Your Information or Theirs?

The concept of allowing a company you purchase from to share your information with other companies has become very commonplace in our modern society.  Information like your name, email address, phone number(s), and even physical or mailing address are common pieces of information that will get shared by companies and you usually agree to it without even knowing you’re doing it.  Buried within most “Terms of Service” agreements will be some sort of clause that allows the company to share your data with other vendors or even to sell your data for their own profit.

What most of us do not realize is that the definition of that information is evolving almost as fast as technology.  The most recent and surprising example of this type of data sharing comes from the company iRobot, the makers of the popular Roomba vacuum.  According to an article by Hacker News, Roombas being manufactured since 2015 not only vacuum but also map your entire house as they do so.  iRobot is apparently planning on selling and/or sharing this data with third parties.

iRobot CEO Colin Angle stated, “there’s an entire ecosystem of things and services that the smart home can deliver once you have a rich map of the home that the user has allowed to be shared.”

Angle also mentioned that he is planning to push the company toward a broader vision of the smart home, and in the near future iRobot could sell your floor data to businesses like Apple, Amazon, Microsoft, and Google.  He does add the caveat that it wouldn’t be without the user’s consent.

While I see the vision of the company and the positive aspects of sharing the data between devices inside a single home or building, the idea of data that specific about my life and my home simply scares me.  I have to ask myself, as should these companies, where do we stop or how much is too much?  I also worry about whether or not they will actually inform or request separate permission from their customers before they do this or if they just rely on their existing Terms of Service agreement.

Another, larger question on my mind deals with where it will go from here.  What new types of information will start to be gathered and sold by all of these new Internet of Things (IoT) devices we keep adding to our lives?  At what point is our privacy just not going to matter anymore? Honestly, it’s not technology or progress that is to blame, but rather the lack of forethought and the lack of care about people that I feel causes these issues.

My advice, as usual, is to pay attention and be careful.  Be as aware as you can of the technology you use and the companies that make it.  Protect your data and your privacy at all costs.  If you have any doubts or questions, you can always contact us here at Cyber Watchtower and we will be glad to help in any way we can.

Austin Bynum
Chief Watchman
Cyber Watchtower

Austin Bynum has spent the last 18 years working in IT and network security.  His passion is to ensure everyone stays safe online and digitally.  His belief is that everyone has the right to be safe online without having to be their own expert.

Passwords vs Biometrics?

Most people are of the opinion that the use of biometrics will soon take over the use of passwords as we progress technologically as a society.  For those who don’t know what I’m talking about, biometrics are unique identifiers belonging to you that exist somewhere on your body, e.g., a fingerprint.

If you use fingerprint identification on anything, then you know how much simpler it can make your life when accessing your information. Most of the modern smartphones and even many laptops have this capability now.  It is hard to argue that the use of biometrics is typically faster and simpler overall for the user.

A recent incident has brought some pretty large attention to the issue of biometrics.  Self-service food kiosk vendor, Avanti, has been a victim of a malware attack that, according to them, has most likely compromised customer biometric data as well as their first name, last name, credit card number, and expiration date.  This attack is also one of the largest, successful Internet of Things (IoT) attacks and according to some reports, up to 1.6 million people could be impacted.

The biggest question to me arising from this incident is one of overall security involving biometrics.  While it’s true they are typically easier and faster to use, it’s not exactly like something you can easily change if it gets stolen.  If your password or even credit card data are compromised, those at least you can change.  However, if your fingerprint or other biometric data is stolen, those are not things you can change.  This question and others relating to biometric security are continuing to resurface after incidents such as these.

So, what is the solution? In my mind, we always increase security with a multi-layered approach.  In the case of logging into something like this, one might have a password and biometric data as a form of two-factor authentication. The flip side of this is that users would most likely complain that now the system is more cumbersome to use.  Yes, their data might be a little more protected, but the technology that made their life easier just got more complicated to use.

While I still believe in two-factor authentication, in the case of Avanti’s breach, the data would still be compromised.  So if you are an Avanti customer, your biometric data might be in someone else’s possession now.  I know, it is scary!

While I still think that biometrics represent a lot of our future authentication, the question must be asked about securing that data, how it is stored, and how it is transmitted.  According to Brian Krebs and his research, some simple technological applications to the kiosks themselves could have prevented this breach easily.  The kiosks fell victim to a known Point of Sale (POS) family of malware known as PoSeidon that siphons credit card data from point-of-sale devices.  In this case, it grabbed the biometric data too.

In my eyes, the fault lies with Avanti and their terminals, and/or the third-party vendors that distribute and maintain them.  That being said, while everyone is looking for someone to blame, the bigger question and picture here is that of you, the consumer.  How do you protect yourself? How do you avoid these problems?  Unfortunately, it is a question of your own risk management.  I write articles all the time about the best practices you should have to protect yourself, but the fact remains that when your data is in someone else’s hands, you lose control.

My advice this week: do the very best you can and be careful!  If you are an Avanti customer, follow the advice on their public statement and start monitoring your credit and close any accounts you may have used with them, or at least have your card reissued.

