Tag Archives: Password security

Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that now fall into the category we call the Internet of Things: home security systems, home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well: threats that can and will be exploited if unsuspecting users don’t secure those devices. Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often either don’t know how to patch their own machines (and in this case, devices) or have glanced over how to do it and just don’t bother, or if automatic patching is available, they don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security. If your IoT device supports it, enable automatic download of patches and updating of your system. Don’t leave your IoT device configured with the default password it comes with; change it to a secure password (and if you don’t know whether yours is secure enough, test it in The Password Meter). Read the user’s manual to find out how to enable your device’s security yourself.
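As an added illustration (not code from the original post), here is a small Python audit of a constructed IoT device inventory against the three practices above: automatic updates on, factory default password changed, and a reasonably strong replacement. The strength score is a simple heuristic written for this example, not The Password Meter’s algorithm, and the device names and passwords are made up.

```python
"""Audit a small IoT device inventory against three basic practices:
automatic updates enabled, factory default password changed, and the
chosen password reasonably strong. The scoring is a simple heuristic
written for this example, not the algorithm used by The Password Meter."""
import re

# Constructed sample inventory (hypothetical devices, not real credentials).
# 'factory_default' is the password printed in the device's manual.
DEVICES = [
    {"name": "fridge", "auto_update": True, "factory_default": "admin",
     "password": "Gr0cery-L1st!2016"},
    {"name": "cam-porch", "auto_update": False, "factory_default": "12345",
     "password": "12345"},
    {"name": "lights", "auto_update": True, "factory_default": "password",
     "password": "summer1"},
]


def password_score(pw):
    """Crude strength score: length, plus two points per character class
    present, minus penalties for repeated runs and single-class passwords."""
    score = len(pw)
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            score += 2
    if re.search(r"(.)\1\1", pw):        # same character three times in a row
        score -= 3
    if pw.isalpha() or pw.isdigit():     # letters only or digits only
        score -= 4
    return score


def audit(device, min_score=16):
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    if not device["auto_update"]:
        findings.append("automatic updates disabled")
    if device["password"] == device["factory_default"]:
        findings.append("factory default password still in use")
    elif password_score(device["password"]) < min_score:
        findings.append("password too weak")
    return findings


def audit_all(devices=DEVICES):
    """Map each device name to its findings."""
    return {d["name"]: audit(d) for d in devices}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "; ".join(findings))
```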

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house?  Fine.  Just practice the necessary security practices to really keep your home and its data secure.

Appalling Violations of Basic Principles

Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST docs and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than to use the NIST 800-series docs as a guideline. And yet, as described in the New York Times article on the Chinese hack into the Office of Personnel Management, a lot of the basic principles were violated.  Some of which were:

  • Failure to inventory computers, especially laptops containing sensitive information (or even those that didn’t contain that kind of information)
  • Failure to require secure passwords, and to change those passwords regularly, according to a schedule
  • Failure to install the necessary security & update patches
  • No firewall set up, and no Intrusion Detection and Prevention Systems (IDPSs) set up
  • Failure to encrypt data
  • Failure to monitor the network (again, IDPSs would be one component of doing this)

All of these precautions are not only in the textbook we use for our first Cyber Security course, they’re in the NIST docs that the government requires its personnel to use as guidelines for managing information security.  It’s just astounding that the very principles set forth by the federal government for their own agencies to use, very valid principles, were not followed by a governmental agency.

Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.

Your password is yours – don’t share it

When it comes to password security, one of the things I teach my students is not to share it. Often I think that they believe that’s a principle they don’t have to follow. I mean, what could be the harm in sharing your work password with a co-worker, especially if your PC has some important file that your co-worker needs access to? (Well then, just e-mail it!) Or if you’re going to be out of town for work or vacation?

Well, about a month ago, it was revealed that one NSA staffer found out about not following this principle the hard way.  Apparently this person gave Edward Snowden his password, and Snowden used it to access sensitive files.  At the time, it probably seemed harmless.  But it was in direct violation of NSA standards.  The person has since resigned from the NSA.  The files that Snowden was able to access were quite sensitive, and may have caused our government incalculable damage.  In terms of the saga of Snowden, his exposure of US secrets, and his escape to asylum and limbo in Russia, this is probably old news.

However, this small story in the larger one of Snowden illustrates the fact that no matter how advanced, or complex, or powerful our technology is in the defense of our information and cyberspace, there is absolutely no doubt that people are our weakest link.  If people don’t follow policies and the procedures that implement those policies, an organization can lose its data, its reputation, and its trust with consumers and with the people that count on that organization to protect them.