Privacy and Security with Rebecca Herold
Due to the coronavirus pandemic, we’ve rapidly changed the way we work, how we play, and how we’re educated. This sudden shift leaves us and our families exposed to privacy and security risks we previously hadn’t thought about or planned for. Listen up for any blindspots you might have.
Our guest today is Rebecca Herold. Rebecca, also known as The Privacy Professor, has over 25 years of experience in system engineering, information security privacy, and compliance. She has authored 19 books with the 20th on its way. She has been a member of the NIST CyberSecurity IOT Development Team, and was an adjunct professor for Norwich University’s Masters of Science in Information and Security and Assurance Program for 9 years. Today she will share with us her experiences with privacy and security and will also share things for you to keep in mind when using various apps and services.
- [1:06] – Rebecca started out as a systems engineer in 1988 and around 1990 got into system security and established security systems for banks.
- [3:50] – Rebecca created her own consulting company and began teaching as an adjunct professor at Norwich University. Her adjunct professor position helped her learn even more about the practicality and various needs in security.
- [6:40] – When you have a career in which you use technology that is constantly changing, it keeps things interesting. Rebecca has had to constantly adapt and learn.
- [7:20] – Risks don’t go away. You just accumulate new ones that you have to keep addressing. That’s something that many security and privacy practitioners forget. They keep up to date on new risks but sometimes forget the existing ones.
- [9:32] – Privacy tends to be an afterthought and we need to shift our thinking to start setting up security and privacy controls from the beginning.
- [12:30] – Throughout the COVID-19 pandemic, Rebecca has gotten a lot of questions from business owners regarding their employees and how to gain information on them to remain safe and help manage their self-insured expenses.
- [13:40] – Some business owners are trying to bypass doctors and healthcare professionals because they are self-insured. They also want to know where their employees have been to avoid them coming in with COVID-19. These are huge privacy issues.
- [16:24] – “COVID tracker apps” may be used by business owners to try to avoid their insurance rates going up. These examples show the problem with tracker apps not being used transparently.
- [17:01] – There are hundreds of these COVID tracking apps and some were built with privacy and security integrated but many were not.
- [18:24] – Always think about apps and what data they might be collecting.
- [19:23] – Rebecca gives examples of apps asking for information that is unnecessary for tracking COVID-19, such as your exact date of birth.
- [21:42] – There are situations where apps are being portrayed and communicated to users that privacy and security are built in, however a lot of privacy features have been overlooked.
- [22:22] – We need to get this pandemic under control and have insights, but we don’t want to create other problems. There has to be a balance. What can we do to track this but keep people’s privacy safe?
- [23:35] – Always ask yourself why is this information necessary when signing up for various apps and websites.
- [26:62] – If people are asking you for information and it’s not necessary for the purpose in which you are using a service or product, you don’t have to give it to them.
- [29:20] – Social media has a long way to go. They’ve been around a while, but they have to be the “latest and the greatest” to stay in business.
- [30:33] – With so many people working from home right now, people don’t realize that their home environment is much different than the private and secure environment in the workplace.
- [31:40] – Zoom became the go-to site for online education and business meetings, but meetings are not always secure.
- [34:00] – Because you’re participating in a meeting from home, other people involved can see the inside or outside of your home and may use that information maliciously.
- [35:40] – Rebecca shares examples of smart toys and apps being used maliciously.
- [37:50] – In your workplace, there are security measures in place and IT professionals available to make sure things are working smoothly. But that isn’t the case at home.
- [39:01] – Part of Rebecca’s job is to find open access points to demonstrate to clients how this information can be used.
- [41:10] – Rebecca shares the possibility of people accessing baby monitors and home security cameras through open access points.
- [42:39] – With remote learning going on, teachers and students need to have some basic training on privacy and security measures such as multi-factor authorization and understanding devices like Amazon Echo.
- [45:06] – Rebecca shares examples of smart toys and devices that are listening and recording data, even though they are advertised to only respond to key words. These types of devices should be shut off when students are learning from home.
- [46:52] – Social engineering is a big concern with online education and parents need to be aware of possibilities and educate their children. This could include strangers coming into contact through an online video conference or even sharing files.
- [48:34] – Privacy and security is a lot for people to learn in a very short period of time.
- [49:24] – The environment your child is learning in from home should be similar to the environment in their classroom. This is applicable to work-from-home environments as well.
- [50:15] – Rebecca shares an experience with the president of a South American country using video footage from the president’s son with which people could gather many pieces of private information.
- [51:32] – There’s so many possibilities that people don’t think about before they naively show where they’re at.
- [52:51] – When Rebecca shares herself through a webcam in her home office, she uses privacy screens to prevent people from seeing her home behind her.
- [53:40] – Rebecca recommends keeping your webcam disconnected until you need to use it because some apps are given access to your webcam that you may not realize.
- [54:22] – Taking a little bit of precaution will prevent you from someday saying “Why didn’t I just do that?” when faced with a privacy problem.
