Tech Friday with Dave Hatter - May 22nd 2020 - SPONSORED BY INTRUST IT


  • The largest cyberattack yet may be on the immediate horizon:
    • COVID-19 has forced companies to accelerate their digital transformation because employees need to work from home
    • The pandemic is demonstrating that technology has progressed to the point where people can work remotely
    • Email, chat, videoconferencing, collaboration software and cloud applications allow colleagues to work together productively and collaboratively
    • A new report from Microsoft suggests remote work is here to stay
    • Microsoft CEO Satya Nadella recently revealed that their Teams collaboration tool now has more than 75 million daily active users and 200 million meeting participants in a single day
    • The pandemic has forced people unaccustomed to using tech tools to quickly adapt. Some of these workers are becoming more efficient
    • But many of these folks were forced to set up shop quickly on home networks with personal devices
    • Many of these devices and/or networks are insecure and have insecure devices connected to them
    • The more devices connected to a network, the larger its attack surface
    • Each connected device (like your kids' phones, tablets and video games) is a potential gateway that hackers can leverage for access and/or to steal data
    • This situation is a dream come true for cyber criminals who can steal data from your devices and possibly use your devices to gain access to your company's network
    • Hackers broke into Lockheed Martin through remote workers
    • Sadly, it's likely only a matter of time before there is a major breach
    • Folks need to take cybersecurity seriously and realize that each of us is a potential target
    • Learn more here: https://www.forbes.com/sites/stephenmcbride1/2020/05/14/why-the-largest-cyberattack-in-history-will-happen-within-six-months/#42c363e0577c
    • View the MS report here: https://www.microsoft.com/en-us/microsoft-365/blog/2020/04/09/remote-work-trend-report-meetings/
  • Your car is a rolling privacy nightmare:
    • Washington Post writer Geoffrey Fowler recently reported on the attempts by a hacker to determine what information is being collected by the systems in a randomly selected 2017 car
    • Not surprisingly, quite a bit of information is collected. Most new cars are rolling computers bristling with sensors
    • Fowler wanted to see just how much information GM is getting from its connected cars and chose a 2017 Volt for testing
    • Fowler wrote "My Chevy's dashboard didn't say what the car was recording. It wasn't in the owner's manual. There was no way to download it"
    • It's unclear exactly what data is collected, who has access to it, how it might be shared, or how it's secured
    • A GM spokesperson told Car and Driver: "Nothing happens in terms of connected services without customer consent"
    • GM said vehicle data such as location, vehicle health and status, and operating information "enables many important safety and connectivity services [including] automatic crash notification (alerting first responders to an accident scene), stolen vehicle locator, and vehicle health monitoring (monthly emails to an owner advising them of service and maintenance status)."
    • He discovered the car was recording details about where the car was driven and parked, call logs, identification information for his phone and contact information from his phone, "right down to people's address, emails and even photos."
    • Fowler said "On a recent drive, a 2017 Chevrolet collected my precise location. It stored my phone’s ID and the people I called. It judged my acceleration and braking style, beaming back reports to its maker General Motors over an always-on Internet connection"
    • Fowler also purchased a Chevy infotainment computer on eBay, which yielded information about the previous owner including pictures of an individual that the previous owner referred to as "Sweetie"
    • Data collection such as that mentioned above is not unique to any one brand or model; nearly all newer cars have connectivity and nearly all of them are collecting data to some extent
    • A security researcher bought an old Tesla infotainment system full of personal information about the previous owner including home address and WiFi passwords
    • eBay has infotainment systems from brands such as BMW, Ford, Cadillac and Mercedes-Benz currently for sale
    • "This isn't just a Tesla thing, it's every single infotainment system," said Justin Schorr, president of DJS Associates, a vehicle forensics firm that reconstructs crashes using on-board data. "Think of all the vehicles with screens, this is ubiquitous almost."
    • "Everything that can be used for a nefarious purpose, will eventually be found by a nefarious person and used for a nefarious purpose," Schorr said. "If you pair your phone with a rental car, and that car gets in a crash two years later, personal information about you could be pulled off it."
    • In 2017, the U.S. Government Accountability Office (GAO) explored the data privacy policies of automakers and found that the 13 companies under their lens are not exactly using best practices
    • The GAO said that manufacturers "offered few options besides opting out of all connected vehicle services to consumers who did not want to share their data."
    • At present, there are no federal laws to regulate what automakers can collect or use when it comes to personal driving data
    • Since 2014, 20 automakers (including GM) have pledged "to meet or exceed commitments contained in the Automotive Consumer Privacy Protection Principles established to protect personal information collected through in-car technologies," according to the Auto Alliance
    • The first principle is "provide customers with clear, meaningful information about the types of information collected and how it is used"
    • It does not appear that the first principle is being met
    • New regulations such as the California Consumer Privacy Act (CCPA) may force new practices
    • You can limit the amount of information that a car can collect by not connecting your phone to the car via USB or Bluetooth; charge it using a charger
    • Fowler recommended an app called "Privacy4Cars" to remove your data from cars you use but don't own: https://www.privacy4cars.com/home/default.aspx
    • Phil Neray from start-up CyberX suggested doing a factory reset and/or taking your vehicle to a dealer and asking them to wipe it clean of data before selling it
    • 5G connectivity may make it more difficult to restrict access to your data in the future
    • Read the GAO report here: https://www.gao.gov/assets/690/686284.pdf
    • Read Fowler's article here: https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/
  • Personal information stolen from the typical US citizen at least 4 times in 2019:
    • A study reported that on average, a US citizen had their personal information leaked at least four times in 2019
    • It's important to note that this is based on publicly reported data and does not account for other breaches that may not have been reported or are as yet unknown
    • The report includes the 14 largest breaches in 2019 including First American Corporation with 885 million records leaked and Facebook with three separate breaches exposing a total of at least 808.5 million records
    • The average of 4 leaks is dependent on how often you use the Internet. More online activity means more likelihood of a breach
    • "The most common outlets for breached data were Social Media Sites, Tech (Apps, other software) and Websites (including online retail) so take care to only use your passwords once on each site so that a single personal data exposure doesn't expose your entire online world," the report said
    • Facebook alone had three of the largest breaches last year
    • "What makes these data breaches so scary and infuriating, is that we want and sometimes need to trust companies such as Facebook, Adobe and First American with our personal information," the report said. "Personal digital hygiene would not have prevented many of these back-end data breaches but it can help minimize the impact."
    • The personal information (PII) leaked varies in significance as well
    • Some leaks only contained credentials (passwords and usernames) for a given site. Others, like those from Facebook, included detailed information
    • "Security today is both the responsibility of the company that has your data, as well as the individual user. Organizations need to re-evaluate how they do security, because doing the same thing hasn't been working. Security for their internet facing applications needs to be considered from the start of the app design and continue through production and deployment," said Timothy Chiu, vice president of marketing at K2 Cyber Security
    • One way to protect your data is to reduce your online footprint
    • Another is to deal with only the most reputable companies
    • A third is to follow good cybersecurity practices
    • Read the study here: https://www.interest.com/personal-finance/the-average-american-had-personal-information-stolen-at-least-4-times-in-2019/