Security and Privacy in the Connected Home

Stay cyber safe with your Internet of Things (IoT) devices!

Did you ever wonder what it would be like to have a smart home? You could remotely change the temperature in your house, tell your lights to come on, or ask your refrigerator if you need to get milk, all from your smart home device or smartphone. You could play video games and access all your streaming services from one device, or know who is at your door from your connected doorbell.

The Internet of Things (IoT) is introducing these features into our homes by rapidly adding connectivity to everyday appliances and home features. As IoT devices become a part of our daily lives, and will likely arrive in many more homes as holiday gifts, we need to take a look at the security risks and privacy concerns this smart technology introduces.

Personal Digital Assistants

Many people have a personal digital assistant like an Amazon Echo or Google Home. These devices analyze your past commands to try to anticipate your needs. These may also be linked to accounts used to purchase goods or services; make changes in your house such as turning off alarms, turning on the lights, or adjusting the temperature; or be linked to other accounts so they can tell you your schedule or read your email. Amazon Echo even has the ability to provide a pet-sitter with instructions, which is a giveaway that you are not home.

Keeping these devices secure is especially important given that they may allow someone with access to the device to complete purchases using the owner’s accounts, identify key information, or find out more about you.

Smart Thermostats and Other Smart Home Devices

Many homeowners are beginning to opt for a digital thermostat that allows them to control the temperature in their home remotely using an app. While digital thermostats do come at a premium, the vendor also makes money on data it collects on usage and habits. Smart light bulbs and smart doorbells also allow for great levels of data collection by the manufacturer.

IoT manufacturers entice consumers with convenience and functionality by promising the world of the future through devices like those listed above. All the while, cybercriminals are finding that they can use these devices as pathways into your home network to steal your data and find out more about you. And yes, that includes using digital information to determine if the house is unoccupied and safe to rob.

Gaming Consoles

Sony PlayStation 4, Microsoft Xbox One, Nintendo Switch, and many other gaming consoles are in millions of homes across the United States. These devices rely on Internet connectivity to provide different forms of entertainment and include streaming video, interactive gaming, voice chat features, and apps that keep both the system and applications up-to-date. One major risk is that many gaming consoles require subscriptions and user accounts for accessing online content such as games and streaming services. This makes the console another device associated with an account that holds your personal and payment information for the purposes of renewing these subscriptions.

Here are a few tips to follow in building your smart home with IoT devices:

  1. If you don’t need to connect a device to the Internet, don’t. If a device isn’t connected, it isn’t as big of a cybersecurity risk.
  2. Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
  3. Research the privacy, security, and accessibility options that are available for customizing your device. You may find some options that provide greater security and privacy if you opt in. For example, a device may offer multi-factor authentication (MFA), where you use your traditional username and password combination with the added step of receiving a verification code or providing a fingerprint through a scanner. If MFA is available, it’s worth using.
  4. Always update your devices and apply patches when available. When selecting which IoT devices to purchase, ensure they offer patching and updates from the manufacturer to keep them up-to-date. Enable auto-updates on any IoT devices that support them.
  5. Set up a separate, unique, strong password for every device. Don’t share credentials across devices.
  6. Replace devices when they are no longer supported by the vendor, as security flaws will remain unpatched.
  7. Turn off Universal Plug and Play if it is available on the device. You don’t want the device having this ease of connectivity with so little control.
  8. When requested to provide information to use a device, do not provide personally identifiable information (PII), like Social Security Numbers and dates of birth. If you must share PII to use the device, you may want to consider a different make or model or keeping it off your home network.

Sun, Sand, and Cybersecurity

This month, we aim to provide some valuable tips on staying cyber safe while heading on a summer vacation. Whether you are out exploring or relaxing, it is important to strive to be as secure as possible with your digital devices and information. Unfortunately, travel can open you up to different points of vulnerability compared to normal everyday use at home, and we don’t just mean accidentally going swimming with your cell phone. You see, while traveling you are operating outside of your normal, safe routines. This means using your devices on different networks and putting them down in different locations, including under your beach towel while swimming. By following some smart practices, you can connect with greater confidence during a summer escape.

Getting Ready to Go:

Avoid mayhem and make magical family memories by taking a few simple cyber safety steps before you head out of town. The goal here is to prepare your devices for travel and to keep them from being used against you.

  • Keep a clean machine: Before you hit the road, make sure all security and critical software is up-to-date on your mobile devices and keep them updated during travel. These protections are your best line of defense against viruses and malware.
  • Lock down your login: Your usernames and passwords are not enough to protect key accounts like those you use for email, banking, and social media. Fortify your online security by turning on multi-factor authentication, commonly referred to as two-factor authentication, when available. This typically pairs your username and password (i.e. something you know) with a message sent to your phone (i.e. something you have) or your fingerprint (i.e. something you are).
  • Password protect: Use a passcode or security feature like a finger swipe pattern or fingerprint to lock your mobile device. Also set your screen to lock after a short period of time by default. If you do choose to use a finger swipe, make sure it has at least one turn (preferably two), and if you use a PIN code, make sure it has at least 6 numbers!
  • Think before you use that app: New apps are tempting! It is important to always download new apps only from trusted sources like the Apple App Store or the Google Play Store. Additionally, consider limiting your apps’ access to services on your device, like location services.
  • Own your online presence: Set the privacy and security settings on social media accounts, web services, and devices. It is okay to limit how and with whom you share information – especially when you are away.

While on the Go:

Once you and your gang are at your destination, you are in new territory and are facing new potential cyber threats. Here are some ways you can keep up secure practices while out and about.

  • Get savvy about what you do on other people’s Wi-Fi and systems: Do not transmit personal info or make purchases on unsecured or public networks. Instead, use your phone carrier’s internet service for these needs. For laptops/tablets, it is easy to use your phone as a personal hotspot to surf more securely using carrier data. Also, never use a public computer or device to shop, log in to accounts, or do anything personal.
  • Turn off Wi-Fi and Bluetooth when idle: When Wi-Fi and Bluetooth are on, they may connect and track your whereabouts. Only enable Wi-Fi and Bluetooth when required, and disable your Wi-Fi auto-connect features.
  • Protect your $$$: Be sure to shop or bank only on secure sites. Web addresses with “https://” and a lock icon indicate that the website takes extra security measures. However, an “http://” address indicates your connection is not secure (not encrypted), and you should not transmit payment or sensitive information to such a site.
  • Share with care: Think twice before posting pictures that signal you are out of town. Knowing you are away from home is a great piece of information for a criminal to have and they may target your home for physical crime. Also consider limiting your social media apps’ access to location services on your device, and omit location information while making your posts and sharing your pictures.
  • Keep an eye on your devices: Laptops, smartphones, and tablets are all portable and convenient, making them perfect for a thief to carry away! Keep your devices close to you and hold onto them if strangers approach you to talk, as a common scam consists of a stranger distracting you and placing a map or newspaper over your device and walking away with it when finished talking.
  • Know your destination’s laws: If you are heading out of the country, check up on any specific laws on internet and device usage. Additionally, bring as few devices as possible and consider using a device specifically purchased for international travel.

Want to keep your data? Back it up!

We all know it happens – computers crash, malware infects them, or somebody downloads that cool, new program that crashes everything! While there are many tips and tricks of great value for preventing your devices and data from being compromised, it is important to also have a backup of your information in case something goes wrong!

Backups are copies of key information or data that are stored separately from your device. By storing these separately, you can restore your data or device using these backups and get right back to full working order. With threats of ransomware, which encrypts and renders your personal files inaccessible, this is a real concern. Below we will explore some key concepts on creating backups and will provide resources that assist you in making decisions on how to best create this essential type of redundancy in your life.

Choosing what to back up

When thinking about a backup system, the first thing to decide is how much you want to back up. Are you okay storing key documents, pictures, and files, or do you want your full system backed up? If you’re concerned about rebuilding a full system, and having all the license information to make it functional, then you probably want a more complete backup option. If you just want to protect important files, then a system where you choose what to save would work well.

How can you create a backup of just key files?

If you are looking to store copies of your important files, you can copy them to your preferred method of backup periodically. This is accomplished by selecting the folders or files you want to back up, and copying them to the storage device or media. This is made especially easy if you make a habit of organizing your important files into just a few folders. This is a very simple and easy approach, and guarantees that your tax documents, digital receipts, pictures, and other important records remain available.
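
One way to carry out this copy step and confirm the copy is good, as an added example that is not part of the original newsletter. The folder names, the snapshot label and the manifest file name are assumptions chosen for illustration; each run writes a new dated snapshot, so an earlier copy is never overwritten.

```python
import hashlib
import json
import shutil
from datetime import date
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for the per-snapshot hash list


def sha256_of(path):
    """Hash a file in chunks so large pictures or videos do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_snapshot(folders, backup_root, label=None):
    """Copy each folder into backup_root/<label>/ and record a hash per file."""
    snapshot = Path(backup_root) / (label or date.today().isoformat())
    snapshot.mkdir(parents=True)  # raises if this snapshot already exists
    manifest = {}
    for folder in map(Path, folders):
        shutil.copytree(folder, snapshot / folder.name)
        for src in sorted(p for p in folder.rglob("*") if p.is_file()):
            rel = (Path(folder.name) / src.relative_to(folder)).as_posix()
            manifest[rel] = sha256_of(src)  # hash of the original, not the copy
    (snapshot / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_snapshot(snapshot):
    """Return the files that are missing or whose contents no longer match."""
    snapshot = Path(snapshot)
    manifest = json.loads((snapshot / MANIFEST).read_text())
    bad = []
    for rel, expected in manifest.items():
        copy = snapshot / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            bad.append(rel)
    return bad


if __name__ == "__main__":
    import tempfile

    # Constructed demo data in a temporary directory; point these at your
    # own folders and external drive for real use.
    work = Path(tempfile.mkdtemp())
    docs = work / "Documents"
    docs.mkdir()
    (docs / "receipt.txt").write_text("constructed sample receipt")
    snap = make_snapshot([docs], work / "external-drive")
    print("snapshot:", snap, "problems:", verify_snapshot(snap))
```

Run `verify_snapshot` again before you rely on an old snapshot; an empty list means every file still matches the hash taken from the original.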

How can you create a complete backup of your device’s data?

If you are looking to create a more comprehensive backup, your devices likely have utilities built in that allow for easy creation of backups. These may allow you to set a complete copy of your device’s data aside that would allow you to restore it to full working order following an infection or issue. Seek out guidance or tips from your device’s vendor to determine what utilities are available to you for creating backups.

Choosing where to store your backed-up data

Regardless of what you want to save, one of the key ways to keep your backed-up data safe is to disconnect the storage media after you make the backup. This is important in the event that you are infected with malware, as you do not want the copies of data to also be infected. (Ransomware does look for backups to infect!) This also helps in case your computing device or where you store it is lost, stolen, or physically destroyed. Keeping a separate backup on a different physical storage device, or in the cloud, is a way to better secure your data from this type of problem.

Cloud services for storing backups can be a convenient solution, though they may come at a cost and some individuals may not like the fact that they will not have a copy in hand on physical storage media. Having the backup outside your immediate possession can be helpful if you are concerned about a physical problem, such as loss or damage. Some of these services save multiple versions of your backup, which better secures against infected files corrupting the cloud backup.

External hard drives or removable media (DVDs, USB drives, etc.) are the other most common option. You simply need to copy the data you want to save to the external hard drive or media. Consider keeping the external drive disconnected from your devices when you are not making backups, as this protects the backup copy from malware.

How often should you back up files and systems?

The frequency with which you back up your data or systems is an important component of this process. Consider making your backups on a weekly basis, with a minimum frequency of monthly backups.

In conclusion, spend time considering how vital the data on each of your devices is. Then consider the best type of backup strategy for your needs, and base how frequently you make the copies on those needs as well. By adding this simple process to your safe computing habits, you can build in more reliability and recoverability. If you are ever the victim of a malware infection or cyber-attack, you will surely be glad you took the time to make backups!

How to Spot Phishing Messages Like a Pro

The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.” When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows the malicious actors to sidestep these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let’s take a look at some example phishing emails.

Message #1

Subject: Low Cost Dream Vacation loans!!!

Dear John,

We understand that money can be tight and you may not be able to afford to go on vacation this year.   However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.

Please email your completed form to [email protected].

Your dream vacation is just a few clicks away!

Dr. Stephen Strange

World Bank and Trust

177a Bleecker Street, New York, NY10012

What did you notice in message #1? 

In this message, you can see that the phisher wants to give us a low-cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but also when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination. It is the email address of the attacker. Lastly, as much as you might like Dr. Strange, he’s probably not working for a bank part-time.

Message #2

Subject: Free Amazon Gift Card!!!

Dear Sally,

You name has been randomly selected to win a $1000 Amozan gift card. In order to collect your prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days.  Failure to respond will forfeit your prize and we will select another winner.

www.amozan.com/giftredemption2321

What did you notice in message #2? 

Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.

Message #3

Subject: Urgent – Take Action before Your Email Account is Deactivated

Dear User,

Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.

http://www.microsoft.com/

Thank you,

Information Technology

Helpdesk Support Team

What did you notice in message #3?

This email is fairly well crafted without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgment and threatens the deactivation of your email account. Additionally, the link at the bottom looks like a link to Microsoft, yet it is, in fact, heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.

With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:

  • If it seems too good to be true, it probably is;
  • Hover your cursor over links in messages to find where the link is actually going;
  • Look for misspellings and poor grammar, which can be good signs a message is a fraud;
  • And, never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).

Avoiding Many Types of Malware

Every day as we use our devices, browse the Internet, and open emails, we are also exposing those devices to potential malware (malicious software). Malware is any software that is designed to cause damage to, or gain unauthorized access to, devices or networks. Malware comes in many forms, all of which can have negative effects on your device and on you. With a little extra vigilance, and some good habits and practices, you can greatly reduce your likelihood of having a device infected with malware and can minimize the impact to your device, data, and life in the event that it does become infected. Below we will explore a few common types of malware and their impacts, as well as some tips and practices that can help you as you go about your connected life.

Common Types of Malware and Their Effects

Ransomware – Ransomware is malware that stops you from being able to access your files, usually by encrypting them, and then requests payment to decrypt the files, restoring your access. Most commonly, ransomware asks for payment in bitcoin, which is a popular cryptocurrency. Unfortunately, paying the ransom does not guarantee restoring access to your files.

Trojan Horses (a.k.a. trojans) – This malware takes its name from the classic story of the Greek army sneaking soldiers into the city of Troy hidden inside a large wooden horse. Trojans of the malware variety behave in much the same way, by appearing to be legitimate apps or software that you want to install. Some trojans allow an attacker full access to your device, others steal banking and personally sensitive information, and others are simply used to download additional malware, like ransomware.

Keyloggers – This type of malware records your keystrokes and sends them to a cyber threat actor, giving them access to your usernames, passwords, and any other sensitive information you have entered using your keyboard. With this information, the cyber threat actor can access your online accounts or commit identity theft.

Tips and Practices for Avoiding and Surviving a Malware Infection

  • Update and patch your devices and software. Vendors release updates and patches in order to fix security issues, not just to fix functionality! Many types of malware can be foiled by keeping your software up-to-date by accepting the updates when you get a notice about them.
  • Never click suspicious or untrusted links. Even if the URL comes from a company or person you know, it is always safest to manually type in their URL. At the least, hover over the link to discover where it’s really sending you, as some malicious actors send emails that look convincing. This advice is also true for links in emails, documents, and on social media platforms, as malicious links are commonly posted to such sites. For more information on spotting suspicious emails and checking URLs.
  • Only download from trusted sources. When looking to download an app or software, only do so from a trusted vendor or source. On mobile devices, ensure that you only download apps from the Google Play store and Apple App Store, which are the trusted sources for Android and iOS devices.
  • Back up your data and be sure the backups are good! Backing up your data, whether by doing a complete backup of your whole device or just key files, is the best way to protect those important files and pictures against ransomware and other data loss. For best practices and more information on backups.
  • Use antivirus and other protective software on your device. If your computer or router has built-in protections like antivirus or a firewall, ensure you have those enabled. Otherwise, buy or download an antivirus product from a trusted vendor. This is important for both your computers and your smartphones!
  • Configure your devices with some security in mind. By setting up your devices with some basic security settings enabled, you will not only protect against some malware, but against other forms of malicious activity and access. For tips on configuring your devices.