How I’d Hack Your Weak Passwords (onemansblog.com)

The author starts off with a list of the top ten passwords, and how he would go about finding the personal information needed. For example, number 1 is “Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)” and number 2 is “The last 4 digits of your social security number.”

The really interesting bits are when the author explains exactly how he would approach hacking your accounts, and how likely he would be to succeed. Unfortunately, the tools needed to engage in this kind of mischief are readily available and do not require great skill to employ.

Some key protection points include…

• Don’t use the same password for all of your online activities. Use different passwords for each site. That way, if your Facebook password is compromised, your Wachovia password is safe.
• Never use dictionary words, names, or other common passwords.
• Look for a trusted password management utility to help ease the pain of having a hundred different passwords.
• Your email is one of the most important and critical passwords—a criminal can use the “reset my password” feature on many shopping sites once they have access to your email account.

Take a look at the article and see if you can make some changes in the way you handle password security so that you don’t get hacked!

Imagine that you were to become temporarily incapacitated for whatever reason…

• Can a family member log in to your computer, as yourself, in order to access your files?
• Can your spouse access your online banking details so the bills can be paid?
• Can your family find your insurance information that you scanned and filed away?
• Is there someone who can log in to any online accounts that need care and feeding?

Not a pleasant subject, indeed, but one that worries me from time to time.

One way to address these needs is to keep all of your passwords and so forth in one special place, using a password safe application, and make sure someone else has the access code. For example, you can use a tool such as 1Password or SplashId to store hundreds of secret bits that you use all the time, and your family might need.

You might consider writing down the master passwords that control your life and sealing them in an envelope that you provide to a trusted family member. Since this is such a great security risk if found by the enemy, you might want to omit any identifying information from the note. Impress upon them the need to secure the document very well.

Perhaps you can choose the same master password with your spouse, with one relatively short password locking your computer and a long secure password locking your password safe application.

Regardless of how you address these issues, sit down with your better half (or trusted family member) and review where documents are and how to access them.

Apparently this is not the case

It seems that the TSA has leaked their official document of airport security guidelines. ABC News says Online Posting Reveals a “How To” for Terrorists to Get Through Airport Security

A Rookie Mistake

Look at the screenshot of the document at the top of this post. Even though a certain part of the document has been blacked out, it is possible to select the text and copy/paste to find out what is hidden behind the black text.

What kinds of things are listed in this document?

• Photographs of all kinds of official ID cards. Ever wondered what a U.S. Senator’s ID card looks like?
• Procedures for calibrating equipment, such as where guns should be hidden for the testing and such.
• Guidelines for who gets searched and who doesn’t.
• Guidelines for what objects get searched and which don’t.
• And much much more!

In other words, this was a most unfortunate event.

See for yourself—ABC News (and others) have posted the document with redactions removed.

Easy as Pie

Here’s a screenshot of the original document, opened in Adobe Acrobat Professional.

As you can see, it was a trivial matter to use the TouchUp Object tool to gently slide the black rectangle off of the secret stuff (I have blurred the text here, though you can read it from ABC News if you wish).

If you are working with confidential documents that could potentially cause disaster if leaked, please learn how to redact your documents correctly!

I was reading a post on a board I frequent where a person was describing exactly this kind of activity—removing sensitive information from PDF documents. Several suggestions were made, but one individual suggested opening the file in Acrobat Pro and replacing the sensitive text with good old Lorem Ipsum.

It was at that moment that I recalled a peculiar feature of the PDF file format: it is designed to support nondestructive updates, allowing people to make vast changes to a PDF document while still retaining the original document, fully intact. I did a few experiments and was surprised with the results.

A Brief Note on the PDF File Format

For the geeky types among us, one place to begin is this article:

Portable Document Format: An Introduction for Programmers

The key points to get out of the article is this: A PDF document is comprised of several distinct sections, a Header, a Body, an “xref” Table, and a Trailer. At the very end of the file you will find the character sequence %%EOF

The PDF standard was designed to allow multiple updates to a document, while retaining the original version. This is accomplished by appending anything new to the end of the document, after the original EOF tag. The document will now have two EOF tags: one indicating where the original document ended, and a new EOF tag indicating where the new changes end.

If we wish to revert PDF changes, it should be a simple matter of opening the PDF file in a binary editor, searching for the first EOF tag, and deleting everything following.

