The Internet of Things is Still a Privacy Dumpster Fire

No, not literally, but close.


Researchers investigated 81 Internet of Things (IoT) devices like smart TVs or security cameras.

The researchers ran 34,000+ experiments and found that 72 of those devices contacted someone other than the manufacturer.  For example, almost all of the TVs contacted Netflix, even if you don’t have a Netflix account.  For the most part, the manufacturers do not tell you who they are talking to.

Much of the data is sent unencrypted, so anyone listening to the traffic can see what is being sent.

Vizio got caught at it (collecting and selling your data) and paid a small fine ($17 million), so they figure the risk is low.

Since most of these devices have horrible security, they are easy to hack.  That fact has not been lost on the intelligence community in both friendly and not so friendly countries.  That makes your smart devices extra smart – they are a listening post for the good guys and the bad guys.

For example, one camera talked to 52 unique IP addresses and one TV talked to 30 different locations.

This data is aggregated with other data to build profiles – where do you live plus where do you work plus how much do you make plus what are your TV habits.   You get the idea.

Companies sell these datasets.  For anyone in the United States they might be able to produce 2,000 to 3,000 different pieces of information.

Obviously, if the device has a camera or microphone, that adds more data to the mix.

If that camera is on the same network as your computer is and if your smart camera gets hacked, it is certainly possible that an attacker could use that camera to attack your computer.  Actually, that is not far fetched at all – it has already happened.

So what can you do?

The easy answer, of course, is to ask if you really need that smart refrigerator or microwave.  If you don’t, then don’t get that model.  The dumb model is probably cheaper anyway.

Sometimes you can’t find a dumb device.  That doesn’t mean that you MUST connect that device to the Internet if you don’t need those features.

Finally, if you are going to make that device smart, then isolate it from the rest of your network.  Depending on what you are trying to accomplish, that can be hard; often you want that smart device to interact with your phone or your computer.  The answer there is to build rules that allow that data to travel in only one direction.

I am not counting on smart devices actually getting smart until there are laws that either force the issue or change the economics.  GDPR is changing the economics of privacy in Europe.  British Airways, for example, just got hit with a $200 million fine.  A few of those and your average CEO is going to think differently about privacy.   Those laws have already started coming, but it will be at least a few years before they cause manufacturers to change their habits.  Source: Motherboard.

How Long Should Vendors Ship Software Patches

As computers and software become more integrated into every facet of our lives, and as security attacks on our infrastructure become part of the news every day, the question of software patches and upgrades needs to become a factor in purchasing decisions.

Whether it is a consumer Internet connected baby monitor (whose bugs have compromised the privacy of mothers feeding their babies) or Smart TVs that listen in to our conversations (and send that data to China), customers – both business and consumer – need to start considering software patches in their purchasing decisions.

A couple of examples:

  • Apple is very good about patching their customer’s iPhones – until they reach end of life.  This week Apple stopped issuing patches for iPhone 5s and 6s.  This doesn’t mean there are no more bugs nor that attackers won’t go after them.  It also doesn’t mean that owners of those phones are suddenly going to crush or melt them and buy a new one.
  • In January (2020), Microsoft will stop patching Windows 7 and other operating systems from that generation.  Windows 7 had a good run of about 10 years.  Do you still have any Windows 7 computers in your home or office?  They provide patches for free for 10 years.  That is a long time.
  • Microsoft ended support for Windows XP years ago but many computers inside control systems like those that count your vote or make sure your drinking water is safe still run on that operating system.  With many bugs and no patches.
  • Most Android phone makers only patch the phones that they sell for two years from when they introduced it – not from when you bought it.  Some don’t patch them at all – ever.  If you get your Android phone directly from Google, then that number is 3 years.  There are probably close to a billion Android phones world wide that have not been patched in years.
  • In business software, sometimes you can get patches, but only if you pay for updates every year.  No payment, no patches.  Cisco is a great example of this.
  • I could write all day about this.

The bottom line is that you need to understand, preferably before you buy, what the rules are for that software (and you need to start thinking of the dishwasher or TV or copier or whatever as really being software.  Yes, it includes hardware, but it won’t function without the software.  It won’t even turn on).  Does the vendor provide patches?  For how long?  Do you have to pay for them?  How do you install them?

A great example of this is my GE dishwasher (YOU HAVE PATCHED YOUR DISHWASHER RECENTLY, HAVEN’T YOU?).  It broke down a couple of years ago and the repair person came out to fix it.  Didn’t even turn it on.  Mind you this is not an expensive, top of the line dishwasher – just a run of the mill one that you can get at places like Home Depot.  He plugs a network cable into the dishwasher and clicks on a few things.  It tells him what part is broken, he goes out to his truck and gets a replacement part.  After installing it, he plugs the laptop back in, a few more clicks and he declares it fixed.  Never turned it on.

But he also said that he had to patch my dishwasher.  This is not a smart dishwasher.  It doesn’t connect to the Internet at all.  GE would not let him close the service call until he patched it.

What was the patch for?   Oh, it could get too hot and catch fire.  Nothing important.

But my dishwasher hasn’t broken again for a couple of years.  Does it need more patches?  Probably, but I am not likely to pay for a service call just to see if there any patches for it.

Probably almost everything in your house or office that you connect to batteries or electricity has software in it.

And should be patched.

And likely is not being patched.

And likely has security flaws.

That includes every piece of software on every computer.

One bright spot.  If you subscribe to one or more cloud services, patches are included.  You don’t even have to think about it.

Do you even know what you have?

Do you track whether your TV or copier or phone or whatever has been patched lately?

Businesses are okay when it comes to patching computers.  For the rest, it is pretty hit or miss.

A fact that hackers understand and exploit.

We had a client who was attacked because their copier was connected to the Internet and compromised.  Cost them a fortune in credit card fraud (it’s complicated, but real).

It is not simple to solve this problem, but it is solvable.  And it is pretty easy to reduce the attack surface.  Do it a little bit at a time.

Think about it.

Windows 10 Offers New Anti-Ransomware Feature

Back in May Microsoft released Windows 10 Build 1903, AKA the May 2019 update.  Suffice it to say, Microsoft has had more than its share of problems with 1903, so if you are not there yet, I would not install it.  It is quite embarrassing for Microsoft that more than 90 days after the release, it is still not ready for prime time.

However, once they get things figured out, they have got a new feature in 1903 that seems very cool and that is an anti-ransomware feature.

Given how pervasive ransomware has become, anything that you can do to reduce the attack surface seems like a good idea.

One feature that I am not going to talk about today is called Windows Sandbox, which is a lightweight virtual machine that you can use to run untrusted software.  More on that another day.  (FYI, none of my machines have updated themselves to 1903.  I threw caution to the wind and forced an update on one machine.  Have my fingers crossed).

In the meantime, I am going to talk about Ransomware Protection.

This feature comes in two parts and, FYI, as is usually the case with new features, this feature comes DISABLED by default.

Part one is called CONTROLLED FOLDER ACCESS.  If Controlled Folder Access is turned on, all changes to any folders that you specify will be blocked, unless the program making the change is one you specifically allow.  This means that if some malware tries to write to, say, your Windows folder, it will be stopped cold.

Part two is called RANSOMWARE DATA RECOVERY.  This backs up your files to OneDrive so that you can recover an older version from Microsoft’s cloud.

To turn on Ransomware Protection, click on START and then type WINDOWS SECURITY in the search box.

Security app

Scroll down to ransomware protection.


And click on manage ransomware protection.

Enable ransomware

Turn on Controlled Folder Access and also log in to OneDrive.

Ransomware protection enabled

You can now configure Controlled Folder Access.
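For anyone who would rather script this than click through the Windows Security app, the same setting can be managed from an elevated PowerShell prompt with the Microsoft Defender cmdlets.  This is an added example, not code from the post; the folder and application paths in it are placeholders that you would replace with your own, and it assumes the Defender cmdlets that ship with Windows 10 are available.

```powershell
# Added example: manage Controlled Folder Access with the Defender cmdlets.
# Run from an elevated (Administrator) PowerShell prompt.
# All folder and program paths below are placeholders, not real values.

# 1. Check the current state: 0 = Disabled, 1 = Enabled, 2 = Audit mode
(Get-MpPreference).EnableControlledFolderAccess

# 2. Start in audit mode so nothing is blocked yet.  Writes that WOULD have
#    been blocked are logged as event ID 1124, which tells you which of your
#    legitimate programs need to be allowed before you switch to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect extra folders beyond the defaults (Documents, Pictures, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # placeholder path

# 4. Allow a trusted program that legitimately writes to protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'   # placeholder path

# 5. Review the last 7 days of events (1124 = audited, 1123 = blocked).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-List

# 6. Once the allow list is complete, turn on enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the final configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

The reason for the audit-mode step is that Controlled Folder Access blocks every program that is not on its allow list, including your own backup or accounting software; running it in audit mode for a week and reading the 1124 events first is how you avoid breaking things on day one.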

Given this is somewhat complicated, you may want to ask your IT person to help you with this.

In the end, however, this seems like a great feature.

Source: Bleeping Computer.

Security News for the Week Ending September 13, 2019

Facebook/Cambridge Analytica Suit Moves Forward

Facebook tried to convince a judge that when users share information privately on Facebook they have no expectation of privacy.  The judge didn’t buy it and the suit against Facebook moves forward.  Source: (registration required)

Equifax Quietly Added More Hoops for you to get your $0.21

Yes, if everyone who was compromised in the Equifax breach asks for the $125, the total pot, which is only $31 million, will be divided up and everyone will get 21 cents.  Not sure how the courts will handle that when the cost of issuing 150 million checks for 21 cents is tens of millions.  Often times the courts say donate the money to charity in which case, you get nothing.

The alternative is to take their credit monitoring service, which is really worthless if you were hit by one of the many other breaches and already have credit monitoring services.

So what are they doing?  Playing a shell game – since the FTC is really a bunch of Bozos.  Equifax is adding new requirements after the fact and likely requirements that you will miss.

End result, it is likely that this so called $575 million fine is purely a lie.  Publicity is not Equifax’s friend, but  it will require Congress to change the law if we want a better outcome. Source: The Register.

End of Life for Some iPhones Comes Next Week

On September 19th Apple will release the next version of its phone operating system, iOS 13.  At that moment three popular iPhones will instantly become antiques.

On that date, the iPhone 5s, iPhone 6 and iPhone 6s Plus will no longer be supported.  Users will not be able to run the then current version of iOS and will no longer get security patches.

This doesn’t mean that hackers will stop looking for bugs;  on the contrary, they will look harder because they know that any bugs they find will work for a very long time.

As an iPhone user, you have to decide whether it is time to get a new phone or run the risk of getting hacked and having your identity stolen.

What Upcoming End of Life for One Operating System Means to Election Security

While we are on the subject of operating system end of life, let’s talk about another one that is going to happen in about four months and that is Windows 7.

After the January 2020 patch release there will be no more security bug fixes for Windows 7.

The good news is that, according to statcounter, the percentage of machines running Windows 7 is down to about 30%.

That means that after January, one third of the computers running Windows will no longer get security fixes.

Where are those computers?  Well, they are all over the world but the two most common places?

  1. Countries that pirate software like China, Russia and North Korea
  2. Most election computers, both those inside the voting machines and those managing those machines.

That means that Russia will have almost a year of no patches to voting systems to try and find bugs which will compromise them.

Microsoft WILL provide extended support to businesses and governments for a “nominal” fee – actually a not so nominal fee.  ($50 per machine for the first year and $100 per machine for the next year with carrots for certain users – see here), but will cash strapped cities cough up the money?  If it is my city, I would ask what their plan is.  Source: Government Computer News

DoD Releases Draft CMMC Guidelines

The Department of Defense is probably the largest software development (and hardware development) organization in the world but unlike say Microsoft or Cisco, almost all of the development is performed by third parties – the so called defense industrial base or DIB.

It is also likely the number one target of nation state hackers since a major weapons system like the F-35 might cost a trillion dollars over its lifetime and it is way cheaper for countries like China to steal the tech than to develop it.  For example, China stole the plans for the F-35 and built the J-31 (see news item here).  Unfortunately, that is far from an exception.

The DoD has been trying to tighten up security among the base of hundreds of thousands of contractors (there are 300,000 + contractors that handle sensitive unclassified information called CUI and that is just one category of information).

The government wrote a security spec called NIST SP 800-171 but enforcement has been weak.

This year, working with Carnegie Mellon, Johns Hopkins and Mitre, the DoD is developing a “Cybersecurity Maturity Model Capability” (CMMC) very similar in concept to the model Carnegie Mellon developed for software developers (CMM) back in the 1990s.

The plan is that all DoD suppliers will be required to be certified by a third party, every year.

While the model is only at version 0.4 and will not be finalized until next January, here is what it looks like right now.

  • There are 18 domains
  • The domains are comprised of capabilities
  • The capabilities have processes and practices
  • Certification runs from level 1 to level 5
  • Level 1 requires basic cybersecurity in an ad hoc manner and is designed for small companies who are not working on very sensitive projects
  • Level 5 is advanced security practiced in an optimized fashion
  • There are 35 practices for level 1
  • For level 5, which includes levels 1-4, there are 370 practices – all subject to change at this point
  • Very few companies will need to be certified at level 5

Click here to review the overview document for version 0.4.

For those people who are familiar with the NIST Cyber Security Framework (CSF) or NIST SP 800-53, this will all look very familiar.

The problem is that a large number of defense suppliers are small businesses that have no security program at all.  For these companies, they will be required to get to at least CMMC Level 1 and be certified annually by a third party.  This could come as a shock to some.

While DoD messed around with enforcing NIST SP 800-171, there have been a number of serious DoD breaches over the last few years which have embarrassed the Pentagon brass, so it APPEARS that they are serious about this.  WE. SHALL. SEE.

The plan is for the standard to be done by January – warp speed for DoD, be included in RFIs by June and be included in RFPs by September.  Assuming they don’t blink (and it would be easy to put it into selective RFPs as opposed to making it a mandatory requirement), that would mark a huge change for the Department.

A complete copy of the draft can be found here.

My suggestion – if you are anywhere in the DoD supply chain – is to start learning about the CMMC and begin implementing basic cybersecurity practices now.  If you are at the more sensitive end of the DoD food chain – Secret, Top Secret and SCI – start looking at CMMC Levels 3 through 5.

DoD has also said that they are going to start including security along with cost, schedule and function in contract awards and Katie Arrington has publicly said that DoD understands that they are going to have to pay for some of this.  Katie is the special assistant for cybersecurity, reporting up to Ellen Lord, who is the Undersecretary for Acquisition and Sustainment – the person who is responsible for buying tens of billions of dollars of weapons every year.

Read these documents and get started now because if DoD actually does what it says, it will be a scramble to comply and if they actually make security an award criteria, doing it later won’t matter – you won’t get the award.

Business Roundtable Lobbying Group Wants Weak National Privacy Law
50 Very Data Hungry CEOs (Out of About 30 Million) Try to Fool Congress into Letting Them Abuse Your Data

A group of big data CEOs wrote a letter to Congressional leaders requesting a Federal privacy law which would usurp the states’ rights to protect their consumers as they see fit.

A spokesperson for Facebook responded several months ago to a reporter’s question about a New York bill requiring companies to be a data fiduciary with the response that if the bill passed (it didn’t), Facebook might as well shut down in New York.  The spin doctors tried to walk that back the next day, but the reality is, if that law passed, it would require Facebook and companies like them to change their business models.

In fairness, it is difficult for companies to keep up with all the privacy laws (we help companies do that), but unless your business model requires that you sell your customer’s data to stay in business, complying is manageable, but it does take work.  Unfortunately, the Facebooks and Googles of the world have made things more complex for everyone else.

The state of data privacy is roughly in the same place that cybersecurity was in after California passed its landmark security bill (CA SB 1386) in 2003.  SB 1386 is the model that every other state drew from to enact their security laws.  Now CA AB 375 (the new California Consumer Privacy Act) has already begun this process over again with privacy laws.

Even though they don’t say this, what they really want is for Congress to pass a law because they know that their lobbying billions will allow them to buy a very weak law that will nullify laws like the ones in California, New York, Nevada, Vermont and other states.

The longer Congress doesn’t act, the more states will pass strong privacy laws, because that is what consumers want and the harder it will be to get votes at the national level to obliterate rights people already have – hence the urgency from these CEOs.

The California law would allow people to sue businesses that have breaches, which would dramatically change the economics of lax security practices – right now, at the federal court level, you have to prove that you have been tangibly damaged to sue after a breach.  The defense that some companies are using is that there are so many breaches, how do you know that your damage was from our breach.  The California law removes that requirement to prove that the consumer had tangible damages.  That alone scares the crap out of the Facebooks and Googles – and it should.

They are trying to pass this off as stopping consumers from being confused about their rights (like the right to tell Facebook not to sell your data – that is certainly confusing and hard to understand), but that is completely bull.  The 6 rights that the California law gives consumers are each spelled out in one sentence and are easy to understand. For example:

  • The right to know what data a company has and to get a copy of it
  • The right to request that my data be deleted subject to a list of exclusions
  • The right to stop a company from selling my data
  • The right to equal price and service even if I tell you not to sell my data

And a couple of more rights.  These rights are easy to understand and the real problem for CEOs like Amazon’s Jeff Bezos is that people will likely actually use these rights and that might force companies like Amazon to change their business models.

If companies are transparent about their data collection practices, then this is a pretty simple choice.  People can choose to do business with companies that want to sell their data.  Or not.

One thing that makes this conversation different than the conversation around security in 2003 is that places like Europe, Japan and a significant number of others have already given their consumers these rights, so the big data companies already have to deal with this.  No matter what happens in the US, this will happen in the rest of the world.

At that point, as we are already beginning to see, the lack of a strong national privacy law in the US makes it MORE difficult and MORE expensive for US companies to compete in the rest of the world.

In Europe, the first EU/US privacy agreement, Safe Harbor, was struck down by the EU courts as not protecting EU citizens’ rights.  That was replaced by Privacy Shield (which many people say was just Safe Harbor with lipstick) and Privacy Shield is being attacked in the EU courts.  We do not know the outcome of that court battle, but we will soon.  If the courts strike down or force substantial changes to Privacy Shield, that will make the arguments of these 50 CEOs even less intelligent.  Many companies have already decided that it is cheaper, simpler and better PR to have one set of consumer friendly privacy policies worldwide.

Stay tuned; this will not end any time soon.

Source: C-Net.

NOTE:  This is likely a hot button topic for folks.  Please post your comments to this.  I promise to approve any comment that is moderately sane and rated PG or less.