A handwriting-recognition feature in Windows collects data and stores it, which could represent a security threat, according to a digital forensics expert.
“If you're one of the people who own a stylus or touchscreen-capable Windows PC, then there's a high chance there's a file on your computer that has slowly collected sensitive data for the past months or even years,” reports ZDNet.com.
Windows could be storing passwords, emails, and more, according to Barnaby Skeggs, who tested the WaitList.dat file.
The file, Skeggs indicated in the ZDNet.com report, “is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature,” which converts touchscreen writing to text.
“The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others,” the article notes.
According to a Hacking.land report, the WaitList.dat file can be on a computer for years without the person knowing it.
Here is how it works. The file is created as soon as someone starts using the handwriting-recognition function. The text of any document or email indexed by the Windows Search Indexer service is stored in WaitList.dat, including file names and metadata as well as the written text itself. Windows can store your passwords this way, and text from files you have since deleted can remain stored.
According to Hacking.land, “An attacker would only have to steal WaitList.dat instead of scanning the entire PC.”
The Avira blog warns, “Imagine you would delete a file. While it would be gone from your system, it would still be stored in WaitList.dat. You stored your passwords and usernames in a text file before starting to use a password manager? It’s very likely that you will find it in WaitList.dat, too.”
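To see whether a machine has accumulated such a file, the following PowerShell script (an added example, not taken from the reports cited above) searches each user profile's local application data for WaitList.dat and reports its size and age without reading its contents. The function name Find-WaitListFile and the -ProfileRoot parameter are hypothetical, and the script assumes the standard Windows profile layout with an AppData\Local folder under each profile directory.

```powershell
# Added example: inventory WaitList.dat files without opening them.
# Find-WaitListFile and -ProfileRoot are hypothetical names chosen for this example.
function Find-WaitListFile {
    [CmdletBinding()]
    param(
        # Directory that holds the user profiles; assumed to be the parent of
        # the current profile (C:\Users on a default installation).
        [string]$ProfileRoot = (Split-Path -Parent $env:USERPROFILE)
    )

    $now = Get-Date
    foreach ($userDir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $localAppData = Join-Path $userDir.FullName 'AppData\Local'
        if (-not (Test-Path -LiteralPath $localAppData)) { continue }

        # Search by file name only. Profiles the current account cannot read are
        # skipped silently, so run elevated to cover every user on the machine.
        Get-ChildItem -LiteralPath $localAppData -Filter 'WaitList.dat' -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    User        = $userDir.Name
                    Path        = $_.FullName
                    SizeKB      = [math]::Round($_.Length / 1KB, 1)
                    Created     = $_.CreationTime
                    LastWritten = $_.LastWriteTime
                    AgeDays     = [int]($now - $_.CreationTime).TotalDays
                }
            }
    }
}

# Oldest files first: those have been collecting text the longest.
Find-WaitListFile | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```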
While today’s technology provides time-saving solutions, like handwriting recognition so you can just take notes with a stylus rather than using a keyboard, it often taps into more and more of your data to offer you that convenience.
One of the first lines of defense remains strong passwords, as well as where you store them.
Here are some tips for generating secure passwords:
Generate a different password for each online account
Make a random 2- to 4-word phrase that does not include any elements from your name, organization, address or any information associated with you
When generating your own password or passphrase, make sure it contains upper and lowercase letters, punctuation and a number, and is a minimum of 14 characters long
Change your passwords every 3-6 months and don’t reuse them
Use two-step verification on all services that provide it
Do not store your password list on your computer or in a personal fileshare or Google account; instead, consider a password management tool
There are several password management solutions that can help you generate, manage and store secure passwords for your online accounts. CNET has a list of “The best password managers for 2018,” if you don’t have a preferred solution.
Of course, there is always the risk that the password management company itself could be hacked, but most use multifactor authentication, so access to your stored passwords, or master vault, is granted only with both a correct password and a correct authentication code. Since that authentication code gets sent to a device you own, it limits the risk that someone can gain access to your information.
Password management solutions also encrypt your password information locally before it leaves your device to further protect your passwords on the master vault. That information is encrypted and stored on their servers.
“In most cases, this is strong enough security,” suggests CNET.
If you have any questions about data security or which password solution is right for your organization, contact Sinu. We can help you find the technology solution that finds the right balance between security and ease-of-use to keep your data safe and your employees productive.