March Tips: Get proactive. Action steps for everyone.

Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.

Pie for Pi Day! March 14 (3.14)

"Pie for Pi Day, 2011" by djwtwo is licensed

under CC BY-NC-ND 2.0

The Privacy Power Position

Even as threats to our personal security and privacy grow, along with the risks in work environments, everyone has the power to limit risk by taking actions based on increased awareness. Scroll to engage with a collection of simple and effective action steps you can take to guard against a mounting number of privacy and security threats.

Longtime readers may notice the Tips newsletter is now centered on four distinct goals:

Answer reader questions.
Spotlighting people and organizations doing great things in the name of privacy and security.
Sharing fun ways to incorporate privacy and security awareness into a specially designated holiday.
Pointing to our recent podcasts and other easy-to-access resources.

Readers tell us we are on the right track because this is the content they enjoy best, greatest value from, and can often take the information and put it to use within not only their work environments, but also within their personal lives. Do you agree? Drop us a note. We always welcome your feedback.

Have an infinitely great Pi Day on March 14! As someone who has a degree in Mathematics, I always love the opportunity to celebrate a little bit of 𝜋 with 3.14 slices of Raspberry Pi/pie. (Hey, I hear you groaning!)

Rebecca

We would love to hear from you!

Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.

March Tips of the Month

National Organize Your Home Office Day
Privacy & Security Questions and Tips
Data Security & Privacy Beacons*
Privacy and Security News
Where to Find the Privacy Professor

National Organize Your Home Office Day

March 8

Although National Organize Your Home Office Day is celebrated only in the U.S., we believe it should be recognized around the world. Especially as it relates to increasing the security of computing devices and information, everyone should have a marker for these important tasks.

No matter where you are based, consider taking these steps for organizing (and securing) your home office this month:

Even if you live alone, keep all hard copy reports with sensitive and personal data locked up when you are not actually using them. This will keep information safe from anyone who lives with or visits you, as well as anyone who can see in through your windows or into your workspaces during online meetings. It will also help prevent accidental damage or disposal.

Install a personal cross-shredder in your home office (employers may provide this for remote workers). Shred documents with sensitive and personal data as soon as you no longer need them. Do not throw them in the trash prior to finely shredding them.

Keep your work areas free of those fun and commonly used “digital spies,” including voice response devices, smart toys, smart TVs and any other type of device that is or could be continuously recording everything going on in the vicinity.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

We have gotten so many fantastic questions since the last Tips message; thank you. Keep ‘em coming!

Q: Many hybrid workers are going to co-working spaces, cafes and libraries on their “work from home” days. It seems like a great way to work while getting a change of mood and environment. But, are those locations safe from a security and privacy perspective?

A: There are many issues to unpack with this question. But, let’s focus on three primary concerns and action steps you can take to mitigate privacy and security risks.

Check your employer’s work-from-home policy to be sure you are allowed to perform your specific duties in a public area. Most of these policies do not allow working in public areas, or shared-word spaces, for cybersecurity and privacy reasons, as well as other safety and health reasons.

Public places typically have open (unsecured) wi-fi networks, which are very risky. Here again, check your employer’s policy to understand the requirements, such as using a VPN, that have been established for secure use of public wi-fi.

Be aware of the people around you. These days, it’s not unusual for competitors to be occupying the same co-working space. Even if the person at the desk or café table next to you isn’t a competitor, you still want to shield all information you are working with – be it digital, viewable or audible.

Do the following, at a minimum, when working in public or shared spaces.

It is worth repeating: know and follow your employer’s security and privacy policies for working outside of the office.

Use a privacy screen on any computing device that shows sensitive, personal or access-prohibited information.

Do not discuss business activities or information on your phone with others or surveillance devices around you.

If attending an online meeting where you will not be speaking, position your computer screen (with that privacy screen attached) so it is not viewable by surveillance cameras or other people in the room, and listen using earphones.

Do not attend online meetings during which you will be speaking at a shared working space. Attend from a secure room where no surveillance, either from technology or present human beings, can take place.

Do not leave print or other types of viewable information on the table, chair, etc., where others are located. That information could easily be taken, or photos taken of it.

