I already:
- Back up both my Mac and my PC to external hard drives.
- Do not use Find My Mac.
- Have separate, strong passwords on all my online accounts.
I am probably going to set up two-factor authentication on my Gmail account, because yeah it would absolutely suck if that got compromised. It is an archive of my digital life, with all kinds of records of banking transactions and statements, license keys for software, voice mail via Google Voice, as well as the traditional personal e-mail.
How does it affect IMAP connections and other applications that tie in to your Google account, because I use Thunderbird with it and have things like Picasa and the Gmail app for Android.
Edit: Nevermind. The video at
this link says everything that needs to be said. Sounds like a long, arduous process. I'll have to set aside some time this weekend to get all set up.
Edit 2: It is scary how effective social engineering attacks can be. When I worked in tech support for a large retail chain supporting the P.O.S. systems of the chain stores, we would occasionally get calls from people manning the stores (usually just one person manning a store at a time) asking: "Hey there is this guy here that says he needs to install our new credit card reader. I haven't heard anything about getting a new card reader, do you know anything about it?" To that we would reply, "No, we are not upgrading any card readers. Call the police immediately."
For each person that called asking this question, how many do you think
didn't call and instead told the guy to go ahead? I have no idea, but I bet it is at least 5:1 for the ratio of people that didn't call to the ratio that did. Keep in mind many of the people manning these stores were basically kids from 18-22.
And sometimes the lapses aren't just due to laziness or incompetence, but due to an improperly thought-out security policy for just one piece of a procedure. For instance, I discovered a security gap in how we were handling 3rd party vendor VPN accounts at my current employer. We would get requests to set up a VPN account for a vendor by someone from within the organization, and the request form is very specific in that it requests a start and end date that can't be 3 mos. apart and the specific systems the individual needs access to.
When we got the form, we would set up the access, then e-mail the vendor with their username and VPN profile. Then in a separate e-mail we'd send the password. I didn't like that and changed it so that in the e-mail with the username and VPN profile, it asked the individual to call to retrieve their password via telephone. But then I got to thinking, what does this really stop? If someone intercepted the e-mail, all they would have to do is call and say they are the person the e-mail was sent to and we'd provide the password and then they would have remote access into our network for up to 3 months.
I then changed this policy again so that we require the employee requesting access to provide the contact phone number for the vendor, and we only provide the password by calling that number and speaking to the individual. I'm sure there are still gaps in the process that could be exploited and that's just the thing... this is but one tiny part of our network security and it wasn't immediately obvious that there were gaps.
