Caveat Emptor: The Internet of Things (IoT)

It’s the hottest thing going today. All your devices connected to the internet — and to you. And, to everyone else!

Yes, your new devices that are connected to the internet are a great convenience. Turning on your lights from your smartphone. Getting messages from your refrigerator when you need resupply. Home security systems with cameras and internet reporting. That Wifi connected baby monitor. That activity monitor that you upload data to every day about your fitness activities (some companies’ terms of use allow them to not only retain that data, but provide it to others!).

Walt Manning, a security expert and investigator, provides some insights into the IoT via his presentation at the Government Identity Fraud Conference in March. He notes that we already have more than 25 million devices connected to the internet. And by 2020 (only a few years away) this will double to 50 million! Ultimately, it is expected that the average house will have 100 devices connected to the internet.

Moreover, almost none of these devices are secure. On average, Manning reports, each device has 25 security flaws, and none of them are truly secure. This explosion of connected devices will have 5-10 times the impact that the internet currently has on the security of data.

Because, for all of the convenience of connected devices, we pay a price. That price is data; information about ourselves and our activities is recorded in logs somewhere. Everything. And to compound this problem, so far, every connected device has security flaws. So, someone, somewhere is storing all that data about you. And, that information is also readily available to anyone who wants to hack your systems.

So you want that information available to just anyone? Where is it stored? With what security? Is it encrypted? Do you even know? And, what are “they” allowed to do with that information?

There are some things you can and should do to protect yourself. For it’s a clear conclusion that the convenience of these devices is winning over security. So, some suggestions:

  1. Most devices will connect via your home Wifi router. Make sure it is passphrase protected.
  2. Check the terms of use with your internet provider. What do they say about providing data to others? Remember, they record everything that happens over your connection!
  3. Research each device and company before you buy. Do they have secure systems? Where is the data stored? Are they allowed to give that data to others? Under what circumstances? Read the Terms of Use for everything (I know, you won’t, but I have to tell you anyway.)

If your research demonstrates the device has little or no security, and/or data will be provided to others without your permission, look elsewhere. We ARE going to buy this stuff — it’s just too cool and too convenient not to. But, we need to protect ourselves with some simple research into the products we buy, and buy smart (pun intended!).

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Walt Manning for his great presentation on the Internet of Things and security — some of their information is included in this article.


Protecting Yourself from Identity Theft

I wrote last week about the epidemic of identity theft. This week, again based at least in part on information provided by speakers at the 2nd Annual Government Identity Fraud Conference earlier this month, I’ll share some ways everyone can use to protect themselves from ID Theft.

First, a recap: Remember, experts tell us that with all the breaches that have occurred in the past few years, everyone’s identity has already been stolen. That means even though you have not been a victim, it doesn’t mean you won’t be. One Bulgarian ID thief/fraudster who got caught noted that they have so much data it will be years before they use up all the stolen identities already available.

And after all, the FBI reports it only costs $.35 on the dark web to purchase a real identity!

So what can we do? Here are some ideas from the experts.

  1. Passcode protect everything. Don’t use obvious passwords like your dog’s name or your street address number. Instead use a passphrase that is a combination of words, numbers, and symbols at least 11 digits long.
  2. You say you can’t remember anything that long? Here’s a link to Morgan Wright’s free online course on setting a passphrase you can remember: Morgan graciously provided this link to us at the conference.
  3. Change your passwords regularly. No, not every year, every month or so. Remember, even if one of your sites is breached and gives up usernames and passwords, they are only good until you change them. So change them regularly.
  4. Use a unique passphrase for each website or application. Don’t just clone that one password you can remember and use it for all your sites. Make them all unique, not just variations on a theme.
  5. OK, you say you can’t possibly remember all those passphrases? Neither can I. So use a password/passphrase management application. I use Dashlane, but there are many out there and they are all pretty good. Most will synch between devices. Pick your favorite.
  6. Make sure you are running malware protection software on all your devices. Start with your computer and then ensure you have protection on all your mobile devices. 
  7. Make sure the operating systems on your devices are up to date. Set them to auto update. Much of every update includes software patches for known security holes in the operating systems.
  8. Never, ever, use a public WiFi without using a VPN connection. Public WiFi is one of the easiest pathways to your data. Few of them are secure.
  9. Don’t fall for spear phishing emails! Spear phishing is a targeted email sent to you that appears to be from someone you know asking a reasonable question. But they almost always want you to send them private information about yourself or others. There’s a pair of rules to live by here. First, if it doesn’t sound right — it probably isn’t. Second, if someone, even someone you know, asks you to send personal information of any kind over the open internet, before responding, contact them directly to confirm it is legitimate (calling them is best). An ounce of protection… Keep in mind that spear phishing is the number one tool for espionage and information theft.
  10. Finally, although there is more, take the next step in privacy protection and use 2-factor authentication. This method requires not only a password/phrase but a secondary process of answering a question or using a unique PIN. It’s not foolproof, but it is a major step forward in security. Many applications and sites now offer this option.

Remember, the Identity Theft Resource Center reports an identity is used to the detriment of the real owner every 9 seconds in the United States. Here are ten ways you can protect yourself.

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Morgan Wright and Walt Manning for their great presentations — some of their information is included in this article.


And stay tuned — there’s more!