- [56:09] – Rebecca Herold is currently in the final editing of a new book called Security and Privacy When Working From Home and Traveling, which spans 23 chapters of privacy, security, and compliance risks with real-world examples.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Rebecca Herold on Twitter
- Rebecca Herold on LinkedIn
- Privacy Guidance Web Page
- Privacy Security Brainiacs Web Page
- Privacy Professor Blog
- Shodan Search Engine
- NIST – National Institute of Standards and Technology
Due to the coronavirus pandemic, we’ve rapidly changed the way we work, how we play, and how we’re educated. The sudden shift leaves us and our families exposed to privacy and security risks we previously hadn’t thought about or planned for. Listen up for any blind spots you might have.
Our guest today is Rebecca Herold. Rebecca, also known as the Privacy Professor, has over 25 years of experience in system engineering, information security privacy, and compliance. She has authored 19 books, been a member of the NIST Cybersecurity IoT Development Team, and was an Adjunct Professor for Norwich University’s Master of Science in Information Security & Assurance Program. I’m your host Chris Parker and this is the Easy Prey podcast.
Rebecca, thank you so much for coming on the Easy Prey podcast and sharing your expertise with our audience. Can you give us a little background about who you are and what you do?
Sure, happy to. I’m based out of Des Moines, Iowa. Born and raised in the MidWest my entire life. I’ve worked in the IT space my entire adult career as well.
I started as a systems engineer in 1988 building regions on an IBM 390. Started out on a 370 but it’s a 390 mainframe. Went from there to IT Audit after creating a change control system, and from IT Audit, I recommended it at a Fortune 100 financial and healthcare organization I was working at.
I recommended they create an information security department because of some issues I found around 1990, which is pretty early to be considering security, but it was something that they were concerned with. They said, “Since you spent seven months on this audit, go build it then.” I said, “Okay.”
I got into information security that way, and then 1993, they were hoping to be the first online bank, which if you recall back in 1993, that’s really early when we had dial-up through AOL.
I remember those days.
Yes. Anyway, I was responsible for building the security for that. And then as I was building it, I realized this is a bank and there’s a lot of personal information that’s going to be here, so I did a lot of research.
That time, that meant actually going to a physical library to do it. Discovered the OECD Privacy Principles and I thought, “You know, this is good stuff. We need to put this into our online website.” I had established some good communication with the CEO of this company because he was a runner, and he would come into work between 5:30 AM and 6:00 AM in the morning, and that’s when I arrived too, so I got to know him in the elevator.
I just mentioned, “Hey, I think we also need to address privacy,” because I thought putting that bug in his ear would help him to convince the general counsel to take this on.
The general counsel said at that time, there were no legal privacy reasons to do that. The CEO said since you’re doing security, why don’t you just address privacy too? He probably thought it would be no big deal. That’s how I got into privacy.
I was addressing privacy and security at the same time throughout the 1990s at this large corporation. Left in the 2000s. Started my own consultant business in 2004. I also started teaching as an Adjunct Professor for the Norwich University Master of Science in Information Security & Assurance.
At the same time, that was a good way for a young consulting business that I had to also make income at night by teaching, which I have my Master’s degree in Computer Science and Education. That was right up my alley, but I got involved with it, which I mentioned because I did that for nine years while my students were practitioners out for a wide variety of industries and even the military stationed in active duty and some interesting places.
By being a professor to those types of folks and learning about their actual situations, it helped me learn even more about what’s practical, and not practical, effective, and not, for both information security and privacy.
I’m still running my consulting business in addition to building a SaaS services business with my eldest son who’s 23. And he just got his Computer Science degree, but I’ve engaged him and my younger son, who’s 20, helping me to do experiments literally throughout their entire life doing wardriving. As I’m driving the car, they have their Macbooks opened finding open access points as we went through neighborhoods, so we could use that research in my report and dumpster diving and things like that.
That’s a short history. I’ve been doing a lot of work for NIST, the National Institute of Standards and Technology, since 2009. I’ve been on there two years on their privacy framework development team, been on their IoT Cybersecurity Capabilities team since January of this year. That’s really interesting. Smart Grid Privacy helped establish a lot of stuff there for security and privacy since 2009.
It’s a very wide range of cornucopia, I guess, of activities that I have been doing throughout my career.
Definitely a long and varied experience there.
Yeah. It makes it interesting, though. I love learning new things. I’m sure you probably could relate to this too when you have a career where you’re constantly learning new things because of new technology—it just keeps it very interesting.
Yeah, particularly when you’re trying to keep up. It seems like the last couple of years have been massive in growth in terms of privacy and security issues.
Oh my gosh, definitely. Not only for new types of privacy and security issues, but something I’ve always emphasized—not only to my students, but my clients—you still have the existing risk that existed way back in the ’80s, probably the ’70s, and before that.
That’s something that is an oversight by so many security practitioners in privacy is they start addressing the new risk and forget about those long-existing ones. Those get exploited, and then they have security incidents and privacy breaches occur as a result.
