Archive for the ‘Security or Privacy Initiatives’ Category

Carrots and Sticks! How to improve your security culture …

Posted: November 3, 2018 by IntentionalPrivacy in Compliance, HIPAA - HITECH, Privacy, Security or Privacy Initiatives, Tips, Vulnerabilities
Tags: , ,

Originally written for Third Rock

Sticks

Just like technology controls, administrative controls work better when they are layered. Almost every organization has an administrative control “stick” in the form of policies. The purpose of policies is to explain the rules as well as the consequences if the rules are not followed.

But do the employees really understand what every policy means? Some may be too embarrassed to ask for an explanation if they do not understand a particular policy. Another issue with policies may occur if an employee does not remember what they agreed to five minutes after they handed in their signed policy understanding statement.

Carrots

This is where a security awareness program can help improve an organization’s security culture enormously. It does not have to be expensive to be effective. The program will also be more effective if security awareness training can involve employees. Here are some techniques:

  • Make security training interactive. Use only a small number of PowerPoint slides, tell relevant stories, and keep it short and engaging.

Look for ways to make security important to an employee’s personal life; for instance, show how they can better protect their families online. Employees who practice good security hygiene at home will be better at understanding and implementing security at work.

People learn different ways! The more types of senses used during the training, the better it will be remembered by the audience. Break up the training monotony with focus groups, table-top exercises, and question-and-answer sessions. Instead of having a once-a-year marathon, have sessions monthly or even quarterly. If they are held during lunch make sure you provide food.

There are several places to find resources online. StaySafeOnline.org is one example; they have tip sheets and videos for all age groups and even for businesses. The FTC also offers resources at their Stick with Security blog.

  • Encourage employees to turn in social engineering attempts. Give a small reward, such as a coffee cup, to the first employee who turns in a security issue, such as a phishing email or a social engineering phone call. Maybe your organization will want to stipulate that an employee would be eligible to win a prize once a quarter to give other employees a chance to win. Add the names of each submitter to a list for a prize drawing to be held at the end of the year or at an employee meeting. Send out emails with sample snapshots of the latest attacks, so others can avoid them.
  • Staff are human; if someone makes an honest mistake, reward them for reporting it immediately. The sooner it gets turned in, the faster the issue can be resolved. Of course, the staff person needs to understand what happened and how to avoid it in the future. Organizational controls should also be reviewed to help avoid that issue in the future. Maybe a policy needs to be changed, some staff need retraining, or maybe a technical control can be added to eliminate the issue.
  • Have a process for reporting lost or stolen devices that includes who to contact and how. Decide if the process should include automatic wiping of the device. Make sure that employees are aware of the process.
  • Have a response plan for when a security issue is reported, whether an employee, a customer, a vendor, or a volunteer is the person reporting.. Ensure that a contact is always available for found security or privacy issues.
  • Post a short list of actions for possible security and privacy issues in a prominent place like a break room or a kitchen. Also give the list to employees so they know what to do in an emergency.

Peopleyour customers, your employees, your partners—make a security program work!

October is National Cyber Security Awareness Month

Posted: October 2, 2017 by IntentionalPrivacy in Identity theft, National Cyber Security Awareness Month, Personal safety, Security or Privacy Initiatives, Tips
Tags: , ,

Today is the kickoff for the 14th annual National Cyber Security Awareness Month. Do your part to protect your own and other people’s information. For tips, visit https://stopthinkconnect.org/resources/preview/tip-sheet-basic-tips-and-advice

Getting creeped out by IoT …

Posted: August 8, 2017 by IntentionalPrivacy in IoT, Security or Privacy Initiatives, Theft
Tags: , , , , , , , ,

Common problems with IoT devices include their lack of privacy and security controls and their lack of transparency. “Transparency” in this case means that the end user knows and willingly agrees to how the device operates, especially on their home network.

I have recently been working on building a Raspberry Pi B+ home monitoring system. The Raspberry Pi is a handy little computer board geared to hobbyists or children learning to use computers; more than 12.5 million have been sold. Something that appalled me was the complete lack of discussion about securing the thing in the project plan I downloaded. Before you put any device on your home network, you should—at the very least!—change the default username and password (which for the Raspbian operating system is “pi” and “raspberry”).

