We are pleased to announce that after many months of research and testing, we have chosen Mimecast as our replacement for McAfee SaaS.  As we wrote late last year, Intel is discontinuing its McAfee Saas SPAM protection service.  This left us with the daunting challenge of finding a suitable replacement for our hosted and on-premise Exchange.  It was important that whatever solution we chose have, at a minimum, all the features of McAfee SaaS and we believe Mimecast exceeds that requirement.

Good new for Office 365 users

For our Office 365 customers we have some good news.  Mimecast integrates with 365 beautifully.  This means we can bring to you the same SPAM and virus protection, archiving and email continuity features as we do for our on-premise Exchange customers.

What about Hosted Exchange?

At the same time we were looking for a McAfee SaaS replacement we were also working with our partners on a solution for our Hosted Exchange customers.  While Mimecast can be integrated with Hosted Exchange we found that and internally developed solution worked better.  The integration was seamless while the Mimecast solution required extensive configuration changes to work properly with Hosted Exchange.  As an added bonus, the internally developed solution is added at no additional cost.

What if I want Mimecast for Hosted Exchange?

Then you can get it.  That said, Hosted Exchange is our recommendation for small companies with simple email needs.  As such we feel that the internally developed solution is more than adequate, but Mimecast is certainly an option.

When will this be rolled out?

We have already rolled out Mimecast internally and to a few customers who agreed to help us test.  We will roll out to our remaining on-premise Exchange and Office 365 customers in the coming weeks.  Your account rep will be in touch to discuss the migration.

For our Hosted Exchange customers the migration will take place over the next few months and you will be notified prior to the migration.

If you would like to know more about our Email Protection solution please contact us via email or call us at (866) 753-6279.

Save

Save

Save

Save

Save

Save

Save

Save

Save

In case you missed it, the LinkedIn password breach happened in 2012, and this week about a 100 million previously unreleased email addresses and passwords became available for purchase.  The asking price for this list is around $2200.

Even if you don’t have a LinkedIn account you should keep reading.  LinkedIn is only one of many, MANY sites that have been breached and there will be more over time.

First things first

The first thing you should do is visit https://haveibeenpwned.com to see if your information has been leaked.  Just type in your email address and you’ll know in a few seconds.

Second… click on the “Notify Me” link on the above page.  That way you’ll get an email if your address is ever leaked in the future.

Make sure you check and subscribe all your email addresses (personal and business).

Note – there is an option for businesses to have their entire email domain monitored.  If you need help setting that up please contact us.

If your address has been leaked you will see which sites were breached.  Change those passwords immediately.

About your passwords

If you are like most people, your passwords are weak and you use the same password everywhere; Amazon, GMail, eBay, your wireless account, your banking site, etc.

Don’t do this!

A weak password can easily be hacked.  If it’s hacked (or leaked) and you use the same password everywhere then every account is compromised.

Just accept that at some point your account information is going to be hacked or leaked.  Start with that premise.  Even if you weren’t part of the LinkedIn password breach it’s almost certainly just a matter of time before you fall victim to another breach.

Do this

Use unique passwords.  Every site should have its own password so if one site is compromised the rest won’t be.

Use strong passwords.  20 random characters is a good size – upper and lower case letters, numbers and special characters (%$^#@!).  Ex.: $4sYP!VP2&7c4ppmd82N

Turn on 2 Factor Authentication (2FA) on every site that supports it.  When 2FA is turned on you need to sign on with your email (or username) and password.  Then there’s a second step where the site either sends you a text message or uses a Smartphone app called an Authenticator which generates a random code that you must put in to complete the login process.

Many sites support 2FA now and more are adding it.  What makes it such a strong security measure is that even if someone gets your email address and password they still need your phone for the code.  And those codes expire in as little as 15 seconds.  Far too short a time to be guessed.

Get a password manager

I am sure you’re thinking that unique, complex, 20 character random passwords are going to be impossible to remember.  You’re right.  So you will need a password manager to, um, manage them.