A Simple Experiment

Let’s start with a proper secret document containing missile plans…

Suppose we want to obscure some special information in paragraph 37. We can open the file in Acrobat Professional and use its text editing features to swap in the venerable Lorem Ipsum text.

Here’s what it looks like after the switch:

You can see here that the first seven lines of text starting on paragraph 37 have been replaced with appropriate unreadable text.

Now, open the new PDF file in a binary editor (since PDF files contain a mix of text and binary, the editor must be a binary editor).

Note the %%EOF character sequence embedded in the text. This is the first EOF tag, indicating where the original file ended. All we need to do is place the cursor to the right of the EOF and delete everything to the end of the file.

Once we have done so, it’s like magic:

The edits that replaced lines of paragraph 37 with gibberish have neatly been undone!

More Details

From the PDF Intro document linked earlier:

“The trailer, it turns out, plays an important role in the way PDF implements incremental updating. The key concept to understand here is that a PDF file is never overwritten, only added to. That goes for all portions of the PDF file – even the trailer itself, and the end-of-file marker. In other words, a multiply-updated PDF document may contain multiple trailers – and multiple end-of-file markers! (There may be numerous occurrences of %%EOF.) Each time the file is edited, an addendum is written to the tail of the file, consisting of the content objects that have changed, a new xref section, and a new trailer containing all the information that was in the previous trailer, as well as a /Prev key specifying the byte offset (from the beginning of the file) of the previous xref section. The cross-reference info will then be distributed across more than one xref section. To access all of the cross-references, the reader must walk the list of /Prev keys in all the trailers, in reverse order.

Space doesn’t permit a detailed exploration of updates here, but you can find several examples in Appendix A of the PDF 1.3 specification (available at http://partners.adobe.com/asn/developer).”

Summary

It is important to understand that the PDF standard allows for appended updates to files that leave the original document intact, regardless of how drastic the changes are. If you are intent on redacting text from PDF documents, do not depend on simply deleting the secrets using a PDF editor—you must use a proper redaction tool that addresses these issues correctly.

That said, I did some experimenting with a few utilities (Apple Preview, PDFpen, and Adobe Acrobat Pro) and found that some write the file from scratch each time, with no lingering cruft from former versions, while others respect the original intent of the PDF standard. This means that you can’t trust that older revisions are being retained in your file and you can’t trust that they aren’t.

Be conservative: use a redaction tool for secrecy and proper backups for versioning.

Their network security department very kindly (and politely) informed me that they had received a “cease and desist” order from a particular game publisher. They had included the game publisher’s email, complete with the incriminating evidence.

There it was: logs showing the MAC address of my cable modem being involved in suspicious BitTorrent activities.

Considering that at any time during the week there can be from two to six or seven different teenagers hanging out in my humble abode, carrying virus-ridden machines, the message was clear: I had to get serious about locking down network access

The Problem

I would have liked to have bought some net filtering software to slap on the offending machine and been done with it, however I knew that this was insufficient.

Even if this one event could be traced to a youthful source, a more ominous danger comes from the inevitable malware and viruses that teenagers collect on their machines as they swap cool stuff with their friends.

Complicating things, there are many devices on our home network: Besides their school laptops, the kids have video game consoles and one has an iPod touch, all with wifi access. Think about how many different gadgets are on your home network.

And shutting off access altogether was not an option—there is still schoolwork to be done!

The answer: A Private Network for the Kids

My solution was to put together an unusual network configuration using a second wireless router; I wanted the ability to manage every single kid-owned device at the flip of a switch, while leaving the grownups untouched.

I hooked the cable modem (red) to the main router, shown in green. I then plugged a second wireless router, shown in blue, into the first.

By doing this, you can see that there is one single wire connecting the entire blue network (the kids) to the green network. It was trivial to then configure the green router with appropriate access control and filtering for that one single device: the blue router.

Some quirky details

Home routers like these are, by default, configured with a NAT firewall. They work sort of like one-way mirrors: someone on the network can see out, but nobody can see in. As a result of this, the kids (blue devices) can see any device on the main router (green devices), such as our print server and the NAS device, but no one can see into the kids’ network.

As paradoxical as it seems, this is exactly what I wanted. By making the kids’ network a private network, it appears to the green router as a single device. When I am configuring access restrictions, I only need to control access for the blue router’s IP address or MAC address.

