Understanding Social Media and Website Privacy Policy

Alberto Marmolejo-Daher, Cody Eckhoff, Justin Moore – March 29, 2024

A privacy policy is an organization’s statement of how it collects, uses, stores, shares, and protects consumer data. In this reading we outline what these policies are and connect them to cybersecurity.

Historically, the United States has allowed businesses and institutions to collect their users’ personal information without express consent, regulating only specific sectors such as health, education, and children’s data through acts like the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and the Children’s Online Privacy Protection Act (COPPA).

It’s important to recognize that regulations are under constant development because technology changes so rapidly. The European Union’s General Data Protection Regulation (GDPR), in force since 2018, imposes obligations on organizations anywhere in the world that process the personal data of people in the EU. Here is a good article that explains how the EU’s GDPR applies in the USA. Since 2023, US states including California, Colorado, Utah, and Connecticut have begun enforcing GDPR-like statutes. These laws will change how US companies handle your data; please read the hyperlinked article for more detail.

Organizations such as TikTok, Meta, and X (formerly Twitter) all publish privacy policies meant to tell consumers how their data is managed. The details differ, but the structure is foundationally the same: what information is collected, what is shared with third parties and how, and how long the organization keeps it. For example, Meta collects your feed activity, messages sent and received, payment information, preferences, geolocation, and more. You can find these policies by searching “<company name> privacy policy” in a search engine.

Now that we’ve seen that privacy law is still evolving, we can look at how it relates to your information online. There have been many data compromises in recent years, and organizations are often not transparent when breaches occur. Digital Guardian has a good article on breach disclosure laws, if you’re willing to read about them (I know it’s boring, but a quick skim won’t hurt). Apple devices have a feature (if you store your passwords in the Keychain) that warns you when one of your saved passwords has appeared in a known data leak. You can also use the website Have I Been Pwned (haveibeenpwned.com) to check whether your email address has appeared in a data breach.

In cybersecurity, we have some key terms to identify data types that appear frequently in privacy policies. Some of these you may have heard of:

  • PII: Personally Identifiable Information, any data that can identify a specific person (name, home address, date of birth, email address)
  • SPII: Sensitive Personally Identifiable Information, PII whose exposure could cause serious harm to the person (Social Security numbers, financial account numbers, biometrics)
  • PHI: Protected Health Information, individually identifiable health information covered by HIPAA

In addition to these terms, here are five recommendations for protecting your privacy and data.

  • Don’t post PII on social media; it may be used to answer password-reset security questions such as the names of pets or relatives, your high school mascot, and so on.
  • Most organizations collect sensitive data, and if the organization is breached, whatever you gave it is exposed too. Assume any account could leak, and choose usernames and passwords with that in mind.
  • When choosing usernames, avoid anything that can be linked back to you and used to find more of your personal data.
  • Do not reuse passwords across accounts. If a threat actor gets your Facebook username and password, what stops them from trying the same pair at your bank?
  • Enable multifactor authentication (MFA), often called two-factor authentication (2FA), on your devices and accounts. If your password is compromised, the attacker still needs the second factor, such as an authenticator app code, a hardware security key, a push prompt, or biometrics.


Defense Against Social Engineering

Alberto Marmolejo-Daher, Cody Eckhoff, Justin Moore – February 29, 2024

Defense against social engineering! It just rolls right off the tongue, doesn’t it? Social engineering is manipulating people into disclosing private or sensitive information, or into taking actions that compromise security, by exploiting how they perceive and trust others. So, let’s learn how social engineering works and how to identify it.

First, every social engineering attack has a lifecycle. It begins with investigation, where a threat actor selects a target and a method. Next, a convincing narrative is built to exploit trust through familiarity or urgency; think of this as bait being set on a hook. Then the victim is tricked into a compromising action, such as opening an infected attachment or divulging sensitive information: the target takes the bait. In the exit stage, the attacker covers their tracks, because from the attacker’s point of view there is no better attack than one the victim never noticed. While the ploy stays hidden, the attacker can escalate the attack, keep collecting information, or, often, both.

The lifecycle may end right after the attack; say an attacker steals bank account details and withdraws money, which you will hopefully notice and fix immediately. But if the attacker has gotten into the account of someone valuable to an organization, they may extend the attack to create backdoors or collect more information. The longer the attack goes undetected, the greater the damage.

Now that we’ve described the lifecycle, we can get into the details. Manipulators draw on several social roles and cues to craft messages that disguise their malicious intent. Often, people’s trust is exploited through authority, familiarity, or consensus; many other times, people are coerced through intimidation, urgency, or scarcity. Be cautious about unexpected requests for sensitive information: verify the identity of the person or organization making the request, and question the legitimacy of unusual or urgent situations.

For example, an attacker may impersonate your organization’s IT department and ask for your password “to verify your account”, warning that the account will be deleted if you don’t comply. This narrative fakes authority and creates urgency to make the user act. Instead of going along with the impersonator, the user should stop interacting and check the request through a channel they already trust, such as the help desk number in the organization’s directory. Remember, it’s okay to take time to verify before sharing any personal or sensitive information.

Let’s look at a common scam that occurs daily. The images below show some real scam email messages that you may receive.

As seen in the examples above, these scams often seem too good to be true, and that’s because they are. They typically offer hundreds or thousands of dollars a week for a remote job and ask you to click a hyperlink; it is never a good idea to click a link in an email from someone you don’t know. Another way to recognize these scams is bad grammar and odd formatting, such as the capitalization of “part-time job” in the first example.

We could talk all day about types of scams, but here are some interesting ones to read up on:

Never interact with scammers or the content they send. But if you’re curious and want to investigate the links these phishers send, you can use open-source tools like:

Is ChatGPT Taking My Data?

Alberto Marmolejo-Daher – January 30, 2024

Can using ChatGPT compromise my data or my organization’s data?

Alrighty folks, let’s *chat* about the use of OpenAI’s ChatGPT tool! Anyone? No? Okay then. Generative AI can be a fun and useful supplement to your workflow, whether at school or at work. Yet there are security concerns we should all have about its use. Should we assume that ChatGPT and other generative AI tools are automatically secure, and that there is no possibility of sensitive or proprietary data being compromised?

First, let’s cover some of what we find online. Cybernews’ article on a report by LayerX shows employees regularly using generative AI. LayerX collected data from 10,000 employees who used its browser extension. Fifteen percent of those employees had pasted company data into the AI tool, and nearly a fourth of the pasted data was considered sensitive. The report also finds that six percent of employees had pasted sensitive data at least once and four percent do so regularly. Of the data employees pasted, 31% was source code, 43% was internal business information, and 12% was personally identifiable information (PII).

Based on that data, we know that sensitive and proprietary information ends up outside the organization’s control, where it is exposed and may put other data at risk. Leaked PII can be used to craft convincing phishing attacks, putting user accounts at risk, which may lead to more serious cyberattacks.

Well, if OpenAI secures ChatGPT and keeps it secure, then we won’t have to worry, right? As an article from Interesting Engineering shows, users’ chat histories can be leaked unintentionally. Another article, from The Hacker News, reports that stolen ChatGPT account credentials were sold on illicit marketplaces. If ChatGPT is becoming more involved in workflows that handle sensitive data, then a compromised ChatGPT account or leaked chat history means compromised proprietary data.

Next steps…

Let’s say you want to keep using ChatGPT in your workflow. Tech.co has a great article on this subject; here is our summary. By default, your conversations may be used to train OpenAI’s models, so don’t put data you can’t afford to expose into it; opt out of sharing your data in the settings. Don’t share creative work you aren’t okay with being reproduced in other people’s conversations. Financial conversations with the chatbot can also put you at risk, so when discussing finances, do not share credentials, account information, or documents containing them. Don’t enter any PII, because it can be used for impersonation or password resets. Always be mindful of what data you put on the internet, and know how organizations use and store your data.

Insecure Internet Connections

November 28, 2023: Jasmine Fitt, Alberto Marmolejo-Daher, Cody Eckhoff

Have you ever connected to a coffee shop’s public Wi-Fi?

If so, your data and privacy may be at risk! While convenient, public Wi-Fi networks and hotspots in malls, airports, and stores can be unsafe. Much free Wi-Fi is open (unencrypted), meaning anyone in range can capture your traffic and read whatever isn’t protected by another layer of encryption such as HTTPS.

Most websites now encrypt your traffic with HTTPS, which protects the contents even on an open network, but you can never be too careful: the network operator and anyone else on it can still see which sites you connect to, and a malicious hotspot can try to redirect you to a fake one. Avoid accessing sensitive accounts such as banking, email, or social media while on public Wi-Fi.

HTTP and HTTPS: What’s the difference, and why is it important?

To the untrained eye, the text in the address bar may seem meaningless, but one character tells you whether your connection to that website is encrypted.

Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are the sets of communication rules between the client (your browser) and the server (the website’s host). As you may have guessed, HTTPS is HTTP carried over TLS, which encrypts the data in transit and lets the browser verify, through the server’s certificate, that it is talking to the domain shown in the address bar. Data sent over plain HTTP is unencrypted and can be read, and even modified, by anyone who intercepts it; data sent over HTTPS cannot be read by an interceptor.

To tell whether your connection to a website uses HTTP or HTTPS, look at the address bar. If the address starts with https:// or shows a lock symbol, the connection is encrypted; both mobile and desktop browsers show this. If it isn’t there, don’t use that website, or proceed with extreme caution when entering any information. One caveat: the lock only means the connection is encrypted to whoever owns that domain. Phishing sites get HTTPS certificates too, so the lock says nothing about whether the site is the one you think it is; the domain name does, as the next section shows.

Some websites are imposters

Remember that phishing comes in all shapes and sizes, and the devious tactics scammers use are constantly changing.

One common scam presents the user with a phony website that looks real, to gain the user’s trust and then their information. Let’s run through a phishing scenario.

Say you receive an email from your organization telling you to change your password under its yearly password-change policy. The email includes a link to the organization’s website, and you click it. The site looks legit: the same colors and logo you’re familiar with, and everything is grammatically correct. Are you sure you should change your password on this site?

To find out, look at the address bar and check that the domain really is your organization’s: not a look-alike spelling, not your organization’s name tacked onto someone else’s domain (yourorg.edu.account-verify.example), and not your organization’s name placed before an @ sign, where a browser treats it as a username rather than the site. On a phone, where the address bar is truncated, that key detail is easy to miss!

Always check your organization’s policies so you know what actions are actually required of you; scam requests often ask for something you are not required to do at all. Look at who sent the email: if it isn’t from the organization’s official domain, don’t click anything in it. And when in doubt, don’t use the link at all; type the organization’s address yourself or use a bookmark.
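The checks described in this section, in the scam-email discussion earlier on this page, and in the HTTP vs HTTPS section, as an added example that is not part of the original posts. It pulls the links out of a constructed email and then flags the tricks a phishing link relies on: a non-HTTPS scheme, a host that merely contains the organization’s name (yourorg.edu.evil.example), a user-info trick (https://yourorg.edu@evil.example/), a raw IP address, a punycode/IDN host, and link text that shows one address while the href points to another. The organization’s domain example-university.edu and the sample email are assumptions for illustration, and the host check is a plain label-boundary suffix comparison rather than a Public Suffix List lookup, which production code should use.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption for the example: the organization's real domain.
EXPECTED_DOMAIN = "example-university.edu"


def host_is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it. The check is on
    a label boundary, so 'notexample-university.edu' does not match."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze_link(href: str, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return the red flags for one URL; an empty list means it looks fine."""
    findings: List[str] = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        findings.append(f"not HTTPS (scheme={parts.scheme or 'none'!r})")
    if parts.username is not None:
        # 'https://good.example@evil.example/': everything before '@' is userinfo
        findings.append(f"text before '@' is not the host; the real host is {host!r}")
    if not host:
        findings.append("no host in URL")
        return findings
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode/IDN host, possible look-alike characters")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a domain name")
    if not host_is_under(host, expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain!r}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def shown_host(text: str) -> Optional[str]:
    """If the visible link text itself looks like a URL or domain, return its host."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "https://" + text
    return (urlsplit(url).hostname or "").lower() or None


def scan_email(html: str, expected_domain: str = EXPECTED_DOMAIN) -> Dict[str, List[str]]:
    """Map every href in the email body to its list of red flags."""
    report: Dict[str, List[str]] = {}
    for href, text in extract_links(html):
        findings = analyze_link(href, expected_domain)
        shown = shown_host(text)
        real = (urlsplit(href).hostname or "").lower()
        if shown and shown != real:
            findings.append(f"link text shows {shown!r} but the link goes to {real!r}")
        report[href] = findings
    return report


# Constructed sample: one look-alike link and one genuine link.
SAMPLE_EMAIL = """
<p>Your annual password change is due. Use the link below within 24 hours:</p>
<a href="https://example-university.edu.account-verify.example/reset">https://example-university.edu/reset</a>
<p>Or sign in through the portal:</p>
<a href="https://sso.example-university.edu/password">Change your password</a>
"""

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for flag in flags or ["no red flags"]:
            print("  -", flag)
```

Run it and the first link is reported twice (the host is not under example-university.edu, and the visible text disagrees with the href), while the genuine SSO link passes; the same analyze_link() check applied to http:// links is the programmatic form of the address-bar inspection described above.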

Resources

https://aws.amazon.com/compare/the-difference-between-https-and-http/