Busy week in cybersecurity, so this week I am going to recap some of the top stories and focus on how they affect solos and other small businesses (and how you can remain cybersecure). Well, except for the first story—that affects everyone who drives a car (notice I didn’t say owns car).
- Your car spies on you, and it’s a real blabbermouth. The Washington Post continued its excellent series on privacy in the digital age with an investigation into the data cars collect. Turns out newer models have several computers, some of which collect technical data about the car’s performance, but others that collect personal information about the driver. GPS data? Of course. If you read this newsletter you expected that. But they found the computers were downloading data from drivers’ phones—contacts, texts, email, photos—and sending it to the manufacturer. Worse? The lack of transparency about what data is collected, how it is stored, if it is secured, and who has access to the data. Even worse? The next user/owner of the car has your data. (They bought a used car computer online and were able to piece together the life of an upstate New York driver. Awkward.) Learn more about this investigation, what “services” you can decline, and the tool you can use to erase your data (maybe) here.
- Google has your medical records. Last month, a whistleblower reported that Google partnered with Ascension on a project called Project Nightingale that gives Google access to the medical records of Ascension’s 50 million+ patients. The Wall Street Journal (WSJ) reports that this was done without patient consent, and it was also alleged that Google employees can freely download the PHI. It was also revealed that Google has sucked up other patient data in the US and in Europe, where their collection methods resulted in a lawsuit. What can you do? Stay engaged with the investigative process moving forward in Congress as a result of the WSJ report. According to HIPAA Journal, “Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, wrote to Google and Alphabet expressing concern about the partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI.” The deadline for a response to Congress from Google and its parent company Alphabet is 05 January 2020. The full article from HIPAA Journal is here.
- Smishing attempts are on the rise. I received 2 in just the past day. Smishing is phishing by SMS text—I copied a screenshot of the latest smishing attempt here as an example. Smishing can be an attempt to elicit information, but mostly it’s a vehicle to install malware on your phone. As small business owners, we can get texts and calls from numbers we don’t recognize, so there can be a temptation to address messages sent to us, but that’s no excuse. Don’t click on things—online or on your phone—from randos. The amount of smishing is only expected to increase in 2020. Prepare for 2020 by adopting these 6 Easy Ways to Protect Yourself from Smishing.
- The new threat for 2020: Drones intercepting your data on public wi-fi. I’ve said it once and I’ll say it again, public wi-fi is not secure, but drones engineered to intercept data on public wi-fi take this cybersecurity threat to the next level. If you are going to use public wi-fi, use a VPN (virtual private network), even on your phone. Cell data service can be spoofed, so it is no longer the secure alternative it used to be. For more about VPNs, read here.
- He knows when you are sleeping, he knows when you’re awake. Once your Ring account has been compromised, hackers can watch you—and archived video of you (and your family)—without you knowing, Vice reported this week. (They can hear you, too—so if you work from home and talk with clients on the phone, they can access that too!) And it’s easy—hackers rely on compromised credentials. So if you are reusing passwords (or using a password similar to one on another account), you’re an easy target. Don’t know which of your passwords has been compromised? Here’s how you safely find out. And one last piece of advice? Stop bugging your own damn house.
- Not worried about cybersecurity because you can just buy another laptop? Not so fast . . . Purveyors of ransomware have become frustrated by victims who don’t follow their business model, so they have adapted by adding blackmail to their list of services. The hackers behind Maze ransomware have started outing the targets who don’t acquiesce to their payment demands by posting the targets’ names and promising to post the personal information and proprietary data from the ransomed computer. This could result in some interesting liability and reputation issues for solos and small businesses who don’t make a good-faith effort at cybersecurity and have clients’ proprietary information exposed.
Happy holidays to all! If you’re traveling for the holidays, stay cybersecure with these Seven Easy Ways to Stay Cybersecure on the Road. And if your gifts include new toys, computers, devices, etc., be sure to check out the DCCCyber blog for ways to secure your new devices and securely dispose of your used devices.
We’ll be taking next week off from the newsletter, but follow us on Twitter (@DCCCyber) and visit our group’s site (https://cyber.dukecityconsulting.com) for a selection of current cybersecurity news curated just for you!