Many consumer-grade routers have flakey firmware that just doesn’t really behave well when you start doing things like turning on filtering for multiple machines. I simplified things by bringing down the number of controlled devices to one. In addition, if one were to try filtering on the IP addresses or MAC addresses of individual machines, this can be easily defeated by manually changing the IP address or MAC address. With my configuration, the MAC address being filtered is the blue router, locked away safely.

The Finer Points

If you want to set up a network like this, do the following:

• (Recommended) Reset the kids’ router. Hold the hard reset button on the router in while you turn on power; hold the button for 15 seconds or so.
• Hook the kids’ router up to a spare laptop using an Ethernet cable. (Turn off the wireless of the laptop for the time being).
• Use the laptop to navigate to the configuration web page (usually 192.168.1.1).
• Set the router’s own address to a different network from the main network, such as 192.168.2.1. This is critical.
• Configure the router’s gateway and DHCP server entries to all point to the main router (192.168.1.1). This tells the kids’ router to use the main router as a source for its DHCP lookups and such, rather than going to cable modem.
• Navigate to the configuration web page at the new address (192.168.2.1). You may need to close the browser and replug the Ethernet cable.
• Set up your wireless security for the kids however you like. Make sure to choose a different channel and SSID from your main router.
• Remove the laptop and plug the WAN port of the kids’ router into one of the LAN ports of the main router. Restart everything.
• Test both networks to make sure things work the way you think they should.
• (Optional) You might want to connect to the kids’ router and set it’s external IP address statically. Make sure that this is set to a number on the home network (e.g. 192.168.1.2).

Some notes:

• You can only maintain the kids’ router from a machine connected to the kids’ network; the home network cannot see the management screens. If you wish, you could enable remote management for the kids’ network only, since the main home router is still protecting the whole network from intruders.
• Computers on the kids’ network can see all devices, but they aren’t on the same network. This means that network printers and NAS devices are accessible, but you will have to attach to them using IP addresses. I was able to easily set up the machines on the 192.168.2.1 network to use a print server on 192.168.1.100.
• For machines that should have full access (a.k.a. yours), make sure that you either set the green network to be a higher priority or remove the blue network SSID entry altogether. I found out the hard way that my iMac would randomly pick the green or the blue depending on which one it saw first when it woke up.
• This does not wall off your main network; it simply provides a single point of control to the entire kids’ network. In other words, don’t depend on this setup to prevent malware on the kids machines from seeing your machine. You can, however, set up your PC to not trust the kids’ network.

Wireless Network Security

Regardless of how you set up your network, make sure you use at least WPA encryption (Never use WEP!). Make sure your passwords are solid.

Using DD-WRT on my new wireless router

In addition to the new network configuration, I went one step further and chose a main router that lends itself well to installation of open-source firmware. I ordered a Linksys WRT54GL from Amazon for a little over fifty bucks. I chose this one because, as a direct descendent of the venerable WRT54G, this router is very well suited for running alternative firmware such as DD-WRT, giving substantial control over things like, say, access control…

Within a half hour after my new router arrived, I had gone to the Supported Hardware page, obtained the latest build of DD-WRT, and replaced the Linksys firmware with the far-better open source code.

I won’t go into the specifics of installation here, but it isn’t very challenging. Check out the DD-WRT site for details.

Closing Thoughts

Make no mistake: we are responsible for whatever goes on our home networks. Just like your home telephone; if someone dials up some 900 number and rings up a thousand-dollar phone bill, the phone company won’t care a whit who did it, you will still pay. Likewise, regardless of who did the BitTorrent download, there is a certain degree of responsibility of the homeowner to lock down the network.

Another point: Without some degree of personal responsibility on the part of the kids in the house, this sort of activity would simply be an arms race of filtering and blocking versus hacking. My goal is to help keep the honest people honest and to make life more difficult for the viruses and malware.

Another issue altogether is the spam email that is carefully crafted to appear as if it has come from your bank, saying cheerfully “Your statement for May is available online, just click here to access!” … but whoever clicks will inevitably be providing their secrets to some ne’er-do-well in New Zealand who will promptly empty their accounts.

Here is a simple, quick, and free way to avoid phishing attacks as well as casual/accidental exposure to unwanted adult content.

OpenDNS

The service I am referring to is OpenDNS, a free domain name lookup service that you can use in lieu of your Internet Service Provider’s own DNS servers.

