Home Network Segmentation: A Must In The IoT Era

Over my career, in addition to teaching computer science at the undergraduate and graduate levels at numerous universities, I have also created and managed some corporate cybersecurity education programs. In both I've found that getting the more critical concepts across to people is most effective when the message is personalized and can be applied at home as well as in their work.

Why Network Segmentation Makes Sense in Your Home 

Network segmentation is a simple concept that has been used by network administrators for decades, but only recently have we seen a real need to apply this concept in the home. There are a number of contributing factors:

1. The rapid growth of Internet of Things (IoT) devices being added to home networks.

2. The various levels of experience, support, and cybersecurity “baked into” these devices.

3. The high bandwidth needs of streaming services, like Netflix and Hulu, plus all of the additional IoT devices, are putting a strain on older home firewalls/routers.

A typical home network has one firewall router as shown below. This might be something purchased at Best Buy, Fry’s, Amazon or another retailer, or something sold or provided by an Internet Service Provider.

[Figure: flatnetwork.png, a typical flat home network with a single firewall/router]

This is called a flat network because there is no firewall or logical separation between any of the devices, so they can talk directly to every other device on the network.

This architecture was good when most homes just had a few computers—in the late 90s and early 2000s when mom and dad and two kids each had a laptop or desktop. In this era, people listened to mp3 players that synced music through a laptop and flip phones were all the rage. While some of these devices could access Internet data through a computer, they didn’t have Wi-Fi, or any direct access to the Internet.

The Smartphone Changed Everything

Then came the birth of the smartphone. Wi-Fi phones became prevalent and, in many situations, doubled the number of computers connected to the home router.

Next came smart TVs, smart light bulbs, smart <insert “thing” here>, and the age of the IoT. According to a 2017 study, North Americans have an average of 13 devices per person. That means a family of four has an average of 52 devices on their network. That may seem high, but most Americans don’t realize how much their home network has grown over the past 10 to 15 years, and they don’t realize that all of those “things” are actually computers. All of these devices have a network interface, storage, memory, processors and an operating system. Additionally, they are always connected to the Internet and are rarely patched.

Fundamental Risk of a Flat Network

Many IoT devices are just small Linux computers put in things like light bulbs, refrigerators and thermostats. Most of these devices don’t allow for automated patching and some don’t even allow manual patching. Because of this, it is fundamentally risky to keep all of your devices on a flat network.

One recent example is when a cybercriminal gained access to an Internet-connected thermometer in the lobby of an unnamed casino. Once they got access to the thermometer, the attackers were able to pivot the attack and gain access to the high roller database and "then pulled it back across the network, out the thermostat, and up to the cloud." This likely would not have happened with the appropriate network segmentation, firewalls and security controls.

Benefits of a Segmented Home Network

Network segmentation is a way to isolate devices on separate networks to achieve better sharing of throughput or bandwidth to the Internet, securing systems with more sensitive data, and separating systems from people and other systems that don’t have a need to connect to them. 

In the typical home, this can be achieved by using two more routers. You can see in the diagram below that they are plugged into the main router using standard ethernet cables. Both of the new routers offer wired and wireless connectivity. The network on the left is used for normal computing devices, including smartphones, laptops, printers, backup drives and any devices that have more sensitive data. This is also where you would create a guest network for visitors to your house. Built-in guest networks are great so that you can give Internet access to guests without giving them network access to your other computers or printers.

The network on the right is the IoT network. This is where you put devices that don’t store sensitive data and may not be updated regularly because the functionality doesn’t exist or because manual patching happens only when the owner of those devices can remember to do it.

Isolating Problems By Segmenting Networks

Another benefit to this architecture is more efficient use of bandwidth. Many people back up their laptops and desktops to network drives. Imagine that this backup is happening automatically in the evening when the laptop isn’t being used. At the same time, the parents are watching a movie on Netflix while one of them is printing a large document. One of the children is watching YouTube videos and the other is playing a video game on an Xbox. In the architecture above, all of that traffic runs through the one home router. In the below architecture, all the backups and printing happen behind the router on the left and the streaming is all run through the router on the right.

From a cybersecurity perspective, network segmentation works to isolate problems. If a laptop gets infected with malware, it won’t be able to get to the IoT network because the firewall is in front of that IoT network. The same is true if an IoT device is compromised: the firewall in front of the general network protects it from malware-infected IoT devices in the same house.

[Figure: SegmentedNetwork.png, two routers behind the main router, with the general network on the left and the IoT network on the right]

Of course, additional routers could be added if one would like to extend the layers of trust. Consider putting TVs and game consoles on separate networks from light bulbs and thermostats. Or put devices that get automatic updates on a separate network from those that don’t. That way if your smart fish tank thermometer is hacked, it can’t get to your backup drive.
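To make the reachability argument in this section concrete, here is an added example (not part of the original post) that models the flat and the two-router layouts and asks which devices can open connections to which. The device and network names and the single-router rule it uses (LAN-side hosts can initiate connections outward, WAN-side hosts cannot initiate inward) are assumptions of the example.

```python
# Added example, not from the original post. Each router is modelled with the
# usual SOHO default: hosts on its LAN side may initiate connections to each
# other and to anything on its WAN side, but nothing on the WAN side may
# initiate a connection inward. Device and network names are constructed.

# topology: network name -> the network on its router's WAN side (None = the Internet)
FLAT = {"main": None}
FLAT_DEVICES = {"laptop": "main", "backup_drive": "main", "thermostat": "main"}

SEGMENTED = {"main": None, "general": "main", "iot": "main"}
SEGMENTED_DEVICES = {
    "laptop": "general", "backup_drive": "general",   # behind the left router
    "thermostat": "iot",                               # behind the right router
    "printer_on_main": "main",                         # left plugged into the main router
}


def can_reach(topology, devices, src, dst):
    """True if src can initiate a connection to dst.

    src walks outward from its own network through each router's WAN side;
    dst is reachable only if it sits on one of those networks. Anything behind
    a sibling or child router is never reachable, because that router drops
    unsolicited inbound connections.
    """
    net = devices[src]
    while net is not None:
        if devices[dst] == net:
            return True
        net = topology[net]
    return False


def exposures(topology, devices, compromised):
    """Devices that a compromised host could initiate connections to."""
    return sorted(d for d in devices
                  if d != compromised and can_reach(topology, devices, compromised, d))


if __name__ == "__main__":
    print("flat:      thermostat ->", exposures(FLAT, FLAT_DEVICES, "thermostat"))
    print("segmented: thermostat ->", exposures(SEGMENTED, SEGMENTED_DEVICES, "thermostat"))
    print("segmented: laptop     ->", exposures(SEGMENTED, SEGMENTED_DEVICES, "laptop"))
```

The printer case is the caveat worth checking in your own setup: anything left plugged into the main router sits on the WAN side of both new routers, so both segments can still reach it.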

FBI Router Reboot Recommendation

By: Chuck Davis

@ckdiii

www.ckd3.com

As I am sure you have heard, the FBI is recommending that anyone with a home or small office router reboot it. If you are not familiar with this FBI recommendation, there are a few links at the end to get you up to speed.

The reason for the FBI's reboot recommendation is that a piece of malware, named VPNFilter, has infected hundreds of thousands of routers all across the Internet. Rebooting an infected router forces the malware to reload, which will initiate an attempted connection to malware command and control (C&C) servers. The FBI has already taken control of some, if not all, of the C&C servers, so the reloading of the malware will do two things.

  1. It will flush it from actively running on your router.
  2. When an infected router tries to connect to the C&C servers (taken over by the FBI), it will let the FBI know which systems are infected, and how many.

An alternative, and possibly better, solution is to reset your router to factory defaults, then set it up again as if it were new. This is usually accomplished by pushing a button on the router with a paperclip. Check your router documentation to learn how to do this.

ROUTER SET UP STEPS

Be sure you do the following things when you set up any small office/home office (SOHO) router.

  1. Change the default administration password to something long and strong. Use a passphrase or sentence, e.g. "My passphrase is 100x better than yours!" (Yes, you can likely use spaces in your passphrase.)
  2. Change the default SSID. You don’t need to make it difficult, just make it unique. Hackers love default values, so make sure you change it. Something like changing “Netgear” to “StreetNet100”. Stay away from a name that identifies you.
  3. Change the default wifi password. This is the password that devices need to know to join your wireless network.
  4. Use WPA2. WPA2 is the standard for encrypting WiFi connections. Never use "no encryption", WEP or WPA.
  5. Upgrade your router firmware!!!
  6. Turn off remote administration. You likely do not need to log into your router from the Internet, so turn it off.
  7. Turn off Wi-Fi Protected Setup (WPS). This makes it push-button easy to add devices to your wifi router. It’s also super easy to hack!
  8. DNS: If you are feeling bold and ambitious, you can change the DNS that your router uses (and the devices that connect to it) to something that adds some security features. By default, your router will use your ISP’s DNS. However, you can change it to anything you want. I would recommend 9.9.9.9 because it filters out known malware servers, and/or 1.1.1.1 and 1.0.0.1, which are fast and promote privacy. (See the links below to learn more.)
  9. Disable Universal Plug and Play (UPnP) unless you know you need it, and in any case make sure it is not accessible from the Internet.
  10. Once you are done with all of this, run the ShieldsUp! tool to see if your router looks to be vulnerable from the outside. https://www.grc.com/shieldsup
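Applied to a concrete (constructed) configuration, the checklist above becomes the audit below. This is an added example, not the post's own code; the setting names, the sample values and the 16-character passphrase minimum are assumptions.

```python
# Added example, not from the original post: audit a router's settings against
# the checklist above. SETTINGS is a constructed sample and its key names are
# assumptions (every router exports configuration differently); the 16-character
# minimum for the admin passphrase is also an assumption.
RECOMMENDED_DNS = {"9.9.9.9", "1.1.1.1", "1.0.0.1"}                 # from the post
VENDOR_SSID_PREFIXES = ("netgear", "linksys", "tp-link", "dlink")    # illustrative

# Constructed sample: a router "set up" by leaving most factory values in place.
SETTINGS = {
    "admin_password": "password", "factory_admin_password": "password",
    "ssid": "NETGEAR42",
    "wifi_password": "s3cret-wifi", "factory_wifi_password": "wild-tree-123",
    "wifi_security": "WPA",
    "firmware_version": "1.0.2", "latest_firmware_version": "1.0.9",
    "remote_admin": True, "wps": True, "upnp": True, "upnp_wan_exposed": False,
    "dns_servers": ["192.0.2.53"],     # ISP resolver (constructed TEST-NET address)
}

def audit(s):
    """Return (severity, setting, message) triples: FAIL must be fixed, INFO is optional."""
    out = []
    if s["admin_password"] == s["factory_admin_password"] or len(s["admin_password"]) < 16:
        out.append(("FAIL", "admin_password", "factory value or shorter than 16 characters"))
    if s["ssid"].lower().startswith(VENDOR_SSID_PREFIXES):
        out.append(("FAIL", "ssid", "looks like a vendor default name"))
    if s["wifi_password"] == s["factory_wifi_password"]:
        out.append(("FAIL", "wifi_password", "still the factory value"))
    if s["wifi_security"] != "WPA2":
        out.append(("FAIL", "wifi_security", s["wifi_security"] + " in use; use WPA2"))
    if s["firmware_version"] != s["latest_firmware_version"]:
        out.append(("FAIL", "firmware", "%s installed, %s available"
                    % (s["firmware_version"], s["latest_firmware_version"])))
    if s["remote_admin"]:
        out.append(("FAIL", "remote_admin", "reachable from the Internet; turn off"))
    if s["wps"]:
        out.append(("FAIL", "wps", "enabled; turn off"))
    if s["upnp"] and s["upnp_wan_exposed"]:
        out.append(("FAIL", "upnp", "answers on the WAN side; must not be Internet-accessible"))
    elif s["upnp"]:
        out.append(("INFO", "upnp", "enabled on the LAN; disable unless something needs it"))
    if not RECOMMENDED_DNS & set(s["dns_servers"]):
        out.append(("INFO", "dns", "using the ISP resolver; 9.9.9.9 or 1.1.1.1 add filtering/privacy"))
    return out

def failures(s):
    """Just the settings that must be changed before the router goes back online."""
    return [setting for sev, setting, _ in audit(s) if sev == "FAIL"]
```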

BONUS TIP: For those of you who are a bit more adventurous and/or paranoid, you might try the three router configuration for your home network. This is where you put two routers behind your main router. One is for IoT devices and the other is for your computers, phones, backup drives, etc. This architecture creates network segmentation between the IoT devices and the devices that hold your data.

If you are in the market for a new router, I would recommend the Amplifi router for most people. https://amplifi.com/ 

References:

https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/

https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html

https://www.pcmag.com/news/361373/malware-that-can-brick-wi-fi-routers-hits-500-000-devices 

https://1.1.1.1/

https://www.quad9.net/

https://www.grc.com/shieldsup 

Anatomy of a Phishing Attack

Phishing is the use of social engineering to obtain personal information for the purposes of identity theft. Phishing typically comes in the form of an email, disguised to look as if it was sent by a trusted source, and requesting personal information or authentication credentials.

As the tools to detect phishing become more effective, the phishing attacks themselves are becoming increasingly advanced and more difficult to identify.

This paper will show how a recent phishing attack from October 31, 2012, is representative of the type of attack that is not detected by spam filters and is likely to trick many recipients. 
