Tag Archives: Blog Post Shout Out

Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection

Happy New Year to all readers of this blog!

With attacks on routers increasing (e.g. this article concerning D-Link) and vulnerabilities being patched within internet of things (IoT) (defined) devices; it’s great news that security technologies are adapting to monitor and protect them.

I wanted to provide a respectful shout out (although not to blog posts) to products from several vendors that promise to better protect from threats such as the Mirai malware and other examples.

Full disclosure: I’m not receiving any incentives or benefits from any of these vendors; I simply wish to promote awareness of existing and upcoming technologies that we can use to better secure the increasing number of IoT devices that we are using in our everyday lives.

For example, early last week Symantec began accepting pre-orders for their new wireless router. Initially this will only be available in the US but will be extended to more regions in the future.

While a wireless router is nothing new, it is one of first that I have encountered that includes protection for Internet of Things (IoT) devices.

In their words it “constantly monitors your connected devices like WiFi thermostats, smart locks, appliances or home security cameras for suspicious activity and identifies vulnerabilities. If a device becomes compromised, it quarantines the threat before it spreads ensuring your digital world is safe.”

A similarly powerful offering from F-Secure is also in progress. Like Symantec, F-Secure’s is scheduled for release in Q2 of 2017.

These solutions are further refinements to wireless router/access point security solutions that have been available since late 2015. For example, Asus’ Ai-Protection feature (using technology licensed from Trend Micro) incorporates most of the features that F-Secure and Symantec offer just without the IoT management and reporting.

There are interesting times ahead as Internet of Things (IoT) devices and wireless router become increasingly more managed and monitored devices allowing us to secure them better. My sincere thanks to a colleague (you know who you are!) for assistance with this post.

Thank you.

Blog Post Shout Out: SHA-1 Migration and Internet of Things (IoT)

With the transition to SHA-2 rapidly approaching (January 2017) if you have not already begun the migration process for your website or are having difficulties locating all of the certificates that need migrating; the following article that I wish to provide a respectful shout out to may be of assistance. The article includes advice on making the best use of the remaining time:

SHA-1 Time Bomb: One Third of Websites Have Yet to Upgrade by Phill Muncaster (Infosecurity Magazine)

This issue is also of note since Google (like the other browser vendors is moving away from SHA-1) will remove support for SHA-1 in Chrome version 56. Further details are provided in their blog post. The source of the statistics for the Infosecurity Magazine article was this blog post from Venafi, an organisation that provides cryptography related solutions and services to enterprises.

=======================
With the DDoS attack (defined) against the DNS service Dyn last month attributed to Internet of Things (defined) devices further steps need to be taken to secure them. To assist with this, the US CERT have written a PDF document titled “Strategic Principles for Securing the IoT”. It is intended for consumers, operators and manufacturers of IoT devices. It is available from the link below:

Securing the Internet of Things (US-CERT)

=======================
Thank you.

Blog Post Shout Out: Securing Internet of Things and WiFi

With Internet of Things (IoT) devices becoming part of everyday life properly implementing public key encryption (defined) within them is a critical step that should not be overlooked.

Facilitating the use of such devices is very widespread wireless access which should also be secured as much as possible (especially in corporate environments) so as not to inadvertently provide an easy means of accessing your internal network.

For both of the above technologies I wanted to provide a respectful shout-out to the following blog posts that provides step by step advice on securing wireless networks (includes physical security and hardening guest network access) as well as how public key cryptography should be implemented and used within IoT devices:

9 things to check after installing wireless access points by Eric Geier (Computerworld)
4.5 million web servers have private keys that are publicly known! by Paul Ducklin (Sophos Security)

I hope that you find the above posts/resources useful. Thank you.

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus to phase out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making it easier for users to remember them. It also raises doubts about the need for changing passwords so often and provides evidence to back this up.

All of this advice may useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

================================
In an effort to preserve your privacy you may be using a VPN (defined) connection when browsing the internet using your computer or mobile devices.

However as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity since some information (namely your real IP address) can still be leaked via WebRTC traffic. Within that FAQ article they provide advice on how to prevent this leak for the most common web browsers.
================================
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it possible to better control such data leakage on Android and Apple iPhones. A guide to do this for Android is available here.

For an iPhone, you can open Setting -> Mobile data and change the settings according to your preference. However, when you connect to a public Wi-Fi hotspot all the network connections in use by the apps will begin new connections or resume existing connections.

To minimise the amount of data leaked you should use a VPN (as I have already discussed above) for your mobile device. In addition, you should use the Low Power Mode option of your iPhone from Settings -> Battery and change the setting. This setting change will halt background tasks, delete Wi-Fi access point associations, previous new emails being received and automatic downloads. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android powered device or an iPhone. Full disclosure: as you know I use an Android phone so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.

Blog Post Shout Out: Further Tips To Prevent Ransomware

With growing numbers of organizations, companies and individuals being affected by ransomware we need to take precautions before we are affected so that if the worse should happen we can recover.

For the second time this month I wish to provide a respectful shout-out to the following blog post that provides further tips on preventing ransomware that were not present in previous posts.

For example, using the principle of least privilege (not using a privileged user account on your device when you don’t have to e.g. for everyday general use), security awareness (being aware/having knowledge of current computer security trends and knowing what to avoid/which warning signs to look out for) as well as a new security feature developed by Microsoft for Office 2016 in an effort to prevent the spread of ransomware. I hope that you will find the post linked to below useful:

8 tips for preventing ransomware by John Zorabedian (Sophos Security)

Further practical advice on preventing ransomware is provided in a previous blog post.

Thank you.

Blog Post Shout Out March 2016: Focus on Internet of Things (IoT)

With the increasing popularity of standard everyday appliances and devices e.g. webcams, thermostats, TVs all way up to critical infrastructure e.g. power and water treatment plants being connected to the internet, we need to take measures to better defend them against attack. This is necessary since many devices were not designed/built with security in mind.

To assist you with better securing these devices I wanted to provide a respectful shout-out to following blog posts/articles that will help you defend your devices whether they be installed in a corporate environment or your home:

7 tips for securing the Internet of Things by Chester Wisniewski (Sophos Security)

5 Tips to Protect Networks Against Shodan Searches by Aaron Weiss (eSecurityPlanet)

Should CIOs worry about the Internet of Hackable Things? by Jen A. Miller (CIO.com)

These resources should better prepare you for any potential/actual attacks against these devices. Thank you.

Blog Post Shout Out March 2016

With the growing prevalence of ransomware; it’s prudent to take steps to avoid becoming infected with this malware and losing your data as well as being able to recover quickly without paying the ransom.

For these reasons I wanted to provide a respectful shout-out to the following blog posts that provide practical advice to businesses and consumers/personal users on how to protect yourself from ransomware and the “Locky” variant of ransomware:

The Simple Way to Stop your Business from Being Extorted by Ransomware by Graham Cluley (writing for Bitdefender)

“Locky” ransomware – what you need to know by Paul Ducklin (Sophos Security)

Update: 12th March 2016:
Got ransomware? What are your options? by Paul Ducklin (Sophos Security)

Massive Volume of Ransomware by Rodel Mendrez (SpiderLabs) : Details how to defend against the Locky ransomware being spread using JavaScript within spam messages.

Further information/discussion on ransomware is provided in a previous blog post. I hope that you find the above posts useful. Thank you.