'Falling' Into Traps 'Leaves' Unprotected Data Vulnerable
It's easier than ever to fall into data privacy and security snares these days. With new technology at our finger tips promising unprecedented thrills and convenience, we often jump in head first without thinking through all of the ramifications.
Fortunately, more consumers, business leaders and government officials are paying closer attention to the tricks and traps targeting our private data.
Just ahead of the holidays, data transactions inevitably increase. More online shopping, more travel and the injection of more connected devices into our living, working and leisure spaces means greater risk of data compromises. Making matters worse, many people have their guards down against online deception during these times, creating a climate for the perfect data breach storm.
Read on to learn more about some of these vulnerabilities, as well as how to keep your data as private and secure as possible.
|
|
Before You Buy USB Gadgets This Holiday
|
Checking it twice is good advice
Overseas manufacturers of connected devices and other Internet-enabled gadgets are excellent at offering their products for extremely low cost. Cheaply made (and rarely secured), they can sell these items at rock bottom prices, fooling consumers into thinking they discovered a real bargain.
And that's a massive motivator for many shoppers.
Be very careful as you're scouring the Internet for these deals. There are so many ways your data can be exploited by gadgets
that get power from a USB port (e.g., portable speakers,
cup warmers, reading lights, desktop fans). They may be pre-loaded with malware or just so security lax that they attract cybercriminals the minute they are attached to your system. (Researchers recently uncovered
29 different exploits that can be deployed via USB devices.)
WHAT YOU CAN DO:
If you're unsure about a device's security, ask the manufacturer. If they don't respond to your direct inquiry, ask via social media. Sometimes, the public nature of asking via Twitter, Facebook or Instagram gives brands an added incentive to respond. No response still? Do not buy.
And, I always love getting your questions. If you're considering a purchase you feel is questionable, send me a note, and I'll look into it. I may even publish my findings in an coming Tips Message!
|
|
Privacy Hero: Joanne McNabb
|
|
California privacy expert blazes trails for legislation, awareness, rights
As the former chief of the California Office of Privacy Protection, Joanne McNabb has been front and center for some of the United States' most meaningful advances in privacy legislation. She was involved in the first U.S. state breach notice law, SB 1386, which became the de facto model for most subsequent U.S. state and territory breach notice laws. In fact, she wrote the first breach notice ever (before the law had even taken effect). It was for the breach of state employee data that inspired the legislation.
Under her leadership from 2001 to 2012, Joanne's office continued to research consumer privacy issues and weigh in on additional privacy laws for California. Many of these laws became models for other states, and in many ways, federal regulations emerging during that time.
When Joanne became Director of Privacy Education and Policy for the California Department of Justice, she created an entirely new online resource. Yet again, her efforts set the stage for the development of the many important privacy rights, laws and awareness websites and digital resources that exist today.
In 2017, Joanne retired from state service. Today, she is a consultant for California Privacy Consultants, providing a variety of organizations with research and recommendations on privacy issues and practices.
Considering the consumer privacy rights, education and legal protection trails she blazed, Joanne is a privacy hero to so many. The impact of her passion and effort expands far beyond California, throughout the U.S., and in other parts of the world that have often looked to California for examples of privacy education and legal protections.
We want to know: Who is your privacy hero?
Throughout 2018, we'll introduce an individual or team who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply
drop us a note and explain why we need to know your hero.
If you have someone in mind, don't wait; we have just one month left to name another hero!
In the January 2019 Tips Message, we will announce our Privacy Hero of 2018. The hero will receive a token of appreciation and commemoration of outstanding work.
|
|
Don't Be Like Kanye, Use a Strong PIN
|
Dos and don'ts for every smartphone owner
This, of course, is not the first time an individual has "spilled the beans" about his or her password. Remember that man-on-the-street segment from a couple years ago in which the reporter fooled people into revealing their passwords on camera?!?
The incident sent quite a few questions my way, so I compiled the following list of ALWAYS and NEVER for smartphone users.
ALWAYS USE...
- A PIN (even when you have fingerprint or facial recognition enabled; layers of protection are best).
- A PIN you can remember but is not publicly available (e.g. your birthday is NOT a good idea, as most everyone has shared that data broadly).
- As many digits as possible.
- A fresh PIN (change regularly; change Immediately if you suspect someone has access to it).
NEVER USE...
- A repeating number (Kayne's 000000 is a great example of what NOT to do).
- Your phone number, Social Security number, home address or zip code.
|
|
WhatsApp Users (Unwittingly) Pulled Into Facebook Ecosystem
|
With Facebook as owner, WhatsApp becomes another targeting tool
Since the purchase of WhatsApp in 2014, Facebook has left ads out of the WhatsApp user experience. But, that's about to change, writes
TechCrunch's Natasha Lomas:
So WhatsApp's [approximately] 1.5 billion monthly users can look forward to unwelcome intrusions as they try to go about their daily business of sending messages to their friends and family.
