Big Risks from Big Names
 
You'll recognize quite a few of the companies, apps and organizations included in this month's Tips message. And that's intentional. 

Many of us place a great deal of trust in well-known brands. A lot of that comes from the pack mentality: "Everyone's doing it. How bad can it be?" A general lack of awareness is responsible for a lot of that trust, too.
 
Read on to be sure you and yours do not fall into the unaware category this summer....

IN THIS ISSUE

pokePokémon GO Craze Opens Android Users Up to Risks
Be careful when catching Pokémon; you could catch a RAT instead
 
Arguably the app of the summer, Pokémon GO was downloaded more than 7 million times in its first week alone. But early Pokémon GO Android users weren't just getting the game. Some were getting a malicious RAT known as DroidJack.
 
This happens when people circumvent trusted app stores to try and get their hands on really popular apps fast. Unwilling to wait for the app to become available in iTunes or Google Play, app users will go on a web hunt for another option. When they inevitably find it, what they've actually found is a faux version of the app created by hackers and infected with a malicious remote access tool (RAT). 
 
What does a RAT do? It gives an attacker full control over your phone; the cybercriminals responsible for the fake app will be able to modify and delete data, as well as track your location and take pictures and videos, lock your screen and other bad things. For more on this, watch our discussion of other Pokémon GO data security, privacy and safety risks on CWIowa LIVE.
 
How can you tell? Check the app's list of permissions. If you see any referencing access to wireless network connections or the ability to view web browsing, you may have an infected app.
 
How can you get rid of it? Check the SHA256 hash of the downloaded APK. The legitimate Pokémon Go APK hash should read 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67.
 
The hash of the malicious APK discovered by Proofpoint reads 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.
 
If you have the malicious APK, uninstall the app immediately and delete the malicious APK.
 
THE TAKEAWAY: Never side-load an app from unofficial markets. Wait for them to be available from sources you know and trust. They have procedures and algorithms that double check the security of apps developers make available through their stores. 
 
appleApple, Facebook Show Privacy Good Faith
Disabled cameras and encrypted conversations in the works
 
In what may be an attempt to persuade business partners and users of their commitment to privacy, these two big names are working on two big enhancements:
 
Apple may soon be able to block your phone: With this new technology, Apple could disable your photo and video recording capabilities. An infrared signal, deployed by Apple and/or its partners, would stop people from making illegal recordings of concert or theater performances, for example. I can see a lot of potential for this in hospitals, schools and other places where the privacy of particularly vulnerable people is paramount. 
 
Facebook testing secret conversations: A would-be feature for its texting app, Messenger, secret conversations would offer end-to-end encryption. The idea is to allow certain messages to be read only on the two mobile devices on which Messenger users are communicating.

hotIt's Hot Out There! Practice Good Personal (Data) Hygiene
Keep grime (and crime) away with these tips

 
What follows is a short excerpt from a pdf I prepared on practicing good personal data hygiene. Want a copy? Just send me a quick email request.
 
Did you know you can remove or correct a lot of your online personal information? Check out this list of tools that can help you do so fairly easily. If you can't visit them all, use at least the first two. (If you're interested, I have a list of 250 sites like these.)
WatchAre You on a Watch List?
Government lists the subject of intense debate
 
In the U.S., which is right now in the throes of a presidential election, that debate has been somewhat ramped up in recent weeks. 

Regardless of the political hot-buttons people press by mentioning government watch lists, there exists a pretty big issue with the lists themselves. And that's the reported inaccuracy of their contents.
 
For its part, the U.S. government's "no-fly list" identifies 47,000 people as suspected terrorists based on what has been described as "vague and subjective" standards. And the list is necessarily secret so there exists no opportunity for a person to appeal his or her inclusion on the list. (Well, there is a process for being removed, but of course, you'd first have to know you were on the list.)
 
Big data analytics and intelligence have their purposes. They also have their failures.
Making assumptions about who to add to the no-fly list based on a set of data created by big data analytics is not always appropriate or even an accurate methodology. If not done correctly, using flawed logic, or bad data sets, this is going to cause problems for many of us down the road. The logic used to put individuals on the no-fly list, and the data used to perform the analytics upon to create the list, need to be reviewed by information security and privacy technology experts. These individuals can help ensure only the appropriate people are added and that those who are not appropriate are removed. They can also help establish methods for ensuring accurate no-fly lists going forward.
 
