Posted on

Safer Home Networks

As each day passes, home network security becomes more important for many of us. Working from home in the pandemic lockdowns boosted home networks from conveniences to necessities. Although returning to the office is now considered safe, many of us have discovered that we prefer to work from home some, if not all the time. Savvy employers have begun to insist on security standards when home networks are used for work and those of us who are self-employed at home must tend to our own safety.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Much can be done to increase safety. A key network security principle is network segmentation.

Segmentation is a cybersecurity concept derived from the same principle that governs ships built with watertight compartments. If a single compartment springs a leak, the ship still floats. If the security of one network segment is breached, the rest of the network is still safe.

Businesses and other organizations have long practiced segmented physical security. All employees may have a key or code to open the employee entrance, but smart organizations have separate keys for each department. Widely distributing keys that open all the locks in the business are dangerous. A criminal or rogue employee with the key to everything can steal everything.

In a typical physically segmented business, one section of the office is accounting. Only people from the accounting department have keys to accounting offices. Only shipping employees have access to the shipping room and warehouse, only some shipping staff have keys to the warehouse. And so on.

Risk averse businesses segment their computer networks in the same way. Typically, an air-conditioning technician will not be able to access accounting files, nor will an accountant have access to heating and air-conditioning controls. Unsegmented networks have been the scenes of devasting attacks, such as the Target heist of a few years ago in which an air-conditioning subcontractor’s account was used to steal customer credit card information. A better segmented network would have prevented that catastrophe.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Folks may remember that in the dark days before we were touched by the wireless light, each computer in the house had a modem attached to a phone line. While the computer modem was connected, anyone who picked up a phone was treated an earful of painful screeches. Compute intensive households had separate phone lines for each computer. DSL (Digital Subscriber Line), which is still around but no longer as common, got rid of the necessity for separate phone lines and introduced routers to home computing. The day you install a home router, you have a home network.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration.

I remember well when we got our first DSL modem and wireless router. How luxurious it felt to wander into the living room in stocking feet, sit down on the couch, and connect to the office on a laptop without plugging anything in. Never mind that it was the beginning of twenty-four-seven working days for many of us. Now broadband connections via cable or fiber often replace DSL for higher bandwidth connections but the home wireless router still prevails.

Critical Changes For Home Networks

  • Everyone, including the kids, now have smartphones that pack a computer considerably more powerful than the beige box home desktop computers that started home computing. Smartphones connect to home wireless routers whenever they have the chance.
  • Homes have embraced the “Internet of Things” (IoT). We now have doorbells, entrance locks, and security and heating systems that connect to our wireless routers so we can control them remotely through our smart phones.

At our house, the refrigerator, the kitchen range, and the microwave all want to connect to the world wide web. Network-connected speakers like Amazon Alexa, home entertainment systems, and health monitors are now common.

For the last decade, one of the cheapest and easiest features to add to a household appliance has been an interface for remote control via an app on a smartphone. Too often, these devices are from product designers with scant training in network security. Many of these devices are easily hacked. A hacker thief might use your internet connected video doorbell to detect when you are not at home and break and enter your house while you are away. Your smart lock might just pop open when the thief arrives.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration. A segmented network protects each segment from damage from other segments and each segment can be configured to permit activities that could be dangerous in other segments.

Typical Home Network Segments

Cyber security experts agree that typical home networks, especially when residents work from home some of the time, would benefit by dividing the network into at least three segments: 1) home computing, 2) Internet of Things (IoT), and 3) guests.

The home computing segment is a home network before our computing life got complicated. It contains the desktops, laptops, tablets, and phones of the primary residents. Within this segment, peripherals such as files and printers can shared, and, when necessary, one computer can access another within this segment. Most people keep their email, financial records, and financial accounts here. For a writer like me, my manuscripts are stored locally in this segment. The segment often holds home business records. For folks with online storefronts, they administer their storefront and access their business records through this segment.

The IoT segment is the wild west. The devices there are not quite trustworthy. It’s bad enough that a criminal might hack into your smart doorbell, but giving the miscreant access to your bank account and business documents doubles down on trouble. Isolating this segment allows you to take advantage of the convenience of networked devices without quite opening a vein in your arm for the crooks.

The guest segment is valuable when you have teenagers in the house who bring in friends. Sharing internet connections with visitors is basic hospitality these days, but keeping your home network secure can be a problem. You may not mind sharing your network password with your brother, but you have to worry about your kids’ squirrelly friends who just might leave their smartphone with access to your home network on a park bench or in the video arcade. Worse, even good kids might use the colossal bad judgement of adolescence to hack your system just to see if they can.

