How secure is my data?
10 November 2013
Firstly, the most likely attack vector is for someone to compromise the computer you're using with a virus, trojan or keystroke logger. These can be contracted through infected documents, websites and emails.
With a keystroke logger in place a hacker can easily access your password and other details.
Windows users are particularly vulnerable in this regard and should always have the latest anti-virus filters installed and regularly updated.
The next most common attack vector is for someone to find, guess or hack your password for a website or other online service. In recent years there have been a lot of cautionary tales of databases being hacked and thousands of passwords revealed.
If you use the same password for multiple services (email, Facebook, Twitter, other websites) then it only takes one of them to be compromised for someone to have access to all your accounts.
Even with just an email login or access to your mailbox someone can easily retrieve other passwords, unless the sites in question support Two-Factor Authentication.
With every request for a web page or file your browser and the web server have a conversation. If the item you've requested is secured with a password then you login details are also transmitted.
If the website is not using an SSL certificate (see below) then this information is transmitted unencrypted and could be vulnerable to interception. In practice this is unlikely, unless maybe you are using an unsecured Wi-fi network, but the possibility exists.
🔒 Secure (SSL) key
An SSL certificate enables the browser and web server to open an encrypted communication channel. All information sent to secure addresses or viewed on secure pages is protected from interception.
Your browser will indicate whether a page is secure by displaying a padlock. The page URL will also start with "https://" instead of the usual "http://".
Encrypted content is slower to download and can't normally be cached. For this reason only pages that display or accept sensitive information or require passwords are normally encrypted.
The cost of a standard SSL certificate can range from US$70/yr to $300/yr.
Data storage and backups
On our server we encrypt all user passwords using either APR1-MD5 or Blowfish encryption. Both are highly secure and difficult or impossible to crack in a reasonable time frame. Choosing a strong password is also recommended.
Our websites are secured by hardware and software firewalls as well as using reactive filters to block suspicious activity and login attempts. All remote communication with the servers uses secure protocols. It's unlikely that they can be compromised remotely.
All database backups are encrypted using a 4096-bit GPG encryption. Website files are also encrypted in a similar fashion for our cloud backups.
In a 'worst case' scenario we should be able to rebuild all websites and data at a new location within 24 hours.
Tips on staying secure
- secure your Windows computer with anti-virus software;
- try to avoid opening suspicions websites, emails or files;
- use strong passwords, and different ones for different services;
- don't write down your passwords where someone might find them, even in emails;
- be careful using public/open Wi-fi and other networks; and
- to be ultra-safe don't send private details by email or over other insecure channels.
Above all have a good backup system.