When your computer goes to a web site, the name of the web site must be converted to a numeric address, in much the same way that you use a telephone directory to look up a friend’s number.

This lookup service is typically provided by a server owned by your Internet Service Provider. The address to this server is automatically configured when your cable modem connects to the network the first time.

The way OpenDNS works is you change the Domain Name Server (DNS) setting in your router to now point to the OpenDNS servers instead of your ISP servers. By doing this, you have changed the default telephone directory used by your home network.

A Phone book with the Bad Numbers Missing

To take the phone book analogy further, imagine that in your new phone book, all of the phone numbers for shady businesses such as escort services and massage parlors have been replaced with a special number. When you dial that number, a pleasant older woman gives you a gentle scolding for trying to call such a business.

This is pretty much what happens with OpenDNS: when your browser asks for a page from www.naughtystuff.com, the OpenDNS server points you to a different place, a nice page from OpenDNS that says that the page is blocked and explains why.

One fix for your Entire Network

There are many options available for “net nanny” style software that can be installed on individual machines, such as the kids’ machine. These features are also embedded in modern versions of Windows and OS X. But, what about all of the little portable devices that find themselves into kids’ hands? How about their gaming consoles?

Since you configure OpenDNS at the network entry point to your home, the router, any device attached to your network is automatically covered.

Customizable Blocking

You can use OpenDNS without an account, just by pointing your router to their servers, but the real power comes when you register with them (for free) and make your own choices about what you want to see.

You can choose which parts of the Internet you don’t want to see using their online configuration tool. You can either use their “High/Moderate/Medium/Low/Minimal” options or you can pick and choose individual bits of stuff to allow or block.

Here’s a look at the categories available when you choose the custom blocking level:

Basic Setup (about 20 minutes)

• Configure your router to use the OpenDNS servers for DNS lookups.
• Create a free OpenDNS account.
• Install their small updater program on one machine on your network.
• Log in to your OpenDNS Dashboard on the web and configure your blocking settings to taste.

Why do you need the updater utility?

In order to provide the custom blocking, the OpenDNS servers need to know your main IP address assigned by your Internet Server Provider. The desktop utility simply informs OpenDNS of your new IP address if it ever changes.

What do users see if they go to a blocked page?

They see a page that indicates the site that was blocked, along with a short reason and a link they can click if they want access to the page. If they click that link and fill out the short form, you will get an email from OpenDNS with the user’s request.

The remainder of the “blocked” page is a search form with some sponsored links.

You can customize the message as well as the image shown on the web page. When someone reaches a blocked page in my network, they are greeted by a picture of our calico cat, Roxy.

Keeping the Honest People Honest

This approach to blocking unwanted web sites is not a complete solution for keeping your kids from where they shouldn’t go; it is more like a simple padlock: it keeps the honest people honest. A determined individual can easily get around this product using various techniques, but they have to make a conscious effort to do so.

The real strength of OpenDNS is that it helps avoid accidental exposure to unwanted web content and phishing sites.

Not everyone who works with documents in the home will run into this problem, but sooner or later you are probably going to find yourself in a situation where you would like to email someone a useful document that just happens to have your social security number embedded in it, or your full name and address, or some other info that you would rather keep private.

This process of editing documents to remove sensitive content is referred to as redaction—that’s the keyword you probably want to be searching for as you tip toe through Google for guidance.

In this article I discuss the obvious problems we face using the most naïve approach toward document redaction, and provide some resources for better options.

The only sure way

The only absolutely certain way of guaranteeing that you cut out secret information would be to print the document, physically cut out the bad bits, scan in the document, and send the scanned PDF to your colleague. This may seem a bit extreme, but if you were an anonymous tipster sending the media a document full of mob-related evidence, containing your name, you might go this route (You probably don’t want to send the email from your personal account. Try a throwaway email account at the library.)

Other options… Microsoft Word

Don’t even think about sending a raw MS Word document to your recipient. There’s loads of hidden stuff within those documents that you might forget. If you really must, you can look into some recommendations from Microsoft, and consider tools such as Microsoft’s free Office add-in for removing hidden data.

Danger lurking in PDF documents

Since my paperless life really revolves around PDF documents, this is the most likely kind of document that I would be sending via email. Unfortunately, PDF documents have even more hidden data within than MS Office documents. Many people have been burned when they tried simple attempts at obscuring parts of a PDF.

