Scam of the day – September 6, 2017 – Pacemakers recalled due to risk of hacking

By now, we are all familiar with the Internet of Things, which presently includes 5 billion devices and is expected to grow to 25 billion devices by the year 2020. The Internet of Things is the popular name for the technology by which products and devices are connected and controlled over the Internet. The range of products that are a part of the Internet of Things is tremendous and includes cars, refrigerators, televisions, fitness bands, webcams, toys and even medical devices. The Internet of Things offers tremendous opportunities for constructive and efficient use of these products, but as with any technology connected through the Internet, it also provides an opportunity for hackers to exploit the technology for their own criminal purposes.

While hacking of medical devices sounds like something out of fiction, in 2007, former Vice President Dick Cheney was so concerned about hackers that he had the Internet connection on his pacemaker disabled.  In September 2015, the FBI issued a warning saying that “Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection.”

Now the Food and Drug Administration (FDA) has issued a recall of 465,000 pacemakers due to the vulnerability of the devices to being hacked and controlled by criminals.  Fortunately, the recall can be accomplished with a remote adjustment of the devices and will not require surgery.  Six different types of pacemakers all made by Abbott and sold under the name of St. Jude Medical are covered by the recall.  Here is a link to the FDA’s recall with more specific information.

https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

TIPS

Earlier this year the FDA issued recommendations for security steps to be taken for Internet connected medical devices; however, it should be noted that these are not regulations, but only recommendations. So what can you do to protect yourself in the meantime? The most important thing you can do is find out if any Internet connected medical devices you may have comply with the FDA’s security recommendations. You should also find out what information is stored on your device and how it is accessed. Also learn about the use of password protection and make sure that your device is not still using a default password. If your device uses an open wifi connection, you should change it to operate exclusively on a home network with a secured wifi router. If your device is capable of transmitting data, make sure that the transmissions are encrypted.

Scam of the day – August 5, 2017 – FBI issues warning about internet connected toys

Recently the FBI issued a warning to consumers about the privacy and identity theft dangers posed by internet connected toys. The toys often come equipped with sensors, microphones, cameras, data storage components, speech recognition and GPS. They are incredibly sophisticated and can tailor the toy’s response to the child’s behaviors and words. The dangers arise from the lack of security of some of these toys in the manner they gather and store information.

Cayla, a new doll from Genesis Toys, seems like such a nice girl, but according to the Bundesnetzagentur, the German telecommunications regulatory agency, she is a spy and is now banned from Germany. Cayla is a part of the ever-expanding Internet of Things and, according to the Bundesnetzagentur, Cayla has hidden cameras and microphones that could be used to record private conversations over an insecure Bluetooth connection.

Cayla is not the first doll to be so equipped. In the Fall of 2015, the latest incarnation of Barbie, the “Hello Barbie,” was introduced. Hello Barbie also has hidden microphones and speakers, but instead of Bluetooth technology, uses Transport Layer Security (TLS), which is an encryption protocol to protect the privacy and security of communications.

TIPS

Many of the devices that make up the Internet of Things come with preset passwords that can easily be discovered by hackers.  Change your password as soon as you set up the product.  Also, set up a guest network on your router exclusively for your Internet of Things devices.  Use encryption software for the transmission of data and research where data is stored and what steps are taken to secure the information.  Also, limit the amount of information you provide when setting up the accounts for the toys.  The less information out there, the less the risk of identity theft.

Scam of the day – June 13, 2017 – Russian gang accused of hacking slot machines

Last week federal indictments against members of a Russian gang alleged to be led by Razhden Shulaya were unsealed in New York. While many of the indictments were for the common racketeering crimes you would expect, the defendants were also accused of developing devices to hack into particular models of slot machines to predict the machine’s behavior, thereby enabling the criminal to steal money from particular slot machines.

Long gone are the days of the old-style one-armed bandit slot machines. Today’s slot machines are operated by sophisticated computers and programmed to make payoffs of specific amounts. This is actually a good thing, as all states regulate slot machines and require that casinos that have slot machines pay a statutorily set minimum payoff for the entire casino.