Sometimes the new emerging is the exciting side of privacy security and the old school is not so flashy.
Yeah, not only that, but I think executives—especially I found throughout my career—CEOs read the headlines in the Wall Street Journal every morning or some other type of publication. I know just through the 1990s, the CEO that I mentioned earlier, he would read the headlines, and he would ask me about them in that elevator.
“I read about this problem with regard to security, so what are we doing about it?” That takes the attention of practitioners away from those other things because they have to deal with answering questions from executives about the latest headline issue.
Yeah. And even when you have things—on a previous podcast, I was talking about just the seismic shift that has happened in mid-2020 with coronavirus that it has just shifted the way how so many different things work.
We never expected people to be at home as much as they are and to have this in such a short period of time. The way we work has changed, the way we “don’t travel,” the way our children are educated, all these are suddenly shifting in a way that people—I don’t want to say people don’t have time to think about privacy and security—but I think privacy and security is usually an afterthought when there are these very quick sudden shifts in the way we work.
Oh, exactly, and plus it’s like we need to get something going now. What can we do now to just maintain our business or maintain our schooling? And we’ll worry about security and privacy later. That’s been a problem throughout the history of security and privacy oftentimes, they’re the afterthought or you tack those on at the end. But of course, that’s another lesson throughout the decades. It’s better to build in those security and privacy controls instead of trying to tack them on after the fact.
Yeah, definitely. I’ve done a little bit of front-end websites and dealing with databases. It’s a lot easier to deal with your security when you’re building it from the bottom up as opposed to, “We already built this with that security in mind. How do we now make it secure?”
Yeah, and especially with today’s apps. The mobile apps, once you build a buggy or a vulnerable app and it’s deployed and you have millions of people using it, it’s hard to have all of them replace those unsecured apps with the more secure one after you decided to go back and build in the security and privacy controls.
Or maybe the more difficult position is when you’re Facebook and your business model was built on—I don’t want to say exploiting people’s privacy, but exploiting people’s information—and then you decide you want to pivot and be a privacy company. Well, your business model is built on selling information that you now don’t want to sell—you’re going to have a problem.
Yeah, exactly. Those sources are way out of the barn and way over the hills. Yeah, it’s hard to get them wrangled up again.
Individually, we don’t have the resources of Fortune 500 companies and multi-billion dollar industries. What do we do as consumers or small businesses? How do we deal with this stuff?
Specific to COVID, since we talked about working from home and trying to figure out how to do that in a secure way, but also dealing with a worldwide pandemic, I’ve had some very interesting discussions with not just clients, and I have been a member of Facebook for a long time. You don’t know how dangerous the waters are unless you actually get into the water, right?
I’ve been a member of that for a long time and as a result, I’m in contact with people I actually knew in grade school and beyond. Some of them are business owners or run businesses, and I’ve gotten some really interesting questions about, “We want to know about our employees. We want to know which ones might be infected by COVID,” because one of them self-insures. They self-insure their employees, which means they’re basically paying for their medical bills.
Well, they’re concerned and want to know about this, so they want all of their employees to use a COVID tracking app, so they can then decide about which of those employees should come on-site instead of factory. In factories, some of the people are working very close together. Yeah, we self-insure so we want all of them. We’re requiring all of them to use these COVID trackers so it can help us to manage our self-insured expenses. But another thing they mentioned just really concerned me because they said they also want to do it so they can bypass the HIPAA requirements.
They said that and I didn’t realize what they were saying. Just threw up all sorts of privacy red flags for me because HIPAA is another area. I’ve written a couple of books on HIPAA security and privacy compliance over the years and worked with a lot in healthcare.
That HIPAA only applies to your healthcare provider, which are your doctors, nurses, clinics, and so on, and your healthcare insurers, which are the actual health insurance companies. And then the clearinghouses that deal with managing the data that’s exchanged between the other two entities—very general description there.
But with the self-insurance, the person I was speaking with was saying, “Well, we don’t want to have to deal directly with the doctors and so on because that way, that’s not going to be considered treatment, payment, or operations for them. We’re just getting all the health data directly, so then we can do our own analysis and decide which ones we want to tell to stay at home or even”—this is where big privacy issues come into—“where we can see where they’ve been.”
Maybe they’ve been in a hotspot so we’re going to tell them they better not travel there because they might get fired then, or we will know if there’s somebody in their family, which their health insurance extends to, are doing things that would possibly cause our expenses to go up.
Just listening to that, you can probably see all sorts of privacy issues because my next question is, “Did you tell them that you’re also going to know about where their family members and friends are and what they’re doing…the way you’re doing this?”
They’re like, “Well, we told them we just need to make sure that we know about where they’re at for COVID, but we didn’t get into the details. We don’t want to cause big concerns.”
