Own your data!

There have been recent reports of permanent data loss for folks that kept their data on “the cloud”. As an IT professional, these are my recommendations:

Use a for-pay e-mail service that keeps your messages on a server and a local cached copy of all your data on your local PC or Mac. There are hosting companies that will manage Exchange servers on your behalf. You can connect to an Exchange server with Outlook from any PC. If you are away from your PC, you can still access your files from any web browser on any other PC or Mac with an Internet connection. For Mac users, you should look at MobileMe from Apple. Either one of those solutions allows you to have a local, cached copy of your e-mail AND your calendar and contacts. BTW, the mail, calendar, and address book applications that come with Mac’s latest OS (Snow Leopard) can talk natively to an Exchange server as well. An added bonus is that these setups will synchronize your data to your smartphone or iPhone as well.

Here is a good example of what can happen when you trust your data to a service provider: it has been reported that T-Mobile just lost all data for their Sidekick smart-phone users (contacts, calendars, pictures, …).

Keep local backups; do not rely exclusively on off-site backup services. An external hard disk drive and some backup software are cheap insurance against a major disaster. Back up stuff you cannot afford to lose on CDs or DVDs and keep those off-site.

Contact me for specific recommendations.


Free Personal E-mail Certificates from Thawte to end soon

Not too long ago, I recommended getting a free personal e-mail certificate from Thawte for e-mail security. It has now come to my attention that Thawte will stop offering Personal Email Certificates on November 16, 2009. This is now posted on the Thawte web-site. According to their web-site, Thawte is offering a free one-year VeriSign Email Certificate for each active Thawte Personal Email Certificate you own as of 24 September 2009. If I remember correctly those normally go for about $20 US.


Internet Security Sense for Mere Mortals

I was just interviewed by Lisa Diaz of iDiaz Marketing. The subject of the interview was: “Internet Security Sense for Mere Mortals”. The whole interview was conducted on-line using the “Tweeterview” service which uses the Twitter micro-blogging service. You can follow Lisa on Twitter at: @lisadiaz and you can follow me on Twitter @diazconsulting.

This was an interesting experience as each question and answer was limited to 140 characters. Here is a link to the actual transcript at tweeterview: http://www.tweeterview.com/published-tweeterview/4d544131

Here is a transcript of the interview.

LD: Hello, I’ll be interviewing Hector Diaz of Diaz Consulting.

LD: Hector will be telling us about how trust for e-commerce is established through passwords, digital certificates and encryption.

LD: He will also tell you how you can get a digital certificate to secure your e-mail.

LD: Hi Hector, can you tell us about your background?

  • I am an IT executive w/extensive experience running multiple data centers in international environments. That includes internet security.

LD: Where have you worked in the past?

  • 21 years at Hewlett-Packard/Agilent Technologies and most recently at CaridianBCT, a medical technology company.

LD: OK, so why is security important?

  • Trust is a necessary pillar for commerce and in particular electronic commerce. You have to trust the identity of the parties involved.

LD: Interesting. Any other thoughts on trust?

  • Yes, you must trust the transaction to be private, that is safe from prying eyes.

LD: Like credit card information?

  • Right, credit cards, bank account numbers, SSN numbers and other such data must be kept private and secure.

LD: How do you go about establishing trust? Can anyone do this or is it just for the big companies?

  • Basically by setting up the ability to conduct e-commerce that allows for authentication, privacy, and non-repudiation.
  • This applies to big companies, small companies, and you as an individual. I’ll explain shortly.

LD: Good! First, how do you define those terms you just used?

  • AUTHENTICATION is all about proving you are who you say you are. This applies to both vendors and customers.
  • PRIVACY has to do with keeping sensitive information (like credit card numbers) safe from prying eyes.
  • NON-REPUDIATION keeps buyers/sellers from lying about legitimately placed orders/shipments. An electronic fraud-prevention paper trail.

LD: About non-repudiation. Do you mean proving you really meant to purchase or transact?

  • Repudiate is to deny. A vendor should be protected from someone ordering goods and then refusing to pay claiming they did not place the or..

LD: OK, that helps. Thanks! So, how do you establish your identity on the web?

  • Web-sites use digital certificates to establish their on-line identities. They verify identities of individuals upon account creation.
  • Vendors buy digital certificates from companies like VeriSign. They provide a branding logo for your site.
  • Individuals “prove” their identity when they supply a password. They too can get for-pay digital certificates from VeriSign.
  • Free digital certificates are also available from companies like Thawte. They require showing an ID to a notary.

LD: I send emails and make purchases all the time. Why would you want to go through the trouble of doing that as a consumer or vendor?

  • W/ a digital certificate you can “sign” your e-mail to prove it actually came from you and was not forged (authentication, non repudia..
  • W/ a digital certificate you can encrypt your e-mail to keep it from prying eyes (privacy).
  • Modern e-mail clients like Outlook and Mac Mail allow you to use these certificates to secure your e-mail.

LD: So, if I want to send an email to someone with a password, I should consider this authentication system. Right?

  • Yes. I would use e-mail encryption to send someone a password in an e-mail.

LD: And if I’m not encrypting my e-mail, does that mean anyone can read it if they know how to hack my email?

  • In a nutshell, Yes. No hacking required. System administrators at any site your mail goes through can read your e-mail.
  • You should NEVER assume e-mail is private unless it is encrypted.

LD: So, to send encrypted emails, get that taken care of at a site called Thawte?

  • At Thawte you can get a digital certificate that will allow you to sign all your e-mails and encrypt e-mails to users who also have certs.

LD: Cool. What is the link to Thawte?

  • http://www.thawte.com/

LD: Thanks. One more question about purchases. Does that mean I need a digital certificate to buy with confidence or do e-banking?

  • No, those transactions are encrypted “on the fly” Look for a small padlock or other indicator on your browser.

LD: Thanks. So, the security takeaways here are: “thawte” for emails, “security lock” or “https” for purchases and “Verisign” for vendors. Is ..

LD: ..that accurate?

  • Yes. A small clarification, I’d say encryption for e-mail. In order to encrypt, you need a digital certificate. Thawte is a source for that

LD: Thanks for clarifying. And thank you for taking the time for this Tweeterview.

LD: This digest will be posted on the iDiaz Blog at http://www.idiaz.org/Blog/?p=96 and at the Diaz Consulting Blog at http://hdiaz.org/Blog.

LD: Thank you everyone! This concludes the Tweeterview.
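
The signing and encryption behaviour described in the interview, shown with the `openssl` command line as an added example (not part of the original post or the interview). The users alice and bob, the `example.test` addresses, the message text and the function names are all constructed, and throwaway self-signed certificates stand in for CA-issued e-mail certificates.

```shell
#!/usr/bin/env bash
# Constructed demo: names, addresses and the message are made up.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed cert standing in for a CA-issued e-mail certificate.
make_cert() {  # $1 = user name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1@example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sign with the sender's private key; the body stays readable (clear-signed).
sign_mail() {  # $1 = sender, $2 = input file, $3 = output file
  openssl smime -sign -text -in "$2" -out "$3" \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Check the signature against the sender's certificate; prints valid/INVALID.
verify_mail() {  # $1 = claimed sender, $2 = signed file
  if openssl smime -verify -in "$2" -CAfile "$WORK/$1.crt" \
       -out /dev/null 2>/dev/null
  then echo valid; else echo INVALID; fi
}

# Encrypt to the recipient's certificate: only their private key opens it.
encrypt_for() {  # $1 = recipient, $2 = input file, $3 = output file
  openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

# Try to decrypt as a given user; prints the plaintext or DENIED.
decrypt_as() {  # $1 = user, $2 = encrypted file
  openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" 2>/dev/null || echo DENIED
}

make_cert alice; make_cert bob
printf 'Pay invoice 1001 to account 12345\n' > "$WORK/msg.txt"

sign_mail alice "$WORK/msg.txt" "$WORK/signed.eml"
echo "as sent:     $(verify_mail alice "$WORK/signed.eml")"

# One digit changes in transit; the signature no longer matches the body.
sed 's/account 12345/account 99999/' "$WORK/signed.eml" > "$WORK/tampered.eml"
echo "tampered:    $(verify_mail alice "$WORK/tampered.eml")"

encrypt_for bob "$WORK/msg.txt" "$WORK/secret.eml"
echo "bob reads:   $(decrypt_as bob "$WORK/secret.eml")"
echo "alice reads: $(decrypt_as alice "$WORK/secret.eml")"
```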


Hector to be interviewed on E-mail Security

On Sunday 03 October, at 2:00 MST, I’ll be interviewed by Lisa Diaz of iDiaz Marketing. The subject of the interview is: “Internet Security Sense for Mere Mortals”. This interview will also serve as a test of the “Tweeterview” service which uses Twitter to conduct an on-line interview. Lisa will be asking me about e-mail security issues, and the actions everyday business people can take to be aware of and be more proactive about e-mail security. This interview does not guarantee e-mail security, but simply creates more awareness of the issue. I will post a link to the completed interview in post comments below.
