How do I monitor my devices on the network?

In many cases, once a wireless router has been installed, we find a place for it in our home or small business and forget about it. As long as our devices are set up and connected to the Wi-Fi network, little or no administration or monitoring is done on the router or on the IoT devices connected to it. Because they are not routinely monitored, these routers and IoT devices are easy targets for cybercriminals, who can compromise them without anyone noticing and use them as a foothold into the rest of the network.

The inherent risk of not monitoring the network, the router and the IoT devices is that criminals gain access to them unnoticed and use them either for malicious activity against your home or small business network or, worse, as recruits for large-scale DDoS attacks: the Mirai botnet of 2016 was assembled from exactly this kind of unmonitored, default-password IoT device.

Here are some key steps that you can take to protect your home and small business networks:

  1. Always change the default device name for routers and IoT devices

Renaming your router's SSID and your devices' hostnames removes an easy clue about make and model. If a cybercriminal can tell the manufacturer and model of a router or IoT device, they can look up the vulnerabilities known for that model and try them. Do not overestimate this step, though: the first three bytes of a device's MAC address (the OUI) still identify the manufacturer to anyone on the network, and web and SSH login banners often state the model outright. Renaming is hygiene, not a substitute for the steps that follow.

  2. Change the default settings, including passwords. Replace the factory administrator password with a long, unique one, and disable features you do not use, in particular WPS and administration from the WAN side.
  3. Enable encryption for all transmission methods: WPA2 (AES/CCMP) or WPA3 on the Wi-Fi network, and HTTPS for the router's administration page. WEP and WPA with TKIP are broken and should not be used.
  4. Keep maintaining these devices even when they are rarely used, by doing the following:
  • Remember to always keep your devices up to date with the most recent software available;
  • Always apply the latest security patches to ensure no security hole is left open to malicious actors;
  • Periodically list the devices on your network (the router's client or DHCP lease list, or the ARP table from a computer on the LAN), compare it against the devices you actually own, and investigate anything unfamiliar; make sure the computers and phones that connect most often have antivirus and/or anti-malware software installed;
  • Protect your devices with multiple security layers consisting of specialized security software such as updated antivirus programs and traffic filtering software.
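The inventory check in the last step can be scripted. The following is an added example, not code from the original article: it parses the output of `ip neigh show` on a Linux machine attached to the LAN (`arp -a` carries the same information elsewhere), reports every device whose MAC address is not on your allowlist, and names the manufacturer from the MAC's OUI prefix, which also illustrates why renaming a device does not hide what it is. The neighbour lines, the allowlist and the third OUI entry are constructed for the example; the first two OUI entries are real registrations, but a real audit should consult the IEEE OUI registry.

```python
"""Audit the devices currently on a LAN against a list of known devices.

Added example, not part of the original article. Sample data is constructed.
"""
import re

# Constructed sample: what `ip neigh show` might print on a home LAN.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr b8:27:eb:aa:bb:cc STALE
192.168.1.31 dev wlan0 lladdr 00:50:56:12:34:56 REACHABLE
192.168.1.77 dev wlan0 lladdr 3c:5a:b4:de:ad:01 DELAY
192.168.1.99 dev wlan0  FAILED
"""

# Devices you expect to see (constructed). Keyed by MAC; the value is your own label.
ALLOWLIST = {
    "00:11:22:33:44:55": "home router",
    "b8:27:eb:aa:bb:cc": "raspberry pi (media box)",
}

# The first three octets of a MAC identify the manufacturer. The first two
# entries are real registrations; the third is an illustrative placeholder.
OUI_TABLE = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:50:56": "VMware, Inc.",
    "3c:5a:b4": "ExampleIoT Ltd (illustrative, not a real registration)",
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<iface>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neighbors(text):
    """Return (ip, mac) for every resolved entry; lines without a MAC (FAILED, INCOMPLETE) are skipped."""
    found = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            found.append((m.group("ip"), m.group("mac").lower()))
    return found


def vendor_of(mac, oui_table=OUI_TABLE):
    """Look up the manufacturer from the OUI (first three octets) of a MAC address."""
    return oui_table.get(mac[:8].lower(), "unknown vendor")


def audit(text, allowlist=ALLOWLIST, oui_table=OUI_TABLE):
    """Return the devices not on the allowlist, each as (ip, mac, vendor)."""
    unknown = []
    for ip, mac in parse_neighbors(text):
        if mac not in allowlist:
            unknown.append((ip, mac, vendor_of(mac, oui_table)))
    return unknown


if __name__ == "__main__":
    for ip, mac, vendor in audit(SAMPLE_NEIGH):
        print(f"UNKNOWN {ip} {mac} ({vendor})")
```

Run it from a machine on the LAN with `ip neigh show | python3 audit.py` after changing the script to read standard input, or paste the output into `SAMPLE_NEIGH`; anything it prints is a device you did not know about and should identify or remove.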

How do I secure my network for BYOD?

When a BYOD user or visitor needs network access, how do you roll out the welcome mat without leaving the door wide open to anyone who wanders by? Plenty of organizations use conventional pre-shared keys or MAC authentication to get BYOD users and visitors on the network. These mechanisms seem reasonable, but they have some major security flaws. What is so bad about traditional pre-shared keys (PSKs) and MAC authentication for guest and BYOD onboarding from an IT security perspective?

Let’s look at some issues:

  1. What’s the problem with pre-shared keys?

When users ask for “the Wi-Fi password”, they are asking for a pre-shared key. Suppose an IT administrator sets up a Wi-Fi SSID with an assigned PSK and then simply gives that PSK to anyone who requires network access. Maybe you even use this approach yourself—why not? Well, for a few reasons.

Start with the fact that when you have a single Wi-Fi password, you have no way to control who has access to it. Users can—and do—share Wi-Fi passwords with others, even people you might not want to have access to your network. When everybody’s sharing the same password, there’s also no way to revoke access to an individual user—say, when someone leaves the organization.

  2. What about MAC authentication?

At least a PSK network encrypts data traffic in transit over the air, although on WPA2-Personal that protection only holds against outsiders who lack the key: anyone who knows the shared PSK and records another client's 4-way handshake can derive that client's session key and read its traffic (WPA3's SAE handshake closes this gap). When you use MAC authentication to provide network access for BYOD and guest users, there is no encryption at all: anyone within radio range can read the data traffic. Attackers also find it easy to spoof MAC addresses, since a client's MAC is visible in every frame it sends, and thereby gain unauthorized access to the network.

With both PSKs and MAC authentication, you have no way to associate each device with a user, so there is no effective way to block a particular device or user from the network, or to limit what that device may do once it is on it.
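The point that a shared PSK gives no separation between users can be shown with the WPA2 key schedule itself. The following is an added example, not code from the original article: it implements the two derivations specified in IEEE 802.11 for WPA2-Personal. The passphrase and SSID are stretched into the Pairwise Master Key (PMK) with PBKDF2-HMAC-SHA1 (4096 iterations, 256 bits), so every user of the network ends up with the same PMK; the per-session Pairwise Transient Key (PTK) is then derived from the PMK plus four values that cross the air in the clear during the 4-way handshake (both MAC addresses and both nonces). Anyone who holds the passphrase and captures a handshake can therefore compute the victim's session key, which is exactly what the `eavesdropper_recovers_tk` function does. The MAC addresses and nonces are constructed for the example; the passphrase/SSID pair `password`/`IEEE` is the published IEEE 802.11 test vector.

```python
"""Why a shared WPA2 passphrase gives no per-user separation.

Added example, not code from the original article. Handshake values are constructed.
"""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping from IEEE 802.11: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the CCMP PTK (384 bits) and split it into KCK, KEK and the data-encryption key TK.

    aa/spa are the AP's and client's MAC addresses; anonce/snonce come from
    handshake messages 1 and 2. All four are sent unencrypted.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eavesdropper_recovers_tk(passphrase, ssid, aa, spa, anonce, snonce) -> bytes:
    """What anyone who knows the shared passphrase and sniffed the handshake can compute."""
    return wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)["tk"]


# Constructed handshake values (in practice read from the captured EAPOL frames).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"example anonce").digest()  # 32 bytes, constructed
SNONCE = hashlib.sha256(b"example snonce").digest()  # 32 bytes, constructed

if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")  # IEEE 802.11 test-vector inputs
    print("PMK shared by every user of the SSID:", pmk.hex())
    client = wpa2_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    sniffed = eavesdropper_recovers_tk("password", "IEEE", AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    print("Eavesdropper holds the client's traffic key:", client["tk"] == sniffed)
```

Nothing here is a flaw in the cryptography; it is the design of a pre-shared key. The only input that differs per user is the handshake, and the handshake is public. That is why the remedy below is per-user credentials rather than a stronger passphrase.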

Solution: The key steps to mitigate the risks of BYOD devices are:

  1. Protect sensitive data. Decide what personal devices may hold, keep the rest on managed systems, and require device-level controls (screen lock, storage encryption, remote wipe) before a personal device is allowed near it.
  2. Authenticate people, not just devices. Replace the shared PSK with per-user credentials, for example WPA2/WPA3-Enterprise (802.1X) backed by a RADIUS server or identity provider, or at minimum per-device keys issued through an onboarding portal, so that every session is tied to an identity you can audit and revoke when someone leaves.
  3. After securing your data and access, lock down the network itself. Instead of relying on generic firewalls for your data security, put BYOD and guest devices on their own SSID and VLAN with client isolation, allow them Internet access but no path to internal systems, and carefully close off the network from the outside world to avoid security holes that a BYOD device could open.
  4. Actively monitor the devices connected to your network and their activity: log which device authenticated as whom, when and from where, and review the list regularly.

One tip to protect your phone when using a public USB charging socket

TL;DR: Never trust a public USB socket.  If you are forced to use one, use a power-only USB cable. There’s a catch though – you’ll read more in the last paragraph.

Imagine yourself running late for a plane on a busy Monday morning. Keys – check, suitcase – check, passport and tickets – check. To make matters worse, slightly upset by the grumpy taxi driver and length of the bag drop queue at the terminal, you find yourself staring at the red battery symbol on the dimmed smartphone screen.

Luckily, you come across one of those mobile charging stations and minutes later you’re all set for boarding.

Beware, as you might have just taken an unwanted passenger on-board with you!

USB malware

Unfortunately, using USB sockets that you don't trust creates a real security risk, and deciding which ones you should trust is a non-trivial job, to say the least. There are attacks that can be carried out the moment you plug the smartphone into the socket, without Android or iOS even noticing. Modern phones default to charge-only mode and ask before exposing data (iOS's “Trust This Computer?” prompt, Android's USB mode notification), so the one thing never to do at a public socket is accept such a prompt; the attack classes below do not rely on it.

They work in a variety of ways. Some of them interact directly with the operating system, for example during the enumeration of USB devices when the system boots up. Another type of attack abuses DFU (Device Firmware Update), a USB device class that lets a host rewrite a connected device's firmware. Yet another creates a partition in the flash memory of the USB chip to exfiltrate sensitive data flowing through the port later. If the above reasons were not enough, there is always the possibility of using the smartphone as a transient host for malware destined for other platforms, stealing data from inside the corporate network as soon as the infected device is plugged into a PC.

Three main risks of these attacks are:

  1. data theft from the smartphone,
  2. compromise of the internal company network,
  3. unwanted device tracking.

While the risk of data theft is definitely the most pronounced and impactful, point number two, infiltration of the internal network, follows closely. One study at a “large university campus” found that users picked up and connected an estimated 45%-98% of the USB pen drives the researchers dropped. Admittedly, that study is about USB drives, but for all intents and purposes a smartphone that has once been plugged into an untrusted USB port might as well be treated as a USB “trojan horse” that could open a back door into your company's network.

We won’t go into any details of how it can be carried out, but if you’re interested, take a look at the list of 29 types of USB attacks.

The remedy

The easiest thing to do to save yourself most of the headaches if you ever run into such a situation is to use a charge-only USB cable: one with the power lines (VBUS and GND) wired through and the data lines left out. They are available from major retailers and are dirt cheap.

There is one caveat though – fast charging will most likely not work when a cable without data lines (D+ and D- in the USB 2.0 pinout) is used. Under the USB Battery Charging specification a phone recognises a high-current charger by finding D+ and D- shorted together at the charger end; with the data lines missing it sees no such signal and falls back to the conservative default current (typically 500 mA), and proprietary schemes such as Qualcomm Quick Charge, which negotiate over D+/D-, cannot work at all. Some cable manufacturers claim that they sell products, like this one from PortaPow, that preserve fast charging by being “hardwired with the Fast-Charge USB signal” (in practice, shorting D+ and D- on the phone side so the phone believes it is on a dedicated charging port), while at the same time only saying that “this will most likely solve the problem”. We have not tested any of them though. If you have, share your experience in a comment!

Losing fast charging capability may seem like throwing the baby out with the bathwater these days, but losing data or having it stolen is likely to cost much more than the time you spend waiting.

Dangers of using unknown WiFi networks

Most consumers and professionals use public networks to communicate in an ever more mobile and travelling world. According to a survey of 1,025 people conducted by Symantec in May 2016, of the 60% of American consumers who believe their information is safe when using public Wi-Fi, only 50% believe that they bear any personal responsibility for ensuring that their data is secure. 17% of those surveyed believe that individual websites are responsible for making sure that visitor data is secure, while the same percentage think that this duty falls to the Wi-Fi network provider.

In and of itself, a wireless access point (WAP) or wireless network connection isn’t inherently dangerous. It becomes so if it’s unsecured – allowing the movement of data without any form of encryption or security protection.

Before you use unknown WiFi networks or Public networks, ask yourself the following questions:

  • What’s the exact name of the network?
  • What’s the procedure for logging in?
  • Anything else that visitors should know about?

Otherwise, you run the risk of being victimized by cyber-criminals who may have set up a fake wireless access point, or Wi-Fi “honeypot” to trap unsuspecting visitors at that location.

The fake hotspot may look just like what you'd expect – down to the name and logo of the establishment. But the Wi-Fi network is one owned and operated by hackers or cyber-criminals, and whoever runs the access point sits in the path of all your traffic: they see your DNS queries and anything sent unencrypted, and can tamper with both. Logging into it through a lack of due diligence could expose you to any number of dangers. The same features that make free Wi-Fi hotspots desirable for consumers make them desirable for hackers; namely, that no authentication is required to establish a network connection. This gives an attacker on the same network unfettered access to unsecured devices on it: any service your laptop or phone exposes to the local network can be probed directly. Hackers can also use an unsecured Wi-Fi connection to distribute malware; if you allow file sharing across the network, infected files can be planted on your computer.

As mobile Wi-Fi becomes increasingly common, you can expect Internet security issues and public Wi-Fi risks to grow over time. But this doesn’t mean you have to stay away from free Wi-Fi and tether yourself to a desk again. The vast majority of hackers are simply going after easy targets, and taking a few precautions should keep your information safe.

Solution: A Virtual Private Network (VPN) service or app is the centerpiece of your defenses against unsecured Wi-Fi. A VPN encrypts all data moving between your device and the VPN server during each session, so even if a hacker intercepts your connection they see only an opaque tunnel and are far more likely to move on to easier pickings from unprotected users. Bear in mind that this moves trust to the VPN provider, which now sees the traffic the hotspot operator no longer can, and that the open network still carries your connection before the tunnel comes up, so turn off automatic connection to open networks and confirm the tunnel is established before doing anything sensitive. A well-configured firewall (corporate or personal) filtering traffic to and from the network, an up-to-date suite of security software (anti-malware, anti-keylogger, etc.) and monitoring of the devices on your network remain essential ways of reducing risk.
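The questions above (exact network name, login procedure) can be turned into a check your device runs against a Wi-Fi scan before it joins. The following is an added example, not code from the original article. It compares what a scan shows for a network you think you know against the profile you saved the last time you trusted it, and flags the signs of a look-alike access point: the expected name offered with a different security mode (especially an open network where you expect WPA2), an unfamiliar BSSID, or the same SSID advertised both open and encrypted at once. The scan entries and saved profiles are constructed; a real client would fill `SCAN` by parsing `nmcli -t -f SSID,BSSID,SECURITY dev wifi` or `iw dev wlan0 scan`.

```python
"""Check a Wi-Fi scan against what you know about a network before joining it.

Added example, not part of the original article. Scan results and profiles are constructed.
"""

# Constructed scan, in the shape you would get from `nmcli -t -f SSID,BSSID,SECURITY dev wifi`.
SCAN = [
    {"ssid": "AirportFreeWiFi", "bssid": "aa:bb:cc:10:20:30", "security": "OPEN"},
    {"ssid": "CafeNoir",        "bssid": "de:ad:be:ef:00:01", "security": "WPA2-PSK"},
    {"ssid": "CafeNoir",        "bssid": "02:11:22:33:44:55", "security": "OPEN"},
    {"ssid": "HomeOffice",      "bssid": "00:11:22:33:44:55", "security": "WPA2-PSK"},
]

# What you recorded the last time you trusted these networks (constructed).
PROFILES = {
    "CafeNoir":   {"security": "WPA2-PSK", "bssids": {"de:ad:be:ef:00:01"}},
    "HomeOffice": {"security": "WPA2-PSK", "bssids": {"00:11:22:33:44:55"}},
}


def check_network(ssid, scan, profiles):
    """Return a list of warnings for `ssid`; an empty list means nothing looked off."""
    warnings = []
    matches = [n for n in scan if n["ssid"] == ssid]
    if not matches:
        return [f"{ssid!r}: not seen in this scan"]

    profile = profiles.get(ssid)
    if profile is None:
        warnings.append(f"{ssid!r}: no saved profile; verify the exact name and login procedure with staff")

    # The same name offered with different security modes means at least one AP is not the real one.
    modes = {n["security"] for n in matches}
    if len(modes) > 1:
        warnings.append(f"{ssid!r}: advertised with mixed security modes {sorted(modes)}; one of them is likely an impostor")

    for n in matches:
        if profile:
            if n["security"] != profile["security"]:
                warnings.append(f"{ssid!r} from {n['bssid']}: security {n['security']} differs from saved {profile['security']}")
            if n["bssid"] not in profile["bssids"]:
                warnings.append(f"{ssid!r} from {n['bssid']}: unfamiliar BSSID")
        if n["security"] == "OPEN":
            warnings.append(f"{ssid!r} from {n['bssid']}: open network, traffic is readable by anyone in range")
    return warnings


if __name__ == "__main__":
    for name in ("CafeNoir", "HomeOffice", "AirportFreeWiFi", "Ghost"):
        for w in check_network(name, SCAN, PROFILES) or [f"{name!r}: looks as expected"]:
            print(w)
```

A BSSID can be spoofed too, so a clean result is not proof of authenticity; the check is there to catch the cheap impostor that only copies the name, which is the common case, and to make a downgrade from an encrypted to an open network impossible to miss.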

Keep an eye on further updates by subscribing to our mailing list.

How to regain control over the secret life of your most important app

TL;DR: Pretty much every website uses third-party code that could track you or be malicious. You can stop most of it, without giving up the website's functionality, by installing the browser extension described below and tuning it to your browsing habits. At the end of the article you'll find a way to obtain a configuration file that speeds the process up.

Modern web browsers have grown into creatures resembling, to a large extent, the very operating systems they run on. Yes, I'm looking at you, Chrome/ium. I haven't found any research on it, but I'd wager that almost all the people using desktops or laptops have a browser open in the background at any given time. As a consequence of their nature and footprint, browsers' attack surface is much bigger than that of any other regular application. Yet when you look at what drives them, it's mostly content outside your control! Unless you're submitting forms all day, the vast majority of requests initiated by your browser will be in response to external stimuli (scripts, frames, stylesheets and images referenced by the page you asked for), which are in turn likely to modify the Document Object Model (DOM).

Of course designers and programmers go to great lengths to mitigate those dangers, but paranoid, security-conscious individuals (and organizations) never like to place their safety so readily in the hands of others. Back in the days of using Windows as my primary operating system, I loved the feature of the ZoneAlarm firewall which displayed a notification any time any process tried to access the Internet, along with buttons to grant or deny the request. For a very long time it's been bugging me that I couldn't conveniently see and influence where my browser sends data. Thus, I was excited to discover that a similar concept had been implemented for Chrome and Firefox.

Enter the (u)Matrix

I stumbled upon uMatrix a couple of months ago. Unsurprisingly, it has been occupying the first place in my personal ranking of Firefox extensions ever since.

It evolved from http-switchboard, which was split into uBlock Origin and uMatrix itself. While uBlock works from pre-defined lists of requests to block, its cousin acts like a configurable firewall, preventing the browser from making certain types of requests in given contexts – the domains you visit. Let's say you visit your favourite blog, which loads some JavaScript off facebook.com. With uMatrix you can block exactly those requests without affecting content fetched from other domains when visiting that blog.

By default, there are no restrictions on loading anything from the domain you're visiting and its subdomains. All other domains, however, are restricted to serving only images and CSS. The extension also comes with several lists of known malicious and tracking domains from which nothing is fetched. It goes without saying that everything is configurable, and in fact pretty soon after uMatrix is first enabled you discover that it breaks the Internet.

With great power comes great responsibility

Isn’t it empowering to finally know all the places your browser is calling when you visit your favourites? Frankly, I never knew many of the blocked tracking domains existed. Some of them pop up in the dashboard regularly. That said, before you jump straight in and install uMatrix in every browser under your management, let’s take a look at the immediate repercussions of doing so.

Most places on the Web these days are better described by the word *application* than *website*. Media-rich content and large quantities of JavaScript abound. Unfortunately, that means that the experience of browsing those sites is going to be severely affected with the default settings of uMatrix. The effects range from disappearing or misaligned menus to completely broken apps like Google Docs to being greeted with a blank page. Yep, there are sites out there that just won't load at all without third-party JavaScript. Graceful degradation, anyone?

Usually once you’ve loaded a page and glanced at the dashboard it’s obvious what needs to be allowed to load. More often than not, however, loading one script causes a request to yet another (sub-)domain, so it may take up to six “allow-reload” cycles until you get the page fully working. In most cases, once the main page is okay you need to allow a couple more cells until the login area/form is functional, if the site has one.

Bending the rules

Naturally, the initial ‘learning’ phase depends on how many websites you visit most often. For me, after a week of regular browsing and adjusting the matrix I was able to return to my previous level of comfort. That is, with the added peace of mind that all the AdWords and Facebook tracking code is no longer following me everywhere I go.

I realise that a week of clicking around and mashing F5 (refresh) just to browse might seem to be too much. Therefore I want to share with you my curated rules file that you can import straight into uMatrix. It contains a minimal set of rules necessary for the following web apps sans tracking at the time of writing:

  • airbnb.com
  • amazon.com
  • atlassian.com
  • bitbucket.org
  • booking.com
  • currencyfair.com
  • disqus.com
  • docsend.com
  • easyjet.com
  • facebook.com
  • fast.com
  • github.com
  • google.com
  • klm.com
  • linkedin.com
  • mailchimp.com
  • mailgun.com
  • meetup.com
  • mouser.com
  • nationalexpress.com
  • nationalrail.co.uk
  • noip.com
  • opennic.org
  • openstreetmap.org
  • paypal.com
  • protonvpn.com
  • ryanair.com
  • skype.com
  • slack.com
  • toggl.com
  • trello.com
  • twitter.com
  • vimeo.com
  • whatsapp.com
  • youtube.com
  • zoho.com
  • zoho.eu

Fetching scripts from code.jquery.com and ajax.googleapis.com is allowed for all domains.

Furthermore, it enables referrer spoofing and User-agent spoofing for every domain. It makes it harder to fingerprint your browser and doesn’t break any of the sites I visit on a regular basis.
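For readers who want to see what such a file looks like before it arrives, here is an illustrative uMatrix rules file. It is added here and is not the author's curated file; it expresses the behaviour described in this section in uMatrix's own syntax, one rule per line as `source destination type action`, plus `switch: scope state` lines for the spoofing features. The default rows reproduce the extension's stock ruleset; the two CDN rows are the allowances stated above; the `example-blog.com` rows are an assumed per-site example, not taken from the author's configuration.

```text
# Switches: referrer and User-Agent spoofing in every scope, as described above
referrer-spoof: * true
ua-spoof: * true

# uMatrix stock defaults: third parties may only serve images and CSS,
# while the site you are visiting (1st-party) and its subdomains are unrestricted
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow

# The two CDNs allowed to serve scripts to every site
* code.jquery.com script allow
* ajax.googleapis.com script allow

# Per-site rules (assumed example): let Disqus load on one blog only;
# on every other site the default block for disqus.com still applies
example-blog.com disqus.com script allow
example-blog.com disqus.com frame allow
example-blog.com disqus.com xhr allow
```

Rules are imported through the uMatrix dashboard (My rules, then Import from file) and can be exported the same way, which is how a file like the one offered below is produced. Narrower scopes win over broader ones, so a site-specific `allow` overrides the global `block` without loosening anything elsewhere.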

Sign up to our newsletter to receive the configuration file along with the installation instructions! You’ve now got a foundation to build upon.

I hope this helps making your online identity less exposed, even if just by a tad. I’m waiting to hear about your experience of uMatrix!