Saturday, January 4, 2020

Secure Your IoT Devices

Happy New Year!  Apologies for the gaps between articles.  Reorganizing at work, and the holidays have really caused time to slip away.  I just wanted to get a quick post out there (since it's been a while) to remind everyone to secure all those new gadgets that you got for Christmas.  For all of you who got new Internet-connected devices for Christmas (smart TVs, thermostats, Ring doorbells, security cameras, etc.), don't forget that they are just as vulnerable to attack as any computer and you need to secure them properly.  Camera systems, especially, because an attacker can use them to spy on you and your loved ones in your own home.  IoT-connected alarm systems are a target because an attacker can build a profile of when you are home and when you are away in order to plan break-ins.  Garage door openers can even be connected nowadays, and an attacker can open your garage door if they can get into your system.







For all of you advanced network and security geeks who really want to lock down your IoT and home or small business WiFi networks, this video also has some great advice and gives excellent ideas and instructions for setting up your home network.







In Other News: Lots of things coming up in 2020 in the info security world.  Especially with what is going on in the Middle East now - Iran threatening more cyberattacks.  This is concerning because it's not just our government networks that are vulnerable, but our woefully unsecured power grid and medical systems as well.  Time to make sure even your home networks and private accounts, such as banks, healthcare, and other sensitive online accounts are secured.  Make sure you change your passwords often and enable two-factor authentication wherever possible.  I'll try to keep you informed as developments occur.









Saturday, November 16, 2019

Using "Disposable" Email Accounts

Have you ever signed up for a newsletter only to then be spammed into oblivion by the newsletter authors and their various affiliations?  Ever receive a notice from your bank telling you that numerous attempts to access your account using your email address have occurred?  Do businesses ask you for your email address and you hesitantly give it to them only to receive an unending string of advertisements?

If so, you're not alone.  Our email addresses have become such a ubiquitous and even necessary part of our lives.  In fact, many of the entities with which we do business won't even let us sign up for their online services or give us an account unless we provide an email address.  Many people use their email address for everything these days, from online shopping accounts to bank accounts, to providing the email address to auto repair shops and department stores as a way to identify themselves in future business dealings.  Healthcare, investment, retirement planning, social security, and many others are all examples of where we willingly submit our email addresses to conduct business in our busy lives.

Email gives us a huge amount of convenience.  But giving our email address to all of these entities presents a huge security risk as well.  At the very least, our own email addresses can be the source of information for others to launch tons of unwanted junk emails, SPAM, PHISHING emails, and just plain clutter.  There are not only the obvious annoyance risks but some serious personal security risks as well.


Security Risks:

Many times, our email address is also our username for the various accounts that we create online.  If that is the case, then half of the credentials needed to log in are already known or easy to guess.  If someone can find out where we do our banking, our shopping (most people shop at Amazon these days), and access our healthcare information, they quite possibly already have half of the information needed to access the account.  And since people are in the habit of using the same password for all of their accounts, if a bad guy gets into one account, the rest of the known accounts are easily accessible.

Another problem is that people have gotten into the groove of using the same formats for both usernames and email addresses - first initial and last name.  Their email address is jsmith@someemail[.]com and their username for many accounts is also jsmith.  If a hacker tries and fails with an email address, they have a pretty easy guess at what the username might be.  Whether or not the bad guy gets into your account, this then opens the door for a wide variety of problems, including identity theft, having our bank accounts drained, or them going around and signing us up for a plethora of newsletters and other online accounts just for spite.


Recommendations:

Besides being annoying, a lot of SPAM email also contains phishing links and tactics or has embedded malware.  And many of the newsletters that we may sign up for only need our email address at sign up so that they can send a verification email to make sure we are a human (and not a bot).  They send the verification email with a link, we receive the email, click on the link to verify, and then that email is really never needed by that account again unless they want to send more SPAM.  So having said that, there are a number of recommendations that will help keep your main email address from being compromised or used for SPAM purposes:

  • Use a "main" (primary) personal email address ONLY for emailing family and close associates.  Do not give this email address out freely.  Use this main email address to get notifications from top-tier accounts such as a bank, investment, health-care portals, and a few other critical accounts only as needed.

