Data Privacy & Security Service Digital Digest Spring 2017

Data Privacy & Security Service

Issue 8 Data Privacy & Security Service

Spring 2017 (Issue 8)

Data Privacy & Security Service

Issue 8


Article by New York State Office of Information Technology Services:

One of the most common online scams is called phishing. Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by masquerading as a trustworthy entity. Online scammers will pose as legitimate busi- nesses, organizations or individuals. If they are able to gain the trust of their victims, they can leverage this trust to convince victims to willingly give up information or click on malicious links or attachments. Online scammers can make their communica- tions appear to be those of legitimate businesses or organizations by spoofing the email address, creating a fake website with legitimate logos, and even providing phone numbers to an illegitimate customer service center operated by the scammers.

Two common types of phishing attacks:

In This Issue

Page 1:  Phishing Attacks– Are You at Risk? Page 2:  Phishing Attacks (Continued)  Attack Your Friends to Save Your Data  Schools Are Not Immune from Phishing Attacks Page 3:  Parental Consent, Opting-In and Out  The LinkedIn Phishing Attack: How They Did it  Comptroller’s Corner Page 4:  A 10-Digit Key Code to Your Private Life: Your Cellphone Number  Products for Parents  How Well do you Know Texting Lingo? Page 5:  A Not So Funny Accidental Order  Recent Data Breaches  NY District Targeted by Phishing Attack

 Phishing Email – One of the best known forms of phishing is an email scam. An email, purporting to be from a popular company, may ask you to click on a link in order to fix a problem with your account. In other instances, the

email message may threaten to close your account if you do not respond. Scam- mers often use threats that your security has been compromised in order to in- crease the likelihood that the recipient will respond.  Spear Phishing - Spear phishing is a personalized email attack in which a spe- cific organization or individual is targeted. These attacks are prepared using infor- mation about an individual to make the email appear to be legitimate and induce the recipient to divulge sensitive information or download a malicious file. Such preparation is often based on extensive information gathering on the targets and has become one of the favored methods used in cyber espionage.  Phishing scams can be difficult to identify, however being aware of the threat and being vigilant in examining emails can reduce the risk that you will fall prey to such an attack.  Be cautious about all communications you receive, including those that purport to be from "trusted entities." Be careful when clicking any links contained within those messages. If in doubt, do not click.  Do not send your personal information via email. Legitimate businesses will not ask users to send sensitive personal information through email.  Keep an eye out for telltale signs - poor spelling or grammar, the use of threats, the URL does not match that of the legitimate site.  Be wary of how much information you post online. The less information you post, the less data you make available to a cybercriminal for use in developing a potential attack or scam. Recommendations:

Questions to think about:

Where is your district data?

Who is responsible for data in your district?

Do those responsible for data know


Data Privacy & Security Service

Issue 8


Additional Resources from New York State Office of Information Technology Services:

 Enterprise Information Security Office Newsletters:

 Annual New York State Cyber Security Conference:

 Microsoft:

 Anti-Phishing Working Group:

 Using Cyber Common Sense to Combat Threats to Privacy and Security: stories/using-cyber-common-sense-to-combat-threats-to-privacy-and-security For more information about the Enterprise Information Security Office and how to keep safe online, please visit . Cyber Security Is OUR Shared Responsibility.

A New Source of Phishing Information: Your Friends

With friends like that, who needs enemies or so the idiom goes and has been reborn in the age of cyber ransom. Ransomware is a tool hackers use through phishing to get quick cash. This new tool has been reinvented with a new scheme called Popcorn Time . This ransomware scheme offers release of your data for $775 or 1 Bitcoin. But wait, you don’t have the money or the bitcoin? Give up the email addresses of some of your friends and your files will be re- leased.

Additional Resources

Here are some suggestions for dealing with a ransomware attack: 1. Don’t click on a link from someone you don’t know or that looks suspicious 2. Educate yourself on the latest cyber secu- rity issues 3. Review your security protocols and make sure they are up-to-date.


