There is an interesting article in this week’s New York Times: Why ‘Smart’ Objects May Be a Dumb Idea. In it, the author, Zeynep Tufekci, notes that with the rapid proliferation of smart things, not enough has been done to secure them from hacking. There have been several examples recently of cars being hacked to demonstrate the dangers.
Though I’ve written about the Internet of Things in the past, specifically around the Nest thermostat, I’ve been surprised to hear how many items have been getting connectivity. Some items make sense: door locks, thermostats, lamps, televisions, automobiles. Others are a little surprising, like light bulbs, refrigerators and ovens. Still others are frightening, like rifles.
The problem that they all share is how to keep them secure against hacking. At the most benign, hacking them can undermine privacy, even if it’s not clear why. Take Nest thermostats. Hacking into a Nest user’s account will show whether there is anyone at home. Whether at home or away, a fair amount of mischief is possible exercising control of the thermostat. On the other end of the spectrum, the threat of someone controlling your car is terrifying!
The general concern in the security community is that the various manufacturers are not implementing holistic security practices. Rather, they are reactively fixing discovered issues, but are not properly looking for and proactively fixing security weaknesses before they are identified by a third party or, worse, become exploitable “in the wild.” A perfect example is the auto hacking. Why has there not been a firewall between the Wi-Fi capability and the computers operating the car itself? That would be easy to do, with no loss of functionality, yet the manufacturers apparently didn’t see the need.
As a result, I’m personally slow rolling on the Internet of Things. Yes, I have a smart TV and the Nests, but I’m not running out to purchase smart door locks, nor does my TV have a camera or microphone. Though one of our cars has Wi-Fi, we don’t really need it, so I’ve disabled it for now; the risk is currently not worth the reward.
Fortunately, the car hacks that the media has been yelling about of late were performed in laboratory conditions, which is to say that to hack the car, the researchers needed access to the vehicle at some point to be able to retrieve the data required to get remote access to the vehicle. As a result, we’ve not yet seen any incidents in the wild.
What should you do? Like everything on-line these days, you need to evaluate the value you get with smart devices and weigh that against the risks posed. As always, do not take the enhanced capabilities at face value or, worse, do it because it’s cool. The good news is that we’ve not yet seen widespread hacking of appliances and other “things”. That said, it’s probably a matter of time before it happens.
As readers of this blog know, I run Windows in a virtual machine (VM) on one of my Macs. Though I can do most everything on the Mac, there are a few apps that I depend upon that do not run on the Mac, so I run them on Windows. Also, I test various topics for this blog on both Windows and Linux VMs.
Before performing any change as major as upgrading your operating system, you should do a couple things:
- Ensure that your applications and devices are compatible. Check Microsoft’s Compatibility Center. I found the site to be helpful, but didn’t find everything I run on my Windows box, so I also needed to check with various app vendors.
- Back up your system! Let me say it again (with emphasis): BACK UP YOUR SYSTEM! Upgrades typically work fine, but they can go south and put you into a world of hurt if you’ve not backed up. See my post on Systematic Backups for more information. BTW: If you’re running in a virtual environment, simply take a Snapshot, which will permit you to easily recover your system to a pre-upgrade state.
- Finally, be aware of a new feature that has serious security implications: Wi-Fi Sense.
Now that Windows 10 is available for upgrade, there is a new feature that you should know about prior to upgrading your system to Windows 10.
The new feature is called Wi-Fi Sense. Wi-Fi Sense allows you to share your Wi-Fi network credentials with friends and family without explicitly giving them the credentials. When enabled, Wi-Fi Sense copies your credentials into the Microsoft Cloud, where anyone on your Outlook, Skype or Facebook friends list can automatically connect with your Wi-Fi network when within range. It’s an interesting feature but personally, I think the security concerns far outweigh the benefits.
It comes enabled by default, but it can be disabled. My concern is whether it saves your credentials prior to you explicitly disabling it. By that I mean, if you disable it after you upgrade, it appears that the credentials have already been stored by Microsoft and there is no indication that they will be deleted from their servers. Given the current security climate, I’d be a little uncomfortable with this.
If you tend to give your friends and family credentials (as opposed to maintaining a “guest” Wi-Fi account) liberally, then this could be a more secure method since you don’t need to provide the actual password in unencrypted form.
The only way to securely opt out of this feature for your network is to rename it, adding the string “_optout” to the SSID. This is really inconvenient and totally unnecessary. However, for now, this is the only method to ensure that your Wi-Fi credentials are not compromised.
For more information, see the following articles:
- Brian Krebs – Windows 10 Shares Your Wi-Fi With Contacts
- Ars Technica – Wi-Fi Sense in Windows 10: Yes, it shares your passkeys; no, you shouldn’t be scared
It will be interesting to see how this develops over the next few weeks. As always, unless the upgrade is needed, it’s a good idea to delay upgrading to a major new release until things settle out. Also, a reminder to check to see if your favorite applications are supported by Windows 10.
Are your pictures, financial data, letters, music, videos and other critical data protected?
- Is it protected if your disk drive dies?
- Is it protected if your computer is stolen?
- What about if there is a fire at home that destroys everything?
- If you corrupt a file?
- Is the data changed or added within the last 24 hours protected? The last hour? Or was the last backup a week ago?
If your answer is no, or sorta or something other than a definitive YES, then you need to address backups. There is no excuse not to have reliable and automated backups.
Recently, I watched one of my favorite mini-series, Band of Brothers, which describes the (mostly) real exploits of the 101st Airborne Division during WWII. There’s a funny scene (and funny scenes were in short supply) in the film where during a training mission, one of the characters pretended to be a general, yelling a command from behind a bush to the officer in charge of the platoon. This particular officer, Captain Sobel, was distrusted by the men and his acting on the prank command helped undermine Sobel’s reputation with Command.
I thought about this episode when I read the Krebs on Security post entitled Spoofing the Boss Turns Thieves a Tidy Profit. In this post, Brian Krebs describes an administrator by the name of Judy, who received an email from her boss to wire $315,000 to a supplier ASAP. Though she started the process, she was bothered by the “tone” of the email, went back and examined the message and determined that it wasn’t from her boss. It turns out that someone had created a domain name that was one character different from the company’s domain name. It looked OK, until examined more thoroughly. Fortunately, she was able to pull back the wire transfer, no harm, no foul.
In this case, the goal was a wire transfer. The more common reason is a phishing attempt. Periodically, I’m sure you’ve seen an email from a friend that says something like: “Check this out!” and gives a URL. You click on the URL contained within the bogus message and end up with malware on your computer. This is the way many of the major corporate security lapses begin, by someone acting on a bogus email message.
Vigilance and good policies can help reduce the impact of these false emails. Judy’s life would have been much easier if she’d called the sender to get verbal confirmation of the wire request. Many companies are adding verification steps to the process of issuing payment.
For the individual, always take a second look at every email that asks you to do something, particularly clicking a URL. Is the tone consistent with the sender? Is the sender’s email address correct? For an email from a “corporation” (e.g. American Express), is the URL correct? Frequently, it will look OK, but the underlying address itself is wrong … hover over the URL for the real address.
Finally, always enter URL addresses by hand. Do not activate them from the email.
Over the past few years, there has been a continuing barrage of calls from people claiming to be from Microsoft offering to “fix” the malware that they’ve detected on my and likely your computer. At my house, I’ve gone through periods where I’ve received several of these calls in a single evening. What’s unsettling is that the callers know your name and possibly other details about you, including your spouse’s name and home address.
Everyone who reads The Family HelpDesk missives knows that these calls are fake and should be ignored, as the goal is to get onto your computer and, using a variety of methods, find ways to separate you from your money. For details on this scam, see the Snopes article entitled: Microsoft Impersonation Scam.
Unfortunately, this scam has taken a dark turn. Reports are coming in that callers are now threatening people who don’t sign up for the service. I’ve heard (from a local police department) that at least one caller was threatened to be killed when she declined the service.
Every once in a while, a warning will pop up that says something like:
The site does not have a security certificate that is trusted!
The site has an expired security certificate!
with the options to proceed to the site or back away. Many (most?) of us simply click through to the site, assuming this was caused by an administrative problem, which will not impact us. After all, we’ve been doing it forever and nothing bad has happened, right?
Unfortunately, this can be a bad decision, with ramifications that you might not understand for quite a while.
By now you’ve likely heard about the sophisticated security breach at the health insurance provider Anthem. It’s been reported that up to 80 million healthcare records, including social security numbers, have been compromised.
What I didn’t realize until recently was the value to criminals of healthcare records. It turns out that healthcare records make it easier to perpetrate identity theft than other methods. What I don’t know is whether that’s because social security numbers are exposed or if there is other data that makes it easier. Regardless, healthcare records get significantly more money per record than credit card records, up to $80 per record. This makes the value of this crime up to $6B.
However, the purpose of this post is not the breach per se. Rather it’s about the phishing emails and phone calls that either the perpetrators or others are engaging in. They have sent out emails that look something like this:
They have also been actively phoning potential victims offering to “help”.