A Simple Demonstration

I started with a nice PDF of the Declaration of Independence.

Now, supposing that we needed to send this document to a colleague, but we must not reveal the name of the original signer, we might try opening up the PDF in our favorite PDF markup tool and slapping a big fat rectangle over the sensitive information.

Now, all is good. But the enemy is crafty and they exploit the huge flaw in our thinking: the information never left the document. All they need to do is copy and paste:

A quick copy/paste from the PDF viewer application to Microsoft Word lets the whole world see that John Hancock is to blame! Better let him know we slipped up so he can take appropriate actions.

This sounds trivial, right?

In February, the Associated Press was able to uncover the secret details of the Facebook/ConnectU settlement using this same technique.

Apparently, the U.S. military has been caught in the same trap.

Last year, Google founder Larry Page’s home address info was leaked in a similar fashion.

How about Scanned Documents?

Up to this point I was working with a document that had been printed to PDF, thereby preserving the document text perfectly.

What about a document that we scan in?

Here’s some honest-to-goodness missile plans…

This is an excerpt from a scanned copy of the U.S. patent for the venerable Sidewinder Missile, complete with a black square that I have added to obscure some special information.

As seen here, the copy/paste trick still worked.

But why does it still work? Because the document had OCR run on it in the past.

A brief look at Acrobat’s document inspector tool shows the hidden secrets:

All of the red text above is hidden text. The actual hidden text is displayed by itself in the box on the right side of the screen above. It isn’t very pretty, but it has all of the details.

Proper Redaction

If you are concerned about keeping your secrets secret, do a bit of research into the tools available. You want to be absolutely certain that you don’t pass along any more information than you intend to.

Adobe Acrobat Professional comes with tools to do just this, and I show their use here:

You can see that I have used a redaction tool to select scanned text. Acrobat is selecting the hidden text as well as the bitmap image of the page. Once I apply the redaction, you can see the result below:

Now when my enemy tries the old copy/paste trick, the stuff between 38 and said means is totally blank, as intended.

Summary

I covered a very simplistic form of redaction here as well as a very simple way of getting around someone’s naïve censoring. Don’t stop here. You should use your PDF editor to search the metadata and hidden text for any terms you don’t want made public. You may wish to strip all metadata from your documents.

This is a topic that has been covered in depth by many, particularly in the legal field. Here’s a few articles worth reading on the topic:

Control metadata in your legal documents (Microsoft)

Redaction and Metadata Removal eSeminar (Acrobat for Legal Professionals)

Redacting PDF files with Acrobat 8 (AcrobatUsers.com)

But what would you do?

Many of us have smartphones these days that hold substantial quantities and varieties of data. What happens to that data and how you replace it are two key questions to consider in the event that a mobile telephone is lost.

If you haven’t thought about it much before, why not take a few moments to consider the factors involved and any changes you might want to make to help minimize the stress from such an event.

What’s the problem?

There are really three basic areas of concern when you lose a portable phone:

• Someone else can make calls on your phone and bill them to you.
• You just lost all of your pictures, contacts, and text messages.
• Some bad dude has access to all of your pictures, contacts, and text messages.

Problem 1: Some Bad Dude has your Telephone
Most people take care of the first problem right away, and you should do so as well.

Take Immediate Action
You must contact your provider ASAP and let them know your phone was lost before some ne’er-do-well starts dialing up 900 numbers or making overseas calls to some see-no-evil third-world country that gladly charges you thousands of dollars per minute.

Even if you don’t have the provider’s number with you, it’s important enough to make a dash for the nearest computer to do a quick Google search. Call them up; it should be sufficient to give your name and mobile number.

Once you have reported the phone as lost or stolen, make sure you change the passwords for any email accounts you had configured on your phone. This will shut off any routes open to bad guys to send messages in your name.

Take Preventative Measures
There are a few measures that you can take up front while you still have your phone. Note that these all fall under the category of “closing the barn door after the animals have left,” so you want to do them before you lose your phone.

You can minimize the risk of costly bills ahead of time by asking your provider to block 900 number service and block overseas calls. Of course, when you are packing for your trip to Paris, you might want to call your cellular provider to let them know so that you don’t block yourself. 

