Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that are now in the category of what we would call the Internet of Things: items like home security, home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well.  Threats that can and will be exploited if unsuspecting users don’t secure them.  Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often either don’t know how to patch their own machines (and in this case, devices), or have skimmed over how to do it and just don’t bother, or, if automatic patching is available, don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security.  If available on your IoT device, enable automatic download of patches and updating of your system.  Don’t leave your IoT device configured with the default password that it comes with; change it to a secure password (and if you don’t know if yours is secure enough, test it in The Password Meter).  Read the user’s manual to find out how to enable your device’s security yourself.

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house?  Fine.  Just follow the necessary security practices to really keep your home and its data secure.

New Year, Same Scams

The Tax Season is upon us, and once again the “IRS Scam” will be rearing its ugly head.  As I teach my students, as I’ve discussed in public lectures and presentations, this is one of the most insidious scams out there, and one that’s easily avoided.  Except that most people, especially seniors who were raised to trust and respect authority, continue to fall prey to it.  Face it, if you’re confronted with a phone caller who tells you that you might be served a warrant, your first instinct would be to be scared.  Your second might be to comply.  Except that you shouldn’t.

That’s because the IRS will NEVER initially call you regarding ANY issue.  The keyword here is initially.  If the IRS wants to contact you, they will initially send you a letter.  That’s right, via “snail mail,” i.e., the US Postal Service.  Once you have that letter, you might need to call THEM, and then you can establish a phone dialogue, but their initial contact with you will be via mail.  If you receive a phone call that you are not expecting from someone claiming to be from the IRS, just hang up (or, if you are being more adventurous, dare them to serve you with the warrant, and then hang up!).

It’s not just the IRS scam.  The Microsoft Tech Support scam is still alive and well, especially now that many have downloaded and installed Windows 10.  When you get a call from someone saying that they’re from “Microsoft Tech Support,” the first thing you must ask yourself is, “Am I expecting this call?”  The second thing you must ask yourself is, “How do they even know what operating system I’m running?”  But, in the end, you need to know that the REAL Microsoft Tech Support will never call you out of the blue.  They will call in response to a request from you, but never without such a request.  If you get a call like this, you could play around with the caller a bit and ask him or her if they know what OS you’re running, what service pack or version you’re running (even if you don’t know what version you’re running), but it’s best just to hang up.  And never, never, never give any identifying information (user IDs, passwords), let alone a credit card number.  Just hang up.