New Year, New Focus on Privacy and Security

 

Consumers are (rightly so) on high alert. Major data breaches at retailers like Home Depot, mega corporations like Sony Pictures and government properties like the White House have people paying attention to the threat of hack attacks like never before.


With any luck, this increased awareness of privacy and security vulnerabilities created by increased hacking, increased fines and penalties, and all the new risks brought by the "Internet of Things" will inspire change. As we're sitting at the beginning of a new year, perhaps resolutions will be less about fitness and finances, more about passwords and security and privacy protections.


 

This month, the globally recognized Data Privacy Day (DPD), taking place on January 28, will generate even more awareness of the challenges faced by our connected world. I am proud to once more, for the 8th year in a row, be a DPD champion!


How will your organization celebrate? Educational initiatives are one of the least expensive, yet most impactful ways to acknowledge and support the cause. Feel free to use the material from this newsletter to jump-start your own Data Privacy Day activities. 


 

EXCITING NOTE: I'm thrilled to report the governor of my home state, Iowa, has joined the global movement and, at my request, declared Jan. 28, 2015, Iowa Data Privacy Day! (You may consider contacting your state's governor to see if you can initiate a similar proclamation in your area!) Below is a copy of the parchment proclamation with gold seals I was provided in return. This is the 6th year in a row I've gotten one of these beautiful documents from the governor in appreciation for the suggestion for the proclamation. 
 

Three Fast 'Data Privacy Day' Tips 

 

asst-party-hats.jpg

 

In advance of the annual international Privacy Data Day, please share these three action tips to protect the privacy of consumers and businesses:
 

1. Nothing is truly free, including mobile apps. Be aware of the personal information you give mobile app providers. Many free apps sell your information to a wide range of companies, some of which may have malicious intents. Studies have shown most apps do not have many, or even any, security controls built in. Check privacygrade.org to see if the app you want respects your privacy and has security built in.

 

2. Be cautious with new "smart" devices. A wide range of new and unique gadgets -- from socks to smart cars -- connects you directly to other entities (and even to the Internet) to automatically share information about your activities, location and personal characteristics. Before using such devices, make sure you know which data they are collecting, how it will be used and with whom it will be shared.

 

3. Only share personal information with trusted sources. Be extra careful not to share sensitive personal information, such as social security numbers, credit card numbers and driver's license numbers. Don't do business with an entity that does not have a posted privacy notice.

Sony Hack Reminds Employees to Watch What They Write 

For every accurate statement made about the recent Sony Pictures hack, there have been at least two inaccurate ones. Shockingly, many of these errors have been uttered by people in positions of authority, such as politicians and other self-proclaimed cybersecurity "experts."

 

That's why I was so happy to be invited to talk about the incident on the Great Day morning show last week. The full episode is available here.

 

Increasingly, entertainment companies are coming under attack from headline-hungry hackers. Sometimes these criminals have an agenda; sometimes they are simply curious to learn what they can get away with. On Christmas Day, in fact, a hacker group going by the name Lizard Squad generated a complete worldwide outage striking the online services of Xbox One and Playstation 4.

 

However, it's important for people to know every organization is vulnerable to hackers. True, some are much more susceptible because not enough attention nor enough resources are allocated to have an effective information security program. 

 

Just as notable is the fact every person is vulnerable to hackers, as evidenced by the reputation damage suffered by several Sony Pictures executives whose emails were leaked to media. Things you may think are funny or private, when exposed to a broader audience out of context, can paint a public picture of a person you are not. Remember: You should never put anything into an email...especially your work email... you would not want the entire world to be able to see if that message is not encrypted.

 

Make 2015 the year your organization -- and even you personally -- resolves to improve security and privacy efforts. Even small things, such as thinking twice about the content of your work emails, can make a big difference should your organization become the inevitable next victim of a headline-inducing attack. 
 

Who's Using Your Unblocked Wi-Fi Signal? 

toast-confetti.jpg Locking down personal and business Wi-Fi networks with strong passwords became even more critical recently.


 

Consumers in 19 states learned of a new and very interesting use for their unprotected routers. Comcast, an ISP in several areas of the U.S., was building public Wi-Fi hotspots using the unprotected, in-home routers of their customers.


 

So what are the problems with this practice? In addition to the predicted increased electrical costs and slower Internet speeds realized by unwitting Comcast customers, a lawsuit brought by several of them claims the practice also threatens their privacy.


 

Comcast may have headed off much of its legal and PR troubles with clearer communication. As reported by Network World, the lawsuit alleges that adequate disclosure of its public Wi-Fi program has been lacking. It says:


 

Comcast's contract with its customers is so vague that it is unclear as to whether Comcast even addresses this practice at all, much less adequately enough to be said to have obtained its customers' authorization of this practice.


 

Businesses can learn a good lesson from this lawsuit. At least annually, and definitely with every product or service update, be sure to examine your privacy policies and necessary disclosures. Opt-out strategies may seem like an adequate way to protect yourself from customer backlash; however, unless instructions and explanations are crystal clear, they can be meaningless.

 

SPECIAL NOTE: In honor of Data Privacy Day, I will report on my own city's unprotected business and personal Wi-Fi networks on the Great Day morning show, January 28. Tune into KCWI either live on the air or streaming online at 6 a.m. on Data Privacy Day! 

 

Stop Facebook from Using Your Photos in Ads -- Before Jan. 15! 

