<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Chameleon Associates Blog &#187; Security Technology</title>
	<atom:link href="http://chameleonassociates.com/blog/category/security-technology/feed/" rel="self" type="application/rss+xml" />
	<link>http://chameleonassociates.com/blog</link>
	<description>Security Consulting &#38; Security Training</description>
	<lastBuildDate>Wed, 01 Feb 2012 02:11:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>Mighty Mouse to the Rescue</title>
		<link>http://chameleonassociates.com/blog/2011/02/mighty-mouse-to-the-rescue/</link>
		<comments>http://chameleonassociates.com/blog/2011/02/mighty-mouse-to-the-rescue/#comments</comments>
		<pubDate>Tue, 22 Feb 2011 02:12:34 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Aviation Security]]></category>
		<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=1569</guid>
		<description><![CDATA[Our enemies are increasingly unconventional and so too must be our defenses against them.  I praise those strategists and researchers who look outside of the box for answers.  Well, technically in this instance they are looking inside the box &#8230;  see video below.  It looks like a regular sniffer, right?  Actually, the box houses a [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2011/02/Mighty-Mouse.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2011%2F02%2FMighty-Mouse.jpg','Mighty+Mouse')"><img class="alignleft size-full wp-image-1570" title="Mighty Mouse" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2011/02/Mighty-Mouse.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2011%2F02%2FMighty-Mouse.jpg','Mighty+Mouse')" alt="" width="121" height="102" /></a>Our enemies are increasingly unconventional and so too must be our defenses against them.  I praise those strategists and researchers who look outside of the box for answers.  Well, technically in this instance they are looking <span style="text-decoration: underline;">inside</span> the box &#8230;  see video below.  It looks like a regular sniffer, right?  Actually, the box houses a team of trained mice who trip the alarm when they encounter the scent of explosives.  For the sake of accuracy, more than one mouse must agree before it alarms.  Who knew that mice noses are even more sensitive than man’s best friend?  A mouse has 1,120 olfactory receptor genes versus</p>
<p><span id="more-1569"></span> a mere 756 for a dog.  The sniffer mice work in two to four hour shifts and retire from the job after 18 months.  Unlike dogs, they do not require a human escort to do the work and function autonomously.</p>
<p>Like any technology, the sniffing mice should be but one component of a larger security system.  I never thought I would be saying this but I for one would rather be sniffed by a mouse (!) than x-rayed or body searched.</p>
<p>But, can these rodents really compete?  In a system test at a large retail mall, 1,000 shoppers passed through the mouse system.  Of the 22 people who were carrying explosives, the mice identified 22.  Mighty accurate, Mighty Mouse.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="320" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="src" value="http://www.youtube.com/v/GsIJXEfd8v8&amp;hl=en_US&amp;feature=player_embedded&amp;version=3" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="320" src="http://www.youtube.com/v/GsIJXEfd8v8&amp;hl=en_US&amp;feature=player_embedded&amp;version=3" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2011/02/mighty-mouse-to-the-rescue/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Security Stimulus &#8211; Response</title>
		<link>http://chameleonassociates.com/blog/2010/12/security-stimulus-response/</link>
		<comments>http://chameleonassociates.com/blog/2010/12/security-stimulus-response/#comments</comments>
		<pubDate>Tue, 07 Dec 2010 01:36:06 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=1434</guid>
		<description><![CDATA[Not all technology is equal in terms of its effective application to a given security challenge, and no one technology offers an ultimate solution to our terrorism woes.  Many travelers protest having to pass through the airport back scatter scanners.  I personally object for a variety of reasons but my main issue with the scanner [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/12/mind-reader.bmp" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F12%2Fmind-reader.bmp','mind+reader')"><img class="alignleft size-full wp-image-1441" title="mind reader" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/12/mind-reader.bmp" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F12%2Fmind-reader.bmp','mind+reader')" alt="" width="126" height="93" /></a>Not all technology is equal in terms of its effective application to a given security challenge, and no one technology offers an ultimate solution to our terrorism woes.  Many travelers protest having to pass through the airport back scatter scanners.  I personally object for a variety of reasons but my main issue with the scanner isn’t an invasion of privacy but the approach of trying to scan everyone.  Randomly.</p>
<p>WeCu Technologies – an Israeli startup – has developed a biometric scanning system that looks for those individuals who react to stimuli that are associated with &#8211; for example &#8211; a potential terrorist threat.  The scan itself takes between 15 and 30 seconds and is basically non intrusive.  The system tracks heart rate, stress level, sweating, eye movement and other facial expressions in response to images or language displayed on a screen.  The idea is that a person will have an emotional or cognitive response when exposed to stimuli that are associated with a topic or deed with which that person is familiar.  So if they flashed a picture of my ex boyfriend, an alleged Mafia hit man wanted by the FBI, I would most likely have a very different cognitive and emotional response to seeing that image than would anyone else around me.  Likewise, a terrorist seeing a Jihadist favored phrase from the Koran.</p>
<p><span id="more-1434"></span>At least with this kind of biometric technology (DHS is working on a similar biometric solution), individuals are being screened in a <strong>context</strong> based on their connection to <strong>threat</strong>.  Now our system in the U.S. involves screeners rummaging through our underwear for a bomb because a would-be terrorist tried that hiding place last December.  Much better to also be thinking about the terrorists’ next moves, rather than only their last ones.  All viable technologies and methods should be applied in an effort to keep us several steps ahead of our enemy.  The more contingencies the enemy is forced to deal with, the better.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/12/security-stimulus-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stuck with Stuxnet</title>
