Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that now fall into the category of what we would call the Internet of Things: items like home security, home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well, threats that can and will be exploited if unsuspecting users don’t secure them. Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often either don’t know how to patch their own machines (and in this case, devices) or have glanced over how to do it and just don’t bother, or if automatic patching is available, they don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security. If available on your IoT device, enable automatic download of patches and updating of your system. Don’t leave your IoT device configured with the default password that it comes with; change it to a secure password (and if you don’t know if yours is secure enough, test it in The Password Meter). Read the user’s manual to find out how to enable your device’s security yourself.

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house? Fine. Just follow the necessary security practices to really keep your home and its data secure.

Have you been hacked? I (potentially) have

The other day the New York Times, on their online site, had a little interactive quiz – have you been hacked? Based on the most recent well-known hacks, they asked some simple questions, such as “have you purchased anything from any of these stores (sic), or do you have a job with the US government, or have you worked for the US government in the past two years?”

I was able to say no to the US government question, but I failed the rest of the test: I have a Twitter account; I’ve shopped at Home Depot and Target in the past two years; and probably most importantly, my health insurance is with Blue Cross Blue Shield of Georgia, which is owned by . . . Anthem.

So what’s the tally?

  • My address, twice
  • My birthday, once (presumably from the Anthem hack)
  • My credit or debit cards, twice
  • My e-mail (potentially up to three different e-mail accounts), four times
  • My employment history, once.  This one is somewhat murky, as Anthem would have access to how long I’ve been a professor at Armstrong State, but I don’t think a hacker could get the details of my employment (performance reviews, etc) from Anthem
  • My health history, obviously from Anthem, twice
  • My password (encryption), once.  Since I don’t use the same password for each site, this one may not be that scary.
  • And, of course, my Social Security Number, presumably from the Anthem breach, once

So, what does someone do about all of these intrusions? There are several suggestions, the first of which, of course, is to check your credit history. Check your bank and credit card statements regularly. Change passwords, which I’m probably a bit overdue on for some sites. Use a password manager, which I do. Secure your wireless access point (router). Use and update your anti-virus software. Unfortunately, beyond these suggestions, there isn’t much an individual can do. Just understand that no one is going to protect you – you have to protect yourself.

BYOD – becoming a thing of the past?

Two years ago, as a summer research project, I investigated BYOD policies: what are the elements of a sound BYOD policy; who has them, who doesn’t; and whether they are effective. It was a lengthy process, and I presented my findings at a colloquium of my college in October, 2013. Not only that, but that Fall Semester, I had my Cyber Security I (Fundamentals of Information Security) class craft an effective BYOD policy as part of their semester group project.

Two years ago, it seemed that BYOD was going to be the future of mobile devices in organizations, and that mobile device management (MDM) policies, especially automated MDM policies from 3rd party vendors, were going to be controlling BYOD in the organization. Still, as several students pointed out in class, if companies would just “hand out” mobile devices instead of allowing BYOD, the need for managing personal devices in the workplace would slowly disappear.

According to this article from Computerworld this week, it’s starting to come to that.  In the article, Jack Gold, an analyst at J. Gold Associates, stated that:

“There certainly is a curtailment of BYOD from where everyone thought it would be a couple of years back,” Gold said. “Companies are much more cautious now, knowing that the benefits of BYOD often don’t outweigh the risks.”

For many companies, the presumed cost-savings in letting employees use their own devices just hasn’t outweighed the security and management headaches of BYOD.

Gold cited the rise of the use of cloud-based file-sharing services such as leading to the slow demise of BYOD.  If employees can save their personal docs and photos in the cloud, they don’t need to worry about losing them if the worker leaves the company and has to return the device. As a result, employees are more willing to accept the use of employer-provided devices, knowing that their personal data is elsewhere.

While BYOD has not disappeared from the workplace, it appears that, for many of the security reasons I identified two years ago, it’s in decline. And for security-conscious organizations that want to segregate their employees’ personal lives from their work lives, that’s a good thing.