NMK, PYF, IoT (again)
Sometimes as I read various news feeds and articles on the state of security, or lack thereof, I start to listen to that not so faint Luddite voice saying “GET OFF THE ‘NET. It’s not safe out there. Bad people are out to get you”. Data breaches, ransomware, cryptojacking, and other products of the dark side of the web make that an appealing thought. And then I read something like the column written by Brian Krebs on the need to have an online presence.
While the desire to drop off the grid may be appealing, the world is not headed that way. The IRS and the Social Security Administration are two very important entities that are online and conducting most of their business on the web. Scammers know that, as is evidenced by the numerous cases of criminals filing tax returns fraudulently. As Brian points out, if you don’t have an online account, someone will be glad to create one for you. With all the data breaches happening these days, enough information about you is available to allow the bad guys to set up an account even with the SSA or IRS in your name. Obviously they are not doing this to be helpful.
The point of Brian’s article is the need to Plant Your Flag (PYF) electronically and stake out your identity before someone else does. This makes an electronic footprint a fact of life that can’t be avoided. Accepting that premise moves us to the need to do this securely or Protect Your Turf (PYT). Online security is not complicated. Just like losing weight for people of normal health is simple (burning more calories than you take in), online security is relatively simple, but can be tedious.
Three steps can go a long way to keeping you secure:
- Use a different one for every account. A password manager will be needed to keep track of them.
- Use the longest, most complicated password allowed by the website. Passwords shorter than 8 characters are hardly secure. 12 or more characters are better and 20 is really good. Length is better than complexity. A password manager can generate them for you. (See 1 above)
- Don’t answer ‘security questions’ accurately. When used, the validity of the answer is not the goal, you just need to remember what you entered. First dog breed : kumquat. This will work just fine. Record your answers in your password manager. (See 1 above)
On a different note there was an article in the Sunday July 1 Cleveland Plain Dealer about how many children have online profiles and accounts of which their parents are completely unaware. Some have burner phones to make calls/texts that don’t get reviewed by parents. Kids are buying contraband via social media and various apps without parental knowledge.
The article should be a wake up call for parents because many have the attitude of “Not my kid”. The article cited one mother who was very much involved in her children’s use of electronic devices and social media.
Let’s move this over to the business world. Things sometimes get murky when vetting employees. Facebook can be the great sifter when you see a profile of someone who parties a lot, seems to be smoking marijuana, and is applying for a child care position. Is it legal to scan a profile and use that to decide on hiring? That is a question for legal minds but the private life that is different from the public life is not the sole province of children. Do you have clear guidelines for employees on social media use as it relates to the company? What about social media use at work? What about using personal devices for company business (BYOD)? Are policies clear and in writing?
And finally on to my favorite target, IoT (Internet of Things). There are constantly cases being published of insecure IoT devices and the fact that they can be used for DDoS attacks, ransomware/spam distribution, and other things. Usually these issues involve large numbers of devices.
There seems to be a rising number of more targeted efforts to take control of these insecure devices. This article talks about how vengeful exes are taking control. After a less than amicable separation, victims report smart lock changes daily, the doorbell rings but no one is there, the speakers randomly blast music, the lights turn off and on, and the thermostat kicks the temperature to 100 degrees.
This article discusses the large number of IoT home cameras that are vulnerable and actively being hacked, allowing the cameras to spy on their owners instead of protecting them. This article discusses a situation where a baby monitor was hacked and indications are that someone was spying on the mother while she was nursing her baby.
The key for the IoT issues was poor password implementation. Default passwords were not changed after installation or the password scheme was poorly implemented by the vendor. While the trust of the customer was violated here, it just underscores the need to be an educated consumer and understand that, at least for now, IoT is not plug in and use. More is needed to protect your privacy. You need to configure the security and even more, make sure the IoT device does have adequate security.