These are scams. Anthem is sending mail via the USPS to affected customers. That is the only method that Anthem is using to contact affected customers.
For more information on the breach and Anthem’s response, see their FAQ.
Periodically, I’ve collected enough varied topics for the Helpdesk that I need to clear them out. Since the groundhog has just seen his shadow in Punxsutawney, PA (the only true weather prognosticating groundhog), here’s my latest attempt to clean out the cobwebs:
Hackers steal over a billion passwords
This particular hack leverages the fact that folks use the same passwords for multiple sites and apps. The obvious, but hard-to-execute, solution is to always use unique passwords. A 90% solution is to use a password manager. It’s a 90% solution because there are some cases where it doesn’t work as well; however, for these cases you can use it to store an encrypted note with these passwords.
In October, I wrote a post entitled: Password Mangers — Worth it?
Apps to deauthenticate before decommissioning a device
Also, Lifehacker authored a really useful article on apps to deauthenticate prior to preparing the device for resale or recycling. I’ve written in the past about the steps to take prior to decommissioning a device or computer, from erasing old hard drives to preparing phones and tablets for resale or recycling.
What I haven’t written about, or really understood, was how many apps also need to be deauthenticated from the device or computer. Given the increased security being designed into apps and devices, you could find yourself without the rights to use the app without repurchasing the license or, worse, with no license to your data (e.g., music, videos, etc.).
How to clean your computers and devices
Continuing the Lifehacker string, they wrote an article on How to Properly Clean your Gadgets without Ruining them. This is a useful article that you might want to squirrel away for future reference.
One addition to their methods is that I keep a bottle of Monster iClean at the house, which comes with a microfibre cloth. When you need more than just a wipe down on screens, this product (or others similar to it) works very well.
How to break into your computer
For the most unsettling article that I’ve found, Lifehacker has a series of tutorials on how to break into your computer and how to shut down the methods noted in the tutorials. Suffice it to say that having a password on the computer doesn’t prevent a knowledgeable and determined individual from being able to crack it.
The good news is that to do this, they would need access to the physical computer. The two best methods to lock your system down are to have long passwords that are difficult to crack by brute force and to have your main drive encrypted. The latter is crucial to prevent someone from mounting your drive from either another computer or a USB/CD booted OS to access the files. See my post Your technical New Years Resolutions for how to encrypt your whole drive on the Mac and Windows systems.
A couple notes on the Lifehacker tutorials:
- They were created before TrueCrypt was discontinued. When the tutorials mention TrueCrypt to encrypt your whole drive, use the method provided by Microsoft or Apple.
- They provide a method for brute force cracking passwords on a Windows machine. Though they don’t mention a similar method on Macs, don’t assume it can’t be done.
How to build a computer
When I was a kid, we loved to work on cars. A couple of my friends were into ham radio and built and maintained their ham components.
Computers have replaced this hands-on activity for many folks, young and old. A couple years ago I wrote about the Raspberry computer in Do you have a kid who likes to tinker with stuff? However, if you’d like to build a mainstream computer from scratch (or modify an existing one), check out Lifehacker’s How to Build a Computer, the Complete Guide.
Five things that Facebook asks for that is none of their business
Last month, Kim Komando wrote an article on these 5 things. It’s a short, but interesting read. The gist of the article is to take care about what you post so that you do not inadvertently give away stuff that will help the bad guys.
That’s about it for this edition of Clearing out the Cobwebs. Stay safe and warm this winter.
It’s Sunday morning and I’m doing what many folks do on Sunday morning, reading the newspaper and other news sources. On CNET, I came across a remarkable milestone.
100 years ago today on January 25, 1915, the first transcontinental telephone call occurred in the US. Alexander Graham Bell asked from New York City: “Ahoy! Ahoy! Mr. Watson, are you there? Do you hear me?” and his associate Thomas Watson replied from San Francisco: “Yes, Mr. Bell, I hear you perfectly. Do you hear me well?”
The innovation that permitted this to work was the vacuum tube amplifier. Prior to the connection to San Francisco, there was a connection from New York City to Denver. To complete the wire to San Francisco, the signal needed to be amplified.
Later that day, the first commercial coast-to-coast call was made for $20 for 3 minutes or roughly $400 in today’s currency.
Though a century seems to be a very long time ago, the technological advances over the past 100+ years really are amazing. When I was a kid, making a long-distance call was a very big and very expensive proposition. Today, it’s just a call (or a text or an email).