There’s a lot of organizations that are doing things like that…really are not transparent to those who are using these apps. That’s one problem with it, but then the other problem is for those who are offering health insurance that’s sponsored by an actual health insurance company, they are also using these apps in ways that are trying to help them as the sponsor to also not have their insurance rates go up.
That’s just one example of the problem with these COVID tracking apps, but it’s a huge problem. Just that one problem is huge because there are so many organizations throughout the US—and of course throughout the world—who are trying to figure these things out.
And then you get to the apps they’re using. There are hundreds of COVID tracking apps out there right now. Some were built with security and privacy built in, many were not. You don’t know how many people are getting access to the data that’s collected. You don’t know what data is being collected.
In the very real need to manage a deadly and life-changing (if you don’t die) pandemic, a lot of unsecured apps are being implemented and other types of tracking tools. That’s creating a lot of security and privacy problems as well.
I could talk about this and probably even teach a class in it over a full semester because there are just so many issues involved, and I know in just an hour’s time I can’t get into them all, but hopefully it will help your listeners to start thinking about even just asking, “What data are you collecting through this app and why do you need to collect it?”
Because here in Iowa, just as an example, our governor decided to go with this company that Ashton Kutcher recommended. Now what’s the story behind that? Ashton Kutcher was born and raised in Iowa around the Iowa City area. That’s where the University of Iowa is at. But anyway, he’s here a lot. He loves Iowa, but he recommended this startup to the governor, and of course, the governor said, “Oh, okay. I’ll go ahead and implement this.”
I went out and I was thinking about maybe implementing that app just to see what it asks for. It asked for things that truly are not necessary to track: whether or not you have COVID or have been around others. Just one example, it asked for your specific birthdate. Why do you need to have your specific birthdate to track COVID? Certainly, there are age ranges that can indicate where COVID might be impacting a more susceptible population.
Yeah, your age could impact your behavior or your risk, but knowing the specific day and month is not necessarily relevant to that. It’s not like once you turn 49 on that specific day your risk suddenly doubles.
Exactly, exactly They could have just asked for which of these age ranges do you fall into, and that would be sufficient for the purpose for which that app was created. But then I started looking into it too to see what else was related to it.
It said for privacy, they follow all the Iowa privacy laws, and then they gave a link to the law that they said they followed. I went to that link and it was a link to the Iowa privacy breach notice law. And for your listeners, a lot of privacy breach notification laws don’t establish security requirements for protecting data.
It’s just a notification once it gets breached.
Exactly. It says they’re following this law, but all this law says is a few very specific data items considered to be personal information, and if those are accessed in unauthorized ways then there will be breach notices provided.
It didn’t include a lot of the data they were asking for through this app. Your birthdate wasn’t in there and also other things about what you’re doing with regard to where you work and so on. There are just a lot of situations where apps are being used, and they’re being portrayed and communicated to the users, “Don’t worry. We’ve built these securely. We’re thinking about your privacy.”
But when you start digging into the details, you find out they’ve missed a lot of aspects of securing personal data and using and sharing personal data that creates some very significant privacy vulnerabilities, which makes me concerned. At the same time, certainly, I know from personal experience and having relatives and even a dear neighbor on the other side of my back fence who died of COVID in May, we need to get this under control.
We need to be able to have insights, but at the same time, we don’t want to create other problems while we’re trying to contain this worldwide pandemic. That’s where it truly is a balance between what you can do with regard to data collection and tracking to control a deadly pandemic; while at the same time, you’re not doing things that are going to cause other problems now and for who knows how long for months and years to come.
Yeah, I know. It’s kind of scary. I had interviewed Troy Hunt on a previous episode. He runs Have I Been Pwned, the data breach website. And one of the things he and I were talking about was we always need to be thinking when we’re filling out a form on a website somewhere, or I guess, theoretically, even paper, is, “Why do you need this information?”
Is this data really required? Do you need to know my birthdate in order for me to buy a product from your website? I know you want to put me on the birthday list or the wedding anniversary list, but both of those things become data points for identity theft or accessing bank accounts.
Do I have to provide you my birthdate because I want to buy a pencil? That doesn’t seem to make sense.
Yes. When you’re filling those things out, that’s something to keep in mind. Personally, this is not a new issue, of course, with COVID apps, but it’s something that has been a problem for a very long time.
You referenced earlier to Facebook and how they monetize all that data and so on. Something I’ve advised to my clients and the readers of my privacy tips monthly publication is if you’re using a service or a site and they’re asking you for information that’s not necessary to use that site, you don’t have to provide it. Even if they say it’s a necessary field to complete, you don’t have to give them something accurate if it’s something that does not impact your use.
As an example, I joined Facebook in 2008 or 2009. I’d have to look at the date, but you know how it requires you to put where you’re located? I’ve lived on Elephant Island and Antarctica since 2008 or 2009, at least as far as Facebook is concerned, because they don’t need to know my location in order to have me be able to use Facebook in the way I want to, which is to communicate with others and just see what’s going on.
