Why Are You Getting This?
You signed up to receive The Privacy Professor Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Be Thankful for Good Privacy and Security Practices
The U.S. has a Thanksgiving holiday in November. Other countries also celebrate Thanksgiving, but at different times. As just a few examples, Canada celebrated Thanksgiving this year on October 14, Germany on October 6, and Australia’s is on November 27. Brazil is celebrating Thanksgiving this year on the same day as the U.S., November 28.
Whenever you formally observe a Thanksgiving holiday, or are informally thankful for anything in your life, it is good to be thankful for being more aware of vulnerabilities and threats to your privacy, so that you can take actions to protect the security of data, and privacy, for you, your family, friends, co-workers, and anyone whose personal data you have access to and/or work with.
We hope you’ll find this month’s newsletter helpful. Feel free to share with your friends and colleagues this fall. They will probably be thankful!
We freely distribute the Privacy Professor Tips monthly publication to help both businesses and individuals, of all ages, identify risks throughout their daily lives, and to help them know how to prevent security incidents and privacy breaches, and to keep from being a victim of scams. We love getting your questions! Send them our way, and you may see them in an upcoming Monthly Tips issue.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions.
Thank you for reading!
November Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Where to Find the Privacy Professor
News You May Have Missed
We love your positive feedback about our news items! We continue to find more unique news stories to share with you. We also share news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.
We’ve provided just a few of the news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news that demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.
We limit the list to 15 news items, and then put them, and a long list of other interesting news items, into a post to our Privacy & Security Brainiacs blog. Here are the 15 news items, most with associated quotes included, that our Privacy & Security Brainiacs team found interesting throughout the past month, in no particular order. Sometimes we will also include a few sentences about the situation to provide some advice or additional insights, or a related news item. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!
1. These Smart Glasses Will Read Your Emotions and Literally Watch What You Eat. A new type of smart glasses from Emteq Labs have cameras pointed inwards, aiming to track your life, quantify how you’re feeling, and what you’re eating. Among other activities that are tracked, the Sense glasses can track your food consumption, partly with a single outward facing camera that can be used to snap pictures of food, and partly with those sensors that can detect when you’re chewing. Emteq Labs has partnered with an unnamed diet and weight loss company. They also take snapshots of how you’re feeling at the time, and more. Emteq is hoping to paint a picture of what works in your life and what doesn’t.
2. Mets used facial recognition to profit on unsuspecting Citi Field fans: suit. Citi Field cameras “at the main fan entrance” collect “facial identifiers” from patrons as they enter the stadium, and the Mets have third parties processing the data to find people on the team’s “black list,” Dowling alleged in a Brooklyn Federal Court filing.
3. Meet Len: The Offensive Hacker With 10 Microchips Implanted In His Body. Noe is one of a growing number of “transhumans” — people who implant microchips into their bodies in a bid to improve their technology capabilities. They enable him to bypass security protocols, let himself into buildings and hack into people’s smartphones. NOTE: Related to this issue is, “Our Cyborg Future: Law and Policy Implications.”
4. Hacked Robot Vacuums Hurl Racial Slurs, Show IoT Devices Risks. Owners of robot vacuums across the U.S. have reported that their devices have been hacked. One particularly alarming case involved a man whose Ecovacs Deebot X2 began yelling racial slurs at him. The incidents appear to be linked to a security vulnerability in the Chinese-made Ecovacs Deebot X2 model, according to a report by the Australian Broadcasting Corporation.
5. New FASTCash malware Linux variant helps steal money from ATMs. Cybercrooks have been using FASTCash to steal money from unsuspecting victims since at least 2016, stealing tens of millions of dollars per incident in simultaneous ATM withdrawal attacks in at least 30 countries.
6. Why it’s time to take warnings about using public Wi-Fi, in places like airports, seriously. An Australian man was charged with conducting a Wi-Fi attack on domestic flights and airports in Perth, Melbourne, and Adelaide. He allegedly set up a fake Wi-Fi network, an “evil twin,” to steal email and social media credentials. People who are not careful with passwords, such as use of pet’s names or favorite sports teams as their password for everything, are even more vulnerable to an evil twin attack. Individuals who reuse username and password combinations online should be aware that once the credentials are obtained, they can be fed into AI, where its power can quickly give cybercriminals the key.
7. Parking Meter QR Code Scam on the Rise. The city of Redondo Beach, California issued a warning to the public regarding a concerning rise in the parking meter QR code scam. Reports revealed that approximately 150 parking meters had counterfeit QR code stickers positioned adjacent to ParkMobile and PayByPhone labels.
8. Researchers say an AI-powered transcription tool used in hospitals invents things no one ever said. NOTE: This could result in significant harms to the associated patients, and the healthcare providers.
9. This Prompt Can Make an AI Chatbot Identify and Extract Personal Details From Your Chats. Security researchers created an algorithm that turns a malicious prompt into a set of hidden instructions that could send a user's personal information to an attacker. Related: Anyone Can Turn You Into an AI Chatbot. There’s little you can do to stop them. Character.AI lets users create bots in the likeness of any person—without requiring their consent. NOTE: There are many significant privacy issues involved with this. How soon until the lawsuits start? Maybe some are in the works already.
10. Studies Show AI Triggers Delirium in Leading Experts. There are a half-dozen or more logical fallacies responsible for stoking today’s fears about AI and the economy.
11. Where organizations invest after a data breach. Asking customers to foot the bill for data breach remediation will not prevent future data breaches or address the issues that cause costs to increase. Investment in employee cybersecurity awareness training reduces data breach costs.
12. The Doctor Behind the ‘Suicide Pod’ Wants AI to Assist at the End of Life. Philip Nitschke’s latest invention, the Sarco machine, in which an American woman died, asks its users three questions: Who are you? Where are you? Do you know if you press this button, you will die? If the person inside the pod responds to the questions with the correct preprogrammed answers, a blue button lights up. NOTE: There are many concerns about this device; beyond the risks of AI results, there are concerns about misuse of the device, in addition to no apparent cybersecurity or privacy controls or capabilities.
13. Explainer: What do we know about the data breach at Intesa Sanpaolo? An Intesa employee at a branch in the small town of Bitonto, Italy, accessed the current account data of around 3,500 customers, including many high profile figures such as Meloni and her predecessor Mario Draghi between February 2022 and April 2024. The person had authorization to access the data with rules to do so only as required to support work activities. The rogue Intesa employee is alleged to have abusively accessed the accounts of around 3,500 customers about 6,600 times. NOTE: This is an insider threat exploitation of authorized access. This exists in most organizations and industries. A comprehensive security and privacy program that requires creation of data access logs, limitations for access frequency, alerts for excessive access, audits of access, and more, would prevent many types of insider threat exploits.
14. ‘Q Day’ Is Coming. It’s Time to Worry About Quantum Security. By the time quantum computers can actually break today’s encryption algorithms, it may be too late to do anything about it.
15. DARPA pays $6M to see fully autonomous Black Hawk helicopters. DARPA intends to outfit it with different types of sensors to see what's best at detecting and avoiding threats, obstacles and terrain, and will also use the testing period to develop standards for outfitting fly-by-wire aircraft with MATRIX systems. NOTE: Of utmost importance to cybersecurity, privacy and safety is following rigorous secure coding practices. This is a use case in our security and privacy engineering courses.
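To make the controls recommended in item 13 concrete, here is an added example (not code from this newsletter or from any bank) of the kind of audit-log check that would surface the Intesa Sanpaolo pattern: it reads customer-account lookup records, counts lookups per employee per day and per account, and raises alerts when a daily limit is exceeded, when the same account is viewed repeatedly, or when lookups cite no work ticket. The log format, the thresholds, the employee and account identifiers, and the sample log lines are all constructed for the example.

```python
"""Flag excessive or unjustified customer-account lookups in an access log.

Added example for the insider-threat controls named in news item 13
(access logs, access-frequency limits, alerts for excessive access).
Not code from the newsletter or any bank; the log format, thresholds
and sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy values; a real deployment derives them from a
# measured baseline of normal branch activity.
MAX_LOOKUPS_PER_DAY = 40       # per employee, across all accounts
MAX_LOOKUPS_PER_ACCOUNT = 3    # same employee, same account, same day
REQUIRE_TICKET = True          # every lookup must cite a work reason


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    employee: str
    account: str
    ticket: str    # empty string when no work reason was recorded


def parse_log(lines):
    """Parse 'ISO-timestamp,employee,account,ticket' lines into Lookup records.
    Blank lines and '#' comment lines are skipped."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, emp, acct, ticket = (f.strip() for f in line.split(",", 3))
        records.append(Lookup(datetime.fromisoformat(ts), emp, acct, ticket))
    return records


def find_alerts(lookups):
    """Return sorted (employee, day, reason) alerts for the three policy checks."""
    per_day = defaultdict(int)        # (employee, day) -> lookups
    per_account = defaultdict(int)    # (employee, day, account) -> lookups
    no_ticket = defaultdict(int)      # (employee, day) -> lookups without a ticket
    for lk in lookups:
        day = lk.ts.date().isoformat()
        per_day[(lk.employee, day)] += 1
        per_account[(lk.employee, day, lk.account)] += 1
        if REQUIRE_TICKET and not lk.ticket:
            no_ticket[(lk.employee, day)] += 1

    alerts = []
    for (emp, day), n in per_day.items():
        if n > MAX_LOOKUPS_PER_DAY:
            alerts.append((emp, day, f"{n} lookups in one day (limit {MAX_LOOKUPS_PER_DAY})"))
    for (emp, day, acct), n in per_account.items():
        if n > MAX_LOOKUPS_PER_ACCOUNT:
            alerts.append((emp, day, f"{n} lookups of {acct} in one day (limit {MAX_LOOKUPS_PER_ACCOUNT})"))
    for (emp, day), n in no_ticket.items():
        alerts.append((emp, day, f"{n} lookups without a ticket"))
    return sorted(alerts)


def sample_log():
    """Constructed log: teller-01 works normally; teller-07 repeatedly views
    one account and never records a reason."""
    base = datetime(2024, 3, 4, 9, 0)
    lines = ["# timestamp,employee,account,ticket"]
    for i in range(12):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()},teller-01,ACC-{1000 + i},SR-{500 + i}")
    for i in range(45):
        t = base + timedelta(minutes=5 * i)
        acct = "ACC-VIP-1" if i % 3 == 0 else f"ACC-{2000 + i}"
        lines.append(f"{t.isoformat()},teller-07,{acct},")
    return lines


if __name__ == "__main__":
    for emp, day, reason in find_alerts(parse_log(sample_log())):
        print(f"ALERT {day} {emp}: {reason}")
```

Run stand-alone, the script prints three alerts, all for teller-07, and none for teller-01. The three checks map directly to the controls in the note: the per-day count is the frequency limit, the per-account count catches repeated viewing of one customer, and the ticket check ties each access back to a work justification that an audit can follow up on.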
Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
November 2024
We continue to receive a wide variety of questions about security and privacy. Questions about HIPAA and personal health data are also increasing. Thank you for sending them in! This month in addition to our Question of the Month we’ve included four Quick Hits questions.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Question of the Month:
Q1: What features should be within security systems used in apartments?
A1:
Many different factors should be considered when choosing the best home security system for an apartment: such things as ease of use, installation challenges, size, portability, and the cybersecurity and privacy capabilities within such a system. Too many systems don’t even have such security and privacy capabilities. Most don’t go beyond the bare-minimum password, which has often been a default that is published publicly and known by anyone who does a simple online search. This makes that default password “security capability” more of a liability, and a flashing “Here’s where I am!” draw for robbers.
Anyone looking for a security system to use within an apartment or other type of rental needs to look for some specific cybersecurity and privacy features. Here are the top key features and capabilities of an apartment security system that should be within any such system that is used.
- Strong user authentication. Require multi-factor authentication (MFA). Prohibit the sharing of user IDs/accounts. If accounts are shared, all ability to hold specific individuals accountable for associated activities is lost.
- Access control management. Establish and manage different access levels into the security system for different users (e.g., property manager, residents, guests). Guest access management capabilities should include time-based limitations.
- Encrypted data. All data transmitted through the security system needs to be strongly encrypted. Otherwise, unauthorized individuals, some of whom may want to cause harm to apartment residents, may be able to intercept the transmissions. All data in storage, most critically personal data, also needs to be strongly encrypted.
- Regular software updates. New vulnerabilities in security systems, and in any other type of digital system, are discovered on an ongoing basis. Make sure the security system is automatically updated as soon as new vulnerabilities and bugs within it are discovered.
- Network security and segregation. Establish a dedicated network for security devices, separated from the home dwellers’ network. Use firewalls to filter incoming traffic and prevent unauthorized access. Use the strongest privacy settings for camera footage; in most security systems these are turned off by default.
- Camera privacy. Enable motion detection to limit recording to areas where activity is occurring. Establish privacy zones to omit, or blur, sensitive areas within the camera view. Apartment dwellers should be able to control security system recording schedules, so that recording is not continuous, particularly for areas where activities occur that the apartment dwellers do not want recorded.
- Monitoring and alerts. Real-time monitoring of system activity, with alerts for suspicious behavior sent to the apartment dwellers. Customizable notification options should allow apartment dwellers to also send notices to others they trust and choose to receive them.
In addition to the technical features built within a security system, here are additional tips for actions the inhabitants can take to make an apartment more secure, and more privacy protecting.
- Remove unnecessary services and software. Cybercrooks love seeing unused services and software on their targeted victims’ security systems; crooks know they can use unused services and probably not be noticed. Disable all unnecessary services to reduce the ways in which robbers, and others you don’t want snooping, can virtually enter the dwelling.
- Change default and existing log-in passwords, usernames, and settings. Most network devices are pre-configured with default administrator passwords and settings to simplify setup. These defaults are not secure; they are widely known and publicized. The crooks know this, and will use them to gain unauthorized access to security systems and perform an unlimited number of actions that can turn your security system into a robber’s break-in tool. Changing existing settings also prevents previous residents from being able to peek inside the new residents’ living spaces.
- Run up-to-date anti-malware software. This is a vital action to take for home security. A good anti-malware package can automatically detect, block, quarantine, and remove a wide range of malware (ransomware, viruses, worms, etc.) that could defeat the security system by turning it off, changing settings, or doing other harmful activities.
- Use firewalls on all networks and computing devices connected to the security system. These will block robbers and other external threats trying to get into the security system and dwelling to disable it. These tools can also log connections that could be malicious, and help stop sensitive data, such as live video streams, from being sent to outside recipients.
- Frequently back up security system logs and other associated data. These will be valuable to have in the event the system fails, a robbery occurs, crimes are committed, or other unexpected events cause other types of harm.
- Stay aware of phishing messages. Phishing messages via email, text, and other digital means continue to increase. More of them are pretending to be from legitimate security system companies. Don’t reply to or click on any communication that appears to be from the apartment security service without first ensuring it is from the legitimate company; if you do, you could be handing your security system, and access to your dwelling, over to a crook.
For even more guidance and tips about these issues, here are some more of our resources: Visit our webpage; check out our blog; subscribe to our YouTube channel; follow us on LinkedIn.
Quick Hits:
Here are four more questions we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q2: Is using generative AI in healthcare beneficial or harmful, with regard to security and privacy?
A2: This is a hotly debated topic right now. I’ve answered similar questions increasingly more often this year, and also wrote a blog post about it.
In short, the possibilities for GenAI to be beneficial are many; and likewise, the possibilities for it to be harmful are also many.
Here is a summary list of ways accurate GenAI tools can be used to detect threats to health networks and systems…a significantly beneficial use!
- For health systems intrusion and data breach detection and prevention.
- To automatically initiate data encryption and other privacy protections when a threat is detected within the digital ecosystem.
- For detection of health data access pattern anomalies, to identify when authorized users are exploiting their access to perform fraud and other types of unacceptable, and even criminal and physically harmful, activities.
Here is how GenAI tools can be used to detect unauthorized access to patient data
In addition to those benefits described previously, additional possibilities for beneficially using accurate GenAI tools include identifying and preventing activities that could result in a wide range of fraud:
- Unauthorized access to protected health information (PHI)
- Unexpected/unusual use of PHI
- Attempts to exfiltrate PHI and other types of sensitive data, such as medical intellectual property (IP)
- Cybersecurity incidents resulting from leaked IT specifications, administrative settings, etc.
- The creation of additional attack vectors that would allow hackers to enter the healthcare organization’s digital ecosystem
- Leaking network and system parameters, access points, etc.
- Commercial losses from stolen, unreleased products and treatments, pricing plans, etc.
- Violations of security and privacy legal requirements
Thoughtful, risk-aware use of GenAI can also improve threat detection and fraud mitigation throughout the full healthcare organization’s digital ecosystem.
However, GenAI tools are also being used for harm. GenAI tools are being used by those health-data-loving cybercrooks to trick victims through the use of new and more effective social engineering (phishing) tactics added to their landscape of attack tools. Here are a few examples.
- AI tools can quite convincingly impersonate the images and voices of healthcare leaders, such as hospital CEOs and Medical Directors; for example, impersonating the hospital CEO to direct staff to carry out a wide range of frauds and other crimes.
- Cybercrooks use GenAI to find the open digital windows and unlocked digital doors in organizations’ networks, and they can do this from the other side of the world.
- AI tools can be used by cybercrooks to cause a wide range of physical harms to patients.
Read my full blog post about these issues here.
Q3: What are holiday time scams and cybercrimes to be on the lookout for?
A3:
Great timing! I just read a nice article from Experian about this. They listed seven scams that are becoming increasingly more common during the holidays.
a) Online shopping scams.
b) Scam postal service delivery texts.
c) Scams using stolen or guessed passwords.
d) Scams and frauds using data stolen from your computing devices via skimming devices.
e) Scams and crimes committed via unsecure public Wi-Fi.
f) Get-rich-quick-from-home-job scams.
g) Scam requests for charity donations.
Check it out here: “7 Tips to Avoid Holiday Scams and Protect Your Identity in 2024.”
Q4: Does HIPAA Apply to AI chatbots and other types of digital personas?
A4:
First, keep in mind that the Health Insurance Portability and Accountability Act (HIPAA) generally covers the protected health information (PHI) of individuals (“humans that were born alive”) that a covered entity (CE; a healthcare provider, insurer or clearinghouse) has about that human to support healthcare treatment, payment and operations (TPO) activities, where some of that data is in digital form. That PHI must be protected as required by HIPAA, and cannot be used or shared beyond the purposes described within HIPAA.
There are a couple of ways in which your question can be interpreted.
- If you are asking if the chatbots have rights for data they communicate to others as a chatbot, in the same way as a human individual has rights, then no. Chatbots are not humans, so HIPAA does not give rights to chatbots.
- If you are asking if the data that is received and created by chatbots is PHI, and therefore must be protected per HIPAA requirements, the answer is: possibly. If you are communicating with a chatbot provided by a CE in the U.S., or by a business associate (BA, located anywhere in the world) on behalf of a CE in the U.S., to support TPO activities, then generally, yes, that information would be covered by HIPAA, and must be protected and used in compliance with HIPAA requirements.
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers; thank you! We include many of them when the suggestions are for businesses other than the suggester’s own; typically these are ones the suggester feels deserve recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- KCRG Reporter Amanda Alvarado. For her report, “Here is how you can still send messages on your phone if cell service goes out.” In the new iOS 18 update (iPhone 14 and newer), and on the Google Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, and Pixel 9 Pro Fold and newer, users can send messages via satellite. NOTE: Very helpful, especially for areas hit by severe weather and other natural disasters, along with for those of us who love hiking and exploring wilderness areas.
- National Conference of State Legislatures (NCSL). For their “Private Use of Location Tracking Devices: State Statutes” page.
- The Federal Bureau of Investigation (FBI). For issuing this announcement, “Fictitious Law Firms Targeting Cryptocurrency Scam Victims Offering to Recover Funds,” to inform the public of an emerging criminal tactic used to further defraud cryptocurrency scam victims. This PSA is an update to Alert Number I-081123-PSA, published on 08/11/2023, titled “Increase in Companies Falsely Claiming an Ability to Recover Funds Lost in Cryptocurrency Investment Scams.”
- Federal Trade Commission (FTC). For their new report to Congress, “Protecting Older Consumers 2023-2024: A Report of the Federal Trade Commission,” on scams and older adults. Every year, the FTC reports to Congress on the agency’s recent efforts to protect older adults.
- Joseph Shook. For sharing on LinkedIn this video from lollylolz on X/Twitter warning of the quishing threat with a real-life example.
- ScienceDirect. For their “Computers & Security” call for papers. The issue is “Security and Regulation: Cybersecurity, Privacy, and Trust - Protecting information and ensuring responsible technology use.” Submission deadline: May 1, 2025. Details are at the link provided. If you have research and/or real-life experiences to share about “approaches and methodologies addressing the global cybersecurity and regulation challenge,” consider making a submission! NOTE: Rebecca is one of the guest editors for this issue.
- Zscaler ThreatLabz. For their 2024 Ransomware Report.
- Spiceworks. For their article, “25 Security Terms You Should Know for Cybersecurity Awareness Month.”
- AlertMedia. For their “Emergency Response Plan Template.”
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Where to Find The Privacy Professor
See the recording now! "Ask Me Anything!" Privacy & Security Brainiacs Live: Dr. M.E. Kabay on Secure Coding
During this hour, Dr. M.E. Kabay provided great discussion about secure coding, his new Secure Coding Master Expert course available from the online training platform Privacy & Security Brainiacs, and his latest textbook, “The Expert in the Next Office: Tools for Managing Operations and Security in the Era of Cyberspace.” Check it out! Post your questions under the video in our YouTube channel. Or, send any questions you have for Dr. Kabay to us using info@privacysecuritybrainiacs.com.
Was featured in a Healthcare IT News article!
Rebecca was recently featured as a representative of IEEE in the article, “IEEE deep dive: What you really need to know about AI and cybersecurity.”
Provided the closing keynote for SecureWorld!
Rebecca recently provided the closing keynote for the 2nd Annual SecureWorld Manufacturing & Retail Virtual Conference. Her talk was, “[Closing Keynote] Navigating the Future: Privacy and Cybersecurity Challenges in the Era of an All-Connected World.”
Spoke at the IT GRC Forum!
Rebecca was recently a panel member for the session, “GRC: Driving Compliance Decisions by Using Data Repositories Effectively.”
Was featured in Reader’s Digest!
Rebecca was recently featured in Marc Saltzman’s article, “How to Clear Cookies on iPhone and Android—and Why You Should.”
Was featured in Technopedia!
Rebecca was recently featured, representing IEEE, in Linda Rosencrance’s article, “Why Zero Trust Needs MFA to Succeed: Expert Analysis.”
Was featured by Solutions Review!
Rebecca was featured in William Jepma’s article, “Cybersecurity Awareness Month Quotes from Industry Experts.”
Interviewed for Aerospace Manufacturing and Design!
Rebecca was recently interviewed by Eric Brothers for his article, “FAA addresses aircraft design cybersecurity.”
Featured in an IANS webinar!
Rebecca was featured, along with Jeff Brown, in the IANS service spotlight webinar, “The Privacy Implications of AI and IoT.”
Featured on Security Informed!
Rebecca was recently featured in “How Is The Internet Of Things (IoT) Impacting Physical Security?” Thank you, Larry Anderson!
Featured on the Optery website!
Rebecca was recently featured on Optery Blog: Privacy Protectors Spotlight. Thank you, Sara Trammell, for the recognition and wonderful article. We appreciate you!
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. November 2024 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.