Holiday Shopping – Security and Privacy

Black Friday is still nearly two weeks away, but I’ve been seeing ads for Black Friday sales for a week or two now. And many stores have already started Pre-Black Friday sales.

Cyber Monday has become just as huge a buying day as Black Friday.

Then there’s Christmas and holiday shopping. We can look forward to sales galore, crowded malls and shopping centers, and a great deal of online shopping in the next couple months.

As stores ramp up their marketing, people get in a buying frenzy and can’t wait to get the good deals.

So, what are you planning to buy? Whatever it is, you are probably looking for good prices. You may be considering which brand or model to buy.

There’s one thing that you may be overlooking. If so, you are like almost all other shoppers, at least in that respect. Almost nobody gives much thought to the security or privacy considerations for the products they buy.

 

For many products, that isn’t an issue. If I’m buying a book (one made of paper, not an electronic version), I don’t need to think much about security or privacy.

But there are an increasing number of products where it pays to think about the issue of security and privacy.

Why? What could go wrong?

If you’re buying a smart TV, it’s possible the TV you buy could be used as a platform to hack or to eavesdrop on you. (Yes, this has happened.)

Someone might be able to use that device that responds to your voice to eavesdrop on you.

Perhaps you want to pay more attention to your health and have found a device that allows you to measure your activity level and keep track of your distance. Maybe it’s time to buy that when it goes on sale. It could be a really good decision and help you feel better and live longer, by increasing your fitness. But it might also tell an attacker what your schedule is. They may be able to find out your routine, your location, and when your home is empty.

There are wristwatches that, among other things, store your account numbers so you can make a purchase without showing anyone your credit card. That could be useful. But, that same watch might also allow a thief to empty your electronic wallet.

Maybe you are just looking for a good price on a new refrigerator. You see the sales on smart refrigerators. You might as well take advantage of the new technology since you need a new fridge. Why would security matter for that?

Consider what could happen if someone hacked your refrigerator. They could alter the temperature at night and cause it to warm up, then cool back down by morning. A couple nights of that and your food may spoil. You could get sick. Not a likely scenario, but a mischievous teenage hacker might think that was fun. What if your new refrigerator keeps a record of the temperature? The hacker might be able to alter the record so you don’t even find out it isn’t working properly.

A more likely scenario is that someone hacking your refrigerator could look at the temperature fluctuations. When you open the door, the temperature will rise briefly. When the door is closed, it’ll cool back down. Usually, this will happen repeatedly during the day and evening when you are at home. What if the temperatures don’t show the expected fluctuations because you’ve gone on vacation? You’re not opening the door, so the temperature remains more constant. Someone looking at that record would be able to tell that nobody is at home, just by hacking into your refrigerator.

The same could apply to a home security application or device. It seems nice to be able to monitor what’s going on at home when you’re away. But, if you can monitor it, maybe someone else can too. If they repeatedly see no activity, it probably means nobody’s home.

And, if your security system lets you unlock the door for a delivery while you’re away, a hacker could also unlock your door just as easily.

I realize that some of these scenarios aren’t likely. But some are.

 

I don’t want you to be afraid of buying new technology that will improve your life. But I do want you to think about unintended consequences.

Mostly, I want you to begin considering what COULD go wrong.

A burglar might use your new device to decide when to rob you.

A predator might use your new device to locate you or your children.

An identity thief might be able to collect information that will help them steal your identity.

Another thief might be able to collect information from a device and gain access to your bank accounts.

A hacker could take control of your new car, turning it into a weapon, against you or against someone else.

And that’s just the beginning of what could go wrong.

I don’t think we should give up the technology we have. It can be a wonderful thing. I don’t want you to be afraid of buying new technology. I just want you to give a thought to security and privacy.

