Photo by new 1lluminati Attribution 2.0 Generic (CC BY 2.0)
Eyes Peeled for
Data Security & Privacy Foolery
April is an apropos month to be on the lookout for "fools" coming for your personal data, money, biometrics and other items of value.

To help, we're providing a mix of physical and digital data security and privacy news, as well as a few practical tips for staying safe. We've designed the content below to be helpful for both personal and business use.

We have also added more mentions of news items this month. We had several readers (Thank you Sue, Pax and Ivan!) write to say they like links out to data security and privacy news. Do you agree? Please let us know.

Use (and share!) the information below to keep those attempting to take advantage of lingering 2020 chaos at bay.
April Tips of the Month

  • Data Security & Privacy Beacons

  • Privacy & Security Tips: How to spot a two-way mirror and back up Outlook

  • Privacy & Security News: Ransomware, Surveillance, Vulnerable Software & More

  • Where to Find The Privacy Professor
Data Security & Privacy Beacons*
People and places making a difference
The University of Michigan’s MORPHEUS technology emerged unscathed from the university's bug bounty effort. DARPA pitted 500+ hackers against this computer chip, and the chip won. Congratulations to all of the engineers and developers who obviously prioritized data security in the design and development of MORPHEUS.

If it works, Rita Personal Data is a great idea. We’ve not actually tested the service, but certainly love what it stands for. Inspired by GDPR, the service promises to find all of a user's data online then enable users to restrict which companies have access. It's difficult to believe a single entity would be able to find every piece of data on an individual, not to mention compel other organizations to pay you for using that data. But the concept is intriguing. Have any of you tried this?

Nicole Nguyen's WSJ article, The Best Password Managers and Security Tips: How to Solve Your Login Problems, stands to help a lot of people. As Rebecca has shared in the past, however, locally stored password managers (those on your own storage drive, not in a cloud) are the most secure option.

The U.S. Federal Trade Commission (FTC) has once again earned a privacy beacon, this time for providing free weekly credit reports during COVID-19. The agency has extended the service through April 2022. Take advantage of this! As the FTC reported, “If you’re feeling anxious about your financial health during these uncertain times, you’re not alone. That’s why the three national credit reporting agencies, which last year gave people weekly access to monitor their credit report for free, are extending that benefit until April 20, 2022.”

Mich Kabay puts out frequent privacy and security reminders through his Facebook page. Check it out. Start with this post about a mailing he received for scammy auto repair insurance.

California officials created the California Privacy Protection Agency Board, a first of its kind privacy board in the U.S. Thank you to each of the appointees for serving in this important and historic capacity:
  • Jennifer M. Urban, Chair
  • John Christopher Thompson
  • Angela Sierra
  • Lydia de la Torre
  • Vinhcent Le

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Photo by Tristan White on Scopio
Privacy & Security Tips
How to spot a two-way mirror and back up Outlook
For Your Physical Privacy and Security...

There's an apparent uptick in reported incidents of hidden two-way mirrors in public bathrooms, dressing rooms, fitness gyms, restaurants and nightclubs... even other people's homes. Here are just two recent incidents...

Sadly, Rebecca has personal experience with this, having discovered such a mirror early in her career at a Las Vegas hotel off of the strip. She was in town to attend an IT audit conference when she found the analog surveillance "device." And, she's not the only one. A Privacy Professor Consultancy client recently shared their story of finding a similar mirror in a vacation home rental and thought it could be a good tip to share here in the Monthly Tips.

Here are a few privacy tips to check for the presence of two-way mirrors.

  • Shine a cell phone flashlight at the mirror. If you can see the light pass through from the mirror side, it is hollow behind.
  • Place a pencil or finger tip up to the mirror. There should be a visible gap between the object and the reflected image. If not, you may be looking at a two-way mirror.
  • Knock on the mirror. A standard mirror should not echo.
  • Check for bubbles. A mirror film is often used to disguise a see-through situation.

To see some of the above tips demonstrated, check out this video.

It's important to keep in mind these tips are far from exhaustive, and new technology will one day (if it's not already) enable the development of two-way mirrors capable of passing these simple tests. Use caution whenever you are in front of a mirror you don't own.

For your Digital Privacy and Security...

Outlook users, take note! Have you backed up your emails lately?

Our business just performed an Outlook backup this past weekend, creating copies of all messages on an external drive dedicated to email. We then deleted all emails older than two years from the Outlook inbox, freeing up A LOT of space.

Besides being a good data hygiene practice (See more about data hygiene in Rebecca’s article referenced later), it also helps your Outlook run much faster with a smaller .pst file (which houses all your emails).
Microsoft has created a set of instructions for making a backup to a local hard drive. Check it out and let us know if you find the process easy to follow.

Photo by Constantin Stanciu on Scopio
Privacy & Security News
Ransomware, surveillance, software vulnerabilities and more
Ransomware News

Cybersecurity firm warns of potential ransomware attack in the near future. CNBC’s Eamon Javers reports on a dire warning from cybersecurity firms that a ransomware attack could be coming soon.

Largest ransomware demand now stands at $30 million as crooks get bolder. Cybersecurity researchers at Palo Alto Networks analyzed ransomware attacks targeting organizations across North America and Europe. They found the average ransom paid rose from $115,123 in 2019 to $312,493 in 2020.

This dangerous ransomware is using a new trick to encrypt your network. Ryuk now has the ability to use a worm-like capability to spread itself to any Windows machine on the same network as the initial compromise.

