By Carl Weiss
The Cyber Sharks Are Here
Who can forget the opening music to the movie, “Jaws”? In its day, the novel and subsequent blockbuster motion picture were enough to keep people on the beaches and out of the surf. But as paranoid as many moms became about letting their kids frolic in the waves back in 1975, 40 years later we should all be hearing the ominous strains of “da-dum, da-dum, da-dum” every time we surf the web. That’s because while “Jaws” was a work of fiction, the arrival of schools of Cyber Sharks is all too real.
Everything from appliances, to medical devices, to automobiles are rapidly becoming web-enabled. While this provides the public with even more interactivity, it also provides hackers with more ways to get to consumers and businesses. Just as most people make the mistake of thinking their smartphone is a phone instead of a computer that you can talk on, most don’t realize that the average automobile built today has100 lines of code onboard. Many are now Wi-Fi enabled as well. You don’t have a car with computer onboard. You have a computer that can be driven. Soon, these computer cars will do most, if not all, of the driving. So if a hacker can take control of your car, what does that mean for the passengers and driver? (On a recent “60-Minutes” episode, hackers gained access to the car in which Leslie Stahl was driving, turning on the lights and windshield wipers. So this is not just a hypothetical possibility.)
Who’s Watching Who in Your Smart House?
|Photo Credit: consumerist.com|
A February 24, 2015 blog by CNN reported: “Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn't just processed by the television; it may be forwarded over the Internet for remote processing. It's literally Orwellian.”
|Photo Credit: itproportal.com|
How Do I Hack Thee? Let Me Count the Ways
So many smart devices … so little time. Nearly any device is susceptible to being hacked. Symantec reported on March 12: “All of the devices failed to check whether they were communicating with an authorized server, leaving them open to man-in-the-middle attacks. One out of five devices did not encrypt communications and many did not lock out attackers after a certain number of password attempts, further weakening their security. All of the potential weaknesses that could afflict Internet of things systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices.”
|Photo Credit: ilookbothways.com|
The number of ways that hackers can get into your devices is staggering. Below are some of the most popular tools of the hacker’s trade:
- Password cracking software, such as ophcrack and Proactive Password Auditor. These are still used, however, social media has made it easier because users give up so much of their personal data today.
- Wireless network analyzer software, such as Aircrack-ng and CommView for WiFi. Networks. These are often used in places like StarBucks and other free, Wi-Fi enabled stores and restaurants.
|Photo Credit: youtube.com|
- File search software, such as FileLocator Pro and Identity Finder The Hex Dump (a.k.a., Voodoo). When an electronic device is manufactured, it is programmed with firmware. Hacking firmware is simply a matter of buying a programmer that can receive the memory dump and transmit it to a computer where the code can be altered. Then the modified code is transmitted back to the device.
- Attacking Defaults. Virtually every piece of hardware on the market comes with a set of standard defaults, including username and password that provide access to the system. Since most people do not change these default settings, this is the easiest way to exploit a system. Examples are Web application vulnerability scanning software, such as Acunetix Web Vulnerability Scanner and WebInspect along with Network vulnerability scanning software, such as GFI LanGuard, QualysGuard and Exploit software, such as Metasploit.
- SQL Injection. While it sounds like a medical procedure, SQL Injection attacks are conducted by entering unexpected entries into a database and then probing the returned error messages to reveal information that can be used to hack the system. For instance, by entering met characters like #$%^ into a field that processes only alphanumeric information, the database could be tricked into revealing the contents of the database, or in some other way compromise a SQL server. Examples are database security scanning software, such as SQLPing3 and AppDetectivePro.
|Photo Credit: huffingtonpost.com|
The real danger is that the Cyber Sharks have the upper hand since detection, much less prosecution, is hit-and-miss at best. Meanwhile, hacking continues to proliferate nearly unchecked. CNN recently reported that in 2014, hackers exposed the personal information of 110 million Americans, roughly half of the nation’s adults.
|Photo Credit: northbaybusinessjournal.com|
- Get help! Use your vendors for support and to coordinate products. Not all products play well together!
