Cybersecurity Blog

Password reuse results in missile alert terrifying a family – 01/24/19

A Florida family was terrorized by a notification coming from their Nest security camera alerting them of a missile launch by North Korea.  Interestingly enough, until they heard the alert the family didn’t even know the camera had speakers.

 

 

Although the traumatized mom blames Nest for not notifying their users of a data breach, it wasn’t Nest who was breached. The data breached occurred elsewhere. As the family reuses passwords, once one of their accounts was exposed it left all of their accounts vulnerable.

Although it certainly would have been a nice bit of customer service for Nest to notify their account holders that they should change their passwords if they reuse them, it is not their legal responsibility as they were not hacked. The responsibility for notification lies with the breached account provider.  The family didn’t say whether that notification was received.

Regardless of whether Nest should have notified their users or not, this poor mother still had to watch her terrified nine year old son crawl under the carpet in a panicked attempt to protect himself from nuclear missiles.  No mother should have to experience that.

How do you prevent your family from being traumatized by a prankster hacker?

  1. Be familiar with all the features of your  camera before you buy it. Know if it has a microphone or speakers, connects to the internet, whether the default password can be changed, how the firmware is updated and where recorded video is stored.
  2. Change the default password as soon as you set up the camera. Use a unique, effective passphrase.
  3. Update the camera’s firmware as soon as it is installed and keep it up to date. If it has an automatic update feature, enable it.
  4. Disconnect the camera from the internet when you aren’t using it.

Taking these steps will greatly reduce the chances of your camera being hacked. These same steps can be taken to secure any IoT device.

Our world is rapidly changing with technology creeping into all aspects of our lives. It is important that we change with it to ensure our families safety. That means we need to be aware of the risks associated with the devices that we bring into our homes and how to mitigate them. As this Florida family has learned, tech companies aren’t going to do this for us even if we are 114% certain that they should.

 

Buying tech this Christmas? Check out its creepy factor – 11/20/18

 

This year, there are tons of cool tech gadgets on the market. Everything from teddy bears that connect to the internet to personal alarms. As neat as all of these devices are, some of them have the potential to leave the users feeling exposed and violated.

Thankfully, the good folks at Mozilla have put together a terrific website that examines the privacy risks of the hottest tech gifts. At privacy not included you can find out what information a device collects, what is done with that data and what kind of security the device has. They also rate customer service. To make it extra fun, consumers can give each item a creepiness rating based on how comfortable they would be having that device in their home.  Check it out.

 

Watch for fake Black Friday offers – 11/19/18

 

It’s that time of year again. Retailers are sending out emails teasing you with their upcoming Black Friday deals that are too incredible to believe. Criminals love to take advantage of this flurry of email activity by sending out their own offers, mimicking legitimate retailers and luring consumers into giving up their login credentials or downloading malware onto their device.

If you receive an email with one of these truly fabulous offers, visit the retailers website directly rather than click links in the email.  The retailer’s offers will be on their website if they are legitimate.  Happy shopping!!

 

Have a D-Link router? It may have a huge security hole. – 10/22/18

 

 

The following models of D-link routers, DWR-116, DWR-140L, DWR-512, DWR-640L, DWR-712, DWR-912, DWR-921, and DWR-111 all contain a significant security flaw.  If you have one of these models, check the D-Link website for updates.  If no update is available, the router has likely reached end of life and no update will be issued.  Unfortunately, that means you will need to buy a new router if you want to secure your network from hackers.

Watch home owners find out their security cameras are being broadcast worldwide – 10/22/18

 

 

With more and more of the devices in our home connecting to the internet, comes more and more ways for criminals to hack your home network. To show just how easy it is, CBC’s Marketplace teamed up with some white hat hackers and hacked into the home networks of several Canadian homes.  When home owners were shown how vulnerable their privacy and their networks were, they were shocked and disturbed.  Watch the episode and see how easy your network can be hacked and what you can do to prevent it.

This week’s Cyber Security Challenge draw entry code is l4lnwsrt. This is the last entry code.  Make sure you get all your codes entered before 4:00 pm Oct 30.

Porn Hoax messages on WhatApp targeting kids – 09/13/18

 

There is a disturbing new hoax making the rounds in WhatsApp?  Children are receiving messages in in the app from someone named Olivia who claims to know them, but has a new phone number.  Once they establish contact, they send  the child a link to porn sites. Although this is currently happening in the UK, hoaxes like this can quickly spread.

This would also be a good time to review with your child how to stay safe online, and remind them to not forward hoax messages.

Kids and cell phones, how to keep them safe – 08/08/18

 

As parents gleefully start planning for back to school, one question that may come up is ‘Does my child need a cell phone?’. If your answer is yes, there are some things that you can do to help protect them from cyber bullies, predators and scammers.

  1. Enable the password protected screen lock.  Let your child know that the password should not be shared with anyone but Mom or Dad.
  2. Know every app on your child’s phone, every account that is created and what the passwords are.
  3. Check your child’s phone for disturbing content on a regular basis. Their access to a phone should depend on you having access to it as well. You pay the bills, you make the rules.
  4. Check the privacy and security settings on the phone and apps. Be careful with location tracking. If you can find your child, so can someone else.
  5. Keep the apps and phone software up to date.
  6. Have a talk with your kids about online safety. Teach them to:
    • Never respond to calls, texts or emails from people they don’t know.
    • Talk to them about cyber bullying, harassment and predators. Make sure they know they can come to you for help.
    • Be careful about what they post. Too much personal information can make them vulnerable. Posting the wrong photo or making the wrong comment can mess up your life.
    • Only connect to people through social media that they know.
    • Watch for geo-tagging on photos. They don’t want their exact location to be displayed.