Not many people are aware that Facebook has reserved the right to place its users' personal images in paid ads inside its network. Those who are aware may be too intimidated by Facebook's ever-changing privacy and other account settings to stop it from happening.

 

If you're one of those individuals, never fear. Changing your account to disallow use of your images in advertising is comparatively easy:

 

First, create an archive of your Facebook posts so you can remove some or all images from your account. Learn how here.  

 

Next, remove any images you do not want used in Facebook advertising from your account.  

 

***Important: You must do this before January 15. After that date, new Facebook rules kick in that allow the social media network to use any of the images you have posted. Going forward, you may want to post photos and videos for only a few days, then delete them. This will keep them from being used from your account. That way you can still share images with others, but you limit the time available for Facebook to use your images.

   

Example of a Popular Phishing Scam

In December, I received the following phishing scam from an entity purporting to be PayPal. 

 


 

I reported the incident by sending an email to PayPal at spoof@paypal.com (something you and your employees, friends and colleagues should get into the habit of doing; it really does make a difference!). If you're unsure where to send suspected phishing emails, check the spoofed company's privacy policy on their website, as there is usually an email address for you to use for such purposes posted within.

 

***REMINDER: Any website that gathers personal information either through a form or through the use of cookies or other webbugs should have a privacy policy posted on that site.

 

How can you spot phishing emails like this one? Consider the following:

  • The domain name does not match the sender's (in this case the sender is "PayPal;" the domain is "payea.com")
  • The IP address noted in the email is from China.
  • Unlike less sophisticated phishing attempts, this one is actually pretty articulate. Often you'll find misspellings, poor grammar and other hints that the language used in the email is not the spammer's area of expertise.

New Year concept with champagne cork in snow  

Terrorists Adding Phishing to Weapons Arsenal

ISIS is apparently using phishing schemes to go after their enemies. As reported by The Register, the terror group has sent "booby-trapped" emails from what appears to be an anti-ISIS group.

 

The impersonating emails ask the recipient to read a report about the actions of ISIS by clicking on a link embedded in the message. Once they do, the victim's computer is instantly infected with spyware, which The Register reporter believes terrorists are using to identify the precise location of its enemies and then target their victims. Iain Thomson writes:

 

Imagine a person regularly using a cafe for web access; if ISIS can map the cafe's network address to its physical location, it will know exactly where that person is when he or she switches on their laptop.

 

Scary stuff. 

 

Bloggers Targeted by Malware Campaign

The Hacker News recently broke a story about the "SoakSoak" malware infection of more than 100,000 blogs. Each hosted by Wordpress, a popular open source blogging service, the infected blogs caused users to inadvertently download malicious files on their computer systems.  

 

Gizmodo believes the source to be Russian  and also says the attack could have been prevented. Kate Knibbs writes, "This is yet another stark reminder that ignoring vulnerabilities is an act of hubris that should not be tolerated."

 

If you run a Wordpress site, there are a few things you can do:

  • Check for the presence of malware on your site by using the free Sucuri Malware and Security Scanner
     
  • If you find malicious code, remove it immediately
     
  • Update Wordpress' premium plug-in
     
  • Get behind an effective firewall, such as CloudProxy

 

 

Privacy Professor on the Road

I have a couple of events confirmed, and many being discussed. Here is where I will be for certain in March:

 

March 17: Co-presenting the session, "GAPP vs. Gaps: Managing Enterprise Privacy" at the ISACA NA CACS Conference in Orlando, FL.

 

March 18 & 19Providing a 2-day class, "Conducting a Privacy Impact Assessment," at the ISACA NA CACS Conference in Orlando, FL.

 

A Discount Gift to You!

For a limited time, I am offering several of my information security and privacy tools and products at a 25% discount! See them at www.privacyprofessor.org.

 

 

Questions? Topics?

Do you have any topics you'd like to see me discuss on the Great Day KCWI morning show? Or, any you'd like for me to answer in my next monthly Privacy Professor Tips? Please let me know by sending an email!


 
 

Need Help?

 

If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Department of Health and Human Services, as well as all the State Attorneys General are increasing their compliance reviews, and fines/penalties), please check out my SIMBUS site (http://www.hipaacompliance.org) or get in touch with me; I would love to help you!

  

You Have My Permission to Share

 

I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Feel free to forward this in its entirety to others. If you want to use only excerpts, then please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. **NOTE: This permission for excerpts does not extend to the images in this email. One of the photos is my personal photo. For the others we have paid for their use only within this tips message, which you can forward within this message, but cannot remove and use elsewhere. If you want to use them, contact me.

 

Source: Rebecca Herold (a.k.a. The Privacy Professor), privacyguidance.comrebeccaherold@rebeccaherold.com 
   



 

This is me before a New Year's Eve party a couple of years after I earned by bachelor's degree. At the time, I was teaching 7th - 12th grade math & computing and loving life!
 


 

 

We're off to the start of another year, and this one promises to be a doozy in terms of data and security vulnerabilities - and hopefully stepped-up efforts. 


 

For all you young (and young at heart) folks, consider a career in the information security and privacy field. It's one of the greatest industries to be a part of, and there's something exciting quite literally every day. Women, you may want to consider this scholarship application


 

 

Best of luck with your resolutions and have a very Happy New Year!!!

 

Rebecca
Rebecca Herold, CISSP, CIPM, CIPP/US, CIPT, CISM, CISA, FLMI 
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564   

Email me

  

Logo