Ending the Year on a High Note
Mine is a family of music lovers (as evidenced by several photos below of my sons throughout their life playing various instruments, and a couple of me, as well).

While enjoying performances looks different these days, it's important to support the artists suffering greatly, financially speaking, from the impacts of COVID-19. If you have the means, find a way to experience music and support musicians this holiday.

Researchers have found (and I agree!) that music is good for the brain and for thinking processes, and, I believe, for our souls. Musicians will certainly help us end 2020 on a high note!
New Look and Feel

You may notice a few style changes to the Tips. One is the use of a bold, amber font to draw your eye to key points. Let us know if you find it helpful.
December Tips of the Month

  • Data Security & Privacy Beacons

  • 20 Gift Ideas for Privacy Fans

  • Secure Messaging is Not Foolproof

  • U.S. Election "Most Secure in History"

  • From the Desk of the T-Mobile Cybersecurity Engineer

  • FRESH PHISH: Facebook Phisherman

  • 3 Warnings You'll Want to Read

  • READER QUESTION: When is 2FA Worth the Effort?

  • Where to Find The Privacy Professor
Data Security & Privacy Beacons*
People and places making a difference
Global Privacy Control was built to enable users to control how their data is collected, shared and sold. Because trackers that collect as much info about us as possible are hidden within most websites, this is a privacy problem begging to be solved. Here's hoping this solution works and gains a good-sized userbase. There are some large organizations involved, which I imagine provides a lot of support for the initiative.

Canada's Innovation Minister Navdeep Bains has introduced a new law that would, among other things, force an organization to stop collecting data or using personal information if it violates Canadians' privacy. The Digital Charter Implementation Act would complement two of the country's previously established laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act.

Jacinta González and the Dutch privacy group SOMI are doing an excellent job of raising awareness around data analytics firm Palantir's data privacy practices. Jacinta was a recent guest on my podcast Data Security & Privacy with The Privacy Professor. Together, we talked through several issues related to surveillance, including how widespread these privacy-violating practices really are.

The U.S. Internal Revenue Service (IRS) is taking action to protect taxpayer privacy, something desperately necessary as we head into what could be one of the worst years for tax-related identity theft and related fraud. Among the steps the IRS is taking is the masking of sensitive data on business tax transcripts.

Kim Komando always does a nice job alerting consumers to tricks and traps that could cause them financial, reputational or safety harm. In a recent article, the online publication prepared a simple explainer on how to "take back your privacy" from smart TV manufacturers and streaming video channels.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
20 Gift Ideas for Privacy Fans
Check off your shopping list with these pro-privacy presents
It's easier than ever to find a privacy-friendly gift. Here are 20 great ideas for gifts that can enhance privacy beyond what is provided by the associated devices or products.
Happy shopping!

  • Privacy filters for computer and device screens
  • UPS (uninterruptible power supplies) and surge protectors
  • Backup USB or hard drives
  • Cable locks to prevent your computing device from being moved or taken
  • Remote locator, data wiper and activity logging/recording tools
  • Portable battery charger
  • Anti-malware software subscription
  • Backup service subscription with strong security and privacy practices
  • Encrypted USB drives for storage and sensitive docs
  • Webcam covers
  • Green screen with a background generator tool
  • RFID sleeve or wallet to protect credit cards, passports, etc.
  • Juice jack defenders
  • Portable VPNs
  • Pickpocket-proof clothing
  • Two-factor authentication hardware
  • Offline password manager
  • Microphone blocker
  • USB port blocker
  • Call blocker for landline phones
Secure Messaging is Not Foolproof
Apps provide no privacy guarantee
Typical SMS text messages can be intercepted and read by third parties. Popular messaging apps like WhatsApp, Signal and Telegram, though, are designed to make messages unreadable by anyone other than the sender or recipient. 
These apps rely on a cipher to convert information into what looks like random characters or symbols. It's a good practice, but it's not perfect. Why? Because of the human factor: anyone with the encryption and decryption keys can access the encrypted messages. So if those folks are compromised by social engineers, or they are investigators who have been entrusted with such keys, that encryption will do no good.
Fortunately, that was the tough lesson learned by the group of alleged conspirators plotting the kidnapping of Michigan Governor Gretchen Whitmer. In their case, law enforcement was able to read what they likely thought were private messages via a confidential FBI informant who was in on the group chats. (BTW, this is proof government-sanctioned encryption backdoors are not necessary; embedding personnel with suspected crime rings has worked successfully for centuries! See below for more on this...)

