PC security, NSA-style: 7 tips from the spymasters
Was it really just a few months ago that your biggest computer-privacy concern was making sure your employer didn’t find the college photo of you sucking on a beer bong on your Facebook page? That seems cute now. With the recent revelations that the National Security Agency may have been involved in everything from spying on U.S. residents to cracking online encryption to collecting global financial data, computer privacy has taken on all the cloak-and-dagger intrigue of a John le Carré novel.
If you’re like most users, you take your privacy seriously. So we went right to the experts—the NSA itself—and pored over the agency’s security tips and recommendations for its Department of Defense and intelligence-community customers. From there, we identified seven measures that both consumers and small businesses can easily implement to protect themselves from hackers and cybercriminals—and perhaps even from the NSA.
Enable automatic software updates
It isn’t the coolest counterintelligence technique, but good security starts with the basics, and nothing is more basic than making sure that your operating system is up-to-date. So it’s no surprise that the NSA recommends enabling automatic updates in Windows.
Doing so is easy enough: First, simply navigate to System and Security from the Windows Control Panel. Click Turn automatic update on and off, and select Install updates automatically.
Encrypt your hard drive
Recommended in the NSA’s rundown of security highlights in Windows 7 (PDF), BitLocker encryption is built into the Enterprise and Ultimate versions of Windows 7, as well as the Pro and Enterprise versions of Windows 8. When enabled, BitLocker encrypts all of the data kept on a storage volume, and it continues working in the background to protect the contents of a Windows PC from unauthorized access.
BitLocker is an excellent first line of defense that takes just a few clicks to enable. However, if you’re concerned that the full-disk encryption technology may have been compromised by a backdoor deal with the NSA (there is no evidence of that, so far), you can find plenty of alternative methods to encrypt your data.
Tape over the webcam
Integrated webcams are great for video chats, but they’re also excellent tools for hackers to spy on users. And you would never know that you were being watched: Although the webcam indicator light is supposed to switch on when the camera activates, hackers have found ways to disable the light in certain laptop models.
According to the NSA, a simple, low-tech solution is to tape over your webcam—with black tape, naturally. If you’re worried that the sticky residue might damage the webcam, use tape to secure a small piece of paper over the lens.
Disable the built-in microphone
Just as your machine’s webcam can give hackers a window into your private world, your laptop’s built-in microphone—typically enabled by default—can fall prey to remote hijacking and allow snoops to eavesdrop on all conversations in its vicinity.
To ensure that no one can listen in on your home or office, launch the Sound applet from the Control Panel. Click the Recording tab, select your laptop’s built-in microphone, and disable it.
Of course, taking this step doesn’t prevent a malicious hacker who has already compromised your laptop from reenabling it. If you’re really paranoid, you can disable the built-in microphone permanently simply by poking it with the business end of a needle or paper clip. The espionage game has its casualties.
Disable unnecessary network services
Although it’s impossible to lock out hackers completely, you don’t have to make their task any easier. Start by disabling network-related protocols and services that you don’t use, as attackers and snoops could exploit them to access your files and devices. For small businesses, such services will likely include IPv6, Bluetooth wireless, or even Wi-Fi, if you’re primarily using deskbound laptops connected via ethernet. And if you don’t share file and printer resources on your PC, be sure to disable sharing for additional security—a step that Microsoft recommends, as well.
Harden your account settings
Spend a few minutes tweaking your Windows account settings. Few security measures offer so much protection for so little effort. A good first step is to disable any guest accounts that are present, ensuring that a password is set for each account, and disabling automatic login.
Next, enable a screensaver and set it to start with a reasonably short inactivity timeout of between 1 and 5 minutes. To do so, right-click the desktop, select Personalize from the menu, and click Screen Saver. Make sure to select the On resume, display logon screen checkbox. Obviously, you will need to have a password configured first for this step to work.
Finally, require that users reenter their system password if the PC has been inactive. Configure this option by clicking Power Options in the Control Panel and selecting Require a password on wakeup in the left column.
Don’t read email on an admin account
Web surfing on a user account with administrative rights is kind of like walking through a bad neighborhood with your house keys in one hand, your Social Security card in the other, and your ATM PIN written on your forehead. You’re offering up all kinds of sensitive personal information to eager takers.
Because of that risk, the usual advice is to avoid surfing the Web on an admin account to limit the damage if a zero-day exploit happens to compromise your account. Given the growing number of attacks launched via email messages, it’s a good idea to extend this precaution to your inbox by reading new email messages only on a nonadministrator account. This practice won’t protect you from phishing attempts that try to trick you into giving up your password, though, so be sure to stay on your guard against fake email messages, too.
While adhering to these tips will go a long way toward shielding you and your data from prying eyes, to secure your PC further be sure to check out our tips to avoid the most devious security traps, Prism surveillance, and watchers on the Web. We can’t promise that following these measures will make you spyproof, but you will certainly sleep better. Just remember to keep one eye open.