Even if kids don’t visit, you can’t be sure that all your friends are as careful as you are about keeping phones free from dangerous apps and criminal bots waiting to rob your network blind. A network segment with a special password that permits connections with the outside world, but not to the devices in your home, protects you from the mistakes of your guests.

Next Steps

In the best of all worlds, I would now give you quick and easy instructions for implementing a segmented home network. I can’t. The market is still catching up and implementing a segmented home network is not simple enough to describe here. For our house, I have a jury-rigged setup that reuses an old router and a network switch that I happened to have lying around. I did some fancy configuration that I would not wish on anyone but myself.

For most people, investing in professional help may be the solution. Expect to pay for some new equipment. If you want to try setting up your own segmented network, this link contains some specific information: An Updated Guide to Do-It-Yourself Network Segmentation . I caution you that newer hardware may be available but the link will get you started.

You’ll end up with a password for each part of your home network, but you will be safer.

Posted on

Frustrate Phone Hackers

The NSA mobile device best practices contains the easiest and best tip for cellphone cybersafety I have heard in years. I’m surprised I had not thought of mentioning it. I regularly tell folks to turn off their computers when they are not using them because it discourages hackers. The same applies to cellphones.

The NSA suggests powering down once a week. I say, more often is better if you can swing it.

Here’s why. Everyone, including criminal hackers, likes a regular work week and hates to waste effort. Just like the rest of us, criminals want a regular, productive five-day, nine-to-five work week. When law enforcement tries to discover the source of a hack, they often identify the time zone of the hacker by looking at file and event dates and times. They know when hackers in China, for one example, like to start and end their day, even when they knock off for lunch.

Now, suppose some ordinary nine-to-five criminal has succeeded in pwning (taken over) your computer or cellphone. They come back from their borsch, pelmeni, and sour cream, raring to resume stripping you bare. They discover your computer has disappeared. Nasty words follow in foreign languages. Do you suppose they will wait patiently for you to power up? Not a chance. Most likely, after having lost a morning’s work getting ready to knock you over, they will not make the same mistake twice. They will move on to easier pickings. If you are lucky, your unreliable habits will annoy the hinks to the point that they throw you on their private “do not hack list.”

Recent trends in hacking make shutting down and restarting even more desirable. For decades, anti-virus and malware tools have relied on file signatures for detecting attacks. The tools scan computer file systems for files with characteristics (names, sizes, time stamps, and embedded sequences of characters) that signify infection. Having identified an infection, the tool moves or removes files and takes other steps to kill the infection.

Hackers know all about the way these tools work and they have responded with more subtle ways of infecting computers. Most of these involve avoiding detectable file changes by injecting nasty stuff into memory— the high-speed short-term information storage that disappears when a computer is rebooted.

And there you have it: power down a computer or phone with that kind of infection and the infection is gone. All that lovely hacking work destroyed. What a shame. Not.

I have regular irregular habits. I have a tablet in our living room that I use occasionally. I regularly shut it off when I’m not using it. Some days, it’s up all day and until late at night. Other days, it’s never up. I have several computers in my office. When the witching hour arrives and I decide to turn in for the night, I power them off. My last act of the day is to shut down and restart my phone. Midnight on the U.S. west coast is 10am in Moscow, a location where a lot of hacking goes on.

The next day, I power up the computers in my office as needed. On days I spend working in the yard or running errands, they may be up only for an hour or two. The point is to include irregularity for hackers into your regular habits.

I’ll end this post with a few other good habits for using smart cellphones:

  • Enable automatic updates whenever possible. Operating system and app vendors discover security vulnerabilities and fix them all the time. Let them help you be safe.
  • Going through the Google, Apple, and Microsoft app stores decreases vulnerability, but does not guarantee that an app will be safe. Frequently installed and favorably reviewed apps are the safest. If you must go outside the app store walled garden, be very very careful.
  • Minimize the number of apps you have installed. If you don’t use an app, remove it. Every app you have installed is a potential security vulnerability. If you don’t use it, why let an app increase the possibility that you will be hacked?
  • Secure your phone. Entering a PIN is a pain but leaving your unsecured phone next to a coffee shop cream pitcher or among the half inch copper elbow fittings at Home Depot could be the prelude to a disaster. I have concerns with biometrics like facial and fingerprint scans, but they are better than nothing if you can’t be bothered with anything more secure. Some phones will unlock your phone when it is at certain locations, like home and work. Consider using that feature.

Periodically restarting your phone is the simplest step you can take. Do it. Wait a day or two. Do it again.