Cultivate Privacy with Precision Weeding
May is a time of renewal. Flowers bloom. Grass grows a vibrant green. People get in their yards, on their patios or in their community gardens to make them even more beautiful. Sometimes that means removing noxious weeds and unwelcome critters.

I often think of data security and privacy the same way. For each to bloom, we have to weed out the risks.

Just like tending to a garden, preventing cyber-scammers and security incidents from strangling our privacy is a constant battle. But it doesn't have to be a chore. It can even be enjoyable.

That's precisely what this month's Tips aims to do. Read on and enjoy! Think of the content below as fertilizer for your growing data security and privacy awareness.
May Tips of the Month

  • Data Security & Privacy Beacons

  • Privacy & Security Tips: Q&A

  • Privacy & Security News

  • Where to Find The Privacy Professor
"Peonies on my Desk" by Kelly Sue is licensed under CC BY-SA 2.0
Data Security & Privacy Beacons*
People and places making a difference
Credit card company Capital One sent Rebecca the message on the left because it spotted suspicious charges to her account. (You can see that both were identical charges.)

Not only is it a best practice for Chase to analyze cardholder transactions to weed out fraud, the company has also made sure the experience of disputing or approving the activity is user-friendly. That's a really important aspect of getting people to engage in fraud-protecting strategies like this.

Payment fraud is often an early indicator of much deeper problems, including identity theft. Having financial services companies with rich resources and deep pockets on our side is definitely Beacon worthy.

Eric Ravenscraft at Wired provided this timely article: How to Un-Setup Your Smart Home When Someone Moves Out. It's easy enough to connect most smart gadgets, but what about disconnecting? Eric's article shares tips on how to securely untangle shared devices and accounts.

Mailchimp produced an excellent resource for users and the general public it calls a "Transparency Report." Among other things, it describes how and where the company has changed its data practices year-over-year. We'd love to see more organizations providing annual transparency reports.

Premier Credit Union in our home state of Iowa hosts an annual Electronics Recycling & Shredding Event. We love this. It's a simple-to-organize, yet hugely impactful, way to keep a community data-secure and privacy-aware.

Researchers at Zimperium reported on how to protect Android phones from new 'System Update' malware. This malicious software is capable of stealing every single personal detail from infected devices.

Acting U.S. Attorney M. Rhett DeHart recently shared advice for keeping families safe online. Among the tips for children: Understand that people can pretend to be anyone online and that images can be altered or stolen.

The AARP & Marc Saltzman have put together a resource for members and the general public called, "The Definitive Guide to Reducing Robocalls." Following the recommended steps will cut back on "calls everybody loves to hate."

Apple is requiring iPhone users to opt in to receiving ads, a good privacy move. When users do not opt in, advertisers will still get data about ad performance, but purportedly that data will be aggregated, not associated with specific individuals. This creates a bit of a double-edged sword, as advertisers will receive even more data about the behavior of the iPhone users who do opt in. Still, being opted out by default is a definite win for iPhone users' privacy.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Photo by Zimuzo Duru on Scopio
Privacy & Security Tips
Rebecca answers 3 hot-topic questions
Below are a couple of questions Rebecca received about wardriving at the work-from-home security and privacy session she gave at the IIA Philadelphia Spring Conference. See more about this event, including a photo, in the section below about Rebecca’s speaking engagements.

Want to know more about why and how to do wardriving? Get in touch with Rebecca using clientservices@privacysecuritybrainiacs.com.

How can I get authorization to perform wardriving for my company?

It's critical to have executive support for programs like wardriving, which involves physically searching for wi-fi networks with vulnerabilities from a moving vehicle or on foot. Over the past year, the number of wi-fi networks has increased significantly, as the majority of the population moved to home offices. This resulted in a huge number of unsecured home wi-fi networks, which in turn put the business, the business networks they connect to, and the data stored within them at risk. Wardriving is a useful tool for identifying unsecured remote wi-fi networks.