		<link>http://chameleonassociates.com/blog/2010/09/stuck-with-stuxnet/</link>
		<comments>http://chameleonassociates.com/blog/2010/09/stuck-with-stuxnet/#comments</comments>
		<pubDate>Tue, 28 Sep 2010 00:38:45 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=1323</guid>
		<description><![CDATA[The Stuxnet worm was first identified back in January 2010. This weekend, Iran admitted that at this point, over 30,000 of its Windows PCs have been infected, prompting renewed speculation about the worm’s purpose. Stuxnet has been called the most sophisticated malware yet created. Unlike your typical worm or virus designed for financial gain, this [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/09/Bushehr-plant1.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F09%2FBushehr-plant1.jpg','Bushehr+Nuclear+Plant')"><img class="alignleft size-thumbnail wp-image-1327" title="Bushehr Nuclear Plant" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/09/Bushehr-plant1-150x150.jpg" alt="" width="102" height="103" /></a><br />
The Stuxnet worm was first identified back in January 2010. This weekend, Iran admitted that at this point, over 30,000 of its Windows PCs have been infected, prompting renewed speculation about the worm’s purpose.</p>
<p>Stuxnet has been called the most sophisticated malware yet created. Unlike your typical worm or virus designed for financial gain, this one targets infrastructure &#8211; specifically, industrial control systems that manage and monitor machinery in power plants, factories, military installations and the like. Interesting characteristics of the worm’s design included its use of stolen, legitimate security certificates and taking advantage of four previously unknown vulnerabilities in Windows. Recently another element of Stuxnet has been identified. It seems able to reinfect a PC even after it has been scrubbed by [geek alert] injecting a malicious DLL into every Step 7 project (a standard software package used for configuring and programming SIMATIC programmable logic controllers) on a compromised PC.</p>
<p><span id="more-1323"></span>Iran was the hardest hit (60%) by the virus, with India and Indonesia following, a fact which led to speculation that an Iranian nuclear power plant was its primary target. Indeed, the worm was initially uncovered by a security company in Belarus that was working for an Iranian client during a period when the Bushehr Plant was out of commission for several months. Iranian officials denied that SCADA was affected at the Bushehr Plant. The worm is designed to specifically target Siemens systems which are not used at that plant.</p>
<p>Experts claim the worm appears to have been designed to get the job done quickly, but not necessarily quietly, as though it were more important to get it out there and working than to cover tracks. Given its level of refinement, many experts conclude that it is the product of a Nation/State and not an individual. Speculation on the origins and authors of the malware abounds. No doubt, Stuxnet will be fodder for continued conjecture and digging for some time to come.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="273" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="flashvars" value="file=http%3A%2F%2Fvid697.photobucket.com%2Falbums%2Fvv334%2FChameleonAssociates%2FStuxnetVideo.mp4" /><param name="src" value="http://static.photobucket.com/player.swf" /><param name="wmode" value="transparent" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="550" height="273" src="http://static.photobucket.com/player.swf" allowfullscreen="true" wmode="transparent" flashvars="file=http%3A%2F%2Fvid697.photobucket.com%2Falbums%2Fvv334%2FChameleonAssociates%2FStuxnetVideo.mp4"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/09/stuck-with-stuxnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Think Twice</title>
		<link>http://chameleonassociates.com/blog/2010/08/think-twice/</link>
		<comments>http://chameleonassociates.com/blog/2010/08/think-twice/#comments</comments>
		<pubDate>Mon, 23 Aug 2010 23:27:56 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=1291</guid>
		<description><![CDATA[Facebook has been plagued with another viral scam &#8211; the false “dislike” button.  Of course the irony is that many Facebook users have been asking for such a button, to complement the existing, legitimate “like” button.  Apparently Facebook users want to be able to criticize as well as show encouragement for user posts.  This demand was [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/08/facebook-dislike-button.bmp" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F08%2Ffacebook-dislike-button.bmp','facebook+dislike+button')"><img class="alignleft size-full wp-image-1292" title="facebook dislike button" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/08/facebook-dislike-button.bmp" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F08%2Ffacebook-dislike-button.bmp','facebook+dislike+button')" alt="" width="90" height="79" /></a>Facebook has been plagued with another viral scam &#8211; the false “dislike” button.  Of course the irony is that many Facebook users have been asking for such a button, to complement the existing, legitimate “like” button.  Apparently Facebook users want to be able to criticize as well as show encouragement for user posts.  This demand was taken advantage of by scammers who offered up a malicious, faux dislike button installation that, once it obtains access to the user’s profile, posts spam from the user’s account.</p>
<p>On top of this, the world is speeding up.  We are impatient and accept nothing less than instant.  According to a recent survey, it seems that college kids are finding email “too slow” and instead are opting for IM or SMS.  (SMS is winning the pack; it integrates with social networks and interacts over multiple platforms.)</p>
<p><span id="more-1291"></span>The combination of our impatience and dependence concerns me.  When we move too fast we tend to miss things, our awareness is down.  Dependence is another state of mind that also fogs up our thinking.  It makes for fertile ground and statistics show that the scams are outrunning us.  We are all clicking and sharing and up and downloading with great abandon.  For individual users, and depending on the situation, the worst case scenarios are pretty unpleasant: disruption of communication, identity fraud which could lead to fiscal fraud, social embarrassment.  I am getting the impression that as technology advances, our privacy is even less assured because the distance between malicious idea and defense against it is getting shorter.</p>
