MY DATA, MYSELF

One Computer, Many Eyeballs

The Annoyance:

I keep sensitive files on my home desktop machine my banking records, old love letters, the chapters from my unfinished best-selling novel that are nobody else's business, damn it. How do I keep Nosy Nellies from walking up to my computer while I'm not there and rummaging around on it?

The Fix:

One way is to use a password-protected logon so that only you can gain access to your desktop's...er, desktop. If you're sharing the computer, you'll need to set up multiple logons, each with a unique password (see Figure 2-1).

To set up different identities in Windows XP, open the Control Panel, double-click User Accounts, click "Create a new account," supply a username and click Next. Under "Pick an account type" select Limited and click the Create Account button. XP will add the username to the group of accounts on your system. Select the new account in the subsequent screen by clicking its icon. Select "Create a password," then enter a password for the account. Do this for everyone who's likely to use your system.

If you want to be able to quickly switch between users without having to close all your documents and programs, make sure Fast User Switching is turned on. From the main User Accounts Window, select "Change the way users log on and off" and check the Use Fast User Switching box. Click the Apply Options button and close the User Accounts window.

When you first set up Windows XP, create a limited user account for your everyday use in addition to your administrative account. A limited account can't create passwords, install software, or perform other system chores; if bad guys hijack your system when you're logged on as a limited user, they won't be able to do as much damage.

annoyances 2-1. Sharing your computer with the entire family? Windows XP lets you create accounts for multiple usersmultiple users

Wait, you're not done yet. If you wander off while you're logged on to your PC, anyone can walk up to your machine and have their way with it. You have two options: you can "lock" your computer every time you get up, or you can set up a password-protected screensaver that will thwart the little sneaks.

To lock your computer, simply press the Windows Logo key (it looks like a tiny flag) and the letter L; Windows will display a blank desktop. Press the logo key and L again to get to a Welcome screen where you must log back in with a password. If your keyboard lacks a Windows key, you can force the logon screen to appear by clicking the Start button and selecting Log OffSwitch User (orLog Off AdministratorSwitch User). When you log back in, your computer will be just as you left it.

To password protect your screensaver, open the Display control panel. (If you're using Control Panel's Categories view, you'll find it under Appearance and Themes.) Select the Screen Saver tab, select a screensaver, set the delay, and check the "On resume, display Welcome screen" box. Anyone attempting to slip onto your machine while you're away will have to cough up a password.

If you use Mac OS X, this process is even simpler (naturally). Click the System Preferences icon (it looks like a light switch) on the Mac's toolbar; under "System" select Accounts. To add a new account, click the plus symbol (+) below Login Options, and enter the name and password for each new user. When you're done, click the padlock at the bottom of the Accounts window and close it to keep anyone else from changing your settings. Relaunch System Preferences and under "Personal" select Security; make sure the "Require password to wake this computer from sleep or screensaver" box is checked, then close the Security window. That's it.

Remember, the security of either scheme depends entirely on how tough a password you pick. (For sage advice on creating a password, see the sidebar "Pick a Peck of Passwords.")

Foil Hard Disk Snoops

The Annoyance:

What's to keep these busybodies from snooping around my files once they've logged on?

The Fix:

Not much unless you take a few more steps to cover yourself. For example, XP lets you make your files and folders private, so other folks who log onto your computer or home network can't open them. However, this feature only works if your hard drive uses the New Technology File System (NTFS).

To figure out what file system you're using, open Windows Explorer, select the drive where you store the files you want to protect, right click the drive letter, and select Properties. On the General tab you'll find an entry for "File system." If it says NTFS, you're golden; if you see FAT or FAT32, then you'll need to convert the drive to NTFS (for instructions on how, see the tip in the next column).

Once you're sure you're using NTFS, open Windows Explorer, right-click the folder you want to make private, and select Sharing and Security. On the Sharing tab, check the "Make this folder private" box and click OK. (If you haven't already set up a password for your user logon, you'll be prompted to do so now). XP will then make this folder and any subfolders private; when other users log on they'll see the name of the folder you've protected but won't be able to peer inside it. Files you drag inside the folder later will also be invisible to others.

The New Technology File System (NTFS) is more secure and efficient than Window's older File Allocation Table (FAT) system, which is why new Windows XP PCs ship with NTFS in place. If you've got an older system you can covert it from FAT to NTFS. The process is quite easy and not to worry, XP will keep your programs and data intact. To convert a drive, select StartRun and type "cmd in the Open box to bring up a DOS prompt. At the prompt type convert x: /fs:ntfs (where x: is the letter of the drive you want to convert), then press Enter. If files on the drive are in use (and if the drive holds the OS, they will be) you'll need to tell XP to convert the drive the next time you restart. Once you have an NTFS drive, you'll be able to make folders private, encrypt data, and do other neat tricks.