The key takeaway: Secure messages on your phone can be accessed, with or without an encryption app. Here are just a few of the ways that can happen:
  • Anyone included on a message could share it with someone else.
  • Your messages could be read by anyone who happens to see your screen or pick up your device, especially if you don't lock it.
  • Your messages could get into the hands of law enforcement if they obtain a warrant and the carrier provides access.
  • Malicious software can be installed on your phone giving someone the ability to read your messages.
  • Phone monitoring software, called stalkerware, is used to spy on spouses or partners. Wired.com explains how to check for stalkerware.
  • Encrypted messaging apps may use unencrypted cloud backups.
  • Encryption may be available, but not enabled. Most iPhones automatically encrypt information when a phone is locked; however, for most Android devices encryption must be turned on.
  • Encryption apps could be subject to code vulnerabilities.

Backdoors are dangerous

Several misguided groups, countries and individuals are trying to compel tech companies to create backdoors to encryption. Simply put, this is a bad idea. Infiltrating and accessing messages is a much better way to combat criminal activity.

Backdoors are hardly for white-hat use only. Creating a backdoor can enable criminals, just as easily if not more so than law enforcement, to read encrypted files. It's just not worth the risk.

Again, encryption is good, but it's just one layer. Be sure to also deploy classic tactics like the ones regularly emphasized in the Tips Message: Create strong passwords, update them regularly, don't share them with others, lock your devices and never rely blindly on one single technology to keep your data secure and private.

For more insights and facts about encryption, and why building backdoors into encryption is a very bad idea, see the following from folks who have spent their entire careers studying and actively working with encryption in practice:

U.S. Election "Most Secure in History"
Agency releases evidence-based report
On November 12, 2020, the Elections Infrastructure Government Coordinating Council and the Election Infrastructure Sector Coordinating Executive Committees released a joint statement saying, “The November 3 election was the most secure in American history.”

The agencies go on to say there is no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised.
Christopher Krebs, the head of the Cybersecurity and Infrastructure Security Agency (CISA), also clearly explained why it was so secure in an informative interview he gave on 60 Minutes on November 29. Give a listen if you have any doubts about the security and results of the US general election. 

This makes complete sense. For the last four years, Secretaries of State and their teams, as well as a large number of data and cyber security experts who specialize in elections security, have been heavily focused on this election. When the pandemic hit, those teams had an additional hurdle to overcome. Yet, the various challenges of COVID-19 apparently did not deter them from working to ensure Americans were able to vote safely and securely. It’s comforting to learn that different states and federal government agencies of multiple political parties, as well as those who are independent, are saying the security worked – that these four years of ramping up were worth the effort. 

Voter security has been a hotly contested topic, and I’ve devoted numerous radio shows to it. You can listen to any of the episodes on-demand at Voice America or on your favorite podcast app:

Each of the above episodes features noted experts in their fields, which is really key when discussing topics that, unfortunately, get tangled in political messes. It’s important to look to people who know technology and procedures to find out what they are really seeing.
From the Desk of the T-Mobile Cybersecurity Engineer
Podcast guest shares privacy point of view
I am thrilled to be speaking with Dr. Cheryl Cooper, Cybersecurity Engineer for T-Mobile. Cheryl agreed to be my guest on the latest episode of Data Security & Privacy with The Privacy Professor.

Women and people of color are still a woefully small percentage of the IT and cyber/data/network/applications security workforce. Lack of diversity like this results in weak and flawed IT, security and privacy practices, applications, networks and data protection. Dr. Cooper and I discuss related issues, including:

  • How and why Dr. Cooper is working to change society through her mentoring work.
  • Advice Dr. Cooper has for displaced workers in their 40s, 50s and beyond, with no IT or cybersecurity background, who would like to start a cybersecurity career.
  • Common challenges that all ages of women and people of color face in cybersecurity careers, as well as the type of support members of WINS can provide. (WINS is a mentoring group Dr. Cooper founded.)
  • Dr. Cooper’s greatest career achievement.
  • Advice Dr. Cooper has for those who would like a career in cybersecurity but do not know where to start.

The episode will air first on Saturday, December 5 at 10am CST and then be available on-demand online and in your favorite podcast app. After you listen in, please share your perspective. I always love to get feedback on the show's topics and guests. It helps our team create even more applicable episodes in the future.
FRESH PHISH: Facebook Phisherman
Friend request goes awry
When “Kelvin Cork Morgan” sent me a friend request on Facebook, it appeared at first glance to be legitimate. I'm always open to new connections... after I complete some due diligence, of course.

The first thing I typically do is investigate how long the person has been posting on whatever channel they are asking to connect on. "Kelvin" passed that test. He appeared to have been posting on Facebook since 2018. Next, I checked to see if he had engaged with any online posts that were not his. As I was checking, he actually "liked" a few of my own posts. After that, I checked to see if he had "liked" any groups that would fit where he (purportedly) lives or the posts that he had liked. And, he actually did.

As an additional step, I performed an image search on his profile picture. Wouldn't you know it... "Kelvin's" headshot appeared in multiple places across the web, each with a different name. Either he was a prolific scammer or his picture had been taken over by one. Big red flag.

I shared the fact I'd been doing some research with "Kelvin." Scammers are typically scared off by this and either disappear, deleting their profile forever, or they simply let the request drop. "Kelvin," however, was not deterred. In fact, he expressed concern about his photo being all over the Internet, and we had a fairly intelligent back-and-forth. Here's just a tiny snippet.
Although our dialogue was conversational, something just didn't feel right, so I continued chatting with him. If he was a scammer, I wanted to see how far he'd go. If he was a victim, perhaps I could help.
Not too terribly long after I began providing tips for how "Kelvin" could protect himself, the conversation dropped. When I searched for the "Kelvin Cork Morgan" profile five days later, it was no longer on Facebook. Imagine that...after being an active profile on Facebook for almost three years! I wonder how many people he deceived during that time.

NOTE: As of the publication of this Tips issue, "Kelvin" is back on Facebook with five different profiles, all under the name "Kelvin Cork." Each uses the same photo, but with slightly different info about himself. And, at least one of these profiles contains likes and comments from folks in India, where many catphishing scams originate.

I've notified Facebook about these accounts. It appears the catphishers really like this man's photo, and the name "Kelvin Cork"!
Aside from the relatively "normal" conversation this catphishing artist and I had, another thing stood out to me. "Kelvin" had been liking a few of my posts for several days before asking to connect. He'd also posted to groups and pages I frequent. That's a lot of time to invest in a catphishing scam, and a pretty strong indication of the return on investment these con artists get from their tactics.
Digital criminals are becoming increasingly adept at making their schemes seem believable. Many have the help of advanced technology, such as artificial intelligence and automation, which helps them scale these scams across many different people and accounts at the same time.
As we go into the holidays and people are feeling especially open (or lonely), it's really important to have your guard up against friend requests from people you don't know. Trust your gut, perform your due diligence following the steps I recommend above... and never connect until you are satisfied the individual is legitimate. 
3 Warnings You'll Want to Read
Life in the "new normal" presents modern risks
The global outbreak of COVID-19 changed so many things it's difficult to keep track. From health worries to work-from-home to financial stressors, scammers have several new areas of exploitation through which to lay their traps. Read on for just a few of the emerging risks presented by the "new normal."

Drug Infusion System Flaw Could Lead to Attack: Newly discovered authentication weaknesses open healthcare systems up to denial-of-service attacks. At a time when the system is already overtaxed by the pandemic, this kind of cyber assault could have serious implications for patients, perhaps even death. This is one more reason it is so critical to have information security experts on staff at, or helping, hospitals and clinics while our overworked and brave front-line healthcare workers depend heavily on networked devices to save their patients, especially as ransomware attacks against healthcare providers are also increasing dramatically.

