Category Archives: Privacy

Tips to Protect Your Android Phone

Wondering how to safeguard your Android phone? You’ll want to read this blog entry!

Be sure to visit the TCEA TechNotes blog to read this entry.


Did this holiday season leave you with an Android device in your hands? If so, you’re not the only one. “Between them, Android and iOS accounted for 99.6 percent of all smartphone sales in the fourth quarter of 2016,” says James Vincent (Gartner as cited in The Verge). “Of the 432 million smartphones sold in the last quarter [2016], 352 million ran Android (81.7 percent) and 77 million ran iOS (17.9 percent).” According to Google, as cited by MacRumors, over two billion Android devices are in use around the world. Unfortunately, more Android devices means more opportunities for malware and hacking. Join me as we explore some of the apps that can protect you from malware, hackers, and intrusion. Don’t be afraid to pass these tips to your children/students as they begin to explore the wild, wild world of Android. After all, Bring Your Own Device (BYOD/BYOT) initiatives are ever-increasing in schools.

Note: One handy app that I used to get a list of all the apps on my Android phone is List My Apps. This app makes it simple to get your Android app list emailed to you with links.

#1- Anti-Malware Tool

While there are many anti-malware tools in the Google Play store, not all are safe. For example, some anti-malware tools may masquerade as helpful tools to capture your sensitive data. With an Android device, just like the Windows operating system, you may put yourself at risk without anti-malware tools. Tom’s Guide provides a list of tools. My favorite one, though, is BitDefender Mobile Security for $15 a year. The app offers a host of features, making sure you don’t let malware install itself or hitch a ride on existing apps. You can lock individual apps to prevent others from opening them; useful if you lose your phone while it is unlocked. This is quite important, especially if you decide to take foolish advantage of third party apps (e.g. GetJar) not approved in the Google Play store.

Did You Know? If you lose your phone, you can use Android’s Find My Device feature to locate it via GPS or remotely wipe the information on it. Wow! To turn that on, go to your phone’s Settings, then Google, then Security. If you have not done so already, make sure to get the Find My Device app. Setup is a snap.

#2- Protecting Your Camera and Microphone Access

Did you know that the camera and microphone on your device can be activated remotely? Worse, once activated, you can be spied upon.

Researchers have discovered a design flaw in Android that can be used to remotely capture screenshots or record audio… without the user’s knowledge or consent. (Source)

Two apps that I use on my Android phone to protect against this include Camera Blocker and Microphone Block Free. Each offers a free version that will allow you to flip the ON/OFF switch on your camera or microphone. You can turn these off when you need to snap a picture or answer your phone.

#3- Prevent Robo Spam Calls

Finding yourself receiving an unending stream of robocalls and spam? Give Hiya a try. It features “spam detection and call blocking capabilities.” These help you “avoid unwanted and dangerous calls.” This app has blocked countless calls to my mobile phone. On Android, Hiya pops up with caller ID to let me know who is calling. This allows me to decide if I want to waste my time responding. For phone numbers not in the Hiya database, I have the option of adding new numbers.

Hiya Call Block Security identifies the calls you want to take and blocks the numbers and texts you want to avoid. Hiya is free (no ads!), and is incredibly easy to use. It offers the ability to block calls, blacklist unwanted phone numbers and SMS text messages, reverse phone search incoming call information, and receive spam alerts.

The best way to win an argument with a telemarketer or spammer is to avoid it. Younger phone users may not know how to say “no.” Get them Hiya so they can avoid a data-compromising conversation.

#4 – Virtual Private Network (VPN)

If you are using public WiFi, make sure to get a virtual private network (VPN) solution. You can find a great overview of why you should use a VPN over at Pixel Privacy. Here’s why a VPN is such a great idea:

A laptop and mobile device user visits her favorite coffee shop, connecting to the free Wi-Fi hotspot to access the internet. She uses the unprotected hotspot to pay bills, do her banking and shop on Amazon. Meanwhile, a quiet young man sits in the corner, sipping his latte and monitoring her internet connection, stealing valuable personal and business information.

