Microsoft Free eBook on Security and Privacy for Office 2010 Users

These days security is on almost everyone’s mind, especially if you work in industry or for a government agency (I work in the UK Health Service, the “NHS”), or even if you are a security-conscious home user.

With all the sensitive documents you may have to create, be they industrial ideas or research work, we at times overlook the security aspect of a Word or Excel file that may contain very sensitive or secret data.

So, to help secure our documents, Microsoft Press have released for FREE (yes, FREE) the fantastic book by Mitch Tulloch (a well-respected Microsoft MVP in Windows Administration), Security and Privacy for Microsoft Office 2010 Users.

“Take control—and put the built-in security and privacy features in Microsoft Office to work! Whether downloading documents, publishing a presentation, or collaborating online—this guide offers concise, how-to guidance and best practices to help protect your documents and your ideas.

• Get practical, proactive guidance for using the security and privacy management features in Office 2010 and Office 365

• Walk through everyday scenarios, and discover everyday techniques that help you take charge

• Understand common risks and learn best practices you can apply right away”

The book covers many aspects, from “Why should you care” to “Encrypting a Document”, and the chapters are laid out clearly and simply enough that anyone who uses Office 2010 should be able to follow them.


The book has great images to go along with the steps for each topic; I’m a great fan of using images to help describe a step-by-step guide. I think this book is well worth downloading for any user of Office 2010, be you a corporate or home user.

Read the rest of the article and download the free eBook at Microsoft Press HERE

Old Hard Drives and left over data

Some new information is out today from the UK Information Commissioner’s Office (ICO): of the hard disks that they tested, about 11% still held data, and a lot of this data was personal/private information about a person. This data, if pieced together with other data about that person on a hard drive, could actually help a criminal create a bogus identification (ID).

“One in 10 second-hand hard drives still contain the original user’s personal information, suggests an investigation by the UK’s Information Commissioner’s Office (ICO).

It purchased devices from auction sites such as eBay and computer fairs.

Of the 200 hard disks collected, 11% contained personal information.

At least two of the drives had enough information to enable someone to steal the former owners’ identities, the watchdog said”

Read the full article at BBC Technology News HERE and the Information Commissioner’s Office (ICO) information on data issues and destruction HERE

My Suggestions

However, we do have a few options here: you can securely erase deleted data or specific folder locations on the PC you use every day, or, if you are selling your PC or returning it under RMA, you can erase the whole Hard Disk Drive (HDD) so that no data can be recovered by conventional data recovery means.

Disposing of or Dead HDD

If you have a dead HDD or are just disposing of an HDD, you can do one of two things depending on whether you can access the HDD. If you cannot access the HDD, then I would get a good power drill and tungsten bit and drill through the HDD; this should damage the platters that hold the data. A warning: this is a potentially dangerous task, so use any protective clothing you can (goggles, protective gloves, etc.) or get someone else who is handy with tools to do this.

If you have access to the HDD, you can use a drive-erasing tool such as Secure Erase to erase it securely. Do note that the best erase methods, such as “7 pass secure erase”, will take some hours to run their course, depending on the size of the HDD, and these methods need a little bit of tech knowledge, as you will need to know either the command line or how to create a boot disk.

Some may say that, if you have access to a high-powered magnet, you can also run it over the HDD and this will corrupt the data, but not everyone has access to these magnets. (Thought I would throw this one in as a random.)

Current PC you are still using

At times we all have personal or sensitive data that we delete and think is gone, but sadly the normal delete in Windows does not securely delete this data. Deleted data is only flagged as deleted and not actually removed, so unless it has been overwritten by new data it can be recovered by a wide range of free data recovery software.

So what you can use to securely delete the deleted data is something like CCleaner, as it has a secure delete option built in that just needs to be set up. Start by downloading and installing CCleaner from Majorgeeks (they also have a video guide on the site on how to use all the functions of CCleaner) or Piriform.

Once it is installed and running, click Options > Settings, and in the Secure Deletion settings click “Secure file deletion (slower)” and choose at least the “7 Passes” option; the “35 Passes” option will take many more hours than 7 Passes to complete.

    • 7 Passes is the U.S. DoD 5220 method
    • 35 passes is the Peter Gutmann method


Then, once it is set to the option you want, just click the Cleaner menu option and Run; this will securely delete/wipe any files you have deleted, as well as removing Internet history, temp files, etc., so do watch the Majorgeeks video guide to help with settings.
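What a multi-pass secure delete does to a single file, as an added Python sketch (not CCleaner's code and not part of the original post): each pass overwrites the file's bytes in place before the file is removed. The pass pattern (zeros, ones, random, with a random final pass) and the names `overwrite_file` and `secure_delete` are assumptions for illustration; this is not the exact DoD 5220 or Gutmann sequence.

```python
import os
import secrets

def overwrite_file(path, passes=7, chunk=1 << 20):
    """Overwrite the file's bytes in place `passes` times; return its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                step = min(chunk, remaining)
                if n == passes - 1 or n % 3 == 2:
                    data = secrets.token_bytes(step)      # random pass
                else:
                    data = (b"\x00" if n % 3 == 0 else b"\xff") * step
                fh.write(data)
                remaining -= step
            fh.flush()
            os.fsync(fh.fileno())   # push this pass to the device before the next
    return size

def secure_delete(path, passes=7):
    """Overwrite the contents, then rename to a random name and remove."""
    overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)           # replace the original name before unlinking
    os.remove(anon)
```

In-place overwriting only reaches the sectors the file system currently maps to the file; on SSDs, and on file systems that journal data or copy on write, older copies can survive, which is why wiping the whole drive is the safer route before disposal.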

With CCleaner you can also add the old HDD, or one due to be sold second-hand, as a slave drive in a desktop PC and then run the Drive Wiper option, found by clicking Tools > Drive Wiper; once you have chosen an option, click Wipe.


There are other applications, both free and retail, that can securely erase data, and I have only covered a few methods, so please feel free to tell us your own methods or applications in the comments section.

WARNING – Secure data deletion is permanent so be very sure that the data you want erased is not needed. Always create backups of your data on external devices just in case of accidental deletion as well as hardware failure.

Can you spot a Phishing website?

Are you a Phishing Ninja or a Phishing Pole? In this day and cyber-age it has become a very major issue that criminal gangs now find it much easier to try to steal your personal information, to gain access to your bank account etc., than to come and rob your home.

Phishing is one such way that they try this, and if you are unsuspecting or a novice to the perils of the internet age it can be very difficult to know whether a website is real or not.

OpenDNS have a quick test to see if you can spot the Phishing (fake) from the Real website of many a company you may use. Click the link below to take the test.

OpenDNS Phishing Quiz

Here is my result below, yeah I’m a sneaky silent Ninja!!


But then I do have knowledge of what phishing websites look like and how to tell them apart from genuine sites; a few tips are below.

  • Your bank, financial and shopping sites will not send you emails asking you to verify or re-enter your username or password.
  • Companies like Microsoft will not email you to say your PC is not up to date or has malware or a virus.
  • Check the website address in an email by hovering over it with your mouse; if it’s not the same as your normal website’s address then it’s not real, and if it’s in the form of an IP address (123.123.123.123 as an example) then definitely do not click.
  • Check the email address that sent you the email: is it actually from the company or not? As an example, this is one I was sent from the US Internal Revenue Service (IRS) today.


Note that the email address in the sender’s position is not the same as the one to reply to, which looks genuine but is not. If you do get one of these emails and are not a US citizen, delete it; if you are a US citizen, it’s worth letting the actual phishing side of the IRS know, and the email address is HERE on this page.

So best practice is to double-check any emails asking for financial details, usernames or passwords by phone, in person, or with the actual company’s fraud/phishing customer service department.
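The tips above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it flags a reply-to domain that differs from the sender's, links that go to a bare IP address, link text that shows a different host from the real destination, and requests to verify or re-enter credentials. The sample message is constructed, the function names are hypothetical, and message bodies are assumed to be unencoded text or HTML.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not the e-mail shown in the post.
SAMPLE = """\
From: "Tax Refunds" <refunds@tax-office.example>
Reply-To: claims@mailbox.example.net
Content-Type: text/html

<p>Please <a href="http://123.123.123.123/login">verify your account at
www.tax-office.example</a> and re-enter your password.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
CRED_RE = re.compile(r"(verify|re-enter).{0,40}(password|username|account)", re.I | re.S)

def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishing_indicators(raw):
    """Return a list of warning strings for one raw e-mail message."""
    msg = message_from_string(raw)
    found = []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply and reply != sender:
        found.append(f"reply-to domain {reply} differs from sender domain {sender}")
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if is_ip(host):
            found.append(f"link goes to bare IP address {host}")
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != host:
            found.append(f"link text shows {shown.group(1).lower()} but goes to {host}")
    if CRED_RE.search(body):
        found.append("asks you to verify or re-enter credentials")
    return found
```

An empty result only means none of these four signs were present; the sender's address itself can be forged, so the advice to confirm with the company directly still applies.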

More info on how to spot a Phishing attempt from Microsoft HERE

Hackers take on Secure ID Tokens

I would say it is not the best security in the world to let this information out into the wild and for hackers to actually get to the data; while RSA state that it’s not as bad as portrayed, I can imagine it’s not good either.

“Hackers have stolen data about the security tokens used by millions of people to protect access to bank accounts and corporate networks.

RSA Security told customers about the “extremely sophisticated cyber attack” in an open letter posted online.

The company is providing “immediate remediation” advice to customers to limit the impact of the theft

It also recommended customers take steps, such as hardening password policies, to help protect themselves.”

Read full Article HERE at BBC Technology News

Windows Vulnerability in MHTML

Microsoft have released Security Advisory KB2501696 for the Windows operating system, covering a vulnerability through which an attacker can affect Internet Explorer. While this was released last week, I thought it may be prudent, in the light of a few news agencies now posting this information, to highlight the information and workaround until the full patch is released.

“The main impact of the vulnerability is unintended information disclosure. We’re aware of published information and proof-of-concept code that attempts to exploit this vulnerability, but we haven’t seen any indications of active exploitation.”

While this is a serious issue, it can be blown out of proportion by the media, when in reality it’s only a proof of concept and may not be exploited. However, it’s always wise to keep your Windows version and all software fully up to date.

“The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents. The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities.  For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session.  Such a script might collect user information (eg., email), spoof content displayed in the browser, or otherwise interfere with the user’s experience.”

More info HERE

Just click the FixIt logo below to enable and disable the workaround fix.

FixIt

Keep Yourself Safe Online for Parents and Teens

In this day and age of the internet, and given the amount of social networking that teens do, it is a good thing to be aware of the perils of the internet and of giving too much information out. The book below is a great insight into security online.

“Help teens ‘own their space’ online. Whether you are a parent, caregiver, or educator, you can keep up with the latest computer and online safety issues and help kids learn to avoid them. In partnership with security expert and author, Linda McCarthy, we offer a free downloadable version of her new book, “Own Your Space – Keep Yourself and Your Stuff Safe Online.” Written for Internet savvy “tweens” and teens specifically, this book is also a useful resource for the adults they rely on.”

Download the e-books HERE

Avoid Windows Telephone Support Scams

I have in the past heard of many of these scams, and of people who have been duped into thinking the call is actually from Microsoft, stating that they have a problem with their PC.

These tend to be bogus, as Microsoft will not phone you up stating that they have scanned your PC and found malware or issues that need fixing.

Cybercriminals have been calling people on the telephone, claiming to be from Windows or from Microsoft, and offering to help solve their computer problems. Once cybercriminals have gained your trust, they can:

  • Trick you into installing malicious software on your computer.
  • Take control of your computer remotely and adjust settings in order to leave the computer vulnerable.
  • Request credit card information so that they can bill you for the phony services

Read more HERE from the MSDN Security Tips Team