Scam of the day – August 5, 2017 – FBI issues warning about internet connected toys

Recently the FBI issued a warning to consumers about the privacy and identity theft dangers posed by internet connected toys. The toys often come equipped with sensors, microphones, cameras, data storage components, speech recognition and GPS. They are incredibly sophisticated and can tailor the toy’s response to the child’s behaviors and words. The dangers arise from the lack of security in the manner some of these toys gather and store information.

Cayla, a new doll from Genesis Toys, seems like such a nice girl, but according to the Bundesnetzagentur, the German telecommunications regulatory agency, she is a spy and is now banned from Germany. Cayla is a part of the ever expanding Internet of Things and according to the Bundesnetzagentur, Cayla has hidden cameras and microphones that could be used to record private conversations over an insecure Bluetooth connection.

Cayla is not the first doll to be so equipped. In the fall of 2015, the latest incarnation of Barbie, the “Hello Barbie,” was introduced. Hello Barbie also has hidden microphones and speakers, but instead of Bluetooth technology, uses Transport Layer Security (TLS), which is an encryption protocol to protect the privacy and security of communications.

TIPS

Many of the devices that make up the Internet of Things come with preset passwords that can easily be discovered by hackers.  Change your password as soon as you set up the product.  Also, set up a guest network on your router exclusively for your Internet of Things devices.  Use encryption software for the transmission of data and research where data is stored and what steps are taken to secure the information.  Also, limit the amount of information you provide when setting up the accounts for the toys.  The less information out there, the less the risk of identity theft.

Scam of the day – June 13, 2017 – Russian gang accused of hacking slot machines

Last week federal indictments against members of a Russian gang alleged to be led by Razhden Shulaya were unsealed in New York. While many of the indictments were for the common racketeering crimes you would expect, the defendants were also accused of developing devices to hack into particular models of slot machines and predict the machines’ behavior, thereby enabling the criminals to steal money from those machines.

Long gone are the days of the old-style one-armed bandit slot machines. Today’s slot machines are operated by sophisticated computers and programmed to make payoffs of specific amounts. This is actually a good thing, as all states regulate slot machines and require that casinos that have slot machines pay a statutorily set minimum payoff for the entire casino.

TIPS

Just about everything we do is computerized and often connected to the Internet in some fashion.  This is what we refer to as the Internet of Things and whether it is a talking doll, a car, a medical device or a smart television, anything that is computerized and connected to the Internet is a potential target for hackers.  This is important for all of us to remember when we use items that are a part of the Internet of Things.  We should make sure that passwords and security settings for these devices are not left on default and are as secure as we can make them.  It only takes a little time to do so and it is well worth it.

Scam of the day – February 24, 2017 – Talking doll banned in Germany

Cayla, a new doll from Genesis Toys, seems like such a nice girl, but according to the Bundesnetzagentur, the German telecommunications regulatory agency, she is a spy and she is now banned from Germany. Cayla is a part of the ever expanding Internet of Things and according to the Bundesnetzagentur, Cayla has hidden cameras and microphones that could be used to record private conversations over an insecure Bluetooth connection.

Cayla is not the first doll to be so equipped. In the fall of 2015, the latest incarnation of Barbie, the “Hello Barbie,” was introduced. Hello Barbie also has hidden microphones and speakers, but instead of Bluetooth technology, uses Transport Layer Security (TLS), which is an encryption protocol to protect the privacy and security of communications.

TIPS

Many of the devices that make up the Internet of Things come with preset passwords that can easily be discovered by hackers.  Change your password as soon as you set up the product.  Also, set up a guest network on your router exclusively for your Internet of Things devices.

January 29, 2017 – Steve Weisman’s latest column from USA Today

Here is a link to my latest column from USA Today in which I discuss the vulnerabilities of Internet connected medical devices, such as pacemakers and what you can do to protect yourself.

http://www.usatoday.com/story/money/columnist/2017/01/28/web-connected-medical-devices-great-unless/97084180/

Scam of the day – January 5, 2017 – FDA issues cybersecurity guidelines for medical devices

By now, we are all familiar with the Internet of Things, which presently includes 5 billion devices and is expected to grow to 25 billion devices by the year 2020. The Internet of Things is the popular name for the technology by which products and devices are connected and controlled over the Internet. The range of products that are a part of the Internet of Things is tremendous and includes cars, refrigerators, televisions, fitness bands, webcams, toys and even medical devices. The Internet of Things offers tremendous opportunities for constructive and efficient use of these products, but as with any technology connected through the Internet, it also provides an opportunity for hackers to exploit the technology for their own criminal purposes.

