Default Passwords: The Biggest Weakness in IoT Security

IOT, Password Security, Security, Security Threats, , ,
06
Feb 2018

Passwords have always been one of the simplest security methods, but the presence of default passwords in the IoT (Internet of Things) is very dangerous.

Many IoT devices come set up with a default password in place which is certainly a nice option, but when that default password is the same across the entire product range then it presents a major security flaw. Say, for example, you buy an IoT fish tank (yes, these actually exist) and it shares the same default password as all other IoT fish tanks in that product range, it’s not going to take much research to discover that password, is it? Sure, it’s just as easy to change the password, but how many people would think about adjusting security settings on a fish tank?

As more and more organizations are installing IoT devices, it’s a good idea to familiarize yourself with the dangers of default passwords and how to make your passwords more secure.

Default Passwords and their Dangers

It’s estimated that 15% of IoT device owners fail to change their default password, so it’s almost certain that all medium and large businesses have at least one employee with a susceptible IoT device. It’s partly laziness on the owners’ parts and it’s partly down to IoT technology being so new that people aren’t aware of the security risks. Nonetheless, it’s presenting a major security issue for organizations as hackers are taking full advantage of the situation.

Hackers are concentrating on the construction of malware which comes preloaded with huge lists of default passwords, so that breaking through defenses becomes that little bit easier and quicker. And this is exactly what happened when the Mirai botnet managed to infect nearly 185,000 IoT devices by exploiting default passwords. Default passwords are regularly being leaked and shared online, so the importance of changing these as soon as possible should be a paramount concern for organizations.

Protecting Against Default Passwords

If you want to improve the security on your IoT devices and protect the rest of your organization’s network, then you need to take note of the following tips:

  • Change the Password on a Protected Network: Before your IoT device is connected to the internet, make sure that it’s connected to an exclusive, protected network that cannot be accessed externally. This allows you to, first, test the device and, secondly, to change the password before it’s detected by IoT search engines such as Shodan. 
  • Run Regular Audits on All IoT Devices: Detecting and monitoring new devices on your network should become a priority. Any new and unknown devices to your network should instantly be blocked and an authentication process put in place. With this information you can then track down the device owner and ensure that any default passwords are changed before further access to the network is granted.
  • Don’t Use Admin as a Username: Admin is probably the most common username used in IT departments and hackers are well aware of this. Even if you’ve changed your default password to something highly cryptic, a simple username such as ‘admin’ instantly halves the amount of work a hacker has to do.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Creating a Culture of Security in the Internet of Things

Cyber Attack, Hacking, Internet of things, IOT, malware, Password Security, Security, Security Threats, , , , , ,
30
Jan 2018

Hackers aren’t the only threat to the security of your organization’s Internet of Things (IoT), your employees can be just as culpable for security risks.

Let’s face it, the IoT is a relatively new phenomenon and, even though most of your employees will have smart devices at home, the majority of your workforce won’t be aware of the many security dangers. It’s this lack of knowledge which can lead to major security flaws which leave your network open to hackers and their accompanying chaos.

However, humans have a huge capacity for learning and if you can ingrain the basics of IoT security in the business culture, you’ll find that your employees are soon on top of things. And this knowledge can provide an extra layer of defense, so let’s take a look at how you can provide this.

Ban All Guest Access

Many organizations provide guest access to, at the very least, their Wi-Fi network so that visitors can check emails, liaise with their own staff and, more likely, check Facebook! However, whilst this is a generous gesture, it opens your network up to a whole host of security risks. If there’s a freely available guest network then it’s likely that everyone in your organization will know the password and it can be passed on to any visitors.

Now, you’re never going to know every single visitor to your company and, crucially, you’re never going to know how secure these visitors’ devices are. Therefore, it’s a highly dangerous move to allow your employees to grant free access to any section of your network. The simplest way to combat this and prevent bad security practices is to ban all guest access to your organization’s Wi-Fi. It may seem drastic, but it will really hammer home the security risk to your employees.

Improve the Password Culture

Passwords are one of the oldest forms of computer security, but they’re also one of the most effective. IoT devices, though, have a reputation for coming pre-loaded with highly weak default passwords, so the effort required to hack them is relatively low. Changing not only default passwords, but also regularly changing existing passwords remains a highly important task to secure your smart devices.

