KGW: Five Facebook Privacy Settings To Check Now

Many of us use Facebook every day.

But do we really know what information the social media giant is sharing with others?

I recently spoke with KGW-TV (NBC/Portland) Reporter Abbey Gibb about some of the most important settings and how to protect what others see about you.

Few take advantage of the updated security options - possibly because users aren't even aware they're available.

Of course, the tip not listed if you really don't want your information out there? Don't share it on the web at all.

For more perspective on this, or any tech story, drop Brian an email: techexpert AT brianwestbrook DOT com.

Personal data safe? Microsoft's Data Privacy Day

Microsoft invaded traditionally Hallmark turf earlier this week with their "Data Privacy Day" public-awareness campaign. The software giant encourages us to think about how we reveal personal information in a fun, if not somewhat corny, online quiz.

The quiz, which not surprisingly didn't work well in my Firefox browser, asks questions about your online activities and ranks your performance between "Your cover's blown" to "You're in deep cover", complete with secret agent icons.

Now, don't expect this campaign to change your world, make you a security and/or privacy expert... but it does serve as a great reminder that there are risks to sharing your personal information with online sites.

Here are some important tips to remember everyday, not just the so-called "Data Privacy Day":

• Be aware of what information you are sharing and how it will be used. If in doubt, refuse to give it out.
• Review a website's privacy policy and site terms. Sure, they're long legal documents and often a checkbox away from getting what you came for... but these agreements contain important details about what a website may and may not do with your data. (Of course, scrupulous sites will take advantage of your data anyway!)
• Review your accounts, passwords, and social networking profiles often for revealing (and incorrect) information.
• Change your passwords often. When was the last time you changed a password? Do it now!
• Be careful what you click. Emails may contain attachments that are ticking time bombs, websites that look sketchy -- probably are. And the IRS will never send you unsolicited email. A healthy dose of skepticism could save your identity and major headaches to follow.

Microsoft has also released a much-less corny video documentary with some solid recent data about online privacy from a variety of perspectives. It's five minutes, but worth watching. (Use some of that time you save each time you quickly and click 'Accept' on a website's privacy policy.)

My Privacy: Safely Navigating Life Online

For more information, visit Microsoft's "Data Privacy Day" website. While you're joining me in a collective eye-roll at the idea of a Microsoft holiday -- if you really want to get into the spirit of things -- hop on over to my Amazon wishlist and feel free to buy me a Data Privacy Day gift. (What, you didn't know buying me presents was part of Data Privacy Day?!?)

Sensitive data at Goodwill? Wipe that drive!

A recent story on KXL.com caught my eye today, one that has sadly become all-too frequent: a laptop with sensitive data is in public hands.

This latest episode of an ongoing saga involves a portable computer purchased for eight dollars from a Goodwill store in Portland, Oregon. The buyer got more than their eight bucks worth when they found a spreadsheet with medical records on the used laptop. According to the report, Goodwill generally erase hard drives before reselling computers. Apparently this one fell through the cracks.

So how can you protect yourself and your data when you pass along your computer for recycling or reuse? What should you do to keep your sensitive history from the bad guys?

Wipe that drive!

And of course (or I likely wouldn't have much to blog about ;-) ), it's easier than it sounds. Sorry folks! Simply erasing or formatting your hard drive isn't quite enough. When a hard disk drive is formatted, sure it makes the drive available for re-use and shows no files found, but a clever hacker or curious computer buyer can often dig up the digital remains.

To protect yourself, and be confident the data is gone, gone I recommend the following steps:

• Use a wipe utility that destroys the data completely -- formatting isn't enough as your files may still be hidden beneath the curtain.
  
• Remove the hard drive -- take the drive out and toss it in a shoebox, recycle it seperately, or: destroy it physically (also great agression-reduction therapy!)
  
• Send your computer to a computer recycle shop -- many of the specialists have policies and standards to wipe hard drives... ask when you drop off your old computer.
  
• A business subject to Sarbanes-Oxley controls should ensure their IT department is following appropriate handling of used hard drives.

