Monthly Archives: January 2016
“Internet of Things” security is badly broken and getting worse. The Shodan search engine is only the latest reminder of why we need to fix it.
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.
The feed includes images of marijuana plantations, back rooms of banks, infants and children in their homes, kitchens, living rooms, garages, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores. The cameras are exposed because they serve video over the Real Time Streaming Protocol (RTSP, TCP port 554) with no password authentication in place. Shodan crawls the Internet looking for IP addresses with open ports. If an open port streams a video feed without asking for credentials, the new script takes a snapshot and moves on.
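The check Shodan is effectively running is a single RTSP DESCRIBE request: a camera that answers 200 OK with a stream description has no authentication in front of its video, while a locked-down camera answers 401 Unauthorized with a WWW-Authenticate header. The following Python script, added here as an example and not code from the original post or from Shodan, builds that request, parses the reply, and reports whether the device is open, password-protected, and (if protected) whether it uses Basic or Digest auth. The two sample responses are constructed for the test; the host, port and path passed to `probe()` are placeholders you replace with your own camera’s address.

```python
"""Check whether an RTSP camera serves its stream without authentication.

Added example (not from the original article). Usage against a real device:
    python rtsp_check.py 192.0.2.10 554 /stream1
Only point this at devices you own or are authorised to test.
"""
import socket
import sys

# Constructed sample responses used for offline testing; not captured from any real camera.
OPEN_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)
LOCKED_RESPONSE = (
    "RTSP/1.0 401 Unauthorized\r\n"
    "CSeq: 1\r\n"
    'WWW-Authenticate: Digest realm="IP Camera", nonce="0123456789abcdef"\r\n\r\n'
)


def build_describe(url, cseq=1):
    """Build the RTSP DESCRIBE request a client sends to fetch the stream's SDP."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n\r\n"
    ).encode()


def parse_response(raw):
    """Split an RTSP response into (status code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(raw):
    """Return a verdict dict for one DESCRIBE response.

    open          -> SDP served with no credentials (anyone can pull the feed)
    auth-required -> server demanded credentials; auth_scheme says how
    other         -> e.g. 404 for a wrong path; try the vendor's stream path
    """
    code, headers = parse_response(raw)
    result = {"code": code, "verdict": "other", "auth_scheme": None}
    if code == 200:
        result["verdict"] = "open"
    elif code == 401:
        result["verdict"] = "auth-required"
        challenge = headers.get("www-authenticate", "")
        # Scheme is the first token: "Basic" sends the password base64-encoded in
        # clear text over the wire, "Digest" at least avoids sending it directly.
        result["auth_scheme"] = challenge.split(" ", 1)[0] if challenge else None
    return result


def probe(host, port=554, path="/", timeout=3.0):
    """Send one DESCRIBE to host:port/path and classify the answer (network I/O)."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data.decode("ascii", errors="replace"))


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 554
    target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
    print(probe(target_host, target_port, target_path))
```

Two caveats when reading the result: a 404 usually means the stream path is vendor-specific, not that the camera is secured, so try the path from the manual; and a few firmwares only enforce credentials at SETUP/PLAY rather than DESCRIBE, so an "open" verdict is a strong signal but a player such as VLC pulling the URL without a password is the definitive test.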
While the privacy implications here are obvious, Shodan’s new image feed also highlights the dismal state of IoT security, and raises questions about what we are going to do to fix the problem.
Of course insecure webcams are not exactly a new thing. The last several years have seen report after report hammer home the point. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing “the private lives of hundreds of consumers to public viewing on the Internet.” It is now estimated that millions of such insecure webcams are connected and easily discoverable with Shodan. That number will only continue to grow.
So why are things getting worse and not better? Webcam manufacturers are in a race to gain market share. Consumers do not perceive value in security and privacy and have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as $20.
The problem: consumers say they shouldn’t have to know anything about this cybersecurity stuff, and manufacturers don’t want to lift a finger to help users because it costs them money.
If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions is true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices. Worse, such a quantity of insecure devices makes the Internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes? You may remember the story from November about a 2008-era worm, Conficker.B, turning up on police body cameras in 2015. That threatens not just the reliability of recorded police activity but also makes the cameras a transmission vector for attacking other devices.
The bigger picture here is not just personal privacy, but the security of IoT devices. As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby’s crib.
FTC to the Rescue? When it comes to strong-arming manufacturers, government entities like the US Federal Trade Commission (FTC) may be able to help. Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, was quick to mention several examples where the agency went after at-fault companies. In recent years, according to Mithal, the FTC has brought more than 50 cases against companies that did not reasonably secure their networks, products, or services.
The FTC takes action against companies engaged in deceptive or unfair business practices, she explained. That includes IoT manufacturers who fail to take reasonable measures to secure their devices.
In addition to the enforcement action against TRENDnet, the FTC also issued security best practices for IoT manufacturers back in January 2015, urging them to build in security at the design phase rather than bolting it on as an afterthought. These practices include a “defense-in-depth” strategy to mitigate risks, pushing security patches to connected devices for the duration of the product life cycle, and so on.
As consumers of IoT products it’s our responsibility to learn about the individual security and password settings for the devices we use and secure them to the best of our ability. Just don’t rely on the manufacturer to protect you – they probably won’t.
Data Privacy Day – January 28, 2016
Data Privacy Day (DPD) is an effort to empower people to protect their privacy, control their digital footprint and escalate the protection of privacy and data as everyone’s priority. Held annually on January 28th, Data Privacy Day aims to increase awareness of privacy and data protection issues among consumers, organizations, and government officials. DPD helps industry, academia, and advocates to highlight consumer privacy efforts.
Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on Jan. 28.
Data Privacy Day is led by the National Cyber Security Alliance, a non-profit, public private partnership focused on cyber security education for all online citizens. StaySafeOnline.org has many resources to help you, your family and your business stay safe online.
Free Security Check-Ups Check your computer for known viruses, spyware, and discover if your computer is vulnerable to cyber attacks.
Check Your Privacy Settings One-stop shop for easy instructions to update your privacy settings wherever and however you go online.
Parent Resources Information regarding cyberbullying, child identity theft, Facebook for parents, social networking, etc.
Educator Resources Prepared educational materials for the classroom, K – 12th grades.
Business Resources Informational resources for businesses regarding bring your own device, information security, document destruction, compliance, data breach, and risk management. https://www.staysafeonline.org/data-privacy-day/business-resources
Privacy and Domestic Violence Resources for domestic violence survivors and victims to help safeguard the privacy of their personal information.
If you’ve not already heard, or have somehow forgotten over the long holiday, next week marks a significant milestone for Microsoft’s Internet Explorer web browser. Next week, along with the first Patch Tuesday of 2016, Microsoft will stop supporting Internet Explorer versions 8, 9, and 10. This means that after January 12, 2016, Microsoft will no longer supply security updates for these versions.
Don’t know how to check what version you have? Simply click the “Tools” icon in the top right corner of the browser window and then click “About Internet Explorer”; the version number is shown in the dialog that opens.
For those clinging to the old versions, a new patch (KB3123303) delivered during Patch Tuesday will install a nag notification to warn users about the lack of support and offer an upgrade to Internet Explorer 11 (where applicable).
Microsoft really wants folks to either move to Internet Explorer 11, or Windows 10 and Microsoft Edge in an effort to stay secure on the web. Unfortunately, even though Microsoft is touting a 200 million active device milestone for Windows 10, customers may not be as accepting of the new web browser built into the latest OS.
Microsoft Edge was supposed to be the future of web browsers with a sleek and fast interface. But, as it exists today, Edge is buggy and temperamental and is a huge black mark on an ever improving OS. Recent browser stats show that customers may be using the exit of IE 8, 9, and 10 from supportability as a way to migrate to Chrome and Firefox. Not really what Microsoft intended. In December, Internet Explorer dipped below the 50% usage mark, while Chrome is creeping closer to taking the number 1 spot. Edge has only been able to garner a paltry 2.3% share.
If you have any questions about updating your Internet Explorer browser just give us a call and we’ll be happy to help you! 781-826-9665