Which one of you brought down the Internet… again?

DISCLAIMER: I’m getting a little technical but this is not a comprehensive article on Internet security. It does provide some simple (relatively) ideas to help you secure your home network. 


Yep.. the Internet got nailed last Friday and it was mostly due to home connected devices… IOT – The Internet of Things. Get to know that buzzword, it’s worth $175/hr. if you’re a tech security consultant.

[share this article]

The hack – like most hacks – is primarily due to weak default passwords that never get changed upon installation.

Read a little bit about it here:
http://www.nbcnews.com/tech/security/internet-outage-shows-how-sophisticated-attacks-can-target-your-home-n671561

What should be done?

There is both an industry fix and a user (person at home .. um.. that’s you) fix.

The Tech Industry

For years I’ve been suggesting that devices should NOT work by default. When you un-box that router or thermostat or home camera, the first step to make it operational should be a setup that walks you through setting a strong access password. When/if you need to reset the device, it forces you to go through the same setup.

Why?

Let’s assume there are 20, 30, or even 500 default username and password combinations. When a home user visits a compromised website (you porn watchers and your “tech genius” kids stealing music), it only takes seconds for a script to scan your network, find devices, and try passwords against them. Voila! They’re in and your device is now theirs.

If the industry did not allow a device to be operational until a password is set, the hacker’s job becomes more challenging. Simple, eh?

Well.. no – because it puts a MUCH greater customer service burden on the manufacturer. People don’t like having to set passwords.. It is complicated to them and they will call customer service for help. That cost time and money.

Secure sounds good on paper… but it is a pain to enact. Virtually every time we set a password policy for a company, it is most often broken by an executive who wants his policy changed. He has too much on his plate to remember to change his password every 45 days.

Yep.. I’m talking to you Mr. CFO. And again, your child is NOT a tech genius – or he is – but please stop allowing him to “optimize” your computer. Hackers love technical geniuses.

So the industry could do a LOT to fix this.. And eventually they will but for now, it is too costly. We want cheap, not secure devices. Okay.. everyone will say they want secure but it is sort of like salad at McDonald’s. They add it to the menu and it will pull a few people in, but when they get there, they still order a Big Mac.

So… What should you do?

A simple password policy/strategy

Have a key account and then separate passwords by social media (less important) and banking and personal (more important).

Key account:

For me, it’s a Google account I have. I have a idiotic passphrase for that account. No other accounts share this passphrase. And I change it every 30 to 45 days. Here is an example of one of my former – never to be used again – passphrases. And yes.. I’ve modified it so you cannot use it to try to hack my account.

PUFFdaddythemagicDRAGON!bythesea

That’s 32 characters. Upper and lower-case but really only a single special character. Hacking a long passphrase is much harder than an 8 to 10 character phrase even with special characters.

I have had some very strange and possibly self-incriminating passphrases. 😉

This is my recovery account for almost all other accounts.

Watch John Oliver’s interview with Edward Snowden. While funny, there is actually some good advice here.

 

Social Media Passwords:

I don’t store much personal data on social media. So I change my passwords less frequently. My social media passwords are similar to each other – but completely different than my key account phrase above. They are typically 10-12 characters.

Banking/Financial Passwords:

I use somewhat similar passphrases between my banking accounts. I change them every 30-45 days. Passphrases.. catch that. Not passwords.

Home Devices Passwords:

Couple things here.. I change the root/default login on every device I plug into my network. I probably do not change those passwords often enough. I don’t let my kids know what they are – damned computer geniuses.


Generally speaking, a simple -but diligent approach to your passwords would help you A LOT to avoid being part of the problem – and protecting your information.

Or go off the grid

The other option is to unplug – go off the grid.. Grow a big shaggy beard and talk about the silent black helicopters and aliens… But then you’d have to stand on your front porch and shout your angry political rants to the neighbors – or go visit them to show them what you are eating.

And no one wants to be that guy/girl.

[share this article]

4 thoughts on “Which one of you brought down the Internet… again?

  1. Reply
    Nichelle Manuel - October 24, 2016

    Matthew, you hit the nail on the head. I wish, “the weakest link” (humans), were more proactive instead of reactive. I informed people what to do on their end via my social media pages once I heard the news Friday morning. I am sure a few will follow through and others will not do anything until it hits them directly.

    Three months ago I changed my cable provider and asked for the ip address, username and password for the router. The guy who came out to install, told me there was no another one. Which, I knew was not true. All he knew was the SSID and password. I looked up the device to get the ip address, default username and password while he was there. I showed him the information. He honestly did not know. I changed the default username and password. According to my dissertation research 87% of the population do not know this information. They are trusting the company that install their cable.

    1. Reply
      Matthew Moran - October 24, 2016

      Hey Nichelle,

      Thanks for taking the time to read and comment. Long time.. are you teaching?

      Most non-techs find the jargon too confusing and vendors, in a rush to hit the market, don’t want to build controls that take time and cost money. A few more events like this and that is likely to change.

      Thanks again.

  2. Reply
    Scott Finnell - October 25, 2016

    I have a question, when I tried to change the Comcast router from the default password it came with, my phone, and other devices were unable to connect to it. After I went in and restored the default password, I could connect my devices. Yes, I did go in and change the login password for every device.

    1. Reply
      Matthew Moran - October 27, 2016

      Hey Scott.. your router’s login and password should not impact the WiFi connectivity at all. I’m not sure why that would be the case.. but feel free to contact me offline if you want to explore and fix that issue.

Add your thoughts here! You know you want to...