Archive for September, 2010

by Ondrej Krehel

Last time we looked at and how the images we take with our GPS-enabled smartphones can broadcast more than a pretty picture. The same applies to our Microsoft Office files and Adobe PDFs.

When it comes to metadata, there are two types: file system metadata and metadata embedded in the document itself. Metadata inside the document, in particular, provides valuable history information about the document.

The came in 2003, during the walkup to the Iraq war. Tony Blair’s administration published a dossier on Iraq security and intelligence operations. Colin Powell famously quoted it during his address to the United Nations. But after the British government made the dossier public, it became clear via metadata that much of the information was cribbed from a U.S. researcher. The dossier’s metadata history soon spoke more than the information itself.

If the British government has metadata problems, then how do humble business and home users handle it? Actually, it isn’t that hard.

Each computer document format has its own set of metadata fields. They can range from “document creator”—usually the computer username or the name the software was registered to—to date, time, computer information and sometimes even IP address, which sophisticated computer users can trace.

This actually has a host of benefits. Search engines, for example, can pick up keywords from metadata buried in MS Office and PDF files. Computer investigators routinely look at metadata to pinpoint when files were created, modified or printed, and often to recognize backdated documents. As with and , the key with metadata in office files is to be aware of what you’re sending when you’re sending it.

There’s a very easy way to see metadata in your office files. Simply right click on the file and select Properties. Under the Details tab you’ll see what metadata is associated with that document. If you’re posting the file online and want to remove that information, it is as easy as clicking “Remove Properties and Personal Information” at the bottom of the screen, which is available in MS Office 2007.

If you want to have more granular control use “Document Inspector” in Office 2007, which is an integral metadata removal tool that strips Word, Excel, and PowerPoint documents of information such as author name, comments and other information.
This trick works for both Microsoft Office and Adobe PDF files. Or, with Word files, you can save your file as a PDF before sharing online.

In MS Office for Mac OS, metadata can be stripped before saving the document by enabling the option “Remove personal information from this file on save” on the Preferences menu, under the Security tab. This applies to MS Word and MS Excel.

This conversion scrubs metadata and is available with MS Office 2007 as a save option (check document properties to edit saved metadata), or with and free programs such as .
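To show where these fields live on disk, here is an added example (not part of the original post) that reads and removes the personal core properties of an Office 2007 .docx, which is a ZIP package with those fields in docProps/core.xml. The function names and the constructed sample package are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CORE = "docProps/core.xml"  # OOXML part holding author, editor and timestamps
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
PERSONAL = ["dc:creator", "cp:lastModifiedBy", "cp:lastPrinted",
            "dcterms:created", "dcterms:modified"]

def read_core_properties(package):
    """Return {field: value} for the personal fields found in the package bytes."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read(CORE))
    return {name: el.text for name in PERSONAL
            for el in root.findall(name, NS) if el.text}

def scrub_core_properties(package):
    """Return a copy of the package with the personal fields removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == CORE:
                root = ET.fromstring(data)
                for name in PERSONAL:
                    for el in root.findall(name, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)  # every other part is copied as is
    return out.getvalue()

def make_sample_docx():
    """Constructed minimal package for the demo, not a complete Word document."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:title>Quarterly report</dc:title><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>jsmith</cp:lastModifiedBy>'
            '<dcterms:created>2010-08-30T09:00:00Z</dcterms:created>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr(CORE, core)
        z.writestr("word/document.xml", "<document/>")
    return out.getvalue()
```

This covers only the core properties; comments, tracked changes and the docProps/app.xml part are untouched, which is where Document Inspector goes further.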

For more software specific information, see:

There are also commercial software toolkits that one can use. from BEC Legal Systems, or from Esquire Innovations, are a good place to start.

For the technically minded, the National Security Agency published a report in 2008 on the risks, and countermeasures, associated with metadata in PDF files, .

Life is tough, and technology can make life easier. But life is tougher if you are not an educated, aware technology user.

Ondrej Krehel, Chief Information Security Officer,

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

by Ondrej Krehel

Adam Savage of television’s Myth Busters . He inadvertently posted his home address to his thousands of Twitter followers.

That information, the GPS coordinates of where he stood when he snapped the picture with a camera phone, was embedded in the image file, which Internet surfers could easily see with the right software, such as the for Firefox.

iPhones, BlackBerrys, other smart phones and a host of higher-end digital cameras have the ability to “geotag” pictures and videos. It can be a convenient feature, but shouldn’t be your default setting if you regularly share photos online.

Different photo formats record different kinds of information within the picture, which we call metadata. This amounts to the “story” of the photograph and can include fields like date and time the picture was taken, exposure, camera type, file size and, if it’s GPS-enabled, location.

Metadata can be a huge help to professional photographers interested in just how they captured that particular photograph or to amateur photographers on vacation looking to immortalize that exact spot.

But there are moments in our life when we want a little more privacy. When we post photos of our home, or the car in our driveway, we could also be sharing where we live—and in some cases, when we are or aren’t at home.

Some sites, such as Facebook—and now Twitter following the Savage story—automatically delete or scramble metadata before posting, but to be safe, you should know your hardware.

If you have a camera with GPS your best bet is to read the manual. There is likely an easy setting for turning geotagging on and off. To learn how to toggle the feature on an iPhone, Android phone or BlackBerry, visit .

To look at the metadata on your old photos, is open source (free), and easy to use. is another good option for reading, writing and editing your metadata. You can quickly remove metadata from your image files, without affecting the image quality, with ExifTool, or .
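For readers who want to see what such a tool does under the hood, here is an added example (not from the original post) that checks a JPEG for an EXIF GPS pointer and removes the APP1 segments that carry EXIF and XMP metadata. The function names are assumptions, and the sample file is constructed for the demo and holds no real image data.

```python
import struct
EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-directory

def header_segments(data):
    """Return ([(marker, start, end)], scan_offset) for segments before Start of Scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("malformed segment header at offset %d" % pos)
        if data[pos + 1] == 0xDA:  # SOS: compressed image data follows
            return segs, pos
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length runs past end of file")
        segs.append((data[pos + 1], pos, pos + 2 + length))
        pos += 2 + length

def tiff_has_gps(tiff):
    """True if IFD0 of an EXIF TIFF block carries a GPSInfo pointer."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]  # 12-byte entries, tag first
    return any(struct.unpack(order + "H", entries[i:i + 2])[0] == GPS_IFD_TAG
               for i in range(0, len(entries) - 11, 12))

def has_gps(data):
    segs, _ = header_segments(data)
    return any(m == 0xE1 and data[s + 4:s + 10] == EXIF_HDR and tiff_has_gps(data[s + 10:e])
               for m, s, e in segs)

def strip_app1(data):
    """Drop every APP1 segment (EXIF and XMP); keep all other bytes unchanged."""
    segs, scan = header_segments(data)
    return b"\xff\xd8" + b"".join(data[s:e] for m, s, e in segs if m != 0xE1) + data[scan:]

def make_sample_jpeg():
    """Constructed sample: EXIF holding only a GPSInfo pointer, no real image data."""
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, 1)  # TIFF header, IFD0 at 8, one entry
    tiff += struct.pack(">HHIII", GPS_IFD_TAG, 4, 1, 26, 0) + struct.pack(">HI", 0, 0)
    payload = EXIF_HDR + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xda\x00\x02\xff\xd9"
```

Dropping EXIF also removes the orientation tag, so some viewers may show the cleaned picture rotated.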

Remember, awareness is the most important factor in safe computer and mobile usage. Know the real value of information before you release it to the public.


Surf Smart, Surf Clean

by Ondrej Krehel

Are you aware that just by clicking on a picture you can get a virus, malware, or a Trojan horse?

Cameron Diaz recently made headlines as the Internet’s most dangerous celebrity—and not because of her .

McAfee, the antivirus software company, listed because cybercriminals use her name and pictures more than any other celebrity to lure unsuspecting Internet users to dangerous websites. Julia Roberts and Jessica Biel were not far behind in the No. 2 and No. 3 spots.

What makes web surfing dangerous? Malware: malicious software, which can range from a computer virus, to programs that collect your personal information and credit card numbers, to backdoors that give hackers access to your computer. And let’s not forget tracking cookies for behavior marketing purposes or invasive content such as spam.

According to , the antivirus company, the countries where it’s most dangerous to surf online are .

There are several free programs available for personal use that will scan your system for malware, such as , and , but just like your own health and wellness, an ounce of prevention is worth a pound of cure. (Windows Vista and Windows 7 have a good built-in malware scanner, Windows Defender.)

Just like we all brush our teeth and comb our hair (well, most of us at least) there are some regular hygiene steps you want to incorporate into your Internet routine. They will keep your system running fast and clean.

The first, and most important, is general awareness. If you’re on a website that you’re not familiar with, or that doesn’t look professional, don’t just OK pop-up requests for information. Often malware pop-ups look like Windows icons, designed to confuse you, which offer help with some threat detected on your computer.

Also, your computer operating system should be updated with the latest security patches, which can be set to update automatically. And it goes without saying that you should be running antivirus software and have a firewall enabled, even if you’re on a Mac or Linux system. AVG provides free antivirus for personal use. From time to time, cross check your PC health status with free online scans from the major antivirus vendors, such as Kaspersky, Eset, McAfee and Symantec. Mac users can use free while Linux and BSD users have .

Make sure, too, that your web browser is the latest, most-secure version. The newest versions include phishing filters, pop-up blockers and malware protection. More technical users can leverage advanced features such as Firefox (e.g ), and options for disabling scripts, and many others.

Again, the most important thing is to use your judgment. If you’re clicking around for Cameron Diaz photos and nothing pops up, or worse, your computer freezes for a few seconds, you’re probably not on the safest website. If you really need to surf celebrities instead of Wikipedia, try Leonard Bernstein, Antonin Dvorak or Mike Bloomberg.


by Eduard Goodman

You’ve been lambasted by the media, academics, politicians and privacy advocates regarding privacy issues. It’s really not fair. When it comes to privacy, rather than being criticized, you should be commended, at least on a couple of levels.

First, thank you for significantly contributing to the global dialogue between the public, governments and the business community about privacy in the 21st century. Prior to Facebook, the subject of privacy tended to be relegated to small esoteric discussions among lawyers, academics and the like. The public didn’t think much (or frankly care much) about the issue. We all failed to recognize how much information we were revealing about ourselves on a daily basis. More importantly, the public didn’t think much about who was collecting that information and what it was being used for. But thanks to you, our awareness around privacy has grown considerably. The side effect of our willingness to reveal more information about ourselves has resulted in greater self-reflection by the public on the subject of privacy.

When you combine this philosophical reflection on privacy with your “ever evolving” corporate attitude on the subject (reflected in no less than six revised versions of your privacy policies since 2004), it makes sense why you have fueled the discussion around privacy by our society at large. Now the academic discussion on privacy by a few specialists has morphed into a conversation at cocktail parties and PTA meetings. We have you to thank for this.

But I also want to thank you for teaching the business community lessons about the importance of “Privacy by Design.” This term, coined by Dr. Ann Cavoukian, the privacy commissioner of Ontario, Canada, is really just “…the philosophy of embedding privacy proactively into technology itself—making it the default.” Unfortunately, you have become the poster child for the negative consequences of not thinking through the privacy implications when launching a product or service. Frankly, you have also paid the price in the form of negative PR and congressional attention for failing to make privacy the “default.” But your failures are also the business community’s lessons.

For the record, I don’t think that you are an evil company. I use Facebook. My family and friends use Facebook. You’ve been pretty open and honest about your changing views on privacy and have willingly demonstrated on the global stage just how difficult it is to ever really get it right. And so I wish you good luck and thanks again.

Sincerely,

Eduard Goodman, J.D., LL.M., CIPP
Chief Privacy Officer
, LLC

Eduard Goodman, Chief Privacy Officer,

An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

by Ondrej Krehel

If you’re connected to the Internet, you need to ask one basic question: Am I safe?

A bank, insurance company or investment firm may have a database of tens of thousands of customers—their names, addresses, birth dates, even social security numbers. That client list left unprotected could be a boon to rival companies or, even worse, identity thieves. Information security amounts to protecting that corporate asset from unwanted eyes. It is a set of tools and techniques that security professionals use to keep intruders out while making information secure, keeping it confidential and available to trusted employees.

You’re not very different from that financial institution.

Many of us shop online using our credit cards and send private emails or Facebook messages we wouldn’t want the whole world to see; some of us even manage our bank accounts and investments on the Internet. All that information is stored on your Mac or PC. So what tools and techniques are you regularly implementing to keep those personal assets safe? Is your web browser up-to-date? Do you have a firewall running? Antivirus software? Malware protection? Are you a “smart” Internet user?

In this new Privacy & Security column on , we’re going to discuss security basics, to ensure your system is running as clean and safe as possible. We’re going to look at technical changes you can make on your home computer along with more holistic human or user changes—like upping your level of basic online awareness. We’re going to look at best practices when shopping online, the secret information buried in the files we share and offer user tips like “hygienic browsing”—you brush your teeth, but do you brush your browser?

For more than a decade as a computer security professional, I’ve helped governments, corporations and individuals evaluate security risks and respond in force to a broad range of technology crimes. As the chief information officer for —the nation’s premier identity management, enterprise-level fraud solutions and consumer education service—I’ve helped businesses and individuals reevaluate their network security and have conducted numerous computer forensics investigations. Even stealthy cyber criminals leave fingerprints behind.

So whether you’re a Fortune 500 company or first-time computer user, ask yourself, Is my digital information safe? To help answer those questions, and to learn more about information security and computer forensics, stay tuned.
