Why Are You Getting This?

You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Rebecca

We would love to hear from you!

April Tips of the Month

• Monthly Awareness Activity
• Privacy & Security Questions and Tips
• Data Security & Privacy Beacons*
• Privacy and Security News
• Where to Find the Privacy Professor

National Crime Victims' Rights Week is April 23-29, 2023. This year’s theme is “Survivor Voices: Elevate. Engage. Effect Change,” and “calls upon communities to amplify the voices of survivors and commit to creating an environment where survivors have the confidence that they will be heard, believed, and supported.”

Let’s make this into International Computer Crime Victims’ Rights Week!  

Here are some ideas to raise awareness of computer crime and to share ways to help prevent being a computer crime victim:

• Ask employees, co-workers, family, and friends to submit the name of a movie or TV show about computer crime that impacted them so much that they made changes in their lives to prevent being a victim themselves. Many know that a favorite of mine is “The KGB, the Computer and Me.” There are many lessons there! (Hey, did you know that I provided what I’m told is the first comprehensive list of such movies and shows in 2005 in the first edition of my book, “Managing an Information Security and Privacy Awareness and Training Program”? I updated that list in the 2nd edition of the book, and my team and I have been updating that list ever since!)  
• Have a poster contest to bring out the artistic interpretation of what computer crime in general, or a specific type of cybercrime or another type of computer crime, looks like to each person when they think about the crime.
• Provide a list of podcast episodes, TV shows, and movies about computer crimes to your employees, ask them to watch one, and provide a summary of the show. Then find a local restaurant or local retailer (or even your company cafeteria) to give a discount to participants. 
• Ask employees to write a short story about a computer crime. Then publish in your company’s next newsletter, on your information security internal website, or publish in some other way to recognize the creativity of your co-workers while at the same time raising awareness of computer crimes.

What other activities do you suggest for making your own International Computer Crime Victims’ Rights Week? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in April?  Let us know!

Here are a few questions we’ve received over the past few months about privacy, security, computer crime, and cybercrime. We’ve received many! Those we did not get to here may be included in an upcoming issue.

Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: What is the difference between “computer crime” and “cybercrime”?

A:  For some organizations and purposes, no difference exists. For others, the difference is significant. 

Computer crime has been around long before the internet. It generally applies to criminal acts, such as fraud, stealing intellectual property, bootlegging software, stealing or destroying computing devices, etc., that are committed through the use of or access to some type of computer. 

Cybercrime is generally computer crime committed on or through the internet, which is the “cyber” aspect of the crime. Many organizations view cybercrime as a subset of the larger topic of computer crime. Some universities also teach that definition. We have long viewed the terms from this perspective as well. For example, stealing laptops, software, and/or data on storage devices (USB drives, hard drives, etc.) usually does not involve the need for the internet, but are computer crimes. The destruction or damage of such physical property is also a computer crime. Modifying computer code on a corporate network to commit fraud would be another type of computer crime.

Something important to be aware of: Insurance companies usually view computer crime differently from cybercrime. Most computer crime insurance covers financial losses caused by employee dishonesty or error, physical damage to computing equipment, etc. Computer crime insurance typically covers business losses directly due to external operators misappropriating or misusing confidential information. Cybercrime losses covered typically include those caused by a security breach, fraud, or damage caused through access to data via the internet, etc. This is often carried out with the unwitting assistance of the company's employees, such as through phishing scams.

However, some countries, US government agencies, state and local governments, and various types of law enforcement groups use the terms “computer crime” and “cybercrime” interchangeably.

Q: What are some computer crimes committed in the healthcare industry? How does HIPAA impact the organizations experiencing these crimes?

A:  Ransomware, data theft through hacked systems and from insiders, distributed denial of service (DDoS) attacks, medical identity theft, and malware (viruses, worms, etc.) have been longtime computer crime problems. Surveillance through internet of things (IoT) devices is becoming more common. 

A new report, “Current and Emerging Healthcare Cyber Threat Landscape” from Health-ISAC and Booz Allen Hamilton, reveals some new computer crimes and cybercrimes. It reports that synthetic accounts are increasingly used to commit healthcare fraud and other cybercrimes. Criminals have used synthetic accounts for many years to commit financial fraud, but the healthcare application is relatively new.

Cybercrooks are exploiting healthcare website portal vulnerabilities with increased frequency. They use weak authentication credentials to gain access to patient information and associated health records. Another somewhat new, increasing activity is nation-state hackers targeting healthcare organizations to disrupt services and redirect digital payments.  

Certainly, HIPAA will apply when such computer crimes occur. The Security Rule requires ongoing risk management activities and the implementation of appropriate safeguards to mitigate the identified risks, including those new and emerging risks. If organizations do not stay on top of mitigating all risks, from the longest existing to the brand new, they will also face HIPAA non-compliance penalties, along with experiencing security incidents and privacy breaches resulting from computer crimes.

