SecureMac, Inc.

Checklist 129: The Internet of Things and Other Things

March 14, 2019

On this week’s Checklist by SecureMac: Congress nibbles at the Internet of Things, Out of sight is not off the grid and A show worthy of a security conference.

Congress wakes up for a moment to realize something funny is going on with the Internet of Things, some useful clarifications about how apps work, and a security presentation that sounds an awful lot like an episode of The Checklist — these are the stories we’ll discuss in today’s episode, and there’s plenty of discussion to be had! We’ll weave through the ins and outs of the legislative process and think about whether “out of sight, out of mind” applies to apps — all that and more in this week’s Checklist, where we’re ticking off these items today:

  • Congress Nibbles at the Internet of Things
  • Out of Sight is Not Off the Grid
  • What’s the Difference Between an RSA Presentation and The Checklist?

We’re kicking things off this week with a trip to Washington, D.C., where some legislators are trying — emphasis on that word — to come up with a way to better regulate the Internet of Things. How’s that going?

Congress Nibbles at the Internet of Things

According to a report by CNET, a bill intended to “improve” IoT security was introduced in Congress this past week. Dubbed the Internet of Things Cybersecurity Improvement Act, it isn’t actually about forcing device manufacturers to do anything; rather, the proposed legislation would stop the federal government from buying hackable devices. It comes on the heels of Senate hearings last year in which the director of the Defense Intelligence Agency declared flawed IoT devices the most severe threat to US cybersecurity.

So, what does the bill do? Congress’s idea is to use the power of the purse to make the industry change course. By requiring anything purchased for government use to meet some security requirements (CNET calls them the “bare minimum”), the hope is that businesses which want lucrative government contracts will make the effort. That, in turn, should trickle down to consumers and ideally pressure other businesses to follow.

If all this sounds familiar, it’s because we discussed a similar situation out in California a few episodes back; however, that law is very different from what Congress has proposed. California’s law spells out specific measures, such as requiring every device to ship with a unique password or to make the user set a new one before it can be used, and that will hopefully ripple nationwide: no business wants to fund product development twice just to produce one version for California and one for the rest of the country. The California law did have some detractors, including those who called it too vague and too slow (it takes effect in January 2020), but it was overall a good step forward.

Congress’s idea? Not so much. In principle, we should be all for this. In practice, its execution currently leaves something to be desired. Legislation is undoubtedly the best tool we have to address poor security across the industry, but a milquetoast approach such as this is hardly the way to advance the common good. Not only that, but the bill directs the National Institute of Standards and Technology (NIST) to develop the security benchmarks government-procured IoT devices should follow, and to revisit them only every five years. Think about the pace at which technology moves, and think about the devices you had five years ago versus today. Isn’t that an incredibly slow approach? A lot can happen in the world of computer security in five months, to say nothing of five years.

The government’s buying needs are far different from consumers’, too, and consumers need protection just as much as national secrets do. We can’t imagine the DoD is buying many Internet-connected picture frames with poor security, but the average shopper? Sure.

While Congress tries to hash all this out, there are a couple of things you can consider as well when you might want to buy an Internet of Things thing. What are they?

  • Ask yourself if you really need the thing you’re about to buy to be connected to the Internet. Seriously think about it; if you don’t need apps on your TV, you don’t need to connect it, and likewise with all kinds of other devices that have connectivity for no good reason. If you won’t use it, at least look for a way to turn it off completely. If it must be online and your router offers a guest network, putting the device there keeps it away from your computers.
  • If it comes with a default password, change it — and use a secure password, too. Remember the Nest story from a few weeks back? That’s a good example of an extreme scenario that can occur when you rely on default passwords.
  • Use a separate email address for registering your IoT devices, preferably one you use only for those devices, and don’t reuse a password from anywhere else here, either.
  • If you notice some weird behavior you don’t understand, disconnect all your devices. Reconnect them one by one until you see the weirdness again. The last one you connected is probably the one to blame, and the manufacturer’s firmware update page is the next stop.

We did a whole episode on this topic in the past, too. You can check that out in the archives with Episode 42: The Internet of Things: New Devices, New Concerns.

Will this law make its way through Congress, will it die in committee, or will we see some awful amendments tacked on at a later stage? No one knows for sure right now, but you can bet we’ll watch this one closely.

Out of Sight is Not Off the Grid

Out of sight may mean out of mind, but it’s not “off the grid.” Let’s start this part of our discussion with an anecdote from our host, Ken Ray:

Years ago, my father joined Facebook. Then, just a few days later, he told me he quit. I never could get a clear idea of what he thought he’d done to quit, but a month later he told me he saw where I’d said something on Facebook. I think it was about a new episode of a show or something. I’ve heard from others as well who decided an app wasn’t for them, so they deleted it… not realizing that just because they weren’t using it anymore, it didn’t mean the apps or services weren’t still interacting with them. 

It’s not always easy to know when you’ve left an app or a service behind, and it’s important to remember that just because it’s not on your device anymore, it doesn’t mean you’re necessarily free — yet. The good news is that we have a whole list of things you can do to make sure that you’ve really and truly “quit” an app for good. 

First, go to the webpage for the service and look for a way to sign in and delete your account. Some sites make this easy to find; others don’t offer it as an option at all. If you can’t find a place to do so, email the operators of the service directly and ask for them to delete your account and all its associated data. Some will be happy to help you. 

Next, delete any cookies it may have left on your computer. In Safari, press Command+comma to open Preferences, click the Privacy tab, then click “Manage Website Data.” You’ll see a list of sites that have stored data; type part of the domain into the search box to filter it, select the matching entries and click “Remove” (or “Remove All” to clear everything). If you use Chrome, use the “Clear Browsing Data” function to simply delete all cookies. Keep in mind that this only removes the tracking tokens stored on your own machine; it does nothing to the account that still exists on the service’s servers, which is why the first step matters.

Finally, on iOS go to the Settings app and choose “Privacy.” You’ll see a list of categories (Contacts, Photos, Camera, Location Services and so on); tap one and you’ll see which apps have requested that kind of access. Review them and revoke permission for any app you don’t want to keep that access.

Let’s circle back to our original point, though, which is that merely deleting an app from your phone does not always stop it from having an impact on your life. A story that came to our attention through Twitter demonstrates this well: an elderly grandmother was being charged $14 a week for a coloring-book app she’d downloaded for a grandchild, and the charges continued after she’d deleted the app; she had apparently been unaware of the subscription in the first place. So, we think it’s important to note:

Deleting an app does not cancel an associated service!

There are many reasons this does not occur, but it does seem like something Apple could improve upon with some effort. Adding a prompt asking if you’d like to cancel your subscription during the app deletion process, for example, could be a useful way to get around this problem. In the meantime, familiarize yourself with the steps necessary to cancel your subscription services on an iPhone when finished with them. We covered this on a previous episode, too, but here’s a quick refresher on what to do next:

  1. Open the iTunes Store on your computer, or the iTunes Store app on your iOS device.
  2. On an iOS device, scroll to the bottom of the store page, tap your Apple ID, then tap “View Apple ID.”
  3. On a computer, click “Account” on the right-hand side of iTunes and sign in if asked.
  4. Once you’re in, look for the word “Subscriptions.”
  5. Tap that, and there you can see every subscription tied to your Apple ID, active or expired, and cancel the ones you no longer want. (On iOS the same list is also reachable from the Settings app: tap your name at the top, then “iTunes & App Store,” then your Apple ID, then “View Apple ID.”) Cancelling stops future renewals but does not refund charges already made; for those, use Apple’s “Report a Problem” page at reportaproblem.apple.com.

What’s the Difference Between an RSA Presentation and The Checklist?

If you were at last week’s RSA Conference, you got to enjoy a presentation of The Checklist — well, not really, but it sure sounded similar!

A cybersecurity company known as CrowdStrike gave a presentation at this year’s RSA Conference busting the myth that Macs are harder to hack and more difficult to exploit. Their talk went into detail about many of the techniques they’ve seen used firsthand on Apple computers. Before we go any further, though, what’s this all about?

The RSA Conference is one of the most prestigious computer security conference series in the world, with tens of thousands in attendance. This year, one of the talks on the program spotlighted the lack of awareness surrounding the potential vulnerabilities of the Mac platform. CNET then chose to write up a piece about the discussion, and it all sounds a lot like what we’ve been saying on our show for the past three years! That’s not to brag, though; we’re just happy to see that greater awareness is finally coming to these issues. With that in mind, let’s look at some of the points CrowdStrike made and discuss how we can protect ourselves.

The first point CrowdStrike made was that Macs are still vulnerable to users who unknowingly download malware. This malware can go deep into the system and can do things such as stealing passwords out of the Keychain or leaving a backdoor so the bad guys can come back into the system any time they like. Needless to say, if malware gets a foothold on your machine like this, it’s an open treasure chest for the hackers. CrowdStrike’s speakers encouraged listeners to leave macOS’s built-in Gatekeeper enabled.

A quick reminder: Gatekeeper is Apple’s way of keeping you from running malware you’ve downloaded. It checks where an app came from and who signed it before letting it open for the first time. There are two options to know about (really three, but only two that matter); head to System Preferences and select Security & Privacy.

Under “General,” you’ll see the phrase “Allow apps downloaded from…” followed by two options: App Store, and App Store and identified developers. The former is clear enough: nothing but software straight out of the Mac App Store will open. It is the most restrictive choice and the safest one. The second, which is the default on a new Mac, also allows third-party software signed with a Developer ID certificate that Apple issued. That is not foolproof: a stolen or abused certificate gets signed malware past the check until Apple revokes it. The third “anywhere” option has been hidden since macOS Sierra and only reappears if Gatekeeper is switched off from the command line; it isn’t recommended. One more caveat: control-clicking an app and choosing Open overrides Gatekeeper for that app, so the “are you sure?” prompt that follows is exactly the kind of dialog box you need to read before clicking.

Next up, CrowdStrike told listeners to disable macros in Microsoft’s productivity software and to turn off an auto-open feature in Safari that can launch malware without the user meaning to. Don’t know what macros are, though? Macros are miniature programs or scripts, written in Visual Basic for Applications, that users can create in Microsoft Office to automate repetitive tasks into a few keystrokes. They can be very powerful, and that is exactly why attackers like them: a document that asks you to “enable content” before it will display is a favorite way to get a first foothold on both Macs and PCs. Turn them off so that can’t happen. In Office for Mac, each application’s Preferences has a Security section where you can choose to disable all macros without notification.

Safari has a preference to open “safe” files after downloading, such as a text file, an image, or a disk image, but “safe” is only Safari’s guess, and a disk image that mounts itself is one step closer to a double-click on whatever is inside. Head to Safari’s Preferences, choose General, and untick “Open ‘safe’ files after downloading.” Then scan your downloads quickly before you open anything.
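If you would rather verify the Gatekeeper and Safari settings above from the Terminal than click through preferences, here is an added example (not code from SecureMac or CrowdStrike) that audits them with Apple’s `spctl` and `defaults` tools and prints what to fix. The output formats it parses are what those tools print on Mojave and are an assumption on other versions; the commands only exist on macOS, but the parse functions are plain Python you can exercise anywhere.

```python
"""Audit Gatekeeper and Safari's "Open 'safe' files after downloading"
setting from the command line.

Added example, not code from SecureMac or CrowdStrike.  The command
output formats below are assumed from what spctl and defaults print on
macOS Mojave; the commands themselves exist only on macOS."""
import subprocess
import sys


def parse_spctl_status(output):
    """True if Gatekeeper assessments are on.  `spctl --status` prints
    'assessments enabled' or 'assessments disabled'."""
    text = output.strip().lower()
    if "assessments enabled" in text:
        return True
    if "assessments disabled" in text:
        return False
    raise ValueError("unrecognised spctl --status output: %r" % output)


def parse_spctl_assess(output):
    """Parse `spctl --assess --type execute -v <app>` into (verdict, source).
    Assumed format, e.g.
        /Applications/Foo.app: accepted
        source=Developer ID
    or '/path/Bad.app: rejected' followed by 'source=no usable signature'."""
    verdict = source = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("source="):
            source = line.partition("=")[2]
        elif line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
    return verdict, source


def parse_auto_open(stdout, returncode):
    """True if Safari will auto-open 'safe' downloads.  `defaults read
    com.apple.Safari AutoOpenSafeDownloads` prints 1 or 0; if the key was
    never written the command exits non-zero and Safari falls back to its
    built-in default, which is ON."""
    if returncode != 0:
        return True
    return stdout.strip() in ("1", "true", "YES")


def _run(*argv):
    """Run a command and return (stdout+stderr, exit code).  spctl writes
    its assessment to stderr, so both streams are captured."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr, proc.returncode


def audit(app_paths=()):
    """Gather the settings on this Mac into a dict of findings."""
    if sys.platform != "darwin":
        raise RuntimeError("spctl and defaults only exist on macOS")
    out, _ = _run("spctl", "--status")
    findings = {"gatekeeper_enabled": parse_spctl_status(out)}
    out, rc = _run("defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads")
    findings["safari_auto_open_enabled"] = parse_auto_open(out, rc)
    for app in app_paths:  # optional: assess specific downloaded apps
        out, _ = _run("spctl", "--assess", "--type", "execute", "-v", app)
        findings[app] = parse_spctl_assess(out)
    return findings


def recommendations(findings):
    """Turn findings into the fixes the talk recommended."""
    advice = []
    if not findings.get("gatekeeper_enabled", True):
        advice.append("Gatekeeper is off: turn it back on with "
                      "'sudo spctl --master-enable' or in Security & Privacy.")
    if findings.get("safari_auto_open_enabled", True):
        advice.append("Safari auto-opens 'safe' downloads: untick it in Safari > "
                      "Preferences > General, or run 'defaults write "
                      "com.apple.Safari AutoOpenSafeDownloads -bool false'.")
    for key, value in findings.items():
        if isinstance(value, tuple) and value[0] == "rejected":
            advice.append("%s fails Gatekeeper (%s); do not override the prompt."
                          % (key, value[1]))
    return advice


if __name__ == "__main__":
    for line in recommendations(audit(sys.argv[1:])) or ["Nothing to fix."]:
        print(line)
```

Run it with optional app paths (`python3 audit.py ~/Downloads/Something.app`) and it tells you what to change. Two caveats: `spctl --status` only reports whether Gatekeeper is on, not which of the two options is selected, and on recent macOS versions Safari keeps its preferences inside its sandbox container, so `defaults read com.apple.Safari` from the Terminal may lag the live setting unless the Terminal has Full Disk Access; the Preferences window remains the authoritative view.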

Finally, CrowdStrike pointed out that users need to be more cautious about what they click. They found some malware that required users to click not one but two prompts to give it permission to run, and users still did. Read your dialog boxes and be careful.

Before clicking on links, hover over them and make sure the destination shown in the status bar points to the right domain, not just text that looks like it. If you get an email from your bank asking you to click a link to update your information, log in normally at the official site to see if that’s true. Don’t risk getting phished because you weren’t sure what to watch out for in your inbox; phishing scammers are very good at making fake emails look very authentic!
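The hover check can be automated for a whole message. Below is an added example (not from the page) that pulls every link out of an email’s HTML and flags the tricks the advice above guards against: visible text that names one domain while the href goes to another, a `user@host` prefix that hides the real host, a bare IP address, or a non-http scheme. The sample email is constructed and uses reserved names (`.example`, 203.0.113.5); the last-two-labels domain comparison is a deliberate simplification, since a real tool would use the Public Suffix List.

```python
"""Flag deceptive links in an email the way "hover over the link" does
by hand.  Added example, not from the page; SAMPLE_EMAIL is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that reads like a URL or bare domain, e.g. "help.mybank.com"
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#].*)?", re.I)

SAMPLE_EMAIL = """
<p>Dear customer, please visit <a href="https://www.mybank.com.account-verify.example/login">
https://www.mybank.com/login</a> to confirm your details.</p>
<p>Or use our <a href="http://mybank.com@203.0.113.5/">secure portal</a>.</p>
<p>Questions? See <a href="https://help.mybank.com/contact">help.mybank.com</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Lower-cased host of a URL or bare domain, with user-info and port
    stripped: 'http://mybank.com@203.0.113.5/' -> '203.0.113.5'."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        parts = urlsplit("http://" + url)
    return (parts.hostname or "").lower()


def registrable(host):
    """Crude 'organisational' domain: the last two labels.  A real tool
    would consult the Public Suffix List (think bank.co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(text, href):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        reasons.append("unexpected scheme %s:" % parts.scheme)
    if parts.username is not None:
        reasons.append("'%s@' before the real host is a classic disguise" % parts.username)
    host = host_of(href)
    if is_ip(host):
        reasons.append("link goes to a bare IP address %s" % host)
    if LOOKS_LIKE_URL.fullmatch(text):
        claimed = host_of(text)
        if registrable(claimed) != registrable(host):
            reasons.append("text says %s but link goes to %s" % (claimed, host))
    return reasons


def suspicious_links(html):
    """All (text, href, reasons) triples in html that deserve a second look."""
    flagged = []
    for text, href in extract_links(html):
        reasons = check_link(text, href)
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL):
        print("%-30s -> %s\n    %s" % (text, href, "; ".join(reasons)))
```

Against the sample, the first two links are flagged (lookalike domain; user-info plus bare IP) and the third, whose text and href both resolve to mybank.com, passes. The same comparison is what a mail gateway or browser extension does; doing it by eye on a hover is just the manual version.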

That’s every item on our list for this week, but before we wrap things up, we’d like to ask you, our readers, for a favor. If you like the show, tell a friend! Share an episode with a family member! In other words, let’s spread the security knowledge around a little more. Let your friends and family know where they can easily learn helpful security tips, tricks, and how-tos while staying up to date on what’s going on in the wide and wild world of modern technology. 

You know where a good place to start would be — right here in The Checklist Archives. In our archives, you’ll find easily accessible show notes for a quick catch-up, and complete show audio recordings for when you want to sit back, relax, and listen, and links to take you deeper into each of the stories we cover. It’s easy to use and always available on your favorite streaming service, too.
