Smart home technology and the internet of things (IoT): risks and rewards to consider. Additional details

As a follow-up to my post regarding smart home technology and IOT(link to the post),  I have been asked to do a deeper dive to into cybersecurity and how to protect yourself from “being hacked.”

I will start by saying that all of your devices and online accounts are vulnerable to being Hacked. “Hacked” means a criminal (“Hacker”) gains access and control (“comprises”) your devices and/or online accounts (“comprises”) and can steal, copy and change you’re your information.

Once you are hacked at home or work, the criminal can make your life miserable. Here is a partial list of what they can do:

• Steal your information. Then they can threaten to expose that information to others unless you pay them. You will never really know if they actually destroy it even if you pay.
• Lock you out of your device by using encryption and demand that you pay them a ransom for a key to decrypt the device so you can regain access.
• Monitor what you are doing online and later blackmail you.
• Edit the information on your devices without your knowledge.
• Use your devices to send out spam, and spread miss information and by pretending to be you, they can contact people you know who trust you and manipulate them.
• Use your devices to access other systems that your devices are set up for easy access easily.

Most hacks start by via an email to you. Here are some common ways hackers can gain access to your devices to harm you.

Phishing

Phishing involves a hacker sending you a fake email that appears legitimate. These emails tend to look like they are coming from a person you know or an organization you have a relationship with like Google, Facebook, your bank or your place of employment. These emails will generally indicate that the matter is urgent and immediate action is required on your part.

DO NOT TAKE whatever action they ask!

You may be instructed to click on a link that will take you to a website that looks the same as the organization that you think the email is from, but it’s actually a forgery of the site. Once at the link you will be instructed to log into the forgery website. Once you do that, the hackers now have your username and password which they can then use it to log into the real site.

Now that they have access to your account (which could be a bank account, an email account, etc.), and they can steal your identity, reputation, and your money.

A phishing email can also have an attachment which asks you to download it. As soon as you click on the download button and open the attachment, malware gets installed on your device giving the hacker complete access to your device and all of your data.

Some tips to protect yourself:

• Look for spelling or grammatical errors in domain names or email addresses. Cybercriminals also often use email addresses that resemble the names of well-known companies but are slightly altered. For example, [email protected] instead of [email protected] (“l” instead of “i”)
• Make sure you install a commercial anti-virus software tool on all devices
• Don’t download or install software that’s was pirated
• Only download software from trusted Websites
• Keep your operating system on all devices up to date by installing updates
• If you get a suspicious email, but you are not sure what to do it’s the best to ask someone for help. Don’t forward a suspicious the email to anyone without first getting their permission!

Malware

Malicious software (code) that is written with the intent of compromising a system (or device) in order to steal to steal the data available on the system causing to use in ways to cause harm to the owner and/or user. This code installs itself on your device and sometimes can spread to other devices of yours or others.

This malware code can harm you in a number of ways which include stealing or deleting sensitive data, modifying your system’s core functions, and secretly tracking your activities.

There are various factors that can expose you the installation of malware in your system:

•  An older or pirated version of an operating system which is not updated and is vulnerable to attacks.
• Clicking on unknown links or installing fake/pirated software can download malicious software code.
• Clicking on a malicious attachment can lead to malware or malicious code to be installed on your device
• Furthermore, USB, Thumb drives USB Sticks Flash Drives, etc. (USB storage devices) can also be used to compromise your device and install the malware.

 If someone gives you a USB storage device, it may contain malware, and just the act of inserting it into your USB port could activate the installation of the malware on your device.

Furthermore, if you lend a person your USB storage device, and it contains malware, the malware can be installed on their device. And, it works the other way so if the other person’s device contains malware this malware can install itself on your USB storage device and ultimately make its way to your device. These risks are leading many organizations to disable USB ports on all of their devices

Malware can be presented in many different ways

• Virus

A virus is software code that can infect and install itself on your devices. Once installed, it can take control of your device. It tends to replicate itself into data files, Apps or boot sector of a computer’s hard drive and to make the files/system inaccessible. Once in, the author of the virus can do all sorts of thinking to make your life miserable

• Spyware

Spyware is malware designed to spy on you. It hides in the background and tracks everything you do online, including your passwords, credit card numbers, surfing habits, and chats. It can record keystrokes, uses your webcam to record you and even listen from your microphone

• Keylogger

It is a specific form of spyware that simply records the keys you type and where you type them. These logs are then sent to the attacker who can analyze them to find your passwords, chats, credit card numbers and much more

Malicious mobile apps

There is a big misconception that every app available on the Google Play store or the Apple store is safe and legitimate. However, this is not the case. Some Apps available on these stores are not safe for users. Some of these apps may contain Malware as described above

How such apps can steal your data?

