Posted on

Safer Home Networks

As each day passes, home network security becomes more important for many of us. Working from home in the pandemic lockdowns boosted home networks from conveniences to necessities. Although returning to the office is now considered safe, many of us have discovered that we prefer to work from home some, if not all the time. Savvy employers have begun to insist on security standards when home networks are used for work and those of us who are self-employed at home must tend to our own safety.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Much can be done to increase safety. A key network security principle is network segmentation.

Segmentation is a cybersecurity concept derived from the same principle that governs ships built with watertight compartments. If a single compartment springs a leak, the ship still floats. If the security of one network segment is breached, the rest of the network is still safe.

Businesses and other organizations have long practiced segmented physical security. All employees may have a key or code to open the employee entrance, but smart organizations have separate keys for each department. Widely distributing keys that open all the locks in the business are dangerous. A criminal or rogue employee with the key to everything can steal everything.

In a typical physically segmented business, one section of the office is accounting. Only people from the accounting department have keys to accounting offices. Only shipping employees have access to the shipping room and warehouse, only some shipping staff have keys to the warehouse. And so on.

Risk averse businesses segment their computer networks in the same way. Typically, an air-conditioning technician will not be able to access accounting files, nor will an accountant have access to heating and air-conditioning controls. Unsegmented networks have been the scenes of devasting attacks, such as the Target heist of a few years ago in which an air-conditioning subcontractor’s account was used to steal customer credit card information. A better segmented network would have prevented that catastrophe.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Folks may remember that in the dark days before we were touched by the wireless light, each computer in the house had a modem attached to a phone line. While the computer modem was connected, anyone who picked up a phone was treated an earful of painful screeches. Compute intensive households had separate phone lines for each computer. DSL (Digital Subscriber Line), which is still around but no longer as common, got rid of the necessity for separate phone lines and introduced routers to home computing. The day you install a home router, you have a home network.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration.

I remember well when we got our first DSL modem and wireless router. How luxurious it felt to wander into the living room in stocking feet, sit down on the couch, and connect to the office on a laptop without plugging anything in. Never mind that it was the beginning of twenty-four-seven working days for many of us. Now broadband connections via cable or fiber often replace DSL for higher bandwidth connections but the home wireless router still prevails.

Critical Changes For Home Networks

  • Everyone, including the kids, now have smartphones that pack a computer considerably more powerful than the beige box home desktop computers that started home computing. Smartphones connect to home wireless routers whenever they have the chance.
  • Homes have embraced the “Internet of Things” (IoT). We now have doorbells, entrance locks, and security and heating systems that connect to our wireless routers so we can control them remotely through our smart phones.

At our house, the refrigerator, the kitchen range, and the microwave all want to connect to the world wide web. Network-connected speakers like Amazon Alexa, home entertainment systems, and health monitors are now common.

For the last decade, one of the cheapest and easiest features to add to a household appliance has been an interface for remote control via an app on a smartphone. Too often, these devices are from product designers with scant training in network security. Many of these devices are easily hacked. A hacker thief might use your internet connected video doorbell to detect when you are not at home and break and enter your house while you are away. Your smart lock might just pop open when the thief arrives.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration. A segmented network protects each segment from damage from other segments and each segment can be configured to permit activities that could be dangerous in other segments.

Typical Home Network Segments

Cyber security experts agree that typical home networks, especially when residents work from home some of the time, would benefit by dividing the network into at least three segments: 1) home computing, 2) Internet of Things (IoT), and 3) guests.

The home computing segment is a home network before our computing life got complicated. It contains the desktops, laptops, tablets, and phones of the primary residents. Within this segment, peripherals such as files and printers can shared, and, when necessary, one computer can access another within this segment. Most people keep their email, financial records, and financial accounts here. For a writer like me, my manuscripts are stored locally in this segment. The segment often holds home business records. For folks with online storefronts, they administer their storefront and access their business records through this segment.

The IoT segment is the wild west. The devices there are not quite trustworthy. It’s bad enough that a criminal might hack into your smart doorbell, but giving the miscreant access to your bank account and business documents doubles down on trouble. Isolating this segment allows you to take advantage of the convenience of networked devices without quite opening a vein in your arm for the crooks.

The guest segment is valuable when you have teenagers in the house who bring in friends. Sharing internet connections with visitors is basic hospitality these days, but keeping your home network secure can be a problem. You may not mind sharing your network password with your brother, but you have to worry about your kids’ squirrelly friends who just might leave their smartphone with access to your home network on a park bench or in the video arcade. Worse, even good kids might use the colossal bad judgement of adolescence to hack your system just to see if they can.