TIPS

Just about everything we do is computerized and often connected to the Internet in some fashion.  This is what we refer to as the Internet of Things and whether it is a talking doll, a car, a medical device or a smart television, anything that is computerized and connected to the Internet is a potential target for hackers.  This is important for all of us to remember when we use items that are a part of the Internet of Things.  We should make sure that passwords and security settings for these devices are not left on default and are as secure as we can make them.  It only takes a little time to do so and it is well worth it.

Scam of the day – February 24, 2017 – Talking doll banned in Germany

Cayla, a new doll from Genesis Toys, seems like such a nice girl, but according to the Bundesnetzagentur, the German telecommunications regulatory agency, she is a spy and she is now banned from Germany. Cayla is a part of the ever-expanding Internet of Things and, according to the Bundesnetzagentur, Cayla has hidden cameras and microphones that could be used to record private conversations over an insecure Bluetooth connection.

Cayla is not the first doll to be so equipped. In the Fall of 2015, the latest incarnation of Barbie, the “Hello Barbie,” was introduced. Hello Barbie also has hidden microphones and speakers, but instead of Bluetooth technology, uses Transport Layer Security (TLS), which is an encryption protocol to protect the privacy and security of communications.

TIPS

Many of the devices that make up the Internet of Things come with preset passwords that can easily be discovered by hackers.  Change your password as soon as you set up the product.  Also, set up a guest network on your router exclusively for your Internet of Things devices.

January 29, 2017 – Steve Weisman’s latest column from USA Today

Here is a link to my latest column from USA Today in which I discuss the vulnerabilities of Internet connected medical devices, such as pacemakers and what you can do to protect yourself.

http://www.usatoday.com/story/money/columnist/2017/01/28/web-connected-medical-devices-great-unless/97084180/

Scam of the day – January 5, 2017 – FDA issues cybersecurity guidelines for medical devices

By now, we are all familiar with the Internet of Things, which presently includes 5 billion devices and is expected to grow to 25 billion devices by the year 2020. The Internet of Things is the popular name for the technology by which products and devices are connected and controlled over the Internet. The range of products that are a part of the Internet of Things is tremendous and includes cars, refrigerators, televisions, fitness bands, webcams, toys and even medical devices. The Internet of Things offers tremendous opportunities for constructive and efficient use of these products, but as with any technology connected through the Internet, it also provides an opportunity for hackers to exploit the technology for their own criminal purposes.

While hacking of medical devices sounds like something out of fiction, in 2007, former Vice President Dick Cheney was so concerned about hackers that he had the Internet connection on his pacemaker disabled. In September 2015, the FBI issued a warning saying that “Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection.” In 2014, the Food and Drug Administration (FDA) issued guidelines for building enhanced cybersecurity into the design and development of such medical devices. Now the FDA has released new recommendations, a year in the making, that deal with maintaining the cybersecurity of medical devices after they have been released into the marketplace. Here is a link to these important recommendations, which are merely recommendations and not enforceable regulations.

http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

TIPS

While medical device manufacturers and the government work on security standards for Internet connected medical devices, what can you do to protect yourself in the meantime? The most important thing you can do is find out what information is stored on your device and how it is accessed. Also learn about the use of password protection and make sure that your device is not still using a default password. Learn from the manufacturer what steps they have already taken to protect your device from being hacked. If your device uses an open wifi connection, you should change it to operate exclusively on a home network with a secured wifi router. If your device is capable of transmitting data, make sure that the transmissions are encrypted.

Scam of the day – October 26, 2016 – How to protect yourself in the Internet of Things

Distributed Denial of Service (DDoS) attacks, which temporarily shut down companies’ websites by flooding them with more traffic than they have the capacity to accommodate, are nothing new. What was unusual about last week’s DDoS attack against Dyn, a prominent Domain Name System (DNS) provider that hosted such popular sites as Amazon, Twitter, Spotify, Netflix and Paypal, was that the botnet of hijacked devices used to launch the attack was not made up of hacked computers. Rather, it was made up of hacked devices such as smart televisions and webcams that make up the Internet of Things, which are devices connected to the Internet that one would not generally think of as requiring security. However, anything that is connected to the Internet can be hacked and used to become a part of a botnet and therefore requires security precautions.

So what can you do to protect yourself from having your devices hacked and becoming part of a botnet?