Of course, that messes with their income, their revenue generation because the ads that other people who live in Des Moines, Iowa, were getting didn’t show up for me. I didn’t see that advertisement but still, the point is if people are asking you for information and it’s not necessary for the purpose for which you are using a service or buying a product, you don’t have to give it to them. Just challenge them on that. Or if it’s online, you don’t have to give the actual information out.
Of course, let me qualify that if you’re using a site that’s like a bank or something that has laws that require specific information to be provided, then that’s a different story. But if it’s just a free site like social media or some silly online quiz to tell you what kind of dog you would have been in a past life, you don’t need to provide actual information to them that truly does reflect your life.
It’s funny because I’ve heard of a couple of stories about that. I have a good friend. When he signed up for Facebook, he was not comfortable with giving them his birthdate so he gave them a different date. And so now, it’s funny because every year, everybody celebrates his social media birthdate. Everyone wishes him a happy birthday, and he’s like, “Nope.”
What’s interesting is I know a lot of people in the privacy industry, and we all have the same birthday. It’s January 1st, and a lot of us were born in the year 1981—a lot of us chose. The same thing—people wish birthdays if we chose to show that. Of course, that’s a setting now. You can choose to either show it or not show it, but I still get ads from the advertisers on that date for specials because it’s my birthday. But yeah, that’s a really good example you provided.
Then there was another one. I forgot who was telling the story that a relative’s daughter was smart and mature for her age, and so they had created her a Twitter account, and they had put in—because she was under the age allowed to use Twitter—an earlier year on her birthday.
She had built a good social media following. She was behaving on social media the right way, not overly sharing information, but not connecting with the creepy people out there. But she was doing a really good job and at some point, when she crossed that age threshold, she changed her birthdate to what it really is, and Twitter went back and deactivated her account because basically, she violated the terms of service.
When you changed your birthdate, you are now suddenly using the service before you were allowed to, therefore, the account is gone.
Right, it’s just like, “Shame on you. You’re going to lose this account you built up a lot of followers for over the years.” Social media has a long way to go. They’re kind of like what we talked about with businesses who are doing things on the fly trying to figure out how to keep business going.
Social media is still doing that even though they’ve been around now for two decades. They’re still doing things on the fly, trying to figure out what rules should we put out there, and then they soon find out those rules are either ineffective or they just simply don’t make sense when they apply them.
Yeah, I don’t know if it’s a scary thing, but it’s the business model that they’re in. They’ve got to be the latest and the greatest, otherwise, they go the way of MySpace.
Yeah. That’s still around in some form, but it’s something completely different now, probably. Who knows?
Yeah, it definitely is not what it used to be.
We’ve talked about privacy and security from the corporate side and maybe the consumer side with COVID and people working at home, what kind of things do we need to be thinking about there?
That’s another thing. With so many people working from home, it’s kind of related to COVID because people want to know that you’re still okay, but working from home, people don’t realize, first of all, that their home environment is much different from the environment you have when you go to your office building or someplace else. There’s typically a security and privacy position that has, hopefully, implemented some basic security requirements just to keep information from inappropriately leaving the business. That’s not so much the case when you’re in a home environment.
For instance, what a lot of organizations did to address working from home very quickly is they said, “Huh, what are people already using that we could use as a way to get face-to-face meetings going without having to teach our remote and work-from-home users a new tool? Oh my gosh, they’re using Zoom. Let’s just start, having everyone use Zoom.”
A lot of people have been using Zoom to talk with family and relatives, and it wasn’t really created as a way to have meetings, to talk about business in a secure manner, or to do online classes with students there. When they told the employees to start using Zoom, they just continued using it in the same way as they did before.
“Oh, let’s post the link to our Zoom meeting and all the connection information: time, date, and so on. We’ll just put it out there on Facebook like we always did when we wanted to talk to grandma.” But when they did that so many times—and you’ve heard of Zoombombing, I’m confident—people saw what they shouldn’t. It’s like, “Oh, this looks like a good meeting.”
Maybe I make ice cream. Maybe Ben & Jerry’s—and I don’t know anything about what Ben & Jerry’s do in Zoom, but I’m just doing this off the top of my head. It would be fun to find out what their new recipe is. We see the people are meeting online to have a business meeting. Why don’t I just join in, and since they aren’t requiring a password, I could probably learn something pretty good that can be used for competitive differentiation.
We have those that decided to just lurk (if you will) on other people’s business meetings, but then we have those that are a little more malicious and wanted to be disruptors: “Hey, let’s come in and we can post some pornographic images or other disturbing images right in the middle of a meeting and embarrass the people who are there.” We have that kind of Zoombombing too.
But even if you don’t use Zoombombing, people were setting up their meetings through Zoom, and all of sudden, you could see where they lived. In some of the meetings I was even in, I could see a woman was on her patio outside, and I could see the street behind there. And the way it was set up, it exactly pinpointed where she lived. It was a pretty big meeting.