When you speak with decision-makers, explain the risks that unsecured, remote wi-fi networks create for the business. Help them see why it's important to perform the same types of testing on employees' remote spaces that you perform on business-owned wi-fi networks and connections.

Don't forget to consult with your legal counsel. I've found that in most cases general counsel is on board after they learn more about the purpose and methods of wardriving.

Reiterate that your aim is to protect the business, employees, customers, patients, students and others, and also to ensure compliance with data protection requirements. Hackers love remote wi-fi, including the home wi-fi networks of remote workers. The threat is real.

PRO TIP: Avoiding pushback to activities like wardriving can be simpler if you have remote wi-fi cybersecurity and privacy requirements within your HR and/or information security policies and procedures.
How can employees protect themselves from malicious wardriving?

Not all wardriving is performed by white hats looking to keep their companies and employees safe. In fact, the majority of wardriving carries malicious intent, and it's quite simple to do. Rebecca frequently uses access point identification tools, such as WiGLE, in her own city to monitor trends in open wi-fi. With so many individuals working at home, she's found a much higher percentage in 2020 than in past years.

Protecting employees, and the company, from open wireless access points on home wi-fi networks starts with a wi-fi audit to determine if home office wi-fis are appropriately secured. All remote employees, but especially those who work with sensitive data, mission-critical files, operating systems or applications, should be instructed on how to set up a wi-fi network separate from their personal wi-fi network that is used only for work activities.

It is also a good idea for work-from-home employees to set up a separate wi-fi network specifically for their smart devices. This way, if a smart TV is hacked, for example, work computers will not be compromised at the same time. Your organization's IT area should be able to help employees do this, or point them to instructions or a contracted service to help if you do not have the IT resources available.

It's important to consider that remote employees may be venturing outside the home now that COVID restrictions are loosening in some parts of the world. Public libraries, coffee shops, hotels and shared rented office spaces often provide access to the internet via unsecured public wi-fi. Some also offer public USB charging ports. If fitted with data skimmers, USB charging ports pose another serious risk to the data and devices your employees may be using for work.

In these circumstances, both education and tools like a VPN or a juice-jack blocker can help employees avoid walking into a cyber trap.
"Happy Mother's Day" by maf04 is licensed under CC BY-SA 2.0
Below is a question Rebecca received from a Tips reader. Feel free to send in your own questions using rebeccaherold@rebeccaherold.com.

For Mother's Day here in the US, I’m thinking about getting my mother, who lives alone, a wearable IoT device to track her fitness, as well as reach me, her doctor, the police or others. How can I tell if the device has strong security and privacy protections in place?

This is a tricky one because IoT devices are so diverse. Some are very limited in their functions, while others are like tiny supercomputers. It sounds like the device you are considering has interfaces with other entities, which increases the risks.

Here are four areas to investigate to gauge adequate security and privacy:

Privacy notice. This should be clearly posted on the device's website. If you can't find one, that's a big red flag. If you do find and review the privacy notice, see if the emphasis is on your data rights or theirs. If they spend more time in the document talking about what they are allowed to do with user data than about what users are allowed to control regarding their own data, look for a different device. Make sure the privacy notice has been updated since the release of the device you are considering.

Third parties. How many other entities will have access to your mom's data? And of those entities, which ones also share the data with their own network of partners? Write or call the device provider and ask. If they only give you a general response, such as "only our trusted business partners," keep shopping.

Data control. Investigate whether you can delete your mom's data from all locations, including within the device itself, the vendor’s cloud storage, in their supply chain entities and any other locations it may be stored.

Security features. Check to see if there are certain features built in to provide a layered approach to data security. Can the device be inactivated? Is data that passes through the device encrypted? Does the vendor offer password protection with two-factor authentication?

Even if you are satisfied with what you find in your initial investigation, continue to monitor the device and its manufacturer, as well as that all-important privacy notice. One easy way to do this is to set an alert in your favorite search engine for the name of the IoT device, the vendor and the words “privacy” and “security.”

