Information Protection and Privacy Change is in the Wind for 2015

This is another one of those posts that I have filed under the category of ‘Really?!’
 
I posted two weeks ago about National Data Privacy Day, and how managing your information is YOUR responsibility:
http://lrs.ms/InfoProtect
 
The EU and many other parts of the world are increasing penalties for breaches that lose personal information; the French DPA, for example, levied a €150,000 fine against Google simply for neglecting to give notice of a change to its privacy policy.
 
Anthem, the second largest insurance provider in the US, suffers one of the most egregious data breaches in history with the loss of over 80 million customer/client records, including those of the CEO. Now this little extravaganza is getting parlayed into a congressional hearing.
 
Yes, Anthem was immediately forthcoming about the breach, and it was found by their own internal audit procedures; kudos to them. Don’t we wish Target and Home Depot had been equally transparent.
 
Boards and shareholders (myself included) are growing increasingly impatient with the cavalier way our personal information is thrown around.
 
All that said, there is little help on the horizon for netizens in the US, and managing the location and use of your personal information is still your responsibility.
 
For example, of the 10 most significant personal data privacy and protection issues from the last year, 9 involved the EU and Russia. Only one, the amendment to the Safe Harbor policies, did not, and that one involves the data of citizens of the EU.
 
I’m about to send out my fourth information security tip; and folks, I know the first three seem MIND NUMBINGLY simple (change your passwords, use complexity, etc.), but I will tell you how few people actually follow those basic practices, and that failure in reality causes 80% of the loss of data. The suggestions aren’t sexy, but they are VERY real.
 
http://lrs.ms/AnthemCSuite
http://lrs.ms/2014PrivacyDev
 
Information Protection – Tip 2

90% of all passwords are vulnerable.
It takes 5 minutes to go from hackable to uncrackable… (Look, I know these sound like the fundamentals, but you’d be surprised at what I see people do).
In fact, over a long enough timeline every password’s security drops to zero.
(Thank you passwordday.org for allowing me to shamelessly plagiarize this first paragraph)
Surprisingly, you would think those who were brought up in the age of always having a computer nearby, the Millennials, would consider this as old hat as the advice to use condoms or not to smoke (both of which many choose to ignore anyway), but the statistics show otherwise. Only 41% of them and their neighbors, the Gen X’ers, have ever changed their passwords, or did so only when prompted.
http://lrs.ms/MillennialPwds
And 55% use the same password for everything.
http://lrs.ms/55PctUseSame
I could write a book on good credential hygiene, but the site for password day 2014 has several excellent suggestions.
http://lrs.ms/PwdDay
Information Protection – Tip 1

Let’s start with the basics… It’s called phishing for a reason…
95 percent of all successful attacks started with an attempt to get you to click on a link you shouldn’t…
http://lrs.ms/atks-hum-err
Seriously, people; would you knowingly drive to a questionable part of town… in the middle of the night… with your doors unlocked… your windows rolled down… your wallet, purse or whatever sitting open on the front seat… cash and credit cards out in plain sight and easy reach…
AND THEN give all of your personal information, including driver’s license number, social security number, passport and banking information, to the first STRANGER you meet?
THAT’S exactly what you’re doing when you venture to those questionable websites (if you really need a lesson on the ones to which I refer, dust me privately and I’ll be happy to give you my opinion), or click the link in the email guiding you to a heretofore unknown inheritance from the long-lost relative you didn’t know you had.
Here’s my first tip… DON’T
Patient: “Doctor, Doctor! It hurts when I do this…”
Doctor: “Well, don’t do that!”
Information Protection and Privacy

This past Wednesday was National Data Privacy Day, created by Congress in 2009 to help raise awareness of the need to protect personal information and data.

While it seems laughable that the same government that espouses the need to protect our data is the same body that brings us Edward Snowden-esque allegations of widespread data infiltration of its citizens by that same government, I think there is a point here worth noting…

At the risk of stating the obvious: protecting your information and identity, whether online or otherwise, IS important.

But it is also YOUR data, and therefore YOUR responsibility. Which is good, because we are largely on our own. Being on our own is, in a lot of ways, freeing; we aren’t going to delude ourselves that something is happening when it’s not. (What do you mean I’m denied medical coverage?! That’s why I pay for insurance!)

Having spent a considerable amount of time in the EU, I can say that one of the things they do is take data protection and privacy seriously: the EU’s Data Protection Directive requires substantial disclosure of the use of collected personal information and levies heavy fines on those commercial enterprises that violate the directive.

The U.S. has no commensurate directive or legislation. So it becomes our responsibility to ensure our own protection.

I mentioned around Christmastime that I would be sending out ‘bite sized’ tips on protecting your information. Some of them are so obvious they seem ludicrous to even mention, but having been in my position for as long as I have (and with two Master’s degrees in information security), I find that 99% of protecting your information is about good personal practices (when was the last time you changed your passwords, and do you use the same or similar passwords for your banking information as you do for Amazon?).