I can recommend a few such as Roboform, Dashlane, Keepass, Lastpass and 1password.  Some are free and some are paid.  They’re all good.  The free ones usually offer a paid version that has extra features such as syncing across multiple PCs and app versions for Smartphones and tablets.  I like the paid features and they’re really affordable so that’s what I use.

Of course, you’ll need to password protect your password manager.  Again, a strong, unique password should be used.  For this I prefer a pass-phrase that you can remember.

A pass-phrase is a password except it is not completely random.  The random example above, “$4sYP!VP2&7c4ppmd82N”, can’t be easily remembered.  But a pass-phrase like “489PushPull!!!UpDown” or “My password is 1000 times better than your PASSWORD!!!” is strong, complex and easy to remember.

Last word

Don’t write your password down and leave it somewhere that isn’t secure.  It’s the key to unlock all keys so use your best judgment.  The best way to store it is by memorizing it.  Set your password manager to ask for it at least once a day.  After a week the odds you’ll ever forget it are pretty slim.  If you must, write down a hint.  If your pass-phrase is “489PushPull!!!UpDown” just write down “489…!!!…”.  You’ll remember the rest.

If you have any questions feel free to use the comments section below.

If you’d like to deploy a password manager for use at your business or setup Have I Been Pwned? for your domain and need help contact us by email or call us at (866) 753-6279.

Helpful links:

• How to change your LinkedIn password
• How to turn on 2FA – LinkedIn
• See what sites support 2FA
• Have I Been Pwned?
• Roboform Password Manager
• Dashlane Password Manager
• 1Password Password Manager
• LastPass Password Manager
• KeePass Password Manager
• Strong Password Generator
• GRC’s Password Test -note that this test only tests the size and complexity of your password. The password “password123” will score fairly high but is easily hacked.

This update comes on the same day that ZDI disclosed two vulnerabilities in the Quicktime, which if exploited could lead to remote code execution. The vulnerabilities are heap corruption flaws that require users to visit a malicious webpage, making them perfect for drive-by downloads and phishing attacks.

“We’re not aware of any active attacks against these vulnerabilities currently. But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it,” Christopher Budd of Trend Micro wrote on the company blog.

“In this regard, QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it.”

Plenary Technology recommends that you uninstall Quicktime from all machines as soon as possible and remove the plug-in from your browser if installed.

It’s been a while since Microsoft ended support for Windows XP, making the venerable operating system open to new threats and a risky choice to run in any environment.  Now, things are about to get worse as Chrome support for XP is also coming to a close.

A wrap on Chrome support for XP

Google has announced they are ending support for their web browser, Google Chrome, on older operating systems from both Microsoft and Apple.

Just as when Microsoft stopped updating Windows XP with security patches and updates, Google will stop providing patches and security updates for Chrome on these older operating systems. This doesn’t mean that you won’t be able to continue using Chrome on your outdated devices.  It just means that you’ll be increasing your vulnerability to exploits if you do.

End of support is slated for April 2016, but a firm date has not been announced.

Operating systems effected

• Windows XP
• Windows Vista
• Mac OS 10.6 (Snow Leopard)
• Mac OS 10.7 (Lion)
• Mac OS 10.8 (Mountain Lion)

How to browse safely

In short, if you want to remain safe and secure while browsing the web with Google Chrome, you need to use a modern operating system.  This often means updating your OS and your hardware solutions. Businesses that rely heavily on legacy applications might have trouble making the transition away from XP, simply because their legacy software may not be entirely compatible with the new technology.

This is one of the problems so many businesses have when it comes to updating their technology. Organizations grow complacent with their current technology solutions, and aren’t willing to upgrade if they don’t need to. In a way, Google ending support for legacy operating systems is a good thing as it adds to the list of good reasons businesses should to migrate away from XP (and Vista) in the next few months.

As always, your comments and questions are welcome.