We’re talking to hundreds of people at this meeting, and I’m thinking now all of a sudden, these people—that you didn’t know who they were—saw what your backyard looked like. They know you don’t have the privacy fence, or what appears to be any way to keep someone from going in. I have a handy dandy map so I could go in there. I know she’s in an affluent neighborhood. This might be interesting if I was a malicious person and I wanted to break in and steal something or even hurt someone, which a lot of people say, “Well, that’s not privacy. That’s physical safety.”
Physical safety gets threatened when you don’t protect your privacy adequately, oftentimes. It’s just things like this that people say, “Well, what are the odds of that happening?” The odds might be small, or you don’t want to be the one that actually had something bad happen to you as a result of that, and be the 1% that actually was exploited.
Something I do also is I’ve been an expert witness in various cases over the years, and I’ve been an expert witness for some disturbing situations where smart toys were used to track someone down and assault them, where GPS was used to follow someone and assault them.
It’s something that happens, and people just need to realize that, especially when it’s business meetings and you have all these coworkers and others involved. You might be showing what’s in your house, you might have people see that you’ve got children in your home walking back and forth in their swimsuits as they’re going out to the back pool.
You just need to make sure that employees are using these tools in environments where you might not have people peeking in and seeing things or even hearing things on an Alexa that goes up into the cloud to be used and accessed by others at some other point of time.
Everyone’s sharing their work-from-home attire and things like that, and I’ve seen the selfies where the person is sitting at their home desk. They’ve got their monitor on, they turn, hold their phone up, and they take a picture of themselves working showing the screen of their computer. It’s like well, what corporate information is on the screen when you’re doing that?
Yes, exactly. That has happened. For my next book, I’ve actually taken some screenshots that have been published in different news articles that actually are showing—of course, with all the identifying information crossed out—how many times and how easy it is to reveal business information because of what you’re sharing on your screen. Exactly, that’s a perfect example there.
I suppose other risks are when you’re in a corporate environment when you’re at an office, you, in theory, have networking professionals who set up your corporate networks appropriately and all the security settings who have isolated things that need to be isolated, but that doesn’t happen at home. I jokingly talk about when it comes to using public WiFi at your local coffee shop or something like that, I always tell people like, “Do you think the guy who is an expert cupcake maker is an expert security network engineer in setting up and maintaining the free WiFi?”
How many of us at home—we either got the router from our ISP or we went down to the local big-box store 10 years ago, threw a little piece of hardware in our closet, and we haven’t updated the firmware. We don’t know anything about the security settings on it. We turned it on, connected it, and went on with our lives.
Yeah, and so many people don’t realize. They think, “I’m in my home, nobody can see me, nobody can find me. I didn’t put my address on Facebook or LinkedIn.” But something I’ve been doing my whole career with regard to researching is finding open access points when people are connecting to a network that’s remote from where they are at or through the internet.
I’m not sure if you’re old enough to remember war dialing, but I did a lot of war dialing throughout the 1990s. That was the very old-fashioned way to find open access into different corporate networks because they didn’t adequately protect dialing in. Now you have wireless access points, and you can use such tools—and I still do—to demonstrate to my clients and during keynotes that I give where all of these open access points are in a neighborhood and so on.
If you know people are working from home now, I’ll drive through a neighborhood and I’ll use a tool like WiGLE. It’s a freeware tool, and what’s really nifty about it is you can superimpose Google Earth so that, not only can you find where all these open access points on your home WiFi network, but it gives you all this interesting information, like operating systems that are attached to that wireless network, and whether or not they are using encryption. And not only that, it will tell you what type of encryption, and then with Google Earth superimposed, you can actually see their house, you can see what is in the neighborhood, and so on. Or if I don’t want to go out and do the wardriving to find that, I can just use a tool like Shodan, and the freeware Shodan gives you enough information to get some very valuable data for people who live in different cities on the other side of the world.
I’ve shown through some of my research—even where I speak at different events—I’ll do a Shodan search for open baby monitors and I’ll show them where all of the baby monitors or home security systems with the video going on is located. It really gets the attention, even at conferences where security and privacy professionals, a lot of them didn’t even realize how easy it was to find these open access into your home to allow you to see things.
If you’ve got a meeting going on and you’ve also got a Ring, a Nest, or some other type of security camera pointed into the room where you’re meeting, it might be fun to watch what’s going on there in that meeting, especially since so many people have the big screens that they are joining their meeting from now. There are so many ways to get into people’s homes now digitally that most people don’t think about.
That’s scary. We’re recording here in August and people are starting to get ready to—I’m not sure if the kids are going back to school in person if it’s going to be remote learning entirely if it’s going to be mix and match, or even if they open up the schools. If there’s an outbreak, then the kids have to come home. What kind of things should parents be thinking about in terms of privacy and security for their children with remote learning?
That’s a great question, especially since I grew up with a father who was a superintendent of a school district. Then I taught 7-12 grade math and computing before getting my bachelor’s and master’s degrees. It’s so important to do. There are so many things you want your students to learn, but at the same time, you need to keep in mind that those home environments aren’t always the most secure.