<p>We automatically and rapidly share and accept online communication and personal information on social networks, such as Facebook.  The line between what is public and private is diminishing.  Perhaps some people don’t consider that they have lost control of their data.  But once a photo, message or video is uploaded, you don’t know where it goes and can’t take it back.  Erasing your social identity is, basically, impossible.  Google security advises to watch out for suspicious links.  I agree but would also recommend, in general, to think twice before you hit ‘enter’.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/08/think-twice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phone Affairs</title>
		<link>http://chameleonassociates.com/blog/2010/06/phone-affairs/</link>
		<comments>http://chameleonassociates.com/blog/2010/06/phone-affairs/#comments</comments>
		<pubDate>Tue, 08 Jun 2010 21:53:01 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=1097</guid>
		<description><![CDATA[I cannot live without my smart phone.  Take my car.  My cat (sorry Fluffy).  Just not the phone.  I use it for email both work and personal.  It houses not only all my contacts but all kinds of useful information in the form of notes and calendar appointments and to do lists.  I check my [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/06/I-love-my-smart-phone1.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F06%2FI-love-my-smart-phone1.jpg','I+love+my+smart+phone')"><img class="alignleft size-thumbnail wp-image-1103" title="I love my smart phone" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/06/I-love-my-smart-phone1-150x150.jpg" alt="" width="137" height="131" /></a>I cannot live without my smart phone.  Take my car.  My cat (sorry Fluffy).  Just not the phone.  I use it for email both work and personal.  It houses not only all my contacts but all kinds of useful information in the form of notes and calendar appointments and to do lists.  I check my bank and credit balances on it.  I also depend heavily on its GPS tools to shepherd me through the world.</p>
<p>I am not alone.  This year, there are about 45 million smart phones in use, just in the U.S.  These numbers are growing fast.</p>
<p>Imagine my sinking feeling to read about the research team at Rutgers University who managed to:<span id="more-1097"></span></p>
<p>* remotely pinpoint a phone user’s location using GPS.</p>
<p>* remotely turn on said phone&#8217;s microphone to eavesdrop on their conversation.</p>
<p>* drain the battery.</p>
<p><a href="http://www.sciencedaily.com/releases/2010/02/100222121624.htm" onclick="return TrackClick('http%3A%2F%2Fwww.sciencedaily.com%2Freleases%2F2010%2F02%2F100222121624.htm','http%3A%2F%2Fwww.sciencedaily.com%2Freleases%2F2010%2F02%2F100222121624.htm')">http://www.sciencedaily.com/releases/2010/02/100222121624.htm</a></p>
<p>It&#8217;s logical that an increase in threats follows the increase in use.  As technology expands, new paths for malware via Bluetooth radio channels and text messaging appear.  But others argue that smart phones are less of a target for viruses, botnets and malware that go for more robust devices in big numbers.</p>
<p>The real issue with smart phones is related to the human factor.  Similar to laptop theft, the phone gets pinched for the personal information it can disgorge.  Think of all that precious data you carry with you and how with a tap or two, it’s in the hands of a malicious stranger.  We’ve all heard about the Apple employee losing his next generation phone at a bar in Silicon Valley.  His identity was easily found by looking at his Facebook page which was on the phone’s display.  Although his embarrassing story was broadcast around the globe, at least the data was wiped pretty early on by Apple.</p>
<p>Indeed, there are applications that allow users a code they text to their phone to remotely lock it or wipe it clean, before (too much) damage is done.  Of course, using a password pin and making sure your backup is current are two easy ways to protect yourself in the event of a theft.  Once again, the best protection advice is to be proactive and aware.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/06/phone-affairs/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>High-tech Tracking of Terrorist Intent</title>
		<link>http://chameleonassociates.com/blog/2010/05/high-tech-tracking-of-terrorist-intent/</link>
		<comments>http://chameleonassociates.com/blog/2010/05/high-tech-tracking-of-terrorist-intent/#comments</comments>
		<pubDate>Fri, 14 May 2010 01:53:54 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=1029</guid>
		<description><![CDATA[Airport screening technology research seems to be moving away from looking only for malicious objects and towards looking also for malicious intent. The U.S. Homeland Security Department has been funding a project called FAST: Future Attribute Screening Technology whose purpose is to use physiological cues (perspiration, eye movement, heart rate, body temperature, etc.) to detect [...]]]></description>
			<content:encoded><![CDATA[
<p>Airport screening technology research seems to be moving away from looking only for malicious objects and towards looking also for malicious intent.</p>
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/05/art_screening_technology_cnn.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F05%2Fart_screening_technology_cnn.jpg','Tracking+Eye+Movement')" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F05%2Fart_screening_technology_cnn.jpg','')"><img class="alignleft size-thumbnail wp-image-1030" title="Tracking Eye Movement" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/05/art_screening_technology_cnn-150x150.jpg" alt="" width="166" height="145" /></a></p>
<p>The U.S. Homeland Security Department has been funding a project called FAST: Future Attribute Screening Technology whose purpose is to use physiological cues (perspiration, eye movement, heart rate, body temperature, etc.) to detect people who intend on doing harm.  FAST builds on research that shows how one’s physical reactions reflect an emotional or mental state.  Simply put, twitching and sweaty = nervous. </p>