As always, if you have any questions or need help with anything, we at Cyber Watchtower are here to help you in any way we can.  Please contact us and let us help you.

Stay connected.  Stay safe!

Austin Bynum
Chief Watchman
Cyber Watchtower

Tornado Sirens? What’s Next?

As always, I try very hard to write about things that I think are important and pertinent in most people’s lives.  In my opinion, the following incident I’m going to discuss constitutes another major attack on Internet of Things (IoT) devices that are intended to help our society be safer.  The major incident that happened the night of April 8th in Dallas I believe has a much broader implied impact than just to the residents of that city.

18 minutes before midnight on April 8th, 156 tornado warning sirens went off for roughly an hour and a half.  The city had recently suffered some severe inclement weather including 3 tornadoes just days earlier so you can imagine residents’ initial reactions were mainly comprised of fear.

The culprit, however, was not bad weather, but rather a compromised network of sirens that, for some unknown reason, hackers decided to mess with.  While some find it harmless and humorous, it had adverse effects on some city services and infrastructure.  According to an article from the Washington Post, “Not everyone cracked jokes. ‘We had people asking if we were being attacked because of what’s going on overseas,’ a city spokeswoman said the next day. And thousands of people flooded the Dallas 911 system (which has had its own technical problems), she said, leaving people with real emergencies waiting on the line for long minutes.”  This obviously shows how something that might have seemed like a harmless prank can have a real impact on people.

Last year, Dallas suffered a different hack where attackers compromised highway information signs and posted mischievous messages.  I’m not sure this one caused as much pandemonium, but it still shows the vulnerability and accessibility to all of these connected devices we have in our society.

So why do I write about this?  It is a way that I keep you informed about what is going on but also doubles as a way to show the increasing dangers of connected devices that are not secure and unmonitored.

I love technology! I love what it has done and can do for us as a society!  However, I constantly battle these malicious parties that seem to want to do nothing but wreak havoc and dismay by compromising technology.  Sometimes it’s simple mischief like the highway signs and then it escalates to tornado sirens.  Your personal IoT devices are at risk too, just by people who want to cause damage. See article.

My job is to try to stay ahead of these people, but it is increasingly difficult.  The best advice I have for you is to make sure that any devices you may have in your home or business are secure.  If you don’t know or don’t know how to find out, contact me, or at least some local security professional who can help you determine that.  Contact manufacturers and ask them about the security built into their devices and make sure you are doing everything they recommend to keep it safe.  Don’t be scared to use technology, but please make sure that whatever tech you do use, you secure it and yourself as best you can.

Stay connected but stay protected.

Austin Bynum
Chief Watchman
Cyber Watchtower

Internet of Things – 2017

Happy New Year!

With the arrival of a new year, I thought I’d start a new discussion on the Internet of Things.  You may or may not have heard this term before, but it involves a lot more of us than you may think.  The Internet of Things, or IoT as it is commonly called, basically refers to any physical object connected to the internet.  The IoT is made up of everything from light bulbs to pacemakers to vehicles.  The most common devices are smart home devices such as light bulbs, TVs, and thermostats.  Other devices on the rise are centralized home devices like the Amazon Echo or Google Home.  We now have refrigerators that connect to the internet for TV or to just keep up with maintenance.

Regardless of the type of device(s) you or someone you know may own, the simple truth is that all of our lives are becoming increasingly more connected.  Unfortunately, that also means that there is an ever-increasing threat to the security of our lives.  As I’m sure you’re aware, being connected to the internet in any way brings its own set of risks and these IoT devices are no exception.  In fact, most of them have their own inherent security holes that aren’t usually found till they’ve been on the market for a while.

What most people do not know is that there have been all kinds of reported issues and cases around these devices.  Some of them have been found by security experts testing the devices and others by actual instances of devices being compromised.  There are some common issues out there and research continues to take place and the device manufacturers themselves continue to try and fix the issues as they’re found.

What most people do not think of is that while these devices provide us with a never before seen level of convenience in our lives, they also, sometimes, provide a less than secure gateway into our homes and lives.  They can be compromised and used to do all sorts of things, from sending spam to giving attackers full access to any connected device, including computers, in your home.

I do not write this to scare you, but more to warn you and, like we always do at Cyber Watchtower, educate you as much as we can so that you can protect yourself.  Right now, the best advice I can give you is below in a few easy points.

  • Do your research on any device you plan to purchase and buy from known manufacturers with a known good history.
  • Patch and upgrade firmware on all devices when it’s available (including internet routers).
  • Periodically check online for news or updates on your devices to make sure there haven’t been any major issues with their security.
  • Pay close attention to anything out of the ordinary in the function of your device or anything else they may be connected to.

I have no doubt that we will continue to see exponential growth in the use of these devices over the next few years.  The manufacturers are already catching on and have started building better security into the devices too.  We at Cyber Watchtower love technology, but we want your security intact above all.  So, enjoy your IoT devices, but just be careful and cautious.

Protect yourself and have a great new year!

Austin Bynum
Chief Watchman
Cyber Watchtower