With Mac OS X, file sharing is turned off by default. To make sure, open System Preferences from the toolbar, click the Sharing icon (it's under Internet & Network), and select Services. If Personal File Sharing is selected, you can turn it off by clicking the Stop button.

No Vault Insurance

The Annoyance:

I've got seriously sensitive work materials I need to protect, so simply making files private ain't gonna cut it.

The Fix:

Encrypting your data folders can help. (Encryption is an especially good idea if you need to protect notebook data. See "A Note About Notebooks.") If someone manages to circumvent your logon security and copy your files, they won't be able to read them. Windows XP Professional comes with an Encrypting File System (EFS) tool built in, though it only works on NTFS hard drives. To encrypt a folder using XP Pro, launch Windows Explorer, right-click the folder you want to protect, select Properties and click the Advanced button. Check the "Encrypt contents to secure data" box and click OK, followed by Apply. In the Confirm Attribute Changes dialog, choose whether you wish to apply the changes only to that folder or all subfolders and files within it, then click OK. You'll have to wait a bit while the attributes are applied. (If you use XP Home and/or want to protect just a single file on your computer, see the tip below.)

However, XP Pro shipped with relatively weak 40-bit encryption. (In general, the more bits used to generate the encryption key that scrambles your data, the harder it is to break. Researchers have broken 40-bit keys in about three hours using high-speed computers.) If you need to secure your files from crooks, hackers, or other serious threats, you'll want 128-bit encryption at a minimum, and that means turning to off-the-shelf encryption software for the PC and Mac, such as PGP Desktop Home ($69, http://www.pgp.com). PGP supports a wide range of different encryption methods, up to 4096-bit RSA, which means you could have a roomful of NSA agents with keyboards and supercomputers and they still wouldn't be able to crack it.

Mac OS X aficionados can employ the built-in 128-bit File-Vault to encrypt files and password-protect data. Click the System Preferences icon that light switch on the Mac's toolbar and select PersonalSecurity. Click "Turn on FileVault," enter your system password (if you have one), then click "Turn on FileVault again. The Mac will shut down any open data files while it's encrypting your Home folder.

Windows doesn't provide an obvious way to protect individual files in XP Home (thanks, Microsoft), but here's a workaround that will do the trick: put the file inside a compressed folder, then assign it a password. Open Windows Explorer or My Computer and right-click the file you want to protect. Select Send ToCompressed (zipped) Folder. Windows will create a zipped folder (with a little zipper icon next to it) inside the same folder where your file is stored. Double-click the zipped folder to open it in a new Explorer window. Pull down the File menu inside the new window and select Add a Password. (On some systems, you may need to select OptionsPassword.) Type your password (twice), click OK, and close the new window. When you want to open the file, double-click the zipped folder, then double-click the filename. Youll be prompted to supply a password. But remember to delete the original (uncompressed and unprotected) version of the file, or all your skullduggery will be for naught.

Hide in Plain Sight

The Annoyance:

I don't want to make a second career out of securing my hard drive; I just have a few files that I want to keep private. Isn't there a simpler way?

The Fix:

There is. Windows lets you hide any file or even entire folders so they won't show up in My Computer or Windows Explorer.

First, store your sensitive files in a subfolder and pick a boring name for it (like "spreadsheets" or "work"). (You don't have to do this, but it will make your files harder to find and appear less interesting to snoops.) In Windows Explorer, right-click that new folder, and select Properties. In the Attributes section check the Hidden box, then click the Apply button, then OK. Then select ToolsFolder Options and click the View tab. Scroll down to the item that reads Hidden Files and Folders and select the "Do not show option and click OK. Close Explorer and reopen it. Your folder will not be visible until you go back into your Folder Options menu and select "Show hidden files and folders" (see Figure 2-2).

You can do the same thing with individual files: Just right-click on the file, select Properties, check the Hidden box on the General tab, then click OK.

Remember, while this technique works fairly well to stop folks from accidentally stumbling upon your private stuff, it won't stop a savvy spy (or determined spouse) who knows what to look for.

annoyances 2-2. To keep snoops out of your files, mark them as hidden.

Complete Delete

The Annoyance:

I used to be a bad person, but I've reformed. I've also deleted every file on my computer that could get me in trouble with the law, my spouse, or the Recording Industry Association of America. But I hear that deleted files never really go away. Is that true? How can I make sure the stuff that I deleted stays deleted?

The Fix:

When you click "delete," the files stay in your Recycle Bin until you empty it. Even then they can be restored fairly easily using file recovery software such as Executive Software's Undelete ($30, http://www.executivesoftware.com). That's because the data isn't actually deleted; Windows just lops off part of the filename so your hard drive's filing system can't locate it. Eventually, an application will overwrite the file with new data, but that could take months. Meanwhile, the data is accessible to anyone with decent computer forensics skills.

