Internet of Crap

Welcome to the wonderful world of the Internet of Things. You’ve probably seen this term in the news a bit lately. Perhaps you read about it in connection with a massive botnet called Mirai, or its even more potent descendant, IoT_reaper.

The term Internet of Things (IoT) refers to items – other than computers, tablets or mobile phones – that are connected to the Internet and communicate back to their manufacturers or distributors. A prime example is printers and copiers that send supplies-consumption and problem-diagnostic data back to the manufacturer. This allows service calls and supply replenishment to arrive with minimal delays in production. A great benefit, to be sure.

The problem arises when large numbers of consumer devices start using this same capability, but without much in the way of careful design or attention to the possible security compromises. A buyer of a $1,500,000 production printer may safely assume that some attention has been given to this issue by the manufacturer. They also know that $1.5M worth of business gives them quite a bit of leverage to press the manufacturer to fix it if something is wrong. But a buyer of a $20 “smart” light bulb has neither of these safety factors. For $20, you get what you get.

As more low-cost consumer devices all start turning up with internet capability, we start to see some very odd ideas expressed in this technology. Late in 2015, we learned about a vulnerability in Samsung refrigerators that exposed customers’ GMail logins (including passwords) to cyber-criminals. Many people had questions about this. “How could this happen?” “Have they fixed the problem?” My question was, “WTF were REFRIGERATORS doing with GMail logins?” This illustrates the first principle of IoT security:

  • 1st Principle of IoT security: Don’t give your devices information they don’t need. Think about what could be the impact, when information you give to something like a refrigerator is leaked to cyber-criminals. If a device works and does what you want despite the fact it’s still asking for some information, drop the matter. Its feelings won’t be hurt; it has no feelings.

As I have said a number of times in this space, the essence of security is not absolute, but relative safety. Make trade-offs intelligently between risks and benefits.

When I get a new device, one of the first things I do is assess what I will gain by connecting it to my network and to the internet, vs. what might be at risk if the device’s security is not up to snuff. Most of the time, my conclusion is, “don’t connect it at all” or “connect it to the home network but keep it off the internet.” If your router has a parental controls feature, where you can restrict your kid from getting online, you can also use that to restrict your fridge from getting online. Most devices’ main reason for being connected to the Internet is to feed data back to their manufacturer that can — at the most benign end of the spectrum — be used for marketing purposes. Consider that when assessing the risk side of this question.

  • 2nd Principle of IoT security: Don’t allow devices to connect directly to the Internet or the rest of your home network unless necessary.  Figure out what you’re really giving up if you don’t connect the device. And if the answer is, “not much”? Don’t plug in the wired connection, don’t give it the WiFi password, just say no.

Brian Krebs is an information security researcher (hacker!), with a blog that is very popular in our field. He does a lot of independent investigation of cyber-criminals, and as a result he often draws their ire. He has had heroin shipped to his door, and they have spoofed phone calls to police that result in the SWAT team being dispatched for the non-existent “hostage situation.”

Last fall, Krebs’ blog website was hit by the largest denial-of-service attack that had ever been seen to that point: a botnet directed over 660 gigabits/second of bogus traffic at his server. For comparison, the fastest connection available from Time-Warner in Rochester is 50 megabits/second, so this was larger by a factor of 13,200. That much traffic focused on a single web site will take the servers down by sheer volume alone.

Upon investigation, the source of the traffic turned out to be infuriatingly simple. The attackers had just scoured the internet for connected IoT devices and checked whether they still used the manufacturer’s default username and password for remote access. They were able to find millions that did, mostly CCTV cameras and cheap routers. Those were harnessed by the criminals to start sending Krebs a synchronized tidal wave of garbage network traffic. It’s tempting to say they were “hacked,” but they weren’t, really. Their owners had offered them to the public with the documented default logins, effectively free to use for all comers.

  • 3rd Principle of IoT security: Change the default username and password. If the install process forced users of all new devices to choose any non-default username and password, that alone might have been sufficient to stop the attack on Krebs.

So to recap: our three principles of IoT Security are:

  • Don’t give your devices information they don’t need.
  • Don’t allow devices to connect directly to the Internet or the rest of your home network unless necessary.
  • Change the default username and password.

Yes, there are problems in IoT security, and we’re going to need the manufacturers to address poor designs and worse implementations. But by applying these three principles, we can reduce the impact on our own lives, so that we still get some benefit from these modern things.

 

Time to Go!

Where?  To the Rochester Security Summit of course! It kicks off tomorrow for two days of security geeking-out.  I am looking forward to it plenty.  My talk is on Friday at 2PM about full and responsible disclosure of bugs, bug bounties and so on.

This weekend I will make a post here, covering that topic.

Death and Taxes

Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die[*]. While we each have a will to cover our possessions and assets, how many of us include in that document what to do about digital assets? More to the point – if someone dies and leaves no will, the law is reasonably straightforward about what to do with their possessions and finances. But our legal system has not yet really begun to address consistently what to do with the dear departed’s Facebook or Twitter accounts, their email, websites, and so on. These are digital assets, but there’s not necessarily a physical item that corresponds to any of them. To make sure these are handled according to my wishes after I die, I have made a “data will.” Note: I am not a lawyer and this is not legal advice. If you want your “data will” to be enforceable as part of your actual, legal last will and testament, you must consult a lawyer.

What’s in a data will? This will differ in the details for everyone, but I think these major sections are a good starting point. First and foremost, passwords. If you are using some kind of password management tool (as I suggest!), this will be easy. You will only need to tell your survivors where the password data resides and what the master password is to gain access to it. If there’s no password manager wrangling all your individual passwords, you’ll have to list them all in this document, or an attachment. The password list or manager also provides a map of where you had an online presence and business or personal relationships, which will help in other ways.

If some of your online accounts have two-factor authentication such as an app on your phone that generates a 6-digit code when logging in from a new device, etc., make sure the document details where to find that, and how to use it. Also, include information on how to unlock your phone!

Email is still a fundamental service in the online world, especially when it’s the focal point for most sites’ password-reset processes. So make sure your document includes an abundance of information as to where your email is delivered, how to log into it, and pointers to the password manager entries for the email password (or the email password itself).

You may wish some of your online accounts and services to continue running. For example, you may host a family website, or use a backup service that includes your spouse’s or other family members’ data. Instructions as to what should be kept going vs. what can safely be shut down will be useful here. Also consider that any auto-pay arrangements, such as monthly or annual billing to a certain credit card or via PayPal, might not be obvious to your loved ones. Make these arrangements explicit in this document.

Finally, how to notify online friends & colleagues of your death. Many of us are members of virtual communities that might not have visibility to other more traditional ways our death would be communicated, such as local obituaries or even Facebook pages. If you are a member of professional mailing lists or other such niches of cyberspace, make sure your survivors will know how to send a notification to those communities. You may have been working on a joint project at the time of your death: it’s only polite to let the team know you won’t be at the next meeting.

Once you have completed this awesome document, you have two main things to worry about: How to make sure it has the desired effect once it’s needed, and how to keep it safe, meanwhile. I mentioned above that if you want it to be legally enforceable, then you need to consult with a lawyer as to how to make it part of, or an attachment to, your will. Be sure to confirm whether or not it will become part of the public record – if so, you will want to work with your lawyer to conceal the passwords and other sensitive information in your document.

As for the security of the document while you’re still alive, I refer back to the three most basic concepts of information security: Confidentiality, Integrity and Availability. All three of those apply here, with very high stakes. You need to be sure the document is not disclosed to anyone unauthorized, that it is not altered without your knowledge, and that your survivors can get to it after your death without serious obstacles. There are many ways to accomplish each of these three things, but what I will delve into in a future post is document storage “in the Cloud,” and how that can address all three of these concerns.

This article originally appeared in the September 2016 edition of The Empty Closet.


[*] – except maybe Peter Thiel but really… who wants to be a vampire?

The Most Basic of Basics

There are three elements of safer computing:

  • Confidentiality — keeping what must be private, private
  • Integrity — making sure no changes are made without your authorization
  • Availability — making sure you can get to everything you rightly should be able to

Everything I am going to suggest to you in these pages supports at least one of these elements.

There are a lot of things to talk about, and some of them need a pretty detailed discussion. But to begin, I am going to ask you to look at the most basic – even unglamorous – things that are just so important they should never be neglected. So let’s start right out with the most unglamorous one of all, but also the one most effective at helping you recover from the greatest variety of hazards.

Backup

All your important data should be backed up, ideally in two or more different ways. For example, if you copy everything to Google Drive or Dropbox, you should also get an inexpensive removable drive like a Passport or a MyBook and copy everything to that.

Backup is really cheap protection against so many hazards, everything from a ransomware infection to a house fire. Using different locations diversifies your protection. If the MyBook is in the house next to the computer when fire breaks out, it’s not likely to be usable as the backup. On the other hand, if you need to get files back quickly after a mishap like an over-enthusiastic disk cleanup, a MyBook will be five to fifty times as fast as pulling data back down from somewhere on the internet.

Make sure that however your backups run, they don’t require you to remember to do something every time. You can set them to be scheduled for a certain time or choose a backup scheme that runs continuously, monitoring for new or changed files all the time and backing them up in the background. The schedule you choose determines how much data you can expect to lose after a disaster. What this means is, if you suppose you might lose your main disk at any random time, and you have a backup that runs once a week on a schedule, then your data loss from what hasn’t been backed up can be up to seven days’ worth of changes. If that’s tolerable to you, then a weekly schedule may be just fine. But if you cringe at losing even seven hours – never mind seven days – of changes to your data, you should be looking for a backup that runs daily or continuously.

Finally, a bit that too many people forget: testing. Every so often (I would suggest once a month: set a calendar reminder), you have to test your backup to make sure it does what it says on the tin. Pick a file at random from a recent backup, and restore it. Don’t overwrite the original; choose another location. You want to be able to confirm that the restored file and the original match. Besides confirming your backups actually work, it also keeps your hand in on working the restore process. In an actual emergency where you need to restore critical data, deer-in-the-headlights is not a good look on you.
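To make that monthly restore test concrete, here is an added example script (not code from the original post) that picks one random file from a backup, restores it into a scratch directory rather than over the original, and compares SHA-256 hashes of the two copies. It assumes the backup is a plain directory mirror of the original tree, like the removable-drive copy described above; the directory layout and sample files are constructed for the demonstration, and the `demo()` helper exists only to exercise the three outcomes a practitioner should expect to see: a match, a silently corrupted backup, and a file that exists in the backup but no longer in the live tree.

```python
"""Restore-test one random file from a directory-mirror backup (added example)."""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_random_file(backup_root: Path, rng) -> Path:
    """Choose one regular file from the backup tree; the path is relative to
    the backup root so the same relative path can be located in the original."""
    files = sorted(p.relative_to(backup_root)
                   for p in backup_root.rglob("*") if p.is_file())
    if not files:
        raise ValueError(f"no files found under {backup_root}")
    return rng.choice(files)


def restore_test(original_root: Path, backup_root: Path, rng=None) -> dict:
    """Restore one random file from the backup into a scratch directory
    (never over the original) and compare hashes with the live copy.
    'ok' is True only when the restored file matches byte for byte."""
    rng = rng or random.Random()
    rel = pick_random_file(backup_root, rng)
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        restored = scratch / rel
        restored.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, restored)  # the actual "restore" step
        original = original_root / rel
        if not original.exists():
            # Present in the backup but gone from the live tree: the backup is
            # stale, or the file was deleted on purpose since the last run.
            return {"file": str(rel), "ok": False, "reason": "missing from original"}
        same = sha256_of(restored) == sha256_of(original)
        return {"file": str(rel), "ok": same,
                "reason": "match" if same else "content differs"}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)  # never leave copies behind


def build_sample_tree(root: Path) -> None:
    """Constructed sample data so the example runs offline."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "taxes-2016.txt").write_bytes(b"constructed sample: tax notes\n")
    (root / "photos").mkdir()
    (root / "photos" / "cat.jpg").write_bytes(bytes(range(256)) * 4)


class _LastFile:
    """Deterministic stand-in for random.Random used by demo(): always picks
    the last file in sorted order (photos/cat.jpg) so scenarios are repeatable."""
    def choice(self, seq):
        return seq[-1]


def demo(scenario: str = "clean") -> dict:
    """Build a constructed live tree plus a mirror backup, optionally damage one
    side, and run the restore test. Scenarios: 'clean', 'corrupt', 'missing'."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        live, backup = work / "live", work / "backup"
        build_sample_tree(live)
        shutil.copytree(live, backup)  # stands in for the backup job itself
        if scenario == "corrupt":
            (backup / "photos" / "cat.jpg").write_bytes(b"truncated")
        elif scenario == "missing":
            (live / "photos" / "cat.jpg").unlink()
        return restore_test(live, backup, rng=_LastFile())
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name in ("clean", "corrupt", "missing"):
        print(name, "->", demo(name))
```

In real use you would call `restore_test(Path.home(), Path("/Volumes/MyBook/home"))` (or wherever your mirror lives) from the calendar-reminder task and keep the printed report; a "content differs" result on a file you have not edited since the last backup is exactly the silent failure the monthly test exists to catch.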

A wide variety of free and low-cost backup software is available. Check out these superb write-ups from Tech Support Alert, a site that specializes in reviews of freeware. For Windows, browse to http://is.gd/WinBackup and for Mac, http://is.gd/MacBackup

 

Questions? Send them to questions@safer-computing.com

This article originally appeared in the May 2016 edition of The Empty Closet.

Safer Computing

I call this blog “Safer Computing” because I want to evoke some of the same ideas we think about when we talk about “safer sex.” We know sex with others can’t ever be 100% absolutely safe. So we are being clear-eyed about those risks when we intelligently reduce them until the benefits outweigh the risks.

Computers were originally conceived to be super-calculators. Even the so-called “killer app”, the one that caused the IBM-PC to explode in popularity in the ’80s, was VisiCalc, one of the earliest commercially successful spreadsheet applications. But most of those early PCs were also being connected by their owners to modems, and later to LANs at work, DSL and broadband at home. We all quickly discovered that these things were not only super-calculators, they were also supercharged communicators. And since communication involves other people, sooner or later there were bound to be problems with some trying to victimize others. Not to mention the potentially disastrous results of honest mistakes.

On this blog, I will discuss various security and safety issues involving computers, tablets, smartphones and connected devices. The things we do with computers are really not new or complicated. Buy a book. Read the news. Pay our bills. Catch up with friends. If I can explain these things as we do them digitally so they are as easy to understand as going to a bookstore or opening a newspaper, I will consider my mission accomplished.

Technologists are quite proud of the new and efficient and somewhat complex ways they’ve worked out to do these otherwise simple things. They want you to appreciate the engineering marvels they have wrought. So they can sometimes back up a dump truck full of technical terms, and make up a few new ones, and bury any plain meaning there might have been. The way to make my points about using computers, smart devices and the Internet more safely will be to DE-mystify the concepts. You will not find a lot of technical jargon here, and on the rare occasions you do, there will be a plain-English definition. If using your computer and the Internet to pay your bills electronically can be as easy-to-understand as writing checks and sealing them in envelopes, we’re all going to have a good time.

And one more thing: I want this to be interactive. I want to make sure that I deal with topics of concern to you. Therefore, I have opened an email inbox for you to send me your questions. Please, send your questions to questions@safer-computing.com and I will answer all that I can, here.