Plenary Technology can help your business transition away from XP by providing consultation, project management and hardware/software procurement services. For more information, give us a call at (866) 753-6279 or shoot us an email.  Will be happy to help.

It is the worst piece of spyware ever produced, by anyone, at any time. Ever!

At least that’s the ballyhoo (you can’t imagine how long I have waited to use “ballyhoo” in an article!) on the internet. But is it true? Should you be concerned?

The correct answer is yes… and no. Here’s why.

Windows 10 spyware

Does Windows 10 include spyware? Yeah, it does. So does Google. So does Facebook. So does Amazon. So does just about everything these days. This is the world we live in now. Have you ever looked at a product on Amazon and then seen an ad for it on another site? How do you think that happens? Spyware. But not the type of spyware that steals credit card information, social security numbers, etc. This spyware is far more benign and does provide some tangible benefits to you.

Targeted advertising

Windows 10 assigns a unique advertising ID to every PC it is installed on. This allows advertisers to best send you ads you might be interested in. If you turn off this feature you won’t get fewer ads. You will just get ads that are of even less interest to you. Would you rather receive ads about losing 10 pounds in 10 days or ads about things you’re interested in?

Cortana

Cortana, Microsoft’s digital assistant, collects data about you so that it can predict what information you might want to see at any given time. There’s no getting around it… if you want Cortana to do this you have to allow Cortana to collect data. You can’t have a digital assistant that knows your schedule, flight information and can show you “all my emails from Mom” unless you allow it to read and store that information.

Windows 10 is listening

There are other concerns such as voice, handwriting and keyboard capture. According to the “Getting to know you” section of the Windows 10 privacy settings it reads “Windows and Cortana can get to know your voice and writing to make better suggestions for you.” This data is used in many ways, from next word prediction to voice interpretation and handwriting recognition. And Microsoft DOES collect this data not just on your PC but also centrally over the internet to help improve these features for other people. According to MS, though, any data sent to them is put through vigorous, multi-pass scrubs to remove sensitive or identifying information. Additionally, all the strings of data are chopped up and de-sequenced so that they can’t be put back together. Whether you believe them or not is up to you.

Turn it all off

The good news is that, as far as we know, you turn turn off pretty much all the tracking and data collecting Windows 10 is doing. This article isn’t about HOW to do that, though, so I will let you use Google to find out how. But the question remains… is it ALL off?

Causes for concern

If, like me, you aren’t too worried about targeted ads and you believe Microsoft when they say the data they collect is virtually unusable to identify you or what you said, wrote or typed, is there anything to worry about? Unfortunately, there is.

Microsoft keeps adding little bits of spyware in their updates. Most of this, perhaps all, is just as benign as the more overt things like Cortana.

The problem is that Windows 10 updates are null of details. Prior to 10, when Microsoft pushed out updates there was plenty of information about what the update applies to and what changes it is going to make. Now, the de facto description for updates is something along the lines of “This update includes improvements to enhance the functionality of Windows 10”. Pretty vague. Completely useless. Worse, it is know that often times they roll in some new telemetry (aka spyware) with otherwise necessary updates.

This is problematic in several ways. Clearly we should be informed when new telemetry is installed. If you are inclined to try and block all the “phoning home” Windows 10 does you will likely be forever chasing your tail. It will take a fair bit of diligence on your part to keep informed about updates and what, if any, spyware has been wrapped up in them.

We should know the complete details about every update Microsoft pushes out. We bought the software and have a right to know what they’re doing to it. Spyware aside, not knowing the details of an update leave system admins wondering what the update will break. For the home user it’s not a big deal to uninstall an update that caused Netflix to stop working. But in an environment with 20, 100 or 10,000 PCs it was hard enough to manage when we knew what the updates did. Now we are flying blind.

Bottom line

The worst part of Windows 10 is the secrecy that surrounds it. The vague, useless update descriptions. The bundling of important updates with new telemetry. The fact that the privacy settings are not front and center. These all give rise to doubts about what Microsoft knows about us and who they are sharing this information with.