The cheapskate's way of purging files? Erase the files, empty the Recycle Bin, and defrag the hard disk. This can overwrite erased files, making their secrets unavailable to snoops. To run the defragger, select StartAll ProgramsAccessoriesSystem ToolsDisk Defragmenter. Then go do your laundry or crack open a good book, because its likely to take a while.

But to be sure the data is really gone, you'll need an electronic file shredder such as CyberScrub Privacy Suite ($50, http://www.cyberscrub.com) that can overwrite deleted files multiple times so that nobody not even the spooks at the NSA can recover them. WinGuides' Privacy Guardian 3.0 ($30, http://www.winguides.com) can also wipe your Recycle Bin and shred individual files so they'll never be seen again. Both products can also wipe out data lurking in temp files, document histories, and much more. Best of all, you can tell them to clean out your old stuff on an hourly, daily, or weekly basis, so you never have to think about it again.

To make deleted files unrecoverable on Mac OS X systems, just open the Trash Can, click Finder, and select Secure Empty Trash. But to evict any file fragments or temp files still loitering on your hard drive, you'll need a tool like Jiiva's AutoScrubber ($60, http://www.jiiva.com).

Watch Your Backups

The Annoyance:

I am a backup fanatic I've got Zip discs full of backup copies of every file that's ever been on my computer. But that means my Quicken data and personal correspondence are also on these discs. How do I keep somebody from stealing my financial info by taking the discs?

The Fix:

You can turn your PC into a digital Fort Knox but still get burned by an errant floppy. You've got to protect your data everywhere it resides, but especially on your backup discs, since they're easier to steal and you may never notice they're missing.

WinBackUp ($50, http://www.liutilities.com/products/winbackup/) automates data backups, protects data using strong 256-bit encryption, and lets you assign passwords to backup data sets so only you can open them. If you're doing manual backups, you can also use PKWare's PKZIP ($29, http://www.pkware.com) or SecureZIP ($100) to compress and encrypt your data files, no matter where they reside. But PKZip encyption is fairly weak you can find free software on the Net that helps you crack it so SecureZIP is a better call for scrambling sensitive data.

The next issue: where do you plan to store the backups? A locked drawer in your desk may be fine if you're just stashing old love letters and other personal correspondence. But if you want to store tax or financial information, work-related documents, or anything else whose loss would keep you awake at night, you'll want to keep backups in a secure off-site location. Otherwise, any natural disaster (fire, flood, locusts) that takes out your home computer could also wipe out your backups. Smart thieves might also leave the heavy computer and take the highly portable discs, since they can make a lot more money by stealing your identity.

A safe deposit box at your bank is a reasonable storage option, though it can be a bit of a hassle going to the bank every time you make a backup set. (See Chapter 5, "Safety in Boxes?") Another option is online backup.

ISPs such as Earthlink (http://www.earthlink.net) and Microsoft Network (http://www.msn.com) and web services such as Yahoo (http://www.yahoo.com) offer some online storage space with each account enough for quick-and-dirty backups of data files. But you'll have to copy your files manually, and the data isn't protected as it passes from your PC to their servers. If you're running a small business or need to store sensitive stuff, get a dedicated online backup service that encrypts the data so hackers and other snoops can't get at it, and automates the process so you can set it up and forget about it.

Connected's DataProtector service (http://connected.com/solution/DataProtector.asp) offers backup plans ranging from $80 a year (for 250MB) to $800 (30GB), with a 30-day free trial. @Backup (http://www.backup.com) offers a similar service starting at $50 (50MB). Both make it simple to set up and schedule backups, and both provide enterprise-level security and redundant copies of your data, in case there's a problem with their servers. The downside? If your Net connection goes down, you can't get at your backups.

Microsoft Confidential

The Annoyance:

There are only a handful of Office files that are really for my eyes only I don't want to invest a lot of time and money in encryption products.

The Fix:

Microsoft Office 2000, 2002, and 2003 let you password protect and with 2002 and 2003, heavily encrypt individual files (see Figure 2-3). In Microsoft Word 2002 and 2003, open the file you want to protect, select FileSave As, click the Tools menu in the upper right corner of the dialog box, select Security Options, and then enter passwords in the "Password to open and "Password to modify" boxes, and click OK. (In Word 2000, select ToolsGeneral Options.) For corporate-level security thats hard to hack, in Word 2002 and 2003, click the Advanced button in the Security tab and select a more robust encryption scheme (such as 128-bit Microsoft Enhanced RSA), and click OK twice. In Excel, the commands are slightly different (FileSave AsToolsGeneral Options) but the effect is the same.

annoyances 2-3. Microsoft Office 2003 gives you loads of options for encrypting individual files so that nobody can unscramble them-including you, if you forget your password.

