Cultivate Privacy with Precision Weeding
May is a time of renewal. Flowers bloom. Grass grows a vibrant green. People get in their yards, on their patios or in their community gardens to make them even more beautiful. Sometimes that means removing noxious weeds and unwelcome critters.
I often think of data security and privacy the same way. For each to bloom, we have to weed out the risks.
Just like tending to a garden, preventing cyber-scammers and security incidents from strangling our privacy is a constant battle. But it doesn't have to be a chore. It can even be enjoyable.
That's precisely what this month's Tips aims to do. Read on and enjoy! Think of the content below as fertilizer for your growing data security and privacy awareness.
May Tips of the Month
- Data Security & Privacy Beacons
- Privacy & Security Tips: Q&A
- Where to Find The Privacy Professor
Data Security & Privacy Beacons*
People and places making a difference
Credit card company Capital One sent Rebecca the message on the left because it spotted suspicious charges to her account. (You can see that both were identical charges.)
Not only is it a best practice for Chase to analyze cardholder transactions to weed out fraud, the company has also made sure the experience of disputing or approving the activity is user-friendly. That's a really important aspect of getting people to engage in fraud-protecting strategies like this.
Payment fraud is often an early indicator of much deeper problems, including identity theft. Having financial services companies with rich resources and deep pockets on our side is definitely Beacon worthy.
Eric Ravenscraft at Wired provided this timely article: How to Un-Setup Your Smart Home When Someone Moves Out. It's easy enough to connect most smart gadgets, but what about disconnecting? Eric's article shares tips on how to securely untangle shared devices and accounts.
Mailchimp produced an excellent resource for users and the general public it calls a "Transparency Report." Among other things, it describes how and where the company has changed its data practices year-over-year. We'd love to see more organizations providing annual transparency reports.
Premier Credit Union in our home state of Iowa hosts an annual Electronics Recycling & Shredding Event. We love this. It's a simple-to-organize yet hugely impactful way to keep a community data-secure and privacy-aware.
Researchers at Zimperium reported on how to protect Android phones from new 'System Update' malware. This malicious software is capable of stealing every single personal detail from infected devices.
The AARP & Marc Saltzman have put together a resource for members and the general public called, "The Definitive Guide to Reducing Robocalls." Following the recommended steps will cut back on "calls everybody loves to hate."
Apple is requiring iPhone users to opt-in for receiving ads, a good privacy move. When users do not opt-in, advertisers will still get data about ad performance, but purportedly that data will be aggregated, not associated with specific individuals. This creates a bit of a double-edged sword, however, as advertisers will be receiving even more data about the behavior of the iPhone users who do opt-in. However, being opted-out as a default is a definite win for iPhone users’ privacy.
*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security Tips
Rebecca answers 3 hot-topic questions
Below are a couple of questions Rebecca received about wardriving at the work-from-home security and privacy session she gave at the IIA Philadelphia Spring Conference. See more about this event, including a photo, in the section below about Rebecca’s speaking engagements.
How can I get authorization to perform wardriving for my company?
It's critical to have executive support for programs like wardriving, which involves physically searching for wi-fi networks with vulnerabilities from a moving vehicle or on foot. Over the past year, the number of wi-fi networks has increased significantly, as the majority of the population moved to home offices. This resulted in a huge number of unsecured home wi-fi networks, which in turn put the business, the business networks they connect to, and the data stored within them at risk. Wardriving is a useful tool in identifying unsecured remote wi-fi networks.
When you speak with decision-makers, explain the risks that unsecured, remote wi-fi networks create for the business. Help them see why it's important to perform the same types of testing on employees' remote spaces that you perform on business-owned wi-fi networks and connections.
Don't forget to consult with your legal counsel. I've found that in most cases general counsel is on board after they learn more about the purpose and methods of wardriving.
Reiterate that your aim is to protect the business, employees, customers, patients, students and others, and also to ensure compliance with data protection requirements. Hackers love remote wi-fi, including the wi-fi networks of home workers. The threat is real.
PRO TIP: Avoiding pushback to activities like wardriving can be simpler if you have remote wi-fi cybersecurity and privacy requirements within your HR and/or information security policies and procedures.
How can employees protect themselves from malicious wardriving?
Not all wardriving is performed by white hats looking to keep their companies and employees safe. In fact, the majority of wardriving carries malicious intent, and it's quite simple to do. Rebecca frequently uses access point identification tools, such as WiGLE, in her own city to monitor trends in open wi-fi. With so many individuals working at home, she's found a much higher percentage in 2020 than in past years.
Protecting employees, and the company, from open wireless access points on home wi-fi networks starts with a wi-fi audit to determine if home office wi-fis are appropriately secured. All remote employees, but especially those who work with sensitive data, mission-critical files, operating systems or applications, should be instructed on how to set up a wi-fi network separate from their personal wi-fi network that is used only for work activities.
It is also a good idea for work-from-home employees to set up a separate wi-fi network specifically for their smart devices. This way, if a smart TV is hacked, for example, work computers will not be compromised at the same time. Your organization's IT area should be able to help employees do this, or point them to instructions or a contracted service to help if you do not have the IT resources available.
It's important to consider that remote employees may be venturing outside the home now that COVID restrictions are loosening in some parts of the world. Public libraries, coffee shops, hotels and shared rented office spaces often provide access to the internet via unsecured public wi-fi. Some also offer public USB charging ports. If fitted with data skimmers, USB charging ports pose another serious risk to the data and devices your employees may be using for work.
In these circumstances, both education and tools like a VPN or a juice jack blocker can help employees avoid walking into a cyber trap.
For Mother's Day here in the US, I’m thinking about getting my mother, who lives alone, a wearable IoT device to track her fitness, as well as reach me, her doctor, the police or others. How can I tell if the device has strong security and privacy protections in place?
This is a tricky one because IoT devices are so diverse. Some are very limited in their functions, while others are like tiny supercomputers. It sounds like the device you are considering has interfaces with other entities, which increases the risks.
Here are four areas to investigate to gauge adequate security and privacy:
Privacy notice. This should be clearly posted on the device's website. If you can't find one, that's a big red flag. If you do find and review the privacy notice, see if the emphasis is on your data rights or theirs. If they spend more time in the document talking about what they are allowed to do with user data than about what users are allowed to control about their own data, look for a different device. Make sure the privacy notice has been updated since the release of the device you are considering.
Third parties. How many other entities will have access to your mom's data? And of those entities, which ones also share the data with their own network of partners? Write or call the device provider and ask. If they only give you a general response, such as "only our trusted business partners," keep shopping.
Data control. Investigate whether you can delete your mom's data from all locations, including within the device itself, the vendor’s cloud storage, in their supply chain entities and any other locations it may be stored.
Security features. Check to see if there are certain features built in to provide a layered approach to data security. Can the device be deactivated? Is data that passes through the device encrypted? Does the vendor offer password protection with two-factor authentication?
Even if you are satisfied with what you find in your initial investigation, continue to monitor the device and its manufacturer, as well as that all-important privacy notice. One easy way to do this is to set an alert in your favorite search engine for the name of the IoT device, the vendor and the words “privacy” and “security.”
Best of luck with your research!
Privacy & Security News
Ransomware, surveillance, software vulnerabilities and more
Software vulnerabilities and spyware
Tracking and Surveillance
• Your 'smart home' is watching – and possibly sharing your data with the police. Smart-home devices like thermostats and fridges may be too smart for comfort – especially in a country with few laws preventing the sale of digital data to third parties. 'The documents and data we access remotely every day can end up in a gray zone outside the clear protections afforded in our homes and offices.'
• They Stormed the Capitol. Their Apps Tracked Them. Times Opinion was able to identify individuals from a trove of leaked smartphone location data. Such tracking may be useful to catch criminals. But just consider how easily this data could be collected to track anyone whose smartphone data has been leaked, for any reason, including nefarious ones.
• New Sony technology can read lips. Sony’s new Visual Speech Enablement uses cameras and artificial intelligence to read lips. Are its accessibility benefits overshadowed by the potential for privacy violations? If you’ve seen 2001: A Space Odyssey, you know what could happen…look what happened when the H.A.L. 9000 read the lips of the astronauts!
Cyber Warfare
• Microchip security continues to confound Pentagon. Nearly nine years ago, the Senate Armed Services Committee reported the results of an investigation of counterfeit electronic parts in the U.S. military. The year-long probe found fully 1 million bogus parts, including components for several types of combat aircraft. Worries have only grown since then that technology that was made or modified in China, including everything from computer chips to servers, can be not just counterfeit but also malicious if it carries spyware.
• A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. New information beyond what has been reported to date.
Ransomware
• Hackers breach Broward schools' computer system. They're demanding millions in ransom. Schools continue to be popular targets. It seems ironic that educational institutions still need more education about ransomware: how to prevent becoming a victim, how to train their own staff to recognize the indicators of ransomware, and how to make frequent backups and follow current disaster recovery plans so they do not have to pay large amounts of money to the cybercrooks. That money could be so much better spent on students' needs and teachers!
Work from Home
• “Slack Connect” Direct Messaging Feature Revamped in a Matter of Days Due to Serious Security Concerns. Many organizations have started using Slack as a tool to keep remote and work from home employees and contractors connected and communicating. At the end of March Slack debuted its long-awaited “Connect” direct messaging feature, which allows users to send invites to other users via an email address. Within just a few days it was already in need of major repairs due to a technical oversight that created major security concerns.
• 55% of remote workers have been the target of cybersecurity threats over the past year. Despite two thirds (66%) claiming to be more aware of cybersecurity threats since shifting to home working, they aren’t helping themselves or their companies with their behavior. Work devices are being used for personal habits like connecting to third party apps and are being loaned to friends and family – trends that are putting businesses in jeopardy.
Miscellaneous
• Tech Firms Train Voice Assistants to Understand Atypical Speech. Voice assistants like Alexa and Siri often can’t understand people with dysarthria or a stutter; their creators say that may change. This certainly sounds useful. However, have they created the AI involved in a way to protect privacy, and to limit, or even ideally prevent, bias, for how the results are used?
• Scammers target loved ones of COVID-19 victims. Government imposters may have hit a new low with a scheme that targets the grieving survivors of people who died of COVID-19 by offering them help paying for their loved one’s funeral expenses. The program just began on April 12, but even before it started, FEMA said it had reports of scammers contacting people and “offering” to register them for assistance.
• 90-year-old Hong Kong woman loses $32 million in phone scam. The woman said she had received a call in August 2020 from someone who claimed to work in law enforcement in mainland China. Then a man who purported to be a mainland law enforcement official visited her home and gave her a cellphone with which to communicate with them. The woman then made a series of transactions to two bank accounts as instructed by the criminals.
Where to Find the Privacy Professor
Podcasts, webinars, news articles and other content featuring Rebecca's insight
Plus new recognitions announced in April
Security & Privacy Compliance in Work From Home Situations
Managing Risks of Emerging Tech Trends
FutureCon Virtual Eastern CyberSecurity Conference CISO Panel, Mar. 31, 2021
NIST Workshop April 22, 2021
Addressing Public Comment on NIST Cybersecurity for IoT Guidance on April 22
Onalytica named Rebecca Herold among the "Who's Who in Risk Management" in two categories: Key Opinion Leaders discussing Risk Management, and Finance, ERM & Cybersecurity. Get the full report here.
New Free HIPAA Resources from Privacy Security Brainiacs
Latest Episode
With Genya Coulter, Polk County Florida Election Clerk for the Supervisor of Elections
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.