Forceone Secure Computing
Security Focused, tailor-made and cost-effective services and solutions
Why Choose ForceOne?
Experience
ForceOne's core team has over a decade of experience in information security consultancy. ForceOne’s consultants are experts in multiple domains.
Security-Focused
ForceOne has always been focused on information security services and solutions, and has an exceptional track record and references.
Successful Delivery
ForceOne incorporates the best project management principles and practices to ensure all projects are delivered on time.
Expert Resources
ForceOne employs experts and certified professionals who have a good mix of business, technical and interpersonal skills.
News & Events
- Adobe fixes critical Shockwave Flash Player flaw
- Defense-contract discs sold in African market for $40
- Don't get tricked by fake Microsoft update e-mails
- Facebook evolves options for its privacy settings
- IBM develops a way to process encrypted data

Adobe fixes critical Shockwave Flash Player flaw
News source: searchsecurity.techtarget.com

Adobe Systems Inc. is warning customers about a critical flaw in Shockwave Player that could be used by an attacker to take complete control of a victim's machine.

The flaw is in Adobe Shockwave Player 11.5.0.596 and earlier versions. An error occurs when the player processes Shockwave Player 10 content and can be exploited to corrupt memory via a specially crafted Adobe Director file.

Adobe is urging users to uninstall versions prior to 11.5.0.600, restart their system and install version 11.5.0.600.

Danish vulnerability clearinghouse Secunia gave the flaw a highly critical rating. So far there have been no reports of exploits in the wild.

The vulnerability was discovered by security researcher Paul Kurczaba and reported to TippingPoint's Zero Day Initiative.

Defense-contract discs sold in African market for $40
John Leyden, News source: theregister.co.uk

Dumped hard drives with US defense data have turned up for open sale in a West African market.

A team of Canadian journalism students bought a hard drive containing information on multi-million dollar contracts between military contractor Northrop Grumman and the Pentagon for just $40 in a market near Accra, Ghana. The exercise was part of shooting a documentary on e-waste by Vancouver journalism students, researching what happens to the West's discarded and donated electronics.

"You'd think a security contractor that constantly deals with very secret proprietary information would probably want to wipe their drives," Blake Sifton, one of the three graduate journalism students told CBC. The team bought seven hard drives at a market in the port of Tema, a major point of entry for electronic waste from Europe and North America into Africa.

Northrop Grumman is reported to be investigating how an unencrypted hard drive containing sensitive data on the firm ended up on an African market, in violation of its established kit disposal procedures.

"Based on the documents we were shown, we believe this hard drive may have been stolen after one of our asset-disposal vendors took possession of the unit," Northrop Grumman told CBC.

A documentary of the students' research, Ghana: Digital Dumping Ground, aired in the PBS program Frontline/World on Tuesday. The disposal of electronic waste is controlled by European and US regulations but spare - often broken - kit often finds its way to Africa and other regions of the developing world where it is dumped. Cannibalized parts end up on markets while the rest of the kit is piled together and burned.

Sifton recalled seeing seven fires spewing "black, sticky, acrid smoke" at one Ghanaian dump. "The ground is just scorched absolutely everywhere. Everywhere you walk, there's shards of plastic and metal and glass protruding from the ground."

The fires are used to extract scrap metal, valued at just 50 cents a kilogram, which locals use to scratch out a meager existence. It's the effect on the local environment and people of the West's throw-away culture around electronic kit - rather than the information security element, which is well understood - that Sifton and his colleagues are trying to highlight.

Sifton added that he did visit universities in Ghana supplied with computers donated from the West that would have otherwise been unaffordable.

Don't get tricked by fake Microsoft update e-mails
Tyson Kopczynski, News source: Pcworld.com

I do not know about you, but for the past couple of days my inbox has received several e-mails claiming to be from Microsoft while touting links to updates for Microsoft Outlook and Outlook Express. :>) Naturally, I clicked on those links right away and installed me some updates (not).

However, in all honesty, I was surprised at the level of effort that the sender went through in making this phishing e-mail look more "authentic". For example:

- First, the message itself is formatted to look like a Tech Bulletin from Microsoft.

- There are links within the e-mail that link off to valid addresses on the Microsoft site.

- Lastly, the sender took care in crafting the update (phishing) URL such that it almost appears to be going to update.microsoft.com and has a valid query path for the update.