Even if kids don’t visit, you can’t be sure that all your friends are as careful as you are about keeping phones free from dangerous apps and criminal bots waiting to rob your network blind. A network segment with a special password that permits connections with the outside world, but not to the devices in your home, protects you from the mistakes of your guests.

Next Steps

In the best of all worlds, I would now give you quick and easy instructions for implementing a segmented home network. I can’t. The market is still catching up and implementing a segmented home network is not simple enough to describe here. For our house, I have a jury-rigged setup that reuses an old router and a network switch that I happened to have lying around. I did some fancy configuration that I would not wish on anyone but myself.

For most people, investing in professional help may be the solution. Expect to pay for some new equipment. If you want to try setting up your own segmented network, this link contains some specific information: An Updated Guide to Do-It-Yourself Network Segmentation . I caution you that newer hardware may be available but the link will get you started.

You’ll end up with a password for each part of your home network, but you will be safer.

Posted on

Malware On Apple

Toto, I’ve a feeling we’re not in Kansas anymore

Mac fans and Apple marketing used to say Macs were immune to computer viruses. That was never entirely true, but it was mostly true. Users of Apple products really had fewer virus and malware issues.

But the landscape has evolved. Apple security incidents have gradually increased. In early February this year, 2022, the Microsoft 365 Defender Threat Intelligence Team, Microsoft’s crack computer security group, posted an analysis of a Mac trojan, a malicious software that looks innocent. The malware is surprisingly sophisticated. As it has grown in the wild, it has continually grown more malicious. This report on the Mac trojan signals the new world of Apple security.

Don’t be naïve. Everything in tech is touched by marketing. Microsoft fired this shot to convince system administrators that connecting Apple devices to Microsoft server systems can make Apples safer. You can take that claim for whatever a competitor’s claim is ever worth. The report is reliable, but it goes down best with a grain of salt.

Apple has left the farm in Kansas. It’s time to take Apple viruses and malware seriously.

History and Relationship with the Past

From the late 1980s on, Apple equipment was strong in niches like education and graphic design, but Microsoft was orders of magnitude more popular in typical homes and businesses, mostly because tons of Windows compatible software ran on cheap generic PCs from competing hardware manufacturers like Lenovo, Dell, and HP.

Apple focuses on user-friendly, high-end, premium products. They released the first commercial graphic all-in-on computer, the Macintosh, and followed it up with a string of top-shelf innovative products like the iPod, iPhone, and iPad as they continually improved their line of premium desk and laptop computers. This winning strategy eventually made them the most profitable company on earth.

Microsoft, on the other hand, has striven for a wide variety and high volume of useful products on competitive generic hardware. Clearly not a losing strategy: they became the second most profitable company on earth.

Security Through Obscurity

For years, choosing quality over quantity indirectly improved Apple’s reputation for security. Until recently, breaking into an Apple product was not an attractive project for most hackers.

Breaking into a computer system is easier than it ought to be, but it still requires time, effort, and risk. Given a choice between developing a technique for penetrating a Microsoft Windows system and an Apple system, hackers regularly chose Microsoft because the large Microsoft user base increased the chance of finding a juicy victim.

Security types call this “security by obscurity.” However, avoiding attention to avoid attack no longer helps after the victim engages an attacker’s attention.

In the last decade, Apple’s enormous success has blown away its obscurity. Now hackers see juicy Apple targets and are out to snag them.

Unix Roots

Microsoft has cleaned up its act considerably in the last decade, but early on, they had a dismissive attitude toward security. Windows developers and their predecessor DOS developers assumed that a personal computer was a standalone appliance like a toaster or a steam iron.

Securing a standalone PC meant locking the door to the office, chaining PCs to desks, and locking their cases. In those days, a physical hard drive was thought more valuable than the data it contained.

Microsoft took a long time to recognize that a PC connected to a network requires a different kind of security.

Meanwhile, the rising tide of hackers grew into a dark industry devoted to raping and pillaging Windows installations. Eventually, Microsoft realized they had to do something, and they have, but they’ve played a lot of catch-up.

Apple developers may have been slightly more aware of the dangers, but their “security by obscurity” cloak obscured impending threats.

Even so, Apple made a sound engineering decision a few years ago: instead of continuing to develop their proprietary standalone operating system, they adopted a variant of Unix, the open-source operating system long favored by academic, engineering, and enterprise developers. The popular open-source operating system, Linux, is also a Unix variant.

Disclosure: I am a dyed-in-wool and unreconstructed Unix programmer.

Unlike Windows, whose roots are in stand-alone PCs, Unix was designed for multiuser computers, and, more significantly, heavily used in colleges and universities as a teaching tool. AT&T developed Unix and then offered it as a royalty-free product to educational institutions for a small administrative fee. In those days, almost all software included source code. Universities were not allowed to distribute the source code or their work built on Unix, but they retained rights. Consequently, Unix was widely adopted by university computer science departments. This was a boon to Unix security.