Cleaning up for Charity

The Annoyance:

I've got an old computer that's too slow to be used as anything but a doorstop. I was thinking of donating it to a local charity and getting the tax deduction, or maybe selling it as an antique on eBay. But it still has old financial records of mine. Should I worry?

The Fix:

Old hard drives, even ones its owners think are clean, can be packed with sensitive information that's nobody else's business. In June 2004, Pointsec Mobile Technologies, a security firm based in Stockholm, purchased 100 old hard drives on eBay. Approximately 70 had data that could be recovered; one drive contained the customer records of a leading European financial services firm. (The cost of said drive? $10. The information? Priceless.)

If you don't need any of the data on the system, the best thing to do is reformat the entire hard drive (and, if you want to be truly nice, reinstall a clean copy of the original operating system). If you've still got the CDs that came with the machine, you should be able to find instructions on how to do this. If you've lost the CDs (or the system is so old it didn't come with CDs), you can manually reformat the disc. Here are the two basic ways to reformat a hard drive:

1. First, create a startup disk. After inserting a floppy disk into the drive, launch Windows Explorer and right click on the A: drive and select Format. In the next dialog box, check the "Create an MS-DOS startup disk" box and click the Start button. When Windows warns you that all data on the disk will be overwritten, click OK. Click OK when the "Format complete" window appears, then click the Close button.

   A NOTE ABOUT NOTEBOOKS Notebook PCs present an even bigger privacy challenge than desktops, since nogoodniks can simply walk off with them, taking your personal correspondence, address book, financial information, and more in the process. So you need to be careful (approaching paranoia) about keeping your laptop in reach of your lap. Use an old bag. Nothing screams "steal me!" quite like a fancy leather laptop bag in an airport. When you travel, put your machine inside something less obvious, like a briefcase (the more worn out, the better) or a backpack. Be sure to add sufficient padding to avoid jostling the hard drive too much. Take a number. Write down your machine's serial number and stick it a safe place (i.e., not in a Word doc on your laptop). This will come in handy later if the machine is recovered. Let a password be your watchword. This almost goes without saying, but the logon precautions you use on a desktop are de rigueur for anything built to move. If you've got both a desktop and a laptop, choose a different password for each. Encrypt your data. Even if a thief manages to circumvent your logon security, he or she won't be able to get at your data if it's encrypted and password protected. (See "No Vault Insurance"). Tell it to phone home. Software such as CyberAngel Security ($60 annually, http://www.sentryinc.com) and Computrace Personal ($99 for three years, http://www.computrace.com) can help you track down a stolen notebook by secretly sending you an alert if the thief logs onto the Internet with your machine. Be alarmed. Make thieves think twice by adding an alarm to your notebook. The Targus PA480U DEFCOM MDP ($100, http://www.targus.com) plugs into your laptop's PC card slot and emits an 110db shriek if anyone tampers with or tries to abscond with your machine. Lock it down. Even when you're not on the road, your notebook is at risk from burglars or light-fingered co-workers who prowl the cubicles looking for swag. Secure-It (http://www.secure-it.com) and Kensington (http://www.kensington.com) offer cables that plug into your laptop's security slot and lash the notebook to anything immovable, starting at just $30.

   
   

2. Second, use that startup disk to format the drive. With the floppy still inside the machine, restart Windows. It should boot up to a DOS prompt. At the A:> prompt type format c: /s (assuming that the C: drive contains your system files). When it warns you that your data will be lost, type Y to proceed.

If you get a "command not found" error, you may need to manually copy the ancient DOS program Format.com to the floppy. You should be able to find it in the \Windows\System32 folder.

If your drive is split into other logical partitions (D:, E:, and so on), you'll need to follow the same steps, but substituting the appropriate drive letter for C: and leaving off the /s switch (since those drives won't contain system files).

However, even a reformat isn't entirely bulletproof. If your old data is truly sensitive (e.g., secret plans for a missile defense system, Britney Spears' unlisted home number), you may want to wipe the disk first. One free alternative is Darik's Boot and Nuke, a program you can download at http://dban.sourceforge.net/. After you install it onto a floppy or CD, just insert the disk into the drive of the machine you want to wipe, reboot the machine, and follow the prompts.

If that's too geeky for you (and it probably will be), you can also pony up for a product such as CyberScrub or Privacy Guard (see "Complete Delete"), or Symantec's Norton SystemWorks 2005 ($70, http://www.symantec.com). These will all allow you to wipe your old system so that even the NSA wouldn't be able to reconstruct your data.