In other words, at first glance, the e-mail looks valid. And, thanks to the sender's efforts within the social engineering arena, I'm sure that the number of people falling for this e-mail is much higher than the normally lame phishing e-mails that are sent out. Thus, unless the e-mail was blocked by some kind of inbound gatekeeper, it's up to the receiver to determine how to handle this e-mail: delete it or fall into the trap.

In other words, for organizations and even consumers, the best defense in this case is awareness, training, knowledge, etc. and not some fancy security software. Ah... if only all solutions were so simple.

Facebook evolves options for its privacy settings
Greg Masters, News source: scmagazine.com

As one of the fastest growing social networking sites, with an estimated 200 million users, Facebook has come under some criticism for the access control settings of its portal. Some users complained that they had limited options when it came to controlling who could view their "Status Updates," the site's continually updated message board, and to whom they could push their messages out.

Though the site has options for privacy settings available, this week the site launched a new iteration that makes it easier for users to customize their privacy settings as they send out content. This option is available at the moment only to a small percentage of active users with settings configured so as to be visible to “Everyone.”

The beta roll-out of privacy controls will be available on “Publisher,” a panel viewable once logged in at the top of users' home and profile pages. This is where users add content, such as photos, videos or their text-based status updates. With these new settings, users will be able to grant access, depending on their selection, to everyone, specific groups or one individual.

With a mix of family, social and professional connections tethered together, Facebook users previously faced the dilemma of who exactly is among their audience. Content appropriate for one group of close friends, i.e., exploits of a night on the town, might not be suitable for cousins or work buddies checking in to the site.

When posting content via the Publisher tool, users will now have access to a lock icon in the lower-right corner of the panel that launches a drop-down menu. Using this, they can select various options to gain more control over to whom they communicate their personal journalism.

However, whether Facebook's improvements to its privacy options will be enough to make IT administrators within the enterprise comfortable is up for debate.

“With the advent of social media and networking services, security and privacy became a bigger issue, essentially opening new holes and windows for cybercriminals to prey on consumers,” Shawn Eldridge, vice president, marketing and products, BorderWare, told SCMagazineUS.com in an email on Thursday. “Facebook's recent announcement about new privacy measures is a great first step. However, there is no silver bullet to all security woes and in order to be truly effective, the company will need to continue to evolve with a comprehensive approach, including data loss prevention policies that meet their internal privacy and compliance standards.”

But, he said, this move signals that Facebook has moved from just a social tool to one that has business uses and power beyond its original purpose. In fact, Facebook's new privacy features should enable organizations that have previously banned the service on company machines to consider allowing certain measures of usage, Eldridge said.

With a caveat, however. It doesn't necessarily mean the service is completely safe and consumers/organizations can stop being vigilant, he said.

Others say that by customizing its interface to now enable targeted messaging, the move is an attempt by Facebook to broaden its reach to the entire internet and to entice more users who use other networking sites for social interaction, like MySpace, and networking sites for business purposes, such as LinkedIn. It also faces tough competition from Twitter, the microblogging site that enables users to push out their brief messages in real time to everyone.

“Facebook seems to be taking a step in the right direction to do its part, but will continue to need to be vigilant and move with the changing times,” Eldridge said.

IBM develops a way to process encrypted data
Chuck Miller, News source: scmagazine.com

A researcher at IBM has developed a way to analyze encrypted data without decoding it, according to a statement from IBM.

The breakthrough method leverages a concept called “fully homomorphic encryption,” and stems from achievements an IBM researcher, Craig Gentry, developed on a problem that has stymied researchers for nearly 30 years.

“Fully homomorphic encryption is a bit like enabling a layperson to perform flawless neurosurgery while blindfolded, and without later remembering the episode,” Charles Lickel, vice president of software research at IBM, said in a statement.

One of the benefits of the breakthrough could be the ability to work with encrypted data as though it was fully unencrypted – that is, without seeing any of the private data. Thus, a cloud computing service provider, for example, could work on a dataset without the originator – or holder of the encryption keys – having to divulge the means of encryption, according to the statement.

Other potential applications include enabling filters to identify spam, even in encrypted email, or protecting information contained in electronic medical records. The breakthrough might also one day enable computer users to retrieve information from a search engine confidentially, according to IBM.