[Facebook] is also set to charge businesses for messages they receive from potential customers via the WhatsApp platform.
The original founders of WhatsApp claim to be surprised and disappointed in Facebook's decision to monetize their app. But, considering the $19 billion Facebook invested in the purchase, it's not terribly shocking.
The other non-surprise stemming from the marriage of Facebook and WhatsApp was the intermingling of user data from both platforms. European regulators, which keep a close eye out for "conjoining" of this sort, were not happy and
levied a fine of $122 million against Facebook for misleading them about the possibilities of such data sharing between apps.
ODD PARTNERS IN THE PREVENTION OF ELECTION INTERFERENCE
Facebook has been vocal about its attempts to thwart election interference, but
as the Verge points out, that could be difficult, given one of its corporate "kids" is extremely well-positioned to help the bad guys.
...media companies [with interest in Brazilian elections] are buying large groups of phone numbers and blasting them with anti-leftist propaganda on [WhatsApp]. While it's often discussed as a chat app, WhatsApp has message-forwarding mechanics that strip away the identity of the sender and allow messages to spread virally with little accountability.
|
|
FRESH PHISH: Threats Delivered To My Inbox
|
Real-life phishing and ransomware claims
Every few months, I like to share real-life examples of nefarious emails circulating on the Internet to help readers spot these fakes.
If you receive something like the below, do not be fooled. Although ransomware is very real, messages like this should be seen as precisely what they are -- empty threats.
(
And no, I've not done what is claimed in the threat letter, nor set a password like the one they claim. Hopefully none of my readers has used such an easy-to-guess password either!)
_____________________________________________________________________
|
|
READER QUESTION: Should I try CLEAR to get through lines faster?
|
New York startup promises faster lines in exchange for biometrics
I'll admit to being intrigued by CLEAR, which gets its members through airport security in less than five minutes (currently in 35+ U.S. airports). I've even considered signing up.
However,
with scary new initiatives proposed by many in the U.S. Congress and the White House, I've ultimately decided to wait and see.
The U.S. government, at least for the time being, seems intent on scooping up as much personal data possible. What's most concerning is their plan to pool that data and use the results as a sort of terrorist data bank.
I already have TSA Precheck, which gets me through lines much faster (critical for someone who spends a lot of time in airports). And, TSA Precheck doesn't need the additional biometric and other personal data used by CLEAR. Not to mention, CLEAR is not in most of the airports I fly through.
I don't see the need to give more of my personal data to the government, especially if they plan to use it before there any real rules for its use have been established.
Shaving off a minute or two (and only at some locations) isn't worth the exchange of my biometrics and other personal data -- particularly if it's to be handed over to government agencies and others with undetermined rules for securing it.
Whatever you end up deciding, I recommend reading
CLEAR's privacy policy for more information on how the startup uses, shares and discloses the personal data it collects from members.
|
Where to Find the Privacy Professor
|
|
In the classroom...
After years of
providing a regularly updated set of online employee training modules for my SIMBUS business clients,
and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes.
As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I will host a full schedule of classes
.
Do you have a team or group you'd like to coordinate training for? We can often arrange a discounted price for organizations and associations based on the number you have participating.
Hope to see you in the virtual classroom sometime soon!
**
I also teach CIPM and CIPP/US classes, so if you are interested in those, let me know!**
On the road...
One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Next up...
On the air...
HAVE YOU LISTENED YET?
I'm so excited to be hosting the radio show
Data Security & Privacy with The Privacy Professor on the
VoiceAmerica Business network
. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.
Hear the perspectives of incredible guests as they talk through a wide range of hot topics. We've addressed identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, government surveillance, swatting and GDPR, just to name a few. Several episodes provide career advice for cybersecurity, privacy and IT professions.
In October, we talked at length about voting and elections security. With U.S. elections coming up on November 6 and October being National Cyber Security Awareness month, I answered a wide range of questions received in recent months from Tips readers and show listeners.
OCTOBER ELECTION SECURITY SHOWS
SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.
In the news...
CNBC
Global Business Travel Association
Health Care Info Security
LA Times
Mashable
NIST
The Privacy Advisor
Tripwire
|
|
3 Ways to Show Some Love
The Privacy Professor Tips of a Month is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...
1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.
3) Share the content. All of the info in this e
mail is sharable (I'd just ask that you follow
|
|
|
|
 |
|
View from my 3rd floor office window this past weekend
|
|
This is such a beautiful time of year, especially here in my home state of Iowa. I hope you get a chance to explore the real world this fall. Just be safe as you do, keeping an eagle eye out for those data privacy and security snares.
Here's to a safe, healthy and happy November. Enjoy!
Rebecca
Rebecca Herold, The Privacy Professor
|
|
|
