Why Are You Getting This?
You signed up to receive The Privacy Professor Tips, or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Image from @Criativa Pix Fotografia on Pexels.
The best defense is a good offense. This is on full display throughout the U.S. in March when high school and college basketball fans and wrestling fans gather for the seasons’ championship tournaments. At the same time other sports, such as baseball, golf and track and field, are just beginning their seasons. It is often a month-full of sports madness, reflected in advertisements everywhere you look. Encouraging the athletes to hone their offensive skills is one of the best ways to defend against their opponents.
While some will do it simply for love of the game, others will be rooting for the team that will get them farther in the office pool. But while they're betting on basketball, criminals are wagering that these happy fans, and everyone else, are completely unaware of the game play the criminals have in mind.
These concepts apply when it comes to defending against security and privacy threats as well. Read on for some fresh headlines, warnings and best practices for protecting yourself against these well-trained fraudsters.
We hope you’ll find this month’s newsletter helpful. Feel free to share it with your friends and colleagues this month. They will probably be thankful!
We freely distribute the Privacy Professor Tips monthly publication to help both businesses and individuals, of all ages, identify risks throughout their daily lives, prevent security incidents and privacy breaches, and avoid becoming victims of scams. We love getting your questions! Send them our way, and you may see yours in an upcoming Monthly Tips issue.
We hope you are finding all this information valuable. Let us know! We continue to appreciate, and love, the feedback you are sending us! We always welcome your messages.
Thank you for reading!
March Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Where to Find the Privacy Professor
We continue to find more unique news stories to share with you. We also share news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.
We’ve provided just a few of the news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news. These news items demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.
This month we limited the list to 18 news items, and will then include them, along with a long list of other interesting news items, in a post to our Privacy & Security Brainiacs blog by the end of the month. Here they are, in no particular order. Sometimes we also include a few sentences about the situation to provide some advice or additional insight, or a related news item. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!
Image from Tima Miroshnichenko at Pexels.
1. MIT builds swarms of tiny robotic insect drones that can fly 100 times longer than previous designs. NOTE: While not explicitly mentioned in the article, drones that look like insects, birds, and other parts of nature have long been used for surveillance through the built-in cameras. Privacy groups are concerned about such surveillance, and how the significantly extended flying time could also support extended surveillance in specific locations, or in locations further away.
2. HP deliberately adds 15 minutes waiting time for telephone support calls. Stalling tactics designed to push print or PC users to online support, sorry, 'self-solve'. NOTE: This would impact the need to discuss privacy and/or security issues that may need immediate attention.
3. Can someone just take over your address? In Iowa's loose business registration system, yes. “Fake filings are happening more often in the last couple of years, said Barbara Carson, an investigator with the Better Business Bureau of Des Moines. Organizers can use the legal filings with the secretary of state to create the appearance of legitimacy to potential victims.”
4. An information technology expert who for decades assumed the identity of another man so convincingly that his victim was forcibly medicated and jailed for identity theft himself was sentenced Friday to 12 years in prison. Matthew David Keirans, 59, of Hartland, Wisconsin, pleaded guilty last April to federal charges of aggravated identity theft and making false statements to a National Credit Union Administration insured institution.
5. Your boss wants you back in the office. This surveillance tech could be waiting for you. Warehouse-style employee tracking tech has expanded into job after job. Now, as millions are called back to the workplace, it’s finally coming for the office worker.
6. Meta has fixed an error that caused some users to see a flood of graphic and violent videos in their Instagram Reels feed. The fix comes after some users saw horrific and violent content despite having Instagram’s “Sensitive Content Control” enabled.
7. Restaurant owner turned sleuth to trap cheese thief. David Straker, restaurateur at William & Victoria in Harrogate, discovered a hooded thief had been snatching milk, cheese and butter from his outdoor storage box so he decided to conceal an AirTag tracker in a wheel of Brie to follow the cheese's movements.
8. One Colorado police department is handing out Apple AirTags and Tile Trackers to citizens. The idea is people put the cheap tracking devices in their vehicles so if they’re stolen, police can find them quickly.
9. Smart device cyberattacks more than doubled in 2024. Should you worry? As smart device attacks rise, here's what you need to know and basic precautions that will keep your smart home safe.
10. A Department of Homeland Security (DHS) unit has eliminated policies preventing staff from gathering intelligence on an individual or group based solely on their LGBTQ+ status.
11. Airbus and Primoco’s Daring Drone Experiment Could Transform Military and Civilian Surveillance.
12. Arkansas on Wednesday sued General Motors and its OnStar subsidiary for deceptive trade practices, alleging the auto giant collected and sold consumer driving data to brokers who fed it to insurers. The data collection and sales, which occurred over the course of a decade, were used to raise consumers’ insurance rates and sometimes led to them being kicked off plans, the complaint says.
13. Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc.
14. Multiple security and privacy concerns about the DOGE access to large amounts of personal data. Here is a sample of related reports. NOTE: We received over a dozen questions about the security and privacy of the data being accessed through the DOGE team, so we are including a range of news reports about this topic to address most of the questions we received.
a. DOGE is working on software that automates the firing of government workers. Operatives working for Elon Musk’s DOGE appear to be editing the code of AutoRIF—software designed by the Defense Department that could assist in mass firings of federal workers.
b. Senators press acting social security head on DOGE access.
c. DOGE’s grab of personal data stokes privacy and security fears. Twenty-one staffers of the U.S. DOGE Service announced their resignations Tuesday citing, among other worries, “mishandling sensitive data.”
d. DOGE staffers at HUD are from an AI real estate firm and a mobile home operator. Elon Musk’s men at HUD come from the real estate sector. They have access to vast stores of personal and financial data—and control over who can access which HUD systems.
15. States eye bans on ‘surveillance pricing’ that exploits personal data.
16. The next wave of AI is here: Autonomous AI agents are amazing—and scary.
17. New Linux malware 'Auto-Color' grants hackers full remote access to compromised systems. Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42. "Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software," security researcher Alex Armstrong said in a technical write-up of the malware.
18. Amazon unveils its first quantum computing chip. Following Google and Microsoft’s quantum computing announcements, the tech giant says its new chip will lead to more reliable quantum computers.
Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
March 2025
We continue to receive a wide variety of questions about security and privacy. Questions about current hot topics in society are of particular note. Thank you for sending them in! This month, in addition to our Question of the Month, we’ve included five Quick Hits questions.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Question of the Month:
Q1: We are researching the potential of using a VPN/intranet or a web service to keep our data secure from remote users. We need to create security settings and protocols that ensure compliance with the use of the VPN. What are your recommendations? I appreciate your thoughts. Thank you!
A1:
Implementing security technologies certainly can improve the security of data, and all the associated networks, systems and applications. However, the administrative (human) risks, and the physical access risks also need to be addressed.
First, let's look at requiring a VPN on every computing device used for business activities, including employee-owned devices, whenever it connects to corporate or business networks.
VPN servers are entry points into protected networks, which makes them attractive targets for a wide range of threat actors. Multiple nation-state advanced persistent threat (APT) actors have weaponized published common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploiting those CVEs can let attackers steal credentials, execute code remotely, weaken the cryptography protecting tunneled traffic, hijack encrypted sessions, read sensitive data from the device, and pivot into the networks behind it, any of which can lead to large-scale compromise of business and personal networks. Patch VPN appliances promptly and limit who can reach their management interfaces.
That said, a VPN creates an encrypted tunnel between the end user and the business network, and data sent through that tunnel is hard for an outside observer to read or tamper with.
However, the tunnel protects the transport, not the content. If a bad actor, malicious code (e.g., ransomware or a virus) or tainted data enters the tunnel through the end user's device, it arrives on the connected business or personal network with the same trust as legitimate traffic, and can compromise and damage those networks and the associated data unless controls inspect and filter such traffic before it leaves the VPN and enters the network.
NIST provides a good resource you can use for establishing technical protections: NIST SP 800-77 Rev. 1, Guide to IPsec VPNs.
CISA and the NSA also have a helpful resource, "Selecting and Hardening Remote Access VPN Solutions."
Another tool to consider is Atsign, which eliminates many of the security vulnerabilities associated with using VPNs.
In addition to these technical protections, you also need to update your policies to reflect the requirements for using VPNs, including limiting and securing access to the VPN servers and associated components, and then train your employees in how to use the VPNs securely.
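To make "security settings that ensure compliance" concrete, here is an added example that is not from this newsletter, from NIST SP 800-77 or from the CISA/NSA guide: a small lint for an OpenVPN 2.x server configuration that flags the kinds of settings that hardening guidance argues against (legacy ciphers, weak digests, old TLS versions, an unwrapped control channel, shared certificates). The directive names are real OpenVPN directives; the thresholds are this example's own policy choices, and both sample configurations are constructed for the demonstration. Substitute your own VPN product's settings, but keep the same idea: check the deployed configuration against written policy automatically and on a schedule.

```python
"""Added example: lint an OpenVPN 2.x server.conf against a simple hardening policy.
Not the newsletter's or any vendor's code. Directive names are real OpenVPN
directives; the policy thresholds and both sample configs are this example's own."""

# Constructed sample: a legacy-looking server config with several weak choices.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher BF-CBC
auth SHA1
tls-version-min 1.0
client-to-client
duplicate-cn
verb 3
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
remote-cert-tls client
verify-client-cert require
verb 3
"""

# Data-channel ciphers that should not appear in a current deployment.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "RC2-40-CBC",
                  "CAST5-CBC", "NONE"}
# HMAC digests too weak for the control channel / tls-auth.
WEAK_DIGESTS = {"NONE", "MD5", "SHA1", "SHA"}


def parse_openvpn(text):
    """Return {directive: [args]}; a later occurrence overwrites an earlier one.
    Blank lines and '#'/';' comments are skipped, as OpenVPN itself does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = line.split()
        conf[tokens[0].lower()] = tokens[1:]
    return conf


def lint_openvpn(text):
    """Return a list of human-readable findings; empty means every check passed."""
    conf = parse_openvpn(text)
    findings = []

    # 1. Data-channel cipher: must be an AEAD suite, never a legacy CBC cipher.
    if "data-ciphers" in conf:
        ciphers = conf["data-ciphers"][0].upper().split(":")
    elif "cipher" in conf:
        ciphers = [conf["cipher"][0].upper()]
    else:
        ciphers = []
        findings.append("no 'cipher'/'data-ciphers' directive; relying on defaults")
    for c in ciphers:
        if c in LEGACY_CIPHERS:
            findings.append(f"legacy data-channel cipher {c}")
        elif "GCM" not in c and "POLY1305" not in c:
            findings.append(f"non-AEAD data-channel cipher {c}")

    # 2. Control-channel digest (OpenVPN defaults to SHA1 when 'auth' is absent).
    digest = conf.get("auth", ["SHA1"])[0].upper()
    if digest in WEAK_DIGESTS:
        findings.append(f"weak 'auth' digest {digest}")

    # 3. Minimum TLS version for the control channel.
    min_tls = conf.get("tls-version-min", ["1.0"])[0]
    try:
        major, minor = (int(p) for p in min_tls.split("."))
    except ValueError:
        major, minor = 1, 0
    if (major, minor) < (1, 2):
        findings.append(f"'tls-version-min' is {min_tls}; require 1.2 or higher")

    # 4. Wrap the control channel so unauthenticated packets are dropped before
    #    the TLS handshake, shrinking the VPN server's exposed attack surface.
    if not any(d in conf for d in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("control channel not protected by tls-auth/tls-crypt")

    # 5. Settings that weaken per-user accountability or enable lateral movement.
    if "duplicate-cn" in conf:
        findings.append("'duplicate-cn' lets one certificate be shared by many users")
    if "client-to-client" in conf:
        findings.append("'client-to-client' lets remote endpoints reach each other directly")
    if conf.get("verify-client-cert", ["require"])[0].lower() != "require":
        findings.append("client certificates are not required")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_openvpn(conf) or "OK")
```

Run against the constructed weak config the lint reports six findings; against the hardened one it reports none. The point is less the specific directives than the habit: the policy lives in code, runs against the real configuration, and fails loudly when someone "temporarily" re-enables a legacy cipher.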
Quick Hits:
Here are five more questions we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q2: Is there a way I can audit my Facebook activity, to see the activities that Meta is tracking, such as the websites I visit online?
A2:
Great idea! Who can keep up with all the changes Facebook and other social media sites make to their privacy settings, and also all the things they are tracking about us; including off of Facebook? I'm a privacy professional, and it's difficult for me to stay up-to-date. That's why I recommend Facebook users perform occasional self-audits of their Facebook profiles and all associated data; at least annually. Similar types of activities should also be done at your other social media sites.
Chances are this audit will reveal that you are sharing, knowingly or surreptitiously by Facebook, WAY more information about yourself than you realized. Facebook provides detailed information about how to do this in their “Download a copy of your information on Facebook” resource. If you are an experienced programmer, you may also find this more detailed recent article from Dataquest helpful.
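For readers who do want to go beyond the download page, here is an added example (not from the newsletter, from Meta or from the Dataquest article) that summarizes the "off-Facebook activity" part of a Facebook data export: which outside websites and apps reported your visits, how many events each sent, and when. The JSON layout it parses (a top-level "off_facebook_activity_v2" list of entries with a name and a list of events carrying id, type and timestamp) is an assumption based on past exports; compare it with the file in your own download before relying on it. The sample data is constructed.

```python
"""Added example: summarise off-Facebook activity from a Facebook data export.
Not Meta's code. The JSON layout is assumed from past exports (check your own
download); the sample export and the 'sensitive' keyword list are constructed."""

import json
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for your_off-facebook_activity.json.
SAMPLE_EXPORT = json.dumps({
    "off_facebook_activity_v2": [
        {"name": "shoes-example.com",
         "events": [{"id": 1, "type": "PAGE_VIEW", "timestamp": 1740000000},
                    {"id": 2, "type": "ADD_TO_CART", "timestamp": 1740003600},
                    {"id": 3, "type": "PURCHASE", "timestamp": 1740007200}]},
        {"name": "Clinic Scheduler App",
         "events": [{"id": 4, "type": "ACTIVATE_APP", "timestamp": 1740100000}]},
        {"name": "news-example.org",
         "events": [{"id": 5, "type": "PAGE_VIEW", "timestamp": 1740200000},
                    {"id": 6, "type": "PAGE_VIEW", "timestamp": 1740286400}]},
    ]
})


def load_off_facebook_activity(raw_json):
    """Return the list of reporting sources; assumed key name, see lead-in."""
    return json.loads(raw_json).get("off_facebook_activity_v2", [])


def summarize(activity):
    """One row per reporting source: event count, event types, first/last seen (UTC),
    sorted with the most active source first."""
    rows = []
    for src in activity:
        events = src.get("events", [])
        if not events:
            continue
        stamps = [e["timestamp"] for e in events]
        rows.append({
            "source": src.get("name", "?"),
            "events": len(events),
            "types": dict(Counter(e["type"] for e in events)),
            "first": datetime.fromtimestamp(min(stamps), timezone.utc).date().isoformat(),
            "last": datetime.fromtimestamp(max(stamps), timezone.utc).date().isoformat(),
        })
    rows.sort(key=lambda r: r["events"], reverse=True)
    return rows


def flag_sensitive(rows, keywords=("clinic", "health", "pharmacy", "bank", "loan")):
    """Sources whose name hints at a sensitive context (keyword list is illustrative);
    these are the entries most worth disconnecting in Facebook's settings."""
    return [r["source"] for r in rows
            if any(k in r["source"].lower() for k in keywords)]


if __name__ == "__main__":
    rows = summarize(load_off_facebook_activity(SAMPLE_EXPORT))
    for r in rows:
        print(f"{r['source']:<24} {r['events']:>3} events  {r['first']} .. {r['last']}  {r['types']}")
    print("sensitive:", flag_sensitive(rows))
```

Point the loader at your real file instead of SAMPLE_EXPORT and the table you get is the list of third parties that have been telling Facebook what you do off the platform, which is exactly what the self-audit is meant to surface.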
Q3: Is it a HIPAA violation if someone asks you if you're vaccinated or not?
A3:
First, it is important to understand that HIPAA applies to the following types of entities and all the workers within them that generally have any type of access to protected health information (PHI):
- Healthcare providers (hospitals, medical clinics, doctors, nurses, etc.)
- Healthcare insurers (health insurance companies, portions of organizations that support self-insuring their employees)
- Healthcare clearinghouses (public or private entities that process or support the processing of health information received from or sent to another entity in a nonstandard format into standard data elements or a standard transaction, such as billing services, community health management systems, etc.)
- The businesses that support the previous three types of covered entities (CEs) in ways that give them access to PHI; these are called business associates (BAs)
CEs must not disclose PHI to anyone who is not directly involved in the treatment, payment and healthcare operations (TPO) of the associated individual, unless the individual has authorized the disclosure, with a few exceptions such as public health and safety emergencies. So, if an employer asked a worker's doctor whether the worker had been vaccinated (vaccination status is PHI when held by a provider), the doctor generally could not provide that information without the worker's authorization. However, it is not against HIPAA for the employer to ask.
Likewise, if someone asks an individual what their vaccination status is, that question in and of itself does not violate HIPAA.
HIPAA does not prohibit questions from others. It prohibits CEs and BAs from sharing that data without authorization.
It is also important to understand that there are other laws and regulations that DO restrict asking such questions of an individual. Those legal restrictions vary by location and may exist at the local, state, or federal level, or under the laws of other countries that apply to the individual. For example, some laws restrict employers from asking such questions.
Q4: I attended your keynote “Navigating the Privacy Maze in Emerging Technology and Digital Transformation,” at the February 19, 2025, ISACA Virtual Conference. You explained quite clearly several ways in which VPNs don’t provide enough security when we’re online. What can be used instead of, or with, VPNs, if they do not provide enough protection?
A4:
Thank you for attending, and for your feedback; I appreciate it! As a brief recap for readers who didn’t attend, I explained the many threats and vulnerabilities that exist throughout the full digital ecosystem of online connections. Several of those threats and vulnerabilities were related to using VPNs. Yes, VPNs absolutely do provide protection when online! However, as with any cybersecurity control, there are many other threats and vulnerabilities that are NOT mitigated or resolved by a VPN alone, and their number keeps growing. I’m always on the lookout for new technologies that fill the gaps other security tools leave when going online. I was very impressed when I learned of a type of technology that helps to fill those gaps and provides a completely new kind of security and privacy protection for transmissions and the associated data. Quite generally, it protects each part of a transmission from where it originates through to the recipient, so that if the transmission is intercepted it is not meaningful to the interceptor, and the associated metadata is unavailable to any cyberspace interloper. Atsign has a forward-thinking technology that does this: it protects the transmission without routing it through a VPN pipeline, and without revealing the transmission's origin or destination. Full disclosure, I’m on the advisory board for this company.
Q5: Are there any risks with using de-identified data for training AI?
A5:
Actually, there are many risks. De-identification is not permanent: a de-identified data set can be combined with other data sets and analyzed to re-identify the individuals in it, typically by joining on attributes that are not direct identifiers but are rare in combination, such as ZIP code, date of birth and sex. Consider AI use in healthcare. This is not only a personal data privacy and re-identification risk; you could also be violating HIPAA (and other legal) requirements. If the AI trained with PHI is not used for your medical facility’s patient TPO, the training would likely be considered an unauthorized disclosure of PHI, violating several specific HIPAA requirements and constituting a privacy breach. As AI models become more powerful, the possibilities for re-identification increase.
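The re-identification risk described above is easy to see on a small scale. The following added example (not from the newsletter, and the data sets are constructed) joins a "de-identified" medical table that still carries ZIP code, date of birth and sex against a public register that carries the same three fields plus names, and shows that every record links back to exactly one person. It then applies a generalization of the quasi-identifiers and re-measures: the join no longer yields unique matches and the table reaches k = 2 anonymity. The generalization rules (3-digit ZIP prefix, birth year, sex suppressed) are this example's own choices.

```python
"""Added example: a linkage attack on de-identified records, and the k-anonymity
check that would have caught it. All data below is constructed."""

from collections import Counter, defaultdict

# "De-identified" clinical extract: names removed, quasi-identifiers kept.
MEDICAL = [
    {"zip": "50309", "dob": "1985-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "50309", "dob": "1985-03-12", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "50310", "dob": "1985-09-21", "sex": "F", "diagnosis": "migraine"},
    {"zip": "50311", "dob": "1978-11-30", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "50312", "dob": "1978-02-02", "sex": "M", "diagnosis": "influenza"},
]

# Public register (voter-roll style) with names and the same quasi-identifiers.
REGISTER = [
    {"name": "Alice Example", "zip": "50309", "dob": "1985-03-12", "sex": "F"},
    {"name": "Bob Example",   "zip": "50309", "dob": "1985-03-12", "sex": "M"},
    {"name": "Carol Example", "zip": "50310", "dob": "1985-09-21", "sex": "F"},
    {"name": "Dan Example",   "zip": "50311", "dob": "1978-11-30", "sex": "M"},
    {"name": "Eve Example",   "zip": "50312", "dob": "1978-02-02", "sex": "M"},
]

QUASI_IDS = ("zip", "dob", "sex")


def qi_key(rec, fields=QUASI_IDS):
    """The tuple of quasi-identifier values an attacker can join on."""
    return tuple(rec[f] for f in fields)


def link(medical, register, fields=QUASI_IDS):
    """Linkage attack: join on quasi-identifiers and return
    {medical row index: (name, diagnosis)} for every row that matches exactly
    one person in the register."""
    by_key = defaultdict(list)
    for person in register:
        by_key[qi_key(person, fields)].append(person["name"])
    reidentified = {}
    for i, row in enumerate(medical):
        names = by_key.get(qi_key(row, fields), [])
        if len(names) == 1:
            reidentified[i] = (names[0], row["diagnosis"])
    return reidentified


def generalize(rec):
    """Coarsen the quasi-identifiers (example's own rules): 3-digit ZIP prefix,
    birth year only, sex suppressed. Other fields are kept unchanged."""
    return {**rec, "zip": rec["zip"][:3] + "**", "dob": rec["dob"][:4], "sex": "*"}


def k_anonymity(records, fields=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifier values.
    k = 1 means at least one record is unique and therefore linkable."""
    return min(Counter(qi_key(r, fields) for r in records).values())


def before_and_after():
    """Run the attack on the raw extract and on the generalized extract."""
    raw_hits = link(MEDICAL, REGISTER)
    gen_medical = [generalize(r) for r in MEDICAL]
    gen_register = [generalize(p) for p in REGISTER]
    gen_hits = link(gen_medical, gen_register)
    return {
        "raw_reidentified": len(raw_hits),
        "raw_k": k_anonymity(MEDICAL),
        "generalized_reidentified": len(gen_hits),
        "generalized_k": k_anonymity(gen_medical),
    }


if __name__ == "__main__":
    for i, (name, dx) in link(MEDICAL, REGISTER).items():
        print(f"row {i}: {name} -> {dx}")
    print(before_and_after())
```

On the constructed data all five "anonymous" diagnoses are attributed to named people by the raw join, while after generalization none are, and the smallest equivalence class grows from 1 to 2. Before handing a de-identified extract to a training pipeline, compute its k against the quasi-identifiers an outsider could plausibly obtain; if k is 1, the extract is not de-identified in any meaningful sense.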
Q6: Are there any risks with using post-quantum cryptography? And if so, is there even anyone using post-quantum cryptography?
A6:
Great questions! Post-quantum cryptography (PQC) will be necessary to maintain strong security as quantum computing advances. However, while it brings security benefits, there are also risks, many of which involve the careful and responsible implementation of PQC algorithms. Here are a few of the risks:
- PQC algorithm accuracy and trustworthiness. It is important that rigorous, exhaustive testing is performed on the PQC algorithms; without such assurance activities they may have significant vulnerabilities. It is also important to keep testing them as time goes on and as new attack techniques are discovered.
- PQC algorithms typically require much larger keys, signatures and ciphertexts, and more computing power and bandwidth. If PQC use within the associated digital ecosystems is not well thought out, there could be significant network and system performance degradation and related problems. Storage requirements also increase, which is another issue to address.
- The transition from "traditional" cryptography to PQC may be quite complex. Moving from the traditional algorithms to PQC can create vulnerabilities in the configurations throughout the related digital ecosystems, for example where old and new algorithms must coexist or where a downgrade to the old algorithm remains possible. These could be exploited, putting the systems, networks, and those using them at risk.
- There are also risks from incomplete standardization, interoperability within the associated digital ecosystems, data management (e.g., when digital signatures are in use), and side-channel attacks (e.g., data leaks through timing, electromagnetic emissions, and power consumption of the implementation).
Post-quantum cryptography is still in the early adoption phase. Some of the early adopters include government and defense, such as NIST, which has standardized the first PQC algorithms, and the NSA, which is requiring them for national security systems. Google, IBM, and Microsoft are testing post-quantum encryption in cloud services and VPNs. Mastercard and Visa have started pilot programs to evaluate PQC encryption for increased payment security. Nokia and Verizon are looking at using it for telecommunications. The transport layer security (TLS) protocol (the most widely used protocol for implementing cryptography on the internet) is already being extended with hybrid PQC key exchange in major browsers and content delivery networks. Cryptocurrencies are considering PQC incorporation; there are likely many others as well.
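The side-channel risk in the last bullet applies to any cryptographic implementation, PQC or not, and the simplest instance of it can be shown without a lab. The following added example (not from the newsletter; the "tag" is a constructed 8-byte value) compares a verification routine that stops at the first mismatching byte with one that always examines every byte. Instead of measuring wall-clock time, which is noisy, it counts the bytes examined, which is what a timing measurement leaks. A byte-at-a-time search recovers the whole secret through the early-exit routine and fails against the constant-time one. The same lesson applies to comparing PQC signatures, KEM shared secrets and MAC tags: use a constant-time comparison such as Python's hmac.compare_digest.

```python
"""Added example: how an early-exit comparison leaks a secret through timing,
with a step counter standing in for the clock. Not the newsletter's code;
TAG is a constructed value."""

import hmac

TAG = bytes.fromhex("4a9c01ee375bc012")  # constructed secret, e.g. a MAC tag


def naive_verify(secret, guess):
    """Early-exit comparison. Returns (accepted, bytes_examined); the second
    value is the side channel: it grows with the length of the matching prefix."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_verify(secret, guess):
    """Examine every byte regardless of where a mismatch is, then decide.
    Production code should call hmac.compare_digest, which behaves the same way."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g
    return diff == 0, len(secret)


def recover(oracle, length):
    """Byte-at-a-time recovery. For each position try all 256 values and keep
    the one whose attempt 'took longest' (examined the most bytes) or was accepted.
    The oracle models a server the attacker can query with candidate tags."""
    known = bytearray()
    for pos in range(length):
        best, best_score = 0, -1
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + bytes(length - pos - 1)
            accepted, examined = oracle(guess)
            score = examined + (1 if accepted else 0)
            if score > best_score:
                best, best_score = candidate, score
        known.append(best)
    return bytes(known)


def attack_naive():
    """Recover TAG through the early-exit verifier."""
    return recover(lambda g: naive_verify(TAG, g), len(TAG))


def attack_constant_time():
    """Run the same search against the constant-time verifier."""
    return recover(lambda g: constant_time_verify(TAG, g), len(TAG))


if __name__ == "__main__":
    print("naive        :", attack_naive().hex(), "recovered =", attack_naive() == TAG)
    print("constant-time:", attack_constant_time().hex(), "recovered =", attack_constant_time() == TAG)
    print("compare_digest agrees:", hmac.compare_digest(TAG, attack_naive()))
```

The early-exit version gives the attacker one more "step" for every correct byte, so the search needs at most 256 queries per byte rather than 256 to the power of the tag length. The constant-time version gives the same count for every wrong guess, so the search learns nothing and ends with a random result. Real implementations leak through caches, branch predictors and power draw as well as through loop exits, which is why PQC libraries are reviewed specifically for data-dependent branches and memory accesses.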
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers; thank you! We include many of them when the suggestion is for a business other than the suggester’s own, typically one the suggester feels deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- The Identity Theft Resource Center® (ITRC). For its 2024 Annual Data Breach Report, its 19th edition. According to the 2024 Annual Data Breach Report, the number of U.S. data compromises in 2024 (3,158) decreased one (1) percent compared to 2023 (3,202), 44 events away from tying a record for the number of compromises tracked in a year. The number of data breach notices issued in 2024 (1,728,519,397) increased 312 percent from 2023 (419,337,446). The increase was primarily due to six “mega-breaches” that resulted in at least 100 million breach notices being issued in each event. Mega-breach victim notices totaled more than 1.4 billion of the more than 1.7 billion victim notices issued in 2024. If the six mega-breaches are excluded, the ~266 million other victim notices issued in 2024 decreased by 36 percent compared to 2023.
- Edera. For launching cloud security tech that could overhaul AI protection, particularly in IoT products. Cloud “container” defenses have inconsistencies that can give attackers too much access. A new company, Edera, is taking on that challenge.
- Jen Easterly. For her enlightening discussion about the survival of the Cybersecurity and Infrastructure Security Agency (CISA).
- The FBI. For their PSA, “North Korea Responsible for $1.5 Billion Bybit Hack.”
- The FTC. For their PSA, “Fake check scam targets online car sellers.”
- California Privacy Office for their "CALIFORNIA PRIVACY PROTECTION AGENCY 2024 Annual Report: From Vision to Reality."
- Dr. Robert Harrington for the article, "Robert Harrington Urges Caution With AI 'Bad Actors'." "But what I worry about is people intentionally inserting information into the system that's just wrong. I don't worry about people doing it with good intent but about people who are doing it with malintent, who want to hurt people. I do worry about that." NOTE: An example of the need for data integrity…ensuring accurate data.
- The Cybersecurity & Infrastructure Security Agency (CISA) for their free "Cyber Security Evaluation Tool (CSET)".
- Sinisa Markovic, Helpnet Security, for their article, "Cyber hygiene habits that many still ignore."
- Christopher Burgess for his article, "DOGE’s US worker purge has created a spike in insider risk."
- Indianapolis Fox59 Local News, "What to do if your photo is being ‘catfished’."
- Chester Avey, ISACA, for his article, "What to Know About EXIF Data, a More Subtle Cybersecurity Risk."
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Check It Out!
We are going to be posting more videos to our YouTube channel this year! We know; we are behind. We will be better at getting more online content created in 2025! To date we have not formally promoted it. As we start getting a good number of some video shorts, as well as medium- to long-length videos, posted, we will be doing some traditional promotions. In the meantime, please check it out, let us know of any topics you suggest we cover, “like” the videos, and subscribe. And of course, add comments for topics that motivate you to do so.
What topics would you like to see us create videos, and more formal online courses, for? Let us know!
Have questions about our education offerings? Contact us!
Where to Find The Privacy Professor
Check it out!
We have found that our recently created video shorts are receiving a lot of engagement! These are some wise and useful quick tips and facts from Dr. Mich Kabay, our premier Privacy & Security Brainiacs Master Expert. Check them out here:
Sign up!
Rebecca will be providing the Central Iowa ISACA chapter presentation at the April 15 meeting. Sign up here.
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. March 2025 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.