Chinese Clothes Irons, Coffee Pots and Online Thermostats… That can Hack You…

The BBC covered some interesting news coming out of Russia this week. Apparently Russian hackers put chips inside Chinese made irons and kettles that would hack local networks. This shouldn’t be too shocking as for years security researchers have been warning of the dangers of embedded devices.

Welcome to the new world of computer security!

When is the last time you updated the system patches on your Coffee Pot? Downloaded the latest Anti-Virus for your Thermostat? These may be questions that become common in the next decade. Especially as the push to put everything online climbs and the “Internet of Things” continues to grow.

According to the BBC report, Russian hackers put chips inside Chinese made clothes Irons and electric kettles that look for local Wi-Fi networks, and then hacks them. The devices then spreads malware to systems it finds:

“Its correspondent said the hidden devices were mostly being used to spread viruses, by connecting to any computer within a 200m (656ft) radius which were using unprotected Wi-Fi networks.”

Security experts have been talking about the subject for years now. And this exact scenario sounds eerily familiar to a couple recent security conference talks by Daniel Buentello about weaponizing innocuous every day items like Coffee Pots and Thermostats:

In the talks, Buentello mentions the possibility of compromising an online thermostat and using it to hack systems on local networks and infect them with malware. He also explained that the device could be programmed to monitor the compromised computers and re-infect a system in the case someone removed the virus.

And of course the compromised thermostat would be programmed to continue to also act like a normal thermostat to belie its true intention.

Attacks like this are made possible by the use of embedded servers that are being used in these online devices. These chips are basically fully functional (mostly) Linux based servers that are vulnerable to attack just like any other server on the web.

Except that companies normally don’t make Anti-Virus for thermostats…

Sadly now we will need to keep an eye out for firmware updates and security issues for any electronic devices in our homes or companies that connect out to the internet.

It was just a matter of time before hackers started taking advantage of these embedded chips and it seems that Russian hackers may be leading the charge.

And as a twist to what one Reddit commenter mentioned, In Soviet Russia you don’t hack the Coffee Pot, The Coffee Pot hacks you!

Obama’s Facebook and Twitter Compromised by Syrian Hackers

The Syrian Electronic Army (SEA), a Syrian based hacker group known for redirection and denial of service attacks on media and political targets, briefly altered links from Obama’s social media sites to point to videos created by the SEA.

The attack was made possible not by hacking the websites, but by compromising the link shortening service that the President’s campaign team used on several websites.

According to the SEA’s twitter feed, for a while Twitter eventually blocked the links all together and visitors saw this:

In a series of e-mails to news site Mashable, allegedly the SEA hackers claimed they compromised BarackObama.com by attacking one of the site’s administrators:

“In a follow-up email, the SEA provided screenshots that show how it altered the links in Obama’s social media posts. The group appears to have hacked the email address of Suzanne Snurpus, one of the administrators of BarackObama.com, and it gained access to a control panel for the site.”

For more information see the Mashable website.

Removing your Location and Personal Details from “Spooky-o” (Spokeo.com)

Spokeo.com is one of the coolest websites on the web when you are trying to find someone, but it can also be very creepy. In most cases Spokeo lists your name, relatives, location and even a picture of your house. Available to anyone on the web.

But how do you get out of their database?

If you live in the US and want to find information about someone, just go to Spokeo.com, put in their name and state and you can find a lot of information about them including the location where the person lives and past locations going back years!

This has led some people to nick-name the search site, “Spooky-o.com” as at times it indeed can be pretty spooky.

But how does it work?

So, if you search for Bill Gates in the US you find this:

There seems to be a lot of Bill Gates in the US.

But what about Bill H. Gates in Medina, Washington?

Well, that narrows down the search quite a bit. One of the returns shows this:

Without a Spokeo account, you can see parts of the address, phone and e-mail address. But with an account you can get a lot more information. This is something that a lot of people probably won’t want to be publicly accessible.

So, how can you get out of Spokeo’s database?

Thankfully, Spokeo provides an opt-out page which will remove your information from their database. Simply look up your name in spokeo and copy the url of the page you want removed. Then, surf to:

http://www.spokeo.com/optout

And fill out a small form including the spokeo url and your e-mail address.

Once Spokeo receives the form, they do in fact remove that record from Spokeo.

If you have multiple records listed, unfortunately you have to do it multiple times.

Social Engineers use sites like Spokeo to gather information about a target. If you want to remove your information from Spokeo, hopefully this will help provide you with a little more internet privacy.

Granted your personal information is still out there, the form does not remove you from the sources that Spokeo uses, but at least it removes it from one location!

Hackers could Control your Home Webcam and Microphone from Afar

A recent surfacing of some old ransomeware malware has had some people really concerned. But viruses can be much more sinister (and creepy) than just encrypting your files and holding them ransom. What if hackers could come into the privacy of your home and use your webcam to spy on you?

Well, they can.

And they are.

We have firewalls, Anti-Virus programs and defense in depth to prevent people from getting access to our precious data. But what many don’t realize is how incredible simple it is for malware to turn on a victim’s webcam and microphone to record a person from almost anywhere in the world.

Let me give you an example.

What if a hacker sent a teen, your teen in fact, a malicious file? And what if your daughter ran it and it allowed the creep to access her webcam and watch her?

So in essence, the teen is just checking her mail, or social media messages, and clicks on a file that doesn’t seem to do anything. So she just goes on to the next message.

But on the attacker side, he see’s this:

A live video feed!

Okay, before I get a ton of e-mail complaints, this is my daughter and she volunteered to be the “victim” for this article.

But she in fact did run a program that allowed me to fully control her laptop webcam.

And I could control her microphone too…

It is not just malware that is of concern. Putting an unsecured or lightly secured video cam out on the web can be just as unnerving.

Recently, a dad came into their two year old daughter’s room to hear some guy on their internet enabled baby monitor talking to her:

“As Gilbert walked down the hall and entered the room, he says he heard the voice say, “Wake up Allyson, you little [expletive].” The camera on their trusted baby monitor then rotated to watch Marc walk into the room as he rushed to unplug it.”

There are tons of open and lightly secured video cams out on the web and all are easily findable by using the Shodan search engine.

Users need to be aware of these possible invasions of privacy and need to secure their systems against them.

Do not put any device on the internet that is just using the default password. Use long complex passwords. Or better yet, don’t put it on the internet at all!

To secure your home systems – Keep your Anti-Virus, Operating System, and security software up to date. Never click on unsolicited links or programs sent to you in e-mail or social media sites.

Some may even prefer to turn off, block or unplug their cameras or microphones when not in use.

Be safe out there. Remember that many current threats can easily bypass Anti-Virus. You need to practice and teach your children safe surfing techniques.