From this day forward

 

Engaged couples often choose June as the perfect month to seal their bonds. The wedding ceremony, although celebrated by millions before them, is usually a first for the special pair. They enter married life with hope and optimism, undaunted by cautionary tales or well-intentioned advice.

 

 
 

Although arguably less romantic, it's the same kind of naïve positivity consumers, business owners and developers often exhibit when downloading a new app, installing a new software system, using a new smart gadget or engineering "the next great thing." To educate without crushing excitement and innovation is the goal. No one wants to be the killjoy; yet, it's so important to continue to inform decision-makers about the importance of proper security and privacy controls.

 

Read on for some of the latest happenings in the world of privacy... and then share! The best kind of education is peer-to-peer. When people hear a piece of news or a tip from someone they trust, it has a much better chance of going the distance.  


 

You're invited...  

 

Please join me for a webinar I'm doing for ISACA tomorrow:

 
An Effective Framework for Third-party Information Security and Privacy Oversight & Risk Management 
May 28, 2015
12PM (EDT) / 11AM (CDT) / 9AM (PDT)
**Psst...you get CPE credit for attending!**

'Til death do us part...  

 

Internet Hall of Fame inductee and inventor of the uber-secure Blackphone says we are living in the "golden age of surveillance." 

 

What Philip Zimmermann means by this is that western governments are increasingly resembling their eastern counterparts in scary ways. So concerned is Zimmermann about government-mandated backdoors to coded services that he has taken his encrypted email service to Switzerland. The end game? Avoiding compliance with any U.S. orders that may come his way to turn over the private correspondence of his users.

 

If Zimmermann's move seems dramatic or unreasonable, take a read of The Guardian's observation, which I found to be pretty poignant:

 

To the average law-abiding citizen, campaigners such as Zimmermann might seem a little paranoid. Public support for [Edward] Snowden in the UK was tepid compared to Germany, where the realities of living under a police state require no leap of imagination.

 

This is not to suggest the U.S. is not making strides in its attempt to protect innocent citizens from being, in effect, spied on. In a recent ruling, a three-judge 2nd U.S. Circuit Court of Appeals panel found the National Security Agency's practice of collecting data about Americans' telephone calls in bulk is illegal. 

 


To have and to hold... 

 

It was so good to see bi-partisan common sense on such an important issue in my home state's legislature. In May, the Iowa bill to protect the privacy of domestic and sexual abuse, stalking and trafficking victims passed unanimously in both the Iowa Senate and House.

 

The Safe at Home bill got its legs when 18 months ago a woman voiced concerns over an abusive ex-husband having access to her home address. Although victims will still need to register their addresses with the state for contact purposes, this law keeps that information protected from the most heinous of criminals. Now, however, it will be incredibly important for the state to keep that information safe from breaches.

 

What about the offender's privacy, you may ask. What right do they have to the clearing of their records after they have served their respective sentences? Any? Europe thinks they do and has decided to allow its citizens the right to request that Google take down any information deemed to be "inadequate, irrelevant, excessive or outdated." Naturally, this could extend to arrest and conviction histories. Because there are legitimate arguments for both sides of the issue, this is a controversial topic throughout the world.

 

In the U.S., it's much more difficult to have your record cleared off the World Wide Web. In fact, a contingent of Americans is fighting against digital-warehouse websites that publish criminal records, even after they have been purged from government databases.

 

To love and to cherish...


There is a new epidemic victimizing people of all ages and walks of life. It has a rather disturbing name, and one I'm not going to include in this email for fear it will trigger your spam filter. Essentially, it involves the posting of private boudoir-style images and video without the consent of the individuals pictured. Most of the time, it's done as an act of revenge on a former spouse, boyfriend/girlfriend or even a casual acquaintance. Here's one such incident involving an NFL player who shared pictures of a woman online without her permission to embarrass and disgrace her.

 

In another, more sophisticated case, a particularly derelict individual launched two websites. One displayed embarrassing images, and even addresses and names, of victims who were naked or in otherwise compromising situations. The images were provided by ex-spouses or ex-boyfriends (and sometimes girlfriends). The other posed as a security site that would, for a fee, have the image removed (easy enough for him because he was the person behind both sites).

 

The trend is troublesome and yet one more reminder that nothing you share or post digitally is safe or truly private. If you want to participate in the capturing of private images, do so at your own risk. Once they are live on the Internet, there is almost nothing you can do to take them down.


 

Hear more about how to prevent the trend from spreading further as my friend Theresa Payton speaks about it on the Meredith Vieira Show.