<p>And nervous may mean you are up to no good.  Or, not.  An absence of factors would likewise be suspicious, according to project descriptions.</p>
<p><span id="more-1029"></span>Similar efforts to build systems that use autonomic nervous system measurements to detect dangerous persons are ongoing in Israel and other countries, as well.  In addition to bolstering security, the goal is to streamline and hasten the screening process to something more palatable to travelers.</p>
<p>Looking at intentions is an important focus.  Means are easy to conceal, difficult to find, and moot if the perpetrator is determined and well trained.  But at the end of the day, <span style="text-decoration: underline;">any</span> identified indicators have to link back to an actual aggressor’s method of operation.  The mission of a security screening process is to find terrorists and criminals, not nervous adulterers or stressed out petty thieves.  Having a thorough knowledge of how terrorists operate, how they conduct themselves through the various steps that lead to an attack is the number one bit of information that will result in prevention and mitigation.  We must know what we are looking for &#8211; on an operational level.</p>
<p>No doubt, high tech is cool.  Many tools are useful.  Let’s just make sure that all the pieces of a security system are related to an intelligent foundation based on the aggressor’s MO.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/05/high-tech-tracking-of-terrorist-intent/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>1.5 Million Facebook Accounts Hacked and are for Sale</title>
		<link>http://chameleonassociates.com/blog/2010/04/1-5-million-facebook-accounts-hacked-and-are-for-sale/</link>
		<comments>http://chameleonassociates.com/blog/2010/04/1-5-million-facebook-accounts-hacked-and-are-for-sale/#comments</comments>
		<pubDate>Sun, 25 Apr 2010 00:53:46 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=947</guid>
		<description><![CDATA[A Russian hacker who says he is living in New Zealand, going by the name of Kirllos has claimed on various hacker forums that he has managed to steal the account information for 1.5 million Facebook users and he’s offering those accounts at very low pricing. Kirllos is offering the user names and passwords of [...]]]></description>
			<content:encoded><![CDATA[
<p>A Russian hacker who says he is living in New Zealand, going by the name of Kirllos has claimed on various hacker forums that he has managed to steal the account information for 1.5 million Facebook users and he’s offering those accounts at very low pricing.</p>
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/04/do-you-have-facebook.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F04%2Fdo-you-have-facebook.jpg','')"></a><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/04/facebook.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F04%2Ffacebook.jpg','facebook')"><img class="size-thumbnail wp-image-961 alignleft" title="facebook" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/04/facebook-150x150.jpg" alt="" width="165" height="136" /></a>Kirllos is offering the user names and passwords of 1.5 million Facebook users for between $35 and $62.70 per 1000 accounts sold on an underground hacker forum. <em>The New York Times</em> reported that the login details of as many as 700,000 Facebook had already been sold.</p>
<p>Little is known about Kirllos, although his ICQ account says he is a 24-year-old who was born in Russia and speaks English, French and Russian.</p>
<p><span id="more-947"></span>While the accounts themselves do not contain enough personal information to commit outright identity theft, some social engineering could produce enough to possibly compromise more sensitive online services the account holder may use. Another avenue is the spreading of malware through the compromised user&#8217;s friend network.</p>
<p>The incident underscores the growing security concern around Facebook, which has more than 400 million members worldwide. This particular case shows that cybercriminals are beginning to look beyond their own geographies to international platforms such as Facebook.</p>
<p>Here is a news report exposing some of the security risks with Facebook:</p>
<p><embed width="500" height="361" type="application/x-shockwave-flash" allowFullscreen="true" allowNetworking="all" wmode="transparent" src="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/FacebookHAcker.flv"></p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/04/1-5-million-facebook-accounts-hacked-and-are-for-sale/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Chihuahuas Need Not Worry</title>
		<link>http://chameleonassociates.com/blog/2010/04/chihuahuas-need-not-worry/</link>
		<comments>http://chameleonassociates.com/blog/2010/04/chihuahuas-need-not-worry/#comments</comments>
		<pubDate>Mon, 19 Apr 2010 23:17:43 +0000</pubDate>
		<dc:creator>securitygirl</dc:creator>
				<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=900</guid>
		<description><![CDATA[According to an article in the Jerusalem Post, the Israel Airport Authority (which declined comment) has implemented a policy of sending suspicious animals through X-ray machines to confirm that bombs have not been hidden inside their bodies by terrorists.  When you note that effective terrorist threat mitigation requires keeping ahead of terrorist methods, it doesn’t [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="size-thumbnail wp-image-901 alignright" title="Chihuahua  Traveling" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/04/chihuahua-in-bag-150x150.jpg" alt="Chihuahua Traveling" width="161" height="172" />According to an article in the <a href="http://www.jpost.com/Travel/TravelNews/Article.aspx?id=173389" onclick="return TrackClick('http%3A%2F%2Fwww.jpost.com%2FTravel%2FTravelNews%2FArticle.aspx%3Fid%3D173389','Jerusalem+Post')" target="_blank">Jerusalem Post</a>, the Israel Airport Authority (which declined comment) has implemented a policy of sending suspicious animals through X-ray machines to confirm that bombs have not been hidden inside their bodies by terrorists.  When you note that effective terrorist threat mitigation requires keeping ahead of terrorist methods, it doesn’t sound as silly.  There have been numerous instances of using animals (dogs, donkeys) and recently humans to conceal bombs (Abdullah Asieri carried a pound of explosive plus detonator in his rectum in a failed attempt to assassinate a Saudi Prince).</p>