I rest my case.

http://lrs.ms/EUDataProtLaw
http://lrs.ms/EUDataProt
http://lrs.ms/DataPrvWP

Net Neutrality and Internet Sovereignty a Match Made in Censorship

If you don’t think net neutrality and internet sovereignty are related, you better think again.

The Republicans in Congress are fiercely fighting the request by the Obama administration to classify broadband internet providers as a utility, making them, and the Internet, subject to much stricter regulation.

At the heart of the net neutrality debate is ostensibly whether or not the internet should be considered a utility and therefore subjected to utility-provider regulation similar to that of electric or telephone service.

Meanwhile in China, Internet Czar Lu Wei and President Xi Jinping are arguing the state’s right to manage and govern the information running across its sovereign territory. The Internet, Lu argues, is part of the national infrastructure like roads and power, and it is the state’s responsibility to ensure infrastructure stability.

Both prescribe controlling the flow of information across the internet, although each country takes a slightly different approach. While China is more overt in controlling information, by classifying and categorizing information protocols, the opponents of net neutrality arrive at very much the same place.

The tragedy of the Charlie Hebdo shootings simply underscores the stakes involved in the freedom of information debate.

We are quickly facing a world where the information we’ve taken for granted may not be as easily accessible.

http://lrs.ms/ChinaInternet20151
http://lrs.ms/ChinaInternet2015
http://lrs.ms/NetNeutrality2015
http://lrs.ms/NetNeutralityDefined

Are You Really Private?

From the Snowden leaks last year to all of the ‘cyber breaches’ and loss of personal information from large retailers in the last couple of years, we as a global village are finding out that keeping things to yourself is not as easy as it once was.

All of the social media platforms compound the difficulty of keeping our private information private, and we all struggle with the increasing importance of doing so.

In a world where EVERYTHING is ‘out there forever’ as soon as it’s set loose into the wild, and where almost everything is subject to discovery in our increasingly litigious society, I see an increase in the number of secure messaging apps aiming to help keep conversations private; for example:

Sicher, Silent Circle, CyberDust, Signal, et al. all use end-to-end encryption and data destruction to provide a means for groups of people to communicate with each other securely and privately.

Even WhatsApp, the popular text messaging replacement application, is starting to use end-to-end encryption.

But I’ve noticed another trend unique to these secure applications: while they have provided a means of ‘hiding from prying eyes’, they have fostered a new sort of social media platform.

For example, one of my favorite new apps is CyberDust (available on iOS, Android, and Windows Phone). CyberDust not only provides secure person-to-person messaging, because everything runs over an encrypted channel and the messages self-destruct after a short period of time AND are NEVER stored on their servers or any endpoint; CyberDust also provides a sort of ‘Twitter-like’ platform where a person can ‘Blast’ a message to a group of subscribed followers.

I’ve been using CyberDust to sort of ‘Pre-Publish’ posts, as a platform that allows me to get something ‘out-there’ quickly without a lot of editing, and in somewhat longer format than the Twitter limit of 140 characters.

I find this feature incredibly useful, because I can send raw, unedited posts to my followers without worrying too much about the editorial content, grammar, and so forth; and since I save my posts to Evernote, I can come back at a more convenient time, clean them up and post them on LinkedIn or my blog (blog.ross-sivertsen.com).

But I’ve noticed, as I’ve used CyberDust, something more disturbing occurring: many of the people I follow, some of them professionals, are posting pictures and comments I believe they would think twice about posting if the platform they were using was as open as Facebook or Twitter.

Let me say before I continue that I’m neither Pollyanna nor prudish about this subject, and I am in NO WAY making a judgment about anyone I follow; I publish a number of posts that are all raw, unedited, and sometimes incendiary.

What I am saying is: even with a platform that leaves no physical or virtual evidence of pictures, posts or comments, when we intentionally broadcast a message to a group of people, do we not leave with our audience, followers and listeners a residual impression of who we are, whether or not evidence exists?

This subject goes beyond privacy issues and quickly becomes an issue of reputation management. The fact of the matter is, regardless of whether or not the platform is secure and encrypted, I am sending a post out to the public, i.e. to more than one person with whom I have no personal relationship other than that they follow me, rather than to one or two people with whom I have a relationship and where the conventional social contract of confidentiality is the norm.

I believe in the right to personal expression and exercise said personal expression frequently; I am also acutely aware of the consequences of my actions, and of the things I publish or portray.

My point is that this message becomes a cautionary tale to everyone (most of all myself) that we leave a lasting impression of who we are and what we’re about with the people around us, even if the evidence self-destructs after 30 seconds.

“Three people can keep a secret, if two of them are dead.” – Benjamin Franklin