Australia Bound!


Because Australia is in my business travel plans this month, I thought a Tips Message themed after the Land Down Under would be fun. So each of the article headers below includes what I understand to be a common Australian slang term (those in the know, feel free to correct me if I got any of these wrong!).



Australia's somewhere I've never visited, and I can't wait to bring you great stories and even greater pictures of the trip next month.


In the meantime, read on for the latest tricks, traps and tips in the wide world of privacy (and enjoy the Australian vocab!). 

Apple's 'Shonky' Data Protection


Shonky = dubious, unreliable


Right now the public is more skeptical about the privacy claims of businesses than ever before. However, that could change if more tech providers engineer their systems to adequately protect the data, security and privacy of their customers.


Apple is taking what may appear to its user base as an important step in this regard (good timing, given the recent negative PR from the iCloud hack of celebrity photos). The tech giant says its new encryption will no longer allow it to bypass a customer's passcode to access data. This includes the data contained in text messages, emails, photographs and more.


Interestingly, CNN reported this encryption not only prevents creeps and crooks from accessing the data from iOS-powered devices; it also makes it difficult for anyone else, including law enforcement, to do the same.


However, there is at least one way police will work around this roadblock. Just as the celebrity-photo hacker gained entry to sensitive photos through iCloud, detectives and other government officials are likely to go the same route. Apple has said it will comply with warrants to turn over information hosted on its servers, which is essentially what iCloud is - a collection of Apple-owned and operated servers.


In another move, Apple has said it is now working with two-step verification to ensure proper authentication of its users' identity. Two-step verification is good, and long overdue. Anyone with information security expertise can tell you that such verification has been recommended for decades. My own personal thoughts? Welcome to the cybersecurity club, Apple; we've been waiting on you for a VERY long time.


All mobile (and now wearable) device users should check to see if their devices are automatically backing up information to a cloud-based server. Often consumers have no idea this is even happening. You may be surprised by the private information about you floating around out there.


If you're looking for tips on how to secure your iCloud specifically, check out this article by Jordon Golson.


'Larrikins' After Even Your Old Email Passwords


Larrikin = mischievous person


Speaking of two-step authentication, the method's use may have prevented another recent popular-brand hack attack. In mid-September, Gmail users were victimized by what appear to be Russian hackers who used malware on personal computers to steal some 5 million usernames and passwords.


This particular attack could have been prevented by what's called two-step authentication. However, reports seem to indicate that a majority of the compromised accounts were outdated, so Gmail's two-step authentication may not have been available to those account holders at the time of setup. And if they were sleeping (never used) accounts, it's not likely the owners paid attention when its availability was announced.


TIP FOR GMAIL USERS: To set up two-step authentication, hover over your profile picture in the upper right-hand corner and click Account, then Security, then choose to Enable "Two-Step Verification." This will prevent anyone (even you) from accessing your Gmail account without a code specific to the device attempting to access it.

Companies 'Chokkers' with Potentially Dangerous Employees


Chokkers = completely full


Threats to data, security and privacy are all around us. Yet not many people consider that the threats may be right under their noses. Insider threat has become such a problem that the FBI and the Department of Homeland Security in the U.S. recently issued a bulletin warning companies about a spike in disgruntled employees stealing company information.


These employees are often at the executive level. Take the former security architect at Home Depot, for example. As pointed out by this Silicon Beat round-up, the executive is right now serving a federal sentence for sabotaging the network of his previous employer, EnerVest Operating. (And we all know what happened to Home Depot!)


Here again, cloud storage may be one technology exacerbating a long-standing problem. According to that FBI bulletin, the theft of proprietary information in many of the insider incidents it investigated was facilitated through the use of cloud storage websites, like Dropbox.


Speaking of Dropbox, I recently had occasion to sign up for a Dropbox account. Although I was not surprised by the tool's invasiveness, I was certainly appalled at how easy it is for the average user to grant Dropbox access to every file on his or her device... without even knowing they did so. Even though I had told the system upon setup of my account that I did not want to share any of my documents, it still searched my computer for images and asked to upload them to its servers.