Another example comes from the experience of a former co-worker who bought a new refrigerator, not knowing the refrigerator had network capabilities. The refrigerator tried to connect to her network. When she investigated further, the manufacturer said the network connection was used for troubleshooting maintenance issues and installing updates. What could possibly go wrong with a refrigerator that connects to a home network without the owner’s knowledge or consent? It probably has a hard-coded (unable to be changed) default username and password that a hacker could use to cause havoc with that refrigerator. For instance, maybe a hacker could shut the refrigerator off by connecting to it using the default username and password. Depending on when the owner realized that it was not working, an entire refrigerator worth of food could be spoiled. Or maybe they could override the water shutoff for the automatic ice maker, resulting in water all over the floor. It could also provide an entry point into the home network. Argh!

Then there’s the iRobot 900-series Roomba, which currently uses a camera and sensors to vacuum a home. It has mapping software that allows the robot to avoid objects in its path, know where it has already cleaned, return to the dock for recharging, and then pick up vacuuming where it left off. Handy!

According to Reuters, a new feature that iRobot is planning to introduce is sharable home maps. While mapping software could bring many benefits to a smart home—such as improved air flow, temperature regulation, and lighting—sharing such data publicly could be a mistake. Even if iRobot only shares with certain companies, what happens if one of those companies get breached? Could such a breach allow a thief access to download your home map to help them decide what to steal from your home?

Recordings from an Amazon Echo—which listens and records supposedly only conversations that have a keyword such as “Alexa” in them—have already been requested as evidence in an Arkansas murder court case.

There are some organizations that are currently claiming to be examining the security and privacy of IoT devices, which include:

  • AV-TEST Institute – you can check out their findings here.
  • I am the Cavalry – a grass-roots organization that looks at the computer security of medical devices, automobiles, home electronics, and public infrastructure here.
  • UL (formerly Underwriters Laboratory) has published UL 2900 ANSI Standard for Software Cybersecurity for Network-Connectable Products. Unfortunately, it costs between $225-250 for a copy of the standard and I cannot find any products that they have certified.

In the first session of the 115th Congress, Senators Warner, Gardner, Wyden, and Daines introduced the ‘‘Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” While this act would currently only apply to IoT devices on government networks, hopefully most vendors would put the same security and privacy features in their consumer products. You can read a one-page summary of the bill here and a full version here.

Thank you Senators Warner, Gardner, Wyden, and Daines. Long overdue!

Lions and Tigers and … Passwords? Oh my!

Posted: August 3, 2016 by IntentionalPrivacy in Identity theft, Privacy, Security or Privacy Initiatives
Tags: , , , , ,

Graham Cluley released an article today called “200 MILLION YAHOO PASSWORDS BEING SOLD ON THE DARK WEB?” about various web sites that have had stolen passwords recently posted on criminal web sites (the “dark web”).

While not really news—new password breeches are revealed quite often—but it brings some questions to mind. How do you know if your passwords have been stolen? And, what do you do about them?

If you haven’t changed your important passwords recently, you could just assume they have been stolen and change them.

Or, you can look up your email address or user name at a site like LeakedSource.com. When you put in a user name or email and click Search, it will show you possible accounts and the types of information contained in their databases for free, but not the actual information contained. You have to pay to see that.

Do you actually need to see those old passwords? Probably not; what you really need is the accounts that were compromised. If you look at those accounts and you have not changed your password in a while, here’s what to do:

  1. Install some kind of password manager on each of your devices, something well known, such as KeePass 2 or LastPass. Come up with a password for the manager that you will not forget. If you forget it, the password probably cannot be recovered (99.99% chance of no recovery). Keep a copy of the master password somewhere safe—your safe deposit box or even in your wallet if you need to. (Note: this may not protect you against family members or friends who want to know your secrets.) If your wallet gets stolen, you only have 1 password to change.

You can download those applications from the following sources. Note: Only download applications from the original site:

Personally, I prefer KeePass, but LastPass is much easier to synchronize between devices because it is web-based. LastPass has had recent vulnerabilities however.

The nice thing about a password manager is that it will autotype your password (unless the username and password are on separate pages, such as some bank accounts and credit card sites use). Even in those case you can drag your username and/or password to the proper place.

