When it first occurred, connecting things to the internet seemed more like a gimmick than anything practical. Remember that fridge that was supposed to know when you need to buy more milk and would email you a reminder? Even though that particular concept still hasn’t really caught on (though it should!) plenty of other things in our houses and workplaces are connected to the web, to the point where we don’t even consider it gimmicky anymore. Cars that can be started via an iPhone app? Sure! Security cameras that text you when they detect motion? Why not? How about thermostats and lighting that can be adjusted via wifi? Done! Except for a “little” problem: this growing “internet of things” is just as bad (if not worse) at security as the rest of the internet. A security study by technology giant HP took a look at the 10 most popular internet-enabled devices and discovered each device had at least 25 security vulnerabilities that could lead to terrible things.
What this means for you:
Most of my clients have a healthy respect (if not fear) of the internet and its tireless ability to invade your privacy, and typically make more informed choices than the general public, but as more and more devices come “connected” right out of the box, it’s easy to fall into the convenience trap of plugging the thing in and moving on to the next item on the to-do list. What this will eventually mean is people are surrounding themselves with devices that, taken as a whole, can provide an incredible amount of detail about their supposed “private” life. And those devices are all connected to the internet. Unless manufacturers starting upping their security standards (or the market forces them to), we may all find ourselves living a rather exposed existence. So the next time you are considering a device that is “internet” enabled, consider whether or not you are ready (and willing) to understand exactly how that device secures itself from hacking, and whether its worth the convenience.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
As a parent, there is perhaps nothing more frightening than to have your child’s well-being threatened, and when that threat comes from a device meant to help safeguard children (and relieve parental anxiety), the impact can have far-reaching implications. Proving that some hackers out there have no grasp of human decency or compassion, there have been at least two separate known incidents of network-enabled baby monitors being hacked and then used to audibly taunt and yell at the toddlers devices were monitoring. In both cases, the devices weren’t hacked in the true sense of the word, but were exploited through a weakness that is common across the internet: easy-to-find default passwords. The parents, not knowing that the passwords should be changed, left the devices configured as they came out of the box, and the baby-screamers used that opening to perpetrate their irredeemable acts.
What this means for you:
In comparison to the above, getting hacked as an adult seems almost laughable, but when you think about it, it’s just as scary. In case you missed my blog about “ratting” and you aren’t feeling insecure enough about your security and privacy, you should have a read. The lesson hard-learnt here is this: make every attempt to understand all the devices you use, especially the ones that may be safeguarding the security, privacy and happiness of your family. Read the instructions that come in the box, and if they are incomprehensible, get on the internet and ask questions, or grab your nearest tech geek to have them review the device for potential security issues. Don’t take for granted that a device manufacturer (or website publisher, or software programmer) has your security and privacy top of mind when they are making and marketing their product. The lure of profit encourages even the most trusted brands to cut corners on occasion, which can lead to scary situations like the above.
About a year ago, I shared an article from Ars Technica detailing a chilling and degrading hacker activity called “ratting” wherein your computer could be hacked into covertly spying on you. This disturbing trend now appears to be spreading to Android smart phones; for a short while before it was detected and removed, a seemingly legitimate app was available on the Google Play store that was purportedly for parents to keep an eye on what their children were doing on their smart phones. Unfortunately for the 50 or so people who actually downloaded the program, the real purpose of the app was to install a remote access trojan platform on the device which would enable someone to illicitly use the phones cameras and mics to spy on the user, as well as control other aspects of the phone like sending texts, making calls and sending emails.
What this means for you:
The app was built on a software development platform that is being marketed specifically to hackers, and one of the key selling points is this kit’s ability to build apps that can “hide” from Google’s security scans that usually prevent malware from being uploaded to the Play store. Translation: you can expect more apps like the one mentioned above to appear on the Google Play store. Where before you could, with maybe 99% effectiveness, depend on Google to protect you from harmful apps, you can no longer take for granted that if an app appears on the Google Play store that it is 100% legitimate. To protect yourself as an Android user, you should:
- Make sure to have a reputable Anti-malware app installed (I like Webroot’s Security & Antivirus).
- Read carefully the access permissions each app is asking for before installing.
- Pay attention to user reviews and install count. If the app only has a small number of reviews and installs, give it a few days and check back to see the app survives internet scrutiny.
Fortunately, Google has a means to automatically reach out to any Android phone and purge apps that it has found to be harmful, but it’s much safer and less stressful to avoid being victimized in the first place.
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of it’s the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probaby the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that being generated based upon information gathered on the internet from sites like Facebook and Linkedin, making it harder and harder to spot the fakes in your email.
Just in time to ride the publicity wave created by Amazon Prime’s Delivery Drones, infamous MySpace hacker Samy Kamkar has created a flying drone that can hack other drones and take over control of them. Before you grab your bug-out bag and head to that bunker in Montana, it may ease your fears somewhat to understand the drones in question are of the toy variety, versus the death-dealing military variety. The popular Parrot AR Drone is controlled from an iPad or iPhone via unencrypted Wi-Fi, a feature that Mr. Kamkar takes full advantage of in his miniature drone predator, aptly dubbed, “Skyjack“.