Packet sniffing happens all the time. Use a free solution like Opera VPN or a subscription service like Private Internet Access (PIA).

#5- Password Manager

Keeping track of a million passwords can be quite a hassle. Two tools I have found helpful include Secure Space Encryptor (SSE) and/or KeePassDroid. Both work on your mobile phone. You can keep track of your usernames and generate more complex passwords than “password” or “dragon.” In future Android-related blog entries, we’ll take a look at additional tools you can use to safeguard your data.  


Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

Oops. Another 39 #Txed Schools Suffer Data Breach #cybersecurity

Do you have kids enrolled in a school district? It wouldn’t hurt to ask that district, “How are you safeguarding my child’s personally identifiable information (PII)?” A good follow-up would be, “How are you requiring third-party solution providers to protect my child’s information?”

Note that the Security Notice about a Data Breach affecting THIRTY-NINE school districts appears in the “What’s New?” section. Not exactly the best way to publicize the information, right?

The information should be in a school or district policy and procedure. Why? There is a great variety of data breaches every day. Some involve the school or district due to a mistake (e.g. “We sent someone we thought was the IRS staff records. Oops.” or perhaps “We published decrypted student PII on one of our web servers by accident. Oops.”).

Image Source: Available online 12/4/2017

Texas Data Breach Affects THIRTY-NINE DISTRICTS

Officials say a Texas Department of Agriculture employee’s computer was attacked through malicious ransomware on Oct. 26, with the attack affecting more than 700 students. Personal information that may have been exposed includes names, Social Security numbers, home addresses, birth dates and personal phone numbers.
The Texas Department of Agriculture oversees school breakfast and lunch programs, which is why school districts were affected. (Source)

The Texas Department of Agriculture notified the following 39 districts:

“There’s not any evidence that we have that the information that might have been compromised was ever misused,” they had the nerve to proclaim. Really?

Texas Dept of Ag’s Incomplete Recommendations
Of course, in light of this, they recommend these actions to the students AND staff of the NINE school districts, again putting the burden of protection on the individuals rather than taking it on themselves. We need a better system:

  • Contact three major credit bureaus and 
  • Activate a fraud alert for the ransomware attack

My Recommendations for Next Steps to the Nine Affected Districts
Here are the steps (in order) I recommend staff and parents of students take immediately to mitigate the identity theft that is sure to follow.

  1. Set up an encrypted email (e.g. ProtonMail) for financial accounts. Don’t just use your Yahoo/Gmail account. Keep that for common use, but rely on your encrypted account for financial transactions.
  2. Create an Online Social Security account. Create the account before the bad guys do. 
  3. Freeze your credit reports to prevent new accounts. It may prevent others from opening new accounts in your name (or your child’s name) unless thieves have a special PIN#. These approaches aren’t foolproof but they do help. Credit Freeze sites:
     1. Equifax Credit Freeze Site
     2. TransUnion ($10)
     3. Experian ($10)
  4. Sign up for Identity Theft Alert: Fill out this form to notify the credit agencies of potential identity theft.
  5. Check your credit frequently. Annual Credit Reports provides a free service, but you may need to pay to get that more often.
  6. Switch from debit cards to protected credit cards. Make a decision to NOT use your debit card or write print checks with your routing and account # on them.
  7. File tax return early. If you don’t do it, they will.
  8. Get alerts via your bank mobile app for all transactions. I love knowing when funds come out of my bank account. Even if it’s my wife buying me a gift for my birthday.
  9. Add a password or pin# to all bank account transactions. It takes an instant, but without it, it may be difficult for folks to access your accounts. And, of course, change these.
  10. Get more than one form of ID, such as passport, passport card, and driver’s license. You never know when you will have to prove you are who you say you are.
  11. Set up 2-factor authentication (view overview) for all email, cloud storage, digital accounts. Use secure passwords. You can use a free password manager (e.g. Keepass) or pay for one.
  12. Get anti-ransomware software for your computer.
  13. Use a Virtual Private Network (VPN) when working on public networks with your computer or phone. My favorite VPN for computers, including Chromebooks, is Private Internet Access ($40 annually). For mobile phones, you can use a free Opera VPN.
  14. And, don’t forget you need to protect your mobile phone. Read this fantastic article from Harvard Business Review.