Q: What do you think about the privacy of the Clue tracker app?

A: Clue is described on their site as: “Clue is a period tracking app, a trusted menstrual health resource, and a thought leader in femtech. By combining science and technology, we are actively changing the way people learn, access, and talk about menstrual and reproductive health around the world.”

The founders provide a statement that they strongly protect the data they collect and that they do all they can to protect the data, and even call upon governments throughout the world to implement regulations that “guarantees the protection of health data against misuse, and helps consumers understand which apps actually work.”

The statements about health data privacy and security sound good so far. Let’s look at their privacy policy and terms. Their privacy policy points to a detailed description of what happens to your data after it has been collected. They provide the expected rights to their customers for their associated data and also give them choices for de-identified data, which we’ve not seen other companies do. 

We did cringe a bit to see that they allow login using Facebook, Apple, and Google credentials to authenticate to the app. We understand the effort to make authentication so that it is not as much of a hassle. However, those tech companies have had so many breaches we would advise against using them. It is always best not to use social media login credentials to access confidential personal data, such as health data, financial data, and other data that you would not want the whole world to know.

We are basing our opinion solely on their website information, and we haven’t done any technical testing. With this in mind, the short answer to your question is that the Clue app appears to provide more privacy protections and options than the other trackers of reproductive health data and associated events and activities. If you end up using Clue, please let us know if you discover any privacy or security concerns from actively using it.

Q: I love TikTok! What crimes are occurring through it? I’ve seen none! What are the security and/or privacy concerns and problems everyone is so worked up about?! 

A: TikTok brings all the same security and privacy risks that other social media sites and apps bring; tracking locations, vacuuming up data from the devices where they are used, and more. Beyond all these widespread types of security risks, you may have additional risks.

At least four possible types of security risks to national security have been identified by various federal agencies and other national security folks. Risks that:

• The company that owns TikTok, ByteDance, which is based in Beijing, China, is gathering all the data possible from TikTok users and then will weaponize that data in some way.
• The microphones and cameras of the devices where TikTok is loaded will be surreptitiously turned on without the users knowing, allowing for conversations and information in the vicinity to be spied upon.
• Information seen as damaging to China will be censored, and information that is not harmful to China will be the only information allowed.
• China will use TikTok to disrupt US society. Research published by Global Witness and the Cybersecurity for Democracy team at New York University gave an example when they suggested TikTok failed to filter large volumes of election misinformation in the weeks leading up to the US midterm elections November 2022.

TikTok also puts the personal data of others who don’t even use TikTok at risk.

And, while it is not a security risk of TikTok per se, many cybercrooks have been making fake TikTok apps for the past few years, such as a widely used scam app called TikTok Pro, to trick people into using them. Then they planted and spread malware, ransomware, taking over the device the app is loaded on, and vacuuming up even more data beyond the other types of data other apps can access. 

Q: Is ChatGPT being used for cybercrime?

A: Yes, it already is being used for such purposes. Here are two situations to consider.

A tainted version of the legitimate ChatGPT extension for Chrome was made available on the Chrome Web Store around February 14, 2023. It was designed to steal Facebook accounts and was downloaded and used by over 9,000 users. Once installed, and the users have allowed cookies to be used (which almost all do), the malicious code steals Facebook session cookies which the attackers then use to log in to the victim’s Facebook account and take over it and commit a wide range of crimes, such as identity fraud, using the Facebook credentials to log into other accounts, and other mischiefs. 

With regard to using the legitimate ChatGPT tool, there are concerns that people are asking questions and otherwise feeding information into the tool that includes their own personal data or the personal or otherwise confidential data of others. The risk is that such data is now within the ChatGPT system and available to be included in the answers that ChatGPT provides to all other users, exposing that personal data to misuse. 

ChatGPT requires vast amounts of data to train and improve its language processing capabilities, including the data provided within interactions. Sensitive information such as personal information, financial data, and confidential business information may be revealed to those who will use it for malicious purposes, which could cause significant harm to the associated organizations and individuals, including (but not limited to) economic loss, reputational damage, and legal liabilities. This is one of the important reasons for organizations to establish policies and procedures now that govern the use of ChatGPT and other similar types of AI tools.

To learn more about this topic, consider watching a conversation I had recently in a webinar, “Large Language Models (LLM) and the future of education and law,” with Tara Taubman-Bassirian, LLM, a French privacy advocate based in the UK, and Richard Self, lead academic on a KTP with Aquis Exchange, where we included discussion of such risks of ChatGPT.

Q: Is ransomware getting worse, or is it decreasing in occurrences?

A: Ransomware is evolving into a set of crimes expanding beyond simply requiring a ransom to decrypt data taken hostage. We’ve long seen the opportunities for cybercrooks to keep copies of the data that they are encrypting for ransom and then sell it and use it for other types of cybercrimes. Yes! The crooks finally admitted a few years after we pointed out this likelihood that they were actually doing such activities. Of course, they would! Crooks will do what makes them money.