Best of luck with your research!
"peony-2" by ballookey is licensed under CC BY-NC-ND 2.0
Privacy & Security News
Ransomware, surveillance, software vulnerabilities and more
Software vulnerabilities and spyware

New Android spyware designed to look like a system update, but was never in the Play Store. Recently, a security firm uncovered a worrisome bit of spyware on Android that disguises itself as a system update.

Palestinian Hackers Tricked Victims Into Installing iOS Spyware. The groups used social engineering techniques on Facebook to direct targets to a wide range of malware, including custom tools.

100 Million More IoT Devices Are Exposed—and They Won’t Be the Last. The Name:Wreck flaws in TCP/IP are the latest in a series of vulnerabilities with global implications.

Tracking and Surveillance

Your 'smart home' is watching – and possibly sharing your data with the police. Smart-home devices like thermostats and fridges may be too smart for comfort – especially in a country with few laws preventing the sale of digital data to third parties. 'The documents and data we access remotely every day can end up in a gray zone outside the clear protections afforded in our homes and offices.'

They Stormed the Capitol. Their Apps Tracked Them. Times Opinion was able to identify individuals from a trove of leaked smartphone location data. Such tracking may be useful to catch criminals. But, just consider how easily this data could be collected to track anyone whose smartphone data has been leaked, for any reason, including nefarious ones.

New Sony technology can read lips. Sony’s new Visual Speech Enablement uses cameras and artificial intelligence to read lips. Are its accessibility benefits overshadowed by the potential for privacy violations? If you’ve seen 2001: A Space Odyssey, you know what could happen…look what happened when the H.A.L. 9000 read the lips of the astronauts!

Mexico will require new cell phone users to provide biometric data to the government. The nationwide registry of cell phone users will contain the biometric data of the user, along with a long list of other personal data.

I fell for a dangerous Google Voice scam. This is how it works and how to avoid it.

Cyber Warfare
Microchip security continues to confound Pentagon. Nearly nine years ago, the Senate Armed Services Committee reported the results of an investigation of counterfeit electronic parts in the U.S. military. The year-long probe found fully 1 million bogus parts, including components for several types of combat aircraft. Worries have only grown since then that technology that was made or modified in China, including everything from computer chips to servers, can be not just counterfeit but also malicious if it carries spyware.

Hundreds of electric utilities downloaded SolarWinds backdoor, regulator says. About a quarter of roughly 1,500 electric utilities sharing data with the North American power grid regulator said they installed the malicious SolarWinds software used by suspected Russian hackers.

A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack. Hackers believed to be directed by the Russian intelligence service, the SVR, used a routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. New information beyond what has been reported to date.

UK Counterintelligence Campaign Warns Over 10K Targeted on LinkedIn. By Christopher Burgess. A warning being pushed out to over 450,000 UK civil servants and members of industry and academia carried with it the ominous news that over 10,000 in UK government, business and academia have been targeted within the last five years.

• To hear an interesting discussion about cyber warfare, tune in to Rebecca’s May VoiceAmerica episode with 30-year US CIA veteran Christopher Burgess, the author of the previous article, as he discusses the issues.

Ransomware

Hackers breach Broward schools' computer system. They're demanding millions in ransom. Schools continue to be popular targets. It seems ironic that educational institutions still need more education about ransomware: how to prevent being a victim, how to train their own staff to recognize the indicators of ransomware, and how to make frequent backups and follow current disaster recovery plans so they do not have to pay large amounts of money to the cybercrooks. That money could be so much better spent on students' needs and teachers!

Apple’s Ransomware Mess Is the Future of Online Extortion. Hackers stole confidential schematics from a third-party supplier and demanded $50 million not to release them.

Cyber Insurance Firm Suffers Sophisticated Ransomware Cyber Attack; Data Obtained May Help Hackers Better Target Firm's Customers. Do you have cyber insurance? If so, give them a call and ask them if they have security and training in place to prevent being a victim of this type of ransomware attack.

A new headache for ransomware-hit companies. Extortionists emailing your customers.

