Archive for the ‘privacy’ Category
Office Files and Hidden Personal Info
You do know that MS Office files contain more than just your document or spreadsheet, don’t you? They contain “metadata”, which is information like your Office-registered name and company, and possibly records of your edits and copies of previous drafts of the document.
This means you might be sending more information than you want to when you send somebody a Word document. This came to my attention due to many potential employers asking explicitly for Word format resumes.
A bit of background:
I’ve routinely collaborated on documents, and we’ve sent copies of one or more Word documents back and forth by email with Change Tracking enabled (menu: “Tools->Track Changes…”). Even when you accept the changes, Word will reportedly keep the old versions lying around in the file. This old version information (actually editing information) is part of a category of stuff called metadata. In such a situation, you are apt to end up with information in the file that you really don’t want released with the final document. In addition, the file will invariably contain the user and company information entered during the installation process for Office.
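To see what this kind of leftover information looks like in practice, here is an added example (not from the original post or from any tool it mentions) that lists identity fields and unaccepted tracked changes. It assumes the newer zip-based .docx format rather than the older binary .doc files discussed here, and the sample file and names are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened XML parser

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]

def _prop(zf, part, path):
    """Text of one property element, or None if the part or element is absent."""
    if part not in zf.namelist():
        return None
    node = ET.fromstring(zf.read(part)).find(path, NS)
    return node.text if node is not None else None

def inspect_docx(data):
    """Report identity fields and unaccepted tracked changes (w:ins / w:del)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report = {
            "creator": _prop(zf, "docProps/core.xml", "dc:creator"),
            "last_modified_by": _prop(zf, "docProps/core.xml", "cp:lastModifiedBy"),
            "company": _prop(zf, "docProps/app.xml", "ep:Company"),
            "tracked": [],
        }
        body = ET.fromstring(zf.read("word/document.xml"))
    for kind, text_tag in (("ins", "t"), ("del", "delText")):
        for el in body.iter(W + kind):
            text = "".join(t.text or "" for t in el.iter(W + text_tag))
            report["tracked"].append((kind, el.get(W + "author"), text))
    return report

def build_sample():
    """Constructed sample: a minimal .docx-shaped zip with made-up names."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>Pat Example</dc:creator>'
            '<cp:lastModifiedBy>Chris Reviewer</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = '<Properties xmlns="%s"><Company>Former Employer Inc</Company></Properties>' % NS["ep"]
    doc = ('<w:document xmlns:w="%s"><w:body><w:p>'
           '<w:del w:author="Chris Reviewer"><w:r><w:delText>laid off</w:delText></w:r></w:del>'
           '<w:ins w:author="Pat Example"><w:r><w:t>left</w:t></w:r></w:ins></w:p></w:body></w:document>' % NS["w"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", doc)):
            zf.writestr(name, xml)
    return buf.getvalue()
```

Calling `inspect_docx(build_sample())` returns the author, last editor, company, and the deleted and inserted text still carried in the file.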
This has been recognized as an issue for a while now; both the BBC in 2004 and USA Today in 2006 published articles about it, so it’s not exactly breaking news…
Microsoft even offers a scrubber for Office 2003/XP files, that also appears to have been around since 2004. And for those of us with Office97 (yeah, I know, stone age), MS offers helpful advice for scrubbing the information, albeit a bit more labor intensive.
Wouldn’t it be nice to be able to find out what’s in an Office file, and to be able to clean it out if you want to, regardless of what version of Office you’re running?
Javacool Software (www.javacoolsoftware.com) has put out a very nice, simple, Office file scrubber called Doc Scrubber™ (http://www.docscrubber.com/), that truly simplifies the entire process. They have also been nice enough to offer it as freeware for personal and educational use (Doc Scrubber 1.1).
I first ran into Javacool when I was battling spyware and adware; I found their SpywareBlaster and SpywareGuard products to really reduce the infestations, and I recommended them to my clients. They have a variety of other tools to help you maintain your privacy on your computer. Check out their download page.
I have no business relationship whatsoever with these guys; I just think they’ve got some good products that you should know about. If you agree, send them a couple of bucks by PayPal, or purchase the auto-update service for one of their products. Freeware guys put a lot of time into their products, and a little reward goes a long way.
Thanks, Javacool!
Various trademarks in the preceding are, of course, the property of their respective owners. Their use in this writeup is intended for information/educational purposes only.
Please Update Your Info with Our Bank
Nope, I’m not a victim; but I have been receiving phishing emails asking me to update my account information “from” a bank with whom I have no relationship. I sent the emails on to the bank and they’ve confirmed that it’s a phishing scheme. Here, I offer a few tidbits from the email to give you an idea of how this stuff works.
In the past week I’ve received two emails directed toward the same bank. (I have obscured the bank identification in this post, as it’s irrelevant to the discussion). One has subject line “IMPORTANT Upgrade to New Security System” and the other says simply “Account Update.” Both emails appear to come from the bank, and both have “Reply-To” addresses that appear legitimate (that is, both reference <bank>.com). Both explain that the bank has instituted new security measures, and request that I update my information through their new, secure server. Then they provide a convenient link to do just that. The link looks like this:
http://www.bank.com/secure/update/ssl.cfm
Sounds good, right? It even looks secure, what with that “ssl” and the word “secure” in the URL. But, looking “under the hood” (by way of examining the “page source”), the link really goes here:
http://xylus.ca/labradale/images/.www/onlineservices.bank.com/auth/
Now, I’m not sure who xylus.ca and the various subdirectories are, but I’m pretty sure they’re NOT my bank.com. It could be somebody’s website that is being victimized by the redirect, so I can’t even assert that xylus.ca is a bad guy. But the redirect is certainly cause for concern.
The rest of the email even grabs images and page reference from the bank.com site, to make things look more legit. And they offer you the phone number and email address for verification.
What purpose does this serve the bad guys? By using their site as an intermediary, they can either request information from you that you wouldn’t want others to know (like account numbers, usernames, passwords), or, more disturbing, they can simply “watch” your interaction with your bank to obtain the same information without you knowing your information has leaked. Then THEY have your username, account information, passwords, etc., to use as they wish. I doubt they’re planning on making deposits to your account.
This explains the experts’ advice that you NEVER click a link contained in an email. That is, assume any link in emails is suspect – especially if it concerns your finances, your accounts with anyone/anywhere, etc. CALL the bank or company ON THE PHONE. Use their published phone number, NOT the one provided in the email. Ask questions, and never assume an email is what it claims to be.
Caveat emailer.
Information Leakage
The following story was emailed to me. While I generally don’t publish stuff that’s been forwarded numerous times, this particular one teaches some valuable lessons to those who aren’t aware of how easy it is to inadvertently leak information online. The story came to me unattributed.
“After tossing her books on the sofa, she decided to grab a snack and get on-line. She logged on under her screen name ByAngel213. She checked her Buddy List and saw GoTo123 was on. She sent him an instant message:
ByAngel213:
Hi. I’m glad you are on! I thought someone was following me home today. It was really weird!
GoTo123:
LOL You watch too much TV. Why would someone be following you?
Don’t you live in a safe neighborhood?
ByAngel213:
Of course I do. LOL I guess it was my imagination cuz’ I didn’t see anybody when I looked out.
GoTo123:
Unless you gave your name out on-line. You haven’t done that have you?
ByAngel213:
Of course not. I’m not stupid you know.
GoTo123:
Did you have a softball game after school today?
ByAngel213:
Yes and we won!!
GoTo123:
That’s great! Who did you play?
ByAngel213:
We played the Hornets. LOL. Their uniforms are so gross! They look like bees. LOL
GoTo123:
What is your team called?
ByAngel213:
We are the Canton Cats. We have tiger paws on our uniforms. They are really cool.
GoTo123:
Did you pitch?
ByAngel213:
No I play second base. I got to go. My homework has to be done before my parents get home. I don’t want them mad at me. Bye!
GoTo123:
Catch you later. Bye
Meanwhile……GoTo123 went to the member menu and began to search for her profile. When it came up, he highlighted it and printed it out. He took out a pen and began to write down what he knew about Angel so far.
Her name: Shannon
Birthday: Jan. 3, 1985
Age: 13
State where she lived: North Carolina
Hobbies: softball, chorus, skating and going to the mall.
Besides this information, he knew she lived in Canton because she had just told him. He knew she stayed by herself until 6:30 p.m. every afternoon until her parents came home from work. He knew she played softball on Thursday afternoons on the school team, and the team was named the Canton Cats. Her favorite number 7 was printed on her jersey. He knew she was in the eighth grade at the Canton Junior High School. She had told him all this in the conversations they had on-line. He had enough information to find her now.
Shannon didn’t tell her parents about the incident on the way home from the ballpark that day. She didn’t want them to make a scene and stop her from walking home from the softball games. Parents were always overreacting and hers were the worst. It made her wish she was not an only child. Maybe if she had brothers and sisters, her parents wouldn’t be so overprotective.
By Thursday, Shannon had forgotten about the footsteps following her.
Her game was in full swing when suddenly she felt someone staring at her. It was then that the memory came back. She glanced up from her second base position to see a man watching her closely.
He was leaning against the fence behind first base and he smiled when she looked at him. He didn’t look scary and she quickly dismissed the sudden fear she had felt.
After the game, he sat on a bleacher while she talked to the coach. She noticed his smile once again as she walked past him. He nodded and she smiled back. He noticed her name on the back of her shirt. He knew he had found her.
Quietly, he walked a safe distance behind her. It was only a few blocks to Shannon’s home, and once he saw where she lived he quickly returned to the park to get his car.
Now he had to wait. He decided to get a bite to eat until the time came to go to Shannon’s house. He drove to a fast food restaurant and sat there until time to make his move.
Shannon was in her room later that evening when she heard voices in the living room.
“Shannon, come here,” her father called. He sounded upset and she couldn’t imagine why. She went into the room to see the man from the ballpark sitting on the sofa.
“Sit down,” her father began, “this man has just told us a most interesting story about you.”
Shannon sat back. How could he tell her parents anything? She had never seen him before today!
“Do you know who I am, Shannon?” the man asked.
“No,” Shannon answered.
“I am a police officer and your online friend, GoTo123.”
Shannon was stunned. “That’s impossible! GoTo is a kid my age! He’s 14. And he lives in Michigan!”
The man smiled. “I know I told you all that, but it wasn’t true. You see, Shannon, there are people on-line who pretend to be kids; I was one of them. But while others do it to injure kids and hurt them, I belong to a group of parents who do it to protect kids from predators. I came here to find you to teach you how dangerous it is to talk to people on-line. You told me enough about yourself to make it easy for me to find you. You named the school you went to, the name of your ball team and the position you played. The number and name on your jersey just made finding you a breeze.”
Shannon was stunned. “You mean you don’t live in Michigan?”
He laughed. “No, I live in Raleigh. It made you feel safe to think I was so far away, didn’t it?”
She nodded.
“I had a friend whose daughter was like you. Only she wasn’t as lucky. The guy found her and murdered her while she was home alone. Kids are taught not to tell anyone when they are alone, yet they do it all the time on-line. The wrong people trick you into giving out information a little here and there on-line. Before you know it, you have told them enough for them to find you without even realizing you have done it. I hope you’ve learned a lesson from this and won’t do it again. Tell others about this so they will be safe too?”
“It’s a promise!”
<end of story>
Like Crosby, Stills, Nash and Young once sang: “Teach your children well.”
Home network security – one perspective
Daily Cup of Tech (one of my favorite blogs) recently posted an article about home network security, and making your home (wireless) network less attractive to casual snoopers, responding to criticism received in a comment to a previous posting. The suggestions he provides aren’t designed to make your network hacker-proof – as even he discusses.
They do, however, help lower your network’s profile in a potential sea of available access points. Good advice he offers: disable SSID broadcast, use encryption, employ standard security measures (like changing the administrator password) available on your router, etc.
Experts will argue about whether one kind of encryption is superior to another (yes, WPA is better than WEP, etc., etc.), whether disabling SSID broadcast represents any measure of security at all (only nominal), etc., but the bottom line is that any measures you employ to improve your security are better than what you had before. It is, as they say, a step in the right direction. And it might just be enough to discourage a snoop… you never know.
Router vulnerability (potential)
A new attack approach was documented in February by researchers at Indiana University and Symantec in which an Internet user need only visit a bad guy’s web site to become a potential victim for a variety of crimes, including possibly identity theft. At the very least, it exposes any and all information that you send over the Internet to snooping by unknown parties. The attack uses Javascript to change settings in your router so that all of your Internet traffic is sent through the bad guys’ computer system. Once your router has been compromised, it is very difficult to detect the problem, since everything will appear to act normally. The various antivirus, antispyware, etc. measures cannot detect this attack at present, and will be unlikely to detect a compromised router in the future.
The fix: MAKE SURE YOU HAVE CHANGED YOUR ROUTER’S ADMINISTRATOR PASSWORD FROM ITS FACTORY DEFAULT SETTING!! While you’re at it, be sure you’ve enabled encryption on your wireless.
Of course, you should also check the DNS settings in your router to be certain they belong to your ISP. If this doesn’t make sense to you, get a professional involved.
Technical reference: http://www.cs.indiana.edu/pub/techreports/TR641.pdf (checked 2/27/07)