"Busy Coffeeshop" by Kevin H. is licensed under CC BY-NC-ND 2.0

Q: I am sure that my next-door neighbor (who is not on friendly terms with me) is listening in on my phone calls. She claims to be a wi-fi “super guru” and she always knows where I will be; she is always there before I get there! These are not coincidences; these are in locations in cities 50, 100 even 200 miles away. I’ve gotten multiple different cellphones and numbers to try and make this stop. And things are fine for a few days, but then all of a sudden, I can tell she has to be listening in on my calls because of where she turns up, and the snarky things she says to me across the fence about my conversations! How is she doing this? The police said they won’t help me because there is no proof. Any suggestions for how to stop this eavesdropping?

A: Yikes! That must be so upsetting. There are a variety of ways in which cellphones can be hacked. Here, described in a very simplistic way with most of the technical details omitted, are the most common ways:

Installing malicious apps. Through a variety of phishing, social engineering and vulnerable network access methods, the attacker installs the app on your phone and then uses it to hear phone calls, read your text messages, log your keystrokes and perform other privacy-invasive actions.

Actions you can take

Remove all apps you don’t use or rarely use. You can also uninstall and reinstall any apps you want to keep. This helps to ensure you are using the most updated versions.

Replace your phone.

Install strong layers of security on your phone (e.g., multi-factor authentication, encryption) to help prevent eavesdropping from malicious apps.

SIM card swapping. This type of attack has been growing in recent years, victimizing folks from all walks of life. Even Jack Dorsey, the former CEO of Twitter, got hit by this hack, which is accomplished in a variety of ways. One of the most common is a social engineering attack on a telecommunications provider. Hackers pose as legitimate customers and request a replacement SIM card (with the same data preloaded). When the replacement SIM is installed into the hacker’s own phone, it becomes a clone of the victimized customer’s phone.

Actions you can take

Ask your telecommunications carrier to do one (or a combination) of the following three things: Create a new SIM card for you; establish or change your account PIN; and implement multi-factor authentication.

Bluetooth hacking. Hackers use tools to search for vulnerable mobile devices with open Bluetooth connections. When the hacker is close enough to your phone (i.e., 30-50 feet away), they can make a Bluetooth connection to your phone and possibly access your data and info, as well as potentially listen to your calls. Tiny devices also can be placed outside your house to collect data and pass it on to hackers out of Bluetooth range.

Actions you can take

Remove any unusual-looking items stuck to your siding, windows, etc.

Turn off Bluetooth and wi-fi when you are not using them.

Set Bluetooth to invisible mode.

Use a VPN.

Use multi-factor authentication

Create long, complex passwords for all your devices and connections.

Update the firmware on your phone regularly

Don’t use public (open) wi-fi networks

Never type your PIN or password into a screen, site or message from an unknown or unexpected source.

SS7 attacks. Hackers use free and fairly simple tools to exploit known SS7 protocol vulnerabilities in phones. This not only allows them to listen in on calls, but also to intercept/see text messages and track the locations of phones.

Actions you can take

Ask your telecommunications provider about using an authentication method that does not involve the SS7 protocol.

Monitor for threats and use intrusion prevention services tools.

Keep your phone shut off when you aren’t using it. Of course, this means you cannot receive incoming calls, so this may not be an option for many folks.

If you continue to find evidence of your neighbor accessing your phone communications after trying the above actions, consider reporting it to the FBI. The agency has teams that specialize in telecommunications and computer crimes. Usually, they deal with federal interstate issues, but because your circumstance appears to involve a large telecommunications company, they may be interested from a critical infrastructure security perspective.

"Eavesdropping" by A. Strakey is licensed under CC BY 2.0

Q: I’m seeing online messages about a Zoom Meetings class action lawsuit. Everyone is saying they got the same link and are encouraging each other to sign up. This sounds like a phishing attempt. Is it?

A: Good job having your scam radar up and alert! While it does sound suspicious, the messages you are seeing may be legitimate. That said, you should still be cautious of look-alike scams.

There was a settlement in a class action suit against Zoom that is awarding $15, $25 or more to folks who have used Zoom or have created a Zoom account at the Zoom website. NOTE: Many anti-malware tools flag this site as suspicious! My cybersecurity lawyer friends, though, have told me it is legitimate. And, here is the class action settlement agreement. You may be eligible to join the settlement.

If you purchased a subscription to Zoom Meetings between March 30, 2016, and July 30, 2021, you can file a claim for $25 or 15% of the money you spent for your core subscription — whichever is greater. If you did not subscribe to Zoom but used, opened or downloaded the app during that time, you could receive $15 as part of the settlement.