    AL DíA: Here We Go Again (#databreach)

    Data breach notices have become so common in my household, I find myself reaching for a spreadsheet to keep track of them all. How many different ways can a company tell me my data has been stolen?

    “Hey, man, we’re sorry. We’ve screwed up and let your personally identifiable information out into the wild. We’re sorry we’re so dumb, those hackers are so enthusiastic, and our salaried tech support couldn’t stop them.”

     Uber Breach
    Take a look at the sincere pleading of Uber CEO Dara Khosrowshahi in light of the data breach they hid from customers. First, let’s look at the extent of the breach:

    The names and driver’s license numbers of around 600,000 drivers in the United States were stolen in the breach, along with some personal information of 57 million Uber users around the world which includes names, email addresses and mobile phone numbers.

    And here is Dara’s response:

    “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

    While you can get specific help via this link, Lyft is starting to look a lot better. Oh…wait.

    Anatomy of A Data Breach Disclosure
    After a while, you begin to adopt a clinical perspective when reading them. “Do they really mean it?” I ask myself. Or, “Gee, could they have done a better job with this notification?”

    You start to wonder at the anatomy of a well-written disclosure of a breach masquerading as an apology letter. Some have compared it to the stages of grief:

    Which got me thinking about the whole data breach pattern thing and in particular, how it relates to the 5 stages of grief. And a data breach in many ways is like that: it’s a series of emotions experienced by someone who’s lost a loved one, it’s just that the loved one is their data! But seriously, it actually aligns well and it both explains The AA’s behaviour and foretells what’s about to come next. Let’s go through it. Read Troy’s complete blog entry.

     The latest emailed notice, which came two weeks after another one in the mail, came from Armor Games:

    We at Armor Games value your business and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that may have involved your email and password. We are requiring all affected users to change their password, and recommend that they change this password on any other sites.

    What Happened? On Oct 24, 2014, we discovered that a third party obtained access to our users’ emails and “hashed” passwords. That means that the passwords were encrypted in such a way that it is nearly impossible for anyone, even us, to read it. However, on Oct 24, 2017, a security researcher informed us of a file containing emails and plaintext passwords which claims the data had come from us (Armor Games) and another company (Coupon Mom). We are investigating whether we are the true source of the breach, since the number of leaked emails/passwords is far less than the number of emails breached on either our system or Coupon Mom’s system in 2013. Our users’ passwords were hashed (this makes it unlikely that they could extract plaintext passwords from our data), and some users are reporting that their passwords were included in this breach though they have never used either site. As we investigate the source of the data in this file, we are taking the precautionary measure of treating this as a data breach of our own users.

    What Information Was Involved? The information in the file contains 11 million emails and plain text passwords. No financial information, names, addresses, or game data was contained in this document.

    What We Are Doing. After the original discovery in Oct, 2014, we promptly hired a security auditor and implemented all their recommended changes as we investigate the matter, and notified our users. Today, we are notifying all affected users again, requiring that they change their password on our site, and recommend that they change this password on other sites. Furthermore, we are instituting new policies and code to further protect our users’ data.

    What You Can Do. We recommend changing your password on any site where you’ve used this or a similar password. On particularly secure accounts, like your email login, we also recommend enabling 2-factor authentication.

    When choosing a new password, we recommend that you avoid choosing a minor variation of your previous password. For example, don’t just change your password from “favoritehero832” to “favoritehero833”. Choose from random letters, numbers, and symbols such that the exposed password cannot be used to help guess your new password.

    For More Information. Please email us at support@armorgames.com for more information. If there are further developments that require additional action from you, we will send you updates about your situation.