What this means for you:
While Skyjack is a long ways away from hacking the various UCAVs that are in extensive use around the world, it’s not hard to imagine how this could escalate the high-tech arms race fueled by the highly-publicized arrival of combat drones in the Afghanistan invasion. The idea behind Skyjack is a drone that can hunt out other Parrot AR Drones autonomously and enslave them. Fly Skyjack into a park where enthusiastic drone pilots are taking their Parrots for a spin, and the more unscrupulous Skyjack pilot can steal away the $300 devices in a blinking of an LED. Now extend that idea to a drone that can fly around neighborhoods, hunting out unsecured Wi-Fi networks or routers, hacking them, logging their locations, and then returning to its owner with map and database of ripe targets. Have I frightened you enough yet to get you to change the password on your home router to something a bit harder to guess?
Image Courtesy of Wikipedia.org
While analyzing the data trail of the recent, highly-publicized Adobe security breach and data theft, researchers also discovered data that appears to have been stolen from a prominent online broker of limousine and towncar services. Among the some 850,000 customer records discovered were such illustrious names as Donald Trump, LeBron James and Tom Hanks as well numerous other wealthy and/or famous individuals. The data also included credit card information, pickup times and locations and even ID numbers of private airplanes used by this company’s customers. The records also included notes on customer behaviors and activities including a number of tidbits that could prove embarrassing or even potentially incriminating. Even if the data were to somehow avoid falling into the hands of police or tabloids, it’s highly likely that cybercriminals will have already cherry-picked many of the customer records for their potential use to fuel spear-phishing attacks and other focused cyber-espionage attempts on corporate and government targets.
What this means for you:
You may have enforced rigor and discipline in your own technology, to the point where you feel fairly confident that you can avoid most attempts to compromise your technology security, but the above points out an uncomfortable reality: you cannot control what information is being gathered about you whenever you interact with the rest of the world. You have two choices here: acceptance and vigilance – be watchful and cautious, and come to grips with the fact that 100% security is impossible, or move to a bunker in the wilderness, off the grid and completely isolated from society. However distasteful and infuriating the former may feel some days, the latter is just not a practical choice (or even possible) for most people.
Security researchers at Skycure have discovered another weakness in smartphone security, and this could impact you despite whatever security measures you’ve taken personally. Most smartphone operating systems, iOS and Android included, offer the ability to “remember” the SSID’s and passwords of Wifi networks you have accessed with your smartphone, and have the ability to automatically connect to that network the next time you are in range. Skycure has alleged that at least one major carrier, if not all of them, are also pre-programming certain SSID’s into phones straight from the factory, ostensibly to provide customers with a convenient connection with carrier-hosted or sponsored Wifi hotspots. For example, AT&T iPhones allegedly are shipping with the “attwifi” SSID preprogrammed into the phone, and will supposedly automatically join that wifi network, presumably in use by AT&T’s retail storefronts, if it comes across it.
Here’s why this is bad: hackers could spoof any SSID that you’ve set your smartphone to remember and autoconnect, and they’ve got a straight shot at your phone. Normally, this wouldn’t be a problem, as this requires guessing what SSIDs are stored on your phone, and then getting close enough to that phone with the spoofed Wifi network. But with the above, it would be trivial to sit in a crowded mall or any high-traffic walkway, scanning for AT&T iPhones, knowing that some, if not all, will autoconnect to a fake “attwifi” SSID without the owner ever being aware that they just got hacked.
What this means for you:
This exploit seems to be fairly new, and though Skycure claims to have seen this happening in the wild, it’s not widespread, yet. The best course of action is to disable the “autoconnect” setting for any wifi network you have used with your mobile device, whether it be smartphone, tablet or laptop. It will mean a few seconds of inconvenience anytime you are out and about and trying to get internet access, but it may mean the difference between keeping your cellphone secure or getting it hacked.
UPDATE: By default, Android phones will store SSIDs and passwords for any wifi network you add to your phone, and will automatically connect to that network whenever it is range. There is NO way to disable the autoconnect functionality built into the native Android settings. However, you can use an app to control automatic connections. I am currently testing this app, which is “free” but ad-supported. I’ve not tested it long enough to give a recommendation, but it does allow you to toggle the autoconnect functionality on or off per hotspot. On iOS devices, the only way to natively disable the “auto-join” feature is to actually connect to one of the pre-defined hotspots, eg. visit a local AT&T store, and then turn “Auto-join” off for that particular network.
In a public event hosted by the Reddit.com, infamous NSA whisteblower Edward Snowden answered questions posted by Reddit users on a variety of topics. Of particular note was his response to a question about whether encrypting emails would be an effective way to keep the NSA (or anyone else, for that matter) out of your business. Snowden’s response was both heartening and depressing at the same time:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
What this means for you:
Imagine you want to send a package that contains some very valuable items to a friend on the other side of the world. You carefully wrap the items and then lock them in a briefcase, which is in turn handcuffed to an armored guard, who is then transported via armored truck to your friend’s house. He makes sure that the package is put into your friend’s hands and verifies that your friend is indeed who he says he is, and he even calls you to let you know that the package has been delivered safely. This is analogous to using email encryption to send an email to a friend.
Unfortunately, your friend’s house has a broken lock on the front door, and he carelessly leaves the valuable items in plain view of a window that is also unlocked. That’s analogous to the weak endpoint security Snowden at the end of his response.
In other words, it doesn’t matter how much security you engage on your end if your recipients don’t engage in the same level of security. To use another real-world analogy: cyber attacks are like water – they will flow into every nook and cranny, looking for a way in. It doesn’t matter if 99% of the surface it is covering is impenetrable. That last 1% provides the hairline crack needed to seep in and destroy everything from the inside.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net











