In Like a Lion, Out Like a Lamb
Before the week is out, it'll be March. Yay! In my neck of the woods (central Iowa), we can't wait for spring. We've had more than 25 inches of snow... just this month!
The old saying that March comes in like a lion and out like a lamb reminds me a lot of the technology we've let into our lives, just in reverse. We download apps, add smart devices to our homes, join new social networks... all with the notion we are in charge. And yet, so often there are data predators lying in wait, licking their chops at the prospect of dining on our delicious data.
Technology: In like a lamb, out like a lion.
Of course, the news isn't all bad, and we've rounded up a set of admirable companies, organizations and individuals to reassure you there are people out there going above and beyond to protect us and our most private information.
Read on to learn some of the latest risks to your data security and privacy, as well as hear about the beacons of data security and privacy setting a new standard for excellence.
Data Security & Privacy Beacons
4 data privacy stewards deserving of our admiration
dramatic internal awareness activity that really got its service members thinking. The agency catfished its own people! The test was to see how much they could influence soldiers' real-world actions through social media manipulation. The entire exercise cost $60!
has not only studied the issue of employee data vulnerability, but has prepared a
for how employers can protect employees. It's great to see an organization addressing privacy beyond customer data.
A Stanford student found and reported a huge security and privacy flaw in the university's student records system. Concerned that the Social Security numbers of other students were accessible to anyone with the right knowledge of web development, the student spoke up. This is an excellent example of "See Something Say Something" done right.
Internet giant vulnerabilities exposed, penalized
Technology firms continue to find themselves in hot water over careless mistakes, and sometimes what appears to be wanton disregard, when it comes to data privacy protections. Here's a quick roundup of just a few news items from Facebook, Twitter and Apple's FaceTime.
Germany and Great Britain Lower Boom on Facebook
At the same time, a British parliamentary committee, which also conducted an investigation into Facebook, found the Internet giant has broken data privacy and competition laws. As a result, the committee is calling for new regulations that could potentially impact the entire technology industry.
FaceTime Bug Lets Callers Hear You Before You Answer
Have you ever chosen not to take someone's call and then hoped they weren't across the room watching you ignore it? Well, a vulnerability in Apple's FaceTime, the video calling app, enabled something pretty similar. The bug let callers listen to the conversations of the people they called, even if they didn't answer the call!
And Then There's User Error...
It isn't always a known vulnerability or bug in social media that gets people into trouble. Sometimes, it's their own irresponsible use of the technology. Take the president of Brazil, for instance. He and his son recently published images that could expose the country to cyber attacks.
Read more about the incident on A Agencia, including my comments on some of the risks. (You may need to use your browser's translator if you require English.)
Recently weakened laws have made it easier to access the data of children
Today, student data can be shared with anyone authorized by a school district, including for-profit companies.
Most concerning of all, this data can be shared without parental permission or even notification.
The other thing to keep in mind is that the school may not even be aware of all the ways student data is being collected on children within their systems. Google, for instance, has admitted to mining the data of students who use their educational apps.
In many cases, there may be legitimate use of student data to make the educational lives of children better. But for every ethical use of data, there are 100 unethical (perhaps even criminal) ones. See the
for one such circumstance.
What can parents, caregivers and guardians do?
First, ask questions of your school administration, including what data is collected, how it is stored and with whom it is shared. You may be surprised at the answers.
Randi Weingarten, president of ABT and a passionate privacy-in-education advocate, was a recent guest of my radio show, Data Security & Privacy with The Privacy Professor.
Two additional guests, Leonie Haimson and Marla Kilfoyle, talked on a separate show about creating the "Educator Toolkit" to mitigate teacher and student privacy risks.
Listen to the archived episodes anytime; the shows are available at the Voice America website and on nearly every podcast app imaginable.
Scam Targets International Students in the U.S.
Crooks pose as embassy agents, extort students for money
In the U.S. state of Ohio, a university student from China began receiving ominous phone calls from people who pretended to be with the Chinese embassy in New York. The callers threatened to turn the student in to the FBI for fraud if they didn't receive money.
International students are increasingly under attack from fraudsters taking advantage of the U.S. political climate, in which the ongoing immigration debate has created a fear of unjust deportation in many communities.
If you know an international student in the U.S., share this warning with them, along with the following red flags and tips:
Government agencies in the U.S. will not call students regarding suspected fraud, tax bills or fines. Nor will they require you to pay fines or bills immediately. Government offices will never require you to purchase gift cards, go to Western Union or ask you how much money you have available.