Schools are not Immune from Phishing Attacks

Many believe that schools are not a prime target of scammers and phishing attacks. However, they are at the top of the lists of organizations that hackers want to target. The reason for this is that schools hold a significant amount of PII on students and staff. The data that schools possess allows hackers to assume the identities of persons whose data they steal. As shown in the below articles, phishing and hacking is not exclusive to school administrators. There are a variety of ways that hack- ers can get in. Simply compromising a secretary’s login to an SIS system could provide the hacker

with a significant amount of PII. Other examples could be a teacher logging into a website that allows the hacker to install ran- somware on a workstation. Using this type of access, the hacker then could gain entry to the district’s network and essentially take control of the district’s data. For these reasons, it is important that districts educate their staff on how to identify and avoid phishing and ransomware attacks. Additionally, district IT staff should regularly review and assess preventative measures against ransomware. This includes internal filters and firewalling to limit the scope of a potential attack.  LA School Pays $28,000 Ransomware Bill  L.A. County employees victim of phishing email that may have impacted 756,000  Cyber attackers hold Valley College hostage  Phishing attack compromises Olympia School District employee data  Superintendent's email hacked  East Baton Rouge school system caught up in bizarre 'phishing' email fraud, $46,500 lost in wire transfers  Ransomware Attacks Force School Districts to Shore Up—or Pay Up Below are just a few examples of recent phishing attacks against educational organizations:


Data Privacy & Security Service

Issue 8


The publication titled “Student Data: Trust, Transparency, and the Role of Consent” addresses the practical implications of consent requirements (opt-in, opt-out) both for day-to-day school management and for the education system as a whole. It ex- plores how existing federal laws, including the Federal Educational Rights and Privacy Act (FERPA), protect student data. If your district has struggled with deciding what to include in “Directory Information”, this publication will help. Generally, the publication proposes that in lieu of focusing on the technicalities of parental consent requirements, legitimate privacy concerns must be addressed in a manner that protects all students. It argues that parents should never have to opt-out

Additional Resources

The following are some additional re- sources that may help to guide your district in developing policies around consent: 1. Student Data and Consent Policies 2. Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices

of embracing new technologies in order to protect their children’s privacy. Instead, to foster an environment of trust, schools and their education partners must offer more insight into how data is being used. With more information and better access to their own data, parents and students will be better equipped to make informed decisions about their education choices.

View the full article here .

The LinkedIn Phishing Attack: How They Did It

Over the last few months several phishing attacks have been carried out against LinkedIn users using LinkedIn itself. The following article details how the attacks were and are being carried out. This summary serves as an important example of why users cannot assume that a message is le- gitimate even if it is shared via the service itself. Hackers have found many ways to attempt to steal users data, many of which seems perfectly legitimate.

Additional Resource What can a district do to help its users avoid phishing attacks and what limita- tions exist when educating users about phishing?

DARKreading has a detailed article avail- able here that provides some insight.

View the full article here .


In this month’s Comptroller’s Corner, we feature a website from the Privacy Rights Clearinghouse. This website features information on data breaches that have been made publically available. This site allows filtering by organization, years, and

types of breaches. Why might you want to look at this website? Well, the answer is simple: The best form of security is aware- ness. By knowing what breaches have occurred recently, organizations can stay ahead of the curve and implement policies and procedures that may prevent future data breaches that other organizations have suffered. Visit the Clearinghouse here .

The Comptroller released an Audit of the Holland Patent Central School District’s Student Information System (SIS) on January 13, 2017. The audit focused specifically on access to the SIS and rights of users. The key findings of the audit included that users were granted access to areas that were not relevant to their job functions, and users were also given rights to assume another user’s account and identity when it was not necessary for their job function. The audit expressed that it is important for dis- tricts to assure that users have the appropriate rights for their job functions. Additionally, districts should continuously review permissions granted to users and adjust as appropriate.

View the contents of the full audit here.


