people to realize when traveling internationally is that not all countries subscribe to the concept of innocent until proven guilty. That’s based in English common law. The more common situation is Napoleonic Law (Mexico and most Latin countries, and some European). Under Napoleonic Law, one is assumed guilty until proven innocent. This can be an inconvenience, or quite devastating.
Wasn’t quite finished, but my tablet thought I was.
One other important thing I wanted to add was that one needs to consider that not everything that is legal in the U.S. may be legal in other countries one is visiting. This could even include photos taken or information on the device, including what is written in email.
Hope this helps.
I don’t know where you got this idea that Napoleonic law means guilty until proven innocent, although it’s useful to remember that laws are not the same in other people’s countries.
The important thing to remember is: for all practical means, laws don’t apply when you’re a foreigner at a border point. The border agents have the power to refuse you entry no matter what, and to make your life miserable in the meantime, which could include many hours under police supervision before your being kicked out. Once you have been refused access to that country, there might be a big red check next to your name, which guarantees you enhanced attention if you ever try to re-enter some day.
This of course applies first and foremost to that large country with “English common law”, the United States. It also applies to Israel, which was the first, to my knowledge, to ask for social media handles at border points. But even if you’re an American citizen (or, worse, resident), you can be harassed at the border, required to give up user names or passwords, and upon refusal relieved of your devices (which could be held up for many months before being returned to you, after having been possibly hacked into).
In any case, you can be confident that any bad idea of this sort will quickly be picked up by many state authorities all over the world, regardless of “Napoleonic” or “English” past.
As for encryption, there are several countries in the world where refusing to provide a password when required to do so by police or court order is a crime. Currently, there is at least one person in the United States serving indefinite time in jail because of that. Great Britain has a similar law. You don’t even need to apply rubber hose in order to do rubber hose decryption nowadays.
https://en.wikipedia.org/wiki/Key_disclosure_law
I got fired from a job because I left my desk but didn’t secure my PC. Someone used it to send a Taliban joke – shortly after 911 – to 20 managers. I couldn’t prove it wasn’t me. Although I explained and apologized to the managers (they all forgave me), the company did not. To this day, I have no idea who did it although I have a suspect in mind. One can only hope that what goes around comes around.
G’day Leo,
Just heard on the news that some airlines will be introducing new security procedures with carry-on laptops/iPads etc. Seems some terrorists use them to plant bombs. Is this off topic? Well apparently they will be interfering with the security of the system, so just maybe they could cause damage to the OS or such. Don’t know how this will affect encryption.
I have 3 overseas trips from Australia this year during which I usually take a larger laptop but this year I’ve purchased a basic 11.6 inch tablet with only 32GB of internal memory and have supplemented this with a 64GB microSD card. These 2 areas of memory will hold OS and other applications including PortableApps.com which covers most of my roaming requirements.
Now back onto the subject of security, I’m also taking a 2TB external drive and on this have a backup of my OneDrive folders and a lot of other real private stuff that I will keep secure using a free version of Steganos Safe to have a well secured hidden folder on the 2TB drive.
When roaming to access WiFi I’m considering using the free version of TunnelBear VPN.
US citizens returning to the US are subject to having their devices held as long as ICE wants. This applies even to being within 50 miles of a border. Don’t take your devices with you unless you can do without them after coming home. It may be rare but I don’t trust homeland security. A little too authoritarian.
My laptops lock the screen when I close the lid and I have the screensaver on all my PCs configured to lock the screen after two minutes. When I walk away from either of my laptop PCs, I close the lid. If I forget to lock the screen on any of my PCs when I walk away, they lock on their own after two minutes.
I don’t travel much anymore so my laptops are used much as if they are desktop PCs. On the few occasions when one of them does go bye-bye with me, it is never out of reach – period. I think that most people are honest, but I don’t want to tempt those who are not.
Leo, you state “Important: remember that if you can’t log in to your own machine (or forget the password) you cannot access the data contained on the disk.” But my understanding was that your data and files can be accessed without logging into Windows, e.g., by booting to Ubuntu or another OS from external media and then accessing the internal hard drive. Not true?
Yes, you can use a live Linux disc or remove your HDD and place it in an HDD housing to access the files on it. That would work in most but not all cases, for example if the drive or the files were encrypted. I use Veracrypt whole disk encryption to protect my laptop against that.
Locking your laptop protects against someone walking up to your computer and accessing it. I thought of removing my Windows password because I have to log in to Veracrypt before logging into my computer and that means typing two passwords. But I thought about it and realized that without a Windows password, my computer wouldn’t be lockable when I step away.