Are you online and don't know it?
This week I am away from my normal routine and attending a cyber training class for Certified Ethical Hacker (CEH) certification. It's a bootcamp-style class, so lots of information every day. Today is day 2 and my brain hurts already. CEH basically teaches you how to think/act like a hacker so that you can be a better security professional and be able to recognize attacks and protect your network more securely. If you want to learn how to stop the bad guys, you have to learn how to think/act like a bad guy.
One of the things we talked about yesterday was performing online searches using specific search tags (operators) to narrow the results to only what we are looking for. One of the tools shown as an example was the Google Hacking Database (https://www.exploit-db.com/google-hacking-database). This is a collection of Google searches done by other users. Our instructor showed us not only how useful this tool is but also how dangerous it is to simply "plug and play" devices.
One of the searches he showed us was for the simple term webcam. In the results, he found this search that someone has done before: intitle:webcam 7 inurl:8080 -intext:8080 .
This contains links to live webcams anyone can view! To see the webcam links, copy and paste this search into the Google search bar (not the URL bar).
NOTE: CLICK ON THESE LINKS AT YOUR OWN RISK!!! I don't know what is on the other side of the click and take no responsibility for the images that appear once you click.
Not all of these cam owners know their webcam is available to view online like this. Some know and intentionally set their cam up in the position you see. Others don't know unless someone notifies them. My instructor said he even heard one story about a woman who set up her webcam in her baby's room and heard someone talking to the baby through the cam!
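To show why a camera left on its default setup turns up for the search quoted above, here is an added example (not from the class or the Google Hacking Database) that models the intitle:, inurl: and -intext: operators as simple substring checks against a page's title, URL and body text. The matching rules are a simplified assumption, not Google's actual algorithm, and both sample pages are constructed.

```python
import shlex

# The query quoted in the post (without the sentence's trailing period).
DORK = "intitle:webcam 7 inurl:8080 -intext:8080"

def parse_query(query):
    """Split a query into (field, term, negated) clauses."""
    clauses = []
    for token in shlex.split(query):
        negated = token.startswith("-")
        token = token.lstrip("-")
        field, sep, term = token.partition(":")
        if sep and field in ("intitle", "inurl", "intext"):
            clauses.append((field, term.lower(), negated))
        else:
            clauses.append(("any", token.lower(), negated))  # bare term
    return clauses

def page_matches(query, url, title, body):
    """True if the page satisfies every clause (simplified substring model)."""
    fields = {"intitle": title.lower(), "inurl": url.lower(), "intext": body.lower()}
    fields["any"] = " ".join(fields.values())
    for field, term, negated in parse_query(query):
        if (term in fields[field]) == negated:
            return False  # required term missing, or excluded term present
    return True

# Constructed sample pages (192.0.2.0/24 is a documentation-only range).
DEFAULT_SETUP = ("http://192.0.2.10:8080/", "webcam 7 - Live View", "Camera 1 streaming")
LOGIN_REQUIRED = ("https://192.0.2.10/login", "Sign in", "Enter your username and password")

if __name__ == "__main__":
    for name, page in (("default setup", DEFAULT_SETUP), ("login required", LOGIN_REQUIRED)):
        print(name, "->", "matches" if page_matches(DORK, *page) else "no match")
```

The second sample does not match because an unauthenticated visitor, a search crawler included, only ever receives the login page.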
There are a few morals to this story:
1. Always change the default password of your device! Many devices come with built-in usernames/passwords that the company uses during development and testing phases before sending the device to stores for sale. Rather than close these accounts up, the devices ship with the accounts still active and using the default password! And the defaults are usually extremely simple and easy to guess: admin/admin, admin/password, etc.
2. Don't know if your device has a default account built in? There are actually websites that list many default usernames and passwords for multiple devices. Datarecovery.com has one such list and it is fairly inclusive: https://datarecovery.com/rd/default-passwords/ . Devices can be anything: webcam, washer/dryer, dishwasher, etc. Anything that connects to the internet for any reason can have a default account in place.
3. Always review device settings before putting the device into full operational use. You want to know how your device works, what does what, etc. Don't simply plug it in and walk away. You never know what default settings are in play if you do!
4. Check out your device on the manufacturer's site and read through the FAQ section if there is one. This may identify things you didn't think to check already or even provide you with a "Whoa I didn't know my device could do that!" moment of realization.
Cybersecurity mostly boils down to common sense. Taking a few extra moments now to review an email or go through device settings to see how it works or if there are any default accounts in use can save you a lot of time and trouble in the long run.
Cyberspace is a crazy place. Stay safe out there!
Until next time.......Code Geek out.