- Use a multi-disciplined approach – Network security has many entry ways, including low tech, surveillance, email, text, and social monitoring.
- Use a multi-layered approach – You need protection from the Cloud to the firewall servers ― PCs and all smart devices.
- Use Traps like “Honey Pots” – Traps should be an integral part of your defense.
- You must setup employee policies to minimize your exposure. These policies need to cover proper usage of systems, especially password and social media usage policies.
- Employee education is a key factor. They need to know the cost both, to the company and themselves. They also need to know what behaviors are allowed and prohibited.
- Vigilance is extremely important from the CEO, to the network administrators, to the employees and down to the janitors.
- Regularly check the FBI’s REPORT web pages.
|Photo Credit: fbi.gov|
- Regularly check other governments’ site for cyber security threats.
- Regularly check the website of top companies that provide security solutions for cyber security threats. (i.e., Trend, Symantec, Malwarebytes, MacAfee, etc.) Get their newsletters.
- Subscribe to some security blogs to automatically receive current information. Again look at the top companies cited above.
- Take the time to read and learn all you can about security and intrusion detection.
- Scan the news daily for current information on cyber attacks.
- Find podcasts and webcasts that teach and inform on cyber security and intrusion detection.
Here is a checklist for individuals from a previous article, “The Hack Attack is Back (it also contains more detail so you should check it out):
- First, find out what your bank’s policies are with regard to your accounts being hacked. Check out about single use credit cards. These are good for making purchases online, especially during the holidays. Another way is to use PayPal or some similar payment system.
use a credit card as the final means of payment. This gives you two layers of
Photo Credit: myid.com
- If you using a debit card to make purchases, stop! Use a regular credit card for store and online purchases.
- If you don’t currently have an ID protection service, get one. Their annual cost is relatively low and many offer monthly plans. (See “The Hack Attack is Back” for list of providers.)
- If you don't have a paper shredder, buy one. They’re generally inexpensive and good ones can be found for under $100.
- Speaking of keeping your data secure: Make sure your smart devices (computers, tablets, smartphones, etc.) are password-protected with at least an eight-digit password made up of numbers, letters and some special symbols.
- Every smart device needs to have a couple of layers of anti-malware protection. I use Trend Micro, Malwarebytes, Spy Bot’s “Search and Destroy and Advance System Care on my computer.
- Make sure you keep your all your smart devices current with regards to security updates. If you’re running Microsoft Windows, this is almost a weekly process. If you love free apps for your tablet and/or smartphone, beware! Many of these apps can compromise the security of that device.
- Regularly check the FBI and other scam/fraud websites to learn about and lookup current or suspected threats and scams.
- Last but not least, refrain from visiting websites of a dubious nature. This includes porn sites, warez, free software apps, online first-run movies and music sites.
|Photo Credit: dragula.buzznet.com|
In this article, I discussed the huge increase in cyber attacks aimed not just at large US corporations, but also small businesses and individuals that have happened this year. The rise of ransomware has made it possible for cyber criminals to be profitable by going after individuals and small businesses. Follow the how to protect yourself list provided to minimize your risk and exposure. There is one specifically for businesses and one for individuals.
If you'd like to read more articles like this one, check out "Trick or Tweet? The Vulnerabilities Inherent to Twitter and All Social Networks" and "Working the Web - Is There a Cyber Attack in Your Future?" or enter the words “hacking” or “hack attack” in the Search box at the top of this blog. If you found this article useful, please feel free to share and repost it. I welcome your opinion and comments, just add them to the Comments section below.
If you'd like a free copy of our eBook, "Internet Marketing Tips for the 21st Century," please fill in the form below and we'll email it to you. Your information is always kept private and is never sold.
Carl Weiss is president of Working the Web to Win, an award-winning digital marketing agency based in Jacksonville, Florida. You can listen to Carl live every Tuesday at 4 p.m. Eastern on BlogTalkRadio.