  1. Change your important passwords—email, Facebook, MySpace, LinkedIn (for example)—to something at least 15 characters long. Do not reuse it anywhere! A password safe will generate a password for you and you can customize length and character types.
  1. If the site offers some kind of multi-factor authentication (MFA), take advantage of it. Yes, it is painful! But you can often set it so that your devices will remember for at least 30 days (unless you clear your cache).
  1. Do not share your passwords with anyone! Not your spouse, kids, friends, boss, coworkers, or someone claiming to be from Microsoft support.
  1. Last, change your passwords at least yearly. A good day to change them? World Password Day at https://passwordday.org/ celebrates password security on May 5 every year. They have some funny videos starring Betty White! Check them out!

Save your information and your privacy. Practice safe MFA like Betty White!

EFF Privacy Badger browser plug-in

Posted: August 12, 2015 by IntentionalPrivacy in Issues, Privacy, Security or Privacy Initiatives, Social media
Tags: , , , , , ,

The Electronic Frontier Foundation (EFF) recently released a plug-in for Chrome and Firefox called Privacy Badger 1.0. A plug-in is a software module, which adds functionality, that can be loaded into a browser. What the Badger plug-in does is block trackers from spying on the web pages you visit.

Why should you care? Because Big Data companies track everything you do online, and what do they do with that data? One thing they do is analyze data to predict consumer behavior. Here are a couple of articles that explain some of the issues: “The Murky World of Third-Party Tracking” is a short overview, while the EFF has a three-part article called “How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)” that while several years old, is very detailed.

The FTC has gotten involved as well. Here is a link to one of their papers called “Big Data: A Tool for Inclusion or Exclusion?

I loaded the Badger plug-in as soon as it came out, and I am amazed at the number of trackers it blocks (it does allow a few)! One CNN.com page I visited had over a hundred trackers blocked and a Huffington Post page had almost as many. I also run other plug-ins in Firefox (Ghostery, NoScript, AdBlock Plus, Lightbeam).

The Badger icon in the upper right-hand corner tells you how many are blocked.

The best thing about Badger is that it is very easy to use, unlike NoScript.

Give it a try, and let me know what you think.

Being the Change … from the Mouths of Babes

Posted: May 23, 2015 by IntentionalPrivacy in Security or Privacy Initiatives, Tips
Tags: , , , , , , , ,

Let me tell you about children who are leading changes in a wide variety of areas including education, research on cancer and asthma, and even information security and privacy. It was eye-opening to me because many people—including me!—discount discoveries made by children because they are “too young” to add significant information to a dialog. What they could add—if we give them a chance—is a fresh perspective.

I recently had the opportunity to attend an information security keynote presentation given by Reuben Paul. I attend many security events every year, so that might not seem so unusual, except that this amazing young man is only nine years old. He gave his first information security presentation Infosec from the Mouth of Babes at the 2014 DerbyCon conference in Kentucky at the age of eight, and he has given many presentations since then. Here is his story. His father, Mano Paul, is an information security trainer and consultant.

Reuben’s talk at DerbyCon discussed three topics:

  1. Why should you teach kids about Information Security?
  2. How can you teach kids about Information Security?
  3. What can kids teach you about Information Security?

Reuben’s advice at DerbyCon? “[Parents and educators should] teach … kids to use [technology] safely and securely.”

Many grownups do not have the level of understanding of privacy and security that Reuben does. How did Reuben gain that understanding? Reuben credits his parents and his school for being supportive, but some credit belongs to Reuben. He imagined how children could participate in information security and privacy, and insisted on being heard. That takes, well, imagination as well as persistence.

Then I started looking at other amazing children. I found a section on TED Talks called “TED under 20.”

One of the first videos I saw was called Science is for everyone, kids included. The video tells the story of neuroscientist Beau Lotto working with a class of 25 eight- to ten-year-old children from Blackawton Primary School, Blackawton, Devon, UK. The children developed an experiment on training bees to choose flowers according to rules. Then the children wrote and submitted a paper, which was published by the Royal Society Biology Letters.

The paper is free to download and fun to read!

The conclusion the Blackawton Primary School children came to was that “Play enables humans (and other mammals) to discover (and create) relationships and patterns. When one adds rules to play, a game is created. This is science: the process of playing with rules that enables one to reveal previously unseen patterns of relationships that extend our collective understanding of nature and human nature.”

Jo Lunt, science teacher at Blackawton Primary School, said, “I think one of the biggest changes I’ve seen is the children’s approach to learning science. They don’t get so hung up or worried about getting the answer right. They think more about the journey they’re on and the learning they’re doing along the way.”

