

Cyber Threats Right Here At Home

Wednesday, January 3rd, 2018

Smart home


A page in The Costco Connection for January 2018 is devoted to “some of the smart tech you may want to invest in over the coming months.” The image above suggests 10 different smart technologies – lighting, windows, temperature, door locks, etc.

Note that I said “Costco.” This wasn’t Wired or Popular Science, which you might expect to have articles about the very latest in high-tech gadgetry. No, we’re talking mainstream.

So, back to the array of smart tech devices.

Maybe you already use some smart tech devices in your home?

Or you got one as a Christmas present?

Or better yet, gave one to your children?

Here’s a better idea of how smart the technologies are:

  • Smart phones – Shoot 4k video so you can play it back on your TV; recognize your fingerprint as password; track your blood alcohol level; find your car; diagnose why it’s not starting.
  • Smart watches – Receive text, email and tweets from friends; capture your fitness info; give you directions or track your run via GPS; lock, unlock, and start your car.
  • Smart homes – Respond to voice or touch commands to adjust air and water temperature, lights, locks and cameras; “learn” family habits and schedules; report on current traffic conditions along your route to work; read and adjust solar panels; start the laundry.
  • Smart TVs – Connect to social media platforms; follow voice and gesture commands; display photos and videos from your phone.

These all fall under the heading Internet of Things, the IoT.

The IoT — a mind-boggling composite of convenience and just plain cool stuff!

With one little problem: security.

Here it is reflected in one sentence from ISO Online, in an article about DEF CON 2017:

“At the IoT Village, hackers found 47 new vulnerabilities in 23 IoT devices.”

Whoops!

Even if you don’t understand exactly where the threats lie, you can probably recognize just how these vulnerabilities come about.

  • Like every other product, IoT products are hurried to market to beat the competition. (Think Apple.) They don’t have time to spend on developing sophisticated layers of security that interact with every other device’s layers of security.
  • Device manufacturers may be as interested in selling information about you and how you use the product as in selling the product in the first place. So, they conveniently overlook certain aspects of security. (Remember the TVs that were capturing info about their viewers’ choices? And the “Talking Barbies” that stored and transmitted what the children said to their dolls?)
  • Many IoT products are complex, combining software, hardware and services often provided by more than one supplier. Not infrequently, one or more of the suppliers sells out or even goes out of business somewhere along the line. A broken link in the chain is a hacker’s opportunity.
  • And IoT users – that is, us consumers – are not following smart security practices!

Now last month our Advisory reviewed home and business security systems – all of which were internet connected — and in doing that research I read many, many advertisements and reviews. Not one had anything to say about security. The Costco article didn’t mention security either!

But when I dug into broader background on the Internet of Things, I got a whole load of warnings.

So, in our ongoing effort to improve awareness and understanding about all areas of preparedness, here are . . .

Seven recommendations for your personal IoT devices as of January 2018.

1-Enable security features on all smart devices.
Not sure if there ARE security features? If the device connects to your home network, there had better be usernames and passwords that you can change from the default! In fact, the instructions should remind you to make those changes. Remember that default username and password combinations are published online and thus easily available to hackers.

2-Use strong passwords.
Are your children using the devices? Don’t give them an easy password so they can operate the thing. A simple password makes it easier for every hacker to break into the device!

3-Check for and reconnect or remove dead devices.
Some IoT devices are treated by the family or employees as toys, and after a while they lose interest in them. These neglected devices are precisely the ones that may provide an opening for a hacker. Take a regular inventory and clean up your IoT.

4-Schedule battery replacement.
Many of these devices operate using battery power. Batteries die – and when they do, they can create a security risk. (Door lock won’t open? Fire alarm won’t go off?) Check all devices regularly until you know just how long their batteries will last, and then build a schedule for ongoing maintenance – with dates and the numbers and types of batteries required.

5-Update firmware (operating systems) and apps.
If you find the updates on your phone or computer to be a nuisance, imagine having an entire collection of devices with apps that need updating! But it’s through updates that holes are stopped up and vulnerabilities are fixed. Watch for updates and apply them. (Not sure exactly how you’ll be notified of updates? Find out, so you don’t miss out.)

6-Be sure updates and/or network communications are encrypted.
You don’t want strangers listening in on your baby monitor, measuring your blood pressure or noting the hours when the house is empty! If your smart device sends unencrypted info across your home network and the internet, you are vulnerable.

7-Are any ports left open?
Some devices – particularly hubs or routers – need open ports to allow connections to the internet. The more ports that are open, the more vulnerable you may be to hackers. By and large, your firewall software will allow or block connections based on the profile you’ve set up. If you haven’t set up firewall software, do it. (If you aren’t sure how to find out about the status of your ports, you can get additional software to check on them.)
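Recommendations 1, 3, 5, 6 and 7 can all be checked against a simple written inventory of the devices on your home network. The script below is an added example, not code from the Advisory or from any vendor: it audits a constructed inventory and reports which recommendation each device fails. The device records, the list of "known default" logins, the 30-day staleness window and the port profiles are all invented for illustration.

```python
"""Home IoT inventory audit (added example, constructed data).

Checks each device record against the Advisory's recommendations that an
inventory can answer: 1 (defaults changed), 3 (dead devices), 5 (firmware
current), 6 (encrypted protocols) and 7 (only expected ports open).
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder list standing in for the factory defaults that
# are published online; a real check would use the vendor's documented defaults.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "")}

# Protocols that carry traffic in the clear (recommendation 6).
PLAINTEXT_PROTOCOLS = {"http", "telnet", "ftp"}

# Assumed threshold for a "dead" device (recommendation 3).
STALE_AFTER = timedelta(days=30)


@dataclass
class Device:
    name: str
    username: str
    password: str
    last_seen: date
    firmware: str
    latest_firmware: str      # taken from the vendor's update notice
    protocols: frozenset      # e.g. {"https"} or {"http", "telnet"}
    open_ports: frozenset     # what is actually listening
    allowed_ports: frozenset  # the profile you set up in the firewall


def audit_device(dev: Device, today: date) -> list:
    """Return (recommendation number, message) pairs for one device."""
    findings = []
    if (dev.username, dev.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append((1, "factory default credentials still in use"))
    idle = today - dev.last_seen
    if idle > STALE_AFTER:
        findings.append((3, f"not seen for {idle.days} days; reconnect or remove"))
    if dev.firmware != dev.latest_firmware:
        findings.append((5, f"firmware {dev.firmware} behind latest {dev.latest_firmware}"))
    clear = dev.protocols & PLAINTEXT_PROTOCOLS
    if clear:
        findings.append((6, f"unencrypted protocol(s) in use: {', '.join(sorted(clear))}"))
    extra = dev.open_ports - dev.allowed_ports
    if extra:
        findings.append((7, f"ports open beyond your profile: {sorted(extra)}"))
    return findings


def audit_inventory(devices, today: date) -> dict:
    """Map each device name to its list of findings."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed sample inventory; credentials shown are made up.
TODAY = date(2018, 1, 3)
SAMPLE_INVENTORY = [
    Device("front-door-lock", "homeowner", "Q7#vK2!mZ9pL", date(2018, 1, 2),
           "2.1.4", "2.1.4", frozenset({"https"}), frozenset({443}), frozenset({443})),
    Device("baby-monitor", "admin", "admin", date(2018, 1, 1),
           "1.0.0", "1.2.0", frozenset({"http"}), frozenset({80, 554}), frozenset({554})),
    Device("old-smart-plug", "homeowner", "x9!Lm2#QpV7r", date(2017, 10, 20),
           "3.0", "3.0", frozenset({"https"}), frozenset(), frozenset()),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        status = "ok" if not findings else "; ".join(f"[{n}] {m}" for n, m in findings)
        print(f"{name}: {status}")
```

Run as written, the lock passes, the baby monitor fails recommendations 1, 5, 6 and 7, and the forgotten smart plug is flagged under recommendation 3 because it has not been seen for 75 days. Keeping the inventory as a plain file you update when you add or retire a device is what makes the "regular inventory" in recommendation 3 practical.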

A next step for non-tekkies.

If you’re interested in getting a lot more familiar with IoT and IoT Security, plan on either spending a lot more time online or spending some money on one or more of the books available via Amazon or other book stores. Most of these books seem to be directed to IT professionals and have professional prices.

The Internet of Things: A Look at Real-World Use Cases and Concerns

However, I did find this inexpensive book that looks intriguing for ordinary consumers. In it, the author turns the IoT from focusing on the THINGS (as we have done in this Advisory) to focusing on how the CONNECTIONS are going to empower people and businesses. His case studies make it clear how this can happen.

(FYI, according to the back of the book cover, the author was born in 1981. He got his first computer at age 7, wrote his first software application at 9, and has built and sold “several” technology businesses since he was 18. That gives me a comfortable feeling about his level of expertise!)


This Emergency Plan Guide Advisory is aimed at households. Naturally, much of it also applies to the business world, or at least to the small business world. Earlier in 2017 we drafted an Advisory and a checklist/questionnaire on Cyber Security for Business. If you overlooked them, you may want to check them out again. We’ll be updating this info regularly, but don’t wait for the update!

In the meanwhile, pay attention to your Things and don’t let them get you into trouble!

Virginia
Your Emergency Plan Guide Team

P.S. This is the kind of information that everyone should be aware of. Please forward this Advisory to friends and family and share with your neighborhood group. If just a few people take a few actions they will be safer than they were before.

P.P.S. What really got my attention from the DEF CON article was the report of a wheelchair being hacked . . .!

Confident About the Security of Your Passwords?

Wednesday, January 11th, 2017

There is no such thing as complete security. All precautions and security devices are nothing more than time delays. You are not immune from hackers or malicious software bugs, identity thieves or unscrupulous “ransomware” extortionists.

You can, however make yourself and your business a harder target and significantly reduce the likelihood that you will be a victim.

The first line of defense is usually the password.

At last count, I have close to 100 passwords I have to retain and use periodically, some more frequently than others and some more complex than others. Virginia has an equal portfolio with only a dozen or so overlapping with mine. That’s too many unique and nonsensical combinations of numbers and characters to rely on memory alone.

We understand all too well how unlikely it is that you will approach your computer and on-line security with enthusiasm.

It’s just human nature to look for shortcuts.

I accept this and, in fact, I have some institutional experience that I’ll share with you that may help motivate you to reexamine how you approach this important subject. It’s not a long story, but it’s one I think you’ll find both entertaining and enlightening.

A true and embarrassing story of security shortcuts.

Some years ago, I was serving our country with the US Army as a Special Agent for Counterintelligence. I assure you that, while there were exciting times and even dangerous assignments, there were many more tasks that some (me included) would consider mundane and tedious. Among the latter was the responsibility of conducting periodic inspections of Army units in their handling, storing and protecting of classified information.

(And, yes, this required that we put on our expressionless “face” and make sure we came across as serious “spooks.”)

One thing we did that relieved the tediousness of these inspections was to ask early in the process to see how documents were stored and who was in charge of their security to “make sure” they had the proper level of clearance.

Storage was typically in a bank of four-door file cabinets with a rod inserted through the handles, secured with an impressive Sargent-Greenleaf combination padlock at the top.

Then, with the handful of personnel (including the Unit Commander, officers and non-coms in the “audience”) we would proceed to begin attempting to open the padlocks by turning the dials without anyone providing us with the actual combination/s.

Imagine, if you can, the looks of surprise and embarrassment on the faces of the soldiers as, one-by-one, we deftly opened most – and sometimes all – of the locks on the file cabinets.

“How in the hell did you do that?!?” was the typical reaction.

Actually, it was quite simple. Before the actual inspection, we examined the personnel records of the people in charge. We jotted down birthdays, wedding dates, serial numbers, etc. With few exceptions, we would find that at least half of the locks could be opened by treating these dates as combinations because they were an easy way for the people to remember the sequence of numbers.

In some of the more dramatic encounters where we opened ALL of the locks, it was usually where the same sequence of numbers was used on all the locks.

The point of this story is to illustrate that the convenient ways you create passwords are typical. Most “crackers,” if not “hackers,” will have search scripts that can readily break these normal code patterns.

Avoid normal code patterns!

There are a number of ways to pick passwords that will foil eager agents, friendly or not so friendly. Here are three:

  1. Use a password generator. Typically, these programs will create totally random combinations of capital and lower case letters, numerals and symbols, often as long as 16 digits.
  2. Save these passwords so you can retrieve them, since you won’t be able to remember them. Password manager programs include Keeper, RoboForm and LastPass.
  3. Not happy with having all your passwords stored on your desktop? You can write them down on paper and store or seal it well away from prying eyes.
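To show what a password generator actually does, and how a simple check can catch the "normal code pattern" from the file-cabinet story (dates used as combinations), here is an added example in Python. It is not code from this post or from any of the password managers named above. `generate_password` uses the standard-library `secrets` module to produce the kind of 16-character mix of upper- and lower-case letters, numerals and symbols described in point 1; `looks_like_date` is a constructed heuristic that flags any 6- or 8-digit run that parses as a calendar date; the 12-character minimum in `password_problems` and the 1930–2029 two-digit-year window are my assumptions.

```python
"""Password generation and pattern vetting (added example).

generate_password(): random password with every character class present.
looks_like_date():   flags birthdays/anniversaries written as digit strings.
password_problems(): the checks a manager or form might apply before accepting a password.
"""
import re
import secrets
import string
from datetime import date

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 12  # assumed minimum; the post cites 16 as a typical generated length


def _missing_classes(pw: str) -> list:
    """Names of the character classes absent from pw, in a fixed order."""
    missing = []
    if not any(c.islower() for c in pw):
        missing.append("no lowercase letters")
    if not any(c.isupper() for c in pw):
        missing.append("no uppercase letters")
    if not any(c.isdigit() for c in pw):
        missing.append("no digits")
    if not any(c in SYMBOLS for c in pw):
        missing.append("no symbols")
    return missing


def generate_password(length: int = 16) -> str:
    """Cryptographically random password containing all four character classes."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:  # rejection sampling: retry until every class is present
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not _missing_classes(pw):
            return pw


def _parses_as_date(digits: str, order: str) -> bool:
    """Interpret a 6- or 8-digit run in the given field order, e.g. 'MDY'."""
    year_len = len(digits) - 4
    fields, pos = {}, 0
    for key in order:
        width = year_len if key == "Y" else 2
        fields[key] = int(digits[pos:pos + width])
        pos += width
    year = fields["Y"]
    if year_len == 2:  # assumed window for two-digit years: 1930-2029
        year += 1900 if year >= 30 else 2000
    try:
        date(year, fields["M"], fields["D"])
        return True
    except ValueError:
        return False


def looks_like_date(candidate: str) -> bool:
    """True if any 6- or 8-digit run in candidate reads as a calendar date
    in month-day-year, day-month-year or year-month-day order."""
    for run in re.findall(r"\d+", candidate):
        if len(run) in (6, 8) and any(_parses_as_date(run, o) for o in ("MDY", "DMY", "YMD")):
            return True
    return False


def password_problems(pw: str) -> list:
    """All reasons a password would be rejected; empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems.extend(_missing_classes(pw))
    if looks_like_date(pw):
        problems.append("contains a calendar date")
    return problems


if __name__ == "__main__":
    for sample in ("031281", "Summer2018!", generate_password()):
        verdict = password_problems(sample)
        print(f"{sample!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

A birthday such as `031281` fails on length, three missing character classes and the date check; a generated 16-character password passes all of them, which is exactly why point 2 follows point 1: the output is only usable if a password manager (or a well-hidden piece of paper) remembers it for you.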

If these ideas seem too few, or too paltry, we recommend you click on Consumer Reports: 66 Ways to Protect your Privacy Right Now. In 14 pages it discusses passwords but also covers email, devices, privacy, software updates, two-factor authentication, PINs, travel, encryption, settings, wifi, phishing, and ransomware!

Joe Krueger
Your Emergency Plan Guide Team

P.S. Let us know which of these 66 suggestions you already follow, and which ones you decide to implement.