Not All is Merry and Bright


Generosity is in the air! With full tummies and warm hearts, holiday revelers across the globe may find themselves in a giving mood this time of year. And the fraudsters are counting on it.  

To truly enjoy your holiday season, pay special attention to those things that look or feel "off." Your own instinct can save you a sleigh load of trouble this holiday season. 


Just in case that instinct gets a little distracted with jingly bells and candy-cane visions, read on for some helpful reminders and friendly warnings to keep you and yours safe this holiday.   

It Doesn't Show Signs of Stopping...    

Playing on business owners' desire to service clients well, hackers are spreading a new phishing scam under the name of the Better Business Bureau (BBB). Just this week, I received the message below. I forwarded it to the BBB, and they confirmed the presence of nasty malware attached to the email.

Should you or someone you know receive the above email or one similar to it, do *NOT* click the zip file attached!

In the New Old Fashioned Way...

A hoax can spread like wildfire on social media sites, especially Facebook. No matter how counter some of these run to common sense, they still seem to find a home on thousands of timelines.

The most recent viral post is the "copyright protection" message Facebook users have been encouraged to copy and paste to their Facebook profiles. Rest assured, doing so provides the user no extra protection, as Facebook generally continues to have unrestricted uses of any images or content uploaded to its site.

For more on this story, see a good ABC News report. 


I Have No Gifts to Bring...


Costco users on Facebook may find themselves the target of a gift-giving scam this holiday. As Information Week reports, scam artists are offering Costco customers vouchers to popular establishments like Starbucks.


Be mindful of the information on Facebook, even when it appears to be coming from a trusted "friend." Often these scams begin by posting messages to people's timelines without their consent or even knowledge.  


Some red flags to watch for in these messages include a time-sensitive offer, an offer that seems unbelievably good to be true (as in the Costco scam), an unrealistic number of "likes" or comments attached to the post, or a username like "James Smith" or something similarly ordinary.


Oh What Fun...

... it is to shop online. Billions of gifts will be ordered this week as Black Friday shoppers look to check off those items during Cyber Monday Week they weren't able to pick up in stores the day after Thanksgiving. Thanks to reader Mike P. for pointing to these safe cybershopping tips.

The Weather Outside is Frightful...

Hurricane Sandy scams continue to pose problems as coastal residents clean up from the storm. Yet instead of the storm victims, many fraudsters are targeting those of us not affected by the storm -- those simply moved by the spirit of a helping hand.

CNN put together a terrific list of potential scams related to the storm. Be sure to take a read of the article to educate yourself on the tricks these worst-of-the-worst criminals may try to pull on you.

Gonna Find Out Who's Naughty and Nice...

From school superintendents to the intelligence elite, private emails continue to act as career poison. What makes the most recent headline-making email scandal so scary is that - unlike in similar cases - General David Petraeus was not using company email to communicate with his mistress. He was using Google's Gmail service. Yet, as we all know, any expectation of privacy Gen. Petraeus may have had was horribly misguided, especially using a free web-based mail service where all messages are stored online... where anyone associated with Google can potentially access them.

Remember this as you communicate with colleagues and friends in this new era of digital communication and cloud storage: Everything is being recorded. Even if it's on the up-and-up, it can all be edited or used out of context to support anyone's theory or accusation. Post online judiciously!    


Join the Chorus...


On January 28, I and information security and privacy experts world-wide will be spreading the word about the importance of privacy and security as we celebrate Data Privacy Day. In Iowa, we are working with the Governor's office to encourage him to again proclaim January 28, 2013, as Data Privacy Day in our state.


As a precursor to Data Privacy Day, I will also be providing a free online webinar, "Are You Smarter Than Your Phone?" sponsored by EDUCAUSE on January 9 to discuss the privacy and security risks with using mobile apps.  


What will you be doing? Something similar? Something different? I'd love to hear of your plans for celebrating this important, comparatively new, tradition. Drop me a note to let me know what you and your teams are up to. 

If you're looking for ideas, visit the National Cyber Security Alliance website. They've established a great online resource full of items you can repurpose, from downloadable logos to social media posts.

You Better Watch Out...

The topic of my fourth quarter issue of Protection Information Journal is mobile apps and the privacy and security issues arising from consumer and business use of the cloud.

If you are considering using a cloud service (e.g., to do your personal computer backups, to store your photos and videos, to do your income taxes, etc.), here are a few questions to help determine the risks.

* What security practices and data protection strategy does the cloud service have in place?
* Who has access to the information in these clouds?
* How does the cloud service keep its customers out of each other's data, and ensure customers' data is not mixed?

More will be included in this quarter's Protection Information Journal. (FYI, each subscription-based journal is customizable so you can add your company name and logo and then distribute to your own clients, employees, students or others.)

Are You Listenin'...

If you're in the healthcare field and a fan of podcasts, please listen to this free one I recently did. The second in a series for the healthcare community, the podcast discusses the secure use of fax solutions for healthcare information exchange, and how to address the related privacy concerns.



International Recognition

I was recently honored to be recognized by the Information and Privacy Commissioner of Ontario, Canada, as a Privacy by Design Ambassador!

As an Ambassador of the Commissioner's PbD (Privacy by Design) program, I am joining an exclusive group of privacy thought-leaders from throughout the world. Committed to ensuring the ongoing protection of personal information by following the Principles of PbD, this group will continue to advance the case for embedding privacy protective measures in technology, processes and physical design.

You can learn more about the program on the PbD website.

Term of the month


"Web Bug"


Embedded into a website page or an email, a web bug (also called a "web gif," "clear gif," "web beacon," or "tracking bug") is used to track when a user has viewed or used content on a given digital document or website. It is typically invisible and relays to the owner of the bug quite a bit of information, including such things as users' IP addresses, when the content was accessed and how the content was used (forwarded, copied, etc.).


One way to avoid being tracked by web bugs in your email is to disable HTML, an option offered by many email clients. This stops the web bugs, which are usually invisible images, from loading. However, it is very hard to stop from getting web bugs from web sites; one more reason for being careful when choosing what sites to visit!
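To show what an email client (or a mail gateway) can look for before any image is fetched, here is an added Python example, not from the newsletter, that scans an HTML email body for the invisible remote images described above. The sample message, the `example.org`/`example.net` hostnames and the token values are constructed for illustration.

```python
# Added example: flag likely web bugs (tracking pixels) in an HTML e-mail body.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: one legitimate logo plus two tracking images of the kinds
# described above (a 1x1 pixel, and an image hidden by CSS), each carrying a
# per-recipient token in its query string.
SAMPLE_HTML = """
<html><body>
<img src="https://example.org/images/logo.png" width="200" height="60" alt="Logo">
<p>Happy holidays from the example newsletter.</p>
<img src="https://track.example.net/open?u=7f3a9c2e1b4d&c=dec2012" width="1" height="1">
<img src="http://pixel.example.com/b.gif?id=a81f0c3e" style="display:none;width:0;height:0">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixels (with or without 'px')."""
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")

def find_web_bugs(html):
    """Return (src, reasons) for each remote image that looks like a tracking beacon."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline (cid:/data:) images cannot report back to a server
        reasons = []
        if _tiny(img.get("width", "")) and _tiny(img.get("height", "")):
            reasons.append("1x1 or 0x0 image")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # A long opaque query value is how the beacon identifies the recipient.
        if any(len(v[0]) >= 8 for v in parse_qs(urlparse(src).query).values()):
            reasons.append("opaque token in query string")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Blocking the flagged images (or, as the text suggests, not rendering HTML at all) is what prevents the open from being reported; the scan only tells you which images would have done it.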


For more information about web bugs, see an article I wrote a few years ago, "Quit Bugging Me!"



Thank you for a wonderful year of information security and privacy advocacy. I'm sure you are each doing your part to make personal information as secure as possible, and for that you should be proud. Keep up the good work, and hopefully, continue reading. I look forward to sharing more privacy and security tips with you in 2013 and well into the future!


I wish you all a very memorable and healthy, Happy Holidays,

Rebecca Herold, CISSP, CIPP
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564, Business: 515.996.2199