How I harnessed the wind, is the story of William Kamkwamba. Malawi, the country where he lived, experienced a drought in 2001. He and his family not only couldn’t pay for his schooling, they were all starving because their crops failed. He was determined to help his family find a solution for the drought. He found a book in the library with plans for a windmill. At the age of 14, he built his first windmill from scrap yard materials to pump water for crop irrigation and to create electricity.

Award-winning teenage science in action explains the projects of the three teenage girls who won the 2011 Google Science Fair. Lauren Hodge, age 13-14 category, conducted her research on how carcinogens formed while grilling chicken. Shree Bose’s project, the age 17-18 age category and grand prize winner, concentrated on reasons why cancer survivors developed resistance to chemotherapy. Naomi Shah, age 15-16 category, used a complex mathematical model to look at ways to improve air quality for asthmatics.

Children learn very rapidly, and since they have used technology all their lives, they will often master new skills with an ease that will take your breath away. Be the change, mentor change, and be willing to change. Be open to learning from anyone who can teach you!

Got secure messaging? Part 2

Posted: February 28, 2015 by IntentionalPrivacy in Cell phone, First Steps, free speech, Historical and future use of technology, Identity theft, Privacy, Security or Privacy Initiatives, Tips
Tags: , , , , , , , , ,

Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adapter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may not cost, consider whether the messages will be sent using data or SMS? Will it cost you money from that standpoint?

The Electronic Freedom Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.

 

App Name Cost Platforms Protocol Notes
ChatSecure + Orbot Free; open source; GitHub iOS, Android OTR, XMPP, Tor, SQLCipher
CryptoCat Free; open source; GitHub Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messsenger OTR – single conversations; XMPP – group conversations Group chat, file sharing; not anonymous
Off-The-Record Messaging for Windows (Pidgin) Free Windows, GNOME2, KDE 3, KDE 4 OTR, XMPP, file transfer protocols
Off-The-Record Messaging for Mac (Adium) Free Adium 1.5 or later runs on Mac OS X 10.6.8 or newer OTR, XMPP, file transfer protocols No recent code audit
Signal (iPhone) / RedPhone (Android) Free iPhone, Android, and the browser ZTRP
Silent Phone / Silent Text https://silentcircle.com/pricing Desktop: Windows ZRTP, SCIMP Used for calling, texting, video chatting, or sending files
Telegram (secret chats) Free Android, iPhone / iPad, Windows Phone, Web- version, OS X (10.7 up), Windows/Mac/Linux Mproto Cloud-based; runs a cracking contest periodically
TextSecure Free Android Curve25519, AES-256, HMAC-SHA256.

Sources
http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication
http://www.bbc.co.uk/news/technology-16812064
http://www.practiceunite.com/notifications-the-3-factor-in-choosing-a-secure-texting-solution/
http://www.tomsguide.com/us/iphone-jailbreak-risks,news-18850.html

Got Secure Messaging? Part 1 …

Posted: February 25, 2015 by IntentionalPrivacy in Cell phone, First Steps, free speech, Identity theft, Personal safety, Privacy, Security or Privacy Initiatives, Tips
Tags: , , , , , , , , , , ,

When you send a message, who controls your messages? You write them and you get them, but what happens in the middle? Where are they stored? Who can read them? Email, texts, instant messaging and Internet relay chat (IRC), videos, photos, and (of course) phone calls all require software. Those programs are loaded on your phone or your tablet by the device manufacturer and the service provider. However, you can choose to use other – more secure – programs.

In the old days of the 20th century, a landline telephone call (or a fax) was an example of point-to-point service. Except for wiretaps or party lines, or situations where you might be overheard or the fax intercepted, that type of messaging was reasonably secure. Today, messaging does not usually go from your device—whether it is a cell phone, laptop, computer, or tablet—directly to the receiver’s device. Landlines are becoming scarcer, as digital phones using Voice over IP (VoIP) are becoming more prevalent. Messages are just like any other Internet activities: something (or someone) is in the middle.

It’s a lot like the days when an operator was necessary to connect your call. You are never really sure if someone is listening to your message.

What that means is that a digital message is not be secure without taking extra precautions. It may go directly from your device to your provider’s network or it may be forwarded from another network; it often depends on where you are located in relation to a cell phone tower and how busy it is. Once the message has reached your provider’s network, it may bounce to a couple of locations on their network, and then—depending on whether your friend is a subscriber of the same provider—the message may stay on the same network or it may hop to another provider’s network, where it will be stored on their servers, and then finally be delivered to the recipient.