I won’t bother suggesting you don’t make the move to Windows 10. It would be a moot point. Microsoft has made this the same for Windows 7 and 8 now as well. Do you have anything to worry about? I wish I had a solid answer. All I can tell you is that I am a little concerned and yes, Windows does send some information back to Microsoft. But this information seems to have a benefit to me, the user, and most of it can be turned off at any time. Still, doubt lingers.

We live in a world where pretty much every device we own and every service we use has some tracking. That’s concerning. Everyone has to choose for themselves whether to trust in this world or not.

My advice… be cautious.

As always you comments and question are welcome.

Not enough time in your day to deal with IT issues and security concerns? Give us a call at (866) 753-6279 or shoot us an email.

Earlier this week Intel announced that it would be pulling the plug on its McAfee SaaS line of products.  Plenary Technology is a McAfee SaaS partner and deploys this service with both our Hosted Exchange offering as well as our Email Defense Suite for customers with on-premise Exchange servers.

Please see the FAQ below for more information.

McAfee SaaS EOL FAQ

1. What has Intel Security announced regarding their McAfee SaaS security services?

Intel Security announced that they’re retiring a large number of McAfee SaaS security services, including the email protection and continuity services currently sold by Plenary Technology within our McAfee Email Defense Suite as well as our Hosted Exchange offering.

2. When did Plenary Technology learn this news?

Unfortunately, Intel Security only notified Plenary Technology two days prior to publicly announcing their decision.

3. When do these products reach end-of-life?

• Intel Security services will remain live and reliable until January 11th, 2017
• New McAfee accounts can continue to be provisioned until January 11th, 2016 (existing accounts can continue to provision new users beyond this date)
• Plenary Technology is already working on a smooth transition to services that are designed to equal—if not exceed—our current McAfee SaaS offering, well before the sunset date

4. As an Plenary Technology customer, what should I do?

At this time, no action is necessary. Intel Security has pledged to keep their services live and reliable until early 2017.

In the near future, Plenary Technology will announce new products that we will seamlessly integrate into our offerings to match and likely expand upon our current McAfee SaaS solution.

We will make an announcement regarding new security services shortly.

5. What services does Plenary Technology currently deliver from Intel Security?

Plenary Technology currently offers several McAfee SaaS services from Intel Security (formerly known as McAfee) within our Email Defense Suite, including:

•     McAfee Basic and Advanced Email Protection
•     McAfee Data Loss Prevention
•     McAfee Email Continuity
•     McAfee Email Archiving

As mentioned previously, we’re currently building a shortlist of solutions that will match and expand upon the remaining functionality currently offered within our Email Defense Suite.

6. Will I see any degradation in my current service levels?

Intel Security has committed to maintaining the current service levels through the end of next year, and perhaps longer. However, Plenary Technology will identify and deploy new solutions well in advance of any sunset date.

7. Will Plenary Technology help migrate me off of Intel Security/McAfee SaaS services?

Yes.

8. As an existing Plenary Technology customer using Intel Security/McAfee SaaS services, will I be able to provision new users to these services in 2016?

Intel Security/McAfee announced an End of Sale date of January 11th 2016. This means no new McAfee accounts can be provisioned after this date. However, new users to existing accounts are not impacted by this change, and can continue to be provisioned for both on-premise and hosted customers.

9. Once Plenary Technology has identified new solutions, will my bills go up? Will I lose features and functionality?

We are confident that the cost of our new services will be equal to or less than those within our McAfee Email Defense Suite. We are committed to finding an alternative solution that will match and likely expand on the features and functionalities available within McAfee Email Defense Suite.

10. I still have questions.

Feel free to contact us at (866) 753-6279. We’re happy to answer any further questions you may have.

Adobe’s Acrobat DC and Acrobat Reader DC were released earlier this year and, no surprise, the “cloud” is a major feature of the new version.  Saving and retrieving files to the Adobe Document Cloud (the “DC” in Acrobat Reader DC) and Office365/SharePoint has been available for some time.