According to the new Palo Alto Unit 42 research report, “Ransomware and Extortion Report 2023,” ransomware crooks threatened to leak data from victims in about 53% of ransomware incidents between mid-2021 and late 2022. This has been an effective tactic, which has led to a 30% increase in using this data-leak extortion tactic. Additionally, DDoS attacks against victims are increasing for those that refuse to pay the ransom. And another emerging and increasingly used tactic is harassing ransomware victims when they refuse to pay the ransom. As described in the report:

“Threat actors call and leave voicemails for corporate executive leaders and other employees, send emails to personnel, or disclose victims’ identities on a leak site or social media. The purpose of these activities is to make it uncomfortable for an organization to avoid responding to the threat actors and their demands. Not only is the organization faced with responding to a ransomware incident, but now they also have a personnel public relations situation to deal with. During an 18-month span between May 2021 through October 2022, harassment as an extortion tactic grew from an average of <1% of Unit 42’s monthly ransomware cases to a monthly average of approximately 20%.”

Q: What computer crime cases would you recommend learning more about to anyone wanting to know more about such crimes and how they were committed?

A: Wow! I know of so many! Where do I start? One of the reasons I started my own podcast/radio show back in 2018 was to give me a good reason to reach out to people to discuss their own experiences, so others can learn from them. I’ve been grateful to have many people involved in such cases agree to be guests on my Data Security & Privacy with the Privacy Professor show. I recommend you listen to these episodes to learn more about the very wide range of computer crimes they describe. No matter how long ago these crimes took place, the same tactics could still be successfully used today, sometimes using newer technologies, but still, the tactics are similar. 

• How Rob Sand Caught the Criminal Who Committed the Largest Lottery Fraud in History Listen Now
• Catching KGB Hackers with 75¢ and a 2400 Baud Modem Listen Now
• Computer Hacking Crimes and Prosecutions (including the prosecution of Robert Tappan Morris, who unleashed the infamous Morris Worm). Listen Now
• Identity Fraud and Theft: Don't Be a Victim! Listen Now
• Curious Cases of Catphishing Executives and IT Pros Listen Now
• How Stalkers & Assaulters Track & Find Victims with IoT Tech Listen Now
• Fighting International Cybercrime and Cyber Security Threats Listen Now
• Cybercrime Trends and Changes in the Past 3 Decades Listen Now
• Defending Against Nation-State Hacking & Cyber Warfare Attacks Listen Now
• IoT Data Creates Frankenstein Profiles Claiming to Be You Listen Now
• Let’s Stop the Robocall Scammers! Listen Now
• A Cybersecurity Expert’s Real-Life Identity Theft Experience Listen Now
• “Romance Scammers Have Used My Photos Since 2016” Listen Now

Here are some other cases that I recommend you read about, learn about, and apply the associated lessons learned to your own life and work activities to help prevent similar crimes from occurring.

• A Byte Out of History: $10 Million Hack. A Russian’s hacking of a U.S. bank in 1994 may have been the first online bank robbery.
• Botnet Operation Disabled. Thieves tracked keystrokes on two million infected computers to steal users' information.
• The Billion Dollar Bubble. One of the largest frauds in insurance and stock market history is the Equity Funding Corporation of America (Los Angeles) fraud. This film deals with the creation, maintenance and coinsurance of bogus insurance policies by means of computer fraud.
• Stuxnet, the world's first digital weapon to cause physical harm. 
• Hotel managers and clients had nightmares due to one lock hack. Chaos resulted, panicking hotel managers and their customers after a burglar used online hacking tools to bypass the electronic locks on the guests’ doors.

Do you have others to add to my list? And some folks who have been involved with discovering, investigating, and/or solving computer crimes that you recommend I consider having on my show? Please, let me know!

• The US Federal Trade Commission (FTC) for their Cybersecurity for Small Business resources, Great stuff!
• The US Department of Agriculture for performing Privacy Threshold Analyses (PTAs) to determine if an information technology system contains personally identifiable information (PII), whether a privacy impact assessment (PIA) is required, whether a system of records notice (SORN) is required, and if any other privacy requirements apply to the system.  
• The US Federal Communications Commission (FCC) for proposing an update to the data breach rules. 
• Palo Alto and Unit 42 for their research report, “Ransomware and Extortion Report 2023"
• Health-ISAC and Booz Allen Hamilton for their new report, “Current and Emerging Healthcare Cyber Threat Landscape.” 

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 

We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page.

We just released our latest course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors. Please check it out! 

We have updated and reorganized our Privacy & Security Brainiacs home page. We have also updated our “Online Learning” landing page. The courses provide real-world examples and advice, and the quiz questions support critical thinking, which results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard of before. 

We have also created a landing page for our new Master Experts “Online Education” services.

Students of each class receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Have questions about our education offerings? Contact us!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:

Source: Rebecca Herold. April 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn. 

When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at [email protected]. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.