While hacking of medical devices sounds like something out of fiction, in 2007, former Vice President Dick Cheney was so concerned about hackers that he had the Internet connection on his pacemaker disabled. In September 2015, the FBI issued a warning saying that “Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection.” In 2014, the Food and Drug Administration (FDA) issued guidelines for building enhanced cybersecurity into the design and development of such medical devices. Now the FDA has released new recommendations, a year in the making, that deal with maintaining the cybersecurity of medical devices after they have been released into the marketplace. Here is a link to these important recommendations, which are merely recommendations and not enforceable regulations.

http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

TIPS

While medical device manufacturers and the government work on security standards for Internet connected medical devices, what can you do to protect yourself in the meantime? The most important thing you can do is find out what information is stored on your device and how it is accessed. Also learn about the use of password protection and make sure that your device is not still using a default password. Learn from the manufacturer what steps they have already taken to protect your device from being hacked. If your device uses an open wifi connection, you should change it to operate exclusively on a home network with a secured wifi router. If your device is capable of transmitting data, make sure that the transmissions are encrypted.

Scam of the day – October 26, 2016 – How to protect yourself in the Internet of Things

Distributed Denial of Service (DDoS) attacks, which temporarily shut down companies’ websites by flooding them with more traffic than they have the capacity to accommodate, are nothing new. What was unusual about last week’s DDoS against Dyn, a prominent Domain Name System (DNS) provider that hosted such popular sites as Amazon, Twitter, Spotify, Netflix and Paypal, was that the botnet used to launch the attack was not made up of hacked computers. Rather, it was made up of hacked devices such as smart televisions and webcams that make up the Internet of Things, devices connected to the Internet that one would not generally think of as requiring security. However, anything that is connected to the Internet can be hacked and used to become a part of a botnet and therefore requires security precautions.

So what can you do to protect yourself from having your devices hacked and becoming part of a botnet?

TIPS

Your first line of defense is your router, so it is important to change the default password with which your router came. In addition, each of your Internet of Things devices should have its own distinct password. Unfortunately, particularly for older devices that are a part of the Internet of Things, security was not built into these devices and they may not even be password enabled. Another helpful device is an Internet hub, which is a device that can control multiple Internet of Things devices through a single mobile app that utilizes dual factor authentication and encryption. The manufacturers of these Internet hubs, such as Samsung’s SmartThings, also provide regular security updates. Not all Internet of Things devices are hub certified, which is why, when buying an Internet of Things device, you should look for hub certification as an indication that the manufacturer is security conscious.

Finally, and perhaps of greatest importance in protecting yourself from becoming part of a botnet, do what you already should be doing: refrain from clicking on links or downloading attachments in emails that may contain the malware enabling a hacker to first access your computer and then move through it to your entire network of Internet enabled devices. Never click on links or download attachments unless you have absolutely confirmed they are legitimate.

October 24, 2016 – Steve Weisman’s latest column for USA Today

I submit my columns for USA Today a week in advance, so this particular column that was published in today’s edition of USA Today was written prior to the massive DDoS attack that occurred on Friday, October 21st. However, the exploitation of the Internet of Things as was done to perpetrate the DDoS attack is the subject of my column. Here is a link to it.

http://www.usatoday.com/story/money/2016/10/24/where-real-cybersecurity-threats/92666966/

Scam of the day – September 8, 2016 – FTC issues warning about rental cars

As if we didn’t have enough to worry about, the Federal Trade Commission (FTC) recently issued a warning about risks which most people are not aware of that arise when you connect your smartphone to a rental car in order to access the car’s infotainment system and other connected features.  By far, the biggest problem is that the car may store personal information of yours, such as your mobile phone number, message logs, contact lists and even the content of text messages you received while connected to the car.  If you don’t delete this information when you return the car, this information can be accessed by future renters of the car, employees of the rental car company or knowledgeable hackers.

TIPS

Don’t use the car’s USB port, even if you merely want to charge your smartphone rather than connect to the infotainment system. Connecting your phone to the system may transfer your data automatically without your doing anything further. Instead use a cigarette lighter adapter to recharge your phone in the car. If you do decide to use the infotainment system, a screen may appear on which you are provided options as to the information you authorize the system to access. Limit the access to only those uses that you need. Finally, and most important, when you return the car, make sure that you have gone into the infotainment system’s settings menu and deleted your device and your data.