I was one of the computer rats who hung out in the Western Washington University computer center in the middle of the night studying Unix and trying to break into the university multiuser system. We weren’t criminals, just inquisitive and rambunctious college students. While Windows and DOS basked in single user isolation, my cohort in university computer science programs all over the world pored over source code and beat the hell out of Unix. We learned a lot, and our archenemies, the sys admins, often other students, also learned. The upshot was Unix security systems, both code and administrative practices, were scrutinized and hardened.

When Apple made the momentous decision to replace their proprietary operating system, they became the beneficiary of all the prodding and testing my friends did in the 1980s and 90s. By adopting Unix, Apple acquired an operating system that had security pounded into its foundations—a much better position than the Windows security features bolted onto a gradually hardening insecure foundation.

So. Yes. Apple products are inherently more secure than Windows. But not much. And possibly not any longer. Microsoft, by no means a cluster of idiots, has worked hard to secure their products.

Keep in mind that secure is always a relative statement. When a professional says a system is secure, it’s a form of bluster that braces their self-confidence. A system may be more secure than others, but it’s only harder to break, not unbreakable.

Apple’s operating system is harder to hack into than older versions of Windows, but Windows today is orders of magnitude more secure than Windows of a few years ago. At the same time, Apple’s sharp engineers have only recently stepped into the target zone. They have their own catch-up game to play.

Scope

The Mac trojan Microsoft reported on began as a basic data theft exploit in late 2020. Apparently, the exploit begins like most hacking ventures: with an email that tricks an insider into letting a miscreant in. The exploit became more sophisticated over time. When the malware was first installed, it only transmitted basic system information to a master server. Over the next year, new capabilities were gradually added to the basic exploit and the malicious bot (the trojan acting as a robot under hacker remote control) started downloading installable applications.

Macs have mechanisms for preventing installation of untrusted software. The bot gained the capability to circumvent the protection. Then it began collecting and exporting more information and running code with root privilege, which is the highest level of privilege in a Unix system. For self-defense, the bot began removing and renaming the files it installed to thwart antimalware utilities that search for characteristic files to detect malware. It also started injecting ads into webpages.

I’m not going further into the details of the Mac trojan. Go to the Microsoft site, or take a look at this list of macOS malwares.

Counter Moves

I recommend that all Apple users begin to follow the basic rules of computer hygiene if they don’t already. Follow them carefully and the chances that you will run into trouble will shrink drastically. These are the rules I follow for myself. The last time I was hacked, knock on wood, I was running Windows XP.

The Rules

One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way with the skills of a con artist, not computer skills or knowledge. For example, some clever hacker impersonates your boss on the phone and asks you to email a list of employee usernames and passwords to an odd address. Clearly a dangerous request. Check it out before you comply.

Or someone claiming to be your favorite niece calls from Waco asking you to give her access to your Amazon account because she’s in a jam. Or you get a phone call from Apple asking for your account password. Don’t get rooked by liars and imposters.

These cons are called “social engineering.” Their intent is to trick you into opening the door to a hacker.

Two

Avoid dodgy websites. You know which sites. The ones that appeal to base instincts or offer something too good to be true. Super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Click on one of those kind of web sites and you can lose more than your time and money; you could also infect your computer with nasty malware that will hurt for months to come if the infection is not promptly detected and removed.

Three

Be careful with downloads and installs. The simplest and most effective way to compromise your computer, laptop, tablet, or phone is to install an application that promises to entertain or perform useful work, but also opens your device to exploitation. During an install, your computer is a patient on the operating table whose heart is in the hands of a surgeon. If the surgeon is a crook, your computer is defenseless.

To protect yourself, get your apps from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. Before you install, check the reviews and the reputation of the developer on the network. Avoid being the first to install a new app. Always download from secure (HTTPS) sites.

Get your hardware drivers directly from your operating system and device manufacturer sites. If you can’t avoid a third party site, research them thoroughly. I often go to Toms Hardware for driver information.

Four

Scan regularly for malware. Apple now has malware scanning (antivirus) built in. In addition, third party anti-malware tools are available for Apple. Almost all are effective when used properly.

Anti-malware tools are fiercely competitive, and the malware landscape changes daily. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans.

Choose a malware scanner with a solid reputation. These scanners are uniquely well-positioned to mess with your device and steal data. Choose a well-reviewed scanner from a reliable source. Some popular scanners have been accused of questionable practices.

When you have chosen a scanner you trust, accept updates and run scans often.

Five

Keep your operating system and apps patched. Hackers are always looking for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Turn away the invaders before they get in.

Automatic updates may be annoying, but the benefits outweigh the trouble. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that happens less as the sources get better at patching, and a botched patch is usually far less damaging than a successful attack.