'Not a Buckley's' We'll Be Attacked by Cyberthieves


Not a Buckley's = no chance of that happening


Revelations about the Heartbleed Bug underscore the importance of being proactive in the security of our connected systems. It's no longer okay to simply 'hope' an attack will not happen. This is especially true for small businesses and other organizations that may consider themselves too far off the radar for hackers to attack.


In fact, it's those smaller systems that crooks are finding so valuable. Because consumers often use the same passwords to access their local community websites, social media accounts and online banking, stealing from the "little guy" can often give a hacker access to the "big guy."


If it's a question of affordability, consider two things: 1) there are inexpensive intrusion detection systems on the market; and 2) what would the cost of an attack do to your organization or to your customers?


'Stickybeak' Apps Threaten User Privacy


Stickybeak = nosey


Not surprisingly, a new report has found mobile apps are failing to provide users with basic privacy protections.


The report's authors put the failures they detected into three basic categories. Sixty percent of the apps they studied did at least one of the following:


  • Did not disclose how they used personal information
  • Required the user to give up an excessive amount of personal data
  • Communicated privacy policies in type too small to be read on a phone's screen


As the Wall Street Journal points out in this blog post, it's not currently required for apps to have a privacy policy. However, we may soon see changes in this area of the law, especially where health apps are concerned. Currently, there are more than 100,000 health-related apps just available via smartphones.


Be mindful of any app that does not include a privacy policy, and train yourself not to just hit "Accept" on those data-gathering permission requests that pop up after you download a new one. You should absolutely understand what you are being asked to give up to take advantage of the app. Is it worth it?

Privacy Professor on the Road

Two events remain on my calendar for 2014. I look forward to sharing with you my 2015 travel plans!


October 16 & 17: Providing a keynote at the Australian Information Security Association's National Conference in Melbourne, Australia.


November 11 & 12: Giving IAPP Foundations and CIPT training in Phoenix.




New Risk Awareness Evaluation Tool!


Over the years, I've seen a great need for organizations to be able to quickly and economically determine the high-level HIPAA compliance risks that exist throughout their organization. I've also done work for many covered entities (CEs) to determine the risk levels of their business associates (BAs).


I've had a vision for being able to provide this help online since 2010. Therefore, I'm really excited to have finally found a great business partner who has been able to create this first-of-its-kind HIPAA Risk Level Evaluator!


For the next few weeks or months (I've not established a set time yet) I'm providing a scaled-back version of it free. I'd love for you to take a few minutes to answer the questions, view the report that is generated and give me feedback. I can then make any tweaks and changes based upon your feedback. 


After this initial free introductory period I will sell it for $295. Please Click Here to be taken to the evaluation. And again, please send me an email to provide your feedback! Plus, if you're curious about the additional features of the retail version, I can describe those to you also.



Need Help?


If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my SIMBUS site or get in touch with me; I would love to help you! And for a limited time, if you purchase any of my new SIMBUS services, simply enter the discount code PRIV20 to get 20% off for life on the software service you purchase.


You Have My Permission to Share


I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. **NOTE: This permission does not extend to the images in this email. They have been purchased with a one-time use license that cannot, unfortunately, be passed to the readers of the Tips Message.** 


Source: Rebecca Herold (a.k.a. The Privacy Professor),



The kids & I swimming with the dolphins in the Bahamas

Christopher Columbus reportedly said you can never cross the ocean until you have the courage to lose sight of the shore. I love that quote not only for its inspiration for travel to parts unknown but also because it sets a tone for improvement -- of one's self, of our organizations, of our innovations.


As you embark on your own journey, prioritize the privacy of yourself and your fellow man. It's a worthy cause and one that needs the world's explorers to push for its protection. 


Be safe, and see you next month!


The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564