Everyone is buzzing this week about cameras and fridges sending spam. If you’re just hearing this now, you can catch up on the sensational version or find more technical details here. Should you freak out? No. However, it is concerning. It shows that manufacturers and users haven’t learned very much. The most likely cause of this problem is simply open email relays on these devices. Even if it turns out to be more complex than that, it will simply be variations on existing exploits. There is nothing particularly new or frightening here. The real issue here is that coders and users are still making basic assumptions that are wrong:
- devices in a private network are safe,
- no one is interested in hacking me.
Think you’re not interesting? You may be right, but it doesn’t matter.
Think your firewall/router keeps you safe? Wrong again. The bad guys are almost certainly already inside. You need to minimize the damage.
A very large percentage of office equipment (and household gear too) is ‘smart’ these days. What that means exactly depends on the creators, but one thing you can be sure of is that it has an operating system. The next thing you can be sure of is that, if that device is connected to a network of any kind, it is at risk. Default passwords are the norm for these devices. There isn’t usually an installation routine to force you to choose a new password. Don’t count on being invisible. If your device is on a network, it can be found. You need to find out how to change the password and you need to choose a good one.
Choosing a good password isn’t as hard as many of you think, but you do need to give it some thought. Things known to be bad:
- very short passwords (anything under 8 characters, although even 8 is seeming pretty short in the face of current computing power)
- repetitive number sequences (22222222, 12121212, 777777777, 12345678, etc.)
- real words (including slang, profanity, names and other languages)
- ‘leet’ respellings of real words (f00df1ght, sn00py)
- anything on this list
So what’s left? Well the most common recommendation is to use random sequences of numbers, letters and punctuation. That can be hard to remember, so here are some strategies to deal with that:
- Use an encrypted password keeper. There are some, like KeePassX, that will work on multiple devices, including your phone. The password on your keeper had better be a good one you can remember. And back it up!
- choose a password that makes a sentence that you can remember when you put it all together. Just avoid using common texts or song lyrics for this treatment:
- ‘Mashlip422Y#’ (My aunt sally has lived in Philadelphia for 22 Years #)
- ‘tsfratr&btpa2.hdli.’ (the squirrely ferret ran across the road & bit the postman’s ankle twice. he didn’t like it.)
- If you didn’t like the sentence approach, you can try inventing word-like structures that aren’t real words:
- Real words. Yes, I did tell you not to use real words, but if you use enough of them to make a very long password, it’s ok. There’s a great cartoon over at xkcd on this matter. Make sure you stretch your vocabulary for this and use longish words and not just nouns.
- salamander ecru scintillating megaphone
- zooming xenophilic astrolabe eggplant
- unicorn sniptuary westwind conditioner (throw in a made up word for extra paranoid fun)
Let’s leave the passwords there for a moment. I’ll deal with it in more depth another time.
The assumption that a private network is a safe place? This is where manufacturers have to share more blame. Unfortunately, all too many still think this is true. It is safest to assume that all networks have been compromised. The question there becomes how can we keep ourselves as safe as possible under the circumstances and limit the damage.
Find out what ports might be open on your public addresses. Most devices these days have automatic support to allow new devices to request open ports. Unless you’ve disabled this functionality, there could be some nasty surprises. Use an online port scanner like this one using Nmap to discover what doors you might have left open. If you don’t know why they’re open or how they’re secured, log in to your router and close them. If you don’t know how, get some help. While you’re getting help, consider closing outbound ports as well. It will help keep you off blacklists. More on that another time.
Find out what ports are open in your private network. Just because it’s inside your firewall/router doesn’t mean you’re safe. Unfortunately, you can’t use web-based applications like the above to do this work, so if you’re not comfortable with more low-level tools then you should get some help with this. The wonderful folks at Nmap have Windows versions of their Nmap tool and even a graphical front end called Zenmap.
Once you’ve started to identify ports, you need to learn what they’re for and whether you need them. If you don’t, then close ’em up. This isn’t just for your own protection, but to be a good online citizen. You don’t want to be the one hosting the crack house. I’ll do this analysis for a real network in an article sometime soon.
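The question the last three paragraphs boil down to is whether you can explain every open port. As an added example (not the author's code), this Python script reads the XML that Nmap writes when run with its `-oX` option, lists every port reported open, and compares that list with an inventory of the ports you have deliberately opened and secured; whatever is left is the list to investigate and, if you can't justify it, close. The XML, the addresses, the services and the inventory below are constructed samples, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (the shape `nmap -oX scan.xml <targets>` writes).
# The hosts, addresses and services are invented for this example.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed inventory: the open ports you can explain and have deliberately secured.
# Key is (address, protocol, port); value is the reason it is allowed to be open.
KNOWN_GOOD = {
    ("192.168.1.10", "tcp", 22): "admin ssh, key-only login, changed default password",
}


def open_ports(xml_text):
    """Return (address, protocol, port, service) for every port Nmap reported as open."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        address = host.find("address")
        if address is None:
            continue  # nothing we can act on without an address
        addr = address.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports need explaining
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            results.append((addr, port.get("protocol"), int(port.get("portid")), name))
    return results


def unexplained_ports(xml_text, inventory=KNOWN_GOOD):
    """Open ports with no inventory entry: the ones to investigate and, if unneeded, close."""
    return [entry for entry in open_ports(xml_text) if (entry[0], entry[1], entry[2]) not in inventory]


if __name__ == "__main__":
    for addr, proto, port, name in unexplained_ports(SAMPLE_NMAP_XML):
        print(f"{addr} {port}/{proto} ({name}): not in inventory; find out why it is open or close it")
```

Run the same script against a scan of your public address and a scan from inside the network; the inventory is the record that lets you re-run it after every firmware update or new gadget and see only what changed.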
Is there a magic button to press to fix your security problems? Sadly not, but step one is caring, and step two is using strong passwords. For everything else, there is help out there if you want it.
Keith Nunn has been a freelance Internet, systems and networking professional for finance, healthcare and for non-governmental organizations since 1993. His particular focus is in security and advanced IT planning. In his spare time he teaches whitewater canoeing, leads Scouts, builds furniture, sings and plays guitar.