A new release in October added Dropbox to the mix and there are indications that other services will soon follow.

While I am all for cloud services there are times when turning these features off is a plus.  Not every business owner wants all their employees to be able to access company documents while outside the office, for instance.  Confidential information and the cloud don’t always mix well and keeping your internal documents internal is an ongoing challenge.

The default for most applications, and Acrobat Reader DC is no exception, is to turn these cloud integration features on.

Here are three ways you can shut them off.

Adobe Customization Wizard DC

The Adobe Customization Wizard DC is one option.  The wizard allows you to set installation options, including cloud services, and then distribute a custom Acrobat Reader DC installer.

This wizard requires a Windows Installer package which, in turn, requires a distribution license.  This is a great solution for businesses that have already locked down their desktops and laptops and want to push a customized installation out.

This, however, is not usually the case with the small businesses we work with.

Group Policy

Adobe also offers ADM packages for configuring Acrobat Reader DC via Group Policy.  Group policies can be enforced at the user or machine level and can be applied to different groups, however it does require that you have at least one server running Active Directory.

The benefits of this option are:

• No distribution license required
• No special installer needed
• Can be applied to already installed and configured machines
• Is enforceable and cannot be overridden

For businesses that have a domain controller and are running Active Directory this is the solution of choice.  EDIT – upon further testing I found that the ADM is woefully limited and cannot be used to prevent cloud access.

Registry

The final option is to make some registry changes.  Companies that aren’t a good fit for the Wizard or Group Policy options are in luck.  Adobe has provided all the registry entries you need to lock down Acrobat Reader DC.

For the purposes of this article I will tell you which ones are most important in regards to the cloud.

DISCLAIMER – These instructions are provided as is.  Proceed at your own risk.  Editing the registry can have unintended consequences and we do not take responsibility for any problems that may arise as a result of following these instructions.  Please be sure you understand the implications of editing the registry.  We highly recommend that you backup your registry before proceeding.  For more information see this article.

Disable Adobe Cloud Services (Document Cloud)

Locate and highlight:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

Add KEY cServices if it does not already exist
Add DWORD bToggleAdobeDocumentServices to KEY cServices
Set bToggleAdobeDocumentServices value to 1

NOTES
This setting does not affect Adobe Send for Signature, preference synchronization, or third party connectors. For the base release, it also did not disable Send and Track; however, it does control Send and Track with the July, 2015 release. To disable all services, use bUpdater. Possible values include:

    0: Enable Document Cloud services.
    1: Disable Document Cloud services.

Disable 3rd Party Integrations (Dropbox,…)

Locate and highlight:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

Add KEY cServices if it does not already exist
Add DWORD bToggleWebConnectors to KEY cServices
Set bToggleWebConnectors value to 1

NOTES
Allows configuring in-product access to third party services for file storage. Dropbox support began with the Oct. 13, 2015 release. Possible values include:
    0: Enable 3rd party connectors.
    1: Disable 3rd party connectors.

Disable Office 365 / Sharepoint integration

Locate and highlight:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

Add KEY cSharePoint if it does not already exist
Add DWORD bDisableSharePointFeatures to KEY cSharePoint
Set bDisableSharePointFeatures value to 1

NOTES
Controls the application's ability to detect that a file came from a Sharepoint server, disables the check-out prompt, and removes the SharePoint specific menu items. Possible values include:
    0: Enable SharePoint and Office 365 integration.
    1: Disable SharePoint and Office 365 integration.

These entries will prevent your users from saving files to the Adobe Document Cloud, Office 365/SharePoint and Dropbox (for now, more to come).  In a small business with only a few users the entries can be applied to individual machines one at a time.

If you want to cut down the time it takes to make these changes you can export the registry keys from a computer that has been changed and then import those keys on the remaining computers.

For detailed instructions on exporting and importing registry keys see the following article.

