I found this article while reading Geek News Central. I have never understood why people have some expectation of privacy while on a cell phone. When the average person gets on the cell phone, they tend to tune out the outside world, and expect the outside world to tune them out. And in general, this is a reasonable expectation; no one cares if your talking to your kids about their chores, or your buddy about Sunday’s football game. But those expectations are false when your talking about personal information. You are broadcasting to everyone close enough to hear your voice, and while a number of automatic filters click into place for the average person while talking about minutia, when you start talking about your bank account, a lot of people start listening. The illusion of privacy is just that, an illusion, and if you’re talking about something interesting, people will listen. And there are a lot of people who will find your bank account information interesting.
If you’re worried about the 0-day Microsoft vulnerability in the handling of WMF files, you can try this hint that Dave Klienman suggested on the CISSP mailing list:
Actually just change:
And reboot. Or unregister the image view DLL;
To un-register Shimgvw.dll, follow these steps:
Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround:
The Windows Picture and Fax Viewer will no longer be started when users
click on a link to an image type that is associated with the Windows
Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
The unregister steps were directly from the Microsoft advisory on this vulnerability, but in typical Microsoft fashion, they were three levels in and somewhere the average, or even above average user, would never find them. I wouldn’t have found it if not for Dave’s post and the fact that other, similar vulnerability alerts had listed the same steps in an easier to find fashion.
I’m not going to be doing this to my computer, and I’m not really suggesting you do this either. I’m just letting you know that this is an option. A better option would be to upgrade to Firefox 1.5, which doesn’t use the vulnerable DLL when viewing WMF files.
Here’s just one more reason to encrypt the entire database whether you consider the information sensetive or not. Marriott International lost computer backup tapes containing sensitive information for more than 200,000 people. That’s a lot of people. Was this the incident that sparked the mysterious reports of a breach over the weekend, or does that incident have yet to be revealed?
How does a company manage to lose a backup tape anyways? Most of the companies I’ve worked for have a rigid policy concerning backup tapes. When they come out of the computer, they go immediately into a lock box that is stored in a secure off-site location, with several layers of tracking to follow them. If they disappear along the way, it’s usually pretty obvious where in the system the tapes were interecepted.
There are two levels of encryption that could or should have been employed on these backups. First of all, encrypt the data in the database. Encryption has a cost, which is mainly measured in the speed of your databases and the CPU usage on the server. Secondly, many backup services today offer the option of encrypting the data on the tapes. Use that option. Here, the trade-off is similar; it slows down the backup and can cause recovery issues if you lose the key. But it’s worth the added level of security. Encryption is cheap, rebuilding your reputation is not.