Have you ever heard of the Electronic Communications Privacy Act of 1986? I hadn’t either, not until Senator Patrick Leahy (D-Vermont) moved to update it this year with a new amendment that would make it more difficult for government agents to access data on remote servers containing information about who you’ve been talking to, where you’ve been and what you’ve seen.
It’s called the ECPA Amendments Act of 2011, and if you’re concerned about keeping your private data secure, it’s legislation worth supporting. “Today, this law [the ECPA] is significantly outdated and out-paced by rapid changes in technology,” said Leahy while proposing to amend the ECPA in May. “Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security.”
The problem is that it’s up to the folks at Facebook to decide what constitutes “non-personally identifiable attributes.” We’ve written at length about the problems with Facebook’s protean privacy policies, and the company has done an admirable job of addressing user privacy concerns by offering users the option to disable troublesome features like “Instant Personalization,” which allows third-party websites like Huffington Post and Pandora to access your Facebook data in order to customize their services with ads you might click on.
Though encryption is a strong way to safeguard passwords, personal information, and other sensitive data, it can be confusing due to the acronyms and technobabble that surround the topic.
Many encryption utilities--such as the BitLocker feature in Windows 7 Ultimate, or the Rohos Mini Drive utility for protecting info on a thumb drive--are available. But my favorite tool covers all the bases: It's free, it's easy, it's effective, and it works on all major operating systems. TrueCrypt lets you create virtual encrypted drives. Versions are available for Windows, Mac OS X, and Linux; if you install it on several machines running different OSs, you can open your encrypted files from a network share, thumb drive, or other shared storage device.
The tool has plenty of advanced options, but the simplest approach--and the one I use--is to create an encrypted file protected by a strong password. When you open your TrueCrypt file, it acts as an additional hard drive with its own drive letter. You can interact with that virtual drive the same way that you might with any storage device: You open, save, drag, and drop files to and from the data store. TrueCrypt handles all the encryption and decryption in the background. When you close the encrypted file, the data is protected until you give the password to open it up once more.
Responding to yet another user uproar, Facebook recently made efforts to simplify its privacy controls and introduce some other welcome changes. They're good steps to take--but considering that Facebook had to be forced to respect users' basic wishes regarding their own information, it suggests a serious disconnect in how the company and its users view privacy.
In January, CEO Mark Zuckerberg had said that his company was updating its systems to "reflect what the current social norms are." So when Facebook announced in April that it would automatically enroll users into new features such as Instant Personalization--which handed users' publicly available Facebook info to selected Websites that users visited--the implication was that users' wishes, not the company's bottom line, prompted the move from a largely private system shared only with approved friends to a largely public system that freely gave data to search engines, marketing companies, and anyone else who wanted it.
Attacks employing poisoned PDF files have leaped to the top of the threat list, according to statistics from major security companies. Symantec reports that suspicious PDF files skyrocketed in 2009 to represent 49 percent of Web-based attacks that the company detected, up from only 11 percent in 2008. The next-most-common attack, involving a good old Internet Explorer flaw, was far behind at 18 percent.
In a typical scenario, crooks might hijack a legitimate site and insert a PDF file made to exploit flaws in Adobe Reader. They then link to that PDF via social-engineering lures such as spam or comments on a blog or social network. Even astute users who check the link would see a legit domain. Not knowing the site was hacked, they would be more likely to download and open the file.
Now, a new threat allows for launching malware hidden inside a PDF file. In this type of attack, discovered by researcher Didier Stevens, opening the PDF file triggers an attempt to install the malware. The action causes Adobe Reader to produce a confirmation pop-up, which gives you a chance to halt the attack by clicking the 'Do Not Open' button--but Stevens found that attackers could tweak the pop-up's message. His example reads, "To view the encrypted message in this PDF document, select 'Do not show this message again' and click the Open button!" Using such a message, attackers could allay potential victims' suspicion.
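A defender-side triage check for the launch behaviour described above, as an added example that is not part of the original article: it counts the PDF name tokens tied to launch and automatic actions (`/Launch` is the PDF action type that starts an external program) and decodes `#xx` escapes that can disguise them. The function names and sample bytes are constructed for illustration, and the scan reads only uncompressed objects, so names inside compressed streams are not seen.

```python
import re

# PDF name tokens for launch actions, automatic actions and embedded script.
SUSPICIOUS_NAMES = ("/Launch", "/OpenAction", "/AA", "/JavaScript", "/JS")

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so that /L#61unch is recognised as /Launch."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count occurrences of each suspicious name in the raw PDF bytes."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for match in _NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def needs_review(data: bytes) -> bool:
    """Flag any launch action, or script that runs automatically on open."""
    c = triage_pdf(data)
    auto_run = c["/OpenAction"] + c["/AA"] > 0
    script = c["/JavaScript"] + c["/JS"] > 0
    return c["/Launch"] > 0 or (auto_run and script)


# Constructed sample: an open action pointing at a launch action whose name
# is hex-escaped. The file target is a harmless placeholder.
SAMPLE_FLAGGED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /L#61unch /F (placeholder.txt) >>\nendobj\n"
)
# Constructed sample: a catalog with no actions at all.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, needs_review(blob), triage_pdf(blob))
```

A hit is a reason to open the file in an isolated viewer or hand it to an analyst, not proof of malice; legitimate documents also use `/OpenAction`.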