<p>Intelligent screening always takes into account threat based on terrorist MOs, and if the passenger &#8211; and in this case their furry four-legged traveling companion &#8211; are suspicious vis a vis a given MO.  I’m pretty sure that no screener at Ben Gurion would engage your pet in questioning about the nature of his trip (&#8220;Fido, did you keep your water bowl in view at all times?&#8221;).  Not because of the language barrier, but because like anything else, not every pet is threatening.  Likewise, not every pet is built for a bomb.  Too small to artfully conceal a bomb, the diminutive Chihuahua is probably safe from X-ray screening altogether.  On the other hand, if Richard Reid had been carrying a poodle, that poodle would be scrutinized, along with the rest of Reid’s possessions.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/04/chihuahuas-need-not-worry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Homeland Security App: Poison-Sniffing Cell Phones</title>
		<link>http://chameleonassociates.com/blog/2010/04/the-new-homeland-security-app-poison-sniffing-cell-phones/</link>
		<comments>http://chameleonassociates.com/blog/2010/04/the-new-homeland-security-app-poison-sniffing-cell-phones/#comments</comments>
		<pubDate>Fri, 16 Apr 2010 20:14:04 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=871</guid>
		<description><![CDATA[The U.S. Department of Homeland Security and its Technology Directorate division want to help create 40 prototypes, by the end of this year, of cell phones that can detect toxic chemicals in the air. Upon receiving an indication of a potentially toxic gas, the cell phone will alert the user and will send an anonymous [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/04/poison.jpg" onclick="return TrackClick('http%3A%2F%2Fwww.chameleonassociates.com%2Fblog%2Fwp-content%2Fuploads%2F2010%2F04%2Fpoison.jpg','poison')"><img class="size-medium wp-image-872 alignright" title="poison" src="http://www.chameleonassociates.com/blog/wp-content/uploads/2010/04/poison-300x299.jpg" alt="poison" width="175" height="171" /></a>The U.S. Department of Homeland Security and its Technology Directorate division want to help create 40 prototypes, by the end of this year, of cell phones that can detect toxic chemicals in the air. Upon receiving an indication of a potentially toxic gas, the cell phone will alert the user and will send an anonymous notification to the local authorities.</p>
<p>The new application should also handle false positives by cross referencing indications from other cell phones. For example, suppose a poisonous gas was released at a train station. The service would look for correlated reports across a number of devices in a particular location. This capability will allow law enforcement and first responders to pinpoint the exact location of the incident.</p>
<p>Qualcomm, NASA, and Rhevision Technology are teaming up to work on the next step of the testing phase: proof of principle. Also, Homeland Security&#8217;s Science and Technology arm is actively engaging Qualcomm, LG, Apple, and Samsung &#8212; with research and development agreements to hopefully use your phone as the digital sniffer of the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/04/the-new-homeland-security-app-poison-sniffing-cell-phones/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Online Behavior Do’s and Don’ts</title>
		<link>http://chameleonassociates.com/blog/2010/01/580/</link>
		<comments>http://chameleonassociates.com/blog/2010/01/580/#comments</comments>
		<pubDate>Fri, 15 Jan 2010 18:01:18 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Security Technology]]></category>

		<guid isPermaLink="false">http://www.chameleonassociates.com/blog/?p=580</guid>
		<description><![CDATA[The following is a comprehensive list of “do’s and don’ts,” a guideline for safe online behavior, written with the non technical user of the internet in mind.  We discuss tips for safe use of the internet be it emailing, shopping or using social networks, and how to avoid unwanted exposure for you, your family and [...]]]></description>
			<content:encoded><![CDATA[
<p>The following is a comprehensive list of “do’s and don’ts,” a guideline for safe online behavior, written with the non technical user of the internet in mind.  We discuss tips for safe use of the internet be it emailing, shopping or using social networks, and how to avoid unwanted exposure for you, your family and friends.  We review the tracks you make online that are used by criminals and harassers to exploit, manipulate and even attack an online user.  We explain your digital identity – those footprints left behind whenever we use the internet, and how these traces can be used to gather intelligence on you.</p>
<p>Some of the suggestions are related to our behavior and online habits.  Other implementation suggestions are related to technology and could be passed on to your IT support person.  The bottom line is that in this day and age, we need to educate ourselves and act proactively to be cyber secure.</p>
<p><span id="more-580"></span>First, why should you be concerned?</p>
<p>There is a direct correlation between the explosion of the internet across the globe and criminal attempts to exploit our use of it.  And the good guys are having a hard time keeping up with the bad guys who are funded by mafia, supported by nation states, creative, technologically savvy and unfettered by legal concerns.</p>
<p>Malware (malicious software) is epidemic &#8211; rising from under 200,000 unique samples in 2004 to almost 6,000,000 unique samples in 2008.  Google claims that 1.3% of their search queries return malicious content.  Examples of malicious software include viruses, worms, trojans, rootkits, spyware, adware and other rogue applications.  A botnet (robot network) consists of multiple hijacked home computers used by spammers to send emails remotely.  Botnets are also used to automatically generate traffic to web sites, ad clicks and blog comments.  Forty percent of spam is sent via botnets.  Vinton Cerf (father of the internet) claims that one quarter of all PCs are part of a botnet which translates to 100s of millions of computers.  And yours may be one of them.</p>
<p>With all these bad guys out to get us, it’s reasonable to adopt a mildly paranoid attitude informed by the knowledge of how the adversary operates.  Thinking a bit like a criminal or hacker results in a healthy, defensive behavior online.</p>
<h2>Malware</h2>
<p>Malware is malicious software designed to infiltrate or damage a computer system without the owner’s knowledge or consent.  Methods of infection include:</p>
<ul>
<li>Unknown attachments</li>
<li>Fake e-cards</li>