Understand that data has different states and how the data is treated may be different depending on the state. Data can be encrypted when it is transmitted and it can be encrypted when it is stored, or it can remain unencrypted in either state.

Everywhere it stops on the path from your device to the destination, the message is stored. The length of time it is kept in storage depends on the provider’s procedures, and it could be kept for weeks or even years. It gets backed up and it may be sent to offsite storage. At any time along its travels, it can be lost, stolen, intercepted or subpoenaed. If the message itself is encrypted, it cannot be read without access to the key. If the application is your provider’s, they may have access to the message even if it is encrypted if they have access to the key.

Is the message sent over an encrypted channel or is it sent in plain text? If you are sending pictures of LOLZ cats, who cares? But if you are discussing, say, a work-related topic, or a medical or any other confidential issue, you might not want your messages available on the open air. In fact, it’s better for you and your employer if you keep your work and personal information separated on your devices. This can happen by carrying a device strictly for work or maybe through a Mobile Device Management application your employer installed that is a container for your employer’s information. If you do not keep your information separate and your job suddenly comes to an end, they may have the right to wipe your personal device or you may not be able to retrieve any personal information stored on a work phone. Those policies you barely glanced at before you signed them when you started working at XYZ Corporation? It is a good idea to review them at least once a year and have a contingency plan! I have heard horror stories about baby pictures and novels that were lost forever after a job change.

Are you paranoid yet? If not, I have not explained this very well!

A messaging app that uses encryption can protect your communications with the following disclaimers. These apps cannot protect you against a key logger or malware designed to intercept your communications. They cannot protect you if someone has physical or root access to your phone. That is one of the reasons that jail-breaking your phone is such a bad idea—you are breaking your phone’s built-in security protections.

An app also cannot protect you against leaks by someone you trusted with your information. Remember: If you do not want the files or the texts you send to be leaked by someone else, do not send the information.

If you decide that you want to try one or more messaging applications, it is really important to read the documentation thoroughly so you understand what the app does and what it does not do and how to use it correctly. And, finally: Do not forget your passphrase!! Using a password manager such as KeePass or LastPass is a necessity today. Also back up your passwords regularly and put a copy—digital and/or paper—of any passwords you cannot afford to lose in a safe deposit box or cloud storage. If you decide to use cloud storage, make sure you encrypt the file before you upload it. Cloud storage is a term that means you are storing your stuff on someone else’s computer.

Part 2

Happy Data Privacy Day!

Posted: January 28, 2015 by IntentionalPrivacy in First Steps, free speech, Security or Privacy Initiatives
Tags: , , , , , , ,

Data-Privacy-Day-2015roundInternational Data Privacy Day—called Data Protection Day in Europe—is celebrated in the US, Canada, and 27 European countries every year on January 28. It started on January 28, 1981, when the members of the Council of Europe signed the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. In the US, Data Privacy Day is sponsored by StaySafeOnline.

Ever thought, why should I protect my information? Listen to Glenn Greenwald’s Ted Talk on Why Privacy Matters. Not only will it help you understand, but it might galvanize you to action!

Some tips on how to better protect your data include:

  • Use “Do Not Track” on your browser. The Electronic Frontier Foundation (EFF) explains how to turn on “Do Not Track” in some common browsers here. The EFF is a great resource about how to better protect your personal information.
  • Think before you share personal information, whether through email, on social media sites, or over the phone. Once you share information, you have no control over what happens to it. Help your children learn what is okay for them to share.
  • Check the privacy settings on social media sites you use on a regular basis. Twitter, LinkedIn, Instagram, Pinterest, … privacy policies change, which may impact your privacy settings.
  • Protect your computer by keeping your operating system and applications updated. On Windows, Secunia’s Personal Software Inspector helps me keep my applications current.
  • Create strong, unique passwords for every important site. Have a problem remembering all those passwords? Me too! Use a password manager like KeePass or LastPass. If you want to protect your information more, use two-factor authentication for email and social media site log-ins.
    • Help setting up Google’s Two-Factor Authentication
    • Help setting up Microsoft’s Two-Factor Authentication
  • Back up your important data regularly—pictures, documents, music, videos, or whatever is important to you—at least once a week. If you use a physical device, disconnect it between backups. To ensure that your information is safe, use two physical backup devices, alternate them, and keep one someplace safe like a safe deposit box. If you use a cloud backup, use a physical back up as well. Online services can go offline temporarily or even go out of business, while devices break, become corrupted, lost, stolen, or infected by malware. Periodically try to recover documents to ensure that your backups are functional.