Tips to SEC Surge as Working From Home Emboldens Whistleblowers: People working remotely may have a false sense of privacy. Lawyers believe this is contributing to the 35% increase in complaints and referrals of possible corporate wrongdoing the SEC received from mid-March to mid-May 2020. Do your work-from-home information security and privacy policies cover these issues?

US Government Clears Debt Collectors to Go After Americans through their Social Media Accounts: Your next friend request could be from an agency collecting on an unpaid medical bill or car payment. Keep this in mind, however: The new law allows you to direct a bill collector not to use social media to contact you. If you do, they must stop. And, if you want to take an additional step, you can report the incident to your State Attorney General's office and the SEC. 
READER QUESTION: When is 2FA Worth the Effort?
I use different, strong passwords for every site. I know 2-factor authentication is even more secure. However, how do I know when the added security is worth the effort?

Perform a quick risk assessment. Ask yourself, if someone got into the account, how much damage could they do?

Would they be able to access your personal data, which may lead to identity theft and fraud? Could they determine your location, putting your physical security at risk? Might they even be able to change your data, resulting in erroneous medical or financial records? Would they be able to steal your money or other assets by siphoning them from your accounts to theirs?

If the potential harm outweighs the hassle of multiple passwords, it's worth it.

An alternate, simplified tactic is to use different passwords for different types of accounts. For example, use one password for your personal social media accounts, but do not use it for access to your employer's systems. Use one password for your deposit accounts and a different one for your credit cards.

What do you think of LastPass?

I can offer two warnings:

  1. LastPass Families stores your passwords in its cloud. That becomes a single point of failure for you and all your passwords. Even if it's not breached, it can experience downtime or outages. The more sensitive the data, the more reason not to store it in the cloud.
  2. LastPass has already experienced a major security breach. But, they are certainly not alone. Every type of technology is susceptible to breaches (and outages!).

I recommend offline password managers instead.
Where to Find the Privacy Professor
Here are just a few of the podcasts I've visited recently.
On this Trility podcast, we discussed infosec and privacy specifically for senior living facilities.
Listen in to learn more about pandemic-era threats to consumer data security and privacy. 
The topic here was how to protect your home, kids, finances, health data and business from hackers. 
Privacy Piracy
It's always a pleasure to talk with Mari Frank. My recent visit to her show, Privacy Piracy, was a blast. We discussed the many different facets of data security and privacy within work-from-home circumstances, which happens to be the basis of both my new service Privacy Brainiacs and my upcoming book, "Security & Privacy When Working from Home & Travelling."
A couple recent industry articles to which I've contributed thoughts...
Defense-in-Depth (DiD) Strategies: Protect Higher Ed Users Against Cyberthreats
VA Did Not Disclose Huge Data Breach for 7 Weeks
My Radio Show
If you haven't checked out my radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss a wide range of real-world topics within the data security and privacy realm.

Latest Episode

Coming Soon!

NIST Wants Your Feedback
In this video, Michael Fagan, technical lead for the NIST Cybersecurity for IoT program, and I, a subject matter expert (SME) on the NIST Cybersecurity for IoT program team, describe the path that led to the GitHub posting and its role in developing the Federal Profile.
Help Wanted: Growing a Workforce for Managing Privacy Risk
I was honored to be part of all three days of this important NIST virtual workshop, hosted by IAPP.

See the closing session, which includes takeaways from each of the breakout session leaders.

Cybersecurity Risks in Consumer Home IoT Products
Especially ahead of the holiday buying season, this session contains vital information for consumers.

Watch Part 1 of the workshop, which highlighted many considerations impacting the cybersecurity of IoT products.
Music to Our Ears
Human ingenuity has combined with digital technology in really surprising and beautiful ways this year. For instance, our family has really enjoyed watching the Des Moines Symphony's artists play for us over Zoom from the safety of their own homes.

If you have tips for how to enjoy the arts during lockdown, please share them. And, any feedback you're willing to provide about the Tips is always welcome... compliments or constructive criticisms... are all music to our ears!


Photo on the right courtesy Des Moines Symphony. Donate here!
The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. December 2020 Privacy Professor Tips. www.privacyguidance.com.

NOTE: Permission for excerpts does not extend to images.