In addition, many phones come with a “lock” option, where a PIN is required to unlock the device. I wouldn’t trust my Swiss bank account number to such a PIN, as there have been known bugs in these, but it’s better than nothing.

There exists a class of utilities for smartphones that allow you to remotely lock and erase your device. I used one of these utilities for a while when I was a Treo user, but it always seemed a little too quirky to depend on as my only defense.

You might consider handset insurance from your provider—for a few bucks a month, you can have your handset replaced if it is lost, stolen, or destroyed. Make sure you read the restrictions first!

Problem 2: You lost your Data
Have you ever considered what kind of data you would lose if the phone were lost?

Here’s a short list of possibilities:

• All of your contacts
• Pictures you took with the camera
• Calendar events
• Text messages
• Email messages
• Music
• Software
• Special notes (A shopping list? A list of passwords?)

Synchronize with your Desktop
Many phones come with desktop synchronization software that can be used to protect you to some extent. For example, the iPhone synchronizes with iTunes whenever you plug it in, and in the process the contacts and photos are copied between desktop and phone (only if you have this enabled, of course).

This kind of synchronization is pretty good, but it is implemented imperfectly for many devices, and it does you no good if the only time you synchronized was when you bought the phone.

Worse still, many phones don’t provide software data utilities out of the box. When my wife purchased a Motorola Razr 2, I was disappointed to find out that Motorola phones require a software package called Motorola Phone Tools which costs $35.

Take some moments and consider how many contacts you carry with you on your telephone. If it is a couple dozen, you can probably just keep a list on your desktop machine and keep them both up to date.
But once you get into the realm of hundreds of contacts, you have no choice: to avoid a catastrophic loss of your social sphere, you had better back up that list somewhere.

Consider the impact of losing Text messages and Email
Think about the text messages and email on your phone: would you shed a tear if you lost these? I couldn’t care a lick about losing old text messages, since I use SMS strictly for need-to-know-now information that loses relevance quickly. I imagine that folks who buy the “unlimited text message” option may have some special ones that they don’t want to lose.

With a bit of luck, and planning, you might be able to keep from losing important emails. One option is to use the mobile web versions of various online email services to handle your mail. This way, you never have any messages on your device.

I like Gmail because they offer a free service called IMAP email, where your emails are retained on their servers and your device simply shows what is available on the servers, kind of like webmail, but nicer.

Get to know what your device supports and what services are out there.

Google Sync to the Rescue!
For the smartphone set, Google recently introduced a great calendar/contact syncing service, where you can set your phone to connect to your Google Calendars via a new tool called Google Sync for your Mobile Phone.

The screenshot on the right shows the phones that they support as of the time of this writing.

By using Google Sync, you can manage your contacts online or on your phone, and the changes are immediately mirrored.

Problem 3: Bad Dudes have your Data
I don’t even want to consider the possibility of some creepy dude sifting through my contacts, looking at the pictures that I have carefully added, choosing people to stalk, and then going to their homes to slit their throats in their sleep.

Wow, what a horrible thought!

The reality is, that’s probably not going to happen. The odds of your lost or stolen phone ending up in the hands of a serial killer are in your favor.

But a thief sure can have fun with your data!

• Do you keep any of your sensitive personal data in notes?
• Perhaps you have one note where you keep passwords for your online banking site?
• Can a villain gain anything by sending text messages in your name?
• Are your email messages all locally stored on the phone?

Protect your Secrets
If you are like me, you have tons of passwords and secret things that you can’t possibly remember. In my opinion, one of the essential applications for a portable device is a Password Manager application.

These applications provide a simple list of sites and passwords, protected by strong encryption. You provide a single main password to access the data within.

I have used two, and they are both excellent applications: SplashID and 1Password. There are others out there.

Recognize the Danger of Email in Enemy Hands
If you used the same email account for registering for any online services, then it is paramount that you prevent the bad guys from accessing your email. All a thief has to do is go to your online shopping sites and say “I forgot my password” and they will kindly send the password to the phone, in the hands of the enemy.

You would think that as soon as your provider blacklists the phone, nobody should be able to use its email; however, if your phone is Wi-Fi enabled, or if someone slips in a different SIM card, it is conceivable that the email client of the phone can still access your email service. 

Use IMAP Email or Webmail
If you use IMAP access to your email and contacts, such as with the Gmail IMAP and Google Sync options discussed earlier, you can very easily limit the access anyone has to existing data by changing your email password. Once your Gmail password has been changed, your purloined device will no longer be able to access your email.