<li>Random popups (on malicious websites)</li>
<li>Fake patches</li>
<li>Joke programs</li>
<li>Freeware utilities</li>
<li>Unknown links</li>
<li>P2P programs</li>
</ul>
<p>For example, a new Trojan called URLzone has recently been reported.  It encompasses a botnet of about 6,000 systems, conducts bank transactions on the users’ systems, monitors internet usage for bank site http addresses and modifies user transaction numbers so that activity fades into the background.  The gang using this botnet stole between $4-15K from each account hacked, picking numbers randomly to evade anti-fraud systems.  These attackers work mostly in Europe and made about €300K in 3 weeks.  But the system could work on any continent.</p>
<p>One basic rule of thumb for avoiding infection is to not open an attachment if you are unfamiliar with the sender, and certainly not if the file extension is .exe (indicating an executable program).  And likewise don’t click on popups or programs about which you can’t be certain.  Think before you click.</p>
<h2>P2P or Filesharing</h2>
<p>Peer to Peer (P2P) networks were first popularized by <a href="http://en.wikipedia.org/wiki/Napster" onclick="return TrackClick('http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FNapster','Napster')" target="_blank">Napster</a> as an <a href="http://www.webopedia.com/term/m/mp3.html" onclick="return TrackClick('http%3A%2F%2Fwww.webopedia.com%2Fterm%2Fm%2Fmp3.html','MP3')" target="_blank">MP3</a> sharing environment.  File-sharing allows you to connect your computer with an informal network of computers all sharing the same data, potentially connecting millions of users at any time.  There’s a wealth of games, music and software out there to share.  If you have teenagers at home, it’s likely they are using one.  <a href="http://en.wikipedia.org/wiki/BitTorrent" onclick="return TrackClick('http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FBitTorrent','BitTorrent')" target="_blank">BitTorrent</a> and <a href="http://en.wikipedia.org/wiki/FastTrack" onclick="return TrackClick('http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FFastTrack','FastTrack')" target="_blank">FastTrack</a> are examples of P2P (peer to peer) networks where you can share music, DVDs, video games and the like.  But the risk of file sharing absolutely requires that you be careful about your access settings to prevent sharing personal files – account numbers, tax returns, photos and personal documents.  Also, if you decide to use file-sharing software, carefully read the End User Licensing Agreement terms and conditions to make sure you understand the risks not only to your own data, but the consequences of downloading materials.</p>
<p>Here’s a link explaining how exposed you can be via P2P:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="361" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/P2P.flv" /><param name="wmode" value="transparent" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="361" src="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/P2P.flv" allowfullscreen="true" wmode="transparent"></embed></object></p>
<h2>Phishing</h2>
<p>Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity in an electronic communication.  Criminals phish using emails, pop ups and websites that may look like they represent legitimate agencies or businesses.  Some of these messages look very legitimate, especially at a glance.</p>
<p>So keep in mind that you shouldn’t reply to an email or pop up message, or click on links or open attachments that ask for personal or financial information.  Instead go directly to the company’s (for example the bank or agency’s) legitimate web address or, call them.  If you receive an email message that asks you to call a phone number to update your account or give personal information, do not call.  Always call the number that appears in a legitimate directory or on a statement.</p>
<p>Some criminals bombard businesses with targeted spam that looks and feels like internal messaging, from a company’s Human Resource or IT department.   Whether you are being phished at home or at the office, the general criminal idea is to dupe people into revealing credentials that would allow attackers to exploit or infiltrate, easily.</p>
<h2>Laptops</h2>
<p>Treat a laptop as though it were cash.  Never leave a laptop in a car, unattended or on the floor in a public place.  Keep it locked and physically separate from your passwords.  When traveling, consider putting your laptop in a non laptop looking case.  Be especially vigilant passing through airport security where laptops are easily stolen in the confusion of the checkpoint.  Use the hotel safe if you must leave it behind.  Consider an alarm that goes off if the laptop moves outside a set perimeter; that automatically reports its location as a stolen laptop upon connection to the internet.</p>
<p>If you use a Blackberry or its equivalent, which is after all like a mini laptop, make sure you add a password lock code on it – in addition to using the security protocols listed above.</p>
<p>Many of us, on a business trip or over coffee at Starbucks, use public Wi-Fi to connect to the internet.  Be aware of a ploy used to phish critically sensitive financial information from you as you finish your double tall nonfat latte.  The criminals simply set up their own Wi-Fi network on a laptop in, for example, a hotel lobby.  Others in close proximity are lured into logging in to the bogus network, divulging information in the process.  Always know what you are connecting to.  Ask the hotel staff directly for instructions for logging in to a Wi-Fi network.  And if in doubt, plug in to a fixed network, rather than using a wireless local area network.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="361" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/Laptops.flv" /><param name="wmode" value="transparent" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="361" src="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/Laptops.flv" allowfullscreen="true" wmode="transparent"></embed></object></p>
<h2>Working and Shopping Online</h2>
<p>Whether you are working or playing online, be aware of how you browse.  As you move from site to site, know that malicious code is found in parts of a site not controlled by a site’s owner, such as in banner ads and widgets (a portable chunk of code, for example an on-screen clock).</p>