Your employees are likely to be highly busy, though, so changing their password will tend to fall down their list of things to do. This is where you, as an employer, need to ensure that regular reminders are sent out to your employees to indicate when passwords require changing. Ideally this should be between 6 – 12 weeks of the last password change and the best way to enforce this is by restricting access to applications if the password is not changed.

Whilst employees will initially grumble about having to change their password and remember a new one, these complaints will soon subside and employees will become compliant with the process.

Regular Training

As mentioned in my opening, the IoT is a new phenomenon and the collective knowledge of your employees will be limited. And that’s why you need to make sure that your staff are given regular training sessions on the importance of IoT security.

Ideally, the IT induction that all new starters take should include a section on IoT security; after all, almost of all your employees will bring a personal smartphone into work and, of course, certain employees will be issued with company laptops and smartphones, so the need for good security practices from the off are vital.

It may seem time consuming to complete inductions and regular refreshing training, but the enhanced knowledge among your workforce will ensure that your networks remain safe from the most simple (yet damaging) IoT security mistakes.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

6 Tips to Keep the Internet of Things Secure

Internet of things, IOT, Password Security, Security, Security Threats, , ,
16
Jan 2018

The Internet of Things (IoT) relates to all those smart devices which can connect to your network and communicate with it, but how do you make the IoT safe?

We have smart devices not just at home, but also within our businesses and it’s no surprise to hear that it’s estimated up to 8.4 billion smart devices will be connected in 2017. Naturally, with such a huge number of devices accessing networks, it’s not surprise that they’re proving to be highly interesting to hackers.

As our business life is becoming more and more digital, the need for the IoT is increasing just as rapidly, that’s why I’m going to share 6 tips to keep the IoT secure.

1.  Understand What’s Connected

It’s important that you know which devices are regularly connected to your network. By understanding which devices offer a route into your network, you’re able to take preventative measures to help safeguard against any vulnerabilities. Make sure that a database is kept and regularly updated to include any new hardware so that you can fully understand the reach of your IoT.

2.  Keep IoT Devices on a Separate Network

If one of your IoT devices is compromised by a hacker then this represents a threat to everything on that network, so it’s important that you segment all your IoT devices onto a separate network. In the event of an IoT device being hacked you can then limit the data on offer to the hacker.

3.  Don’t Leave Devices Connected for Longer than Necessary

It’s impossible to hack a smart device which isn’t plugged in, so to completely minimize the risk it’s highly recommended that smart devices are disconnected from the network when they’re not being used. This is a good security practice that needs to be communicated to all employees as anything can be hacked be it a printer or a webcam.

4.  Always Install Firmware Updates

As with any other piece of hardware or software, firmware updates for smart devices need to be installed as soon as possible. Not many people are aware of the security risks associated with smart devices, so firmware updates are often ignored – this is why hackers are starting to target them more and more often. So, once you see that update request, make sure you click it.

5.  Limit Personal Device Usage

99.9% of the population appears to have a smartphone, so this means that almost all of your employees will be bringing a smart device to work every day. And, to ensure that they can keep up to date with Facebook, they’ll be piggybacking onto your company WiFi to create an internet connection. Therefore, it’s important that you limit personal device usage or, at least, create a sign in method which uses company email addresses. 

6.  Password Protect Everything

Finally, you must make sure that you password protect every single smart device within your business. As previously mentioned, it’s easy to assume that a printer is never going to get hacked, but it happens. By establishing a set of passwords (all different of course) for all your smart devices you’re putting that extra layer of defense in front of your business. And the more defenses you have, the less attractive your network becomes to hackers.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

60,000 BSNL Modems Affected by Malware

modem security, Password Security, Security, , ,
10
Oct 2017

Morden-Security

Your modem provides a gateway to the internet, but this entry point is highly vulnerable to hackers as 60,000 customers of BSNL have discovered.

Bharat Sanchar Nigam Limited (BSNL) is an ISP based in New Delhi, India with around 93 million customers, but even with these customer numbers they have been struggling in recent years due to the increased competition in the Asia telecommunications sector. And they now have an embarrassing malware incident on their hands, so these are certainly tough times for BSNL.

The attack which has affected BSNL is almost ridiculous in its simplicity, but it has the potential to cause huge damage for BSNL and its customers. It also carries an important lesson that every PC user can benefit from, so let’s take a look.