  • Do NOT use your email address as the username for your top-tier financial and health care accounts mentioned above if at all possible.  If they will give you a choice between an email address and a username to access the account, choose a username.  And then make the username complex.  Many people use their first initial and last name as a username.  That is way too easy to guess.  Instead, use something as complex and jumbled as you would a complex password.  For example, if my name is John Smith, instead of username jsmith I might select a username like M@rtyM00s3!! with which to log in.

  • Use two-factor authentication wherever possible.  Especially at banks and healthcare portals.  Most of those entities allow, and in fact, some now require two-factor authentication such as sending a PIN to your phone or sending a code to your email account that you will also enter at login.

  • Get a secondary (tertiary, etc) email address from one of the free online email providers, such as Gmail, that you use to sign up for newsletters and online discussion forums.  When the spam gets to be too much, stop using that account.  But then your primary email address remains unaffected.

  • Get a "disposable" email address from one of the providers mentioned in the videos listed in the resources below to use for the purposes of newsletter sign up and one-time verification.

  • Under NO circumstances use your official or work email to sign up for your personal accounts.

  • Do NOT use the same password for all of your different email addresses, and make your passwords for all of the accounts complex (at least 12 characters, a mixture of upper and lowercase letters, numbers, special characters, and NO dictionary words).  A robust password manager such as Dashlane or Roboform will help manage all of the various passwords.

  • Do NOT use initials and names for your disposable or secondary email address that allow people to easily guess your full name.  If I am setting up a disposable email address for use in signing up for a newsletter or product notifications, instead of wflinn@disposableprovider.com, I might use nococyberguy43@disposableprovider.com.  The disposable email providers typically present you with a randomized email address - use that if you wish.

Email provides us with a great deal of convenience but can be a source of a great deal of risk and even annoyance.  Your primary email account should be guarded almost as closely as your bank account number.  It really is a shame that we have had to become so guarded about something as ubiquitous as an email address.  But more and more the bad guys are using our email addresses as yet another vehicle with which to exploit us, steal our identities, and drain our bank accounts.  But with a few simple measures, we can prevent these personal disasters and keep our information and accounts secure.


Resources:

Article: How to Create Disposable Email Addresses

YouTube Video:  How to create a disposable email address for website registration.

YouTube Video:  Disposable Email Addresses | Tech Bytes | Website of the Day






Saturday, November 9, 2019

Cyber Security and Online Shopping

With the popularity of online shopping today, cybersecurity becomes essential to everyone. Shopping, even in the real world, involves money.  And where there is money, there are criminals ready to take advantage of unwitting people. Since much (most?) shopping is now happening in cyberspace, these criminals wasted no time in following the money trail straight to a valuable and highly exploitable target: online shoppers.

Online shopping became fashionable when people discovered one is free from stress and fatigue caused by crowds and traffic. There is also the convenience of searching whatever it is you want from your home, at your most convenient time and paying for it without waiting in line. All of these with just a few clicks of a mouse. 

How They Do It

The anonymity of the Internet and the ready availability of easy-to-use exploitation tools give even unsophisticated or inexperienced cybercriminals an easy avenue to do their work. They can target online shoppers, fraudulently obtaining information they can use for their own financial gain. Criminals use three common ways of attacking online shoppers.  These aren't the only methods to be sure, but the three below seem to be among the most common recurring avenues to exploit the unaware online shopper.

Unprotected Computers
Unprotected computers are an easy target for viruses and other malicious code used by cybercriminals to gain access to the information inside them. On the other end, online vendors have to protect their computers, too, against attackers who may access their customer databases.

Fake Sites and Email Messages
In the virtual online world, a site (or an online store) can be faked by these criminals, with no one the wiser.   It isn't too difficult for them to get an email list of people who have shopped at a particular site and then send bogus emails to those shoppers.  These fake sites mimic the legitimate ones and inherit the business, at least until they are caught or noticed.  One way you can tell that these are fake sites is poorly worded language or improper formatting in the email that they send you, the site descriptions, policy pages, and other parts of the website.