 

Here are some ideas on how to do that:

Consider the following when making a purchase:

Is it capable of collecting or storing information? If so:
    * What kind of information does it collect?
    * Is it possible that it could collect information other than what it is supposed to?
    * Are there any safety mechanisms to protect that information?
    * Is it possible someone could find a way to get around those safety mechanisms and access information they’re not supposed to?

Does it connect to the Internet? Does it have a wireless connection? If so:
    * If someone were to hack it, could they get any information you don’t want them to have?
    * If a hacker were to take control of the device, could they use it to do something you wouldn’t want them to do?

If someone were to hack the product, what is the worst-case scenario?
    * Will it provide information? If so, is that information something that someone could use against you or to figure out something about you that you don’t want them to know?
    * Could someone use it to harm you? (What could happen if they hacked your car while you were driving or hacked your pacemaker?)

 

In many cases you won’t know the answers to these questions. You could call the company and ask a salesperson. But, in my experience, the sales reps won’t know the answer either. And, if they don’t know the answer, a lot of them will make one up. If you do call them, don’t assume you are getting an accurate answer.

Instead, you can do some research online.

Research the product. Suppose the product is called “Wonder Widget.” You could do Google searches for things like:
    Wonder Widget problems
    Wonder Widget complaints
    Wonder Widget security
    Wonder Widget privacy
    Wonder Widget issues
    Wonder Widget compliance

You could also do searches on the company that makes the product to see if they have a history of making products that have problems with security or privacy.

 

Some other things you can do:

    * Use your imagination. See if you can come up with an idea of how the product could be used in a way that it wasn’t intended to be used.

If you do this regularly, you may begin to discover problems that you never realized existed before. Of course, just because you can think of a way that a product could be used in an undesired way doesn’t mean someone will actually use it that way. But, if you can think of it, so can someone else. If the issue is serious enough and there is some benefit to a malicious person in doing so, it is realistic to think that they might actually do it.

    * You can utilize your power as a consumer to make a difference.

When you buy, make your choice in light of security and privacy; for example, buy from a company that cares about the consumer’s security and privacy.

Let the manufacturers and retailers know that you care about security and privacy and that your buying decision takes that into account.

 

I’m not suggesting that you avoid buying products that might have some risk. A lot of the products being developed provide useful and desirable benefits. What I am suggesting is that you at least think about the potential problems that could result if security and privacy aren’t an important consideration when the product is designed.

For some products you want to buy, it is likely that you won’t be able to find any brand that has been designed with security and privacy in mind. I’m not suggesting that you refuse to buy it. But, at least you will know that there is some risk.

If you’re approaching a dangerous intersection, you don’t turn the car around and decide to go back home. You slow down, look in all directions, take extra care, and proceed through the intersection when it’s safe.

In the same way, if the product you are purchasing doesn’t pay enough attention to security or privacy, you may still choose to buy it. But, if you know that there are risks, you may be able to adjust how you use the product to lower that risk. In addition, you could also call the manufacturer. Tell them that, even though you bought their product, you want them to think more about security in the future.

If manufacturers think consumers will buy their products regardless of any security or privacy issues, a great many of them will not pay attention to those concerns when they create their products. However, if there is an economic incentive for them to build security and privacy protection into their products, they will pay more attention to it. If customers tell them that security and privacy matter to them, they will likely begin to pay attention to that.

You can also tell other people you know about any problems that poorly designed products have. If the word spreads, it could make a difference.

 

We know that driving a car is potentially hazardous, but we do it anyway. There are things we can do to increase the likelihood that we will get home safely.

If you are purchasing a product that might have some security or privacy risk, spend some time thinking about ways that you might be able to reduce the risk.

Here’s an example:

Let’s say the product connects to the Internet and allows you to ask it questions. Then it searches and tells you the answer. It is voice actuated, so all you have to do is talk to it and get your answer.

But what do you think is happening when you aren’t asking it questions? In order to respond when you do ask your question, it needs to be “monitoring” the conversation in the room. Although the manufacturer may tell you it doesn’t save or transmit everything it “hears,” what if a hacker was able to modify its behavior? The hacker may be able to make it transmit all your conversations.

