Get Rid of 'Em!
     


We all have a bad habit or two we'd like to kick. Some are worse or more pressing than others to address. At the risk of piling on, I challenge you to think through the risky data security and privacy behaviors you may need to quit, as well. 

Fall is a great time to clear closets of old computers and piles of papers, both of which often contain heaps of personal data. The older they are, the more likely they are to hold unencrypted, or even blatantly obvious, personal information. It's also as fine a time as any to freshen up your passwords by changing them to something extra strong... or to opt in to a few extra layers of security, such as two-factor authentication. 

Another good reason to tidy up your cyber safe lifestyle is that October is International Cybersecurity Awareness Month! Please participate by sharing this Tips message with friends, family, colleagues... anyone you think could benefit from the content. 

Read on to learn more about the risks to your data security and privacy... and to see if there are a few bad habits you can tackle yet this year. 

  
Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Dr. Katina Michael has dedicated the past 20 years of her career to raising awareness of uberveillance and the risks associated with it. Uberveillance, a term coined by Dr. Michael's husband, Dr. MG Michael, and one she helped popularize, describes the intensive surveillance processes developed in the 21st century that open us all up to the inevitability of massive privacy intrusions. In a recent guest appearance on Data Security & Privacy with The Privacy Professor, Dr. Michael helped our listeners understand the various risks associated with COVID-19 contact tracing apps, one of many newly distributed surveillance technologies sure to amp up our everyday exposure to privacy risks. 

The U.S. Postal Service's Informed Delivery notification service enables residential consumers to digitally preview their letter-sized mail. It's a service I've used for several years, and I love it. Special kudos to the USPS for making it easy to alert them when a letter you were expecting didn't show up. You simply click a link in the email notification to let them know the mail did not arrive as anticipated, and they launch an immediate investigation. This happened to me only a few weeks ago, and the USPS found my credit card statement had been erroneously delivered to a neighbor. Thanks to their quick assistance, I was able to get the statement back within just a few days. 

The National Institute of Standards and Technology (NIST) makes this month's  Beacons list for including privacy capabilities within its latest release of SP 800-53 Rev 5. The publication is a catalog of security and privacy controls to consider building into information systems and organizations as appropriate for existing risks. I encourage everyone to check it out and to find methods to adhere to the guidelines in every way that's relevant to their organizations and/or projects. NIST has also prepared supplemental resources like the Security and Privacy Control Collaboration Index Template to make engaging with the content as helpful as possible. 

Although I don't have any personal experience with the product yet, Ubiquiti impresses me with the spirit of its new UniFi Dream Machine. Essentially a high-powered wireless router, the Dream Machine also offers a few ancillary features, one of which is an intrusion prevention system. While reviewing the router, tech writer Dave Gershgorn says that feature came in extremely handy when the device alerted him to possible malware on his network-attached storage device. "... the process led me to learning of a massive security breach of a company whose device I naively trusted," Gershgorn writes. This is an excellent example of the impact security- and privacy-minded devices can have on the awareness of everyday technology users. Have any of you used this? Let me know!

Earlham Savings Bank, a community financial institution that operates in my neck of the woods (Iowa), is providing a great reminder to its customers about password security. Each and every time an online banking user logs into her or his account, a pop-up provides a helpful tip, such as "Use a different password for every website." These kinds of simple-to-execute strategies are really easy to emulate, and more companies should be engaging in this type of affordable, yet effective, education for their constituents. 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). They simply highlight a noteworthy example that is, in most cases, worth emulating.

Just when you think no one's watching...
    
  
Alexa for Residential: Thanks to Tips reader Susie for pointing out the latest Alexa risk. Turns out Amazon has developed an Alexa offering specifically for landlords that could allow property owners and managers to spy on tenants. As reported by Gizmodo, "...your landlord could connect their own account to your device, giving them control over the Drop In feature." Drop In allows Alexa users to connect to each other's devices. They don't have to be part of the same household or account. Once connected, users can hear (and sometimes even see) what's happening in the other user's home.

Rite Aid Facial Recognition: Spies in the ceilings of the stores you visit? Yep, it's happening. Artificial intelligence-powered facial recognition is being combined with surveillance cameras to help retailers know more about the people shopping in (and stealing from) their locations. There are the standard worries about privacy invasion, incorrect assumptions and algorithms with built-in, undetected biases that generate incorrect results. And then there's the fact that some of the technology used in these systems has ties to China, which has earned a reputation for deploying technology in the U.S. in the hopes of procuring troves of data on Americans. The growing IIoT (Industrial Internet of Things) trend is worrisome, to say the least. 

Shapeshifting IoT Products: This trend, in which software updates completely transform a product's functionality, was recently explored by Rob Walker in an article on Medium. Using Amazon's Ring doorbell as the go-to example, he explained: "... there's something startling about an object as banal as a doorbell transforming itself without the user having any particular say in the matter." He points to several concerns with Ring, including security flaws, accusations of surveillance and what he calls a "too-cozy" relationship with law enforcement. Indeed, it's very important for consumers to stay on top of news about software updates and feature upgrades on the smart devices they've added to their personal space. 

Smarter Coffee Maker: A security researcher hacked an IoT coffee maker, ironically called the Smarter Coffee Maker, to demonstrate how easily smart home devices can be taken over by malicious actors. After reverse-engineering the device's firmware, he was able to remotely turn on the burner, dispense water, spin the bean grinder and display a ransom message, all while forcing the device to beep repeatedly. Even more concerning, the research demonstrated that a smart IoT device like this can be misused as a foothold for network breaches, data leaks, ransomware attacks and distributed denial of service (DDoS) attacks. What's really interesting to me about this particular company is that it appears to have known about the security vulnerabilities, because it fixed them before releasing its next products, the iKettle version 3 and the Coffee Maker version 2. Yet the company didn't publicly warn customers not to use the old devices. And, according to data from the WiGLE network mapping engine, plenty of the older units are still in use today. 

Election Considerations for Security-Minded Voters
Voting smartly and securely in the age of misinformation
    
  
We can't go five minutes without hearing about the upcoming U.S. presidential election. With just over a month until the big day, news, social chatter, rumor and conjecture are flying at a fever pitch. 

To help separate the signal from the noise, we've rounded up a few resources to help you be as informed as possible -- and for those in the U.S., to inspire confidence in the security and soundness of your vote on Nov. 3. 

Voting by Mail Security: Busting Myths and Explaining Facts - Amber McReynolds, one of the country's leading experts on election administration, policy and security, discusses the real risks of voting by mail, along with its benefits, its security safeguards and the myths surrounding it.

How to Vote by Mail in Every State - A helpful guide from the Wall Street Journal on taking part in the election without having to visit a polling location. 

How to Track Your Ballot After You've Mailed It In - LifeHacker details methods for monitoring the delivery of mail-in voting ballots. 

DOJ Says Russian Went Beyond Election Disinformation - As detailed in this InfoRisk Today article, ongoing and organized disinformation campaigns are still circulating. Be aware of them and always double-check what you see, read or hear. Look for corroboration, and avoid sharing something with your friends and colleagues unless you have verified its accuracy. 

COMING SOON: Keep an eye on our Voice America radio show channel. Guests Jennifer Kavanagh and Quentin Hodgson will join us October 3 at 10am CDT. The show will be available for listening on-demand immediately after the initial airing. In the meantime, check out several of the reports and resources Jennifer and Quentin have created, including:

Facebook Set to Update Terms of Service
Social giant wrangles for greater control over disinformation
  

On October 1, 2020, Facebook will update section 3.2 of its Terms of Service. They've published a preview if you're anxious to get a sneak peek.

The changes center on what Facebook users can do and share on the social network. They appear to expand Facebook's ability to remove content if the company believes it could face legal or regulatory consequences because of it. 

The preview contains the following language: "We also can remove or restrict access to your content, services or information if we determine that doing so is reasonably necessary to avoid or mitigate adverse legal or regulatory impacts to Facebook." 

It'll be interesting to see if Facebook describes the removable content in more detail when the terms of service take effect later this week.

With it being an election year, Facebook appears to be making an attempt to be extra cautious about the potential spreading of disinformation on its platform. To be sure, some will label such action as censorship. Others will believe Facebook's intentions are good. 

In other news, it's been reported that Facebook will pay certain users to quit its apps temporarily. Specifically, the social giant is said to be offering selected users payment to stay off its apps in the weeks before the election. The program is apparently part of a research study looking at the effect of social media on democracy.

Organizations can learn from the security mistakes of others

I was asked by Digital Privacy News to provide takeaways from the recent Department of Veterans Affairs data breach, which exposed the personal data of 46,000 U.S. military veterans... and boy are there plenty! Here are just a few you may consider reviewing within your own organization. 

Firewalls are not enough: There is a multitude of entry points into today's organizations, from personal mobile devices to third-party APIs. Each can serve as an open door to a network and its associated systems, applications and data repositories. Organizations must implement a good mix of strong access controls of all types: technical, human and physical. 

Social engineering works: Cyber actors know it is often easier to trick humans (so-called "wetware" attacks) than to defeat an organization's technical security controls. Comprehensive and frequent training for employees on the newest tricks and traps deployed by these criminals is essential. When is a good time to do something to raise awareness? October, International Cybersecurity Awareness Month!

Investigations can be lengthy: Breached organizations are often criticized for taking too long to report data breaches. However, it's important to consider that digging into what happened is vital to the protection of those whose data was exposed. Organizations must be able to accurately describe the details of the breach to those impacted, especially the specific types of personal data that were exposed. 

Beyond the very real harms that occur as a result of breaches, the silver lining to each is that a breach opens minds to the realities of security vulnerabilities. These unfortunate incidents are known to have lit a fire or two under leadership to invest the time, resources and funds to mitigate future threats. 

FRESH PHISH: Texts Promise a Package On the Way
Smishing attempts take advantage of pandemic-era behaviors

Over the last three months, I've received six separate text messages like the one on the left, each claiming a pending parcel of mine had been found. The texts promise instructions for claiming the package... if I just click the suspicious link in the text. 

No thank you!

Several Tips readers and Voice America show listeners have reached out to share similar experiences with phishing via text message, otherwise known as "smishing."

With all the online orders we're placing for home delivery these days, many people are more susceptible to falling for this type of scam. Sometimes they are easier to spot, but this particular text addressed me by name and sounded fairly legitimate. Of course, I'm always cautious about clicking any links. 

My advice: Never click any link until you have independently (and away from the suspicious communication) verified its legitimacy. If the text appears to be coming from a friend, give them a call. If it's coming from an organization, email them or dial up their customer service using a number from their official website or your statement, not one from the text. Never reply to the text, not even with "STOP": a reply confirms your number is live, and malicious actors are often waiting on the other end and are very good at claiming to be on your side. 

Another thing you can do to test a text is to check the URL on a free URL safety site, such as the one from Trend Micro. After you type in the URL from the text message, they assign it a rating of Safe, Dangerous, Suspicious or Untested. 
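As an added example (not code from this newsletter, the USPS or any vendor it names), the following Python script does the offline part of that triage: it pulls the links out of a text message and flags the tricks smishers rely on, such as a carrier's name tucked into a subdomain of someone else's domain, a link shortener, a raw IP address, or a punycode hostname. The carrier allowlist, the shortener list and the sample messages are constructed for illustration, and "registrable domain" is approximated as the last two labels of the host, which is adequate for .com-style domains only.

```python
"""Offline triage of links found in "your package is waiting" text messages.

Added example for this newsletter; not a tool from the author or from any
vendor named above. CARRIER_DOMAINS, SHORTENERS and SAMPLES are constructed
for illustration. Maintain the allowlist from carriers' own published sites,
never from the texts themselves.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption: registrable domains the real carriers use for tracking links.
CARRIER_DOMAINS = {"usps.com", "ups.com", "fedex.com", "dhl.com"}

# A genuine tracking link has no reason to hide behind a shortener.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Either a full http(s) URL, or a bare host such as "usps-track.info/claim".
URL_RE = re.compile(r"https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of the host (adequate for .com-style TLDs; an assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str) -> List[str]:
    """Return the red flags for one link; an empty list means none were found."""
    had_scheme = "://" in url
    if not had_scheme:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []

    if had_scheme and parts.scheme != "https":
        reasons.append("not served over https")

    # A raw IP instead of a hostname: there is no domain to reason about, stop here.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP address")
        return reasons
    except ValueError:
        pass

    # Punycode labels can disguise look-alike characters in a brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname")

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append("link shortener hides destination")

    # The classic trick: the brand sits in a subdomain ("usps.com.evil.net")
    # while the registrable domain belongs to someone else entirely.
    if reg not in CARRIER_DOMAINS:
        brands = [d.split(".")[0] for d in sorted(CARRIER_DOMAINS)]
        hit = [b for b in brands if b in host]
        if hit:
            reasons.append(f"brand '{hit[0]}' in host but registrable domain is {reg}")
        else:
            reasons.append(f"registrable domain {reg} is not a known carrier domain")
    return reasons


def extract_urls(text: str) -> List[str]:
    """Pull links out of message text, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def triage(message: str) -> Dict[str, List[str]]:
    """Map every link in an SMS to its list of red flags."""
    return {u: assess_url(u) for u in extract_urls(message)}


# Constructed sample texts, not real messages.
SAMPLES = [
    "Hi Rebecca, your parcel was found. Claim it here: http://usps.com.track-delivery.info/claim",
    "USPS: package 9400 pending. Confirm address at http://bit.ly/3xYz",
    "Your USPS item is out for delivery. Track: https://tools.usps.com/go/TrackConfirmAction",
    "Delivery failed, reschedule: http://192.168.4.7/usps/login",
]

if __name__ == "__main__":
    for text in SAMPLES:
        for url, flags in triage(text).items():
            verdict = "SUSPICIOUS" if flags else "no red flags (still verify out of band)"
            detail = ": " + "; ".join(flags) if flags else ""
            print(f"{url}\n  -> {verdict}{detail}")
```

Treat an empty list of flags as "not obviously bad," not as "safe": the script only catches structural tricks, so a freshly registered look-alike domain with a valid certificate passes it, which is exactly why the out-of-band check above still applies.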


Please consider sharing this information with friends, family and co-workers. If you're responsible for information security, privacy or IT at your organization, or you lead the entire organization as CEO or president, forward this resource and tips to your employees and contractors -- especially those working remotely. Those employees are out of their element, which often makes them extra vulnerable to the crafts of smishing artists. 

Where to Find the Privacy Professor 
  
 


On the virtual stage and studio... 

HAVE YOU LISTENED YET? 

Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety 
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 


3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

 
 
My sons and me, Halloween 2007.
No doubt, Halloween will feel a little different this year. But, look at it this way... we'll finally have consensus on wearing masks! :) 

With special circumstances comes the need for extra precautions. There are some scary risks out there, and the bad guys are all too willing to leverage them for profit. As you find new ways to celebrate Halloween and many of the other holidays around the corner, remember to stay vigilant against data security and privacy threats.

Cheers to Halloween masks! 

Rebecca
Need Help?


Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. October 2020 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at [email protected]

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
 
 
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn   Follow us on Twitter