TIPS

Your first line of defense is your router, so it is important to change the default password with which your router came. In addition, each of your Internet of Things devices should have its own distinct password. Unfortunately, particularly for older devices that are a part of the Internet of Things, security was not built into these devices and they may not even be password enabled. Another helpful device is an Internet hub, which is a device that can control multiple Internet of Things devices through a single mobile app that utilizes dual-factor authentication and encryption. The manufacturers of these Internet hubs, such as Samsung’s SmartThings, also provide regular security updates. Not all Internet of Things devices are hub certified, which is why, when buying an Internet of Things device, you should look for hub certification as an indication that the manufacturer is security conscious.

Finally, and perhaps of greatest importance in protecting yourself from becoming part of a botnet, do what you already should be doing: refrain from clicking on links or downloading attachments in emails that may contain the malware enabling a hacker to access first your computer and then move through it to your entire network of Internet enabled devices. Never click on links or download attachments unless you have absolutely confirmed they are legitimate.

October 24, 2016 – Steve Weisman’s latest column for USA Today

I submit my columns for USA Today a week in advance, so this particular column that was published in today’s edition of USA Today was written prior to the massive DDoS attack that occurred on Friday, October 21st. However, the exploitation of the Internet of Things as was done to perpetrate the DDoS attack is the subject of my column. Here is a link to it.

http://www.usatoday.com/story/money/2016/10/24/where-real-cybersecurity-threats/92666966/

Scam of the day – September 8, 2016 – FTC issues warning about rental cars

As if we didn’t have enough to worry about, the Federal Trade Commission (FTC) recently issued a warning about risks which most people are not aware of that arise when you connect your smartphone to a rental car in order to access the car’s infotainment system and other connected features.  By far, the biggest problem is that the car may store personal information of yours, such as your mobile phone number, message logs, contact lists and even the content of text messages you received while connected to the car.  If you don’t delete this information when you return the car, this information can be accessed by future renters of the car, employees of the rental car company or knowledgeable hackers.

TIPS

If all you want to do is charge your smartphone, don’t use the car’s USB port, which connects your phone to the infotainment system. Connecting your phone to the system may transfer your data automatically without your doing anything further. Instead, use a cigarette lighter adapter to recharge your phone in the car. If you do decide to use the infotainment system, a screen may appear on which you are provided options as to the information you authorize the system to be able to access. Limit the access to only those uses that you need. Finally, and most important, when you return the car, make sure that you have gone into the infotainment system’s settings menu and deleted your device and your data.

Scam of the day – March 26, 2016 – Justice Department indicts 7 Iranians for hacking banks and a dam

As had been rumored for some time, the Justice Department on Thursday unsealed indictments against seven Iranian hackers tied to Iran’s Islamic Revolutionary Guards Corps, alleging that they were responsible for hacks against 46 American banks, corporations and financial institutions as well as a small dam in Rye, New York. Among the targets of the hackers were Ally Bank, American Express, Ameriprise, Bank of America, J.P. Morgan Chase, Citibank, Citizens Bank, Wells Fargo, AT&T and the NY Stock Exchange.

The attacks against the financial institutions were distributed denial of service (DDoS) attacks in which the targeted companies were shut down after being overwhelmed by a coordinated onslaught of requests sent by networks of botnet computers. Generally, these attacks are not much more than nuisances, as the primary damage is just the taking down of the targeted websites for a few hours.

In the case of the attack on the Rye dam, however, the attack was intended to give the hacker control of the dam, allowing the hacker to release water. Because the gate had been disconnected for maintenance at the time of the hacking, the hackers were unable to actually exercise control over the dam.

There is little expectation that the hackers named in the indictments will ever be brought to the United States to stand trial. However, the indictments serve both to put Iran and others seeking to take similar actions against the United States and its infrastructure on notice that they are being monitored and to possibly spur governmental sanctions against countries sponsoring such activities.

TIPS

The takeaway from these indictments is clear and something I have been warning you about for years, namely, that the infrastructure of the United States, as well as that of every other country on the globe, is in danger of potentially devastating cyberattacks. Our electrical grid, water supply, nuclear power plants and every other aspect of our infrastructure are part of the vulnerable Internet of Things, and neither the federal government nor private industry, which owns and controls most of these infrastructure elements, has done enough to protect their security. Hopefully, these indictments will serve to induce the government and private industry to take strong and effective action immediately.