It goes without saying that if you are using webmail alone, as soon as you change the email password, the bad guys have zero access to your existing email, but you most likely still have contacts on your phone.

It’s worth experimenting a little to see exactly what the “user experience” would be for a thief if you were to change your password.

Summary
Losing a cellular phone can possibly be an expensive proposition, especially if you are not aware of the factors involved.

Ask yourself “What could I lose without being sad about it?”

Ask yourself “What is the worst thing somebody could accomplish with my data?”

Weigh the risks carefully and take any action that you feel is sufficient, and sustainable, on your part.

A list of several useful hardware and software tools with which to arm yourself before you attack the file cabinet.

When I first became interested in woodworking, I checked out several books on the subject from the library. Invariably, within the first two or three chapters, there was an illustrated list of desirable hand tools for a woodworker’s workbench.

No one ever actually goes out and buys everything shown on those pages; they start with the essentials and build up a collection over time. And so it is with this list I give you of useful tools of the trade.

Staple Remover

Such a simple little device, but so important. My wife staples everything together, then she hands me a stack of old bills to be scanned in, complete with staples.

Don’t bother with those ones that have jaws. Get one of the stick kind, like this one.

Paper Cutter

I wouldn’t buy one unless I had lots of manuals and such to scan, but this is a device that can really speed things up. Just remove the staples from the spine and then start chopping through the centers of the pages, in small stacks.

If you have too much work for a paper cutter, you can always take the manuals/magazines to a professional office center and have them do the job.

Paper shredder

It’s a sad commentary on modern times that most people these days have a paper shredder in the house. Yours should be strong enough to do the job without overheating and should chop the paper into proper tiny bits.

Flatbed Scanner

This is where everyone starts. Nobody goes out and buys a sheet-fed scanner as their first scanner; the price is often prohibitive, and the devices are very task-specific.

Even if you have invested in a sheet-fed scanner, it is good to keep a flatbed scanner around to scan in things such as hard book covers or pages that you don’t want to remove from a book.

Sheet-fed Scanner

The most important part of a serious document scanning exercise.

The ability to scan in twenty or thirty pages in a minute, both sides, makes this expensive device stand head and shoulders above all flatbed scanners.

I use the Fujitsu ScanSnap S510M.

You might want to check out Terry White’s Tech Blog’s comparison of the NeatReceipts, ScanSnap S300, and ScanSnap S510M. He did a great video showing the three in operation.

OCR software

Without OCR software, your documents are not searchable. Fortunately, most scanners come bundled with some kind of OCR software. Mine came with both Abbyy FineReader as well as Adobe Acrobat Professional 8.

External backup drive

So important. Your data has to be in two places.

Backup software

Sure, you can manually copy files from your desktop to the backup drive, and I did this for a long time. It’s better to automate this process.

Backup software helps prevent accidental erasure of either the source or the target data, and it helps you perform the backups regularly and painlessly.

I personally use rsync scripts to do the job, though this may be a bit too geeky for some. Many external hard drives come bundled with quality utilities. You can even consider using online backups such as Mozy or Carbonite.

PDF editing software

A definite plus once you begin scanning larger documents. You want to be able to merge documents, rotate pages, and move pages around with ease.

For example, I just finished scanning in a tri-fold owner’s manual that I cut on the folds. The first sheet had page 1 and 6 on it, the middle sheet had page 2 and 5 on it, and the last sheet had page 3 and 4 on it.

When the document went through the scanner, I had a PDF with 1,6,2,5,3,4 page order. It was a breeze to drag the pages into the correct order.

I use the Preview app from Mac OS X for this. Adobe Acrobat does the job quite nicely as well.

Document Management software

This is the repository where you keep your documents. I have mixed feelings about document management software.

On the one hand, these products are very good at what they do and they certainly make it easier to organize documents.

On the other hand, as soon as you commit yourself to one document management tool, it is difficult to migrate your collection to a new tool, should you need to switch in the future.

That said, I use a tool called Yep for this purpose. One of the other major players out there is DEVONthink.

Keyboard macro software

I find myself doing certain repetitive tasks from time to time that require multiple clicks or keystrokes. For example, when I am reviewing a scanned document, I scroll through the document looking for pages that were accidentally rotated 90 or 180 degrees by the scanning software.

