Bet Your Bottom Dollar
Have you heard the saying "No wife can endure a gambling husband...unless he's a steady winner?"

Although tongue-in-cheek, the adage makes an important point: to most people, risk is no big deal when the rewards are great.

And at this stage in the game - when rapid innovation and connected technology is heaping rewards at the feet of public companies, for-profit entities, politicians, government agencies and even consumers - we've become somewhat comfortable gambling with our privacy.

Read on for some examples... 

Robot Vacuum May Sell Your Home's Blueprint

Is skipping this household chore worth the risk?

Part of a robotic vacuum's appeal is its ability to learn. Collecting data as they clean, these "smart" vacuums find out where your walls and furniture are so they can avoid knocking into obstacles and become more efficient.

But the reward of an effortlessly clean house comes with a noteworthy risk: that mapping data could soon be for sale to the highest bidder.

In its exploration of the possibilities, The New York Times offered this example:

But the data, if sold, could also be a windfall for marketers, and the implications are easy to imagine. No armchair in your living room? You might see ads for armchairs next time you open Facebook. Did your Roomba detect signs of a baby? Advertisers might target you accordingly.

And who else might want access to this information? On its own, location data pinpointing your couch may not be all that compelling. Combine it with other data picked up from your digital breadcrumb trail, and any number of big-data analytics assumptions could be made about your income, your lifestyle and your daily patterns.

HEDGE YOUR BETS: The makers of many Internet-enabled gadgets say they will not sell data "without the informed consent" of customers. Make sure you are actually informed on what that "consent" truly means before plugging any Internet of Things (IoT) devices into your life. If you want to use devices that lack privacy assurances, turn off the data collection and sharing actions in the device's settings.

BTW: I have a vacuuming robot, but it is not "smart." Rather than map my house, the robot simply turns when it bumps into something. So, there is a way to have an effortlessly clean house without the risk of data collection -- just get yourself a "dumb" vacuum robot!

Digital Assistants May Share Your Conversations with Developers

Are you sure no one's listening?
Owners of digital assistants like Amazon Echo and Google Home like to comfort themselves with the "fact" their devices only listen when asked. But, as we've seen in numerous circumstances, listening (and recording) can be unintentionally triggered - by a child, a visitor to the home or even a TV news report. What's more, the devices have to be listening at all times... how else would they hear the trigger word?

So what are Amazon and Google doing with those recorded conversations? Where do recordings prior to the triggers get stored? How quickly are they deleted? What proof do the providers offer to demonstrate their policies?

One thing's for sure, Amazon, Google and other Internet powerhouses will evolve their use of the voice data over time. For now, we know they are already sharing some of it with app developers of unknown legitimacy. (Thanks to Faith Heikkila for this pointer!)

HEDGE YOUR BETS: In addition to muting your device when not in use, you can also delete old recordings. Amazon makes this pretty easy to do in its Amazon Echo settings. Google Home also offers a process to delete recordings.

Promotions In Your Physical Mailbox May Be Worse Than You Think

Does that USB card contain marketing? Or malware?

To spice up their direct mail campaigns, marketers are sending USB thumb drives to prospective customers through the mail. Recipients, intrigued by the mystery of what could be on the devices, pop the thumb drives into their computers to learn about products, services and other enticing offers.

But marketers aren't the only ones that could benefit from insatiable consumer curiosity. Fraudsters, too, know these captivating gadgets are difficult to resist.

As one personal security advocate points out, these USB marketing campaigns may be inadvertently "training" consumers and executives to insert strange gadgets into their computers. (Thanks to my friend Chick for this pointer!) It's not difficult to imagine a well-financed fraud ring loading a virus onto a bunch of these storage devices and distributing them via nefarious direct mail campaigns disguised as legitimate marketing. Or a small-time crook replacing a legitimate device with a nefarious one he spots in the mailbox of a foe or targeted victim.

Of course, use of the postal system wouldn't be entirely necessary. There have been cases of criminals planting infected USB drives in parking lots, malls and other places. Good Samaritans wanting to get the devices back to their rightful owners insert them into their computers and bam! Infected.

HEDGE YOUR BETS: Use caution (and anti-malware tools!) before putting anything you didn't purchase yourself into your computer. USB cards, web keys and thumb drives can all contain malicious code or viruses. The reward of satisfying your curiosity is hardly worth the fallout of a computer virus.

MORE RESOURCES:  Check out my friend Scott Wright's Honey Stick research looking at infected USB tactics. 

UPDATE: Lottery Scammer Pleads Guilty to Rigging the Game

Cyber security insider faces 25 years in prison

A couple years back, I shared the upsetting news that a cyber security executive with the lottery in my neck of the woods was accused of stealing. Prosecutors (in what ultimately became five states) said he installed malicious code in lottery computers that would allow him to predict the winning numbers.

After many years of denials, he finally admitted his role in the scheme - one that would have made him $2 million richer had he gotten away with it. Even more troubling, the lottery for which this scammer worked has continued to suffer from theft by retail employees stealing lottery tickets and others making fraudulent claims of lotto winnings.

Although there are numerous take-aways from this incident, one of the most important is the risk of internal threats. The case serves as one more reminder of how critically important it is for organizations to create, maintain and continually upgrade internal controls.

It's really important to ensure appropriate monitoring is in place for those with access to systems and data. Separation of duties is an important best practice that prevents rogue employees from rigging systems in their own (or a loved one's) favor.

HEDGE YOUR BETS:  Not all insider threats are rooted in malicious intent. Workers with authorized access to sensitive information are human. As such, they make mistakes. When giving personnel access to data security and privacy controls, it is imperative other controls exist to ensure trusted access is not exploited.
When the Lights Go Out
Citizen access to electricity is vulnerable
Anything connected to the Internet is vulnerable - anything. That extends to encrypted documents, biometric profiles, home security systems... and our nations' power grids. 

In June, two security firms released warnings about a virus built to take down computers that control electrical substations and circuit breakers.

Part of the problem is many of these systems operate on outdated and difficult-to-patch technology.

What's the big deal? Well, according to The National Interest, "a virus that aims for substations and circuit breakers could turn off power, create rolling blackouts or physically damage equipment on the grid." 

Worse, many of the world's power grids operate on similar or exactly identical systems, making them vulnerable to repeat or copycat attacks. Once cyber crooks learn how to take down one, they may be able to take down all.

HEDGE YOUR BETS: Let your legislators know you are concerned. It often takes action by government agencies to shine a bright-enough light on some of these vulnerabilities. 

MORE RESOURCES: Check out these reports from a privacy group I led for the National Institute of Standards and Technology (NIST) from 2009 through 2016. We spent years, working alongside a dozen other cyber security groups, researching the vulnerabilities and risks to the U.S. energy ecosystem so we could provide sound guidance and recommendations. 

Fresh Phish
Real-life examples of email phishing attempts  
Take a look at the emails below I've received in the past few weeks. They look pretty real, don't they? Each is a phishing attempt, designed to inspire my click, download or mouse roll-over (yes, you can get a virus simply by rolling over a malicious attachment!)

Can you spot the red flags in these phishing attempts? Drop a line and let me know what you see! Some are very apparent; others are fairly tricky.

[I looked up the IP address in the properties of the email above and learned it originated from Bulgaria! I was even able to triangulate the exact location, along with a handy-dandy map to make it easy to get to them!]
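The origin lookup described above starts from the Received headers of the message. Each mail server that handles a message prepends its own Received header, so the bottom-most one is closest to the sender, and only the header added by your own provider can be trusted not to have been forged by the sender. The following Python script is an added example (not from the newsletter, and not the tool the author used): it walks the Received chain of a constructed sample message, skips internal RFC 1918, loopback and link-local addresses, and reports the first external address as the likely origin. The sample message and its addresses (RFC 5737 documentation ranges plus one private address) are constructed for illustration; geolocating the resulting address is a separate lookup not performed here.

```python
import email
import ipaddress
import re

# Constructed sample e-mail, not a real phishing message. The headers are listed
# newest-first, as a mail client shows them: the top one was added by the
# recipient's own server, the bottom one by the first relay near the sender.
SAMPLE_RAW = """Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.com with ESMTP id abc123; Tue, 1 Aug 2017 09:00:00 -0500
Received: from relay.example.org ([203.0.113.9])
\tby mx.example.net with SMTP; Tue, 1 Aug 2017 08:59:58 -0500
Received: from WIN-PC (unknown [192.168.1.23])
\tby relay.example.org with ESMTPA; Tue, 1 Aug 2017 08:59:50 -0500
From: "Account Services" <notice@example.org>
To: victim@example.com
Subject: Your account requires verification

Click the attachment to confirm your details.
"""

# Dotted-quad IPv4 literal, optionally wrapped in the square brackets that
# Received headers conventionally use.
IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")

# Addresses that cannot be an Internet origin: RFC 1918 private ranges,
# loopback and link-local. Checked explicitly rather than via
# ipaddress.is_private, because that also flags the RFC 5737 documentation
# ranges used in the constructed sample.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip):
    """True if the address belongs to a non-routable or local range."""
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw_message):
    """Return one list of IPv4 addresses per Received header, newest hop first.

    Only the 'from ...' part of each header (before ' by ') is examined, so the
    addresses are those of the sending side of each hop.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())          # join folded header lines
        from_part = unfolded.split(" by ", 1)[0]   # sender side of this hop
        ips = []
        for text in IP_RE.findall(from_part):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:                     # e.g. 999.1.1.1 in a HELO name
                continue
        hops.append(ips)
    return hops


def originating_ip(raw_message):
    """Return the first external address walking from the oldest hop upward, or None.

    The oldest hop (last Received header) is usually the sender's own machine,
    which often carries a private address; the next external address up the
    chain is the one a mail investigator would look up.
    """
    for hop in reversed(received_hops(raw_message)):
        for ip in hop:
            if not is_internal(ip):
                return str(ip)
    return None


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_RAW), 1):
        print(f"hop {n}: {', '.join(map(str, hop)) or '(no address)'}")
    print("likely origin:", originating_ip(SAMPLE_RAW))
```

For the sample above the script reports 203.0.113.9 as the likely origin, since the bottom-most hop (192.168.1.23) is a private address inside the sender's network. Headers below the one added by your own provider are written by the sender's side of the chain and can be fabricated, so treat the result as a lead for triage rather than proof.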


Alexa Coming to a Hospital Near You?

Many industries are attracted to the ease and efficiency promised by voice-enabled digital assistants, like Alexa. This includes health care. Unfortunately, devices like this currently lack the security and privacy controls to satisfy HIPAA and other legal requirements.

To be sure, there is a lot of potential for Alexa to improve care and treatment. Just one example is a skill (that's what Amazon calls its apps for Alexa) to provide surgeons hands-free access to a complete list of tasks and surgical safety checklists in the operating room.  

But, for every reward, there is risk. Cyber and physical security experts will have their hands full with the integration of digital assistants in medical environments.

I recently co-chaired and moderated an excellent online seminar with multiple discussions on this topic. The recording is available online:

Please also check out the resources I provided to seminar attendees. 
Privacy Professor On The Road & In the News

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

September 13, 2017: Giving keynote address on preventing medical device nightmares in the Internet of Medical Things and facilitating a roundtable discussion at SecureWorld Detroit
September 21, 2017: Giving webinar, "Don't Let Third Parties Bring Down Your Business: Effective Vendor Management," hosted by AHIA
September 28, 2017: Giving webinar, "Using the ISACA Privacy Principles to Perform a GDPR PIA," hosted by ISACA. (More details will be added soon.)
October 11, 2017: Providing private executive briefing on healthcare security and privacy in the Internet of Medical Things in northern Rhode Island.

Privacy Professor In the news...


Healthcare Info Security

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio in June. I enjoyed discussing Russian hacking, "digital exhaust," and the need for better security in our election systems. (I'll also be on the show this morning, so watch my YouTube channel for an upload of today's episode soon!)

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

Fingers crossed!
My son standing 1,353 feet above Chicago in the clear Skydeck Ledge at the top of the Willis Tower.
(Talk about a gamble!)
We live with risk in all that we do. It's a fact of life. But in the case of data security and privacy, ignorance is far from bliss. 

Take the time to be aware of the risks, vulnerabilities and threats you accept as you implement new technologies, buy new gadgets and elect new legislators. Simply knowing the risks that come with the rewards is a big step forward. It will make you stop and consider, is this worth the gamble? It's something we all need to do!

I hope you're having a terrific summer. Talk with you next month,
Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter