Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.
Bad Guys Look for Devices You Love
2022 kicked off with more cybersecurity threats from more sources than ever. Some of those sources include systems and devices we’ve loved using for decades. Who knows how many times bad guys have exploited that love?
News of these threats is prompting lots of questions from readers. Thank you for submitting them and your feedback on the most-read sections of the monthly Tips messages.
The Q&A, Privacy Beacons and pointers to sharable resources continue to be our most popular features.
Keep the questions and feedback coming. Your input is what motivates us!
Rebecca
We would love to hear from you!
February Tips of the Month
- Iowa Data Privacy...For the 14th Year in a Row!
- Safer Internet Day
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons
- Privacy & Security News
- Where to Find the Privacy Professor
Iowa Data Privacy Day…Once More!
January 28th
We mentioned in the January Tips that we had not heard from the Iowa Governor’s office about whether or not she would once more approve our request to proclaim January 28 as Iowa Data Privacy Day. We are happy to report that for the fourteenth year in a row, Iowa’s governor has proclaimed January 28 to be Iowa Data Privacy Day! The proclamation has now been issued across three different governor terms, including two Republicans and one Democrat, underscoring the critical and bipartisan nature of data security and privacy.
The Iowa holiday is held in conjunction with International Data Privacy Day, which was originally known as European Data Protection Day, introduced by the Council of Europe in 2007. Two years later on January 26, 2009, the US House of Representatives unanimously declared January 28 as National Data Privacy Day. For its part, the US Senate declared National Data Privacy Day to be January 28 in 2010 and 2011.
Since 2009, Rebecca has worked with the Iowa Governor’s office annually to support the formal proclamations of Iowa Data Privacy Day.
Safer Internet Day
February 8th
In honor of the holiday, Privacy & Security Brainiacs offers the following three suggestions for improving internet security:
- If publicly available, remove your personal data (e.g., birthdate, phone number and email address) from all sites, including social media. Besides the human crooks who use this otherwise private data in harmful ways, millions of automated bots scrape the info and compile it into huge databases that get sold to other criminals.
- Perform an online search for your name and/or your children’s names. If you find anything you don’t want published, get in touch with that website. As an example, you can submit a request to Google to remove harmful content.
- Set up an automated search for your name at Google.com/alerts. You’ll receive alerts whenever new posts are made containing your name.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
We have gotten so many fantastic questions since the last Tips message; thank you. Keep ‘em coming!
Q: My neighbor's car was stolen. It has a wireless remote key fob. The police said the crooks used the key fob to steal the car. How is this possible?
A: Keyless entry and start systems unlock and start the vehicle when the car’s short-range radio challenge is answered by a paired key fob. The car takes a valid answer as proof that the fob is within a few feet of it.
Researchers have shown these systems are vulnerable to what are called “relay attacks,” which are now routinely used to steal cars. When someone touches the door handle, the car broadcasts a low-power “wake” message carrying its identifier, and anyone nearby can pick it up. One thief holds a relay box beside the car; a second holds one near wherever the fob is (often just inside the front door of the house). The first box forwards the car’s challenge to the second, the fob answers as if it were standing next to the car, and the answer is forwarded back. The thieves never learn the fob’s secret key and do not need to understand the messages at all; they simply extend the radio range.
Manufacturers are slowly adding countermeasures to key fobs and cars, such as fobs that go to sleep when they have not moved for a while, and cars that measure how long the fob’s reply takes to arrive (a reply that comes back too slowly cannot have come from a fob beside the car). How well these mechanisms hold up has not been widely or independently validated.
In the short term, owners of keyless entry and start vehicles should keep the fob in a Faraday bag or a closed metal box whenever it is not in use. A refrigerator is sometimes suggested, but it is not a reliable shield. Whatever container you use, test it: stand next to the car with the fob inside the closed container and try the door handle. If the car still unlocks, the container is not blocking the signal. A properly shielded fob never hears the relayed challenge, so it never answers, and the thieves have nothing to forward.
Of course, car owners should still take all the usual precautions, like locking the car and keeping keys outside of the vehicle when not in use.
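To show why relaying works even though the fob’s reply is cryptographically protected, here is an added example; it is not code from the Tips message or from any vehicle maker. It models the car/fob exchange as a plain HMAC challenge-response with simulated round-trip times. The key, the timing constants and the 100-microsecond bound are assumed values for the demonstration, and real vehicles use their own radio protocols and ciphers. The relay forwards the bytes without understanding them, which is all a relay box does.

```python
import hashlib
import hmac
import os

# Shared secret between one car and its paired fob (constructed for this example).
PAIRED_KEY = os.urandom(32)

# Simulated radio timing (assumed values, not taken from any vehicle specification).
LEGIT_ROUND_TRIP_S = 20e-6   # fob right beside the car
MAX_ROUND_TRIP_S = 100e-6    # bound a distance-checking car would enforce


def fob_respond(fob_key, challenge):
    """The fob answers any challenge it hears with an HMAC under its key.
    It cannot tell whether the challenge came from the car or from a relay box."""
    return hmac.new(fob_key, challenge, hashlib.sha256).digest()


def car_accept(car_key, challenge, response, round_trip_s, max_round_trip_s=None):
    """The car accepts if the response is cryptographically valid and, when a
    time bound is configured, arrived fast enough to have come from nearby."""
    expected = hmac.new(car_key, challenge, hashlib.sha256).digest()
    crypto_ok = hmac.compare_digest(expected, response)
    timing_ok = max_round_trip_s is None or round_trip_s <= max_round_trip_s
    return crypto_ok and timing_ok


def legitimate_unlock(max_round_trip_s=None):
    """Owner standing at the car with the fob in their pocket."""
    challenge = os.urandom(16)
    response = fob_respond(PAIRED_KEY, challenge)
    return car_accept(PAIRED_KEY, challenge, response, LEGIT_ROUND_TRIP_S, max_round_trip_s)


def forge_without_key(max_round_trip_s=None):
    """Thief at the car with no relay and no key: a guessed response fails."""
    challenge = os.urandom(16)
    response = hmac.new(os.urandom(32), challenge, hashlib.sha256).digest()
    return car_accept(PAIRED_KEY, challenge, response, LEGIT_ROUND_TRIP_S, max_round_trip_s)


def relay_unlock(relay_latency_s, max_round_trip_s=None):
    """Two-box relay: box A by the car forwards the challenge to box B near the
    fob (inside the house); the fob answers; B forwards the answer back to A.
    Each relay hop adds latency, and the relay never touches the key."""
    challenge = os.urandom(16)
    relayed_challenge = challenge                      # forwarded bit-for-bit
    response = fob_respond(PAIRED_KEY, relayed_challenge)
    relayed_response = response                        # forwarded bit-for-bit
    round_trip_s = LEGIT_ROUND_TRIP_S + 2 * relay_latency_s
    return car_accept(PAIRED_KEY, challenge, relayed_response, round_trip_s, max_round_trip_s)


def shielded_fob_relay(relay_latency_s, max_round_trip_s=None):
    """Fob inside a working Faraday bag: the relayed challenge never reaches it,
    so the car receives nothing to verify."""
    challenge = os.urandom(16)
    response = b""   # nothing came back from the fob
    round_trip_s = LEGIT_ROUND_TRIP_S + 2 * relay_latency_s
    return car_accept(PAIRED_KEY, challenge, response, round_trip_s, max_round_trip_s)


if __name__ == "__main__":
    print("owner, no time bound:      ", legitimate_unlock())
    print("thief without key:         ", forge_without_key())
    print("relay, no time bound:      ", relay_unlock(2e-3))
    print("relay, time bound enforced:", relay_unlock(2e-3, MAX_ROUND_TRIP_S))
    print("relay, fob shielded:       ", shielded_fob_relay(2e-3))
```

With a 2 ms relay hop the relay succeeds against a car that only checks the cryptography, and fails as soon as the car also insists that the reply arrive within the bound; the shielded fob fails regardless, because it never answers.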
Q: We just upgraded from Windows 10 Pro to Windows 11 Pro. We are a small healthcare laboratory clinic obligated to comply with HIPAA. Is the Windows 11 Pro operating system in compliance with HIPAA?
A: Windows 11 (including the Pro version) generally has the same security capabilities as Windows 10. It even has some additional security features. More importantly, Windows 11 is supported by Microsoft so you will get all the necessary updates, including security patches, as they become available.
That said, simply using Windows 11 and its associated upgrades does not make your organization HIPAA compliant. You must configure your Windows 11 Pro system to meet HIPAA requirements, as well as any additional requirements dictated by your internal policies, external contracts, state and local laws or industry standards (e.g., PCI DSS). This goes for all technologies that can support HIPAA compliance. In and of themselves, they are not “HIPAA compliant.” (Be wary of vendors that make this claim.)
For any readers who are considering “avoiding the hassle” by remaining on Windows 10, be warned. After October 14, 2025, the date Microsoft will stop supporting Windows 10, machines still running it will no longer receive security patches. Running an unpatched, unsupported operating system on systems that handle protected health information is very hard to reconcile with HIPAA’s technical safeguard requirements, and your required risk analysis would have to document it as a known, unmitigated risk.
Q: I got a message through Facebook Messenger that said I was selected to win $100k. Then, a person in one of my Facebook groups sent me a message saying they received a similar notification, and that after they provided $2,000 for processing fees, they really got the money deposited in their bank account. This seems too good to be true. Am I right? Is this a popular scam you may want to warn other Tips readers about?
A: Yes! This is a years-old scam that has successfully victimized many Facebook users. Why? Because people continue to fall for it, and the crooks are getting rich. If it ain’t broke, don’t fix it. No legitimate lottery or prize requires you to pay a fee before you receive your winnings, and the group member who “confirmed” it paid off was very likely part of the scam or posting from a hijacked account. Facebook provides some pretty good information about the lottery scam and others online. Check it out and share the warnings (and your own cautionary tale) with others.
Q: I listened to one of Rebecca’s recent podcasts during which she warned against putting personal data online. She described how easy it is for people to use web scraping to collect it. What does “web scraping” mean?
A: Web scraping, also called data scraping, is collecting data, including personal data, from a website, social media site or any other online property. It can be done by hand by an individual or an organization, but far more often it is done by automated programs (bots) that fetch pages and pull out the fields they want, at a scale no person could match.
Many legitimate businesses use web scraping as part of their business practices, such as for creating marketing lists, searching for job applicants, analyzing student applications, or researching employees, customers, insurance claimants – the list is endless.
Most of these activities are not illegal, but some violate one or more laws. Businesses need to be careful, as data privacy rules and regulations are changing rapidly. A long-time web scraping practice could be prohibited at any point in time, given the large volume of ongoing new laws, regulations and standards.
Q: I am ready to punch a wall! For the third time now, I received an email that appeared to be from one of my friends and two different family members! I won’t even talk about the filthy content in the message. It is embarrassing! For both me and those I contacted about them. How can we keep these messages from going out to people with their, or my, email addresses on the “From:” line?
A: Unfortunately, it is easy to spoof an email address: the mail protocol delivers whatever “From” line the sender types, and that same flexibility is relied on by legitimate mailing lists, forwarding and “send on behalf of” features, so it is not going away. You generally cannot stop someone else from putting your address, or your friends’ addresses, on their messages. If you own the domain the address is on (a business domain, rather than a consumer webmail domain), you can publish SPF, DKIM and DMARC records for it so that receiving mail servers reject or quarantine forgeries of it. If the content makes certain types of threats, or presents a potential threat to national security, you can get the FBI and other law enforcement involved to investigate, and lawyers for any harms experienced. Beyond that, the practical defense is recognition: there are signs that a message is spoofed, and pointing them out validates to the recipients that you really didn’t send it. This makes it important for everyone using email to know a few of the indicators.
Look at the email headers. In Outlook, open the message, click “File” at the top of the page, then click “Properties.” The “Internet headers” box at the bottom holds them. Find the “Return-Path” line and compare it with the address in the “From” field shown at the top of your message, and with the “Reply-To” line if there is one. They should be the same address, or at least the same domain. Also look for an “Authentication-Results” line: that is where your mail provider records whether the sending server passed the SPF, DKIM and DMARC checks, and “dmarc=fail” or “spf=fail” next to a friend’s domain means the From address was forged. There is a lot of text in that box, so you will likely need to scroll down. Here is an example of what those fields look like in a message that came from my friend Christine (we’ve X’d out her real email address, and we’ve snipped out most of the lines that have nothing to do with spoofing, so you will most likely see many other lines between the ones shown below):
From: Christine XXXXXXXXXXXXXX <christine@ XXXXXXXXXXXXXXtions.com>
In the full header block, the Return-Path matched the email address shown in the From line, so I know that this is from my friend. If they had been different, that would be a strong sign it was spoofed and not to be trusted. (Mailing lists and some forwarding services legitimately rewrite the Return-Path, so treat a mismatch as a warning rather than proof; the Authentication-Results line settles it.)
Now, here is one of the literally thousands of spoofed emails that I’ve gotten over the years. This one purportedly is coming from me! And sent to me. See the screenshot below. However, looking at the properties, like we did with the previous example, here is what is found:
Notice the actual email that sent this is shown within the “Return-Path” and in the brackets in the “From” line. Those aren’t me!
There are similar methods for viewing the headers in other email services, such as Apple Mail and Gmail. Here is a pretty good video that goes into some useful details on other ways to spot spoofed messages beyond those I provided.
Of course, there are other signs that a message may be spoofed: you weren’t expecting a message from the claimed sender; there are spelling or grammatical errors (legitimate businesses will almost always have their spelling and grammar correct); the message pressures you to act quickly, claims to have information about you that will be posted online unless you pay, or makes some other unexpected claim designed to make you panic. If you still aren’t sure, pick up your phone and call the sender, using a number you already have rather than one in the message, and ask whether they sent it.
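To make the header comparison above concrete, here is an added example (not code from the Tips message or from any mail client) that applies the same checks to raw headers with Python’s standard email library. The three messages, and every address, host and header value in them, are constructed for the demonstration. Besides comparing Return-Path, Reply-To and From, it reads the Authentication-Results header, where the receiving mail server records the SPF, DKIM and DMARC outcomes; a “dmarc=fail” is the strongest single sign that the From address was forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail; every address and host is invented).
# A genuine message: Return-Path and From agree, and all three checks pass.
LEGIT_RAW = """\
Return-Path: <christine@example-solutions.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example-solutions.com;
 dkim=pass header.d=example-solutions.com;
 dmarc=pass header.from=example-solutions.com
From: Christine Example <christine@example-solutions.com>
To: rebecca@example.org
Subject: Lunch next week?

Are you free Tuesday?
"""

# The style described above: the display name shows the victim's own address,
# but the real sender (in angle brackets) and the Return-Path are somewhere else.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-blast.invalid>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=mail-blast.invalid; dkim=none;
 dmarc=fail header.from=example.org
From: "rebecca@example.org" <bounce@mail-blast.invalid>
To: rebecca@example.org
Subject: I have a video of you
"""

# A forgery of the friend's exact address: From looks right, Return-Path does not.
FORGED_FROM_RAW = """\
Return-Path: <x7@bulk-sender.invalid>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none;
 dmarc=fail header.from=example-solutions.com
From: Christine Example <christine@example-solutions.com>
Reply-To: <christine.example@webmail-lookalike.invalid>
Subject: Urgent favor
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def inspect_headers(raw):
    """Return the sender fields plus a list of spoofing indicators found in the headers."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # Receiving servers may add several Authentication-Results headers; gather them all.
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_RESULT.findall(header):
            auth[mechanism.lower()] = result.lower()

    findings = []
    if not return_path:
        findings.append("no Return-Path header (was this message received through a mail server?)")
    elif domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain {domain_of(return_path)!r} differs from From domain {domain_of(from_addr)!r}")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"Reply-To {reply_to!r} points at a different domain than From")
    if "@" in display_name and display_name.lower() != from_addr.lower():
        findings.append(f"display name {display_name!r} is an address that is not the real sender {from_addr!r}")
    for mechanism in ("spf", "dkim", "dmarc"):
        result = auth.get(mechanism, "missing")
        if result != "pass":
            findings.append(f"{mechanism}={result}")

    return {
        "from_addr": from_addr,
        "return_path": return_path,
        "auth": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RAW), ("spoofed", SPOOFED_RAW), ("forged", FORGED_FROM_RAW)):
        report = inspect_headers(raw)
        print(f"{label}: suspicious={report['suspicious']}")
        for finding in report["findings"]:
            print("   -", finding)
```

Note that the second message passes the naive Return-Path test (the Return-Path matches the real sender in the brackets, exactly as in the spoof described above); it is the display-name trick and the failed SPF/DMARC results that give it away, which is why the Authentication-Results line is worth reading as well.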
Data Security & Privacy Beacons*
People and places making a difference
- Kristina L. Rice, of Spotsylvania High School in Spotsylvania, Virginia, and Sergio de Alba, of Miano Elementary School in Los Banos, California, are the 2021 recipients of the Presidential Cybersecurity Education Award.
- The Juni Learning editorial team created a great resource for kids. Providing support to the cybersecurity pros of the future is admirable. A strong understanding of programming is so important for identifying errors, security vulnerabilities and privacy problems.
- Scam Spotter developed a quiz to see how well people can spot fake text messages.
- Microsoft provided easy-to-follow instructions on how to defragment Windows 10. Use it! It can really help a computer with a traditional spinning hard drive run faster and more efficiently. (If your computer has a solid-state drive, skip the manual defragmentation; Windows’ built-in “Optimize Drives” already handles SSDs correctly and defragmenting them gains nothing.)
- The Common Vulnerabilities and Exposures (CVE) catalog chronicles publicly disclosed cybersecurity vulnerabilities and related details. It’s extremely useful for leaders of information security programs. The CVE program is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and maintained by MITRE.
*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
The PSB News page contains news grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our clients and employees.
Due to the unprecedented volume of IoT and Log4j news of late, we created special pages for each of those topics, as well:
Where to Find the Privacy Professor
real-world topics within the data security and privacy realm.
Latest Episode
This episode first aired on Saturday, January 8th, 2022
Dr. Mich Kabay
The Log4j security vulnerability is ultimately the result of insufficient secure coding and/or testing practices in software used in billions of devices worldwide. It is now being actively exploited, causing a wide variety of security incidents and privacy breaches. Hear how to prevent this and similar vulnerabilities.
Next Episode
This episode will first air on Saturday, February 5th, 2022
Khaled El Emam
There is more personal data than ever before. Such data is being used for medical and other types of beneficial research. However, privacy breaches are skyrocketing as hackers target that data. Synthetic data is created from personal data, while maintaining the statistical properties of personal data, to allow for research. But is synthetic data privacy preserving, or privacy harming?
Privacy & Security Brainiacs| Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Info
You are receiving this Privacy Professor Tips message as a result of:
2) making a request directly to Rebecca Herold; or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.