Adventure Awaits
(So Do Cybercriminals)

Warm weather and a break from school spark the spirit of exploration in many families. They hit the road, take to the skies and hop aboard trains, ships and all manner of transportation. The idea is to take a break from the mundane, to navigate new surroundings and to see what kinds of adventure await.

That break can have a downside, however. Outside their comfort zones, people often ignore warning signs and red flags, attributing them to the fact that they are in a new environment where everything feels slightly unusual. Criminals (of both the digital and physical realm) count on this. High-travel time is high-crime time in their worlds.

Stay vigilant as you travel. Prepare before you embark by scanning the environment to learn about the latest trips, traps and scams striking across the world. Reading through this month's Tips message is a great place to start. 

Feel free to write back with any specific questions and certainly share this with others. The more people we can reach with this information, the better!


Data Security & Privacy Beacons
People and places making a difference**

"Jim Browning" is the alias for a sort of digital Robin Hood. While his methods are questionable, Jim Browning is fighting the good fight... and beating cybercriminals at their own game. After reporting a series of robocalls from scammers and getting no response from authorities, Jim Browning took action on his own. Using his knowledge of computers, and remote access in particular, he played the victim, allowing the crooks remote access to his computer. He then turned the tables by accessing the scammers' computers and using malware to spy on their operations. Of course I don't recommend people go out and start putting malicious code on devices they don't own. The lesson here is for authorities, especially those in high-cybercrime areas: When something gets reported, investigate and keep people apprised of your findings. Internet vigilantes are fed up and obviously willing to take action!

The FTC is encouraging the general public to keep their software updated. The agency just released an important alert reminding consumers of technology (which is essentially everyone in the developed world... and many in developing countries) to install new version updates immediately as they become available. This is so important, especially as cyber crooks deploy technology that scans the connected world for technology that is NOT updated. As soon as they find that open door, they walk right through, helping themselves to all of your important files, data, photos and other potentially damaging information.

Verizon, AT&T and T-Mobile are voluntarily following new rules established by the FCC. The rules make it legal for these companies to offer robocall-blocking technology to their customers by default. Before the new rules, consumers had access to the technology but had to opt in. Now, the companies can take action on behalf of their customers, using the data and intelligence they have on a particular call or number. Kudos to these companies for going over and above, implementing even more actions than those allowed by the new rules.

Google has developed a new security tool that uses an updated cryptography method with tools called Private Join and Compute to protect user data. While the method is somewhat old-school (original versions date back to the 1970s), it is highly effective. This seems to indicate Google is at least as interested in privacy as they are in the latest and greatest tech -- an increasing rarity in Silicon Valley. The tool is open source, meaning any developer interested in integrating Private Join and Compute with his/her/its app can do so easily and inexpensively. We'll be keeping a close eye on this tool to evaluate its success.

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). They simply highlight a noteworthy example that is, in most cases, worth emulating.

More Than a Dozen Mobile Carriers Hacked for Years in Secret
Hackers had access to call and text records, geolocation data and more.

Researchers recently announced that more than a dozen mobile carriers in Europe, Asia, Africa and the Middle East have been hacked since 2012. Per CNET, the hackers not only siphoned off hundreds of gigabytes of personal data from the customers of these networks, they also gained the kind of access that could cause major disruption to the mobile infrastructure of these companies.

"They have all the usernames and passwords, and created a bunch of domain privileges for themselves, with more than one user," security researcher Amit Serper told CNET. "They can do whatever they want. Since they have such access, they could shut down the network tomorrow if they wanted to." 

This news is another reminder of a few best practices where passwords are concerned:

1) Change your passwords frequently. 
2) Never use the same username and password combination in more than one place.
3) Enable two-factor authentication (2FA) whenever possible.

Why are the above steps so critical?

Good password hygiene drastically reduces the risks when hackers get your ID and password. Hackers feed that stolen data into machine learning and AI tools that scour the internet. Using a method known as credential stuffing, they attempt to log in to email, social media and even bank accounts. The technology allows them to attempt hundreds of thousands of logins per second, so it's really only a matter of time before they find a winner.
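The defender's side of the pattern described above, as an added example that is not from the Tips newsletter: the tell-tale sign of credential stuffing in an authentication log is one source trying many different usernames in a short window, mostly failing, and the few accounts where a stolen pair worked are the ones that need a password reset and 2FA. The log format and sample lines below are constructed for the example.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not code from the Tips newsletter. Assumes a constructed log
format, one event per line: <ISO timestamp> <source ip> <username> <OK|FAIL>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 is a real user mistyping once; 198.51.100.9
# runs a stolen username/password list against many different accounts.
SAMPLE_LOG = """\
2019-07-01T10:00:01 203.0.113.7 alice FAIL
2019-07-01T10:00:05 203.0.113.7 alice OK
2019-07-01T10:00:10 198.51.100.9 bob FAIL
2019-07-01T10:00:11 198.51.100.9 carol FAIL
2019-07-01T10:00:11 198.51.100.9 dave FAIL
2019-07-01T10:00:12 198.51.100.9 erin FAIL
2019-07-01T10:00:12 198.51.100.9 frank OK
2019-07-01T10:00:13 198.51.100.9 grace FAIL
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5,
                    max_success_rate=0.5):
    """Return {ip: {"users": n, "attempts": m, "hits": [usernames]}} for sources
    that tried at least min_users *distinct* accounts inside `window` with a
    mostly-failing outcome. A person retrying their own password touches one
    account, so they are not flagged. `hits` are accounts where a stolen
    pair worked: reset those and turn on 2FA."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {e[2] for e in win}
            hits = [e[2] for e in win if e[3]]
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["users"]:
                    flagged[ip] = {"users": len(users), "attempts": len(win), "hits": hits}
    return flagged
```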

BlueKeep threat on track to be as bad as WannaCry... if we don't act now.
An advisory by the NSA says approximately a million internet-facing machines are still vulnerable to BlueKeep, which targets a vulnerability in Microsoft's Remote Desktop Services.

Anyone running Windows Server 2008, Windows Server 2003, Windows 7, Windows XP or Windows Vista is at risk of becoming a victim of the malware. Updating these systems ASAP should be a high priority. 

If for some reason upgrading your device to a supported version of Windows is not possible, experts recommend you avoid using Remote Desktop Services altogether.

Hackers take advantage of the trust and access MSPs have earned from clients.
Managed service providers (MSPs) are trusted by millions of businesses to keep their computers and networks safe from intrusion. The trust and access MSPs have earned from clients have actually become vulnerabilities, as hackers have set their sights on the MSPs themselves. 

Remote access to their clients' networks makes MSPs a smart target for ransomware attackers, and they are making the most of it. In one recent example, a mid-sized MSP was hacked and used to distribute the cryptolocking ransomware GandCrab to 80 of the MSP's clients.

In addition to the economies of scale (e.g., attack one company, the MSP, and reach 80 others, the MSP's clients), the ransomware actors may be drawn to a couple of software solutions commonly used by MSPs. Certain customer relationship management and ticketing solutions have been called out as possible points of entry for the hackers.

This circumstance is a terrific reminder of just how important it is to understand the risks presented by third parties. Every company, regardless of its size, should practice good vendor management. Here are just a few of the basics I recommend organizations employ to protect themselves against the threat of a vulnerable third-party product or service provider:
  1. Create a template of standard information security and privacy contract clauses.  Contracts should be customized for each vendor, but it's helpful to have a place to start.
  2. Establish and communicate a clear and documented breach notification process for the vendor to follow after a security incident. Include notification time requirements.
  3. Require monthly or quarterly security and privacy attestations from your high-risk vendors' executive management.
  4. Do not require a vendor to use an assessment that will cost more for the vendor to take than the amount you are paying them for their work or service.
  5. Be wary of assessments that claim "certified compliance." Compliance levels vary on an ongoing basis as changes in the business environment occur, new threats and vulnerabilities are discovered, and as new legal requirements arise. There is no such thing as "Certified 100% Compliance" or similar claims.
  6. Verify you are named as an insured on the vendor's security and privacy liability insurance.
  7. Make sure your cyber liability policy covers losses related to security events at a vendor (contractors are often not covered).
WANT MORE? Email me for a 6-page document listing more vendor oversight and risk management tips. Happy to send it, no charge!

Amazon Back in Hot Water Over Alexa Recordings
An 8-year-old plaintiff is suing the company over privacy violations.
New lawsuits accuse Amazon of failing to gain permission to record the voices of its youngest users. Two sets of parents, who had purchased and installed Amazon Alexa devices in their homes, are bringing the suits on behalf of their kids, one of whom is 8 years old and lives in California, the other a 10-year-old from Washington state.

In California, it's illegal to record any oral communication from an in-state location without the consent of all parties to the communication. That's a fact that could bolster the plaintiffs' argument.

The timing of the claims is probably fairly troublesome for Amazon, which recently launched a kids' version of its Echo Dot. Amazon has been fairly vague about how it uses data collected on children.

4 Tips for Kid-Proofing Your Alexa

Beyond privacy considerations, there are plenty of ways young people can get themselves into trouble with their voice-activated devices. Tom's Guide provides a good round-up of four ways to kid-proof an Alexa device:

1. Turn off voice purchasing (or add a PIN).
2. Set a filter for explicit content.
3. Disable the "drop-in" video conferencing feature.
4. Enable the "do not disturb" feature.


My doctor passed away, and the clinic closed. How do I secure my health data? 
I've gone to the same doctor for 25 years. I recently stopped by and a sign on the door said the clinic had closed due to the untimely death of my doctor! The phone number for the clinic no longer works. All my health records from the past 25 years were at that clinic. How can I get my health data back?

I'm sorry to hear about your physician. Here are a couple of actions I recommend:


Contact your state medical board to ask what has happened to your records and how you can access them. The Federation of State Medical Boards (FSMB) should have the contact information you need for the medical board in your state. FSMB supports America's state medical boards in licensing, disciplining and regulating physicians and other healthcare professionals, which includes helping clinics ensure patient records security and privacy. In addition to the best contact, they may be able to give you additional advice.

If you don't get what you need from the state medical board or the entities to which they point you, submit a complaint to the U.S. Department of Health and Human Services (HHS). Let them know you have been unable to obtain your health data, access to which is required by HIPAA.

You have many rights under HIPAA, including the rights to access your health data, to obtain copies of it and to validate its security. Please follow up and let us know how it all turns out! If I gain your permission, I'll post an update for the Tips community to learn from in case this happens to any of them, as well. 
Where to Find the Privacy Professor

On the road...

Here are a few of the places I'll be speaking, hosting or teaching courses on data security and privacy over the next few months. If you're in the area or attending the events, be sure to say hello. 

July 8-9, 2019: Getting to V1.0 of the NIST Privacy Framework: Workshop #3

September 5, 2019: Lunch keynote, "Corral Your Data or You'll Stampede Over Privacy," at FutureCon Des Moines CyberSecurity Conference, Des Moines, Iowa, USA

September 12, 2019: Keynote address, "Strategic Security Moves to Win Emerging Privacy Challenges," at 34th Annual SoCal Security Symposium, hosted by ISSA Orange County, Costa Mesa, California, USA

October 24, 2019: Giving two talks at PwC Cybersecurity Day, Luxembourg City, Luxembourg

If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites.

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

Monthly Tips Message Syndication

Please reach out if you'd like to repost the Tips message with proper attribution, as the outlets below have done.  

Recent awards / honors

I was honored to be included in the new book, "Women Know Cyber: 100 Fascinating Females Fighting Cybercrime," published by Cybersecurity Ventures and co-authored by Steve Morgan and Di Freeze.

Check out the free online PDF or find the hard copy (that's mine to the left!) in major online bookstores.

Advertising Now Available!

After repeated requests from some exciting brands, we've decided to open Tips of the Month up to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

My sons and me at Disney World, April 2007. 
There are few things I love more than a family vacation. Travel has always been a big passion of mine, but to see the world's most amazing sights through the eyes of children, or even your parents and spouse, is just great.

All that to say, I really enjoy traveling alone, too. The joys of getting to know yourself in a new setting are pretty special. 

Whether I'm alone or with friends and family, I'm extra, extra vigilant with my physical and digital security when I'm on the road. I certainly hope you will do the same on your adventures this summer!

Have a beautiful and safe July!

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. July 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter