Privacy Paramount to Success of Next Generation

 

Across the globe, the next generation is preparing to receive their diplomas and degrees. With these coveted pieces of paper and the knowledge they represent, the world's young people will build and collaborate for tomorrow.

 

As they do, it will be paramount for this generation of innovators to remain diligent in the security of data and the protection of privacy. Training, awareness and a lifelong commitment to continuous learning will be important for those of us charged with mentoring the up-and-coming.

Read on for the latest threats, traps and tricks posing challenges to every generation working to maintain our right to privacy.  

 

Buzzing Your Once-Private Backyard  

You may recall from last month's Tips Message that Facebook had been in talks to buy Titan Aerospace, seemingly attracted to the company's drone expertise. Well, Facebook has been ousted from the buy, and by none other than its Internet-giant rival, Google. On the surface, the deal is designed to help Google bring Internet access to remote parts of the world.

 

However, the data machine that Google has become has many concerned about the ways in which the company will ultimately use these super-quiet, high-flying, solar-powered units. A recent Contra Costa Times editorial articulated the concern best: "People won't want [drones] buzzing their once-private backyards, cameras rolling, or tracking their movements based on smartphone signals."

 


What You Need to Know about Heartbleed

The Heartbleed bug had media very interested in coverage of cybersecurity issues last month. As a result, I was asked to stop by the Great Day morning show to explain what I know and recommend for consumers concerned about vulnerabilities related to the flawed OpenSSL code.

 

The basics of Heartbleed are that a common building block used by millions of web developers was mistakenly engineered in a way that allowed access to the information in the memory of servers and devices online. This includes passwords and other types of sensitive personal data.
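The engineering mistake behind Heartbleed was a missing bounds check: the server trusted the length a peer claimed for its "heartbeat" message and copied that many bytes from memory into its reply, regardless of how many bytes the peer had actually sent. The following C program is an added illustration written for this Tips Message, not OpenSSL's actual code: the record layout is simplified, and the "arena" standing in for server memory and the "SESSION-COOKIE-SECRET" string are constructed for the demonstration. It shows the defective handler beside the corrected one, which discards any request whose claimed length does not fit inside the record that was received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a heartbeat record (not OpenSSL's real code):
 *   [1 byte type][2 bytes claimed payload length][payload][16 bytes padding]
 * The record sits at the front of a constructed "arena" that stands in for
 * process memory; a constructed secret is placed right after the record. */
#define ARENA_SIZE  256
#define HB_PADDING  16
#define HB_HEADER   3
#define PAYLOAD     "hello"
#define PAYLOAD_LEN 5
#define RECORD_LEN  (HB_HEADER + PAYLOAD_LEN + HB_PADDING)

static unsigned char arena[ARENA_SIZE];

/* Build the arena with a record whose header claims `claimed_len` payload
 * bytes while only PAYLOAD_LEN bytes are actually present. */
void build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);   /* length, big-endian */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, PAYLOAD, PAYLOAD_LEN);
    /* padding bytes stay zero; then unrelated "secret" data follows */
    memcpy(arena + RECORD_LEN, "SESSION-COOKIE-SECRET", 21);
}

static uint16_t claimed_length(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Defective handler: echoes as many bytes as the header claims, never
 * comparing that number with the size of the record actually received. */
size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    (void)rec_len;                        /* the real length is ignored */
    size_t n = claimed_length(rec);
    /* The next two lines exist only to keep this demo inside its own
     * buffers; a real server had no such limit and read whatever followed. */
    if (n > out_cap) n = out_cap;
    if (n > ARENA_SIZE - HB_HEADER) n = ARENA_SIZE - HB_HEADER;
    memcpy(out, rec + HB_HEADER, n);      /* reads past the record's end */
    return n;
}

/* Corrected handler: the claimed length must fit inside the record that
 * was received (header + payload + padding); otherwise the request is
 * silently discarded. Returns the number of payload bytes echoed. */
size_t heartbeat_checked(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t n = claimed_length(rec);
    if (HB_HEADER + n + HB_PADDING > rec_len) return 0;
    if (n > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Does `needle` occur inside buf[0..len)? Used to show what leaked. */
int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    build_arena(40);                      /* claims 40 bytes, only 5 present */
    size_t n = heartbeat_unchecked(arena, RECORD_LEN, out, sizeof out);
    printf("unchecked: echoed %zu bytes, secret leaked: %s\n",
           n, contains(out, n, "SESSION") ? "yes" : "no");
    n = heartbeat_checked(arena, RECORD_LEN, out, sizeof out);
    printf("checked:   echoed %zu bytes (request discarded)\n", n);
    return 0;
}
```

The corrected handler is the whole fix: one comparison between what the peer claims and what the peer actually sent. Everything that follows in the advice below (updating the flawed code first, then changing passwords) follows from the fact that until a site runs the checked version, its memory can still be read this way.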

 

For websites that have not yet fixed the flaw by updating their code, changing a password is only a band-aid solution; in these cases, the new password is just as vulnerable as the old. That said, consumers should begin changing their passwords at sites where they have provided passwords and other sensitive data over the past couple of years. If this seems too overwhelming, do it at least for the websites you've visited in the past couple of months. It's a good practice to do this annually anyway. Another good rule of thumb is to use different passwords for each type of site, at least between financial and social sites.

 

If changing all of your passwords seems overwhelming, you can narrow your need to do so by visiting this terrific resource put together by Mashable: The Heartbleed Hit List: The Passwords You Need to Change Right Now.

 

For more about Heartbleed, see my most recent blog post covering the topic. 

OpenSSL Raises Questions about Volunteer Developers

In a case of classic irony, I was attending the Privacy Engineering Workshop hosted by the National Institute of Standards and Technology in Washington, D.C., when news of the Heartbleed bug broke. At the event, colleagues talked about the need to build privacy protections into all new innovations and to rigorously test such protections.

 

OpenSSL is not the only technology vulnerable to flawed engineering. As has become common in the tech community, much of the innovation we've come to both admire and ultimately use has been built in a similar fashion to OpenSSL: by what Mashable calls "a small group of committers and volunteers."

 

I recently wrote about the issues with using such open source code written by volunteers in my article, "Would a Proprietary OpenSSL Have Been More Secure than Open Source?" I also provided some thoughts about the benefits of having more structured programming vetting practices in the Data Breach Today article, "Securing Open Source Post-Heartbleed."

   

Google Turns Private Detective Agency

Here in my home state, the workforce development agency has recently amped up its insurance fraud detection system. Their partner in crime prevention? Google. Using Google analytical tools, the system is said to be able to "detect and prevent improper unemployment insurance claims and state unemployment tax avoidance schemes by employers."

 

This is a perfect example of how Big Data analytics can be used legally to essentially "spy" on consumers and businesses for the purposes of identifying anything "fishy." There are many who will argue that fraudsters deserve to be spied on. But what about those who are dutifully following the rules? Should they be investigated? And to what end? 

 

Along with all of its true potential benefits, Big Data analytics has an unfortunate side effect: taking different pieces of information out of context and melding them together to paint a picture is an imperfect process, and one that puts the privacy of legitimate, law-abiding people at risk.

 

Privacy isn't about avoiding capture while doing bad things; it's a matter of being able to do what you want and controlling what the world does, or doesn't, need to know about those activities.

 

What is Your Consumer Score?

Another example of Big Data analytics is the concept of the "consumer score." Said to be similar to a credit score, a consumer score is based on past consumer behavior and used to predict future behavior. But unlike credit scores, consumer scores are completely unregulated and behind the scenes.

 

The World Privacy Forum recently released "The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Future." In the report, the forum says one problem is that these scores are developed and used without consumers' knowledge. Another problem is that there is no information provided (or legally required) to describe the information that goes into a score, or how fair, valid or accurate the score is. In short, there is no way to validate the accuracy or appropriateness of consumer scores.

 

Especially troublesome, according to the Credit Union Times, is that consumer scores are increasingly being used to determine creditworthiness. So the next time you go for a car loan, the credit union or bank may very well be using this unregulated score in its decision making. Don't be afraid to ask, as you have every right to understand how your application is being analyzed.

 

How 'Friends' Can Fool You

Did you know social network users can actually purchase followers, fans and friends? It's true. For a price, you can make your fraudulent social account look as legitimate as that of the innocent people you are likely hoping to fool.

 

My friend Lisa, who is a very savvy, privacy- and security-aware individual, recently fell for the legitimacy of such a scammer. An exceptionally patriotic ex-pat, she is always willing to give members of the military - even ones she may not know - the benefit of the doubt. When a high-ranking general with hundreds of friends, including some she knew, asked to be friends with her on Facebook, she accepted.

 

A few weeks into their "friendship," the warning flags began to fly. The general was asking for money, a tell-tale sign that a social friend is not who he claims to be. As it turns out, the general was not real, and the fraudster behind the scenes had likely purchased his (or her!) contacts or tricked them into social friendships.

 

Stories like these are terrific examples of how fraudsters are becoming even more cunning with their social profiles. Although I don't like to encourage paranoia, I will say this: Keep your guard up and watch for odd behavior from your social connections. If something looks odd, chances are there's a problem. 

Know Your Neighbors

I'm an active member of a neighborhood-focused social media site called NextDoor.com. In fact, you may recall me reporting on my experience with the site here in the Tips Message. Generally, I've been happy with their privacy protections and published policy. However, the longer I'm a member, the more I'm learning about this network. Unfortunately, a big drawback has come to my attention.

 

Nextdoor.com claims to be a "closed" social network, in which neighbors are only able to view your content if they actually live in your neighborhood. But what I've come to learn is that nearby neighborhoods can communicate with your members and even see the posts made by your neighborhood. Depending on your city, your comfort level with neighbors even a few streets away can be quite different than neighbors living on your street.

 

My friend Kelly was recently contacted by a "neighbor" who lived in an apartment complex near her neighborhood. The complex, she knew, housed at least two residents on the sex-offender list. She had no idea when she set up a NextDoor.com account for her neighborhood that the apartment residents would be able to communicate with the members of her "closed" account. The apartment resident posted a message that said she was "down on her luck" and in need of everything from money to furniture. My friend was surprised to see many of her smart, and presumably aware, neighbors begin to interact with this individual and share far too much information.

 

I've had similar experiences with NextDoor.com and have actually contacted them to see if they can work on making this an option. Although they have responded to say they are happy for the insight, there have been no changes made to the way the site works.

 

So, if you're interested in establishing an account with this service for your neighborhood, just be sure to do so with your eyes wide open, and practice good social safety skills. Never post about your travel plans or times when you will be away, and keep your guard up when "neighbors" post about their needs.

Love for Grandkids Exploited by Criminals 

Grandparents are a primary target of scammers. The tenderness and affection grandparents have for their grandkids and the tendency for many to be less up-to-date on the security risks of new technology is a dangerous combination. Here's a quick roundup of the newest scams targeting seniors with grandchildren. 

 

Great Compliments for the Privacy Professor

 

I was just named the #9 top information security executive and expert to follow on Twitter.

 

InfoSec also recognized me as one of the Top 5 Female InfoSec Leaders to follow on Twitter.

 

If you're not already following me on Twitter, please do. I'm @PrivacyProf.

Privacy Professor on the Road

I love traveling the country and beyond to raise awareness of data security and privacy. Following is my spring and early summer schedule. If you're in the area, stop by to say hello!

 

May 1: Presenting a session about privacy auditing and metrics at the ISACA North America CACS conference in Las Vegas

 

May 12: Conducting a workshop for Medical Device Security and Privacy at the 10X Medical Device Conference in Minneapolis

 

May 19: Presenting a HIPAA session at the Long Term Care Solutions Summit in Kansas City

 

June 16: Providing the keynote about privacy and the Internet of Things at the International Information and Computer Security Conference in Bogotá, Colombia 

 

August 19: Providing a session called "Cybersecurity & Business Data Privacy" at the IT Service Management Leadership Forum in Scottsdale, AZ

 

October 16 & 17: Providing a keynote at the Australian Information Security Association's National Conference in Melbourne, Australia. 

Need Help?

 

If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my Compliance Helper site or get in touch with me; I would love to help you!

You Have My Permission to Share

 

I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along.

 

Source: Rebecca Herold (a.k.a. The Privacy Professor), privacyguidance.com, rebeccaherold@rebeccaherold.com.

Graduation is such a thrilling time for young people and their parents, teachers and mentors. This photo was taken when I got my Masters degree a few (er several) years ago. If you have a graduate in your midst, there's plenty of sage advice I'm sure you're anxious to impart. I hope protecting themselves and their information is a part of the discussion!

  

Have a blessed Spring and fun, but safe, graduation parties!

  Rebecca
Rebecca Herold, CISSP, CIPM, CIPP/US/IT, CISM, CISA, FLMI 
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564