Every so often some small and well-organised bit of the world decides that one day in particular would be a good day to have a Day day.
At Naked Security we’re quite fond of Day days, whether it’s a day for Sysadmins or Ada Lovelace, or even 30 days in a row for Cyber Security Awareness, because it’s a great way to focus on things that we don’t do every day because they’re too, well, everyday.
With everyone focused on the same issues, we think days like today – Data Privacy Day – are a great opportunity to get useful computer security advice out there.
We know that many of you aren’t just looking after your own devices, you’re looking after computers or whole networks for friends and family too, so we like to share tips that we think are simple, practical and do-able that same day.
Today, for Data Privacy Day, we suggest you take home this simple tip for the devices and software in your care:
Don’t do defaults.
Lots of hardware and software arrives with default settings, such as passwords or SSIDs, so you can get up and running quickly and easily. Unfortunately, what you gain in ease of use, and companies gain in reduced support calls, you can lose in security.
The best default passwords are unique to each individual device, but even those may have been written or stored somewhere by the manufacturer – which means your password has been outside of your control, and shared passwords can’t ever be considered secret.
Worse than that are unique passwords generated by a predictable algorithm, such as the TP-LINK router that can be cracked with 70 guesses, because any kind of pattern or predictability in a password gives attackers exactly the kind of leg up they’re looking for.
In the worst (but not uncommon) case, every copy of a device or download will arrive with the same default password, or even a backdoor.
Default passwords turn up in everything, from sophisticated databases and VoIP systems to $20 home Wi-Fi routers. And the crooks know it.
Manufacturers are relying on you to change the defaults. If you don’t, you’re leaving the key in the door for hackers: they don’t have to crack your password, they can just look it up.
There are now so many devices connected to the internet with either widely known default passwords or no passwords at all that there are entire search engines devoted to them, like Shodan, an IoT search engine that doesn’t just find your insecure cameras, it takes photos with them too.
And it isn’t just your routers or IoT devices – it’s the software running on desktops, laptops and servers too. Anything that allows a connection in to your computer, such as Remote Desktop or VNC, is a potential target.
So this Data Privacy Day why not go home and ask yourself – what, exactly, is connected to my home network, and what is accessible from the outside world, either physically, via Wi-Fi or over the internet? A router? A printer? A computer running RDP? Cameras? The thermostat? The doorbell? …and just maybe the kettle?
For each of those things, apply the guideline: don’t do defaults.
Make sure that you understand how to set the password on each device or piece of software, and be sure that it isn’t using the one it arrived with. If you’re not sure, just change it to something strong and unique, and if you can’t change it or, worse yet, can’t set one at all… turn it off and take it back to the store.