Personally, I don’t want that in my house. But perhaps the convenience is something you do want. If you want one of those, how could you use it in a way that reduces the potential risk?

You could unplug it when you aren’t going to ask it a question. (It’s not as convenient to use it if you have to plug it in first. But it would be safer.)

You could keep it in a room that you are not in and go into the room where it is located when you want to ask a question. You could even have a radio playing in that room so it can’t pick up your voice from the other room (hopefully).

At the very least, you could make sure that you don’t have any sensitive conversations within range of that device. For example, if you are calling your bank and have to give out your social security number (last four digits) in order to talk with them, you may want to be sure that you are not within “earshot” of the device when you make that call.

Perhaps that is being too paranoid. Perhaps that device truly does not allow anyone to listen in and does not store or transmit any information except when you intend it to respond. Personally, I don’t want to take that chance. But maybe you are OK with that.

 

My point is that many of the things that are being created these days do have some security and/or privacy risks. It is up to you to decide what level of risk you are comfortable with. But, if you care about security and privacy at all, it is important to consider the possibility of risk. Then, if you determine there is risk, you have choices.

You can decide not to buy it.
You can decide that you are willing to accept the risk.
You can decide to use the product anyway but find some way to lower the risk to a level you are comfortable with.

Enjoy your holiday shopping (and your holidays). Be safe.

How to Keep Children Safe

Last week I raised the topic of talking to the children we care about to assure their safety.

This week I want to provide some guidance and resources to do that.

If you are a parent, talk with your kids. If you are a grandparent, talk with your grandchildren and also encourage your children to talk with their kids. If there are other kids you care about, see that someone talks with them, so they stay safe.

There are resources to help with this. But, first, let me suggest some ideas on what to talk about.


Eternal Vigilance? Come On! Get Real!

I’ve talked about the importance of awareness, caution, and paying attention. I’ve talked about the danger of opening attachments and clicking on links.

I’ve said that it takes just one mistake to compromise your computer or put you at risk. And I’ve suggested “eternal vigilance” as a way of guarding against that risk.

But how realistic is that, really?

Before You Hit Delete

(NOTE: Significant Computer Part Failure has delayed my ability to create the graphics I want to add to this post. Please check back. It may be a while.)

What do you do if you are running out of space on your computer? In my last post, I said I often find that people start deleting files and sometimes delete the wrong ones. Then, their computer no longer works properly.

I want to provide some guidance, before you hit “delete.”

The Security Solution – Part 4

Today, we conclude the discussion of a “four-step solution” to security problems. Once you have taken reasonable measures to keep bad things from happening and accepted that they will sometimes still occur, you can move on to the next step. You can take measures to limit the negative consequences if they do occur.

(A Critical Part of) The Solution – Part 3

Today I want to provide a very important part of the solution to security problems: Realize that bad things will still occur despite all efforts to prevent them.

That may sound strange. How can it be a solution to say that we can’t come up with a solution that will keep bad things from happening? I will get to that in a moment.

But first, I want to address the idea that we can stop bad things from happening.

We buy antivirus software in the hope that it will keep us free from viruses. It won’t. It will detect and stop a lot of viruses. But it won’t catch them all. Sorry about that.

The Security Solution – Part 1

Last week I suggested a “solution” to the problem of bad things happening in the cyber world. We want to keep bad things from happening when we go online or when we use our computers (or phones, tablets, etc.).

I have repeatedly said you can’t prevent bad things from happening. But that doesn’t mean we are defenseless. The “solution” that I talked about last week is a blueprint for what we CAN do. This isn’t a method we are taught when we learn security. So, you won’t find it in a textbook. But it is a way of looking at the problem that summarizes a lot of the learning and experience from a formal program and translates it into a way of applying it.