Sunday, February 3, 2019

Nest & Your Peace of Mind

Nest has come under a lot of fire lately, especially after reports of their camera systems being "hacked".  That framing is misleading on a few levels.

Here are the original articles:

The Facts first:  Yes, someone took over the accounts belonging to these two families creating havoc and panic.  No one wants to hear a Nuclear Alert originating from their home without foreknowledge of a test in progress, much less general access to their private lives.  The mere thought of walking past my child's bedroom and hearing a male voice swearing at my child would push the needle to the edge of my fight/flight reaction and someone would end up finding a Father Bear in the room protecting his cubs.

We have become very complacent in our digital worlds.  That is the problem.  And most sites have left their security protocols lacking the enforcement of stronger authentication schemes that would protect end users and their privacy.  It isn't entirely the companies' fault, but they aren't exactly championing safe practices while you use their product.

Most companies want access to their site to strike a balance between security and simplicity.  These two things usually don't go well together.  Most consumers don't want to remember long, abstract passwords.  Who can blame them?  I have about 50-60 sites I normally visit that I have credentials on, whether accessing from my PC, my iPhone or iPad, or even other smart devices like my television.

So consumers become complacent and use very simple e-mail and password combinations.  That alone isn't the issue - the issue is reusing them over and over again on site after site.  Over a period of 3-4 years, there is a high chance your username (e-mail address) and password have been exposed in some site's breach and are floating around on the Dark Web somewhere.  This isn't an article on using LifeLock or similar services - that will come later.  

This is about bolstering the security of the systems you are already using. I am into the Google universe pretty heavily - also Apple's ecosystem due to my iPhone/iPad love (had the original iPhone - still have it in my drawer). 

Apple did a great service recently and PUSHED people to turn on two-factor authentication to protect their online identity.  Many of your online services recommend this and may prompt you at some point to enter your cell phone number or set up an authenticator app.  Why?

If my username and password are on the dark web, then some low-life out there can pay pennies on the dollar for thousands of username/password combinations and replay them against a site to see which ones still work.  This is usually called credential stuffing rather than a brute force attack: the attacker isn't guessing passwords, they are trying known pairs, typically one attempt per account across thousands of accounts.  Say they want access to NEST accounts... They take those 1,000 username/password combinations, run them through a tool that targets the Nest login process, and see which accounts log in successfully.  Those that succeed are flagged, and the low-life comes back at a later date to see what can be mined from those flagged accounts.  
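What that looks like from the defender's side, as an added example that is not from the original post and not tied to Nest's real login service: a small Python script that scans authentication log lines for the credential-stuffing signature (one attempt against many different accounts from a single source, with a high failure rate), tells it apart from ordinary brute force (one account hammered from a single source), and lists the accounts that succeeded from a stuffing source so they can be forced through a password reset. The log format, the RFC 5737 documentation addresses and the example.com account names are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log in a made-up "key=value" format. 203.0.113.5 is a
# stuffing source (many accounts, one try each), 192.0.2.9 is a brute-force source
# (one account, many tries), 198.51.100.7 is a user who mistyped their password once.
SAMPLE_LOG = """\
2019-02-03T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-02-03T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-02-03T10:00:02Z src=203.0.113.5 user=carol@example.com result=OK
2019-02-03T10:00:03Z src=203.0.113.5 user=dave@example.com result=FAIL
2019-02-03T10:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-02-03T10:00:04Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-02-03T10:05:00Z src=198.51.100.7 user=alice@example.com result=FAIL
2019-02-03T10:05:10Z src=198.51.100.7 user=alice@example.com result=OK
2019-02-03T10:07:00Z src=192.0.2.9 user=gina@example.com result=FAIL
2019-02-03T10:07:01Z src=192.0.2.9 user=gina@example.com result=FAIL
2019-02-03T10:07:02Z src=192.0.2.9 user=gina@example.com result=FAIL
2019-02-03T10:07:03Z src=192.0.2.9 user=gina@example.com result=FAIL
2019-02-03T10:07:04Z src=192.0.2.9 user=gina@example.com result=FAIL
2019-02-03T10:07:05Z src=192.0.2.9 user=gina@example.com result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried from this source
    successes: set = field(default_factory=set)   # accounts that actually logged in


def parse_log(text):
    """Aggregate per-source attempt, failure and distinct-user counts."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                               # not an auth event, skip it
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "OK":
            s.successes.add(m["user"])
        else:
            s.failures += 1
    return stats


def classify_sources(text, min_attempts=5, min_fail_ratio=0.6, min_users_for_stuffing=5):
    """Return {src: (label, sorted accounts that succeeded)} where label is
    'stuffing' (many distinct users), 'brute-force' (few users hammered) or 'normal'."""
    result = {}
    for src, s in parse_log(text).items():
        fail_ratio = s.failures / s.attempts
        if s.attempts >= min_attempts and fail_ratio >= min_fail_ratio:
            label = "stuffing" if len(s.users) >= min_users_for_stuffing else "brute-force"
        else:
            label = "normal"
        result[src] = (label, sorted(s.successes))
    return result


def accounts_to_reset(text, **thresholds):
    """Accounts that logged in from a stuffing source: exactly the 'flagged accounts' the
    attacker will come back for, so force a password reset and 2FA enrollment on them."""
    hits = set()
    for label, succeeded in classify_sources(text, **thresholds).values():
        if label == "stuffing":
            hits.update(succeeded)
    return sorted(hits)


if __name__ == "__main__":
    for src, (label, succeeded) in classify_sources(SAMPLE_LOG).items():
        print(f"{src:14} {label:12} successes={succeeded}")
    print("force reset on:", accounts_to_reset(SAMPLE_LOG))
```

The thresholds are deliberately simple; a real deployment would bucket by time window and also key on user agent and ASN, because stuffing tools rotate through proxy pools so that no single address shows this many attempts.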

Now, to stay with our original target - NEST - there isn't a tremendous amount an attacker can do there, except gain access to your security footage and home automation (thermostat, security system) and cause sheer panic with pranks like the ones in those reports. 

I use NEST products - love them - easy to set up and easier to operate.  Want to protect yourself? Nest offers but doesn't PUSH their MFA or 2FA - what does that mean?
  • MFA - Multi-Factor Authentication
  • 2FA - Two-Factor Authentication
In a nutshell, 2FA is the two-factor case of MFA, and in practice people use the terms interchangeably.  Either way it means that your provider requires not only a username/password combination but a 2nd check to ensure it really is you.  The most common?  TEXTING a random six-digit code to your cellular device.  That is the weakest form of 2FA, because a phone number can be hijacked by a SIM swap or a carrier port-out, but it is still far better than a password alone.  

Want to set this up in NEST?  This is super simple:

  1. Open up NEST on your smartphone
  2. Click the GEAR in the upper right corner of the application
  3. Choose ACCOUNT in the top of the list
  4. Click MANAGE ACCOUNT in the top of the next list
  5. Choose ACCOUNT SECURITY option
  6. Click 2-STEP VERIFICATION (might be OFF - switch to ON)
  7. It will want your cell phone and it will ask to test with your device
  8. When it is successful, it will register and that 2nd layer of protection will now be enabled on your account - next time you access your account from your cell phone or computer, it will prompt for that 2nd check on your identity.  

That is the EASIEST thing you can do - turn on your 2FA for whatever online account you want to protect.  Got a bank account you access? Better turn it on there.  What about your 401K?  Health Insurance/Medical Records like Kaiser or Blue Cross?  That is a good candidate.  

Do I worry about this for an online retailer like KOHLS, MACYS, etc.?  Not as much.  Most times those sites might have my credit card saved, but they still require the security code (CVV) on the back of the card to process an order.  Not every retailer re-prompts for it on a stored card, though, so any account with a saved card is still worth protecting when 2FA is offered.

Here are the sites you should protect, probably in order of precedence:
  • Banking
  • Legal (Social Security, H&R Block, etc.)
  • 401K or investments
  • Online accounts for e-mail (GMAIL, O365, Yahoo)
  • Security systems & web cameras (Nest, Ring, etc.)
  • Online shopping - Amazon, Target, etc.
One argument for moving e-mail to the top of that list: password resets for nearly every other account land in your inbox, so whoever controls your e-mail can take over the rest.
You can also employ an AUTHENTICATOR application like Google Authenticator or Microsoft Authenticator.  These don't receive codes from anywhere; they compute a new six-digit code every 30 seconds from a secret shared with the site when you enroll (scanning the QR code) and the current time, so the phone doesn't even need a network connection.  The problem with this method is that the secret lives only in the APP on your smart device - if your phone is stolen or lost, you lose the ability to generate codes unless you saved the backup/recovery codes the site gave you at enrollment or the app backs up its secrets.  It isn't a bad idea; with texting, the second factor is tied to a phone number rather than a device - could be on an Android, iPhone, etc. - I lose the phone, I just get a new phone from my provider, put my number on it, and it starts working again.  Keep in mind that the same portability is what a SIM-swap attacker exploits: convince the carrier to move your number and they receive your codes.

Hope this helps.  This only scratches the surface of protecting your online accounts and private lives.  Security is bigger than ever in 2019 and will only keep getting more and more critical to our digital well being!  

Tuesday, January 29, 2019

Responsible Corporations - My Privacy Does Matter

DATELINE - 1/29/2019

It is the morning after the big GROUP FACETIME bug and controversy blew up on the Internet. Here is the short timeline of events. Around 4 PM PST on 1/28, my favorite Apple news site (MACRUMORS) started posting news pieces about a serious Group FaceTime flaw found in the latest iOS update.

In a nutshell: start a FaceTime call to someone, and while it is ringing add yourself to the call as a third party.  That opens an audio connection to the remote device whether or not the remote party has accepted the call.  Steps to reproduce (now blocked by Apple):

  • Start a standard FACETIME call with a friend
  • While that call is ringing, add another person
  • Choose yourself from the contacts
  • The audio bridge starts when that 3rd person is added
Mainstream media picked up on it and started reporting on it.  By 11 PM, my local TV news was broadcasting it.  That same night, Apple disabled Group FaceTime on their servers - thereby blocking this bug from running chaotically around the world.  

I went to bed secure in the fact that Apple really does care about me, the end-user, and my privacy.  That my hard earned money is well spent in this company.  They shout this from the roof tops in everything they do.  I just upgraded a Mac and one of the first things in Mojave is a notice about our privacy and that Apple cares.  It is plastered all over their website and marketing material: 

Why shouldn't I believe that they care? Right?

I then wake up this morning and find that my same trustworthy news site for everything Apple has posted a bunch of items from a user (unverified, but the posts pre-date the public disclosure by 7 days - can't fake those) found here:

Apple (at some level) has known of this issue since 1/21/2019.  It only came to light and things changed after main-stream media picked up on it.  That is a cause for concern - greatly. 

This changes my views on Apple (once again) from champion of my privacy to a company protecting its self interests.  At some point in the past 7 days, that bug had to have been seen or known by someone at Apple, and at a minimum, either didn't reach up the chain of command to the right people, or at worst - was seen and quietly was trying to be dealt with on the backend with a patch before the rest of the community found out about it. 

Apple (and other companies) need to be champions for our privacy and rights.  They have made some incredible strides and wonderful technology, but at the end of the day, if they don't have my back, there is no reason to have theirs.  Put people above the dollar.  There seem to be way more missteps lately than valuable things from these mega companies.  Time to step into the light, let people know that you have flaws and their security is exposed, publicly declare the issue (after disabling the service), and assure us, your customers, that you care about our privacy and our security while we use your devices.

Stepping off my soap box now.