We need to make sure that you have been providing some basic security and privacy training for your teachers, certainly, but also for the students. And just help them understand some very basic things, such as using multi-factor authentication when you’re getting into your school website.
Often times, they’re getting into websites that contain the lessons and other resources, or when you’re getting online for a class make sure you are doing it in a secure environment, you’re shutting off your Amazon Echoes, Google Assistants, and those listening devices that are always listening even though there’s supposedly the keyword that will record things only after that keyword has been said.
We know—from many instances, and you and I as systems engineers building these types of systems—that everything is not 100% perfect. And if a system is listening, they hear a keyword, it’s listening. If it doesn’t work correctly 100% of the time, we already know that a lot of information is being stored in the cloud and potentially accessible to other places.
Smart toys for younger students, maybe older students too, college students too, who knows, but those smart toys that listen and communicate with you. The first version was a Hello Barbie where it would listen in to what you were supposedly doing only when you said a certain word or you saw her belt buckle was lit up.
One case that I was involved with was where a malicious ex-partner gave a toy to his child and disabled that light so it didn’t look like it was listening, but actually, he had fixed it. He was listening to all the time and recording everything, then he had access to that data.
You need to make sure that even those types of things are not where the students are at. Make sure they just think about the fact that wherever they are at learning at home needs to be as close to what it would have been like if they were in the actual classroom itself.
If they wouldn’t have something shown in a classroom at the school building, then they shouldn’t have that being shown in the room where they’re attending class in their home, basically. That’s basically a simple rule of thumb, but it hits a lot of various security and privacy vulnerabilities that way.
I suppose there probably needs to be a conversation about social engineering—I’m using the complicated word—in respect to kids of making sure if somebody shows up on the school call that you’re not expecting, or you don’t know, that you leave whatever the video conference room is, or you don’t interact with people. “Oh, yeah, I’m your teacher today, but your regular teacher isn’t here. Tell me about yourself.” Parents should be doing something to educate their kids to be cautious of what’s going on.
I’m glad you brought up social engineering because, of course, that is used so often, and if those online classes are not secured and people have been gathering information about the students and the teachers, it gives them a lot of tools. It gives them a lot of insights as to how to social engineer children or the teachers themselves, or get other information. That’s something there.
Also, even when you’re in an online classroom and somebody says, “Oh, here. I’m sharing a file. Just click on it.” Maybe it’s not someone you know, don’t click on it. It could be malicious. It could freeze up your computer, spread other types of malware into the school system, or maybe they are going to send you to a malicious site that will do nasty things. Social engineering—there are so many different ways that social engineering is done.
You need to make sure the students and the teachers know they should not be sharing certain things through online classes. Instead, have them go to the secure school website to get the information they want to share so that it’s behind firewalls and other security protection, instead of just what could be a wide-open, more vulnerable online classroom.
The privacy, security, and etiquette of all these things is a lot for people to learn in a very, very short period of time.
It is. They’re getting a crash course right now in security and privacy just as a matter of the situation. That makes it so important for those who are security officers and privacy officers for school systems to make sure they get on top of this and communicate with all of their staff, students, and teachers about what they should and should not be doing online in full view of everyone who might be in an online classroom.
It almost seems like we should be doing that for our work-from-home as well. It’s like how much of my home office reveal about my home life, and it really—should as much as possible—try to limit what’s being exposed and treat it more like, well, I might have a picture of my spouse or my kids, but aside from that, I’m not going to have too many personal effects in my work office.
Yes. In fact, you brought that up, a few years ago, maybe three years ago, I was actually contacted by someone who is a reporter in, I think it was, Brazil. It was a country in South America, but the president of that country at that time had gone into the hospital, and the son of the President was posting videos and photos of his father, the President, not only in the hospital but the home where they returned to recuperate.
And the reporter was saying, “Isn’t there a lot of privacy problems with what they’re showing about the President of this country who has had a history of being threatened anyway about what he was doing?” That was a fun exercise. Now that I’m talking about it, I need to go back and look at it because it was fun analyzing the images that the reporter sent to me that the son of the President has shown because he was showing things that told me—again, like you said—what’s inside their house.
Look at this, here’s a window. There’s a door to the patio. Oh, look, they’re interested in these types of activities. That could be useful for social engineering and tricking them into believing I’m someone other than who I really am and getting some information or spreading malware. There are so many possibilities that people don’t think about before they just simply and naively show where they’re at. People just don’t think about those things, but they should.
It makes me think of those really popular internet celebrity personalities to carry their phone, and they’re walking around their house where they’re telling a story. You’re like, you’re giving me the layout of your home. You’re letting me know what products and services you use. I know what kind of air conditioner you have because it was in the background. I could say I’m the technician from the air conditioner company. All sorts of things get exposed inadvertently in those background images.