My favorite computer recycling facility is Free Geek and they have the type of policy you should look for to ensure your hard drive is properly wiped:

At FREE GEEK, we will never boot from a hard drive before it has been wiped of data. Hard drives we are going to keep first have their partition table removed, and then are overwritten five times in the process of testing. If we are not going to reuse a hard drive, it is physically destroyed in our facility before we send it to a responsible e-waste recycler. We do not give or sell hard drives to places that do not have a similar policy. Data on donated hard drives is safe.

(freegeek.org)

I've talked about computer recycling (and Free Geek) on Portland's Morning News before, in case you missed it -- I've got an archive from my hard drive here: kxl_techexpert-recyclepc_20060724.mp3

Finally, if you're looking for tools to wipe a drive, here are a few that do the trick (Please use these tools CAREFULLY -- especially around drives with data you intend to keep, I can't be responsible for their use or misuse):

• Dariks' Boot and Nuke
  
• Kill Disk

Hijacked Myspace page could mean trouble for everyone

Tech Expert Bonus Post

It might not be a jumbo jet, but a hijacked Myspace page can open the door to many problems -- identity theft, stolen data, or an inbox full of spam. It can affect not only the owner of the hijacked Myspace page -- but anyone who visits the page.

Since I get asked this question quite a bit -- I figured I'd post (if anything so I can point users here rather than re-typing the story... lazy? yup!).

Background
Typically the Myspace hijack is introduced when a page owner decides to pimp their profile out with one of the many available "free layouts" abundant on the web. Installing this code on your page can introduce a trojan-like code that will result in those visiting the site in being phished of their myspace login. Here's how...

Threat Details
While browsing Myspace (or a similar site), an unsuspecting user / victim clicks a link appearing to be from a myspace "friend" (often this link is to "Send Message" or "Add as a Friend". (See screenshot with this post, personal information hidden to protect the innocent.) The link you click then prompts you with a "you must be logged in to do that" page... and without too much thought... ("oh, myspace must've logged me out or something, right?")... . and without checking the URL (i.e. look for "login.myspace.com"), you've actually provided your myspace login information to the bad guys (who then cleverly re-direct you to the content you originally requested / your myspace home / someplace else that seems logical and doesn't raise your suspicion). The bad guys can now post bulletins / messages as YOU and spread the illegitimate login link to other victims...but wait, there's more...

Now where this gets *really* bad is when you've used the same password in myspace as you have for your email account.

Let's say your Myspace login is your email address (myspace@yourdomain.com) and a password (hijackvictim). If you, like many other users, have set your myspace password to be the same as your email password... I (representing evil-doers everywhere) can now log into your email account. Muhahaha....

And, as I'm sure you know, once I've got access to your email address... I can use the "forgot my password' link for a variety of sites -- obtaining access to bank accounts, ebay, etc. etc... (Click this link [mp3] for my 12 Feb 2007 report for Newsradio 750 KXL on identity theft.

Recommendation
My suggestion: Change your myspace password immediately to something VERY DIFFERENT from anything else associated with that email address. Change every other login that uses the same password to something new and unique to your myspace account -- do it now.

While not foolproof, some users pick a default password ("D0n't@sk!" and change it for every site... slighty... say, "D0n't@sk!a" for myspace.com since "A" is the first vowel... something you can remember, but that keeps your passwords unique... it's a start. (For more on good password techniques, listen to my report from 19 Feb 2007 here [mp3])


Quick Tips:

1. Change your myspace password to something unique (even if you don't think you've been hijacked, change it now!)
   
2. Don't use the same password for myspace as you do email, bank accounts, etc. (this is good advice in general, but especially for sites like myspace)
   
3. If in doubt, follow these steps: Open a new browser window to the site you're trying to view.
   
4. Just because it *looks like* Myspace (or your bank's site, etc.) -- doesn't mean it is!
   
5. Avoid clicking links in emails or online messages from strangers (and even then, do so with caution!)
   

For more on this story, visit:

• OnGuardOnline.gov Phising page - http://www.onguardonline.gov/phishing.html
  
• FTC (anti-)Spam site - http://ftc.gov/spam/