Data Privacy & Security Service

Issue 8


Products for Parents Net Nanny This software can block websites or types of websites from a child’s phone. It can also be set to warn parents if keywords are searched such as suicide or pornography. Teensafe This product allows parents to view text messages that are sent, received and deleted. Parents can view call logs of incoming and outgoing calls; view their child’s web browser history and see a list of all third-party applications installed on their child’s phone. Parents have access to their child’s contacts list. They can view sent and received “WhatsApp” messages or “Kik” on iPhones. And parents can see their teen’s current smartphone location on a map as well as a history of the phone’s location. SecureTeen SecureTeen assists parents to keep track of their child’s internet use as well as making sure the child is not being stalked or cyberbullied. It blocks dangerous content and manages time online. It is also available for computer use. The next time someone asks for your cell phone number, think twice. Your cellphone number is just as important as your Social Security Number and should be kept just as secure. Cellphone numbers are being used to link private information maintained by companies, banks, and social networks. “It can be used to monitor and predict what you buy, look for online or even watch on television” (¶2). Edward M. Stroz, a former high-tech crime agent for the F.B.I. says that it is “kind of a key into the room of your life and information about you” (¶3). Companies that have your cellphone number have no legal obligation to keep it pri- vate. Read the full article here Click here for the full report


In today’s digital world texting shorthand has become ubiquitous. Children and teens are constantly using their phones to communicate with one another. This communication happens through a variety of means such as texting, tweeting, Snapchat, Instagram etc. As with all forms of communication, children and young adults attempt to hide what they’re talking about from their parents and other adults. It is important that adults are aware of what some of the lingo means. While some of the shorthand is harmless such as “G2G” (got to go), other shorthand can be more concerning such as “GYPO” (get your pants off). On the right, we have listed some examples of common texting shorthand that may seem innocuous, but really are not.

Common Texting Shorthand

1. 1174– the meeting place, at 2. 420– Marijuanna 3. 53X—Sex 4. CD9– Code 9 (Parents are around)

5. GNOC– Get Naked on Cam 6. GYPO– Get Your Pants Off 7. PIR– Parent in Room 8. POS– Parent Over Shoulder 9. S2R– Send to Receive (Commonly referring to pic- tures of each other) 10. IWS– I Want Sex Sources: terms-kids-dont-want-you-know

CBS News recently ran a segment about texting shorthand which can be seen here .

For more information on cyber safety and teaching children how to use technology responsibly, visit the Safe and Secure Online Website . acronyms-every-parent-should-know/


Data Privacy & Security Service

Issue 8


Data Privacy and Security Service Digital Digest Spring 2017

A Not so Funny Accidental Order

Recently, owners of Amazon’s Echo have been sur- prised to find orders at their doorstep that they do not recall ordering. As it turns out, the order was placed on their account, though they did not place it. Their Ama- zon Echo actually placed the order on their behalf. How does this happen?

The Amazon Echo has the ability to place orders on its owners behalf with only a simple command “Alexa order me...” The good news is that you can turn off this unfortunate feature by disabling voice purchasing or by requiring a confirmation code before every order. While the stories related to the Echo are entertaining and relatively harmless, these stories do show that storing all your information in one location , while con- venient, can have unintended consequences. Sometimes an extra step or two is worth the extra few seconds it takes to complete a purchase or to login to a web- site.

For further information contact your local RIC. Click here to find your local RIC contact.

Read the full report here .

For Subscribers to Service:

Recent Data Breaches

Digests & Archived Digests

Chicago Public Schools notifies families of student data breach

Digital Debriefs

Chicago Public Schools (CPS) notified the families of approximately 30,000 students that personally

Inventory Tool

identifiable information containing students’ names, addresses, grade levels and current ele- mentary schools was inadvertently released to a charter school and used by the charter school in an unsolicited postcard advertising campaign. The breach was a violation students’ privacy and district policy.

Information Security Online PD for Teachers

Digital Blasts

For more information click here .

New York District Targeted by Phishing Attack

A district in Nassau County was targeted by a phishing attack in early February. The users in the district recognized that the e-mail was questionable and did not re- spond to the e-mail. After receiving the e-mail, they followed their notification pro- cess and notified the appropriate staff in district. This e-mail can be used as an ex- ample with district staff of what a potential phishing attack looks like.

Summer Digest:

 Data Privacy in the Age of the Internet of Things

Find the contents of the e-mail that was sent to users in the district here .


Page 1 Page 2 Page 3 Page 4 Page 5 Page 6

Made with FlippingBook flipbook maker