The tool I use for previewing and editing (the Preview app from Mac OS X) supports rotating single pages, but it asks you each time “Do you want to rotate the current page only or the entire document?”

After tiring of clicking through that question every time, I used my macro software to write three keyboard macros, and I assigned them to ⌘-Left, ⌘-Right, and ⌘-Up, for Rotate Left, Rotate Right, and Rotate 180. Now I can quickly browse through a document, flipping and rotating any pages that need it.

I use Keyboard Maestro for this job.

File management utilities

As soon as you start juggling hundreds of files around and renaming them and moving them into different folders, you find yourself performing certain repetitive tasks, that can often be made easier by software.

I use a tool called A Better File Renamer for the Mac that allows me to rename large numbers of files, following dozens of customizable rules. This tool allows you to package renaming scripts into a “droplet” on the desktop, where you can drop files.

One of my droplets adds the file creation date to the filename as a prefix. Another droplet converts filenames with embedded dashes and underscores into “title case” names with spaces.

I recently bought a folder management utility called The Big Mean Folder Machine that allows easy creation of folder hierarchies, such as by automatically splitting files into groups of 100. I haven’t used it much yet, but I sure love the icon!

Encryption utility

Gotta have it if you are putting your intimate personal information into digital form. Anything with your SSN or your credit card numbers should be protected. Remember, even if it’s on your home desktop machine, a burglar would take the whole machine, and happily sift through your personal data looking for info that could be stolen.

For some things I use encrypted volumes on Mac OS X; for others, I use TrueCrypt.

Assortment of Thumb Drives

What better way to move your digital documents around? They don’t even need to be that large. Cheap throwaway thumb drives these days have the capacity to hold a lifetime of digital documents. But make sure you protect sensitive data!

[Update: Added a link to Terry White's scanner review]

Those tiny USB drives we so casually toss about are convenient and easy to lose. Here’s some thoughts on making sure you don’t lose your secrets to strangers.

While my family was on vacation over the holidays, I managed to calmly back our rental car into a concrete column in a parking garage, denting the rear bumper. Today, I finally got around to sifting through the documents I will need to provide for the insurance claim.

They need printouts, so I put copies of the nine different PDF documents onto a spare thumb drive I found kicking around somewhere in the desk drawer, ready to take to work tomorrow to print out on a nice printer.

I then realized that these PDF documents contain personal information that I did not want made public, for example, a copy of the credit card billing statement for the rental. No problem—I had the right tool ready for the job.

Many people store large quantities of confidential information on thumb drives—this article is not for them. In all likelihood, those folks are already using some encryption software that came with the thumb drive.

This article is aimed at the average person who just needs to cart around a couple of sensitive documents once in a while or perhaps wants to send a little bundle of secrecy to a friend via e-mail.

TrueCrypt

Of many options available, one of my favorites is TrueCrypt. This free open-source application allows you to create secure encrypted “disk image” files that you can then open up just like any other external drive.

TrueCrypt supports Windows Vista/XP/2000, Mac OS X, and Linux.

As a quick demonstration of flexibility, I made a small encrypted disk image called Mustang on my Mac. After creating the disk image, I mounted it and dropped in a couple of super-secret files.

You can see the Mustang file in the top right, with the mounted SUPERSECRET drive directly below it. And below that is the contents of SUPERSECRET—a couple of Word documents.

Then I unmounted the drive and took the super-duper encrypted Mustang file over to a Windows XP machine.

There, I used an XP version of TrueCrypt to mount the encrypted volume.

You can see here that I was able to successfully mount Mustang as Local Disk (E:), and my two word documents are found within, along with a little bit of Macintosh cruft.

For the whole story on how to create encrypted disk image files using TrueCrypt, check out this article:

Create Secure Storage Space on a USB Flash Drive with TrueCrypt

Final Thoughts

Take advantage of a powerful encryption tool such as TrueCrypt to create small totally portable files that can be used as containers for protected documents. Keep in mind that this is one of several free or low-cost options available for encryption. Pick one and use it.

The TrueCrypt utility is able to do far greater things than I even hinted about here; this is just the tip of the iceberg. But it sure is easy to get started by making these small encrypted disk images.

I have the confident assurance that if I copy the Mustang file onto a thumb drive and then toss it on the floor in the local mall, I have nothing to fear—my personal information is safe.