<p>Many online retailers are prepared to take your credit card and purchase information over the phone.  For those shoppers who want to avoid digital distribution, this is one way to try and shop securely.  For those who would rather not pick up the phone, there are some simple rules of thumb.  Don’t share personal or financial information through a company’s website until you have checked its security.  Is there, for example, a lock icon near the URL address line, which should read “https:” … where the ‘s’ refers to a secure site?  Also read through the online company’s privacy policy to understand what information they collect, how they use it and with what third parties, if any, your information is shared.  What measures do they take to secure your information and is it their policy to allow you to see what information they are holding?  Sometimes it is better to pass on a company than to take the risk.</p>
<p>When dealing with an online seller for the first time, check that they are who they say they are.  Call their number to confirm the company’s viability.  Google the company name for unfavorable reviews.  Consider toolbar software that shows ratings and warnings for sites by experts and other users, like <a href="http://www.myidentitydefender.com/" onclick="return TrackClick('http%3A%2F%2Fwww.myidentitydefender.com%2F','MyIdentityDefender')" target="_blank">MyIdentityDefender</a>.</p>
<h2>Social Networks</h2>
<p>How many of us, our families and friends use <em>Facebook,</em> <em>Myspace</em>, <em>Linked-In</em>, <em>Twitter</em>, <em>Second Life</em> and other social networks?  It seems like everyone these days is on at least one.  A danger inherent in these virtual communities is the false sense of anonymity we feel when online.  Our natural defenses are lower because there is no physical contact.  And it all potentially leads to the disclosure of information we surely would not share if we were meeting these folks in person, at a social gathering.</p>
<p><strong>Things to Avoid:</strong></p>
<ul>
<li>Over sharing information about your company’s activities and its intellectual property.</li>
<li>Mixing the personal with business in what is a very public domain.</li>
<li>Posting or ranting out of anger.</li>
<li>Not verifying a contact request before you accept it.  There’s no prize for having the most friends or contacts so think quality over quantity.</li>
<li>Don’t use the same password for a social network that you do for a bank account or other sensitive account.</li>
<li>Don’t get click happy.  Think before you link to avoid drive by downloads and zero day attacks.</li>
<li>Don’t divulge personal information like a birth date or details about family or children on a social site; it’s an invitation to ID theft and worse.</li>
</ul>
<p>Many social networking sites have privacy settings.  Use them.</p>
<p>Once you’ve posted a document, message, video or photo online, there’s no way to undo it.  Even if you delete the item, a version could already reside on another computer, or have been copied or forwarded.  Think before you post.</p>
<p>Take a look at this video about social networking scams:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="361" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/socialnetworks.flv" /><param name="wmode" value="transparent" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="361" src="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/socialnetworks.flv" allowfullscreen="true" wmode="transparent"></embed></object></p>
<p>Social Engineering is another component of successful exploitation.  Often, it’s a lot easier to dupe a password out of a human being than it is to hack or phish it.  The characteristics of an adept social engineer are the same the world over.  Here’s an interesting talk by one of the best:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="361" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/SocialEngineering.flv" /><param name="wmode" value="transparent" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="361" src="http://static.photobucket.com/player.swf?file=http://vid697.photobucket.com/albums/vv334/ChameleonAssociates/SocialEngineering.flv" allowfullscreen="true" wmode="transparent"></embed></object></p>
<h2>Reporting</h2>
<p>If you discover that you’ve been a victim of commercial fraud here are some U.S. government agencies you can contact:</p>
<p>Federal Trade Commission – e-commerce fraud, you suspect you’ve divulged personal info that could result in identity theft  <a href="http://www.ftc.gov" onclick="return TrackClick('http%3A%2F%2Fwww.ftc.gov','www.ftc.gov')" target="_blank">www.ftc.gov</a></p>
<p>Anti Phishing Work Group &#8211; <a href="mailto:reportphishing@antiphishing.org">reportphishing@antiphishing.org</a></p>
<p>Deceptive Spam &#8211; <a href="mailto:spam@uce.gov">spam@uce.gov</a></p>
<p>Hacking – contact the FBI <a href="http://www.ic3.gov" onclick="return TrackClick('http%3A%2F%2Fwww.ic3.gov','www.ic3.gov')" target="_blank">www.ic3.gov</a></p>
<p>For Computer Viruses – contact your ISP</p>
<h2>Public Information</h2>
<p>Be aware that a good deal of information is available about you online, simply as a matter of public record.  Property transactions, legal cases, campaign contributions are available online.  Addresses, participation in community and alumni activities are also out there in abundance.  So, start by googling  yourself.  Research yourself to find out what information is available publicly. <a href="http://www.intelius.com/" onclick="return TrackClick('http%3A%2F%2Fwww.intelius.com%2F','Intelius')" target="_blank"> Intelius</a> is an example of a company that maintains a large database of public information about people for the purposes of background checks.  In many cases you can request that contact information be deleted from a given database.  Here are the instructions for doing so with Intelius:</p>
<p>In order for Intelius to “opt out” your public information from being viewable on the Intelius website, they require faxed proof of identity. Proof of identity can be a state issued ID card or driver’s license. If you are faxing a copy of your driver’s license, obscure the photo and the driver’s license number. They only need to see the name, address and date of birth. Please allow 2 to 3 weeks to process your request.</p>
<p>Please fax your information to their customer service department at (425) 974-6194.</p>
<p>If you are not comfortable faxing us the information, you can send a notarized form proving your identity.</p>
<p>Please Note &#8211; removing the data in this way does not prevent public records from sending Intelius new information in the future. To permanently have your records sealed, you will need to contact your county’s records department.</p>