The cloud has been a great tool overall.  The ability to work from anywhere with any device has made workers more mobile.  Sharing documents speeds up business processes.  But enabling all these features without some consideration can lead to problems later on.

The fact that these features are turned on by default is risky and business owners, as if they don’t have enough to worry about already, need to keep this in mind.

As always your questions and comments are welcome below.

Is all this too much for you?  Looking to lock down your network and protect your company documents?  Then give us a call at (866) 753-6279 or send us an email.

It’s National Cyber Security Month

This year, for NCSM let’s talk about the iCloud hacks.  If you haven’t heard about this, welcome back from whatever planet you’ve been visiting.  Starting in August some “private” photos of celebrities started being leaked.  More are being leaked even now.

Most likely, these accounts just had simple or easily guessed passwords.  There are no reports as of now showing that the problem was with Apple’s security.

So I want to take a moment and suggest you do two things.

Use Unique Passwords

I have said it before but it bears repeating… Use different passwords for every site.  They can be similar, but they should be different.  Here’s why.

If one account is hacked then any accounts you have with the same username and password are vulnerable.

“But how are they going to know which sites I use?”

Fair question.  The answer is “they won’t”.  But hackers have software that will test hundreds or thousands of sites with you username and password.  And if the username and password work, they may have access to your online banking portal, trading account, whatever high value targets you may have.

Enable 2FA

Turn on two-factor authentication (2FA).

Not all sites have this option, but many do and more are hopping on the bandwagon every day.  The way 2FA works is, after you enter your username and password, you get prompted for a second form of authentication.  This is usually a code (there are other methods but this one is most prevalent) sent to your cell phone as a text message.  The code is unique, has an expiration time and can only be used once.  Thus, if someone has hacked your password they still need a unique code to complete the login process.

Here’s a site that shows which popular sites support 2FA, which don’t and which are in the process of implementing it.  They even link to setup instructions for those that do.

Read the fine print!

If you’re like me, you never read the fine print.  For all I know, Apple may have rights I wouldn’t give my attorney.  How far can these agreements go? Well, the Cyber Security Research Institute added a “Herod clause” to the terms and conditions of a free Wi-Fi hotspot in London.

Here’s the link to the full story.

Here comes Windows 10

Microsoft has recently released a beta version (or what they now call a “technical preview”) of the next version of Windows.  Speculation as to why they skipped a number is a popular subject and there are several theories.  My guess is that “Windows 9” is far to easy to refer to as “Windows NEIN!”

I have just downloaded the beta version and will be testing it over the next couple weeks but here’s what I know so far…

The START button is back.  You can start programs just like you used to in Windows 7 and earlier.

And the desktop has changed, too. No longer designed with a “tablet first” mandate, the new desktop is not “touch-centric” when used on a desktop or PC.

I am not much for predictions, but I think these two changes will be enough to make Windows 10 widely adopted by businesses.  I will post a follow-up on this after I have had some time to test it.

As always, questions or comments are welcome below.

Looking to enable 2FA within your company?  Give us a call at 866-753-6279 or email us.

Tomorrow, September 10th, 2014 is the INTERNET SLOWDOWN.  Don’t worry, it’s not a real slowdown.  But many site will be displaying images and information on what the internet will be like if the big communications companies get their way.  Even Netflix is joining in to support Net Neutrality.

Why is Net Neutrality important?  For that matter, what is it?

Today, everyone pays for bandwidth.  It doesn’t matter if you’re transferring files, streaming video or browsing websites.  You buy bandwidth and you use it for a regular fee.  If the big communications companies get their way, some traffic will get prioritization for a fee.

What’s wrong with that?

First, it stifles competition.  Startups will need more funding to pay those premiums.  The costs could be prohibitive.  They might have a better solution or technology, but because they can’t afford the prioritized traffic premium no one will be interested.

Second, it’s going to cost you, too.  No expense goes unpaid by the consumer.  If Netflix pays more, you pay more.