The malicious Apps may contain a code snippet that can install malware on your device. Furthermore, often Apps will ask for unnecessary permissions that hackers may misuse to extract critical data including your contacts, messages, and media. It is advised to look out for the following permissions as an application can misuse them:

• Accounts access. It helps collect crucial data including contact lists and e-mail addresses from your devices.
• Text permission. It can be used to send Text messages to premium-rate numbers and taking your account balance to zero
• Microphone access. It can record phone conversations
• Contacts. It allows a hacker to steal your contacts, which could end up letting all of your contacts to be contacted and spammed

How to protect yourself?

• Always check the permissions before downloading an app and think hard if you want to App the required permissions
• Check reviews and ratings
• Avoid downloading an App if it has less than 50,000 downloads
• Do not download Apps from third-party App stores
• Use your devices to send out spam, and spread miss information and by pretending to be you they can contact people you know who trust you and manipulate them
• Do not download pirated/cracked (modified) Apps.

Smishing

Smishing uses elements of social engineering to get you to share your personal information. This tactic leverages your trust in order to obtain your private information.

How to protect yourself?

• Never leave your system unattended. Always protect it with a strong password
• Be careful about how you store confidential information. Use encrypted computer hard drives, USB Storage devices, etc.
• Never leave your device unattended. Always protect it with a strong password
• Never write your passwords on a post-it or notepad.
• Don’t leave your phone, or other mobile devices, unlocked and unattended.
• Never Make sure proper backup and remote wipe services are enabled in case you lose your device.
• Make sure you carefully wipe out all data on your devices and don’t forget to remove the SIM cards, when applicable, and any external data storage devices, before you sell or dispose of them.

Physical Security of Devices

A physical threat is any threat to your sensitive information that results from other people having direct physical access to your devices like your mobile phone, tablet, laptop and desktop computers, hard drives and other mobile devices.

Physical security threats are often underestimated in as compared with technical risks such as phishing and malware.

Physical device threats occur when someone is able to gain access to your device and confidential data physically.

Physical access can happen if you lose your device or if it is stolen. It can also occur if you leave your device unattended in a place where other people have access to. It can also occur if you devised is in an area that you consider to be private. These places can include your home, hotel room, private office where the door is often left open when you are at the meeting. Lunch, etc.

 A competent hacker be in and out of your device very quickly.

How to protect yourself?

• Never leave your device unattended. Always protect it with a strong password.
• Be careful about how you store confidential information. Use encrypted computer hard drives, USB Storage devices, etc.
• Never leave your device unattended. Always protect it with a strong password
• Never write your passwords on a post-it or notepad.
• Don’t leave your phone, or other mobile devices, unlocked and unattended.
• Make sure proper backup and remote wipe services are enabled in case you lose your device.
• Make sure proper backup and remote wipe services are enabled in case you lose your device.

Insecure networks

Connecting any of your devices to an insecure network can create the possibility of a hacker gaining access to your device, data, and operating system. They can then start monitoring your activity online. A hacker in control of your system can steal passwords of your social accounts, bank accounts and even inject malware on authentic websites that you trust.

With software freely available on the Internet, anyone can sit in a car outside your home and access your critical files, accounting data, usernames, and passwords or any other information on the network.

Connecting to a “free” airport/coffee shop WiF is dangerous especially when you are carrying out critical activities online such as banking, private conversation or even browsing your email. These networks are often left unprotected which can allow a malicious hacker in the same shop/region to snoop on you easily.

What they can do with your device and data?

• Steal your information. Then they can threaten to expose that information to others unless you pay them. You will never really know if they actually destroy it even if you pay.
• Lock you out of your device by using encryption and demand that you pay them a ransom for a key to decrypt the device so you can regain access.
• Monitor what you are doing online and later blackmail you.
• Edit the information on your devices without your knowledge
• Use your devices to send out spam, and spread miss information and by pretending to be you, they can contact people you know who trust you and manipulate them.
• Use your devices to access other systems that your devices are set up for easy access easily.

How to protect yourself?

• Never connect to open Wi-Fi networks that you can’t trust. Just because it’s free, it doesn’t mean it’s safe too. When in a cafe with a Wi-Fi facility, ask the staff for the Wi-Fi you can connect to instead of randomly connecting to any open network.
• If you are using public Wi-Fi, avoid performing any bank transactions or accessing any critical information while being connected.

Windows Sandbox

Microsoft announced last week a new feature to Windows 10 Called Windows Sandbox. The concept of a sandbox in a computer is not new. Software engineers and even law enforcement have used a Sandbox to isolate computer code to a separate area (the Sandbox) from the main operating system and operating environment to protect it from Malware. But your average person does not have the expertise or resources to create a Sandbox themselves.

Windows Sandbox will no give us all access to a Sandbox on our Windows 10 machines strong>Per Microsoft

Sandbox is an “isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC,” Hari Pulapaka, the group kernel manager for the Windows kernel, described. “Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.”

Microsoft’s target for the Windows Sandbox seems target at software engineers and network managers. But it will still be available to us all, and if Microsoft takes the time to integrate it properly into Windows, the feature could be used to test an email attachment without damaging our computers safely.

More to come, stay tuned,

Steve