Work from Home

The agency that controls U.S. nukes had its Twitter account accessed by a child. Twitter users jokingly feared that the agency responsible for the U.S. nuclear arsenal had been taken over. An unintelligible tweet made by U.S. Strategic Command (USSTRATCOM) was produced by a small child. While this situation was funny, it demonstrates one example of the risks of work-from-home situations.

“Slack Connect” Direct Messaging Feature Revamped in a Matter of Days Due to Serious Security Concerns. Many organizations have started using Slack as a tool to keep remote and work from home employees and contractors connected and communicating. At the end of March Slack debuted its long-awaited “Connect” direct messaging feature, which allows users to send invites to other users via an email address. Within just a few days it was already in need of major repairs due to a technical oversight that created major security concerns.

55% of remote workers have been the target of cybersecurity threats over the past year. Despite two thirds (66%) claiming to be more aware of cybersecurity threats since shifting to home working, they aren’t helping themselves or their companies with their behavior. Work devices are being used for personal habits like connecting to third party apps and are being loaned to friends and family – trends that are putting businesses in jeopardy.

• From the Netherlands: 13% of all people working from home are being constantly monitored by their employers. “Over half a million people working from home are constantly being spied on by their employer. The figure is probably higher because not everyone is familiar with the company software.”

Cybercriminals Target Remote Workers. FBI warns employers about new wrinkle to old scams.

Miscellaneous

Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables. An interesting new blog post from NIST that readers who work with differential privacy and database queries may find useful. In this post, NIST discusses the challenges of differential privacy for queries with joins, and describes some of the solutions for this setting.

Tech Firms Train Voice Assistants to Understand Atypical Speech. Voice assistants like Alexa and Siri often can’t understand people with dysarthria or a stutter; their creators say that may change. This certainly sounds useful. However, have they created the AI involved in a way to protect privacy, and to limit, or even ideally prevent, bias, for how the results are used?

Scammers target loved ones of COVID-19 victims. Government imposters may have hit a new low with a scheme that targets the grieving survivors of people who died of COVID-19 by offering them help paying for their loved one’s funeral expenses. The program just began on April 12, but even before it started, FEMA said it had reports of scammers contacting people and “offering” to register them for assistance.

90-year-old Hong Kong woman loses $32 million in phone scam. The woman said she had received a call in August 2020 from someone who claimed to work in law enforcement in mainland China. Then a man who purported to be a mainland law enforcement official visited her home and gave her a cellphone with which to communicate with them. The woman then made a series of transactions to two bank accounts as instructed by the criminals.

What Is Logic Bomb Malware and How Can You Prevent It? A logic bomb attack can delete data or send it to a malicious hacker. Fortunately, you can take steps to prevent logic bombs.

Photo by Zuzi Janek on Scopio
Where to Find the Privacy Professor
Podcasts, webinars, news articles and other content featuring Rebecca's insight

Plus new recognitions announced in April

Security & Privacy Compliance in Work From Home Situations
FutureCon Virtual Eastern CyberSecurity Conference CISO Panel, Mar. 31, 2021

NIST Workshop April 22, 2021

Addressing Public Comment on NIST Cybersecurity for IoT Guidance on April 22

Onalytica named Rebecca Herold among the "Who's Who in Risk Management" in two categories:

  • Key Opinion Leaders discussing Risk Management

  • Finance, ERM & Cybersecurity

Get the full report here.
My Radio Show
If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.
Latest Episode
With Genya Coulter, Polk County Florida Election Clerk for the Supervisor of Elections
Next Episode

Nation-state Hacking, Russian Threats and the Need to Beef Up Critical Infrastructure Cybersecurity with Christopher Burgess, nation-state cyberwarfare expert, security issues writer, speaker and commentator, and the former Senior Security Advisor to Cisco. Mr. Burgess served 30+ years in the US Central Intelligence Agency.

The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. May 2021 Privacy Professor Tips. www.privacyguidance.com.

NOTE: Permission for excerpts does not extend to images.