Six

Use strong passwords. Password cracking is more sophisticated today than when the old rules were written. Long (sixteen characters or more) random passwords are still difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. I like memorable nonsense phrases like ‘MyPetRockSaysHi!’.

A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the worst breaches in recent years have been based on duplicated passwords.

Current opinion is now that changing passwords frequently is counterproductive because it leads to weaker and duplicated passwords. A strong password that has never been revealed or compromised does not ever need to be changed.

Multi-factor authentication (MFA) is now common. Use it in addition to a password. Multi-factor authentication is harder to hack than the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low.

The strongest multi-factor systems use an app generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account should always use multi-factor authentication.

The Future

More secure platforms are possible in the future because the many platforms of today were naively designed without much thought to the potential for abuse.

Bitter experience has burned off the naiveté. Computer security will always be a challenge because computing systems are maddeningly complex. Developers and designers will never be able to foresee every security flaw.

In the early days of our current computing platforms, software developers did not think much about security. The goal was to build a network to interconnect systems and make them reachable, not put up barriers to access. In retrospect, that was jaw-droppingly naive. The hackers of today still take advantage of that naiveté.

Fortunately, the industry is wiser now.  With new attitudes, improvement is possible.

I must credit my Whatcom County Library System friend, Neil McKay and computer communications expert, Steve Stroh, for their substantial help.

Posted on

Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet. More with special equipment, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s half way to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.
Posted on

BYOD- The Agreement

BYOD, Bring Your Own Device, is important, but it has its growing pains.

BYOD is, in a sense, a symmetric reflection of enterprise cloud computing. In cloud computing, the enterprise delegates the provision and maintenance of backend infrastructure to a cloud provider. In BYOD, the enterprise delegates the provision and maintenance of frontend infrastructure to its own employees. In both cloud and BYOD, the enterprise and its IT team loses some control.

BYOD has issues similar to the basic cloud computing and out-sourcing problem: how does an enterprise protect itself when it grants a third party substantial control of its business? For cloud, the third party is the cloud provider, for out-sourcing, it is the out-sourcer. For BYOD, it is the enterprise’s own employees.

Nevertheless, enterprises have responded to BYOD and cloud differently. When an enterprise decides to embark on a cloud implementation, it is both a technical and a business decision. On the technical side, engineers ask questions about supported architectures and interfaces, adequate capacities, availability, and the like. On the business side, managers examine billing rates and contracts, service level agreements, security issues and governance. Audits are performed, and future audits planned. Only after these rounds of due diligence are cloud contracts signed. Sometimes the commitments are made more casually, but best practice has become to treat cloud implementations with businesslike due diligence.

On the BYOD side, similar due diligence should occur, but the form of that due diligence has yet to shake out completely. A casual attitude is common. BYOD is a win on the balance sheet and cash flow statement and a spike in employee satisfaction. This enthusiasm for BYOD has meant that BYOD policy agreements, the equivalent of cloud contracts and service level agreements, are not as common as might be expected.

This is understandable. The issues are complex. BYOD becomes safer for the enterprise as the stringency of the BYOD policy increases. However, a stringent policy is not so attractive to employees. It can force them to purchase from a short list of acceptable devices with an equally short list of acceptable apps, accept arbitrary scans of their device, and even agree to arbitrary total reset of the device by the enterprise. With this kind of control, employees may not be so enthusiastic about BYOD. At the same time, privacy issues may arise and there is some speculation that some current hacking laws might prevent employers from intruding on employee devices.

There are also complex support issues. Must the employer replace or repair the employee’s device when the device is damaged on the employer’s premises while performing work for the employer? This situation is very similar to a cloud outage in which the consumer and provider contend over whether the cause was the consumer’s virtual load balancer or the provider’s infrastructure that caused the outage. In the cloud case, best practice is to have contracts and service level agreements that lay down the rules for resolving the conflict. BYOD needs the same. The challenge is to formulate agreements that benefit both the enterprise and the employee.

In my current book and in this blog, I talk about some of the complexity of BYOD, how it complicates and challenges IT management. BYOD is a challenge, but it does not have to be the tsunami.

Some key questions are

  • How much control does the enterprise retain over its data and processes?
  • What rights does the enterprise have to deal with breaches in integrity?
  • What responsibility does the enterprise have for the physical device owned by the employee?

There are reasonable answers for all these questions although they will vary from enterprise to enterprise. When the answers take the form of signed agreements between the enterprise and the employees, IT can begin to support BYOD realistically. Security can be checked and maintained, incidents can be dealt with, and break/fix decisions are not yelling matches or worse.

With reasonable agreements in place, BYOD support can get real. There is more to say about real, efficient BYOD support that I hope to discuss in the future.