Tag Archives: passwords

Freely shared personal information plays part in Neiman Marcus hack

Data that you share on social media could end up for sale on the Dark Web. The luxury retailer Neiman Marcus is the latest victim of a data breach. At the end of January, Neiman Marcus notified their online customers that unauthorized individuals attempted to access customer’s online accounts by trying various login and password […]

How to create strong, unique passwords for all your accounts (and remember them!)

One of the best ways to protect yourself online is by using strong passwords. Yeah, right. You’ve seen the rules before 1. Use long, strong passwords that mix letters, numbers, special characters, and capital letters 2. Avoid using the same password on different websites. But since we have so many to remember, the average is 19 per […]

Taking a closer look at cracked Ashley Madison passwords

People create terrible passwords. As simple as this might sound it unfortunately remains news to millions — if not billions — of individuals who use the Internet. As proof, we’ll take a look at a selection of passwords that were revealed in the Ashley Madison leak. Regardless of any shortcomings Ashley Madison had in terms […]

Computer-aided sniper rifles the latest things controlled by hackers

For those of you keeping track, you can add high-tech sniper rifles to the growing list of Things That Can be Hacked. The vulnerability that allowed two security researchers to break into the computer guidance system of a sniper rifle is the same that allows hackers to access baby monitors and home routers. Simply put, the […]

Are the hacks on Mr. Robot real?

      No Comments on Are the hacks on Mr. Robot real?

Last night the pilot episode of MR. ROBOT, a new thriller-drama series aired on USA Network. The show revolves around Elliot who works as a cyber security engineer by day and is a vigilante hacker by night. I watched the episode and then sat down with Avast security expert Pedram Amini, host of Avast’s new […]

Technology mistakes to stop making today

We love our fans and followers on Twitter because they frequently alert us to great resources. It happened today when we received a tweet from @LoveNerds4Ever letting us know that Avast Antivirus was mentioned on a Sacramento (California) News10 video segment. Thanks, Shawna! @avast_antivirus You were mentioned! “Tech Mistakes” Ryan Eldridge #NerdsOnCallComputerRepair on #News10Sacramento https://t.co/pFAdSIN0N2 […]

Lizard Squad hackers use unsecured home routers in DDoS attacks

Your home router could be part of a network used to knock sites like Sony PlayStation network offline. During Christmas we reported that a hacker group calling themselves the Lizard Squad, took responsibility for ruining the day for Sony PlayStation and Microsoft Xbox users by taking the gaming networks offline. This and previous attacks, which […]

Who’s Watching You Sleep?

      No Comments on Who’s Watching You Sleep?
The Gaping Hole in the Internet of Things

 

Thanks to George Orwell’s classic book 1984, I graduated High School thinking I would eventually live in a world monitored and suppressed by world governments.  In the wake of the PRISM scandal in 2013 I started to get the feeling that Orwell’s dystopian novel was looking like an ill-timed prophesy.  In light of comedian Pete Holms’ rant on how Privacy is Uncool, it is little brother (us) leaking our secrets; no one has to steal them from us.  If you thought unmanaged Social Media privacy settings were bad, how much would you cringe if you knew you were letting people watch you sleep?  Welcome to the perils of the Internet of Things (IoT).

Up until very recently a number of security camera manufactures were shipping internet connected cameras (AKA IP cameras) with default passwords.  Many of these passwords were never changed by the purchaser after setting them up.  It was only a matter of time that someone would set up a website displaying many of these feeds (Up to 73K at its peak). 

Let me introduce Insecam, the website dedicating to not only showing you the unrestricted feeds of home and commercial security cameras but also to where they are located with all of the admin and password information.  In addition to this they have social plugins that let you share your favorite feeds with your community.  Ultimately taken from the pages of the improving-through-shaming security book, this site claims to seek the end of default passwords yet places advertisements conveniently next to navigation icons.

Sleep edit.jpg

On my review of the site, I saw mundane shots of doors and walkways and more mild scenes of people working the front counters of gas stations and dry-cleaners.   With a chill down my spine I saw a bartender drinking the profits and an overhead shot of a girl scrolling through a fashion site.  What startled me was the shear amount of cameras in bedrooms, a no-no in my world.  Granted that a majority of these were aimed at cribs but the alarming part was the number of unsecured cameras pointed at hospital patients, adult beds, living rooms, and private hot tubs.  Sadly, various online forum contributors claim to have found dead bodies and adults in very private or intimate situations.  Situations like this define the need for better security in the internet of things landscape.

No matter what colored bucket of hacker you place the Insecam’s creator into, they have exposed a gaping hole in the IoT landscape.  In 2011 there were over 9 Billion devices connected to the internet and by the year 2020 it is expected that number will be close to 24 billion.  This is a cause for concern for manufactures and companies like Symantec and a potential bonanza for hackers.  As more and more things come online, we are discovering new vulnerabilities and how some security practices are becoming out of date.  There are obstacles with current security practices but there are ways to overcome them.

Better Password Management

I’m not a fan of passwords.  Since we have to live with them we have to learn how to use them.  I wrote a fun mocku-blog on password best practices for you to loathe and share.  Passwords are a very weak form of security and Insecam proved that.  Two Factor authentication can be used to install and access IP camera feeds via a computer or mobile device.  If you have the time, take a peek at this white paper from Symantec on digital certificates used for authentication. 

When it is all said in done, Insecam victims used default ports and passwords and were most likely discovered by an IP address surfing tool.  A simple change of the password would eliminate them from the site but it could still be guessed by a serious stalker.  Keep in mind that passwords are the number one thing sought after by hackers since we often use the same ones on multiple sites.  Here is how they do it.

Encryption; an IoT solution

As a best PKI practice, all data SHOULD be encrypted in transit and at rest between a Host and Client.  If the device manufactures enabled encryption of the data, only the end user could review the video stream with client authentication.  This would slow the feed a bit but it would secure the connection.  If marketers want to instill trust in their internet connected devices they need to consider implementing a security promise with their messaging.  So how can they encrypt a live feed?

My engineering buddy and counterpart Frank Agurto-Machado recommends the use of embedding a private SSL ROOT CA within each device.  The connection between the manufacture’s infrastructure and the camera would be secured and encrypted via client authentication to this private SSL root.  Ultimately, this may increase the cost of a device but it would help better ensure security.  While this DOES NOT remedy the Password hijacking, it secures the model from point-to-point between the “client” and the host.  Symantec offers Private CAs to enterprises that need customized encryption for server to server communication or for applications such as this. 

The Security Trade-Off

Balance Act_0.jpg

Throughout the course of world history humans have always had to juggle between access and fortification when it comes to security.  Our ancestors had to find a way to secure a food hoard that would not take hours to hide or cover.  Castles had to ensure soldiers and citizens could pass freely yet survive a siege.  Anti-virus software on your PC has to allow you to quickly surf the internet but check and possibly restrict all incoming traffic.  Manufactures within the IoT space have to learn how to balance these two and improve customer messaging to assist them in setting up a trustworthy and secure devices.

Edit:  Since the writing of this blog insecam has been shut down.  From appearances it appears to be taken down by a third-party hacker.