This company was hit by ransomware. Here's what they did next, and why they didn't pay up. "When it hit, we ran to our server room and data center and started pulling plugs out." How one company was hit by ransomware, but refused to pay up.
Exchange servers first compromised by Chinese hackers hit with ransomware. As if Exchange users didn't already have enough to worry about, they have this.
Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities. Recent dark web postings of data allegedly stolen from healthcare entities show that ransomware extortion threat actors will continue to target healthcare in 2020.
Ransom Paid Just Before Netwalker Gang Disrupted. Client Says Third-Party Administrator Paid for Promise to Destroy Exfiltrated Data

Photo Caption (Star Wars-themed Image Above): "Happy April Fools Day!" by JD Hancock is licensed under CC BY 2.0

Surveillance News

Below are three different views of the same problem: Cameras, sold by startup Verkada, have the capacity for facial recognition, attracting the attention (and the bad deeds) of hackers. The company has reported an attack.

Inside ‘TALON,’ the Nationwide Network of AI-Enabled Surveillance Cameras. Flock has expanded from surveilling individual neighborhoods into a network of smart cameras that spans the United States.

How Many Times are Americans on Camera Every Week? Research found the average American is filmed by security cameras more than 230 times a week, a number that has increased rapidly over the last decade and will continue to do so in the near future.

Tracking the Vaccinated by Name, Race Challenges Privacy Laws. First of all, we strongly support getting vaccinations! So, please do not interpret this as being against fighting the COVID-19 pandemic to make the public safer. However, even with the best programs used to improve and protect the public, privacy issues must be taken into account. A shout-out to Maria for pointing out this article.

News of Software Vulnerabilities

A Hacker Got All My Texts for $16. A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild. According to IBM, the vulnerability is rated 8.8 out of 10 on the CVSS scale, and could allow a remote attacker to execute arbitrary code on the target system. "By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system," the report stated.

Turns Out This Sophisticated Hacking Campaign Was Actually the Work of 'Western Government Operatives.' A sophisticated hacking campaign that was previously witnessed targeting security flaws in Android, Windows and iOS devices is actually the work of “Western government operatives” conducting a “counterterrorism operation,” according to a new report from MIT Technology Review.
Apple Issues Urgent Patch Update for Another Zero‑Day Under Attack. The vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks.


Thousands of UK taxpayers' personal details potentially exposed online through councils' debt-chasing texts. Got a link? Change the last character and bingo, it's blackmail time!

Voting and Elections Security

US military conducted 2 dozen cyber operations to head off 2020 election meddling. Details regarding these operations are scarce given their sensitivity. However, Cyber Command has been public about using its unique authorities to operate outside the US to act against malicious activity.


Woman allegedly made deepfakes to kick rivals off daughter's cheerleading squad. According to law enforcement, a cheerleader's mother sent coaches AI-altered photos and videos of rivals on her daughter's cheerleading squad to portray them drinking, smoking or naked. Lesson: Think twice before believing photos and videos you see online. Deepfakes are becoming easier to make, and the consequences of people believing them could be life-changing to those involved.

Ignore bogus COVID vaccine survey. Scammers are using a new trick to steal your money and personal information: a bogus COVID vaccine survey. 
Photo by Gary Cummins on Scopio
Where to Find the Privacy Professor
Here are just a few of the podcasts and webinars Rebecca has done, and news articles she has written or been quoted in.
Second Annual Los Angeles Cyber Security Summit 2021 - South Bay, April 17, 2021, 9:00am - 12:30pm Pacific Time
In this webinar event, Rebecca will spend 20 minutes discussing current and emerging threats that exist in today’s sophisticated cyber environment, and the technological advancements being made to counter and manage these risks. The discussion will be followed by 10 minutes of open Q&A.

IIA Philadelphia Spring Summit Keynote (online). April 23, 2021. Topic: Security & Privacy Compliance in Work From Home Situations. 
FutureCon Virtual Eastern CyberSecurity Conference CISO Panel, Mar. 31, 2021. Use promo code PANEL to get a complimentary pass.
Webinar: Customer Data Privacy 2021: It's No Longer Just Business, It's Personal Hosted by Spirion, with panelists from Fannie Mae, Kent State University, and The Privacy Professor
Rebecca spoke recently with Corey Munson, VP of PC Matic, on his podcast about work from home security and privacy risks, and some specific risks that IoT devices within home work environments bring to businesses.
Heads Up! Rebecca will be speaking at the NIST Workshop Addressing Public Comment on NIST Cybersecurity for IoT Guidance on April 22 from 10:00am – 4:00pm EDT. Registration is free! See more here
Global Praise for ISACA Webinar: Security & Privacy Compliance in Work from Home Situations The Stock Exchange of Thailand liked Rebecca's webinar so much they created a Thai transcript and posted a 2-part article, along with a PDF of the full transcript.

PRO TIP: Use the translate option in your browser to convert to another language if you do not know Thai.

A couple recent industry articles to which I've contributed thoughts...
Photo by Rainer Puster on Scopio
My Radio Show
If you haven't checked out my radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss a wide range of real-world topics within the data security and privacy realm.

Latest Episode

Fighting US Elections & Campaigns Interference with Cybersecurity with Matt Barrett, co-founder of US CyberDome. Matt previously led the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) program for the National Institute of Standards and Technology.

Next Episode

Debunking the Big Lies about Voter Fraud with Genya Coulter, Polk County Florida Election Clerk for the Supervisor of Elections

Airing first on April 3, 2021.

The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. April 2021 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.