    ArmorGames sincerely apologizes for the inconvenience and concern this incident may cause, and remains committed to safeguarding the personal information in its care.

    I suppose, if writing this letter/email, I would have begun with apologies first. But that might be premature. After all, Armor Games wants me to understand the full extent of what they are apologizing for. I am tempted to write the perfect letter. Oh wait, I already did that!

    Here is a blog entry I encourage you to read. It covers creating secure passwords and more.



    Protecting Myself Against Data Breach #equifax

    Yesterday, my wife received a letter from Equifax. Although we had thought she had not been affected, it appears she is now one of the affected. Check this paragraph out of the letter:

    On September 7, 2017 Equifax notified U.S. consumers of the data security incident, including that approximately 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted.  

    To minimize confusion, you are receiving this letter because you are one of the 2.5 million additionally potentially impacted U.S. consumers. Source: Letter received 10/21, mailed 10/13/17, “Notice of Data Breach” from Equifax.

    Consider those tidbits. 143 million were impacted (I was included in that batch). Then, 2.5 million MORE people were potentially impacted.

    DESCRIBING DISASTER
    Do you know what my favorite description of this event is? It’s featured in this article by Liz Weston:

    “Equifax just signed you up for a lifetime game of Whack-A-Mole,” says Leslie Beck, a certified financial planner in Rutherford, New Jersey.

    Whack-a-mole. Yes, that’s an apt description. Here’s what I’ve been doing in my free time.

    1. Switch from debit cards to protected credit cards. Make a decision to NOT use your debit card or write print checks with your routing and account # on them. I just went through this earlier this month and closed all my accounts at a credit union that didn’t offer me better protection. This may also help you with gas station fraud due to skimmers. Even though there’s an Android app to help you detect bluetooth badboys, that may not be helpful if you’re on iOS. And, yes before you ask, on the way back from a workshop in Cotulla, Texas, I stopped to fill up my tank. Fraudulent charges appeared instantaneously. Good thing, my wife and I watch our accounts like hawks.
    2. Freeze your credit reports to prevent new accounts. Yes, I’ve been freezing my credit at all the Equifaxes I can find. It is supposed to prevent others from opening new accounts in my name unless they have my special PIN#. These approaches aren’t foolproof but they do help. Credit Freeze sites:
       1. Equifax Credit Freeze Site
       2. TransUnion ($10)
       3. Experian ($10)
    3. Online Social Security account. Create the account before the bad guys do. Problem is, if you froze your credit reports, you’ll have to go in person to the Social Security Admin building.
    4. File tax return early. If you don’t do it, they will.
    5. Check your credit frequently. Annual Credit Reports provides a free service, but you may need to pay to get that more often.
    6. Sign up for Identity Theft Alert: Fill out this form to notify the credit agencies of potential identity theft.
    7. Some additional tips
       • Set up an encrypted email (e.g. ProtonMail) for financial accounts. Don’t just use your Yahoo/Gmail account. Keep that for common use, but rely on your encrypted account for financial transactions.
       • Set up 2-factor authentication for all email, cloud storage, digital accounts. You will need to have your smartphone with you to receive text messages or run a simple, easy authentication app that will give you a number for the digital account. The number changes every 60 seconds. This works, as I’ve had attacks on my accounts and seen it in action.
       • Use secure passwords. I like to use a secure password generator then add my own twist to it. I end up with a secure password that I keep track of using a password manager (e.g. Keepass, Lastpass).
       • Add a password or pin# to all bank account transactions. It takes an instant, but without it, it may be difficult for folks to access your accounts. And, of course, change these.
       • Get alerts via your bank mobile app for all transactions. I love knowing when funds come out of my bank account. Even if it’s my wife buying me a gift for my birthday.
       • Get more than one form of ID, such as passport, passport card, and driver’s license. You never know when you will have to prove you are who you say you are. I was at an airport traveling from WA to TX when I was stopped. Thank goodness, I had more than the minimum ID required.
       • Encrypt confidential data documents you have saved in cloud storage (e.g. Google Drive, OneDrive, Dropbox), as well as when they are “at rest” on your laptop or USB external drives. Read my tutorial on an easy, free, open source, cross-platform solution.