Playing on Consumer Emotion During Holidays or a Crisis
Charities have been misrepresented before, especially during natural disasters or holiday seasons where people pour in donation money and aid.  Holiday shopping seasons, especially those times closest to the holiday itself, allow the criminal to play on the consumer's sense of urgency in buying last-minute gifts.  Never click on a link sent to you in an email.  Always go to the charity's website by typing in their known good URL in the web browser address bar.

What YOU Can Do - Cybersafety Measures

Maintaining an up-to-date anti-virus program, a firewall and anti-spyware is always the three-pronged first line of defense in cybersecurity. They protect you against viruses and Trojan horses that may steal or modify your data and make your computer vulnerable. Spyware may also give the attackers access to your data.

Update Your Web Browser
Browsers are the gateway between your computer and the Internet. They must be kept updated with the latest security patches and software versions.  Use automatic updates whenever possible so that the operating programs and utilities are up to date.  Microsoft browsers will usually update each month during the regular patch cycle.  Browsers like Chrome and Firefox typically update when you open the browser after a new update has been released.

It is likewise important to check the default settings of your computer and apply the highest level of security. This will prevent attackers from taking advantage of the default settings of the programs. This applies primarily to browsers, email clients, etc. because these are the connectors to the Internet.

Only Visit Reputable Vendors
Cybercriminals are very good at mimicking the sites of legitimate vendors and making them appear genuine. You need to verify their legitimacy before supplying any information. Keep the phone numbers and the physical addresses of these vendors, which you can use in case of problems.  Again - Never click on a link sent to you in an email.  Always go to the vendor's website by typing in their known good URL in the web browser address bar.

Personally,  I use Amazon for just about everything.   No, I don't work for Amazon, and this isn't a plug or endorsement for them.  It's just that many of the things that I buy aren't even available at my local stores, Amazon carries nearly every product that I can find elsewhere online, and having an account at Amazon decreases the need to create many accounts at the many other vendors online. 

Security Features and Privacy Policies
As always, passwords and other security features add protection, if correctly used. Never use the same username and password over and over for every site where you have an account.  A robust password management program can help you with this.  Check the site's privacy policy before giving out personal or financial information. You have to understand how your information is stored and used.

Encrypted Information
Make sure the information you give out is encrypted. To check if it is, see if it includes a URL that begins with "https:" instead of "http:" and a padlock icon. If the padlock is closed, the information is encrypted. Know where the padlock icon is located in your favorite browser because some attackers use fake padlock icons to trick users. 

Use your Credit Card
Laws limit your liability for credit card charges in case of fraud. This may not be the case for your debit card. Because debit cards draw money directly from your bank account, unauthorized withdrawals could leave you penniless. Needless to say, you should keep a record of your purchases. Report any discrepancies immediately.

Don't Give Them Unnecessary Information
When you do create an account at a vendor's website and fill out your profile, don't feel obligated to give personal information above and beyond that which is needed for them to properly process your order.  For example, they may ask for your birthday, which is not needed to process your order, but to send you an email on your birthday to get you to shop there again.  And unless you actually want to receive a barrage of emails from them, be sure to uncheck the box saying that you want to receive email from them in the future.  This is one way to help alert you to suspicious emails claiming to be from that online vendor.  If you opted out, but then receive a bunch of emails from them, either they are violating the law, or a scammer is using that business's image to try to attack you.

Log Out!
Don't just close your browser, log out of your account and then close the web browser.  Logging out will close the open session, and if you have your browser set to delete cached sessions, closing the browser will delete all of your cached information.  This is particularly important if you are using public computers, such as those found at a library or "cyber cafe" type of setting.

Wrapping it all Up

Shopping online is truly a time-saving, hassle-free, and fun way of buying whatever you want on the Internet. The presence of the ubiquitous cybercriminals stalking at every cyber corner, however, necessitates good cybersecurity and awareness practices as well.  Pay attention to links sent to you in email.  Ensure that you only visit reputable charities and online businesses.  Use your credit card instead of a debit card.  Use proper password security and ensure that you are only visiting encrypted websites.  These simple ways will help you stay safe online, and help to keep you from becoming a victim of these cybercriminal activities.

Stay Safe!


