Internet of Things and Connected Lives: An Insecure Relationship


We live in a crazy connected world these days, and the Internet of Things makes it abundantly clear. IoT is probably one of the hottest emerging technology trends right now. Put simply, the Internet of Things is the technology of putting internet-connected computer devices into everyday objects. Anything from refrigerators to light bulbs is now being produced with the ability to connect to a network and be controlled remotely.

As far as technology trends go, sales revenue and market value can rise and fall like the tides. So it comes as no surprise that so many tech manufacturers are trying their best to come up with the next big Internet of Things device. The tech sector expands by leaps every year, so staying on top is a monumental, never-ending task. However, as great as being able to control everything (I mean everything) from your phone sounds, there are great security risks involved.

Internet of Things Security in the News

The largest security threat in IoT news recently was the massive DDoS attack on Dyn, a company that provides DNS services to, well, half the country. The targeted devices used in the attack: IP security cameras. There has also been the recent disclosure of CIA tools that turned Internet of Things devices such as smart TVs into tools for spying on American homes. And you can’t say you haven’t seen the stories of baby monitors being hacked and used to listen in and even talk to whoever happens to be in the room.

In an article from Linux Insider, the growth of Linux-based malware is discussed. With much of the IoT world in the hands of Linux-based controllers, attackers have started focusing their efforts on Linux exploitation. And in a wonderful article on Fast Company, we hear the concerns of Vint Cerf, commonly known as the “Father of the Internet”. In perhaps one of the more subtle but telling quotes from the article, Vint says:

“Basically you’re relying on software doing the right things, and if it doesn’t do the right thing, you have very little to say about it. I feel like we’re moving into a kind of fragile future right now that we should be much more thoughtful about improving, that is to say making more robust.”

Internet of Things and the Common Consumer

As technology abounds and our world gets more connected, the common consumer has become more tech savvy than in years past. However, I find that tech savvy and tech minded tend to be two different things. Basic understanding of your technology makes you tech savvy. A more definitive understanding makes you tech minded.

One thing a lot of common consumers do not realize about IoT devices is the inherent security risk you bring into your home. In the most basic explanation, every device that ends up connected to your home router is a security risk. This means anything from computers, to cell phones, to connected devices like security cameras, TVs, and other appliances. With each new device introduced, the risk of attack goes up.

Unfortunately, even the most basic of security practices that help protect a home network are not in use by most common consumers. So when they decide to add even more attack points to the home network, it comes as no surprise that IoT products have started to become a favorite target. Your smart home is quickly becoming the smartest botnet in the world, and you don’t even know it. What stops an attacker from using your own appliance against you?

Internet of Things and Health Technology

This is a really scary talking point. Not only have we invited inter-connectivity into our normal home lives, but we have also invited it into our health decisions. Modern hospitals, and medical practices with recent equipment upgrades now have connected devices. IV pumps, insulin pumps, oxygen apparatus, the list goes on. Everything in the medical community is being connected.

This isn’t the scary part though. Being able to better monitor a hospital ward with a centralized computer system that shows such detail, that’s a great thing. The scary part is that, just like home devices, these new bits of medical genius come with their security flaws. Whether it’s outsider control of the device or use of the network node to get in and steal personal information, the security of such things hasn’t been well thought out with the technology.

The Future of IoT Security

The future of IoT security has to start in the present. It starts with manufacturers being able to quickly resolve current issues and patch vulnerabilities. A quick response is a great way to assure your consumers that you take their security seriously. On the other side of that, security must be part of the end product that is released. Cybersecurity is one of the fastest growing IT fronts, yet too many companies still don’t take it seriously. Manufacturers must take security not just of the present, but of the future seriously when planning and building new products.

For the common consumer, the practices of basic network security should be learned and applied a lot more than they are right now. If you didn’t know that your router can get software upgrades, raise your hand. If you raised your hand, then you have a lot of learning to do. Just like our phones and computers, internet-connected devices can and probably will receive updates. The biggest reason for these updates? You guessed it, improving security.

Final Thoughts

Internet of Things is no doubt the future technology that will run our everyday lives. It’s almost the next inevitable step. However, like other technological leaps in the past, IoT doesn’t come without its flaws and concerns. Manufacturers and consumers have to work together to preserve security. Manufacturers have to do their jobs in preventing and maintaining the security of the devices they release. Consumers have to do their part to implement the security basics on these devices and their home network in general.

A connected world with connected lives will not be this terrible thing that the older generations think it will be. It will not be a disillusioned dystopia of tech zombies with no interaction. However, without the proper procedures and practices, we can’t hope to totally eliminate the slight possibility.

 

Cybersecurity: Securing and Protecting Your Home Network


Active cybersecurity extends way beyond the companies we deal with, and right into our own homes. Take a moment right now and count: How many devices are connected to your home network? Include anything from phones, tablets, and computers, to smart hubs, thermostats, and appliances. How many other people have your network credentials when they come visit? For our home, the number is staggering.

At any given time I may have up to 7 devices connected, and up to 8 more when friends and family come visit. To put it into more of a security point of view, that’s up to 15 different attack points on my home network. 16 if you include the router too. That’s a lot of security to have to think about. At-home cybersecurity is a necessary part of having a home network. While we won’t be talking about security on individual devices, we will be discussing how to lock down your network, and keep it as safe and secure as possible.

Wireless Router Security

Chances are, if you have a home network, it is wireless. I mean, come on, it’s the most convenient thing ever to not need to be wired into a network anymore. Nobody likes that. But a lot of people make mistakes with their wireless networks at home that make them easy targets for cybercriminals. This usually starts with the password. Most wireless routers and modems come with a preset password. At first glance, these seem like strong enough passwords. They are the right combination of letters, numbers, and characters, and are the perfect length.

However, these passwords are easy to get your hands on. Cybercriminals often maintain a “word list” of common router default passwords and it’s not hard to find. So the single most important thing you can do to begin securing your home network is to change this password. Remember the proper password protocols when selecting yours.

  • Do NOT use words like “password” and number sequences like “123456”. Come on, you’re better than that.
  • Try to avoid using dates like your birthday or anniversary in passwords.
  • Do NOT use credit card numbers or bank account numbers (DUH).
  • DO make your passwords at least 8 characters long. The longer the password, the harder it is to guess.
  • DO use a combination of numbers, letters, and special characters (when allowed).
  • Do NOT use one single word. Attackers can have dictionary lists that will use that word at some point.

In the past, I have taken to using a random string generator to produce my network passwords. Why? Because A) it’s not something I’m easily going to remember or be able to tell anyone by mistake, and B) it’s guaranteed to be the length and makeup that I specify. I keep my passwords in a safe place, not on my computer, for reference if I need them.
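The checklist above and the random-generator approach can be combined in one script. This is an added example, not code from the original post: the function names, the short weak-password sample and the special-character set are assumptions, and the 8 to 63 character range is the limit for a WPA2-Personal passphrase.

```python
import re
import secrets
import string

# Constructed sample of weak choices; a real check would load a larger word list.
COMMON = {"password", "123456", "qwerty", "letmein", "admin"}
SPECIALS = "!#$%&*+-=?@_"  # assumed set; trim it to what your router accepts
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")
ONE_WORD_RE = re.compile(r"[A-Za-z]+[\d\W_]{0,4}")  # e.g. "Sunshine1!"


def check_passphrase(pw):
    """Return the list of checklist rules that pw breaks (empty list = pass)."""
    problems = []
    if not 8 <= len(pw) <= 63:  # WPA2-Personal accepts 8 to 63 characters
        problems.append("length must be 8-63 characters")
    if any(weak in pw.lower() for weak in COMMON):
        problems.append("contains a common password or number sequence")
    if DATE_RE.search(pw):
        problems.append("looks like it contains a date")
    if re.search(r"\d{9,}", pw):
        problems.append("long digit run, like an account or card number")
    if ONE_WORD_RE.fullmatch(pw):
        problems.append("is one word with at most a short suffix")
    has_all_classes = (
        any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )
    if not has_all_classes:
        problems.append("needs letters, digits and special characters")
    return problems


def generate_passphrase(length=24):
    """Draw from the OS CSPRNG until the result passes every check above."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8-63 characters")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_passphrase(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample inputs, one per kind of mistake.
    for candidate in ("password", "Sunshine1!", "Kim&Lee-07/04/2015"):
        print(candidate, "->", check_passphrase(candidate) or "ok")
    print("generated:", generate_passphrase())
```

The one-word and date checks are heuristics, so a passphrase that passes is not proven strong; the generated ones get their strength from length and randomness.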

Parallel to this is choosing the right kind of security encryption key for your wireless router. You’ll notice when you go to input a security key when signing in that there is usually a drop-down list of different types of encryption like the picture to the left. The strongest encryption that comes with most home-based network routers is WPA2. Sometimes this is listed as WPA2/Personal or WPA2-Personal with AES. This is what you want to use.

Older methods of encryption like WEP are the least secure and in most cases obsolete now. They can be easily broken with the right software by someone with bad intentions. So choose the right kind of encryption and a strong password key that matches it for the best way to secure your wireless router.

 

SSID: To Broadcast or Not to Broadcast

SSID stands for Service Set Identifier, and this is the name of your network. This is what appears on a list of available networks. You know, the ones people think are funny to name “FBI Surveillance Van” and “Get Your Own Wifi”? By the way, those are neither funny nor clever. So pick something different. Here’s the thing about SSID. It is supposed to be used to uniquely identify your network. If you leave it at the default, then chances are you’re going to leave the password the same too, thus making you an easy target. It is also a tempting target for people who go war driving through neighborhoods.

If you think you have neighbors who may be trying to jack your WiFi to watch unmentionable content, you also have the option to hide the broadcast of your SSID. This means that to connect to your network, both the SSID and your password key will have to be entered. For people just perusing for free WiFi and those on a simple war drive, these networks will just be passed up. However, it should be mentioned that some software can discover the network is there, but it still takes the same guessing of both network name and password to access.

Get Behind a Firewall

Firewalls can be software or hardware based. The difference between the two is that a hardware firewall adds an additional layer of security against wireless attacks. Devices, especially desktop and laptop PCs, are some of the easiest targets on a home network, or on any connection to the web really. Software firewalls are built into most major operating systems including Windows and Mac OS. Getting to know how to use firewall settings can be a big advantage in protecting your network. With firewall software you can configure apps to allow incoming and outgoing connections, or to deny these connections.

A hardware-based firewall goes a bit further in that it protects all the devices connected to your network. It can also be a little easier to maintain and manage a hardware firewall than separate firewalls on separate devices. On a home network, these can be easily set up in less time than it takes to heat up your oven for dinner. Pricing for hardware firewalls can vary, and you’re often going to get what you pay for. But what really is the price for security and privacy?

Summary

These are all just a few basic steps you can take to ensure the security of your home network. Since the advent of wireless internet, and the quick spread and explosive growth of technology, it has never been more important to take your security seriously. You don’t want to end up a part of a botnet, or with your home network invaded and ransacked. These few key tips put you well on your way to smarter, safer, and more secure home network management.

 

 

Cybersecurity: Social Engineering and Why You Should Care


 

Call it people hacking, call it spying, call it snooping. Call it whatever you like, but social engineering is a practice that has been going on for a long time. In an increasingly connected society, it is the most useful tool in a hacker’s arsenal. It uses the error of human emotion to exploit human weakness. This information is gained in a few short minutes and exploited in just a few seconds. Social engineering remains one of the biggest security threats to this day. And here is why you should care.

The Art of Hacking People

Social Engineering, by definition, is a non-technical kind of security attack. It relies heavily on human interaction, manipulation, and the exploitation of human emotion to get people to break security protocols and give out sensitive information. This can be anything from email addresses and phone numbers to more sensitive information like passwords and other sensitive account information. What makes social engineering unique is that it doesn’t involve any kind of compromise of systems. Once the damage is done it is hard to trace back.

At the most fundamental level, social engineers are like the con artists of old, peddling whatever kind of human connection it takes to convince you to do something or tell them something you normally wouldn’t. They are like the guys of old who used to sell bogus medicine to unsuspecting people, raking in the benefits of how people feel when they think too much about illness and death. A social engineer is someone with amazing people skills and a very deceptive nature who can often exploit the human experience to their advantage.

Types of Social Engineering Attacks

Phishing: This is the most common type of social engineering attack. The goal of a phishing attack is to get you to open malicious links and enter your account credentials in a phony form that then sends this information to the attacker. Social engineers usually disguise these in emails that claim to be from different services you use and often come cloaked with a sense of urgency that makes it seem important for you to click and follow the directions. Most recently, there was a phishing scam that spread like wildfire through Gmail disguised as a Google Doc and compromised the credentials of thousands and thousands of accounts. To your benefit, most email clients and services do a better job these days of blocking potential phishing emails.

Baiting: This is very similar to a phishing attack. Except, in the case of baiting, there is a good or service offered in exchange for the sensitive information. This is typically done with downloadable music and movies, in exchange for using something like Twitter, Facebook, and Google login credentials. Another thing that makes baiting different from phishing is that it doesn’t have to rely on digital media. Infected USB drops are a form of baiting that relies on people’s general curiosity: they will pick the USB drive up and plug it in to see what’s on it. In turn, the USB drive infects the host computer, usually with a keylogger, and credentials are harvested this way.

Quid Pro Quo: This is another kind of attack that has gotten more popular in recent months and years. With a quid pro quo attack, the attackers offer a benefit in exchange for information. This may sound a bit familiar from the spam attacks where attackers call promising to fix security and performance issues with Windows machines. This affects people in the private sector, but attackers also target companies in hopes of finding the person that gives in and gives up information. In most recent memory, this has become more of a scam than an attack, as attackers are just running down lists of phone numbers and hoping and waiting.

Why is Social Engineering Such a Threat


 

What makes social engineering such a threat is that it relies not so much on technical knowledge as on people skills. When most people think about hackers, they think about script geeks with monster computer rigs, hiding out in the dark, jacked up on Red Bull, and typing away with fury. What most people wouldn’t say is that a hacker has “great people skills, excellent verbal communication, and a charming personality”. That is not exactly what you would think when you hear the term “hacker”, but in essence, it is a very necessary thing to be able to pull off now in order to gain access to simple sensitive information. Take this section of “Real Future: What Happens When You Dare Expert Hackers to Hack You” as a great example of how easy it can be.

 

What Can I Do to Protect Myself

The first thing to do is the most obvious. NEVER give out confidential information about yourself unless you can 100% verify who it is you are talking to. If they can’t satisfy your questions to verify their identity, then you don’t need to be giving them your information. A second to that point is also to realize that real representatives of the companies you do business with will not ask you for a password over the phone. Ever.

Second is on the more technical side of things. Does this email seem too good to be true? It probably is, and you would be best to avoid the link. Can you access your account normally without having to go through what the email says? If you can, don’t click that link. A good line of thinking when a phishing email shows up is to check your account with those services. If there is something actually wrong, your sign in should tell you. But if you can sign in and there are no issues, then you can guarantee the email is an attempt to hijack your credentials.

Do NOT, under any circumstances, allow USB access to your device from anyone you don’t know. Or any device you can’t verify as yours. USB attacks are becoming more deceptive. Often, having the latest security upgrade on your device doesn’t mean it can be stopped. Do not trust people to just hand you a USB device and ask you to print something off, open a file, or install a program. Without being able to verify the legitimacy of the device, it can be a hazard.

Summary

Social engineering, as stated before, is not a new tactic, but it remains one of the most successful tools in a hacker’s arsenal. Recognizing a threat and combatting social engineering attacks are imperative to defense. Simple and effective vigilance can often be the difference between keeping your information secure, and losing your information, and possibly a lot more.