Sure, you want to start using that new webcam right out of the box, but there’s an extra step you should take before you connect it to your home network and expose it to the Internet. Many connected devices come with factory settings for the user names and passwords, such as admin and 1234 or something just as simple. Many users don’t bother to change them. That’s how the Mirai malware was used in October to mount the largest distributed denial of service (DDOS) attack to date and shut legitimate users out of top sites like Twitter and Netflix. That attack targeted the Dyn domain name service provider, which helps to shuttle traffic around the Web.

DDOS attacks seek to overwhelm sites with requests. By targeting a service that sends traffic to other sites, the attack was able to jam up some of the most popular sites.

The malware allows hackers to search the Web for connected devices whose user names and passwords haven’t been changed from the factory defaults and to take them over. Infected devices, known as bots, can be ordered to mount attacks without the owner’s knowledge. Hackers may command so-called “botnets” comprising tens of thousands of compromised devices. Botnets were formerly assembled with infected personal computers, but the explosion of Internet-connected devices—and better security practices among computer users—has made the Internet of Things the new target. Changing the factory default user names and passwords on your

Internet-connected devices can make life a little harder for Web criminals and keep your device from being drafted into a zombie botnet army.

The Department of Homeland Security suggests keeping the software up to date on all your Internet-connected devices and making sure your home wireless network stays secure.

Another growing security concern: voice-activated devices. It turns out digital assistants like Amazon’s Alexa, Apple’s Siri and Android devices using Google Now are perfectly happy to talk to strangers—and maybe do their bidding.