Tag Archives: Cybersecurity

Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that are now in the category of what we would call the Internet of Things.  Items like home security,  home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well.  Threats that can and will be exploited if unsuspecting users don’t secure them.  Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two of the “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often don’t know how to patch their own machines (and in this case, devices), or have glanced at the instructions and just don’t bother, or, if automatic patching is available, they don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security.  If your IoT device supports it, enable automatic downloading and installation of patches and updates.  Don’t leave your IoT device configured with the default password it shipped with; change it to a secure password that you use nowhere else (and if you don’t know whether yours is secure enough, test it in The Password Meter).  Read the user’s manual to find out how to enable your device’s security features yourself.

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house?  Fine.  Just practice the necessary security practices to really keep your home and its data secure.

New Year, Same Scams

The Tax Season is upon us, and once again the “IRS Scam” will be rearing its ugly head.  As I teach my students, as I’ve discussed in public lectures and presentations, this is one of the most insidious scams out there, and one that’s easily avoided.  Except that most people, especially seniors who were raised to trust and respect authority, continue to fall prey to it.  Face it, if you’re confronted with a phone caller who tells you that you might be served a warrant, your first instinct would be to be scared.  Your second might be to comply.  Except that you shouldn’t.

That’s because the IRS will NEVER initially call you regarding ANY issue.  The keyword here is initially.  If the IRS wants to contact you, they will initially send you a letter.  That’s right, via “snail mail,” i.e., the US Postal Service.  Once you have that letter, you might need to call THEM, and then you can establish a phone dialogue, but their initial contact with you will be via mail.  If you receive a phone call that you are not expecting from someone claiming to be from the IRS, just hang up (or, if you are being more adventurous, dare them to serve you with the warrant, and then hang up!).

It’s not just the IRS scam.  The Microsoft Tech Support scam is still alive and well, especially now that many have downloaded and installed Windows 10.   When you get a call from someone saying that they’re from “Microsoft Tech Support,” the first thing you must ask yourself is, “am I expecting this call?”  The second thing you must ask yourself is “how do they even know what operating system I’m running”?  But, in the end, you need to know that the REAL Microsoft Tech Support will never call you out of the blue. They will call in response to a request from you, but never without such a request.  If you get a call like this, you could play around with the caller a bit and ask him or her if they know what OS you’re running, what service pack or version you’re running (even if you don’t know what version you’re running), but it’s best just to hang up.  And never, never, never, give any identifying information (userids, passwords), let alone a credit card number.  Just hang up.

One thing you should do if you’re into the Internet of Things (IoT)

A July 7 article in Computerworld detailed The Internet of Things: Your Worst Nightmare.

Author Preston Gralla described the nightmare that would ensue when all of our home media devices, appliances, and even our electric (well, battery powered) toothbrushes are connected to a wireless access point (WAP) router, and that router fails.  Now I haven’t had the problem of having a WAP burn out (ever), but nonetheless, his article discusses what happens when each of those devices has to be re-authenticated to the replacement wireless network.  After reading his article, I’m not sure that I want to be involved with IoT, but more and more of our electronics are.  It’s just a matter of time before most of our household devices are connected to the Internet.

So what’s the one thing you should do if your devices are part of IoT? You need to make sure that your WAP is secured with a nearly unbreakable password or passphrase.  Way too many users bring wireless routers into their home, connect their devices to it, and never enable the WPA2 security.  And even if they do, they usually just keep the default password (here I’m presuming it’s a simple password) or create their own simple password (“password”, “12345678”, etc.).  Full disclosure here – my ISP-provided WAP came with a default password, and I kept it.  But this password has SIXTEEN characters, randomly generated, and includes alphas and numbers.  So given that I determined it was unbreakable (well, www.thepasswordmeter.com did that for me), I kept it.  But I certainly would have changed it if it had been something simple, and if yours is, you should change it, too.
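To put a number on “nearly unbreakable”, here is an added example (my own code, not from the post) that computes the entropy of the kinds of WPA2 passphrases contrasted above and the time an attacker would need to try every possibility.  The guess rate of ten billion per second is an assumption chosen to favour the attacker, and the 62-symbol alphabet assumes upper- and lower-case letters plus digits; the arithmetic only applies to passwords that really were generated at random.

```python
import math
import secrets
import string

# ASSUMPTION: an attacker able to try 10 billion guesses per second. Real
# offline attacks on a captured WPA2 handshake are orders of magnitude
# slower, so this deliberately favours the attacker.
GUESS_RATE = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from an
    alphabet of alphabet_size symbols.  This only holds for passwords that
    really are random; a human-chosen "Password1" has far fewer bits than
    its length and character classes would suggest."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guess_rate: float = GUESS_RATE) -> float:
    """Years needed to try every password in a space of 2**bits guesses
    (the attacker's worst case; on average they succeed in half that)."""
    return (2.0 ** bits) / guess_rate / SECONDS_PER_YEAR


def random_alnum_passphrase(length: int = 16) -> str:
    """Generate a passphrase like the 16-character random alphanumeric
    default discussed above, using the OS CSPRNG via the secrets module
    (never the random module, whose output is predictable)."""
    alphabet = string.ascii_letters + string.digits  # 62 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare() -> dict:
    """Bits of entropy and years-to-exhaust for the passphrase shapes the
    post contrasts: an 8-digit default, 8 random lowercase letters, and
    the 16-character random alphanumeric string."""
    candidates = {
        "8 digits (e.g. 12345678)": (10, 8),
        "8 random lowercase letters": (26, 8),
        "16 random upper/lower/digits": (62, 16),
    }
    return {
        name: {"bits": round(entropy_bits(a, n), 1),
               "years": years_to_exhaust(entropy_bits(a, n))}
        for name, (a, n) in candidates.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:32s} {r['bits']:6.1f} bits  {r['years']:.3g} years")
    print("suggested WPA2 passphrase:", random_alnum_passphrase())
```

The 8-digit default falls in well under a second at the assumed rate, while the 16-character random string comes out at roughly 95 bits, on the order of a hundred billion years.  The gap is entirely in the randomness and length, which is why a dictionary word with a digit on the end gets none of that benefit no matter how a meter scores it.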

You just never know when your refrigerator is going to get hacked and start melting your ice cream!

So does life imitate art, or is it vice-versa?

A few weeks ago, I guess at the beginning of March, CBS debuted its much-hyped fourth venture into the Crime Scene Investigator world – CSI: Cyber.  It didn’t hurt that the lead FBI agent was played by Patricia Arquette, who had just won the Academy Award for Best Supporting Actress, a point not lost on CBS, which made no bones about it in its advertisements for the show once she had won.  Considering that I enjoyed her performance in NBC’s Medium, and that I teach Cyber Security, I figured I’d give it a try.

Now I’m no media critic, but to me, the characters were not only stock characters from central casting, they just didn’t ring true.  The technical constructs also did not ring true – I don’t know of any code editor that will display malicious code in red.  But the one thing that seemed incomprehensible, even in this day of the Internet of Things (IoT), was that the central premise of the premiere episode was that someone was hacking into bedroom baby-cams in order to use them to kidnap babies.  The “unsubs,” as they are known, were hacking in, making it seem like the children were still in their cribs, breaking into homes, and taking the children.  The whole thing sounded preposterous, until . . . “Wireless baby cam hacked” (from Computerworld):

It didn’t happen just once, an unnamed mom told KTTC. “We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off.” At one point, the family faced the camera “toward the wall, and then a few hours later we accessed the Foscam, and it wasn’t facing the wall, it was facing the closet.”

“We were able to track down the IP address through the log files within the Foscam software and found out that it was coming from Amsterdam,” the mom said. “That IP address had a web link attached to it.” After following the link, she found, “at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

After searching through “thousands and thousands” of pictures coming from IP cameras, the family saw their nursery. “You can literally just sort by whatever country suits your fancy, and whatever room suits your fancy,” the mom said. “It’s pretty sick.”

So now we have to worry about baby-cams REALLY being taken over by remote intruders.  What’s the recommendation to mitigate this bizarre threat?  Like any other device, a camera runs firmware, and that firmware needs to be kept current, because vendors ship security patches in firmware updates just as they do for any other software.  So if you have a Foscam baby-cam, you need to make sure that its firmware is up to date.  Note, too, that the intruder in the story above came in over the Internet from an address in Amsterdam, which means the camera was reachable from outside the home network.  If you don’t need to view the camera from outside your house, don’t forward a port to it (and turn off UPnP on the router, which can open such ports automatically); an attacker who can’t reach the camera can’t log into it.

But that’s not all.  Even if your WiFi router/access point is password-protected (and hopefully, with something more secure than the default password or just “password” or “123456”), the Foscam baby-cam has its own login, and it needs to be password-protected, too, again with something more secure than a default or “password”.  Now, it’s true that the current version of the Foscam baby-cam forces the user to change the default password when setting it up, but if you’ve got an older one, more than a year old, you need to change that password (or perhaps enable one if it doesn’t even have one), NOW.

Interesting results on which e-commerce sites protect you

This CBSNews.com article reveals which e-commerce sites protect your password and which ones don’t, by checking whether each site: allows weak passwords such as “123456” or “password”; lets you enter the same incorrect userid/password combination over and over without locking the account; enforces the use of strong passwords; or sends you new passwords in plain text by e-mail.

The thing we ALL have to remember is that ultimately, WE are responsible for OUR own security.  No one is going to do it for us.  No e-commerce site is going to do it for us.  WE have to create our own secure passwords.  WE have to keep track of them.  I’ve already recommended on this blog the need to use a password manager like Lastpass.com or Keepass.  They are readily available tools that allow us to keep track of all of the many passwords we have to use, and to generate a different random one for every site.  Another valuable tool you can use to see if your password is secure enough is www.passwordmeter.com, which scores your password with an algorithm based on its length and the number of upper case and lower case letters, special characters, and digits it contains.  Keep in mind that such a score measures composition, not whether the password is already on the lists of common passwords that attackers try first; something like “P@ssw0rd” looks good by that measure but is on every cracker’s wordlist, so treat a high score as necessary, not sufficient.  I recommend that everyone use this tool as well.  You’ll find the results quite interesting, and then you’ll probably end up changing your password(s) based on your findings.
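As an added illustration (my own code, not the author’s and not The Password Meter’s actual algorithm), here is a simplified composition scorer of the kind described above, paired with the check a scorer alone cannot make: comparison against a list of known common passwords, after undoing the usual “leet” substitutions.  It also shows what a site that “enforces strong passwords” in the e-commerce post ought to do at registration.  The scoring weights and the ten-entry blocklist are constructed stand-ins; a real deployment would use a breach-derived list of millions of entries.

```python
import re

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "password1", "p@ssw0rd", "letmein", "welcome1", "iloveyou",
}

# Common character substitutions used to dress up dictionary words.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "4": "a"})


def composition_score(pw: str) -> int:
    """Simplified composition score (0-100) in the spirit of password
    meters: reward length and each character class present, penalise
    repeated characters and single-class strings.  Weights are my own."""
    score = len(pw) * 4
    if re.search(r"[A-Z]", pw):
        score += 10
    if re.search(r"[a-z]", pw):
        score += 10
    if re.search(r"[0-9]", pw):
        score += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 15
    repeats = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
    score -= repeats * 3
    if pw.isdigit() or pw.isalpha():
        score -= 20
    return max(0, min(100, score))


def normalise(pw: str) -> str:
    """Reduce a password to the dictionary word it is built on: lower-case
    it, drop trailing digits/symbols ("...rd1!" -> "...rd"), then undo
    leet substitutions, so "P@ssw0rd1!" becomes "password"."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET)


def evaluate(pw: str, min_score: int = 60) -> dict:
    """Site-side acceptance check: a password must both score well on
    composition AND not match a known common password (directly or after
    normalisation).  Either test alone lets weak passwords through."""
    score = composition_score(pw)
    blocked = pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS
    return {"score": score, "blocklisted": blocked,
            "accepted": score >= min_score and not blocked}


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "correct horse battery staple"]:
        print(f"{candidate!r:32s} {evaluate(candidate)}")
```

Run it and “P@ssw0rd1!” scores 82 on composition, comfortably above the threshold, yet is rejected because it normalises to “password”; “123456” fails both tests; a long random-word passphrase passes both.  That is the gap a composition-only meter leaves open, and why the blocklist check belongs on the server where the user cannot skip it.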