Even if you don’t follow all these guidelines, having a frank and honest discussion about phone safety and modeling desired behavior will go a long way to keeping your kids safe.  For more resources on determining when is the right time for a cell phone and how to keep your kids and teens cyber safe, visit Safe Search Kids by Google.

 

Data backups are no longer optional – 07/30/18

 

With everything going digital, our lives have gotten easier but it has also made us more vulnerable. Losing precious memories or a month of hard work used to require a hungry pet or a natural disaster. Now all it takes is clicking on an email link or visiting the wrong website. While this has long been a hazard, the surge in ransomware has increased the chance of losing precious data exponentially.

With this increase in risk, backing up data to prevent a catastrophic loss has gone from being just a good idea to being critical.  Single data backups reduce the peril significantly, but they really aren’t sufficient. This is especially true if the backup is stored on a portable drive that stays connected to your machine.  When the computer is compromised anything else that is connected to it, including the portable drive, is also exposed.

Thankfully you don’t have to worry about data backups on your Mount Royal workstation as long as you save your data on the H: drive, J: drive or Google Drive.  IT Services backs up multiple copies of files on those servers in multiple locations for you as does Google.  If you are saving files on the C: drive or the Desktop though, they are at risk as files stored there are not backed up.  This is why IT Services is constantly telling people to stop storing files on the C: drive and the Desktop. We aren’t trying to make your life more difficult, we are trying to protect you from data loss.

What about your machine at home? What is the best practice when it comes to backing up your own data? Most professionals will suggest the 3-2-1 strategy. Have three copies of your data, on two different unconnected devices, one of which is off site.

  1. Your first copy is your working copy.  It sits on your computer and is what you mess with every day.
  2. Your second copy is stored on a separate device. You can use a USB key, a portable drive or another computer. It is connected to the internet or your computer only long enough to copy your data and is then disconnected. Ideally you would do this daily, but you can chance it and only do this weekly.
  3. Your third copy is stored off site.  This ensures that if your home or office is flooded, burns down to the ground or is destroyed in some other manner; your data is still safe.  Again, this should be a device or service that you connect to upload your data and then disconnect from. You can use a cloud service or the sneaker net (upload to a portable device that you store in a safety deposit box or other safe location).  Ideally you would also do this daily, but a weekly update can be done as well.

Following 3-2-1 will almost guarantee that you can recover from any kind of data loss. However it does take some time and commitment, all you have to do is determine if your data is worth it. Unfortunately, we usually don’t figure that out until its too late.

 

 

Your TV is tracking you – 07/12/18

 

If you have a Sony, Sharp, Magnavox, Toshiba or Philips smart TV, Samba Interactive TV is probably installed on it.  It is a service that recommends shows and provides special offers based on your onscreen content,  or at least that is what they tell you. You are asked to enable it when you turn on your new flat screen for the first time.  As 90% of people say yes, it is probably a good bet that you did to.

If you actually read their privacy policy, what it really does is connect to any device on the same network as your smart TV, such as your phone. This allows the service to track you once you leave the house.  So not only is it tracking what you watch, it is also following you as you go to work, pick up your kids, get groceries and go to the movies. Creepy huh? It uses this information to deliver you customized content. However, the data collected can be used not just by Samba, but by their partners as well. Basically anyone Samba likes can see where you spend your time and what you watch on TV. This is the same kind of tracking  other companies such as Facebook, Google and Apple have been criticized for.

Unfortunately Samba Interactive TV isn’t the only service that tracks what viewers watch. In fact Vizio was fined for using the similar automatic content recognition (ACR) technology to deliver targeted content.  With TVs tracking your every move, how do you protect your privacy? Thankfully, Consumer Reports has a list of smart TVs and how to turn off ACR.

This is just another reminder that as consumers we need to take more interest in privacy policies and terms and conditions before we sign up for a service.  We have the right to choose to trade our privacy for convenience. However, before we make that choice we should be aware of exactly what we are giving up and to whom.

Source:  https://nakedsecurity.sophos.com/2018/07/09/smart-tvs-are-spying-on-you-through-your-phone/

The password to your internet connected device is on the web – 07/04/18

 

Have a thermostat, doorbell or baby monitor that connects to the internet? How about a router? Have you changed the default password that came with the device? No? Well, you might want to get right on that. Why? Well, the default passwords of most devices can be found on the internet. Yup, that is correct.  You can do a simple search of the make and model of your device and in most cases get its default password.

This is very handy when you are setting up your device for the first time or you have to perform a factory reset. It is also very handy for hackers who count on consumers leaving the default password as is.  Once criminals have the password, they can easily gain control of the device. Numerous instances of baby monitors scanning rooms on their own and devices being turned into bots for deny of service attacks have been documented.

This is just another gentle reminder to change your default password and keep the device firmware up to date on anything that connects to the internet. Want to learn more about internet connected devices? Check out this blog post.