    Right now, this process is all about YOU doing all the work. The truth is, we need a better system that forces banks, credit unions, credit report agencies, and social security administration to revamp the system.

    Yeah, that ain’t gonna happen.



    MyNotes: Owned #privacy #foss


    “What are we supposed to do to someone that holds, owns everyone?” asks Foggy in Marvel’s Daredevil. “You make them pay” is the response. It’s strangely appropriate that the question of property lies at the heart of Fairfield’s book. As I read the book, I found myself in agreement with many of the points shared.

    Unfortunately, the solution didn’t seem as obvious as the problems. I’m looking forward to completing the book to find out what those solutions are. I invite you to join me.

    In Joshua A.T. Fairfield‘s (@joshfairfield) book, Owned: Property, Privacy, and the New Digital Serfdom, he proposes 4 components as a way to escape device-based surveillance. Those components include:

    • People have the right to modify their own property
    • They can sell it to others, free and clear, when they are done with it
    • They can use it and enjoy it free from the interference of others
    • They can exclude others from using it without their consent
    Here are some of my notes from Chapters 1-5. It’s not meant to be exhaustive, only points that were intriguing.
    My Notes
  • Intro and Chapter 1
    1. This book is an attempt to tap the emotion of property, and to then channel that emotion through careful analysis of the current legal state of affairs surrounding the Internet of Things.
    2. The failure of property online is a failure of the legal imagination. Courts have failed to imagine how we can own Bitcoins, magic swords, MP3s, smartphones, autonomous cars, or drones the same way that we own land, houses, or the money in our wallets. 
  • Chapter 2 – Death of Property
    1. Digital property suffers from a serious conflict with intellectual property
    2. …Apple can terminate access to your music collection, Amazon can delete books you purchased, and Google Play can make movies you bought vanish
    3. If we control our device, we control the stream of information flowing from them
    4. If we control digital houses, we can draw the digital curtains
    5. If we do not win this war–between the freedom model and the feudal model–a few companies will own large tracts of digital assets and everyone else will be a digital peasant
    6. Consumers are dependent on a digital lord, who is dependent on a digital king
    7. Rightsholders don’t want you to be able to sell your used goods. They want each person who wants to buy a device, movie, music, book, and eventually car or house or mini-Segway footboard to have to come and buy a brand-new one from them. That is, they want to destroy our property interests in order to make more money in aftermarkets.
    8. The laws that have until now only governed music, movies, and software are coming to govern everyday life as sensors and software are seeded throughout our environment.
  • Chapter 3 – Surrounded
    1. Devices can record different parts of our life and algorithms meld the results together to get even more information than each data set would have alone.
    2. The linkage of devices serves as a unique identifier. The more devices we carry, the more it is likely that we are the only person in an area carrying that particular configuration, and the more data points about us the devices can independently corroborate.
    3. Big data algorithms then can combine information from both worn and encountered sensors to make broader deductions about me.
    4. Mobile devices follow us across all our contexts, to our club meetings, to rehab, to the doctor, to our parent-teacher conferences, to our homes, on our vacations, to our business meetings, and to the spa. Data drawn from this range of contexts are not just quantitatively greater, but qualitatively more exhaustive and intrusive than data from one context alone.
    5. The centralization of the license-server, intellectual property, cloud-based model of the Internet of Things compromises our ability to command data-enriched resources and control the devices we wear, carry, and encounter. We are degraded financially when we lose money, beaten at the economic game of poker by those who use our devices to see our cards. We are degraded emotionally as relationships of equality give way to centralized control. And we are degraded in terms of our ability to see ourselves as active agents, as people whose choices matter, when we are forced into specific uses (or abuses) of our own property by those who subvert it for their own profit. In short, we lose in every way.
  • Chapter 4 – So What?
    1. If we become digital tenants living at the mercy of digital landlords, we lose our ability to act on our own.
    2. We should be wary of a future in which our ability to express ourselves through control over and preservation of our environment is severely compromised due to the questionable economic claims of intellectual property rightsholders.
  • Chapter 5 – Private Property
    1. …Create a right of privacy that travels with our property when we leave our homes, when we entrust it to those who have promised to keep our secrets, and even when we leave our smartphones unlocked….
    In the first five chapters, Fairfield makes some fascinating points–well supported ones with footnotes that reference law and engaging examples. In fact, I am left wondering just what my Windows 10 laptop is sharing with the world. But then, I knew going in that if I wasn’t using a GNU/Linux machine, I would be leaking private data to the world. In essence, I have traded my privacy for convenience when using all the technologies I have at my disposal, from my smartphone to my Win10 laptop.
    Fairfield does a great job pointing out these troubles in Chapters 1-5. Be sure to stay tuned!



