Category Archives: Privacy

Trust, But Verify

Doveryay, no proveryay is the Russian proverb usually rendered in English as “Trust, but verify.” I often heard it (in English) spoken by, and about, President Ronald Reagan in the 1980s, in the context of U.S. and Soviet nuclear arms reduction treaties. That Reagan was turning a Russian rhyme back on the Soviets was probably lost on most Americans. It certainly was on me.

In the cybersecurity, privacy, and information systems audit professions, we use this phrase often to express the need for quality: a control is not presumed to work because someone says it does; someone checks.

I say “quality” here for a reason. Security and privacy are really business quality issues. Security- and privacy-related defects in business processes and information systems are really quality defects.

Trust, but verify, appears in the opening paragraph in Chapter 3 of CIPM Certified Information Privacy Manager All-In-One Exam Guide that is to be published in May 2021. The draft manuscript is complete; my colleague, J Clark, has completed his technical review. What’s left is copy editing (about half done), page layout (not started), and proofing (not started). Lots of steps. The excerpt:

“Trust but verify is a Russian proverb that is commonly used by privacy and cybersecurity industry professionals. The complexity of information processing and management, which includes layers of underlying business processes and information systems, invites seemingly minor changes that can bring disastrous consequences.”

Protect your Black Friday and Cyber Monday shopping with a quick PC tune-up

Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands of people will have their identities stolen in the next few weeks because malware on their computers captured valuable information such as credit card numbers, online user IDs, and passwords. A few minutes’ work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off work to cancel credit cards, write letters, set up credit monitoring, and get back to where you are right now, at a cost of perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/. Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

Note: If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

Several free anti-virus programs are worthy of consideration:

  • AVG
  • Avast
  • ZoneAlarm Free Antivirus + Firewall
  • Panda Cloud Anti-Virus

I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

LinkedIn’s “Intro” So Toxic It Could Dramatically Change BYOD

LinkedIn’s new “Intro” iOS app directs all e-mail sent or received on an iOS device through LinkedIn’s servers.

Yes, you’ve got that right.

Even so-called “secure” e-mail.

Even corporate e-mail.

Has LinkedIn been acquired by the NSA?  Sorry, bad joke, poor taste – but I couldn’t resist. It crossed my mind.

BYOD implications

So what does this have to do with BYOD?

Many organizations are still sitting on the sidelines with regard to BYOD. They passively permit their employees to use iOS devices (and Android and Windows phones, too) to send and receive corporate e-mail, mostly on unmanaged, personally owned devices. This means that every organization that presently permits its employees to send and receive e-mail on personally owned iOS devices is at risk of having all of that e-mail read (and retained) by LinkedIn, for every employee who downloads and installs the LinkedIn “Intro” app.

LinkedIn talks about this as “doing the impossible.”  I’d prefer to call it “doing the unthinkable.”

Organizations without MDM (mobile device management) are, for the most part, powerless to prevent this.

Every cloud has a silver lining.

This move by LinkedIn may finally get a lot of organizations off the fence in terms of BYOD, but employees might not be happy. Organizations’ legal departments are going to be having aneurysms right and left when they learn about this, and they may insist that corporate IT establish immediate control over personally owned mobile devices to block the LinkedIn Intro app.

Corporate legal departments usually get their way on important legal matters. This is one of those situations. When Legal realizes that LinkedIn Intro could destroy attorney-client privilege, Legal may march straight to the CIO and demand immediate cessation. That is, once you peel the Legal team off the ceiling.

Nothing like a crisis and reckless abandon by a formerly trusted service provider to get people moving.

This article does a good job of explaining the evils of LinkedIn Intro.

My respect for LinkedIn could not be at a lower point if they publicly admitted that they were sending your content to the government.

Prism, XKeyscore, and International Business

Disclaimer: I do not have, nor have I ever had, any level of security clearance from any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.

From 2006 through 2012, I was the information security officer for a global financial services company that sold subscription-based services to the largest companies in the world in every industry sector. Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions, in the form of additional security controls, in exchange for their business.

The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability of law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent. Our only argument was that we were not the source of original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications records. Still, many non-U.S. companies elected not to do business with our U.S.-based company because of PATRIOT.

Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information.  But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.

Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S.-based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information. With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyscore and Prism, law enforcement continuously obtains much of this same information. Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from long shot to near certainty.

This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.

————-

Aug 5 update: a headline article in the Puget Sound Business Journal echoes my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html

How to opt out from advertising tracking cookies

The truth is, I’ve been irritated about tracking cookies for over ten years, ever since I was an advisor on a corporate privacy project and learned just how extensively our Internet browsing habits and patterns are being recorded. I don’t appreciate that kind of “over your shoulder” scrutiny and personally consider it an invasion of my privacy. The ad agencies defend tracking cookies as their way of enriching my browsing experience. Whatever. I turn a blind eye to most ads anyway, but the idea of tracking where I go puts us on a slippery slope of Internet usage tracking that is not unlike what I believe occurs in communist China today.

Don’t misunderstand me. I don’t surf to sites I don’t want anyone to know about. While I am at work I am implicitly accountable to my employer for all of my usage of corporate-owned assets, Internet access and personal computer included. And when I’m at home or on the road with my MacBook, I use OpenDNS, which records where I go and blocks access to unwanted sites. My accountability partner is free to see those records on request.

Anyway, back to my main point – those tracking cookies. There is a way to opt out from nearly all of them. Before you spring into action, however, you will want to read this article all the way through, as there are several notes at the end.

If you have time to visit a lot of sites to opt out, go to the World Privacy Forum page below and click on each link to opt out of each of the sites (there are, at last count, 46 of these):

http://www.worldprivacyforum.org/cookieoptout.html

I went through each link and opted out of each site. It took me about 15 minutes (I’m a fast typer and clicker). You’ll also want to go to Google to opt out from their advertising cookies as well (I don’t know why they are not listed on the World Privacy Forum opt-out page):

http://www.google.com/privacy_ads.html

If you want to do this the quick way, go here to the Network Advertising Initiative to opt out from many ad agencies in one single action:

http://www.networkadvertising.org/managing/opt_out.asp

Notes

Whichever option above you choose, know this: you will need to perform this on each browser (that is, Internet Explorer, Firefox, Safari, and so on) on your computer. Your computer’s cookies are managed separately by each browser, so you’ll have to go through the above procedures for each one you use. I use primarily Firefox on my Mac systems, and I’ve opted out of all of the sites I could find. I’ll have to do this later with Safari (which I use only occasionally).

You will need to do this on each computer you use. And if you later clear your browser’s cookies, the opt-out cookies are deleted along with everything else, so you will need to repeat the process.

Turning off cookies?

You may be thinking, why not just turn off all cookies (or at least all tracking cookies) on your browser. Certainly that would block all tracking cookies, present and future. Sure. But you would also certainly hamper the functionality of many of the websites you visit, particularly those you log in to in order to use the site’s services. But if you are into extreme measures and a little experimentation, I invite you to turn off cookies and see how things go. I will bet, however, that you will soon be turning them back on so that the important sites you use will keep working the way you want.
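As an added example (not from the original post), here is the opt-out mechanism and its limits simulated with Python’s standard-library cookie jar, http.cookiejar, which applies the same domain and path rules browsers do. It shows how one ad domain’s cookie follows a browser across unrelated sites, that an opt-out is itself just a cookie on the ad domain (so clearing cookies clears the opt-out too), and, going one step beyond the all-or-nothing choice discussed above, how blocking cookies for the ad domain alone leaves first-party login cookies working. All domain names, cookie names and values are made up.

```python
# Added example (not from the original post): http.cookiejar, Python's own
# cookie jar, used to simulate what the opt-out procedure does and does not do.
# Every domain, cookie name and value below is made up for illustration.
import email.message
import http.cookiejar
import urllib.request

AD_PIXEL = "http://ad.example/pixel.gif"    # constructed third-party ad server
SHOP_LOGIN = "http://shop.example/login"    # constructed first-party site


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


def receive_cookies(jar, url, set_cookie_headers):
    """Store the Set-Cookie headers a server at url sent, subject to the jar's policy."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookie_header_for(jar, url):
    """The Cookie header the jar would attach to a request for url (None if none)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate_tracking(jar):
    """Two unrelated pages embed the same ad pixel. The identifier set during the
    first page view is presented again on the second, so the ad network can tie
    both page views to one browser. Returns the Cookie header sent each time."""
    receive_cookies(jar, SHOP_LOGIN, ["session=s1; Path=/"])   # first-party login cookie
    receive_cookies(jar, AD_PIXEL, ["uid=abc123; Path=/"])     # ad network assigns an id
    on_shop_page = cookie_header_for(jar, AD_PIXEL)
    # Later, a news site embeds the same pixel; the ad server sets nothing new.
    on_news_page = cookie_header_for(jar, AD_PIXEL)
    return on_shop_page, on_news_page


def opt_out(jar):
    """Opt-out pages work by having the ad server replace the identifier with an
    opt-out marker cookie on its own domain. It is still a cookie."""
    receive_cookies(jar, AD_PIXEL, ["uid=OPT_OUT; Path=/"])
    return cookie_header_for(jar, AD_PIXEL)


def clear_all_cookies(jar):
    """A browser's 'clear cookies' removes the opt-out marker too: the next ad
    request carries no cookie, and the network simply assigns a fresh id."""
    jar.clear()
    return cookie_header_for(jar, AD_PIXEL)


def blocked_ad_domain_jar():
    """Refuse cookies from the ad domain only: the shop's login cookie is kept
    and the ad identifier is never stored. Both spellings are listed because the
    jar records a host-only cookie's domain without a leading dot and a
    Domain=-attribute cookie's domain with one."""
    policy = http.cookiejar.DefaultCookiePolicy(blocked_domains=["ad.example", ".ad.example"])
    jar = http.cookiejar.CookieJar(policy)
    receive_cookies(jar, SHOP_LOGIN, ["session=s1; Path=/"])
    receive_cookies(jar, AD_PIXEL, ["uid=abc123; Path=/"])
    return (cookie_header_for(jar, "http://shop.example/account"),
            cookie_header_for(jar, AD_PIXEL))


def run_scenario():
    """Run the four steps in order on one fresh jar and return the results."""
    jar = http.cookiejar.CookieJar()
    return {
        "tracking": simulate_tracking(jar),            # ('uid=abc123', 'uid=abc123')
        "after_opt_out": opt_out(jar),                 # 'uid=OPT_OUT'
        "after_clearing": clear_all_cookies(jar),      # None
        "ad_domain_blocked": blocked_ad_domain_jar(),  # ('session=s1', None)
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result!r}")
```

The blocked-domain jar is the middle road between the two options discussed above: it is the per-site cookie blocking most browsers offer under their privacy settings, and it is the only one of the three that survives a clear-cookies operation, because it is a policy rather than a stored cookie.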

References

World Privacy Forum (http://www.worldprivacyforum.org/)

Electronic Privacy Information Center (http://www.epic.org)

E-mail security problems and the Canadian ISPs that are ignoring them

Over one year ago, days apart, I began to receive e-mail messages addressed to others. For weeks I worked diligently to try and put a stop to it. My requests fell on deaf ears. I receive regular reminders that it is happening still.

I began to receive many (or all) e-mail messages addressed to someone named Sandy, who lives in Ontario, Canada. The domain name is Eastlink.ca, a broadband access provider. It didn’t take long to figure out that I was receiving all of Sandy’s e-mail. I wrote to Sandy, suggesting she complain to her ISP, and of course I also received a copy of that message in my own inbox. I wrote to Sandy a couple of times and never heard from her. I guess she doesn’t care, or maybe she did not receive the messages. I also complained to Eastlink.ca, and heard nothing from them.

I also receive all of Brian’s e-mail, and his ISP is ica.net, another broadband access provider in eastern Canada. I complained to ica.net, several times, and never received a response. I wrote to Brian also, and he responded and suggested I change my e-mail address. As if!

I also receive messages to someone at charter.net, but this user’s e-mail address does not indicate their name. I wrote to them and to Charter.net – you guessed it: no response.

Soon after this began, I wrote inbox rules to immediately delete all e-mail messages addressed *to* these user accounts that ended up in my inbox. Now and then I look in my Trash Bin (where deleted e-mails go), and sure enough, there are still scores of e-mail messages: thank-yous for online merchant orders, Facebook invites, e-cards, and personal correspondence. I don’t read these messages.

Some of these messages still come to my inbox; this includes messages where the recipient was on the BCC (blind carbon copy) list. My inbox rules don’t know how to respond to these: a BCC recipient’s address never appears in the headers of the delivered message, so there is nothing for a rule that matches on the To address to catch.

I wish this would stop. I’m going to write to ica.net, Charter.net, and eastlink.ca again, but I’m not expecting any response, not to mention action.

I cannot imagine that this is happening only to me. If some malevolent (or even accidental) action is behind this, then chances are that hundreds or thousands of other users’ e-mail messages are also being forwarded without their permission.

This also makes me wonder if this is happening to MY incoming e-mail: could some other user out there be receiving messages sent to me?  I sure don’t relish that idea: sometimes I receive “reset your password by clicking on this URL” messages. What if someone else receives these and decides to click the one-time link before I do? Some online account of mine could be compromised as a result.

I’m also worried about my own liability in this matter.  I’m receiving e-mail messages that are supposed to be sent to others. I don’t want them, I don’t read them, and I delete them when I see them. But what if I receive messages containing personal medical information, for instance?

There are several possible causes for this inadvertent e-mail forwarding:

  • Malware, tampering, or compromise of an ISP e-mail server.
  • Compromise of individual users’ e-mail accounts, where an attacker inserts rules to forward mail to me (and maybe others).
  • Malware or compromise on individual users’ computers; this may be the case if the users run workstation-based e-mail software such as Outlook, Outlook Express, or Thunderbird.

There may be other potential causes, but I cannot think of any more.

If malware or a human intruder were behind this, what is their gain? What is the benefit for an intruder if someone’s e-mail is forwarded to someone who lives 3,000 miles away?  If the intent is to harm someone, who does it harm? If the intent is to harm the individuals whose e-mail messages are being forwarded to me, then I can think of several more malicious ways to harm them.  If the intent is to harm me, I don’t see how this harms me.
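The inbox-rule problem described above, as an added example (mine, not the post’s): a filter that decides whether a message was really meant for me by reading the delivery trail rather than the To: line. Each server that handles a message normally records the mailbox it was delivering to in the “for <address>” clause of the Received: header it adds, and many receiving servers also add a Delivered-To: or X-Original-To: header (whether yours does is an assumption to check). If any hop accepted the message for a mailbox other than mine, the message was redirected or forwarded, whether or not that person is visible in To: or Cc:, which is exactly the BCC case the rules could not handle. All addresses, host names and sample messages are constructed.

```python
# Added example (not from the original post): a misdelivery filter that works
# from the delivery trail instead of the To: line. All addresses, hosts and
# sample messages are constructed; the Delivered-To / X-Original-To headers are
# an assumption about what the receiving mail server adds.
import re
from email import message_from_string, policy
from email.utils import getaddresses

MY_ADDRESSES = {"me@example.net"}                       # constructed
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To")   # assumption: the MTA adds one
# The "for <address>" clause a receiving server writes into its Received: line.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def visible_recipients(msg):
    """Addresses named in To: and Cc:, which is all a simple inbox rule can see."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def envelope_recipients(msg):
    """Addresses the servers say they delivered to: Received 'for <...>' clauses
    plus the envelope headers. A BCC recipient shows up here and nowhere else."""
    found = set()
    for received in msg.get_all("Received", []):
        found.update(addr.lower() for addr in FOR_CLAUSE.findall(received))
    for name in ENVELOPE_HEADERS:
        found.update(addr.lower() for _, addr in getaddresses(msg.get_all(name, [])) if addr)
    return found


def classify(raw_message):
    """'mine': I am named in To/Cc. 'misdelivered': some server accepted this
    message for another mailbox before it reached mine (covers the BCC case).
    'bcc-to-me': nobody else appears anywhere, i.e. an ordinary BCC to me."""
    msg = message_from_string(raw_message, policy=policy.default)
    if visible_recipients(msg) & MY_ADDRESSES:
        return "mine"
    if envelope_recipients(msg) - MY_ADDRESSES:
        return "misdelivered"
    return "bcc-to-me"


def original_mailboxes(raw_message):
    """The foreign mailbox(es) the message was first delivered to: the detail to
    quote when complaining to that ISP."""
    msg = message_from_string(raw_message, policy=policy.default)
    return sorted(envelope_recipients(msg) - MY_ADDRESSES)


# Constructed samples. Received: headers read newest first; the top one is my
# provider accepting the message from the other ISP's server.
FORWARDED_TO_SANDY = """\
Received: from mail.isp-a.example by mx.example.net with ESMTP id a1 for <me@example.net>; Sat, 01 Jan 2011 10:00:01 +0000
Received: from smtp.merchant.example by mail.isp-a.example with ESMTP id b2 for <sandy@isp-a.example>; Sat, 01 Jan 2011 10:00:00 +0000
Delivered-To: me@example.net
From: orders@merchant.example
To: Sandy <sandy@isp-a.example>

Your order has shipped.
"""

# Brian was a BCC recipient: nothing in To: names him, so a To-address rule misses it.
FORWARDED_BCC_TO_BRIAN = """\
Received: from mail.isp-b.example by mx.example.net with ESMTP id c3 for <me@example.net>; Sun, 02 Jan 2011 09:00:01 +0000
Received: from smtp.club.example by mail.isp-b.example with ESMTP id d4 for <brian@isp-b.example>; Sun, 02 Jan 2011 09:00:00 +0000
Delivered-To: me@example.net
From: organizer@club.example
To: members@club.example

Party on Saturday.
"""

# A normal message to me, and a normal BCC to me: neither should be flagged.
MINE = """\
Received: from smtp.friend.example by mx.example.net with ESMTP id e5 for <me@example.net>; Mon, 03 Jan 2011 08:00:00 +0000
Delivered-To: me@example.net
From: friend@friend.example
To: me@example.net

Hello.
"""
BCC_TO_ME = """\
Received: from smtp.friend.example by mx.example.net with ESMTP id f6 for <me@example.net>; Mon, 03 Jan 2011 08:05:00 +0000
Delivered-To: me@example.net
From: friend@friend.example
To: alice@example.org

You were on the BCC line.
"""

if __name__ == "__main__":
    for label, raw in [("sandy", FORWARDED_TO_SANDY), ("brian", FORWARDED_BCC_TO_BRIAN),
                       ("mine", MINE), ("bcc", BCC_TO_ME)]:
        print(label, classify(raw), original_mailboxes(raw))
```

Received: headers are written by the servers along the path and cannot be trusted absolutely (a sender can forge the lower ones), but the top ones are written by your own provider and are the evidence an ISP abuse desk will actually act on; original_mailboxes() pulls out exactly that detail.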

Security question: being watched while watching videos

A reader asks: I have a friend who heard that we can be “watched” while we watch online videos. Any truth to it that you know of?

Answer: Theoretically yes, but only if you have a webcam (if you literally mean “watching”). I’ve heard of it being done.

If you mean “knowing what you are watching” (some kind of tracking), that is certain. YouTube remembers what you have watched (it can be embarrassing), and other video sites do too. Sites do this with tracking cookies and other means to remember what videos you view, what pages you see, and the sites you visit.

India to issue 1.2 billion biometric ID cards

Biometrics for Dummies available immediately to fill the knowledge void

India has decided to issue biometric ID cards to each of its 1.2 billion citizens. Delhi recently established the Unique Identification Authority that will assign unique ID numbers to each citizen.

This will create a demand for knowledge about how biometrics works. Biometrics For Dummies, published in 2007, meets that need. “This is a huge deal in the world of biometrics,” writes Mike Simon, co-author of Biometrics For Dummies.

“Like many populations, people may not embrace biometrics right away,” says Peter Gregory, co-author. “Most people do not know how biometrics works, and whether biometrics can be used to pry into someone’s personal details.”

Biometrics for Dummies is available in many forms and from several sources, including:

Amazon.com

Kindle (electronic) edition

Online bookstores serving India:

Infibeam

Rediff

You may view the Table of Contents here (PDF)

Times Online article

Are more federal cybersecurity laws needed?

Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and the author of twenty books on cybersecurity and data communications technology, I’m qualified to comment on this article.

Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws goes nearly far enough to deal with the blatant irresponsibility of many private corporations in protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) is, in part, still occurring because private corporations are not doing enough to protect OUR DATA.

My most recent book on cybersecurity, which is to be published in May, opens in this way:

“If the Internet were a city street, I would not travel it in daylight,” laments a chief information security officer for a prestigious university.

The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, cyber-gangs and organized criminal organizations have discovered the business opportunities for extortion, embezzlement, and fraud that now surpass income from illegal drug trafficking. Criminals are going for the gold, the information held in information systems that are often easily accessed anonymously from the Internet.

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.

What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat to our economy than the worldwide recession.

Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers sponsored by the People’s Republic of China. I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in details that I cannot describe here. I believe that the capabilities of those groups are probably far greater today than they were at the time of the briefing. These groups’ efforts have been so successful because U.S. private companies are not required to adequately secure their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).

I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.

Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.

Browsers are compromising our privacy

…and it’s not just Google.  IE8 also has features that are misleading, in terms of privacy.

I’ll talk about Google first. What’s going on: text you type in the search or URL field is sent to Google even if you never press Enter. In other words, if you type in the word “breasts”, and then decide that you should not be searching on that at work (or wherever you are), it has already been sent to Google anyway. It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8.  This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been.  However, according to forensic experts, the feature doesn’t work and it’s still trivially easy to see what sites a user has visited even in InPrivate mode.

Article here (Network World)

Sept Scientific American on security and privacy

The entire September 2008 issue of Scientific American magazine is devoted to security and privacy.  I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

Apparent misdeeds result in free credit monitoring for millions

A class action lawsuit against credit reporting bureau TransUnion has produced a settlement under which millions of U.S. citizens will get free credit monitoring for as long as nine months.

If you had a credit card or even a student loan between 1987 and 2008, you may be eligible.

This development could be enough to get millions more citizens signing up for credit monitoring, which could result in a small reduction in identity theft.  I say “small”, because despite the rate of fraud and identity theft, many will just be too busy to go to the trouble of signing up for credit monitoring, or they’ll have initial zeal but will lose interest after a short time.

But don’t take *my* word for it – here are some independent news stories:

KOMO TV Seattle

WSMV TV Nashville

Baltimore Sun

Kiplinger Magazine

Yahoo Answers

…and when you are convinced that this is real, go here to sign up and make your claim:

https://www.listclassaction.com/

In the settlement, TransUnion has admitted no guilt. And whether there was any actual wrongdoing or not is not my point.

Shortage of qualified security professionals continues

Security is a topic of great interest to IT professionals, business management, and the general public.  The wide proliferation of private information among organizations in the 1980s led to public outcry and the passage of privacy laws.  The explosion of e-commerce in the 1990s resulted in the theft of hundreds of millions of credit card numbers in thousands of security incidents that continue to this day.  Identity theft has also skyrocketed, largely because many organizations collect and store personal information and do not adequately protect it.  Many countries have passed additional data security laws intended to tighten up security and also require the disclosure of security breaches.  Things have only marginally improved since then.

These developments have led to a severe shortage of qualified information and business security professionals who are able to properly apply security controls required by applicable laws and regulations.  These professionals also need to be able to seek, identify, and mitigate other risks that could negatively affect organizations that collect and use sensitive information.

Introduction to an upcoming academic textbook on business and computer security

New severe home/small business router vulnerability requires attention

A severe UPnP flaw allows router hijacking. Experts believe that 99% of home routers are vulnerable. This is a potentially alarming development.

An attacker will most likely use the vulnerability to alter a home (or small business) router’s DNS settings, which will effectively direct every computer in the network to visit sites of the attacker’s choosing.

How the attack will work: attackers will place malicious code on web sites, in SWF (Flash) or other active content, that sends UPnP commands from the victim’s browser to the router on the local network. Because the requests come from inside the network, the router accepts them as if they came from a trusted device.

Things you can do:

1. Disable UPnP on your router. Most people don’t use it anyway. I use it but will probably deactivate it this week.

2. Configure OpenDNS or ScrubIT DNS directly on each of your internal systems, rather than letting them take DNS settings from the router. This effectively bypasses your router’s DNS, making a DNS attack on your router irrelevant to those systems.

3. Find someone who knows about home/SMB Internet router configuration who can tell you if your router has been compromised. Know your router’s configuration.

4. Change (or establish) the administrator password on your router. This is just a good idea anyway.

5. Contact your Internet service provider and ask for information about updates to counter this vulnerability.

6. Implement firewalls on the individual systems in your network. If an attacker deactivates the firewall function on your router, the PC-based firewalls will continue to protect those systems.
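To verify step 1 rather than trust the router’s settings page, here is an added example (not from the original post) that asks the local network whether anything still answers UPnP discovery. UPnP devices are found over SSDP: an HTTP-style M-SEARCH request sent by UDP multicast to 239.255.255.250 port 1900, which devices answer with a unicast HTTP/1.1 200 OK datagram naming their device-description URL and type. A router with UPnP on identifies itself as an InternetGatewayDevice, the kind of device the attack described above talks to. The sample response, its address and its SERVER string are constructed so the parsing runs offline; discover() needs a real LAN.

```python
# Added example (not from the original post): check whether anything on the LAN
# still answers UPnP discovery, which is what step 1 ("disable UPnP") should
# stop. UPnP devices advertise over SSDP: an HTTP-like M-SEARCH sent by UDP
# multicast to 239.255.255.250:1900, answered by unicast "HTTP/1.1 200 OK"
# datagrams. The request and response formats are the standard ones; the sample
# response, its addresses and its SERVER string are constructed for offline use.
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
# Device/service types an Internet gateway exposes; these are what the attack targets.
GATEWAY_MARKERS = ("internetgatewaydevice", "wanconnectiondevice", "wanipconnection")


def build_msearch(search_target="ssdp:all", mx=2):
    """Standard SSDP M-SEARCH; ssdp:all asks every UPnP device to answer."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram):
    """Lower-cased header dict for an SSDP 200 OK, or None for anything else
    (NOTIFY announcements, garbage)."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway(headers):
    """True if the responder identifies itself as a router (Internet gateway)."""
    tokens = (headers.get("st", "") + " " + headers.get("usn", "")).lower()
    return any(marker in tokens for marker in GATEWAY_MARKERS)


def discover(timeout=3.0):
    """Send one M-SEARCH to the LAN and return (address, location, server, is_gateway)
    for every responder. Needs a real network."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            try:
                data, (address, _port) = sock.recvfrom(65507)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append((address, headers.get("location"), headers.get("server"),
                              is_gateway(headers)))
    finally:
        sock.close()
    return found


# Constructed reply of the kind a router with UPnP enabled sends.
SAMPLE_GATEWAY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleRouterOS/1.0 UPnP/1.0 ExampleUPnP/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    responders = discover()
    if not responders:
        print("No UPnP responders; if the router is the only device, UPnP appears to be off.")
    for address, location, server, gateway in responders:
        print(f"{address:<15} {'ROUTER ' if gateway else ''}{server} -> {location}")
```

No answer is not proof that UPnP is off: some routers only reply to specific ST values or ignore requests from wireless clients, so try again from a wired machine. Conversely, a reply only tells you the router is listening; whether its DNS settings have already been changed is something to check on the router itself (step 3).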

Links to information:

CERT Warning

Information Week story

Computerworld story

SANS Internet Storm Center article

Older story on home router vulnerability

Sears admits to loading spyware on computers

Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, makes its pitch in an email sent to people shortly after they provide their e-mail address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address, and household size before installing ComScore spyware that monitors every site visited on the computer.

Sears’ privacy statement does disclose this.  Their privacy statement is 54 pages long, and the disclosure is on page 10.

Wow.

Link to full story:

http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/

Sears/Kmart loading spyware on computers?

Update: Sears admits to installing spyware, claims it is disclosed in its 54 page privacy statement

A report published yesterday by Ben Edelman, an assistant professor at Harvard Business School, indicates that the retail giant is violating Federal Trade Commission policies in its distribution of ComScore, an application that tracks Web browsing activity. If the allegation is true, this could erupt into another privacy scandal, such as Sony’s loading rootkits on music CDs (story).

Is this another case of technologists doing what they want and not following company policy or the law? Too often, technologists design and build systems to their own specifications without having informed outsiders review those specifications. This could also be a case of poor product data management, if a low-level person sneaked the spyware into the final system image without getting anyone’s approval.

Or was this a brazen and deliberate violation of the law? Time will tell.

News story here.

Defend Privacy: support EPIC

“EPIC is on the front lines of the most important civil liberties issues of our age, defending privacy, promoting open government, and encouraging critical public debate about the technologies that are transforming our lives. I support EPIC and I hope you will, too.”

– Bruce Schneier, internationally renowned security technologist and author

Dear Friends,

Every year EPIC sends a fundraising request to EPIC Alert subscribers to ask for a contribution to EPIC. Individual contributions are critical for the continued success of EPIC.

Here are a few of EPIC’s current campaigns:

– EPIC is seeking the legal memos from the Department of Justice concerning the President’s domestic surveillance program. We believe those memos should be made available to the public before any new surveillance laws are passed.

– EPIC is pushing for greater scrutiny of the surveillance programs funded by the Department of Homeland Security, such as video surveillance systems, “fusion centers,” and other programs that track and monitor Americans.

– EPIC is asking Internet companies to do a better job of developing privacy technologies, to give consumers more control over their information, and to limit the collection of personal data where possible.

– EPIC is promoting privacy standards for the WHOIS database. That database contains detailed information of people who register web sites; personal information should be protected.

– EPIC is pushing for privacy safeguards in the Google-Doubleclick merger. We believe there should be some limits on the profiling and tracking of Internet users.

These efforts have real consequences for your privacy, and we need your support to continue our work.

You can contribute to EPIC in two ways:

– Send a check to “EPIC,” 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009

– Donate online at http://www.epic.org/donate

EPIC is a non-profit, charitable organization. Your contribution to EPIC is tax-deductible.

Thank you for your contribution.

And best wishes for the holiday season from all of us at EPIC.

Sincerely,

Marc Rotenberg
EPIC Executive Director

P.S. If you have friends who might be interested in supporting EPIC, please forward this message.

Learn more about safe computing

Order a copy of Computer Viruses for Dummies – this is a smaller-format Dummies book that talks about Viruses and also spam, spyware, firewalls, and other steps you need to take to make your computer safer.

Purchase hardcopy from Amazon.com

Purchase e-book

Change your Wireless network to WPA

I have written in the past about how the old wireless WEP protocol is no longer safe. You need to upgrade your WiFi access point and the computers in your house that use WiFi from WEP to WPA (or WPA2, if your equipment supports it). The WEP protocol that is still the default on most WiFi access points and routers can be easily broken by any clever computer user with a few simple tools.

Instructions: upgrade your router and computers from WEP to WPA.

Make separate user accounts for shared computers

If any of your computers are shared among family members, make separate user accounts for each user. Put passwords on each account and do not share your passwords. Make only one account an “administrator” (you – since you are reading this!) and make all other users a “Limited account”. Turn off the Guest account.

When a family member is done with the computer (even for a minute), get everyone into the habit of locking the screen (press the Windows key and L together), which requires a password to unlock. This will prevent one person from using another person’s account.