If you get a call from someone saying they are from one of these agencies, follow these steps:
- Ask what the call is about. Take specific notes about what the caller is saying and requesting, and if you can record the conversation, even better.
- If the caller threatens you, say you will call back with your attorney. The scammer may say you are prohibited from disclosing the conversation to anyone, even your lawyer. That is not correct.
- Get the self-proclaimed agent's full name, agency, government ID and direct phone number. If the caller refuses to give you this information, it is probably a scam. Hang up.
- Report the incident in one or more of the ways recommended by the FBI.
Look out for LinkedIn look-alikes
A university president from my home state of Iowa was recently impersonated on LinkedIn. The scammer behind the look-alike profile secured several LinkedIn connections and then asked for money... in the form of $500 iTunes gift cards. The scammer would then ask for the victim's bank account information so they could be paid back.
There are several things you can do to reduce the chances of someone using your name or likeness on LinkedIn:
- Once each quarter, perform a LinkedIn search of your name. Search not only for your full name, but also common nicknames associated with it. Check to see if any of the resulting accounts, aside from your own legitimate profile, display your photo. Also check their posts to see if they are similar to yours and how many people they are connected with. New fake accounts often have 0 to just a few connections.
- Capture images, such as screenshots, photos, and/or videos of the false identity and save them, along with the date and time, in case you need them later. (See below for the screenshot I took today of my own look-alike profile. Notice it used a nickname I never use, but it could fool someone who didn't know me well. I'll certainly be keeping my eye on this account.)
- If you believe someone is attempting to impersonate you, report it to LinkedIn by following these steps:
  - Click the "More" icon on your profile.
  - Click "Report/Block."
  - Select "Report this Profile" in the "What do you want to do?" pop-up.
  - Select the applicable reason for flagging the profile in the "Describe the situation" pop-up.
  - Click "Submit" to complete the report or "Back" to review your options.
A Class You Won't Want to Miss
SecureWorld Expo course on tools that prevent privacy missteps
I'm so excited to be hosting another SecureWorld Expo class in May. If you are planning to attend the conference, or to be in the Kansas City area on May 7, I hope you'll consider sitting in.
If you can't make this one, keep an eye out for this class at events throughout the year.
I'd love to see you at one of these classes in 2019!
Here's a bit of what you can expect...
This course will provide an overview of privacy frameworks and techniques to support a privacy program and to perform a privacy impact assessment (PIA).
Attendees will receive:
- An overview of the most widely used privacy frameworks, along with an update on the NIST privacy framework currently under development.
- Training on how to recognize and distinguish between privacy risks and privacy harms.
- A richer understanding of tools and methods to mitigate privacy risks and harms that also support legal requirements for personal information protection.
- An overview of how to perform a PIA and to identify the associated risks and harms mitigation actions.
- A walk-through of several PIA case studies.
I'm honored to be a part of the core working group developing the NIST Privacy Framework, which is coming together in stages to enable the greatest amount of feedback from the public. Please take a moment to review our working drafts and let us know what you think.
March is Women's History Month
Let's celebrate the many female leaders who have improved security
In addition to marking the beginning of spring in the Northern Hemisphere, March also honors the contributions of women throughout history with Women's History Month.
Not coincidentally, the theme for this year's SecureWorld Expo shines a light on
, whose contributions to cryptography and code-breaking have long been overlooked, or in too many cases, dismissed.
I will be dedicating one of my March
to Elizebeth Friedman and her contributions. Please be sure to tune in, and if you have suggestions for other women I should discuss on shows this month, give me a shout.
Where to Find the Privacy Professor
On the road...
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.
On the air...
HAVE YOU LISTENED YET?
I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.
Hear the perspectives of incredible guests as they talk through a wide range of hot topics.
Some of the many topics we've addressed...
- identity theft
- medical cannabis patient privacy
- cybercrime prosecutions and evidence
- government surveillance
- career advice for cybersecurity, privacy and IT professions
- voting / elections security (a series)
SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.
3 Ways to Show Some Love
Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...
1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.
3) Share the content. All of the info in this email is sharable (I'd just ask that you follow
Hopefully the weather is perfect where you are, and not causing you any headaches or leaving you wishing for a change. We'll keep our fingers crossed here in the U.S. Midwest that the snow will begin melting soon.
So many of you have reached out to ask if you can share these tips with your own audience, and I always respond with a resounding Yes! That's the entire purpose behind this monthly email, so please, share far and wide. (See more about this in "Permission to Share" below.)
Here's to a wonderful spring, wherever you are,