Hacking BSNL Modems

Using botnet attacks, the hackers were able to breach the National Internet Backbone (essentially a huge network making up the backbone of the internet in India) of BSNL and gain access to their internal modems and recently installed customer modems. From BSNL’s end, this meant that their broadband service was severely compromised with around 45% of internet connections suffering disruption. For customers using the recently installed modems, however, matters got much worse.

The malware affecting BSNL was able to change the passwords of BSNL broadband customers who had made the fatal mistake of not changing the modem’s default password of “admin”. As a result, around 60,000 customers have found themselves at risk of having their broadband connection compromised as their modem would not be able to log into the BSNL system. Affected users have reported a lack of internet access and the modems ‘red error’ LED switching on to indicate a fault.

Whilst BSNL were able to manually change the password details for their internal modems and stop any further changes to their customers’ details, they were unable to reset passwords for customers who had fallen victim to the malware. Instead, these users have to manually reset their modems and enter a new password, a task which isn’t particularly simple for your average PC user.

password-866979_960_720

The Importance of Password Changes

BSNL are rightly embarrassed about the breach that their systems have experienced and there’s still no mention of the attack on their official website. And the fact that this attack stemmed from a simple password flaw is astonishing, but not completely surprising. Many, many organizations still use the age old login name/password of Admin/Admin for gaining access to the administration side of computer systems; it’s easy to remember and provides quick access, but the problem is that every hacker knows this and will always try these login details early on in an attack.

It’s absolutely crucial that you protect your networks (and even your modems) by practicing good password security. It only takes a few moments to think of a new password and just as long to change your old one, so there really shouldn’t be any excuse. And that’s why you should always change default system passwords as soon as you’re given the chance. Otherwise, you’re at risk from being hacked and will only have yourself to blame.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

18 Million 8Tracks Users Have Had Their Details Stolen

Hacking, Password Security, Secure Database, Security, , ,
26
Sep 2017

password-security

Customer details such as passwords need to be stored in databases, but what happens when these get hacked? 8Tracks radio service recently found out.

Following a breach of the security around their user data, 8Tracks had the rather unenviable task of announcing a major password security alert. And, seeing as this had the potential to affect 18 million users who are signed up to the service, it demonstrated the fragility of cyber security when it’s not enforced to the letter – as Tumblr found out last year.

The reasons behind this breach are incredibly simple, but the impact of such a breach has the potential to cause major damage for millions of users. It’s a cautionary tale and one which can provide an important lesson to learn.

How were 8Tracks Users Hacked?

8Tracks suspect that their databases were breached following a cyber-attack on one of their employee’s Github accounts – an online storage facility for open source programming code. Github offers two-factor authentication, but, in this instance, the 8Tracks employee didn’t activate this which left them at a slight disadvantage to hackers. And, following an alert from Github that this account had been subject to an unauthorized password change, it became clear that access to 8Tracks networks had also been compromised.

It’s believed that access to prime databases and production servers were not at risk as they were protected by SSH keys which involve sophisticated cryptography and challenge-response authentication. However, the backdoor left open by the 8Tracks employee did expose back up databases which contained email addresses and passwords for 8Tracks users. The passwords, thankfully, were encrypted using salt and hash methods – these techniques make passwords very hard (but not impossible) to crack.

Although it would be highly difficult to hack these salted and hashed passwords through brute force techniques, the very small chance of success was a major headache for 8Tracks. As a result, they had to advise all their customers who had signed up with an email address – those signed up through Facebook and Google authentication were not affected – that they had to change their password immediately. 8Tracks themselves then had to secure their employee’s Github account, change passwords for their own backup systems and restrict access to their repositories.

hacking-2300793_960_720

 

What’s the Impact of the 8Tracks Hack?

It may seem as though the 8Tracks hack is all done and dusted now that users have been advised to change their passwords and the 8Tracks system secured accordingly, but there’s a further problem. For the 18 million users affected, it’s more than likely that a large number of them use the same email address and password to sign into countless services such as Facebook, online banking and even to access their organizations systems, so these are now at risk from unauthorized access.

And this is why it’s so important that password security is taken seriously. Many organizations are now turning to online password storage facilities such as LastPass which provide highly encrypted systems to store the many passwords that your employees may need on a day to day basis. Not only should you consider using systems such as this, but if you’re offered the chance of using two-factor authentication, it should be a no-brainer that you activate this immediately to create stronger defenses for your data.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 4 5 6