Third, it’s unfair.  Imagine if you had to pay different prices for water pumped to your home based on use.  Drinking water was one price, but water used for the dishwasher had a premium.  You still had just the one pipe delivering water to your house but because the dishwasher uses much more water than drinking does you have to pay extra for that.  Even sillier… you don’t pay the premium, Maytag does.

Finally, it gives the big communications companies, the big ISPs, too much sway on the market.  It allows them to pick winners and losers.  If some traffic is prioritized guess what?  Other traffic will be de-prioritized. The internet is too big a part of our economy to allow that kind of tinkering.

The data must flow equally.

Like water or electricity to your home or business, data, too, should flow equally to large and small companies.  In the end, I think this is the real issue.  Let me know what you think.

EDIT – Here’s a video that does a pretty good job further explaining why Net Neutrality is important.

2nd EDIT – Leave it to John Oliver to explain it better.

Comments?  Questions?  There’s a place for them below.

It’s happening now

If you’ve watched TV lately chances are you have seen those “Internet of Things” commercials.  Really cool idea and one my friend, Robert and I discussed back around 1999.  We predicted TVs, lamps, refrigerators, etc… all connected to and controlled over the Internet.

It may have taken a 15 years but it looks like our prediction has come true.

For the record, I admit that this wasn’t a real stretch of the imagination and I am sure a lot of people thought the same thing, but they don’t write for this blog.

Am I happy?

Kind of.  I mean, come on!  Who hasn’t left home and wondered “did I turn off the stove?”  Well, soon you will be able to not just check to see if you did, but also turn it off remotely with an app.  How awesome is that?

But all that awesomeness comes with some risk.

Fast, cheap and easy

Manufacturers live by three drivers.  Make it fast, make it cheap and make it easy to use.  These drivers have served them well.  Devices for the Internet of Things, however, will require strong security and my bet is that it will be a while before manufacturers will properly address this.

Why?  Because it will slow down delivery, it will cost more money and it will make the devices a little less easy to use.

Think back, if you will, to the late 90s.  Everyone wanted to get on the Internet and manufacturers were eager to capitalize on that.  Hardware and software vendors alike rushed to get product out the door.

It wasn’t long before we found out how insecure all that mess was.  Browser exploits, viruses, identity theft, sniffing WI-FI packets out of the air… more insecurity than a teenager.  And while there have been big strides in security we are still faced with many of these same problems.  And with every new technology that gets introduced (think smartphones) there are always flaws that make them vulnerable.

HP recently did a study that showed 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities including password security, encryption and personal data issues.

So if the “Internet of things” takes off like everyone thinks it will (Gartner predicts 26 billion devices by 2020), we are going to face a whole new set of security issues.

So what if my lamp isn’t secure?

Fair enough.  But recently I saw someone demonstrate a hack into an Internet of Things power strip that controlled 4 lamps.  Using the hack he was able to turn the power strip on and off 100 times per second.  That was pretty interesting.

More interesting was learning that light bulbs tend to explode when you do that.

Sure, that’s a pretty basic example of what an Internet of Things “thing” can do if not properly secured but I admit it’s not very scary.  I mean, a house fire is scary but what is really scary are the “things” that we won’t think about until after the fact.  You know… when it’s too late.

Did you know, for instance, there are websites that list unsecured web cameras?  Many of them are used at store registers where clerks handle credit cards.  And since they are HD cameras it’s not hard to capture credit card information by viewing a still frame.

And what about the new Internet of Things thermostats?  Imagine some kid down the street hacking into that and turning the heat off in winter.

It’s what we don’t know… what we don’t predict… that should be of concern.

As long as there is money to be made by hacking into connected devices there will be plenty of people trying.  So maybe “scary” is a bit strong.  But it is certainly something to be aware of.

In any event, things are going to be interesting over the next few years.

What’s YOUR impression of the “Internet of Things”?  Let me know in the comments.

Looking for help securing your company resources?  Give us a call at 866-753-6279 or email us here.