Checklist 276: Bad Guys Imitating Good Guys and Revisiting Internet of Things Things
On this week’s Checklist:
Apple fooled by fake Emergency Data Requests
Krebs on Security reports that criminals are using forged Emergency Data Requests (EDRs) to trick tech companies into handing over user data.
What is an EDR, you ask? As Krebs explains:
…in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
According to a Bloomberg report, insiders say that Apple and Facebook both fell for these scams, providing “basic subscriber details, such as a customer’s address, phone number and IP address…”
Of course, you can’t just send an EDR to a tech company from your Gmail account and expect them to answer it! The reason that these fake EDRs are working is that the bad guys have hacked police and government agencies, and are using the compromised websites to send emails from official accounts. That makes it very hard for the folks in Silicon Valley to know if a request is legitimate or not.
The fallout from phony EDRs
So what are the hackers doing with all of this information?
People familiar with the investigation into the incidents say that criminals are using it for harassment campaigns — and we have to warn you, it’s some truly awful stuff. In a separate piece, Bloomberg says:
The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse…
What can be done about fake EDRs?
The issue of fraudulent EDRs doesn’t have an easy solution.
There are tons of police departments and government agencies around the world, and they have varying degrees of security protection for their IT infrastructure. Long story short: some of them are going to get hacked, and that’s not going to change any time soon.
Alex Stamos, former Chief Security Officer at Facebook, suggests that police departments take steps to prevent account compromises from happening in the first place, such as implementing two-factor authentication for their employees.
But what about tech companies? How can they know if an EDR is coming from a hacked account or not?
Stamos says that companies might want to require confirmation callbacks so that they can verify that the person requesting an EDR is really who they say they are.
Another idea, floated by former FBI agent Matt Donahue in a Krebs on Security interview, is to create a system that assigns a trustworthiness rating to EDR requesters. It would work a bit like a “credit rating” for the police departments and governments making EDRs. Anyone using the system would also be able to see information about the individual making the request that could help them determine whether or not it was genuine.
IoT attacks on the rise
The Internet of Things (IoT) is under attack, according to VentureBeat. The report says that there were 900 million attacks against IoT devices in 2021. The list of attacked devices includes routers, storage devices, access points, cameras, and smart home devices.
To anyone familiar with security in the IoT space — or the lack thereof — this will come as no surprise. Smart devices are notoriously vulnerable, and have been for years. And unfortunately, a lot of smart device manufacturers still treat cybersecurity as an afterthought, placing the burden of security on, well, you.
For this reason, it’s a good time to review the things you can do to keep your Internet of Things things a little bit more secure:
Ask if it needs to be smart
Some devices really do need to be connected to the Internet to work. But if your fancy new smart toaster will work just as well as a “dumb” toaster, then the safest thing to do is avoid connecting it to a network.
Stick to the experts
If you want to buy a smart thing for networked use, stick with reputable and well-established manufacturers — and ideally ones that have experience with technology and cybersecurity. That means no companies that just popped up last month, and none whose engineers have zero experience dealing with security issues. To put it bluntly: Apple and Toshiba are far safer bets than a coffee company that felt the world needed smart espresso machines.
Don’t buy from the bargain bin
A discontinued (or soon to be discontinued) product may be a good deal, but no one is going to be supporting it. That could leave you exposed if a vulnerability is discovered in the future, because there won’t be any team of security engineers rolling out a patch!
Read the reviews
Trouble in one technical area often signals a wider problem with software development and quality control. This can be a sign that the company’s security is not up to snuff. If users report buggy app interfaces or trouble running updates, those are definite red flags.
Change the password
Lots of IoT products come with a preset username and password — as in, the exact same one on every unit of that model shipped anywhere in the world. That’s great news for hackers: Since lots of people never change those defaults, hacking them is as easy as typing in “admin, admin”! Don’t be low-hanging fruit — change the default username and password on a new device as soon as you can.
Read the manual
There are manufacturers (the good ones, anyway) that will actually put a lot of time and effort into making sure that users can properly secure their devices. They publish guides and knowledge base articles on their websites. These often go into great detail about topics like software and firmware updates, changing default passwords, and customizing security settings. If you have a new IoT device, make use of these resources: Take a few minutes to learn about your smart thing’s security features.