You wouldn't post your credit card number on your blog.
You wouldn't post your bank account number on your Facebook page.
You wouldn't respond to a stranger's e-mail request with your current address.
But, have you considered how you protect that information?
In a recent Scientific American article, How I Stole Someone's Identity, Herbert H. Thompson describes how a casual acquaintance gave him permission to try to break into her bank account using only a few facts that he knew about her, plus the information that was freely available on her blog and an online resume.
Using "forgotten password" questions, he broke in easily.
You know, those questions that you need to answer when you forget your password—your mother's maiden name, the street you grew up on, name of your first pet.
According to several news reports, last week a hacker broke into the personal e-mail account of Republican vice presidential candidate Sarah Palin using the same technique. According to the Wired Threat Level blog, Palin's password question was "Where did you meet your husband?" The hacker did some research and some guessing and came up with the answer – "Wasilla High."
What I learned from these two articles is that we should be very careful when we choose those password recovery questions.
The questions are usually pretty random, but sometimes we provide the answers to the world at large on our blogs and social networking sites.
After I read this article, I checked my accounts and changed my questions.
For more, read about how to choose strong passwords and keep them secret.
The way that online identities are managed today cannot withstand the increasing assaults from expert criminals.
With financial losses from offline and online identity theft totaling $45 billion in the United States alone in 2007, and with e-commerce suffering the consequences of consumer fear of phishing and fraud, it's clear that the Internet needs a fresh approach to protecting personal information.
A new Microsoft white paper argues that this approach should center on the creation of a technology called an "Information Card," which makes it possible to create more powerfully secure identities.
Information Cards would rely on a third-party ID provider that would act as a buffer in two-party transactions.
The ID provider could use real-world data and sources to verify that individuals and sellers are who they say they are. This way, online buyers could remain anonymous to online sellers (or vice versa), but still have a trustworthy, authenticated ID.
Minimal personal information would need to change hands between buyer and seller.
Microsoft notes that the Information Card approach would have to be supported by individuals, companies, and governments, and would have to be bolstered by:
For more information on this new approach, download the Online Identity Theft: Changing the Game white paper.
Today Microsoft released 4 new security bulletins.
• MS08-052 addresses a vulnerability in Microsoft Office and Microsoft Windows, .NET Framework, Visual Studio, Visual FoxPro, Microsoft Works, Microsoft SQL Server, Microsoft Forefront, and Microsoft Digital Image Suite (KB 954593)
• MS08-053 addresses a vulnerability in Microsoft Windows (Windows Media Encoder) (KB 954156)
• MS08-054 addresses a vulnerability in Microsoft Windows Media Player (KB 954154)
• MS08-055 addresses a vulnerability in Microsoft Office (KB 955047)
To get the updates, go to the Microsoft Update Web site. To get updates automatically from now on, turn on automatic updating.
To get more technical information about the bulletins, visit Microsoft TechNet.
Your local Rotary club did a great job of cleaning up that old playground down the street. But who's taking care of the other places where kids play these days—the online places?
We like the idea that there are separate spaces for adults and kids online, but how do we keep those spaces separate? Online identity and age claims are challenging to verify. Microsoft aims to help.
Read about the new technology framework designed to improve the authentication of online identity and age claims, so that online service providers can create safer online communities for kids.
Digital Playgrounds: Creating Safer Online Environments for Children
Earlier this year, we told you about the new Microsoft End to End Trust initiative and invited your comments and feedback.
Since the launch of the initiative at the RSA U.S. Conference in April 2008, Microsoft has also talked with industry partners, customers, and governments about how to give people control over who and what to trust online.
Check out the feedback we've received so far and how we’ve outlined an approach to make the Internet safer for children.
September 2008—End to End Trust Update
Then join the conversation.
Some employees have replaced the daily computer solitaire break with a daily check of Facebook, LinkedIn, Twitter, MySpace, Windows Live Spaces, or other favorite social networking site, many workplaces report.
Online social networking might be a more interactive distraction for employees than playing cards, but it's a lot more dangerous to the health of the corporate network.
Several recent reports attest that phishing scams, viruses, spyware, and other unwanted software are spreading through social networks and into workplace networks. These outbreaks can damage computer systems and might even steal sensitive information from your company.
Some workplaces block social networking Web sites, but because these sites can also be a valuable tool at work, you still might have access.
If you do, here are some ways to use that access more safely:
· Find out if your company has a policy about visiting certain Web sites using your corporate network.
· When you sign up for a social networking site, use your personal e-mail address, not your company e-mail address.
· Use caution when you click links that you receive in messages from your friends on your social networking site. Treat links in messages on these sites as you would links in e-mail messages. (For more information, see Approach links in e-mail with caution.)
· Be choosy about who you accept as a "friend" on a social network. Identity thieves may create fake profiles in order to glean information from you. This is known as social engineering.
· Be careful about the information you reveal about your workplace or company on your social networking site. (This is a good rule to follow for blogs too.) For more information, see How to protect your privacy in online communities.