Finally, I’m back. Hard to believe it’s been 5 years since I published my last post in October 2013. Many things have changed within half a decade, at a speed we had not foreseen: artificial intelligence, blockchain, smart devices, the Internet of Things (IoT), but hey, we still have not used up IPv4 addresses yet. Last but not least, the General Data Protection Regulation (GDPR) has come into force, DDoS attacks and ransomware have never been more prevalent, and Sundays are no longer the quietest day for incident responders.
On my return, I will be sharing some suggestions to better secure ourselves in the increasingly vulnerable and hyper-connected world we live in today. This month also coincides with National Cyber Security Awareness Month (NCSAM) in the States and CyberSecMonth in the EU. I have chosen to start with the smart home, as home is still the place where we spend most of our time, and we tend to let our guard down there regardless of our occupation. The suggestions depend largely on location, service availability, budget and the technical know-how needed to set them up, hence your mileage and their effectiveness will vary considerably. Let’s start!
Connectivity
Traditionally, we have been connecting all our gadgets (computers, smartphones, tablets, network attached storage) to a single internet router/access point (AP) from the service provider, wired or wirelessly; I will refer to these as primary devices. Then we gradually add other smart devices (speakers, refrigerators, TVs, media players, watches, CCTVs, baby monitors, etc. – I will refer to these as secondary devices) to the same network as the primary devices. It may not be so obvious that these new IoT devices are given little to no security protection throughout their lifecycle, from supply chain to software development, when compared to primary devices; their lack of rigorous quality assurance makes them an easy target for exploitation. To defend IoT security, it is forecast that US$ 3.1B will be spent globally in 2021, which is about 350% growth from 2016. How does that translate to consumers, rather than organizations? Consumers will have to make informed decisions with the resources at their disposal. The following options are ordered by difficulty/cost to achieve, 1 being easiest/cheapest and 3 most difficult/expensive. You can, of course, mix and match any option to your liking.
Option 1 – Set up dedicated networks (SSID) for secondary devices
Assuming most secondary devices are Wi-Fi enabled, this involves creating a new network ID (SSID) on the existing router/AP only for those devices. Note that a second SSID only helps if the router keeps it isolated from the primary network (a guest network or a separate VLAN); two SSIDs bridged onto the same LAN give no separation at all. In most cases, those devices operate on 2.4GHz rather than the 5GHz that most primary devices support, so separating them into different bands would also improve your overall wireless experience.
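As an added example (not the author’s configuration), here is what the dedicated SSID looks like on a Linux access point running hostapd: a second BSS on the same 2.4GHz radio, bound to its own bridge so that IoT clients never share a broadcast domain with the primary devices. The interface name wlan0, the bridge names br-lan and br-iot, and the passphrases are assumptions and placeholders; the bridges themselves must exist before hostapd starts.

```conf
# hostapd.conf – one radio, two BSSes (added example, assumed names)
interface=wlan0
driver=nl80211
hw_mode=g          # 2.4GHz, where most secondary devices live
channel=6
ieee80211n=1
wmm_enabled=1

# BSS 1: primary devices, bridged to the main LAN
ssid=home-primary
bridge=br-lan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-primary-passphrase

# BSS 2: secondary/IoT devices on their own bridge.
# Everything below this line applies to the second BSS only.
bss=wlan0_1
ssid=home-iot
bridge=br-iot
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-iot-passphrase
# Stop IoT clients from talking to each other over the AP.
ap_isolate=1
```

The bridge split is what provides the isolation; the firewall on the router then decides what br-iot may reach (internet yes, br-lan no). Without the separate bridge, the second SSID is only cosmetic.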
Option 2 – Set up tiered network with multiple routers/APs
This option requires an additional router/AP connected behind the main router, performing its own NAT separate from the existing router’s, so that devices behind it sit in a different private network from the primary devices.
Option 3 – Subscribe dual internet services and connect primary and secondary devices separately
This particular option is really meant for residents of Singapore, where houses have fibre termination points with 2 available connections. In Singapore, it is up to the users to get both ports activated and enjoy 1-10Gbps broadband from the same or different ISPs. The connection would be as in the diagram below.
Encryption
The devil is in the detail when it comes to encryption, and there is a continuing debate between privacy advocates and government legislators to find the right balance between protecting netizens and deterring criminals from abusing technology. As with connectivity, you have different options here too.
Option 1 – Use commercial VPN services
Every device connected to your home network goes through your ISP, and you can only imagine what kind of monitoring and agreements they would have with big brother. Be it out of concern for net neutrality or to maintain privacy rights, you should consider using a VPN service to encrypt your internet traffic. There are plenty of fast and reliable services which cover not only your home internet but also your mobile devices while you are on the road, so choose wisely.
Option 2 – Use encrypted messaging whenever possible
When combined with VPN usage, Tor could attract unwanted surveillance in certain countries and make you a target for enhanced spying. There have been many high profile cases involving the use of PGP; it is simply not a good tool for present and future privacy protection. WhatsApp and Signal have been introduced in recent years and prove more popular every day with their coveted end-to-end encryption.
Option 3 – Build your own VPN and encryption endpoints
Worried about the logs VPN service providers keep on you, regardless of their claims that they don’t? Fret not: you can build your own VPN in the country that you want with any cloud provider. You are in control of your budget, and it is flexible to set up and maintain your own VPN servers. Algo, an IPsec VPN, may be your first step in securing your internet traffic on Windows, Android, Apple and Linux devices; it supports all major cloud services: DigitalOcean, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway and DreamCompute, or an OpenStack based cloud host. Alternatively, OpenVPN is a solid choice if you want more speed out of the VPN connection with a UDP tunnel.
Smart-home ready security appliances
Not all of us have the same amount of time and technical knowledge to build a secure internet gateway or to monitor firmware updates for every device regularly. There comes a time when we bring in the big guns, based on their reputation or at least their strength in the market. Here is the tricky part about “market”: most device vendors only provide support or subscriptions in the US and some in the UK, with little presence in other markets, so that is the most limiting factor in truly realising their value.
Option 1 – Buy off the shelf devices and pay for service subscription
In this use case, Norton Core earns a worthy spot by incorporating the latest Wi-Fi and the enterprise level Global Intelligence Network (mostly known as GIN in security circles). It has all the standard features of consumer grade routers and sits between the broadband modem and your devices, wired or wireless. Of course, Norton isn’t the only player in the segment, so you can also choose from Bitdefender BOX, CUJO or F-Secure SENSE. Whether you have Windows, Apple or Android devices at home, you should consider installing anti-malware software on them, be it from a single vendor or one picked for each platform. Additionally, you will have to be vigilant about ransomware that threatens your invaluable memories and life’s work. Don’t forget to back up too.
Option 2 – You can do one better with open source security distros
Nowadays, you can get inexpensive barebone PCs with dual or triple network interfaces which can be used to build your own router, firewall, or both, depending on the operating system loaded onto them. One of the all-time favourite and well-known images is pfSense, based on the highly stable FreeBSD, which has led this category for a long time with ample features including VPN, firewall, dynamic DNS, wireless access point and traffic shaping. Again, you have other options such as IPFire, OPNsense and Sophos XG Firewall, and if you want a paid version, there is Untangle NG Firewall.
Option 3 – Configure custom Linux box with minimum packages
Being option 3 of this topic, you may get the idea that this will not be the easiest of the pack, but it will give you the highest flexibility in terms of the control you need to set up your own router or firewall. You can even use a Raspberry Pi if you wish, at least as a wireless access point/router for connections up to 100Mbps. Next, if you need high network bandwidth to fully utilise fibre broadband, i.e. 100Mbps to 1-10Gbps, you will need to spend more on the hardware. I’d suggest you can’t go wrong with mini-ITX (mITX) motherboards with PCI-E slots to seat 10G NICs. From there, you can add specific packages to meet your requirements: DNS, DHCP, proxy, content filtering, and so on. In my opinion, with the decreasing price of 10G switches and NASes, investing in a 10G native router/firewall is worth the trouble to future-proof your network.
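The firewall is the part of a custom Linux router that actually enforces the split between primary and secondary devices described under Connectivity (Option 1’s dedicated SSID and Option 2’s tiered network). As an added example, not the author’s configuration, here is an nftables ruleset for such a box: IoT devices may reach the internet and answer connections from the primary segment, but may not initiate anything towards it, and every blocked attempt is logged so you can see what a device is trying to do. The interface names eth0 (WAN), br-lan (primary devices) and br-iot (secondary devices) are assumptions; adjust them to your box.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a home router with a primary and an IoT segment.
# Assumed interfaces: eth0 = WAN towards the broadband modem/ONT,
#                     br-lan = primary devices, br-iot = secondary/IoT devices.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Both segments may use the router's own DNS and DHCP.
        iifname { "br-lan", "br-iot" } udp dport { 53, 67 } accept
        iifname { "br-lan", "br-iot" } tcp dport 53 accept
        # Management (SSH) is reachable from the primary segment only.
        iifname "br-lan" tcp dport 22 accept
        # Anything else, including everything arriving on eth0, is dropped.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Primary devices may reach the internet and the IoT segment
        # (e.g. to open a camera's web page); replies come back via ct state.
        iifname "br-lan" oifname { "eth0", "br-iot" } accept
        # IoT devices may reach the internet only.
        iifname "br-iot" oifname "eth0" accept
        # Anything the IoT segment tries towards primary devices is logged and dropped.
        iifname "br-iot" oifname "br-lan" log prefix "iot-to-lan-blocked: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Both segments share the WAN address, so this is also where
        # Option 2's "different NAT" lands when the two routers are one box.
        oifname "eth0" masquerade
    }
}
```

Load it with nft -f and check the log prefix in the kernel log (dmesg or journalctl -k) after a few days: a smart TV or camera repeatedly knocking on br-lan is exactly the kind of behaviour this split exists to contain. Because the two segments are separate broadcast domains, discovery protocols such as mDNS and SSDP will not cross between them; that is by design, and anything you want discoverable from the primary side needs an explicit reflector rather than a hole in the forward chain.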
Authentication
If anything attracts the most attention, it will definitely be authentication. We have lost over 517 million passwords from various data breaches and that number will only keep increasing. We have been acknowledging that passwords are dead; apparently that is not the case, despite embracing multiple methods of authentication inherited from the corporate realm, from tokens for VPN connections to soft-tokens embedded in modern banking apps. Personally, I was never a big fan of SMS OTP, and that is not going to change anytime soon, especially after SIM-swaps, the inconvenience while travelling, and the fact that the phone number could be used for other purposes beyond receiving OTPs.
So what is going to replace passwords? Luckily for us, there are upcoming standards, technologies and alliances which will bring password-less ecosystems to the masses. As with any new technology adoption, there will be wide ranging hindrances to implementing end to end secure authentication on devices, browsers and applications. You can start the transformation journey by getting familiar with security tokens like U2F smart keys, such as these from Yubico, Google or Kensington. If you haven’t enabled 2 factor authentication by now, this should be your next action!
Option 1 – Use a good password manager
How else are we supposed to remember “secure” passwords and enter them in websites or applications? I am not going to propose sticky notes under the keyboard here. Pick either a free or paid password manager, like KeePass, 1Password or LastPass, and check their compatibility with your requirements. Some can use U2F keys to unlock as added protection.
Option 2 – Switch to soft-tokens
While this is not something you can develop yourself and is entirely dependent on the companies we have a relationship with, it may be offered by banks, social networks and enterprise applications, so when you receive a notification to sign up for this service, do enrol immediately. At minimum, this will save you from carrying hardware tokens or paying roaming charges to receive SMS. Authy and Google Authenticator are by far the most commonly used in the consumer space.
Option 3 – Get yourself a security key and forget about passwords
Seriously, a good sensible choice you could make is to ditch passwords and use U2F MFA. For example, YubiKey now supports more than 100 services that link to almost every activity in our daily life, from Facebook to Dropbox, Windows to cryptocurrencies, and might have saved the US election. You can find out whether a service provider supports OTP or U2F from DongleAuth.
I guess I have touched on sufficient basic security awareness material in this post, from securing smart homes to protecting digital identities. I must borrow a line from flight safety announcements: save yourself before saving others; in the digital world, secure yourself before protecting others.
And hopefully, it will not take another 5 years for a new post. Till next time.