Safer Home Networks

As each day passes, home network security becomes more important for many of us. Working from home in the pandemic lockdowns boosted home networks from conveniences to necessities. Although returning to the office is now considered safe, many of us have discovered that we prefer to work from home some, if not all the time. Savvy employers have begun to insist on security standards when home networks are used for work and those of us who are self-employed at home must tend to our own safety.


Much can be done to increase safety. A key network security principle is network segmentation.

Segmentation is a cybersecurity concept derived from the same principle that governs ships built with watertight compartments. If a single compartment springs a leak, the ship still floats. If the security of one network segment is breached, the rest of the network is still safe.

Businesses and other organizations have long practiced segmented physical security. All employees may have a key or code to open the employee entrance, but smart organizations have separate keys for each department. Widely distributing keys that open all the locks in the business is dangerous. A criminal or rogue employee with the key to everything can steal everything.

In a typical physically segmented business, one section of the office is accounting. Only people from the accounting department have keys to the accounting offices. Only shipping employees have access to the shipping room and warehouse, and only some shipping staff have keys to the warehouse. And so on.

Risk-averse businesses segment their computer networks in the same way. Typically, an air-conditioning technician will not be able to access accounting files, nor will an accountant have access to heating and air-conditioning controls. Unsegmented networks have been the scenes of devastating attacks, such as the Target heist of a few years ago in which an air-conditioning subcontractor’s account was used to steal customer credit card information. A better segmented network would have prevented that catastrophe.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Folks may remember that in the dark days before we were touched by the wireless light, each computer in the house had a modem attached to a phone line. While the computer modem was connected, anyone who picked up a phone was treated to an earful of painful screeches. Compute-intensive households had separate phone lines for each computer. DSL (Digital Subscriber Line), which is still around but no longer as common, got rid of the necessity for separate phone lines and introduced routers to home computing. The day you install a home router, you have a home network.


I remember well when we got our first DSL modem and wireless router. How luxurious it felt to wander into the living room in stocking feet, sit down on the couch, and connect to the office on a laptop without plugging anything in. Never mind that it was the beginning of twenty-four-seven working days for many of us. Now broadband connections via cable or fiber often replace DSL for higher bandwidth connections, but the home wireless router still prevails.

Critical Changes For Home Networks

  • Everyone, including the kids, now has a smartphone that packs a computer considerably more powerful than the beige box home desktop computers that started home computing. Smartphones connect to home wireless routers whenever they have the chance.
  • Homes have embraced the “Internet of Things” (IoT). We now have doorbells, entrance locks, and security and heating systems that connect to our wireless routers so we can control them remotely through our smartphones.

At our house, the refrigerator, the kitchen range, and the microwave all want to connect to the world wide web. Network-connected speakers like Amazon Alexa, home entertainment systems, and health monitors are now common.

For the last decade, one of the cheapest and easiest features to add to a household appliance has been an interface for remote control via an app on a smartphone. Too often, these devices are from product designers with scant training in network security. Many of these devices are easily hacked. A hacker thief might use your internet connected video doorbell to detect when you are not at home and break and enter your house while you are away. Your smart lock might just pop open when the thief arrives.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration. A segmented network protects each segment from damage from other segments and each segment can be configured to permit activities that could be dangerous in other segments.

Typical Home Network Segments

Cyber security experts agree that typical home networks, especially when residents work from home some of the time, would benefit from dividing the network into at least three segments: 1) home computing, 2) Internet of Things (IoT), and 3) guests.

The home computing segment is a home network before our computing life got complicated. It contains the desktops, laptops, tablets, and phones of the primary residents. Within this segment, resources such as files and printers can be shared, and, when necessary, one computer can access another within this segment. Most people keep their email, financial records, and financial accounts here. For a writer like me, my manuscripts are stored locally in this segment. The segment often holds home business records. Folks with online storefronts administer their storefront and access their business records through this segment.

The IoT segment is the wild west. The devices there are not quite trustworthy. It’s bad enough that a criminal might hack into your smart doorbell, but giving the miscreant access to your bank account and business documents doubles down on trouble. Isolating this segment allows you to take advantage of the convenience of networked devices without quite opening a vein in your arm for the crooks.

The guest segment is valuable when you have teenagers in the house who bring in friends. Sharing internet connections with visitors is basic hospitality these days, but keeping your home network secure can be a problem. You may not mind sharing your network password with your brother, but you have to worry about your kids’ squirrelly friends who just might leave their smartphone with access to your home network on a park bench or in the video arcade. Worse, even good kids might use the colossal bad judgement of adolescence to hack your system just to see if they can.

Even if kids don’t visit, you can’t be sure that all your friends are as careful as you are about keeping phones free from dangerous apps and criminal bots waiting to rob your network blind. A network segment with a special password that permits connections with the outside world, but not to the devices in your home, protects you from the mistakes of your guests.

Next Steps

In the best of all worlds, I would now give you quick and easy instructions for implementing a segmented home network. I can’t. The market is still catching up and implementing a segmented home network is not simple enough to describe here. For our house, I have a jury-rigged setup that reuses an old router and a network switch that I happened to have lying around. I did some fancy configuration that I would not wish on anyone but myself.

For most people, investing in professional help may be the solution. Expect to pay for some new equipment. If you want to try setting up your own segmented network, this link contains some specific information: An Updated Guide to Do-It-Yourself Network Segmentation. I caution you that newer hardware may be available, but the link will get you started.

You’ll end up with a password for each part of your home network, but you will be safer.

Password Managers

Why use a password manager?

In an earlier post, I recommended strong unique passwords for all accounts, which is good advice, but hard to follow.


Today, most people have hundreds of online accounts ranging from old hobby accounts they haven’t signed on to for years to financial accounts that control their life’s savings. Maintaining strong unique passwords on all those accounts can be a nightmare. The worst part is that some of those old accounts may have pitifully weak security. A criminal targeting a weak site could grab your password. If you happen to have reused that password for your savings account, you could fall into a real mess causing substantial loss or embarrassment.

As an aside, rather than manage the passwords of old, unused accounts, it’s easier and safer simply to close the accounts.

My evolving password management systems

Thirty years ago, I kept a list of passwords in a private notebook.

Those were the days when conscientious IT administrators forced new passwords on you every month and ordered you not to write them down. Yeah. Right. My limited memory for random facts has little room for passwords. It was either a notebook or never get any work done.

At that time, I was a contract software engineer at Boeing. Enough time has passed that I can tell you what happened in the epic password battle between the engineers and the IT admins. Programmers find ways around passwords. Not nearly as many ways now as thirty years ago, but given time and motivation, they find ways. The engineers had a workaround for every password in our division of Boeing Computer Services. Maybe there still is. When I moved on to a startup, secret workarounds remained in place.

This is the lesson that DHS and NIST took to heart when they relaxed best practices for passwords, as I described in my Password Bliss post.

At home, the password notebook for my private desktop was soon cluttered with erased or crossed-out passwords. As I added new accounts, finding them became more and more difficult. I switched to a box of 3×5 cards, which I could keep in alphabetical order, replacing cards as they became illegible with changes. That worked, but the system still took effort and iron discipline to keep current, and, I confess, my stock of iron discipline is smaller than my memory for random facts.

Switching to a manager

Password managers were available, but I resisted using them because I was afraid of putting all my password treasures into one basket vulnerable to a single criminal break-in. Many of my colleagues in the software industry agreed, but now almost all have changed their minds, as have I, because we have concluded that password managers are safer despite being a single point of failure.

Security is always relative. A password manager vendor’s database should be at least as well protected from intrusion as your own system. The password manager should easily provide strong unique passwords for all your accounts and offer easy and convenient access to those passwords to you, your designated agents, and no one else. Reputable password managers meet these criteria and, therefore, I am eager to use them.

Nothing is completely secure, but some situations are more secure than others. If you have a system for managing passwords like my box of 3×5 cards that you can maintain and keep safe without being tempted to reuse passwords or create weak passwords and variants on multiple accounts, stick with what you have. But if you succumb to weak and duplicate password temptations, or you find yourself toting your system to libraries or coffee shops where it could be stolen, a password manager is a safer choice.

I made the decision to switch to a password manager about a decade ago.

Free password managers

There’s a saying “if the service is free, you are the product,” which is supposed to be a warning that free services target ads and outright sell information about you. This is true. But paid services do the same thing. Always check the privacy policy of any computing product you use.


The European Union and some of the states have regulations that require vendors to inform users of some forms of information sharing and allow you to opt out. Because identifying where these laws apply is difficult, vendors almost always follow the most stringent regulations and treat all users the same. Paid does not equal private.

Since password managers hold some of your most private data, caution is required. Check their privacy policies and opt out of those you don’t like when you can.

I’m an insider. I’ve sat on corporate product committees that decided to offer free services to the public. In this age of ultracheap data storage and abundant computing capacity, a business can offer free services to entice you to purchase paid services and still rake in fat profits.

Vendors carefully consider offering free products or services. Generally, selling a service is preferable to selling a product because services are recurring revenue sources. The vendor’s goal is a mix of free features that hook the consumer and paid features that entice the user to upgrade to a profitable paid service. The consumer who can get by on the free subset of features wins big, although they must accept that the vendor will court like a lovesick swain to woo free riders to upgrade. And free riders are always subject to the threat that the free services will be curtailed or eliminated at the whim of the vendor.

Therefore, I’ll readily accept free password managers, although I scrutinize the privacy policy of the service and realize that I may be persuaded to upgrade to a paid service after I start using the free service. This is exactly where I sit now. I started with a free manager and upgraded to paid. Also note that I always check the privacy policies of paid services as well as free services.

In a future post, I’ll go into more detail on how to evaluate password manager features.

Password Bliss

Ah, the blissful days on my first programming job. We had no passwords. A cipher lock on the employee entrance was enough security. Those days are as gone as last winter’s snow days in August.


I don’t know anyone who likes passwords. The best I can say for them is that they protect computer systems better than nothing and they are relatively easy to implement. The truth is that password protected systems are breached all the time. Passwords are better than no protection, but that’s all. Breaking into a password protected system is in the league with hot wiring a 1957 Buick.

The end of passwords has been predicted for decades and the computer industry is inching closer, but I don’t see the end of passwords in sight.

Why? Because the alternatives also have flaws and most have high implementation costs. There are no sudden changes on the horizon. Any transition away from passwords will be gradual. The most likely change is more and stiffer nudges toward multi-factor authentication, the two-step process that is already insisted upon in many high-risk systems. Multi-factor authentication systems, which usually involve your cellphone or email, are annoying but much more difficult to hack than a password alone.

If we are stuck with passwords, we ought to follow practices that increase security and maximize ease of use for users. Fortunately, NIST, the division of the federal Department of Homeland Security that makes recommendations for password security, has noticed that the password policies that annoy users also encourage them to work around the rules, usually in unsafe ways. The most recent recommendations are actually easier to follow than the old rules.

The old rule was to change passwords frequently. That’s out. When people are forced to change their passwords frequently, they resort to common passwords that are easy to remember, use simple spelling variations to reuse passwords, or write them down in obvious places, all of which make password theft easier, not harder.

The old rule about password complexity (a mixture of letters, numbers, symbols, and uppercase and lowercase) is also out. Password crackers know that “$” substitutes for “s” and zero substitutes for the letter “o” and all the rest. Short complex passwords are not much more difficult to crack than an uncommon but short all-lowercase password. Passwords over twelve characters are difficult to crack. Planning and executing a trip to Jupiter probably consumes fewer resources than cracking an eighteen-character password that is not a common phrase.

Therefore, a long nonsense phrase that sticks in your memory is a strong password, unless the phrase is commonly used. A phrase that gets zero hits on a Google search is very safe. When you have a strong password, DHS recommends that you stick with it unless it gets compromised in some way. That long password will make you a tough customer to break.

The rest of the new guidelines are rules for processing and storing passwords that apply to programmers, not end users.

But there is another catch: password spraying. Hackers know that people tend to use the same password on multiple accounts. As soon as a bad guy gets a password, he sprays (tries) it on all your accounts. Most passwords are not cracked; they are obtained by trickery. For example, a bogus phone call from a fake IT guy asks for your password and you give it to him without thinking. The hacker then tries the stolen password and a hundred variations on your bank account within seconds. In order to limit the damage from such a mistake, never reuse the same password or an easy variant on different accounts.
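The length, substitution and variant rules above as an added example that is not from the original post: a Python screen of the kind the relaxed NIST-style guidance calls for, which rejects short passwords, de-leets a candidate before comparing it with a blocklist of common passwords and phrases, and flags easy variants of passwords already in use. The blocklist and sample passwords are constructed; a real check loads a breached-password list.

```python
import re
import unicodedata
from typing import Iterable

# Substitutions crackers already try, mapped back to the letters they stand in for.
# "1" is ambiguous (i or l); "i" is chosen here, so "he11o" will not collapse to "hello".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "!": "i", "1": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "|": "l",
})

# Constructed sample blocklist of common passwords and well-known phrases, stored in
# normalized form. A real check loads a breached-password list of millions of entries.
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "iloveyou", "welcome",
    "tobeornottobe", "correcthorsebatterystaple", "maytheforcebewithyou",
}

MIN_LENGTH = 12


def normalize(pw: str) -> str:
    """Reduce a password to the core a cracker would guess first: lowercase,
    drop appended years/symbols, undo leet substitutions, remove spaces."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"[^a-z]+$", "", s)        # "Summer2024!" -> "summer"
    s = s.translate(LEET_MAP)             # "p@ssw0rd" -> "password"
    return re.sub(r"[^a-z]", "", s)       # "correct horse" -> "correcthorse"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance means a trivial spelling variant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variant(candidate: str, existing: str) -> bool:
    """True when two passwords share the same core after normalization or differ
    by at most two edits, i.e. the kind of variant a cracker tries within seconds."""
    a, b = normalize(candidate), normalize(existing)
    if not a or not b:                     # all-digit or all-symbol passwords
        return candidate.lower() == existing.lower()
    return a == b or a in b or b in a or levenshtein(a, b) <= 2


def check_password(candidate: str, in_use: Iterable[str] = ()) -> list:
    """Return the reasons a candidate is rejected; an empty list means it passes.
    `in_use` holds the user's other passwords, so reuse across accounts is caught."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(candidate) in COMMON_PASSWORDS:
        problems.append("common password or phrase, even with substitutions")
    if any(is_variant(candidate, pw) for pw in in_use):
        problems.append("easy variant of a password already in use")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "T0beOrN0tToBe2024!", "purple otters audit the moon"):
        print(pw, "->", check_password(pw) or "accepted")
    print(check_password("G00dPassw0rd2024!", in_use=["GoodPassword2023"]))
```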


Just when you thought the new guidelines made your life easy, it all falls in when you consider the hundreds of accounts you probably have.

Unless you are prodigiously organized and blessed with the memory of a crossed mother elephant, password managers are the answer: One long, strong, and memorable password for a password manager that generates and stores random passwords for all your accounts. Although they are not perfect, most people are safer with a password manager.

Choosing a password manager is a subject for another post.

Cyber War In Ukraine

I’ve added an update for May 9th below.

The hacktivist war against Russia has been dismissed as ineffective, but my own reading indicates that it is unprecedented and formidable. The final results are not yet visible, but something exciting is happening.

History

Russia has been a center of excellence for cybercrime since the dissolution of the Soviet Union in 1991 when the centrally planned and controlled Soviet economy shattered and became a kleptocracy. The accepted story is that trained software and computer engineers lost their jobs in the broken system. In desperation, they turned to cybercrime. The narrative goes on to say that the line between cybercrime and government sanctioned intelligence operations is vague in the former Soviet Union. Rumors abound that Russian cybercriminals have a free hand to demand ransom and steal data and cash in return for cooperation with Russian intelligence services. The truth of this narrative is hard to evaluate, but it’s the backdrop for the current cyber war in the Ukraine.

Scope

I went on alert for a major Russian cyber attack on February 24, 2022 when the war in Ukraine started. When I wake up in the morning on the Pacific Coast, it’s mid-afternoon in Moscow and Kyiv. The workday has barely started in New York. By the time I finish my first cup of coffee, I’ve checked for cyber attacks, assuring myself that the European and North American power grid is intact, European and U.S. oil refineries are not burning, and the international financial system is still functional.

The Ukraine war has brought many surprises. I, among many others, thought a precision blitzkrieg invasion would engulf and obliterate key targets bringing down the Ukraine in days. Ten weeks later, the Ukrainians have halted the assault on Kyiv, taken back territory, sunk a Russian naval flagship, killed several high-ranking Russian generals, and hit targets inside Russia. The damage to Ukraine is huge, but the Russian attack has faltered. We now know that the Russian army is not as war-ready as we thought.

The Russian cyber war is harder to measure. Microsoft has provided an extensive report on cyber attacks against Microsoft software in Ukraine. There have been attacks, but not the smoking mess I anticipated. The cyber war is not over and could still intensify, but it is not the dismal defeat of Ukraine that I expected.

What Happened?

I had not thought much about hacks against Russia until I recently read a piece in the Washington Post about the Ukraine IT Army. Russian computing culture is notoriously vicious. Prudent folks have shied away from hacking such a formidable foe, but the Washington Post article reports that since the invasion of Ukraine, more hacked Russian credentials have been released on the open web than from any other country.

Usually, the U.S. is the helpless victim bleeding hacked data and Russia is presumed to be the biggest and ugliest culprit. The tables have turned. Russian businesses and institutions have been hacked and doxed— their credentials, private messages, and data have been accessed and published. Even pro-Putin Russian criminal hacking organizations are victims. If you’d like to peruse some stolen Russian data and creds from Russian residential electrical contractors, banks, the Ministry of Culture, the State Nuclear Energy Corporation, and tons more, look here. Russian cybersecurity is weak, not the impenetrable citadel we thought it was.

Some analysts downplay the significance of these attacks. I don’t, if only because they deflate the reputation of Russian cybersecurity.

Hacking Russia from Home

U.S. and European state actors, government agencies like the National Security Agency and the European Union Agency for Cybersecurity, are undoubtedly at work, but we probably won’t know their role until long after the war is over.

The great hack of Russia is a “working from home” operation.

Cyber war is not kinetic war. Launching kinetic weapons— missiles, bombers, tanks, and troops— is costly and requires large and well-established organizations at the right time and place.

But kids with smartphones can launch cyber attacks from anywhere, if they know how, and many of them do.

Professional cyber attacks use more sophisticated equipment and methods, but large organizations are not necessary and the equipment is not hard to get. Computer professionals with all the knowledge they need have adequate equipment and connections in their home offices. That is nothing like the cash, trained experts, and on-the-ground presence required to launch a $200K Javelin missile or even a cheap $6K Switchblade drone.

For example, here is an interview with a group called AgainstTheWest. The group is secret and the assertions in the interview are unverified, but I find them plausible. They say their goal is to collect intelligence on threat actors (security jargon for instigators of risks with the capability to do harm) from Russia, Belarus, and North Korea. The group says they are five people who are certified information security professionals who work together. They have an impressive list of data on their targets that they have acquired. They say they work with various official agencies, but they are independent.

To support groups like these, the Ukrainian government has set up a Telegram list with information on potential hacking targets and the progress of the cyber war. The list has close to 280,000 members.

Impacts

The Ukrainian volunteer cyberwar is unprecedented and startling. I’ve feared a cyberwar for several years, but I anticipated a war between state actors, with the likes of U.S. Cyber Command leading the action, nothing like Ukraine’s leaderless foreign volunteer army, which is akin to guerrilla warfare, except that the partisans are far from the kinetic battle. Is the IT Army a spontaneous gush of altruistic support for democratic institutions? Or a destructive, undisciplined, and chaotic mob without a chain of command? Or some ungovernable mixture that will challenge order for decades to come?

We will see.

Update for May 9th

May 9th is a major holiday in Russia, commemorating the triumph of Russian troops over Nazi Germany in 1945. Both Russia and Ukraine celebrate that victory. The U.S. used to celebrate May 8 as VE Day (Victory in Europe Day) although it is no longer a national holiday. In Moscow, military parades and exhibitions of weaponry are May 9 staples.

Many experts were expecting trouble, perhaps a doubled down bombardment in eastern Ukraine or the long awaited Russian cyber attack on the West. I was up early, doom-scrolling for trouble. Nothing much happened. Reports say that the Moscow parades were, perhaps, a bit subdued but typical.

Putin attempted to connect attacking Ukraine with defeating Nazi Germany. The war in Ukraine was business-as-usual, but Russian social media platforms were hacked, according to the Washington Post. “The blood of thousands of Ukrainians and hundreds of murdered children is on your hands,” appeared on Russian television and computer screens. Internal propaganda convincing the Russian people that Putin is fighting a just war is critical if the Russian invasion is ever to succeed. If today’s hack can be repeated and amplified, the hacktivists, whom I assume were behind the hack, will strike a powerful blow for the Ukraine.