Holiday shopping in 2021 looks a lot different than it once did. Fewer consumers now brave crowds to shop in person, which means more of us have spent another season shopping mostly online—a boon not just for the shoppers’ convenience, but hackers’ too.
In this episode of Security Sandbox (our final episode this season; tune in below to hear what's coming in season 2), Amanda Fennell and Darian Lewis of Relativity's Calder7 team discuss best practices for shopping safely in the modern age.
And as the holidays draw near, they also talk about how to stay secure when receiving and using your own gifts, because that shiny new TV or VR headset might be hiding a hazard or two.
Give the episode a listen to learn how to stay safe in today’s electronic landscape (and find even more tips on the Relativity Community site). From everyone here at Relativity, enjoy your holiday season!
Amanda Fennell: In today's episode of Security Sandbox, we put a holiday spin on the final episode of season one by talking with my friend, colleague, and recurring guest, Darian Lewis, about his favorite Black Friday purchases this year. I'm kidding! We're going back to the sandbox to spend a few minutes on the part about how you can keep your personal and financial information secure when shopping online. Alright, Darian Lewis, resident cybersecurity architect for Relativity. Welcome back to the show, Darian. How you doing?
Darian Lewis: Oh, doing great. How are you?
AF: Wonderful. It's a pleasure after so many years together that we still have an excuse to get on a podcast. It's the end of the year. Shopping is on everybody's mind. The holidays are upon us, and I get asked these questions a lot. So we're going to sum this up for everybody and see what advice you would give people. I'm going to actually see if I agree with you, so this should be fun. We're going to see if we can argue this out. Alright, the first one everyone seems to ask is: what's the one thing you'd like every online shopper to do to better protect themselves from hacking?
DL: During the holiday season, everyone is looking for the best deal possible. When you go looking for deals, look on the vendor's website. Don't buy some unbelievable deal in an email and a text or on some deal website. That's kind of the best way you can avoid scams and hackers.
AF: Validity—yeah, I think that's probably exactly what I would have said. Is this a valid website? Is it secure? Are you dealing with something that's a phishing scam or something that emailed you? I tend to stay away from things that solicit me, and I seek it out instead. That lowers the probability of something that's a phishing attack or scam of some type. So I guess we agree on this one. Is that right?
DL: Sounds like it. I would add to this that 2021 was the year of the mobile attack rate. People were doing the work-from-home thing because of COVID, more and more relying on mobile devices, and criminals took advantage of it. They used smishing attacks en masse. Phishing attacks [were used] quite frequently. We've seen them in our company, and I know other companies have too, and it's one of the ways I think this holiday season that a lot of vendors are going to try and promote their deals and pump the shopping game up a little bit to get people to shop from their phones. And it's something to be wary of because a lot of things don't look the same when they're on your phone, and you can't tell the difference between what's real and what's not real, especially when they come from just a random phone number.
AF: If you are shopping online at a store and it's not, you know, Amazon, Target, Walmart, et cetera, how do you ensure that this would be a legit site and that everything you're going to do is secure?
DL: I always check first to make sure that it's HTTPS, right? You don't want to be using an unencrypted website. I look for the lock—it's on in your browser. Click it. Actually, make sure that the certificate is for the vendor that it says, and that it's still valid. It's in a valid date range. When you do shopping, make sure that, before you put any credit card information in, the lock is there in green—and use credit cards when you can instead of debit cards. A reason for that is there's a lot more protection built into credit cards in the U.S. financial system. If you can't use a credit card, then use PayPal or another similar payment service that gets in between you and the person you're buying from, so that you have additional protections in place should something go wrong. When you go shopping, always use your favorite search engine. I don't care which one you like.
AF: Is it Ask Jeeves or Bing? [Laughs]
DL: Ask Jeeves ... Well, yes, yes. In 1980, it was actually, thank you. [Laughs] Today, for me it's DuckDuckGo, but it kind of depends on what your favorite is. But go check out the vendor and query the product and see if people are complaining about it. If you've got 50,000 complaints about a product, it's probably not the one you want to buy. If you go to a website and there's tons of ads on it for other websites or unrelated services, that's usually a big red flag for a lot of reasons. One being, it's probably some small, fly-by-night thing that's trying to fake itself as being something important, but they also try and put those ads there to lure people into making some free money for them on the side. Legitimate vendors don't tend to put ads for other ventures on their site. Also, another red flag is when they’re asking for information other than what's absolutely necessary. So, you know, you're going to need to give your name, your address, and some payment info. But if people start asking for a date of birth, social security number, favorite things, where you went on your last vacation—that's a big no-no, and they shouldn't be doing it. They don't need the information. And quite honestly, they're just going to turn around and sell it. So it's better that you bow out quickly if you start seeing that going on.
AF: So first, we've got to trust but verify—or no trust, just verify—to make sure that something is legitimate. Then making sure that you've done some of the mitigations that are in place, like using the credit card versus debit, and so on. This idea of making sure that we proactively don't put information out there that we don't need to ... Say we've done the purchase of something and we've bought it and it's come to our house; it was legitimate and it shows up. What are some security things we should think of once something comes in the house? We open it up. We take it out, put the batteries in, we charge it, we plug it in. What are some takeaways we should be giving people for all these holiday gifts?
DL: Well, can I back up just a little bit? I would like to talk about when it arrives at your house because there are some things that you should be doing there, too. When you buy packages, try and make sure that, if there's an option, you get non-disclosing packaging. If you're going to buy a 72-inch television, it shouldn't have a big picture of the new television you just purchased on it, particularly if it's going to sit on your front porch—which is also not where you should have your packages delivered to. Because people driving down the street—and this happened a lot last year—people would literally drive down the street following the FedEx truck, and whenever they delivered something interesting, they get out and take the package and go away. A lot of people now have either Ring cameras on their doors or an IP camera system to watch. That's not a bad idea, but it's just as easy to say to your delivery company, "Hey, could you deliver this to the side of my house?" And there's always an option for delivery instructions, so you should try and exercise those kinds of cautions. Just like after the holiday, when you've unpackaged your new, glorious "insert thing here," you probably shouldn't put that box all by itself sitting out on the curb. It's an advertisement to criminals that, "Hey, I got this new crap, and if you want it, it's here." So you should break down your boxes and not store them in public places until they get picked up.
AF: Darian, if everybody else wants to try to steal my daughter's LOL dolls, it's totally fine. I'm okay with that one. I hope we can get rid of all those dolls someday.
DL: I'm not so much worried about the dolls as, like I said, the big ticket items: televisions, computer systems, gaming systems, and particularly hot items, right? Those are the things that you're going to want to break down the box and cut them up and bundle them together. Put them out when you do your recycling or trash, just so you're not advertising. Cellphones, also, are a really great thing that people are looking for. A small box that has Verizon written all over the outside of it is an obvious take because it can be quickly resold on the dark web.
AF: Okay, so going back now, we know how to be more secure whenever you're shopping, be secure when you're ordering, when you're buying, when it comes to you. So then, once it comes inside that door, what should we be thinking?
DL: I've got lots of thoughts. I think that IoT is probably the worst mistake humanity has ever made, but I'll keep my personal thoughts there to a minimum and just say that most products today, if we can slap a microcontroller in them, we do. Why? Because microcontrollers cost two to three dollars. We can put a ton of flashy, blinky LEDs, which make everybody happy for some reason. And we give it internet connectivity, particularly wireless internet connectivity. And so that way, devices can be smarter and do more things. So you have to remember that when you buy a device, you need to read the setup instructions carefully and make sure that you understand how whatever it is you purchased is going to communicate with other devices that you own, how it's going to interact with your network, and what is going to reach outside your house. People now have smart refrigerators and they have smart toilets and they have smart ovens—
And all these things have web interfaces on them. And so if you don't protect yourself and you don't know what it's doing, do you really know where you're opening yourself up for attack? Secondly, you need to maintain your internal network correctly, so you should assign static IPs to crazy devices that you buy. That way you know what that device is doing, and you can quickly track that traffic back to the thing that's doing it and understand anything anomalous and where it might be coming from. There's also a lot of other network configurations you may want to consider. You may want to put these devices on a separate VLAN or a different IP range so that they can only talk to each other, or just talk to the outside and not do anything else in your house. Because I personally have a lot of devices of my own—I have an Apple TV and that talks very loudly and it tries to connect to everything and it talks in Bluetooth and in wireless. And my cellphone wants to talk to all these devices. And I have some color lights that I use for backlighting the television itself. And so that wants to talk, and the game machine wants to talk. And the Oculus headset for VR is a big, popular item this year, and so that wants to talk to everybody. So these things, when they start to interact, are how more and more information about a person can be gathered. That's why you want to make sure that you have control of the communication—what it's talking to, when it's allowed to talk. At three in the morning, you don't suddenly want your game machine to become talkative if you're not playing at three in the morning. That's a bad sign.
AF: I feel like this is where we get into this conversation about things. We have a lot of smart devices in our homes. Which ones are more sketchy than others that you have to be prepared for? I would actually say it's about the source. I feel like there's a supply chain question you have to ask yourself. If you order something and it comes from some unknown entity and then you put it on your network, and all of a sudden it's like, "Hey, this really weird device just showed up that's all random numbers and letters!" and "Hey, that doesn't sound like that came from a great source!" That’s a flag. So supply chain review—we do that in a work environment, and you should do that for your own environment as well.
DL: But see, that's the problem, right? People get into the holiday shopping and they're like, "Hmm, I really want a new device, but the Oculus costs too much. But there is this thing over here called third IVR made in China with some funky company name that costs half, and it says it does all the same things. So I'm just going to get that and it's on Amazon, so it must be legitimate." And that right there is the downfall, right? Because it's on Amazon, and I have been getting more and more of these knockoff Chinese brands recommended to me on Amazon than anybody else. And I'm like, "Oh my God, I would never bring that into my house."
AF: I think that's what social media has done. That's changed the realm over the last five, 10 years. Now when you go onto any of these different sites, you're being inundated with things, with the holidays, that they're pretty sure you're going to buy. They know enough about you with that algorithm you were talking about that they are pulling information that's very tailored to you. Really random? I have a 10-year-old who has been asking me for a punching bag other than his eight-year-old brother, and so I get it. He wants a punching bag. Well, let me tell you, this bootcamp/fight club thing with the punching bag and the gloves and stuff like that, it is on every site that I go to right now. There's no question, as my husband loves to say with the conspiracy theories, they're listening. And they are in it to make sure that you're going to get something for the holidays. They're trying to make sure you've got that best experience. But the reason I don't buy it, the reason I don't purchase it ... I don't know the sources. I don't know where that's coming from, and I'm not bringing that into my house. Like you said, I wouldn't do it. It's not about the where, it's about the establishment of a company, and so it's not about what country it comes from or et cetera. But if it's an established company, they probably are in adherence with regulations, privacy, et cetera. They know how to be more careful with security, potentially.
DL: They're also not looking for the cheapest part. And so when you think about these devices, they really aren't getting microcontrollers that are IP-enabled. And so you don't want the 50-cent part that comes out of China. That's a knock-off of the $3 version of the same part that comes from Atmel. Is it produced in China as well? Absolutely. But it's the manufacturing and how it's engineered into a system that actually makes sense. And it's tested rather than somebody who just saw this product and said, "Hey, we can duplicate that for half the price. And here's where we'll shave that money off." And so that's where the danger comes in, and established companies really do a good job of avoiding that.
AF: Yeah, I think I'd add on there, also making sure that you reconfigure it from not using default information. That default stuff is what really gets a lot of people. When they get something, they're like, "Oh, okay, get it up and running as fast as possible, either for yourself or for a kid or whomever." And you're like whoa, whoa, hold on. We should definitely reconfigure that password.
DL: Yeah. As soon as you plug something in, go to the manufacturer's website and see if there's firmware on the device that you can update. And as soon as you get that firmware and you get it updated, add yourself a monthly calendar reminder to go back and check that firmware regularly. Change the default password. Don't use "admin" and then a password if you can help it, right? "Admin" is a very common account, and people will try dictionary attacks against the admin account because it's commonly used. If you can use a different administrative username then change that, too. A lot of routers are a particularly good example of this, where they'll have an admin account and default credentials on them. They don't expect you to change them when you buy a router, say, or lease a router from AT&T or Comcast or Spectrum or whoever your internet provider is. Frequently, those will come with default SSIDs, default passwords for the wireless, and default passwords for the router itself. You should change all those things. You should make complex passwords the same as you do everywhere else.
"Oh, but there's so many passwords; I can't remember them all!" I love that excuse. There are password managers and they're very inexpensive, and you can have a different password for everything and you don't have to remember it. I use Dashlane personally, but LastPass and 1Password are really great products. Easy to get, easy to use, and they work on everything you have. Mine works on my phone, my iPad, my computers, both Mac and PC. No problems keeping everything secured, and they have additional features where you can go to auto-reset passwords frequently and keep everything up to date and in the password sphere. Once you keep the firmware updated, keeping the password updated is another thing. Passwords may go away at some point in the future, right? As we move more to a no-trust kind of world. But in the meantime, we still have to maintain those, and they're going to be around for a long time.
AF: They are ... I mean, it does take us a long time in security to update to different things. I imagine the adoption cycle will be slow. Sounds like a few things that we've seen over the years, but ... Well, Darian, my biggest takeaway from the whole conversation that we've had is very similar to every conversation that we've had so far in the sandbox. It's that what takes your online shopping security presence or your organization's security posture from okay to good or from great to outstanding is the actions an individual can take. Their preparedness to decipher right from wrong, or that something feels like it isn't right.
So while people definitely are an organization’s number one security risk—we see that all the time—we believe that they're the strongest link in the chain as well. And we've got a lot more to share on that!
Surprise! We're going to spend more time on this and how to strengthen that strongest link through technology next season. We'll explore how to maximize people's potential through meaningful use of technology and process, creative, compassionate education, and a conviction that there is room for taking risk in security.
Thank you for spending season one with us in the sandbox. I'm really excited to have you join again next year. We've got a few new tricks up our sleeve that you won’t want to miss, including an awesome new partnership with CyberWire Network. Please subscribe to stay updated on new episodes. In the meantime, if you're finding yourself bored during holiday travels or you need a 20-minute break from the festivities, check out some past episodes. We'd also love to hear from you! Which episode did you love the best? What was your favorite takeaway from the season? And share your review on Apple Podcasts. I hope everyone has a very happy, healthy and, most of all, secure new year. We'll talk to you soon.
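The home-network advice in the conversation above (a static IP for every gadget, a separate VLAN so devices only talk to each other or to the outside, and a game console that becomes talkative at three in the morning being a bad sign) turned into a small audit, as an added example that is not part of the podcast or any Relativity code. The VLAN ranges, the device inventory with its expected active hours, and the flow-log lines are all constructed assumptions.

```python
from datetime import datetime
import ipaddress

# Assumptions (not from the podcast): gadgets live on their own VLAN with static
# IPs, laptops and phones live on the home LAN, and the router exports flows as
# "timestamp src dst bytes" lines.
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Inventory of the static IPs you assigned, with the local hours (24h clock)
# each device is expected to be chatty. Constructed values.
INVENTORY = {
    "192.168.50.10": ("apple-tv", range(17, 24)),
    "192.168.50.11": ("game-console", range(16, 23)),
    "192.168.50.12": ("vr-headset", range(18, 23)),
}

# Constructed flow log: the console phoning out at 03:02, the VR headset
# reaching a laptop on the home LAN, and an address nobody assigned showing
# up on the IoT VLAN ("this really weird device just showed up").
SAMPLE_FLOWS = """\
2021-12-24T19:05:12 192.168.50.10 17.253.144.10 48211
2021-12-25T03:02:41 192.168.50.11 203.0.113.77 5120
2021-12-25T20:14:03 192.168.50.12 192.168.1.23 912
2021-12-25T20:15:30 192.168.50.99 198.51.100.5 7000
2021-12-25T20:16:02 192.168.50.10 192.168.50.12 300
"""

def parse_flow(line):
    """Split one flow line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(nbytes))

def check_flow(ts, src, dst):
    """Return (device, reason) findings for one flow sourced on the IoT VLAN."""
    if src not in IOT_VLAN:
        return []                      # only policing the gadgets here
    entry = INVENTORY.get(str(src))
    if entry is None:
        return [(str(src), "unknown device on IoT VLAN")]
    name, hours = entry
    findings = []
    if dst in HOME_LAN:                # gadgets should never reach the trusted LAN
        findings.append((name, f"talked to home LAN host {dst}"))
    if dst not in IOT_VLAN and ts.hour not in hours:
        findings.append((name, f"external traffic at {ts:%H:%M} outside expected hours"))
    return findings

def audit(flow_text):
    """Run check_flow over every non-empty line and collect the findings."""
    findings = []
    for line in flow_text.splitlines():
        if line.strip():
            ts, src, dst, _ = parse_flow(line)
            findings.extend(check_flow(ts, src, dst))
    return findings

if __name__ == "__main__":
    for device, reason in audit(SAMPLE_FLOWS):
        print(f"{device}: {reason}")
```

Because the inventory is keyed by the static addresses you handed out, every finding names the physical device rather than a DHCP lease that changed last week.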