<p>As for public transactions, one way to avoid exposure is to operate under a company or DBA, or under the name of a family member.  Likewise, property transactions conducted under a company or trust whose name does not mimic your own, would help safeguard you from public scrutiny.  The same holds true of political donations which under federal law cannot be anonymous.  It is difficult but not impossible to mitigate your inclusion in things like alumni newsletters or charity announcements, but it usually means choosing to not be involved at the same level you would have before the onset of the internet.</p>
<h2>Passwords</h2>
<p>Here are some commonsense rules of thumb for protecting your passwords:</p>
<ul>
<li>The longer the password, the harder it is to break.</li>
<li>Don’t use common words or numbers, your name or login.</li>
<li>Don’t leave your passwords in plain sight.</li>
<li>Don’t share your password(s) by email or over the phone.</li>
<li>Change your passwords often, no less than every 90 days.</li>
<li>Don’t use the same password for multiple online accounts.</li>
</ul>
<h2>Emailing</h2>
<p>Despite legal protections and the daunting amount of email being sent at any moment (a false sense of protection through numbers), our email privacy is not guaranteed.  It could be as simple as a recipient forwarding a message, intentionally or unintentionally, that includes sensitive information, contact emails, name and the like.</p>
<p>In the United States, the law dictates that email correspondence sent over a company’s system is that company’s property, and subject to being accessed by its management.</p>
<p>Email is delivered over multiple routers and email servers.  A hacker could theoretically access a less protected router.</p>
<p>Unprotected backups are automatically conducted that store email messages that can be accessed at a later date.</p>
<p>When you open an email message that has an embedded image, that image needs to be downloaded from the server on which it resides.  In the process, information about you is gleaned: that your email is legitimate and active, your IP address, and confirmation that you have opened a given message to read it.  To avoid such disclosure, you could consider reading your emails offline.  This approach while effective is pretty inconvenient, especially at the office.  Another method is to forego your html enabled client and work with text only.</p>
<p>There are also ways to configure your particular email system (Outlook, Gmail, Hotmail, Yahoo, etc.) for optimal protection.  Your email provider can supply specific information.  Under their help section, look for tips related to Privacy and Security.  Here are links for <a href="http://mail.google.com/support/bin/topic.py?hl=en&amp;topic=12784" onclick="return TrackClick('http%3A%2F%2Fmail.google.com%2Fsupport%2Fbin%2Ftopic.py%3Fhl%3Den%26amp%3Btopic%3D12784','Gmail')" target="_blank">Gmail</a> and <a href="http://info.yahoo.com/privacy/us/yahoo/security/" onclick="return TrackClick('http%3A%2F%2Finfo.yahoo.com%2Fprivacy%2Fus%2Fyahoo%2Fsecurity%2F','Yahoo')" target="_blank">Yahoo</a> security information.</p>
<p>If you want to play it very safe indeed you could consider using disposable e-mail addresses.  And when you use a different alias for each entity to whom you give an email address, you can easily track who is spamming you.  For example, you sign up for membership to ABC Widgets Online with an alias like <a href="mailto:tomsmith.abcwidget@disposablemail.com">tomsmith.abcwidget@disposablemail.com</a>.  You can easily identify the source of mail, including unwanted mail, using this device.  One recommended site is <a href="http://www.guerrillamail.com" target="_blank">www.guerrillamail.com</a>.</p>
<h2>Infection Symptoms</h2>
<p>Given the surreptitious nature of malware, you may not know or may not be sure whether or not you have a problem.</p>
<ul>
<li>Computer runs comparatively slower than normal.</li>
<li>Computer stops responding or freezes up, often.</li>
<li>You notice unusual network traffic.</li>
<li>Computer crashes and restarts suddenly.</li>
<li>There are unusual error messages popping up.</li>
<li>You suddenly see distorted menus and dialog boxes.</li>
<li>You notice the presence of unknown toolbars in the browser.</li>
<li>Task manager, registry editors, folder options are disabled.</li>
<li>Browsers are redirected to unknown websites.</li>
</ul>
<h2>Security Software</h2>
<p>Make sure that your security software package runs automatically and updates at least daily.  The lag time between a virus breakout, its fix and the dissemination of that fix to users makes it impossible to keep entirely safe.  But keeping your security software updated surely helps.</p>
<p><strong>Anti Virus &#8211; </strong>Defends your computer against viruses that can corrupt or delete data, interfere with the performance of your computer or even allow spam emails to be sent from your computer.</p>
<p><strong>Anti Spyware &#8211; </strong>Installed without your consent, spyware software monitors or controls your use of your computer. It can record your keystrokes, which could lead to the theft of personal information.  Signs of spyware include: your computer won’t shut down or restart, it is slow, repeats error messages, displays pop-ups when you are not surfing the web.</p>
<p><strong>Firewalls</strong> &#8211; A firewall is part of a computer or network whose purpose is to block unauthorized traffic while permitting allowed traffic and communications to pass.  Like anything, an improperly configured firewall could be worthless and it’s important to make sure yours is set up correctly.</p>
<p><strong>Miscellaneous &#8211; </strong>Keep your operating system (OS) and web browser software up to date.  Software companies’ security patches are published regularly.  Use automatic updating to ensure you have the latest patches in place.</p>
<p>You can also upgrade your browser security by changing the default security and privacy settings which are located under the options and tools menu tabs.</p>
<p>And if you won’t be using your computer for an extended period, disconnect it.</p>
<h2>Create a Backup</h2>
<p>It seems so obvious, yet many of us don’t bother maintaining a current backup.  Clearly it’s a good idea to back up your data to an external hard drive or other media and keep it in a safe place.  The time it takes to keep current backups is well worth the effort.</p>
]]></content:encoded>
			<wfw:commentRss>http://chameleonassociates.com/blog/2010/01/580/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