Something that I do is I use a desktop, it’s called a desktop, but it’s actually on my floor. It’s a big old computer, but I have a huge screen on my desktop. But I did not use a built-in webcam. I have an external in it, and I keep it completely disconnected unless I need to use it. That’s the number one precaution I take for having an office in my home.
Second, when I do show myself online through a webcam and get that connected up, I have privacy screens that I put around behind me. It’s interesting when I join—and I’ve been joining a lot of online meetings over the past few months—these meetings, people see where I’m at, and they’re like, “What’s behind you?” I’m like, “Those are my privacy screens.” And they say, “Oh, why do you have them?” I said, “So you can’t see everything that’s in my room.” Besides being a little messy, my bookcase is back there. I want to practice what I preach.
Even just doing that for your listeners when you’re working from home and you’re doing online meetings for business or online schooling, keep your webcam disconnected unless you absolutely need to use it because a lot of apps, by the way, are able to—and of course, there’s a lot of browser apps people use too. Keep them so that your webcam won’t be turned on through some app that you didn’t realize had that access.
A lot of access is given to apps to do things like that. And make sure that you have your vicinity protected when you do show yourself in your room. Some people might think that’s going overboard, but taking a little bit of precaution will help you someday saying, “Gosh, why didn’t I just do that?” After you’ve been robbed or after someone has done something worse as a result.
Yeah, I do the same. For the most part, I keep my camera disconnected, and when it is connected, there’s a physical cover over the camera. If I’m not in the process of recording the video, it is closed. When we started this conversation, I had my video on, and as soon as I stopped sharing my video, I put the cover down over the camera.
And I have to admit, I was looking at Amazon and they make an attachment that will fit on the back of your desk chair that is a green screen. And I almost bought one.
Yeah, that’s another good option. That way you don’t have to lug your physical privacy screens out behind you every time. Yeah, put up your green screen on the back of your chair. That’s another excellent activity you can do.
But I definitely know some people that I have been on conference calls with. They put those privacy screens six inches behind them, and they’re just some little foldable, sometimes artistic, sometimes not. All you can see is the privacy screen. You can’t see anything about the room that they’re in, which is good for security purposes.
Absolutely. That’s another great thing to do.
As we’re wrapping up here. I know that you’re a prolific book writer. Are you working on any new books?
Yes. Currently, I’m in the final editing of creating a new book that’s related to what we’ve been talking about. The title of it is Security and Privacy When Working From Home and Traveling. I’m going to cover all these different issues. Right now, I have 23 different chapters on different topics for related security and privacy risks, and also compliance issues that businesses need to think about.
I’m wrapping that up. I’m going to include a lot of real-world examples since there are so many to think about. It’s being published by CRC Press. It’s a part of the Taylor & Francis Publishing Group, and I’ve done other books through there. This will be my 20th published book. This will be something that’s coming out sometime in the fourth quarter of this year, 2020.
I don’t have an exact date yet, and that depends on how quickly I can get my manuscript to the publisher so they can start doing their thing with regard to getting it all prettied up and put into an actual physical and digital book to be released.
We’ll definitely make sure that when the book is released that we link it to Amazon so that people can go out and get it.
If people want to follow you and learn more about you, where can they find you?
I’m on Twitter. My Twitter handle is @PrivacyProf, and it’s that short because I’ve been on Twitter so long that when I created it I tried to put PrivacyProfessor, but they didn’t allow for Twitter handles to be longer than PrivacyProf. That gives you an idea of how long I’ve been on there.
I’m on LinkedIn. Just look for Rebecca Herold. My photo out there shows me in a pink blazer with one of my Dobermans with me, so that will be very apparent. I’m on Facebook. I’m on Pinterest, although I need to put more information out there.
My websites are privacyguidance.com, and then I’m building a new SaaS service with my 23-year-old son who just got his Computer Science degree. And it’s at privacysecuritybrainiacs.com.
Oh, I like that.
Yeah, isn’t that a cool name? He actually came up with the logo for that too. If anybody goes out there, I think it’s a pretty cool logo too. Keeping really busy with those in addition to being on the NIST Internet of Things or IoT Device Cybersecurity Capabilities development team. People can go out at NIST and find a lot of stuff that I’ve done out there too with IoT Privacy Frameworks, Smart Grid, and so on.
That’s a lot of stuff going on. You’re keeping yourself really, really busy.
I know. It’s one of those things I’ve always had a problem with. I remember, when I was a little girl, I didn’t want to be just one thing for a profession. I wanted to be an astronaut, an archeologist, an actress, and all sorts of things. I think that’s been a psychological problem with me for my entire life.
That’s awesome. Rebecca, thank you so much for coming on and sharing your expertise with our audience. We look forward to your book and thank you for your time today.
Thank you so much. I’ve really enjoyed visiting with you today.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Online Privacy
- Online Safety
We all have limited resources when it comes to time, money, and energy so in a world…[Read More]
Social media is a part of life. Given the state of the world, social media has become,…[Read More]
The way we vote is changing – and not for the better. Voting practices in the United…[Read More]