The U.S. Department of Education has hired a Chief Privacy Officer. Take a look at the press release here.

This seems like a great thing. Here is what the new CPO will be doing…

She will head a new division dedicated to advancing the responsible stewardship, collection, use, maintenance and disclosure of information at the national level within the Education Department.

Schools keep a great deal of information about their students. They keep names and addresses. Medical information is also kept. It is important to protect and responsibly disclose this info.

Now that there is a renewed emphasis at the national level, when can we expect the states to follow? How about the individual school districts?

I am eager to see how this impacts things at the state level and local schools. You can bet many will be watching.

- Dan

As always, we can learn from example . . .

A little over a month ago I used my 4GB USB flash drive to move a small executable file from one computer to another. After using it I dropped it back into my computer bag like I always do….

Or, so I thought.

…………………………

Life was good and I had no need for the USB drive. But then I really needed it for moving another file between computers that were not networked.

I rummaged through my computer bag. No luck.

I cleaned the extraneous stuff off my desk. Still could not find the drive.

I even removed all the change in the cup holders in my pickup. No joy.

Finally, it was found deep in the bottom of my computer bag, where it was supposed to be.

………………………….

As The Professor used to say in college, “It’s intuitively obvious” that USB drives can be easily lost.

What should we do? Here a couple of ideas…

• Never store confidential information on a USB drive.
• If you must put confidential information on a USB drive, then encrypt the USB drive, or the files on the USB drive. This is pretty easy. You can use a drive from IronKey, or you can use a generic drive with TrueCrypt.

So, be careful out there. Don’t lose your personal information by putting it on an unencrypted USB drive.

- Dan

http://www.huffingtonpost.com/2010/11/01/what-not-to-post-on-facebook_n_764338.html#s157112

I don’t normally spend a lot of time reading The Huffington Post, but this article is full of common sense. Read it. Pay attention to these recommendations. Use the brain that God gave you.

The vacation countdown is a great one. “I’ll be gone. Come rob me!” Oh, noooooooo……

Be smart.

- Dan

According to cnnfn.com, simplification is coming to Facebook privacy configurations. The article starts out with this…

By Ben Rooney, staff reporterMay 25, 2010: 6:25 PM ET

NEW YORK (CNNMoney.com) — Facebook confirmed Tuesday that it will simplify its privacy settings, in a move aimed at quelling growing concerns over how much user information is exposed online.

“I can confirm that our new, simpler user controls will begin rolling out tomorrow (Wednesday). I can’t say more yet,” Andrew Noyes, a Facebook spokesman, said in a statement.

 

You can read the rest of the article to see what is being said.

Of course, Facebook has been talking about privacy settings for a long time. So has the press, pundits and bloggers. Not that I’m skeptical, or anything, but time will tell as to whether Facebook is truly making any useful changes.

While you are waiting for Facebook to make things simple, head on over to http://www.reclaimprivacy.org/ and use their scanner to help you identify and understand your current settings. The tool will also make some recommendations for you.

Was that a black helicopter that I just saw flying overhead?

- Dan

Facebook’s Eroding Privacy Policy: A Timeline

You really need to take a look at this article. It shows how Facebook has slowly and steadily made your privacy disappear.

You should carefully consider how this impacts you.

- Dan

I received an email earlier today from my bank which proudly announced upcoming changes to their on-line presence. This email spoke about the improved ease of use, and the increased security. Additional features, such as changes to bill pay, were also discussed.

It all sounded very nice.

That is, until I took a quick look at who this email was sent to.

The VP who sent this out put over 1200 email addresses in the CC field of this email. Thirty minutes later, he tried to “Recall” this message. (Recalls only work if the recipient is using the same email system as the sender. In this case, the sender was using Exchange, and I’m not…)

So, now I have over 1200 email addresses available to send spam to.

What’s the problem with this?

1. My email address is exposed to over 1200 other folks for them to use as they wish.
2. Most spam filters will block a message with over 10-15 recipients in the list. I’m surprised that this went through.
3. I work hard to keep that particular address from being available to others. Now at least 1200 other people have access to that one.
4. The credibility of the bank has just dropped. If they cannot protect my personal email address, am I to expect them to protect my personal banking info?

Yep, this is a fairly minor situation, but I’m left wondering if I should explore another bank to use…

- Dan

*** Warning ***

This post is not directly related to information security.

Ok. So I just watched the press conference and apology from Tiger Woods, and I saw something that we rarely see. He took confessed the wrongfulness of his actions, and took personal responsibility for what he did. He “has a lot to atone for.”

Here’s what I like…

• He admitted his wrongdoing, unfaithfulness and affairs.
• He said that he is the only person to blame.
• He had convinced himself that he was above the rules.

Here’s what I don’t like…

• An apology took waaaaay too long in coming.
• I wish that he had lived up to the expected behavior of a man, and never made the decisions that led to his unfaithfulness.
• An apology took waaaay too long in coming. (yep, I know that I am repeating myself…) I am aware that sometimes the process of accepting responsibility for sinful actions, and the need for confession, takes a while.

None of us should be so arrogant as to think that we could never fall. Each of us should take active steps to avoid situations and actions that lead to this.

- Dan

Do yourself a favor. Go grab your wallet. I’ll wait for you to get back…

.

..

…

Now, pull all your credit cards out. Grab your debit cards, also.

Look at them closely. Can you identify where each one of them has been used?

Have you ever used your debit card for on-line transactions?

By spreading your credit and debit card numbers out across cyberspace, you are increasing your target profile, and increasing the risk of compromise.

Speaking from experience, you don’t want those numbers to be used without your permission.

Tip: Create a plan and strategy for the use of your cards.

Here are some things you can do. You may do some other things…

1. Never use your debit card for on-line transactions.

Different banks will give differing explanations about your liability for unauthorized transactions. Minimize your footprint.

2. Have one credit card that is only used for transactions you don’t fully control.

(such as on-line transactions or paying for dinner where you give your card to the server and it’s gone for 10 minutes…)

3. Closely monitor the charges to your cards.

Use the on-line tools your card issuer gives you to see what transactions appear.

4. Don’t write your PIN on the back of the debit card, and don’t give it to your kids to use.

Believe it or not, I just noticed that a friend had done this. It’s like writing the burglar alarm code on the door of your house.

5. Don’t use credit and debit cards.

This is somewhat like using the Google Opt-Out that was reported on the Onion News Network. Radical and gets the job done, but probably not all that practical!

These cards are like the keys to your financial kingdom. Guard them!

- Dan

I can remember many, many years ago when my Dad disposed of old tax documents. He just threw them in the trash.

The only redeeming factor was that we lived in the country and burned all of our paper trash.

But, have you ever known anyone to just toss a confidential document in the trash? What is considered “confidential“?

Here are some examples of what you should consider confidential…

• Anything with your Social Security number on it
• Anything with a credit card number on it
• Anything that is a credit application
• Anything with user accounts and passwords
• Anything with bank account numbers

Tip: Purchase a cross-cut shredder and shred confidential documents.

This will help to protect you from identity theft, or someone using your credit to make purchases.

Make you life easier. Shred those documents!

- Dan

You can learn alot by watching people.

I had breakfast this morning and was stunned to overhear someone on their cell phone give the administrative login credentials for the company website to someone else. They also very carefully spelled out the entire URL to the login page.

If I were not trustworthy, I could log into their website and cause havoc.

What’s the moral to this story? You never know who is listening to your conversations. Be careful what you share, and with whom you are sharing.

Let’s keep quiet with confidential information…

- Dan