The right (or wrong) set of purchases, travel itineraries and personal associations could land you on the no-fly list. These may also be the factors helping your bank decide whether or not you qualify for a loan or your insurance company decide whether you're a worthwhile risk.
 
Who you friend on Facebook, the Tweets you like, the apps you download - all of this lumps you into a consumer segment that is being monitored. See below for yet another risk of social behaviors.  
 
THE TAKEAWAY: It's important to be aware of the decisions being made based on personal information. Just as important is talking to your legislators about establishing procedures, validated by privacy and information security technology experts, for detecting and correcting watch-list errors. 
 
 
beforeBefore You Like that Facebook Post, Read This
 
Don't like it, post it or retweet it if you really don't agree
 
So many decisions are being made based on our social behaviors. Every click of your mouse or press of your finger inside a social network is monitored, collected and sold to interested parties. (And this is generally true even if you have "locked down" your networks with various privacy settings!). 

One thing to be especially careful about is reposting stories or rumors that don't have a ring of truth. I can't tell you how often I see someone post a story from satirical magazines, like the Onion, as if it were completely true. 

(Here's a list of global satirical magazines, which you can sort by country. Before believing something scandalous, indicting or otherwise sharing "proof" of wrong-doing or conspiracy theory, please check to see if the story is coming from one of these sites.)
 
Another example is the "warnings" about Facebook that come out occasionally telling people the social network is about to start doing something that will violate privacy, destroy entire profiles or [fill in the blank] by a certain date.
 
Just the simple act of posting this type of content puts you on what I'll call the "gullible list." Scammers, hackers and con artists actually maintain, trade, sell and source lists like this for likely victims. If you have fallen for a fake Facebook post in the past, you're more likely to fall for their particular scam... or so the thinking goes.
 
THE TAKEAWAY: Only post, like, retweet, share and engage with posts from trusted sources. (This does NOT include your friends, as even the smartest among has our gullible moments... and fraudsters are getting really good at making posts that look like they came from your friends!) If you are tempted to post or like something, first visit an accuracy site, like Snopes, to check on the content's validity. 


roadPrivacy Professor On the Road & On the Air
  
 

On the road again 

One of my favorite things to do is visit with leaders in different industries - healthcare to energy and beyond. 
 
This week, for example, I was at the
Internet of Medical Things conference in Princeton, New Jersey (left). I moderated a panel represented by the Department of Health and Human Services Office of Civil Rights (HHS OCR), the Food and Drug Association (FDA), the New Jersey Department of Homeland Security (NJ DHS), the National Institute of Standards and Technology (NIST) and the Institute of Electrical and Electronics Engineers (IEEE).

Below is a schedule of where I'll be over the next few months.

October 24 - 26: (Live Presentation) "Vendor Management," Privacy + Security Forum, Washington, D.C.  
 
November 9 - 11: (Live Workshop) "Going Digital? Think Privacy Impact and Security Design," Data Privacy Asia Conference, Singapore
 
Taking to the air waves

CWIowa Live, a morning TV broadcast, regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes. I will be visiting in-studio again later this month. 

In the news

Princeton Info

COVER STORY: Paging Dr. Privacy : (It's worth noting the article needs a couple corrections. "Compliance Helper" should have been "SIMBUS360;" "Stanford Federal Credit Union" should have been "Principal Financial Group") 










CSO


Healthcare Info Security




Tech Target 
 


Secure World has begun to republish the monthly Tips message. If you happen to miss one or the email filters file somewhere unknown, you might check there (or just give me a shout; I'm always happy to resend.)

Questions? Topics?

Have a topic I should discuss on the CW Iowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!


Me on the farm we had in the early 1990s. That's the tractor we restored and my pal Buster, who lived to 15 years old.
We all have our gullible moments. Maybe it's because everyone else believes. Perhaps it's a result of wishful thinking. Whatever the cause, there is no reason for shame. Just reason for awareness!

If you feel like this Tips message helps you stay aware, share it far and wide. You can also follow me on Facebook and on Twitter for easy-to-share tidbits in between newsletters.  
 
Wishing you a terrific summer!

Rebecca
Rebecca Herold
The Privacy Professor
Need Help?


Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images, some of which are my own personal photos. If you want to use them, contact me.