Scam of the day – March 26, 2016 – Justice Department indicts 7 Iranians for hacking banks and a dam

As had been rumored for some time, the Justice Department on Thursday unsealed indictments against seven Iranian hackers tied to Iran’s Islamic Revolutionary Guards Corps, alleging that they were responsible for hacks against 46 American banks, corporations and financial institutions as well as a small dam in Rye, New York. Among the targets of the hackers were Ally Bank, American Express, Ameriprise, Bank of America, J.P. Morgan Chase, Citibank, Citizens Bank, Wells Fargo, AT&T and the NY Stock Exchange.

The attacks against the financial institutions were distributed denial of service (DDOS) attacks where the targeted companies were shut down after being overwhelmed by a coordinated onslaught of requests sent by networks of botnet computers.  Generally, these attacks are not much more than nuisances as the primary damage is just the taking down of the targeted websites for a few hours.

In the case of the attack on the Rye dam, however, the attack was intended to gain control of the dam, allowing the hacker to release water. Because the gate had been disconnected for maintenance at the time of the hacking, the hackers were unable to actually exercise control over the dam.

There is little expectation that the hackers named in the indictments will ever be brought to the United States to stand trial. However, the indictments serve both to put Iran and others seeking to take similar actions against the United States and its infrastructure on notice that they are being monitored and to possibly spur governmental sanctions against countries sponsoring such activities.

TIPS

The takeaway from these indictments is clear and something I have been warning you about for years, namely, that the infrastructure of the United States as well as every other country on the globe is in danger of potentially devastating cyberattacks. Our electrical grid, water supply, nuclear power plants and every other aspect of our infrastructure are part of the vulnerable Internet of Things, and neither the federal government nor private industry, which owns and controls most of these infrastructure elements, has done enough to protect their security. Hopefully, these indictments will serve to induce the government and private industry to take strong and effective action immediately.

Scam of the day – February 29, 2016 – Nissan disables app after hacking issues arise

I have warned you many times about the vulnerability to hacking of a myriad of Internet connected products, from toys to cars, that make up what is commonly referred to as the Internet of Things. The possibility of automobiles being hacked is particularly troublesome, and the latest development on that front occurred this week when Nissan disabled its Nissan Connect EV smartphone app, which could be used by owners of Nissan Leaf electric cars to control their automobiles through their smartphones. As is so often the case with the Internet of Things, security concerns were not sufficiently included in the development of the product. Anyone who had the Vehicle Identification Number (VIN) of a car could access that car’s systems by way of a smartphone.

TIPS

If you are the owner of a Nissan Leaf, you can check on the status of your own car by going to Nissan’s website at https://owners.nissanusa.com/nowners/

United States Senators Edward Markey and Richard Blumenthal have filed legislation known as the SPY Car Act, designed to provide requirements for automobile manufacturers to meet the threat of automobile hacking. SPY is an acronym for Security and Privacy in Your car. Senator Markey, in particular, has long been concerned with the vulnerabilities of automobiles to being hacked and last February issued a report that concluded that the efforts of automakers around the world to prevent hackers from gaining control of cars electronically were “inconsistent and haphazard.” Further, Markey said that most automakers did not even have systems for either detecting security breaches or responding to those breaches. This new legislation is an attempt to respond to the lack of efforts by the automobile industry to effectively deal with this problem.

The bill, if enacted into law, would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to develop industry wide standards to prevent vehicle control systems from being hacked into. In addition, the bill would require privacy standards to be developed to protect the privacy of the data collected by our vehicles. Finally, the bill, if enacted into law, would require cars to have a new cyber dashboard display, affixed to the windows of all new cars, indicating how well the particular type and brand of car protected security and privacy beyond the minimum standards set by law.

Automobile hacking is just another part of the broad Internet of Things where we are all increasingly vulnerable to hacking that threatens our well being.  Companies have got to do a better job of incorporating security into all of the devices and products that we use that are connected to the Internet. It is only a matter of time before hacking into the products involved with the Internet of Things results in devastating consequences.  Here is a copy of my USA Today column I wrote in April of 2015 about the Internet of Things and the dangers posed.   http://www.usatoday.com/story/money/columnist/2015/04/04/weisman-internet-of-things-cyber-security/70742000/

Here is a link to the legislation proposed by Senators Markey and Blumenthal.  If you support this legislation, I urge you to contact your Senators to request that they vote favorably on this bill.  http://www.markey.senate.gov/imo/media/doc/SPY%20Car%20legislation.pdf