Tame the FUD Factor!

Friday, March 29, 2019

Just say NO!

Another day, another few hundred million accounts compromised. Facebook is the most recent (as of this writing in late March). This problem has become so commonplace that it hardly qualifies as news. What is different about this one is that it wasn’t criminals who broke into Facebook and obtained the data; instead, Facebook found that this information was left unprotected (unencrypted) and available to Facebook employees, and that ‘there is no evidence to date’ that the information was compromised. Which is a backhanded way of saying, “We don’t know what the heck happened, we just found these few hundred million accounts lying around and figured it probably wasn’t a good thing.” Do ya think? Oh, and it turns out, this info has apparently been ‘just lying around’ like this … for YEARS! The only reason we know about it now is due to a whistleblower at Facebook.

The questions that immediately come to mind for me are:

  1. How did something like this happen? Several hundred MILLION accounts just ‘lying around’. I doubt Mr. Zuckerberg leaves a few hundred million dollars lying around. A leprechaun, he is not.
  2. What else is there just lying around, at Facebook and on other systems? Who is protecting our information?

From a cybersecurity and IT professional viewpoint, this indicates an egregious lack of basic security protocols and – RESPECT for the privacy and confidentiality of your clients. While I would not be surprised to see Mr. Zuckerberg making another trip to Washington for yet another Congressional hearing, let’s be honest – that doesn’t do squat but give some politicians facetime and help them think they are doing something. One would hope that after the last high-profile pillorying, Facebook would have realized their internal systems might just need a bit of an overhaul. Hopefully, the FTC will fine them a few billion after the Cambridge Analytica mess, but even that won’t be enough to move the needle.

What can we do? The only thing that the average individual can do: anyone who has a Facebook account should give serious consideration to deleting their account and just say NO to Facebook. They can only sell, exploit and LOSE what we give them.

Fool me once…

Thursday, March 21, 2019

Who is watching whom?

With the advent of the ‘Internet of Things’ (IoT, internet-connected devices), the average consumer is likely to have multiple devices in their home, office or on their person that are capable of surreptitious surveillance, and not be aware of it. One of the more high-profile examples of this was the recent Apple FaceTime bug that would allow anyone to activate the microphone and camera in your iPhone or iPad without your permission. While Apple released a patch for this bug within a few days of it being made public, how long this bug existed and may have been exploited is unknown. If you have an Apple device, please make sure you have installed this update and, if you do not use FaceTime, disable it.

Unfortunately, the FaceTime bug is just one of the many exploits that we know about. Any internet-connected OR wireless device (think baby monitor) in your office, home, car, coffee shop or on your person is vulnerable to exploitation. To make this problem worse, some of these devices come pre-configured for ease of installation with default settings that either cannot be changed or that the user does not bother to change. This allows anyone with very basic knowledge to gain access to and control those devices. Additionally, some of the older devices (3+ years) have very basic (if any) security and do not have the option to be upgraded (built-in obsolescence).

So, what does the average consumer do? If you do a web search for ‘how to protect yourself from the internet of things’ you will find a LOT of articles. Unfortunately, most of them use terminology and give recommendations that can be daunting for many. One of the better articles that gives some common-sense advice is this one from Lifehack. While some of these may require enlisting the help of a family friend or local geek, at a minimum we suggest you make an inventory of your connected devices (tip #1), so that you at least know what is at risk and can potentially mitigate your exposure.

Did you know? If you have an Amazon Alexa or a Google Home device, then you have a built-in, always-on microphone (and possibly camera) listening/watching and recording everything within range, 24x7. George Orwell would be so proud! If you have an Alexa and want to really be freaked out, log in to your Amazon account and you can review and listen to all of the recordings it has made – and fortunately, delete them. Perhaps Jeff Bezos should pay a bit more attention to his own personal internet security…?

I love technology and have many IoT devices (including Alexa, which I turn off when not in use and restrict to my office), but I always assume that any of these devices has the potential to ‘go rogue’. As such, I am cautious about not only what I use but where I install it, to help me manage the failure points.