    School Security Summit: Safeguarding Privacy

    Safeguarding student privacy and the security of networks remains a key priority for education leaders. 

    Note: This blog entry was originally published by the TCEA TechNotes blog. Read other awesome blog entries by the TCEA team online at www.tcea.org/blog

    In December, 2016, school leaders came together to match answers to tough questions as they heard from industry experts on ways to protect what is most important to them. In this blog entry, learn how to get access to the powerful presentations and conversations that took place.
    Mark Your Calendars! The 2017 TCEA Technology Leadership Summit is scheduled for Friday, May 12, 2017. Register now for this event.

    How Do I Get the Summit Resources?

    You can access the audio, presentation slides, and more of the sessions online now for a nominal fee ($49). You will need to have a TCEA log in.

    What Exactly Will I Get?

    Presentation slides, pictures, and audio recordings of the high-level speakers will be yours to explore and reflect on. In addition to Bill Fitzgerald’s (of Common Sense Media) keynote, critical areas addressed include:
    • Understanding DDoS Attacks
    • Securing Single-Sign-On (SSO)
    • Security/Privacy Legislative Panel

    TCEA’s Commitment

    TCEA is committed to creating professional learning and networking opportunities that address the needs of Chief Technology Officers (CTOs) and Directors/Coordinators of Technology in K-16 education institutions. Be sure to join your colleagues at the Friday, May 12, 2017 event.


    What’s Your District’s Privacy Process?

    “What approaches do you have in place to safeguard student data and privacy?” From student assessment data to personally identifiable information to counting how many times students visit the restroom, administrators are working to put tracking systems in place. 

    Note: This blog entry was originally published by the TCEA TechNotes blog. Read other awesome blog entries by the TCEA team online at www.tcea.org/blog

    These systems (such as Google Sheets/Form where students submit data about themselves without parental knowledge) make it easier for schools to record and track information on students, but they may also put sensitive data at risk. What is your organization’s process for safeguarding student privacy?

    What’s Your District’s Process?

    “There’s no right or wrong answer,” says Bill Fitzgerald of Common Sense Media, “except to not have a process to evaluate how data will be maintained over time.” Whatever the original positive intent, each campus and/or district should evaluate how it intends to use and share collected student data BEFORE any program to gather that data is implemented. The process may include something as simple as the following:
    1. Prepare the program for a pilot implementation.
    2. Invite stakeholders, including students, parents, and educators, to meet and discuss the proposed program. Some points to ponder:
       • What are the positive and negative aspects of the program?
       • Who will access the digital data and for what purpose?
    3. What does the Committee think about objections by the Electronic Frontier Foundation (EFF) and other organizations that make these assertions (Source)?
       • While there is an expectation of supervision and guidance in schools, monitoring the detailed behaviors of individuals can be demeaning.
       • Tracking and monitoring young people in their development may condition them to accept constant monitoring and tracking of their whereabouts and behaviors. (Source: Chip Free Schools as cited by Slate)

    Conclusion

    Before you purchase and implement a system that tracks students’ movements or data, give serious thought to the process steps you may have overlooked. Doing so can save time and trouble later, resulting in a safer environment.
