Are Your Connected Devices Safe?


The number of Internet of Things (IoT) devices in use is forecasted to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (which was the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.

It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, that is unlikely to happen. So, what do we do between now and the next large-scale compromise?

I’m specifically recommending a cyber “time-out,” a moment to stop, reflect and correct course, and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.

Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.

We need a time-out to think through and implement best security practices for the IoT market.

Are Connected Devices a Cyber Catastrophe Waiting to Happen?

With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.

IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.

On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.

Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls associated with them. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.

So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.

Even the most cursory look backward reveals the likelihood of future attacks.

New Products, Better Prospects?

Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder what lessons have been learned from recent large-scale security failures.

In the Mirai catastrophe, IP cameras, DVRs and home routers were hijacked and roped into a botnet that attackers used to launch a massive distributed denial-of-service (DDoS) attack against Dyn, the DNS provider whose servers resolved the domain names of major websites. Sites knocked offline or degraded by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.

The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with factory-default usernames and passwords that many people never bothered to change (some devices don’t permit them to be changed at all), and Mirai simply logged into exposed devices over telnet by trying a short list of those defaults. Security took a back seat in the race to the marketplace. The compromised devices kept working normally, so their owners noticed little or nothing, while the attackers used all those footholds to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate of the total cost is in the billions, not millions, of dollars.
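The remedy the article keeps circling back to is a device that will not operate on its factory default. The following is an added example, not code from the article or from any vendor it names, of a first-boot credential gate: the device refuses to bring up its network services until the owner replaces the default with a password that is not on a known-default list and meets a minimum strength bar. The default list, the `Device` model and the policy thresholds are illustrative assumptions, not a real product’s data.

```python
"""
Added example (not from the original article or any vendor it names):
a first-boot credential gate for a connected camera. The device will not
start its network services until the factory default has been replaced
with a password that passes policy. KNOWN_DEFAULTS, MIN_LENGTH and the
Device model are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative list of factory defaults of the kind Mirai tried over telnet.
# A real product would ship the defaults it actually used here.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("root", "root"), ("admin", "password"),
    ("root", "12345"), ("admin", "1234"), ("user", "user"), ("root", ""),
}
MIN_LENGTH = 12  # assumed policy minimum


def check_password(username: str, password: str) -> List[str]:
    """Return policy violations for a proposed credential (empty list = acceptable)."""
    problems = []
    if (username, password) in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("equals the username")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored on the device."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Device:
    """Minimal model of a camera's credential store and service state."""
    username: str = "admin"
    salt: bytes = b""
    digest: bytes = b""
    credential_changed: bool = False  # False = still on the factory default
    services_enabled: bool = False

    def set_owner_password(self, username: str, password: str) -> List[str]:
        """Apply the policy; on success replace the default and return []."""
        problems = check_password(username, password)
        if problems:
            return problems
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.credential_changed = True
        return []

    def verify(self, username: str, password: str) -> bool:
        """Constant-time credential check; the factory default never logs in."""
        if not self.credential_changed or username != self.username:
            return False
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def start_services(self) -> bool:
        """The gate: no network-facing services until the default is gone."""
        self.services_enabled = self.credential_changed
        return self.services_enabled


if __name__ == "__main__":
    cam = Device()
    print("services up on default credential:", cam.start_services())
    print("rejecting admin/admin:", cam.set_owner_password("admin", "admin"))
    print("accepting owner password:", cam.set_owner_password("owner", "Correct-Horse-Battery-9"))
    print("services up after change:", cam.start_services())
```

The important design choice is that `start_services` consults only `credential_changed`, so the gate cannot be bypassed by a partial setup flow; a product that instead merely nags the user to change the password leaves the telnet door open exactly as the Mirai-era devices did.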

In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.

Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”

My questions:

There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?

What measures have been taken to protect other smart home products from hackers?

These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.

The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.


The post Are Your Connected Devices Safe? appeared first on Credit.com.

5 Cyber-Security Myths We Need to Ditch

Pick a subject, any subject, and there are myths and pure nonsense that someone will buy into.

  • Birds will die if they eat the uncooked rice flung at newlyweds. (Nope)
  • If you eat Mentos and drink Diet Coke simultaneously your stomach will explode. (Hardly)
  • You only have one credit score. (Wrong)
  • Napoleon was short. (At 5’ 6”, his height was average in his day).
  • “President Obama was the founder of ISIS.” (Oh, come on Donald!)

Cyber-security has its own set of misconceptions as well. Here are five.

1. Software Will Protect You

Say it with me now: “Software alone is not going to stop cyber-crime, even a little.”

There is no more harmful notion than the one that leads people to do whatever they want on their computers or smartphones because they installed a piece of security software or downloaded an update. While software has its benefits, they often have to do with containing damage, not stopping an attack.

The false sense of security fostered by the idea that software can protect anyone from the kinds of daily mutating, highly sophisticated attacks out there today is dangerous.

2. Cyber-Crime Is Mostly About Credit Card Fraud

The idea that cyber-crime is just about credit card fraud is a pernicious misconception that, ironically, can lead to credit card fraud and other forms of credit-related crimes.

There is no single right answer to the question of which form of cyber-crime is most prevalent. But by far the majority of the capers out there are focused on grabbing colossal amounts of personally identifying information from organizations that do business with millions of people or, alternately, stealing confidential business information that can be sold to the highest-bidding competitor. Sure, there are other forms of attack, some of them very much on the rise, such as ransomware schemes, but by and large the focus among cyber-criminals is on sellable information and making a lot more money than can be had from running up charges on a single stolen card.

That said, the ways that stolen information can be used lead back to consumers and can very easily result in credit fraud, since stolen data can be purchased by identity thieves for next to nothing on the dark web.

3. Cyber-Crime Is Only About Making a Buck

If cyber-crime were only about making money, we’d all be a lot safer than we are right now.

Let that sink in.

Make no mistake, there are hordes of hackers out there driven by ideology. Many are far less interested in making money than in making money disappear or taking down the electrical grid or rigging an election. For them, mere monetary reward is not a motivation unless it is needed to facilitate an attack.

This is the stuff of nightmares and blockbuster Hollywood films, and there isn’t a thing most of us can do to stop any of it from happening.

In a world where the Stuxnet worm that was used to attack Iran’s nuclear program is quaint technology and detonating a hydrogen bomb would inflict fewer casualties than a cyber-attack that shuts off the power grid, having our credit ruined by a pajama-wearing identity thief is the least of our worries.

4. Cyber-Criminals Don’t Target Small Businesses

The myth that cyber-criminals don’t focus on businesses that aren’t at the top of the food chain can be debunked with one name: Target. The company was hacked at one remove. The criminals managed to get malware onto its far-flung point-of-sale systems by coming in the side door: they merely had to compromise a smaller HVAC vendor whose network credentials gave them a way in.

No matter how small the enterprise, it must have serious security protocols and a meaningful cyber-defense plan, lest it suffer an extinction-level event and potentially bring down a whole lot of other folks with it.

5. There Is No Way to Stop a Cyber-Attack

This is the biggest myth out there, in my opinion. Except, of course, that in the final analysis it is true: There is no way to stop every single cyber-attack.

That said, for many attacks, PEBCAK is the answer. Unfamiliar with the term? It’s an oldie but goodie that anyone in IT will recognize, an acronym that neatly states why countless attacks succeed. PEBCAK stands for Problem Exists Between Chair and Keyboard.

While it is true that cyber-threats abound, the only way to contain the pandemic and meaningfully push back is if everybody does what they are supposed to do. That is a big “if.” But one can hope, and while fixing the human problem is a Herculean task, it’s a worthy goal.

If you’re concerned you’ve been a victim of identity theft, it’s important to keep an eye on your credit as new accounts in your name or a sudden drop in credit scores indicate fraud has occurred. You can view two of your free credit scores, updated monthly, by visiting Credit.com.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


The post 5 Cyber-Security Myths We Need to Ditch appeared first on Credit.com.

The National Security Nightmare the Candidates Aren’t Discussing


Whether you love it, or it makes you want to move south of the border, Donald Trump’s Great Wall of Mexico is an idea whose time has come.

That said, the Republican presidential candidate has a few things wrong.

First, The Donald’s wall is misnamed. It should be called the Great Cyber Wall of America or the American Cyberdome or, at any rate, something denoting a digital information and communication protection system.

The second thing Trump has wrong is functionality. The wall America needs should not be effective at keeping immigrants from entering our great nation. It needs to protect us from the vast array of hostile hackers who wish to do us harm from both within and beyond our sovereign borders — be they state-sponsored, terrorist, in pursuit of some cause, or simply precocious teenagers. It needs to protect every inch of coastline and border we have in three dimensions. And it needs to do this reliably.

Why a Cyber Wall Matters

In 2007, Estonia, the “most wired nation in Europe,” experienced something unprecedented: denial-of-service attacks that crippled the country. Wave after wave of attacks targeted government websites, Estonian newspapers, universities and banks. It wreaked havoc. The government took the extraordinary action of blocking international web traffic, effectively isolating Estonia from the rest of the world during a portion of the attacks. Then the assault stopped as quickly as it had started, but while it lasted, there were riots in the streets.

Those denial-of-service attacks were in retaliation for the Estonian government’s decision to remove a Soviet-era war monument. Increasingly, ideology is driving more fervent fights and drastic measures in the world.

Around Christmas in 2015, parts of Ukraine started experiencing blackouts. Large swaths of the population lost electric power, all of them in areas associated with opposition to the Russian annexation of Crimea and to the pro-Russia separatists. The blackouts were caused by hackers. To date, nothing has been proven about who was sponsoring them. The only fact in evidence is that a Trojan called BlackEnergy was used, and the initial penetration into the power companies was achieved through social engineering (also known as trickery and/or deceit in combination with all-too-fallible humanity). In this case, the social engineering took the form of spear-phishing: an employee was sent an email that appeared legitimate, opened its attachment, and, quite literally, all hell broke loose.
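The lure described above, an apparently legitimate email whose attachment does the damage, is the one an organisation can actually screen for before it reaches a human. The following is an added example, not code from the article or from any analysis of the Ukrainian incident, of a gateway-side attachment check: it parses a message, walks its attachments, and flags Office documents that carry an embedded VBA macro project (the document type the published analyses of that campaign described) as well as executables hiding behind document-like names. The sample message, its addresses and its file names are constructed for the example.

```python
"""
Added example (not from the original article): a mail-gateway attachment
check for macro-laced Office documents and disguised executables. The
sample message below is constructed for the example; the sender, recipient
and file names are invented.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Assumed policy tables: macro-enabled OOXML extensions and executable types.
MACRO_OOXML_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}


def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML zip carrying an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return the findings for one attachment; an empty list means nothing flagged."""
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    findings = []
    if ext in EXEC_EXT:
        findings.append(f"executable attachment type {ext}")
        if name.count(".") >= 2:
            findings.append("double extension hides executable")
    # Content beats extension: a renamed .docx with a macro project is still flagged.
    if has_vba_project(data):
        findings.append("Office document contains a VBA macro project")
    elif ext in MACRO_OOXML_EXT:
        findings.append("macro-enabled Office extension")
    return findings


def scan_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Parse a raw RFC 5322 message and report every attachment with findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        findings = inspect_attachment(filename, part.get_payload(decode=True) or b"")
        if findings:
            results.append((filename, findings))
    return results


def build_macro_docx() -> bytes:
    """Construct a minimal OOXML-shaped zip with a vbaProject.bin entry (sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed vba blob")
    return buf.getvalue()


def sample_message() -> bytes:
    """A constructed spear-phishing lure with two hostile attachments."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"
    msg["To"] = "operator@example.invalid"
    msg["Subject"] = "Urgent: updated outage schedule"
    msg.set_content("Please review the attached schedule before your shift.")
    msg.add_attachment(build_macro_docx(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="schedule.docm")
    msg.add_attachment(b"MZ constructed stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, findings in scan_message(sample_message()):
        print(f"{filename}: " + "; ".join(findings))
```

The check inspects the zip contents rather than trusting the declared MIME type or extension, because the same macro project inside a file renamed to `.docx` would otherwise slip through; a gateway policy would then quarantine or strip the flagged parts rather than merely log them.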

Because many cyber attacks have a social engineering aspect, there is a tendency in the data security community to assume that there is no cure-all for the cyber insecurity that ails us worldwide. But regardless it is a problem in dire search of a solution.

Just last week, National Security Agency Director Adm. Michael Rogers underscored our need for better protections when he said it was a question of “when, not if” state-sponsored hackers would take out parts or the entirety of our power grid, our communications and our emergency response systems. Doubtless, banks and other financial organizations are tasty targets as well.

Meanwhile on the Campaign Trail

This election season we haven’t heard a whole lot about cyber security (or the lack thereof), which boggles the mind. After all, the barbarians are no longer knocking at the gate. They are crawling through millions of investigative reports at the Office of Personnel Management, harvesting tens of millions of Social Security numbers in the breached files of our health insurers, burrowing into countless bank accounts and medical files, rifling through our travel plans, diverting billions of tax refund dollars from the IRS and (doubtless) exploring various avenues into our power grid.

Yet there has been barely a peep on the campaign trail, save former Sen. Jim Webb — who, as you will no doubt remember, was quickly dispatched to the scrapheap of Presidential election history.

Instead, we are witness to a heated debate about the size of a candidate’s hands, and get “Big Donnie” and “Little Marco” sniping at each other like eighth graders who have a crush on the same person while Hillary tries to sound more like Bernie without alienating Wall Street. Meanwhile, Bernie keeps delivering the same stump speech despite a horde of superdelegates who plan to make Hillary the Democratic nominee regardless of his performance in the primaries.

I don’t just blame the candidates. The media has had a hand in this. Les Moonves summed up part of the problem recently when he said that this crazy election “may not be good for America, but it’s good for CBS.”

In an era of reality show politics, why would anyone with any skin in the game want to risk losing the eyes and ears of Americans because they talk about something substantive like cyber security? Unfortunately, just as convenience often trumps security in this day and age, the failure to intelligently discuss and debate various approaches to keeping our nation cyber safe is a major opportunity loss for the U.S.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.



The post The National Security Nightmare the Candidates Aren’t Discussing appeared first on Credit.com.