Other tips

  • Mozilla’s Get Smart on Privacy
  • FTC’s Consumer Information
  • Check out DuckDuckGo, a search engine that doesn’t track you. Want to see how much tracking happens in your browser? Check out the Firefox Lightbeam addin.
  • Try WhiteHat Security Lab’s Aviator browser. Note: if you use two-factor authentication, you will need to enter a code every time you open up a site that uses it.

Protect Your Personal Information Cheat Sheet

Posted: January 2, 2015 by IntentionalPrivacy in Security or Privacy Initiatives, Tips
Tags: , , , , , ,

The amount of information collected on each of us is growing astronomically every day. What can you do to help protect your—as well as your family’s—information?

Note: This information is meant to be a starting place.Technology is constantly changing, so you must consider whether the information provided is timely and applicable to your situation. In order to adequately protect yourself and your family, you also might need to consult with your attorney or accountant or obtain other professional advice.

What information do you want to protect? Here are some categories you might want to consider:

Ad/cookie tracking Identity information Reputation
Digital identity Intellectual property Social media
Electronic devices Location Trash
E-mail Mailbox Travel
Family Medical information Voting
Financial information Personal safety Work information

Where are the threats to your information? Here are some common threats:

Data loss or theft

  • Backup media
  • Mail/trash
  • Organization w/ your info goes bankrupt
  • Paper
  • Website
 Types of Malware

  • DNS Changer
  • Drive-by downloads
  • Keyloggers
  • Phishing email
  • Rootkits
  • Search engine poisoning
  • Social media malware
  • Torrents
  • Spyware, Trojan horse, virus, worms
  • Zombies/botnets
  • Etc.
Device loss or theft

  • Computer
  • DVD/CD
  • Backup media
  • USB drives
  • Portable electronic devices
  • Laptop, iPad, smart phones, tablets
Natural or man-made disasters

  • Fires
  • Floods
  • Tornadoes
  • Earthquakes
 Personal safety

  • Craig’s List
  • Data leakage
  • Identity theft
  • Social media
ID theft Social engineering / Pretexting

Who do you trust with your information? Here are some organizations that you probably trust:

Accountant, lawyer, other professionals Religious & charity organizations
Employers Schools & Libraries
Financial institutions—banks, credit unions, loans & credit cards, brokerages Retailers & e-commerce sites
Government agencies Social sites
Health care—doctor, dentist, hospital, labs Websites
Insurance companies And …?

Why do you trust people or organizations?

  • Do they have a legitimate need for your information?
  • Do they have policies and procedures to tell you what they do with your confidential information?

When do you trust people or organizations?

  • Do you give confidential information on the phone, in email, texting, or in person?
  • Did you initiate the information exchange?
  • If you don’t feel comfortable, don’t do it.

How do you give people or organizations your confidential information? Think about advantages and disadvantages to giving out your information in person, over the phone, in email or in text messages, on a secure website. If you’re uncomfortable giving out information in a particular situation: don’t do it! Find another way to give the information.

General Tips

  • Don’t leave your electronic devices—cell phones, laptops, tablets, iPads, etc.—unattended in public, including hotel rooms.
  • Don’t ask strangers to watch your things while you go to the restroom or load up on more coffee.
  • Don’t leave your purse or briefcase unattended in public: including shopping carts, restaurants, and coffee shops.
  • Don’t use easy-to-guess passwords: http://www.dailymail.co.uk/sciencetech/article-2063203/This-years-easiest-guess-passwords–discovered-hackers-worked-out.html
  • Don’t post private information on social websites. Remember you have no expectation of privacy on social websites.
  • Data leakage:
    • Be careful about the information you throw in your trash.
    • Collect your mail as soon as possible.
    • Use vacation holds or have a friend collect your mail if you will be gone for more than a couple of days.
    • Do not announce on Facebook or other social media that you are going on vacation. Wait until you get back to share those fabulous pictures!
    • Keep your electronic devices and other valuables out of sight in your vehicle.
    • Read software and services licenses.
    • Use a password or a pin to protect your smart phone.
Older Entries