Check your email. You may have gotten a claim number from “NoReply@ZoomMeetingsClassAction.com.” ZoomMeetingsClassAction.com also provides a simple form to submit for your share in the settlement.

"Region 1 Zoom Meeting - Hotwire" by CLender is licensed under CC BY-NC-SA 2.0

Q: I listen to your podcast and find it very useful. I am considering setting up my own email server and want to ensure it is done correctly with the right amount of security. What are appropriate security protocols to consider for personal email?

A: We are big supporters of folks securing their own systems. Fair warning, however… an email server is a significant project to manage on an ongoing basis for most individuals.

The U.S. National Institute of Standards and Technology (NIST) put together a terrific resource, however. Whether setting up your own email server or checking on your email service provider’s security, the NIST Special Publication 800-177 Revision 1: Trustworthy Email can be a big help.

"Spring Break 2012 - NYC" by Otis Blank is licensed under CC BY-NC 2.0

Data Security & Privacy Beacons*

People and places making a difference

The Information and Privacy Commissioner of Ontario developed Privacy Pursuit! Games and Activities for Kids .

The Federal Trade Commission (FTC) has a couple of great new offerings.
They wrote a useful article, “How to tell if someone is using your identity.”

They launched a program to challenge bogus money-making claims used to lure consumers, workers, and prospective entrepreneurs into risky business ventures that often turn into dead-end debt traps. The rule will allow the FTC to recover redress for defrauded consumers, and seek steep penalties against the multilevel marketers, for-profit colleges, “gig economy” platforms, and other bad actors who prey on people’s hopes for economic advancement. They will provide a page to report such incidents.

Microsoft’s new publication, Cyber Signals, aims to defend against cyberthreats with the latest research, insights and trends. We’ve seen some great cybersecurity and privacy information there so far.

The Cybersecurity and Infrastructure Security Agency (CISA) published Free Cybersecurity Services and Tools, a one-stop resource where organizations can find free public and private sector resources to reduce their cybersecurity risk.

The Wall Street Journal published a helpful article, “How to Delete Your Old Posts on Instagram, Facebook and Twitter.”

The Social Security Administration (SSA) distributed messages (see below) explaining how U.S. residents and citizens can more easily access their personal information. The agency went on to encourage people to check their Social Security statement at least once a year for accuracy and to notify them of any mistakes.

Amazon posted about Data Privacy Day (see below) and encouraged users to review and change their privacy settings. Some of you are probably thinking, “What? Amazon is not a privacy beacon!” Well as we indicate in our asterisk footnote each month (look down), we like to celebrate a specific action or product of any person or organization when they do something privacy positive, even if they are doing other things that may not be.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

We continue to get great feedback on the Privacy & Security Brainiacs (PSB) News Page. Thank you!

The PSB News page contains news grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our clients and employees.

Due to the unprecedented volume of IoT and Log4j news of late, we created special pages for each of those topics, as well:

IoT security and privacy news

Log4j security and privacy news

"Sailor helps a high school student, complete cybersecurity challenges." by Official U.S. Navy Imagery is licensed under CC BY-NC-SA 2.0

Where to Find the Privacy Professor

See our new Privacy & Security Brainiacs page for our business in the news! We have added several new items since the January Tips were published.

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of

real-world topics within the data security and privacy realm.

Latest Episode

This episode first aired on Saturday, February 5th, 2022

Khaled El Emam

Synthetic Data: Protecting or Harming Privacy?

There is more personal data than ever before. Such data is being used for medical and other types of beneficial research. However, privacy breaches are skyrocketing as hackers target that data. Synthetic data is created from personal data, while maintaining the statistical properties of personal data, to allow for research. But is synthetic data privacy preserving, or privacy harming?

Next Episode

First airing Saturday, March 5, 2022

David Elfering

Critical Infrastructure Cybersecurity: Over the Road Trucking & Transit

Listen to the world’s most experienced expert on the topic during this thoughtful discussion and examination of cybersecurity within the surface transportation industry. If people are worried now because of shipping and trucking delays and worker shortages, then they should be even more worried about the unseen threats lurking deep under the ground transportation surface. Cybersecurity vulnerabilities could cause many more disruptions!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. March 2022 Privacy Professor Tips. www.privacysecuritybrainiacs.com

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com;

2) making a request directly to Rebecca Herold; or

3) connecting with Rebecca Herold on LinkedIn.

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

If you wish to unsubscribe, just click the SafeUnsubscribe link below.