 

 

For richer, for poorer...

 

Spying is no longer a hobby of hackers and exes alone. Now we have to be concerned about our own property snooping on us.

 

The Internet of Things (IoT) is creating a world in which everything from our coffee makers to our TVs, our socks to our watches are capable of collecting and sharing information about us - our habits, location - even our conversations. Keep in mind, when surveillance is built in, there is a chance anyone can use it.

 

Our cars are becoming a particularly concerning hotbed for prying eyes. Take the 2016 Chevrolet Malibu, for example. The car includes a "Teen Driver" mode that tells parents how fast their teenager drives and if they have any near misses. While the spirit of the reconnaissance may be well-intentioned, there are obvious privacy concerns. Not to mention, information on your teen's habits and location, if shared via the cloud, becomes vulnerable to compromise.

 

I've written and spoken a lot in recent years on IoT privacy and security problems. Here are just a few news items echoing this sentiment:

For better, for worse... 

 

Apple fans are loyal, and the vulnerabilities below are not likely to move them to the Android side of the fence (Android, itself, has faced scrutiny in recent weeks for users' vulnerability to malicious apps). At any rate, because Apple claims so many users, I thought I'd share a few of the latest threats:

   

Privacy Professor on the Road

I have a growing list of presentation and training events confirmed. Here is the public event where I will be next. Stop by and say hello if you'll be in the area.

  

August 25: I will teach a class on how to perform a privacy impact assessment and implement Privacy by Design within organizations at Data Privacy Asia, Singapore

 

November 9 - 11: I will deliver multiple sessions at the ISACA Euro CACS Conference in Copenhagen, Denmark 
 


 

Reader Questions

 

I was grateful for your tips on securing my home Wi-Fi, but I have a few follow up questions. You recommended putting a wireless router in a secure location. Currently mine is in an upstairs bedroom at the back of the house. Of course, there's a bike path that goes right by that window. Is that okay?

 

Certainly that is better than on the first level or in an area close to the street. Of course, if a hacker is using a war-driving tool stronger than the free ones available on the Internet, your wireless router is likely to be found. That said, most war-driving hackers take the path of least resistance, which means they use the freebies, and they usually stick to the residential streets. 


You also advised never to use default passwords when setting up a wireless router. I'm using mine, but it's something like 20 characters long and a mix of nonsensical letters and numbers. Is this sufficient?

 

No. Even though a default may be long and complex, it's often the same long and complex password used for all other wireless routers of the same type. Change it immediately. Here is just one incident where a default password came back to haunt unsuspecting wireless users. It isn't only average homeowners making this mistake either. In one case, a cash register manufacturer used the same password non-stop since 1990.

 

I recently provided more information about default passwords on the Great Day morning show; you can see it here. 


Questions? Topics?

Do you have any topics you'd like to see me discuss on the Great Day KCWI morning show? Or, any you'd like for me to answer in my next monthly Privacy Professor Tips? Please let me know by sending an email. I've also just added some easy-to-use "?" buttons on my sites you can use! See here and here.


 
 

Need Help?

 

If you need any help with information security or privacy training and awareness, security or privacy activities, or if you must comply with HIPAA and need help (especially important now that the Department of Health and Human Services, as well as all the State Attorneys General, are launching the next round of compliance audits and increasing their compliance reviews, and fines/penalties), please check out my SIMBUS site (http://www.hipaacompliance.org) or get in touch with me; I would love to help you!

  

You Have My Permission to Share

 

I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Feel free to forward this in its entirety to others. If you want to use only excerpts, then please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. **NOTE:** This permission for excerpts does not extend to the images in this email. One of the photos is my personal photo. For the others, we have paid for their use only within this tips message, which you can forward within this message, but cannot remove and use elsewhere. If you want to use them, contact me.

 

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, rebeccaherold@rebeccaherold.com
   


  

My parents on their wedding day at the family farm house.
Channeling the hope and optimism of people in love, we always want to be champions of innovation. New technologies, solutions and processes are what will ultimately propel us to the top of our game.

 

Just as spouses are facing a rollercoaster of emotion, we too must understand the pitfalls. We don't have to take the bad with the good if we know upfront to build in the proper support for security and privacy. Best of luck in each of your pursuits, both personal and professional. And please have a wonderful wedding season!

 

See you next month!


 

Rebecca
Rebecca Herold, CISSP, CIPM, CIPP/US, CIPT, CISM, CISA, FLMI 
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564   

SIMBUS
 Information Security and Privacy Solutions (www.HIPAACompliance.org and more sites coming in 2015)
  
