Weaponizing Your Privacy

So this was the funniest War of the Roses on the Kane Show that I ever heard.

They use the Alexa personal assistant from Amazon (voiceover) to call the cheater.

In this skit, we really see the potential power of these home computing devices.

Alexa hears and knows everything that goes on in the house (including the cheating).

Alexa confronts the cheater and calls him a few choice names for his infidelity.

Alexa punishes the cheater by going online to purchase items with his credit card.

Alexa betrays him by calling his girlfriend and telling her about the cheating.

Cheating aside, maybe this is a great lesson in how we should all be considering our privacy in our homes and on our persons before we install Alexa, Siri, Cortana, the Google Assistant or any other personal or home surveillance systems.

With all the bad actors out there and people that want to steal everything from your money, identity, secrets, and maybe even your wife–these devices are a direct line into your personal life.

This is called weaponizing your privacy!

Tell me, do you really believe that no one is listening or watching you? 😉

Modesty And Privacy Of Body and Information


So modesty and privacy are very important in terms of propriety and security.

Both are intimately connected.

Already as children, we learn not to show or talk about our “privates” to others.

And as adults, we understand that there are certain things about ourselves that we don’t just talk about or divulge to others indiscriminately.

Not being discreet with these, and showing either your private parts or your personal information, can get you in a load of trouble by giving others the opportunity to take undue advantage of you.

Both open you up to be ridiculed or even raped of your person or information identity.

That which is yours to use with others in propriety is instead disclosed, taken out of your control, and used against you.

Security demands modesty of body and of information, and if it is not taken seriously, then no amount of lame covering will keep that which is private from public consumption. 😉

The “Real” OPM Data Breach

A lot has been made, and should be made, of the theft of over 21 million federal employees’ sensitive personnel records and security clearances.

Everyone rightly, although somewhat selfishly, is worried about identity theft and the compromised privacy of their information.

The government is worried about hostile nation states using the pilfered information to bribe or coerce military, intelligence, high-level politicals, and others to turn and work for them or otherwise to use it against them.

But what is grossly missing in this discussion is not what information the Chinese presumably stole and how they will use it against us, but rather what information they inserted, altered, or otherwise compromised in the OPM personnel and security databases when they got root access to them.

Imagine for a moment what hostile nations or terrorists could do to this crown jewel database of personnel and security information:

– They could insert phony records for spies, moles, or other dangerous persons into the database–voila, these people are now “federal employees,” perhaps with stellar performance records and high-level security clearances, able to penetrate the depths of the federal government with impunity or even as superstars!

– They could alter personnel or security records, taking prominent or good government employees and sabotaging them with questionable histories, contacts, or financial, drug, or criminal problems, and thereby frame or take down key government figures, or divert attention from the real bad guys out there and tie our homeland security and law enforcement establishment in knots chasing phony leads and false wrongdoers and villains.

Given that the timeline of the OPM hack goes back to March and December 2014, this was more than enough time for our adversary not only to do to our data what they wanted, but also for the backup tapes to be affected by the corrupt data entering the system.

The damage done to U.S. national security is unimaginable. As is typically the case with these things, “An ounce of prevention is worth a pound of cure.” Instead of investing in security, now we can invest in “credit monitoring and identity theft protection” for a very sparse three years, while federal employees will go a lifetime in information jeopardy, and the federal government will be literally chasing its tail on personnel security for decades to come.

With the price so low to our adversaries in attacking our systems, it truly is like stealing and much more. 😉



(Source Photo: Andy Blumenthal)

18 Million–Change The SSNs


So, this is maybe one of the most detrimental heists of information from the Federal government in history.

It now involves over 18 million current and former federal employees, including military and intelligence personnel.

No getting around it, but we are majorly screwed here–this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out–its people.

Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel–generals, spy masters, political kingpins, and other key decision makers–thereby distracting them from their duties of safeguarding our nation.

This is our new Achilles Heel and overall a security disaster bar none!

Well, we can’t go back and put the genie back in the bottle–although wouldn’t it be nice if such critical information (if not encrypted–already unforgivable) had a self-destruct mechanism on it, so that we could at least zap it dead.

But for the people whose personal identities are at risk–whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised–what can we do?

While we can’t very well change people’s DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling this information in the black markets.

If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records.

This is not rocket science, and certainly we owe this much to our people to help protect them.

Will our government be there for its own employees and patriots? 😉


(Source Photo: here with attribution to Donkey Hotey)

Data 4 Ransom


The future of cybercrime will soon become the almost routine taking of your personal and corporate data hostage.

Once the hacker has control of it, with or without exfiltration, they will attach malware to it–like a ticking time bomb.

A simple threat will follow:

“I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history.”

So how valuable is your data to you?

– Your personal information–financial, medical, legal, sentimental things, etc.

– Your corporate information–proprietary trade secrets, customer lists, employee data, more.

How long would it take you to reconstitute it if it’s destroyed? How about if instead it’s sold and used for identity theft or to copy your “secret sauce” (i.e. competitive advantage) or maybe even to surpass you in the marketplace?

Data is not just inert…it is alive!

Data is not just valuable…often it’s invaluable!

Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction.

When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)

Driving Identity Theft


It’s been only about 4 months since my mom passed, and now my dad becomes very sick from chemotherapy and ends up in the hospital for a week.

His red and white blood counts were extremely low, but thank G-d, the doctors were able to save him.

However, he is in a drastically weakened state and now looks like he will need regular assisted living just to get by every day.

This has been horrible to see someone who has always been so strong, smart, and there selflessly for all of us, to be in this condition.

We found a nice place for him, but even the nicest place isn’t his place and doesn’t allow the independence he (and we all) always cherish.

On top of it, I get a letter in the mail with more than half a dozen tickets on his car.

It’s impossible, because he hasn’t been driving due to his illness.

We run down to check his car, and sure enough someone stole his plates (and replaced them with another set).

They did this to his car that has handicapped tags.

In the meantime, they are driving around through tolls and doing G-d knows what.

The police were helpful–they came as soon as they could–took a report, the plates that were switched onto his car, and dusted for fingerprints.

I will never forget standing there just after my joint surgery–when not three hours before, I thought to myself, maybe things are finally calming down.

Hopefully, the police will catch whoever did this.

In the meantime, I take comfort knowing that G-d is the ultimate police force. 😉

(Source Photo: Dannielle Blumenthal)

Newspaper, Identity Thief


So, true story.

I know identity theft is a serious matter, but really…

I’m heading out of the driveway and I see the newspaper delivery guy just pulling up.

He’s running a little late, but I figure I can still get the paper in time for morning reading on the Metro.

I walk over to him and ask if I can get the Journal that he’s delivering to me.

He says, “No, I only deliver the Wall Street Journal and the Post.”

I say, “Yeah, the Wall Street Journal, can I get it, since you’re running a little late this morning.”

He says, “I’m never late!”–actually, he is, and sometimes doesn’t deliver at all (the other week, I got 3 papers in one day).

I say, “OK, but I can take it from here.”

He says, “No, I only deliver to the door.”

I say, “But I’m right here.”

He says, “How do I know you are who you say you are?”

I say, “I am, and thank G-d, I really don’t need to steal a $2 newspaper from you, Sir.”

He says, “Okay, but I’ll need to see an ID!”

I say, “Are you serious?”

He says, “Yeah,” pulling back to safety the pile of newspapers he is holding in his arms.

Reluctantly, I flip open my wallet and flash my license to him.

Not good enough…he insists I take it out so he can read it.

I finally got the paper, but we wasted what seemed like 5 minutes between the negotiation and proof of identity exercise.

Don’t get me wrong, I appreciate his diligence, but I think this type of scrutiny over access and identity would be better placed squarely on our cyber assets–somewhere where we really need them! 😉

(Source Photo: Andy Blumenthal)

Facebook IPO–Love It, But Leave It


With the Facebook IPO scheduled for this week, valuing the company at as much as $96 billion, many investors according to Bloomberg BusinessWeek (11 May 2012) see this as overvalued.

Facebook will be the largest Internet IPO in history, about 4 times the $23 billion Google was valued at in its 2003 IPO.

Further, Facebook could be valued at offering at 99 times earnings.

This is more than the price earnings ratio of 99% of companies in the S&P Index, yet even with some estimating sales of $6.1 billion this year, Facebook would only rank about 400 in the S&P 500.

True Facebook has amassed an incredible 900 million users, but the company’s revenue growth has slowed for the 3rd year in a row.

Another article in BusinessWeek (10 May 2012) describes a new social networking contender called Diaspora.

Unlike Google+ which is predominantly a Facebook copycat, Diaspora is bringing something new and major to the table–they are addressing the privacy issues that Facebook has not.

Diaspora is a distributed (or federated) social network, unlike Facebook which is centralized–in other words, Diaspora allows you to host your own data wherever you want (even in the cloud).

Each of these independently owned Diaspora instances or “pods” (dispersed, as in the Diaspora) make up a true social “network”–interconnected and interoperable computing devices.

With Diaspora, you own your own data and can maintain its privacy (share, delete, and do what you want with your information), unlike with Facebook, where you essentially give up rights to your data and it can be and is used by Facebook for commercial purposes–for them to make money off of your personal/private information.

When it comes to personal property, we have a strong sense of ownership in our society and are keen on protecting these ownership rights, but somehow with our personal information and privacy, when it comes to social networking, we have sold ourselves out for a mere user account.

As loss of personally identifiable information (PII), intellectual property, identity theft, and other serious computer crimes continue to grow and cost us our money, time, and even our very selves in some respects, alternatives to the Facebook model, like Diaspora, will become more and more appealing.

So with social networks like Facebook–it is a case of love it, but leave it!

Love social networking–especially when privacy is built in–and others don’t have rights to what you post.

But leave it–when they are asking for your investment dollar (i.e. IPO) that could be better spent on a product with a business model that is actually sustainable over the long term.

(Source Photo: here with attribution to Allan Cleaver)


Big Phish, Small Phish

Phishing is an attack whereby someone pretends to be a trustworthy entity, but is really trying to get your personal information in order to steal from you or an organization.

Phishing is a type of social engineering where fraudsters try to deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data. Additionally, phishing emails can contain attachments that infect recipients’ computers with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.

The word phishing alludes to the technique of baiting people and, like in real fishing, fooling at least some into biting and getting caught in the trap. In this type of fraud, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security number, mother’s maiden name, account numbers, passwords and more.

Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information. Spear-phishing is a derivative of this scam that is targeted at specific people, and whaling is when the scam is perpetrated on organization executives or other high-profile targets, which can be especially compromising and harmful to themselves or the organizations they represent.

The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each targeting potentially millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services, with 47% of the attacks.

There are a number of ways to protect yourself against phishing attacks.

  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links; instead go directly to a website by using a search engine to locate it or by copying the link and pasting it into the browser
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with “https”
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information

Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet–hook, line, and sinker.
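As an added illustration of the signs behind several of the items above (the misleading link in item 2, the “https” check in item 6, the unexpected attachment in item 7, and the request for personal data in items 1 and 10), and not code from the original post, here is a small Python checker that scans a sample email for those indicators using only the standard library. The message itself, the `.example` domains, the keyword list and the extension list are all constructed assumptions for this example; it is a reading aid for the advice above, not a replacement for a mail filter.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example (not a real phishing email).
SAMPLE_EMAIL = """\
From: "First National Bank" <alerts@secure-login-update.example>
To: customer@example.com
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>We detected unusual activity. Please confirm your password and
social security number within 24 hours.</p>
<p><a href="http://secure-login-update.example/verify">https://www.firstnational.example/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ
--b1--
"""

# Assumed lists for the example; a real filter would maintain far longer ones.
SENSITIVE_TERMS = ("password", "social security", "account number",
                   "date of birth", "mother's maiden name")
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a>, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _host(url):
    """Lowercase hostname of a URL or URL-like string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_mismatches(links):
    """Item 2: visible text that looks like a URL but points at another host."""
    flagged = []
    for href, text in links:
        looks_like_url = "://" in text or text.lower().startswith("www.")
        if looks_like_url and _host(text) != _host(href):
            flagged.append((text, href))
    return flagged


def insecure_links(links):
    """Item 6: links that do not use https."""
    return [href for href, _ in links if urlparse(href).scheme.lower() != "https"]


def risky_attachments(msg):
    """Item 7: attachments with an executable or doubled extension."""
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().split(".")
        if len(pieces) > 2 or ("." + pieces[-1]) in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def sensitive_requests(text):
    """Items 1 and 10: body text asking for the kinds of data listed above."""
    lowered = text.lower()
    return [t for t in SENSITIVE_TERMS
            if re.search(r"\b" + re.escape(t) + r"\b", lowered)]


def analyze(raw_message):
    """Parse a raw RFC 822 message and return the indicators found, by category."""
    msg = message_from_string(raw_message)
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            collector.feed(payload.decode(charset, "replace"))
    body_text = " ".join(collector.text)
    return {
        "link_mismatches": link_mismatches(collector.links),
        "insecure_links": insecure_links(collector.links),
        "risky_attachments": risky_attachments(msg),
        "sensitive_requests": sensitive_requests(body_text),
    }


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_EMAIL).items():
        print(f"{category}: {hits}")
```

Running it on the sample reports one link whose visible text names one host while the href goes to another, one non-https link, one attachment with a doubled extension, and two requests for sensitive data. Each of those maps directly onto an item in the list above, which is the point: the advice is a checklist a reader applies by eye, and this is the same checklist applied by a script.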

Online Presence, Your Calling Card

In the age when Facebook has surpassed 800 million users, I still often hear people say that they don’t like to join social networks or put any information about themselves on the Internet.

Whether or not their apprehensions about their privacy being compromised are justified, or whether they feel that “it’s simply a waste of time” or that they “just don’t get it,” the impetus for us all to establish and nurture our online presence is getting more important than ever.

In the competition for the best jobs, schools, even mates, and other opportunities, our online credentials are becoming key.

We’ve heard previously about employers checking candidates’ backgrounds on the Internet and even bypassing candidates or firing employees for their activities online.

Numerous examples of people badmouthing their companies or bosses have been profiled in the media and even some politicians have been forced out of office–remember “Weinergate” not too long ago?

Now, not only can negative activities online get you in trouble, but positive presence and contributions can get you ahead.

The Wall Street Journal (24 January 2012) reports in an article titled “No More Resumes, Say Some Firms” that companies are not only checking up on people online, but they are actually asking “applicants to send links representing their web presence” in lieu of resumes altogether.

What are they looking for?

– Twitter Accounts
– Blogs
– Short Videos
– Online Surveys/Challenges

The idea is that you can learn a lot more about someone–how they think and what they are like–from their history online than from a resume snapshot.

Of course, many companies still rely on the resume to screen applicants, but even then LinkedIn with over 135 million members is sometimes the first stop for recruiters looking for applicants.

Is everything you do and say online appropriate or “fair game” for people screening, or is this going over some sacred line that says that we all have professional lives and personal lives, and what we do “when we’re off the clock” (as long as you’re not breaking any laws or doing something unethical) is no one’s darn business?

The problem is that when you post something online–publicly–for the world to see, can you really blame someone for looking?

In the end, we have to be responsible for what we disclose about ourselves and demonstrate prudence, maturity, respect, and diplomacy, perhaps that itself is a valid area for others to take into account when they are making judgments about us.

When it comes to children–parents, beware; the Internet has a long memory and Facebook now has a “timeline,” so don’t assume everyone will be as understanding or forgiving for “letting kids be kids.”

One last thought, even if we are responsible online, what happens when others such as hackers, identity thieves, slanderers, those with grudges, and others–mess with your online identity–can you ever really be secure?

Being online is no longer an option, but it is certainly a double-edged sword.

(Source Photo: here; Image credit to L Hollis Photography)