Network Security Archive

The UK to mandate security standards for home network routers and smart devices

Articles

UK mulls security warnings for smart home devices | Engadget

New UK Laws to Make Broadband Routers and IoT Kit More Secure | ISP Review

From the horse’s mouth

UK Government – Department of Digital, Culture, Media and Sport

Plans announced to introduce new laws for internet connected devices (Press Release)

My Comments

A common issue that is being continually raised through the IT security circles is the lack of security associated with network-infrastructure devices and dedicated-function devices. This is more so with devices that are targeted at households or small businesses.

Typical issues include use of simple default user credentials which are rarely changed by the end-user once the device is commissioned and the ability to slip malware on to this class of device. This led to situations like the Mirai botnet used for distributed denial-of-service attacks along with a recent Russia-sponsored malware attack involving home-network routers.

Various government bodies aren’t letting industry handle this issue themselves and are using secondary legislation or mandated standards to enforce the availability of devices that are “secure by design”. This is in addition to technology standards bodies like Z-Wave who stand behind logo-driven standards using their clout to enforce a secure-by-design approach.

Netgear DG834G ADSL2 wireless router

Home-network routers will soon be required to have a cybersecurity-compliance label to be sold in the UK

The German federal government has taken a step towards having home-network routers “secure by design” by having the BSI, the country’s federal office for information security, define the TR-03148 secure-design standard for this class of device. This addresses minimum standards for Wi-Fi network segments, the device management account and user experience, along with software quality control for the device’s firmware.

Similarly, the European Union have started on the legal framework for a “secure-by-design” certification approach, perhaps with what the press describe as an analogy to the “traffic-light” labelling on food and drink packaging to indicate nutritional value. It is based on their GDPR data-security and user-privacy efforts and both the German and European efforts are underscoring the European concern about data security and user privacy thanks to the existence of police states within Europe through the 20th century.

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

… as will smart-home devices like the Amazon Echo

But the UK government have taken their own steps towards mandating home-network devices be designed for security. It will use their consumer-protection and trading-standards laws to have a security-rating label on these devices, with a long-term view of making these labels mandatory. It is in a similar vein to various product-labelling requirements for other consumer goods to denote factors like energy or water consumption or functionality abilities.

Here, the device will have requirements like proper credential management for user and management credentials; proper software quality and integrity control including update and end-of-support policies; simplified setup and maintenance procedures; and the ability to remove personal data from the device or reset it to a known state such as when the customer relinquishes the device.

Other countries may use their trading-standards laws in this same vein to enforce a secure-by-design approach for dedicated-function devices sold to consumers and small businesses. It may also be part of various data-security and user-privacy remits that various jurisdictions will be pursuing.

The emphasis on having proper software quality and integrity requirements as part of a secure-by-design approach for modem routers, smart TVs and “smart-home” devices is something I value. This is due to the fact that a bug in the device’s firmware could make it vulnerable to a security exploit. As well, it will also encourage the ability to have these devices work with highly-optimised firmware and implement newer requirements effectively.

At least more countries are taking a step towards proper cybersecurity requirements for devices sold to households and small businesses by using labels and trading-standards requirements for this purpose.


Another router answers the needs for a secure home network

Article

eero: A Mesh WiFi Router Built for Security (Product Review) | Krebs On Security

My Comments

A common issue raised in relation to home-network routers is that they aren’t really designed for security. It applies more to the equipment that is sold through the popular retail locations like the electronics chains.

This is due to issues like firmware that isn’t always kept up to date along with an insecure “out-of-box” management-console login experience. The latter situation manifests typically in the form of a default username and password that is common across a product range rather than unique to each device.

The eero router which is effectively a Wi-Fi mesh system has answered these issues courtesy of the following: firmware that is updated automatically and a secure-setup routine based around an enabling code sent to your phone. The former method has been practised by AVM with their latest firmware for the Fritz!Box routers with these devices automatically updating. The latter method has been practised through the use of a mobile-platform app where you enter your name, email address and mobile phone number. This requires you to receive a one-time password from your smartphone by SMS. You enter this to the mobile app before you determine your home network’s ESSID and passphrase.

This kind of login experience for the management Web page could be very similar to a well-bred two-factor authentication routine that comes in to play for some online services whenever you add another device or, in some cases, as you log in. Here, the FIDO U2F standard or support for Google Authenticator could be implemented in a router to permit secure login to the management page.
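To make the Google Authenticator suggestion concrete, here is an added example (not code from the original post, nor from eero, AVM or any router vendor) of the RFC 6238 time-based one-time-password check that a router’s management page would perform when a user types the six-digit code from their phone. The base32 enrolment secret, the function names and the one-step skew window are assumptions for the demonstration; the secret used is the published RFC 4226/6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app receives at enrolment.
    Padding is restored because QR codes and apps commonly omit it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, as Google Authenticator uses)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    binary = (((mac[offset] & 0x7F) << 24)
              | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8)
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side, to
    tolerate clock drift between phone and router. Every candidate is evaluated
    with a constant-time comparison so timing does not leak which step matched."""
    if unix_time is None:
        unix_time = int(time.time())
    current = unix_time // step
    matched = False
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, len(submitted) or 6), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed enrolment secret: the RFC 6238 test key "12345678901234567890" in base32.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code for this 30-second step:", totp(key, int(time.time())))
    print("RFC 6238 vector at t=59:", totp(key, 59))
```

A router that stores the secret would also need to persist the last accepted counter and refuse a code that was already used within the window, and to rate-limit failed attempts, since a six-digit code has only a million possibilities.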

As for Wi-Fi implementation, this router implements a proprietary mesh technology with each extender implementing separate radio transceivers for both the backhaul link and the client-side link. This allows for full bandwidth to be served to the Wi-Fi client devices. Each router device also has two Ethernet ports with one of those being configured for WAN (Internet) connection. Personally, I would like to see both ports switch to LAN mode on an eero router if it is serving as a repeater. This would earn its place with video peripherals, printers or desktop computers.

What I see of this is a step in the right direction for improved security for small networks and other manufacturers could learn from eero and AVM in working on a secure setup routine along with automatically-updated firmware.


New online-abuse Website launched in the UK

Articles

UK government tackles online abuse with anti-trolling website | We Live Security blog (ESET)

Cyberbullies: Anti-trolling website launched to help victims | The Independent

Government launches anti-trolling website to help victims of online abuse | The Guardian

Previous Coverage

What can you do about people who use the Social Web to menace

Dealing with Internet trolls

From the horse’s mouth

Stop Online Abuse (UK-based)

My Comments

The UK government have launched a Website focusing on online abuse and how to deal with it, including legal remedies and resources.

It is focused more towards women and the LGBT (gay/lesbian/bi/trans) community who are facing these issues because, from various surveys, these user groups are often copping it the most. This covers online abuse related to domestic violence, sexism and sexual harassment, along with homophobia and related anti-LGBT abuse. But there are other situations where people do suffer in silence such as general racism, issues-focused or business-level disputes.

I see the “Stop Online Abuse” website applying to all situations where the Internet is involved and a lot of the commentary is very generic. But I do see some limitations with the legal remedies because there may be difficulties with applying them when situations happen across jurisdictions as is the norm with the Internet.

For example, the crime of “sending messages using any public electronic communications network such as Twitter or Facebook, which are grossly offensive or of an indecent, obscene or menacing character” that is part of the UK’s Communications Act 2003 may have a legal equivalent in your jurisdiction. This may be in the form of one or more national communications statute that proscribes the use of a communications service or “common carriage service” to harass others. Similarly, there are court injunctions that were cited for the UK like the Family Law Act 1996 Non-Molestation Order or the Protection From Harassment Act 1997 restraining order that have equivalents under your jurisdiction’s criminal, civil or family law but with different names.

It is worth contacting your local citizens’ advice bureau or similar government or voluntary organisation for more resources. In fact, locating an organisation that specialises in your particular circumstances like a domestic-violence support organisation may provide you with better information suited to your exact needs.

Similarly, it is a wise move for these organisations to “bone up” on the issue of online abuse so they can provide the right advice to suit their clients’ situations and needs. National, regional and local governments along with the judiciary can also see this site as a chance to provide a Web-hosted “one-stop shop” for their constituents to know more about these issues. This is in addition to creating legislative remedies for online-abuse problems. As well, as each case is litigated in a family, criminal or civil context, the knowledge created from the legal action can be used to tackle this situation better in the courtroom.


The French have fielded another alternative to TrueCrypt

Article (French language / Langue Française)

VeraCrypt, une alternative française à TrueCrypt | Le Monde Informatique

From the horse’s mouth

Idrix

VeraCrypt product page

My Comments

TrueCrypt is a source-available encryption engine used primarily in Windows 7 and 8 as part of the BitLocker volume encryption function that the operating systems offer. Lately, further maintenance of this encryption engine had ceased with accusations of the likes of NSA putting pressure on the developers to cease maintaining it.

A few other third-party encryption engines have surfaced from Europe such as the VeraCrypt engine from France and a fork of this engine constructed in Switzerland. This is in response to Europeans having a distrust for “big government” having access to personal data due to being burnt by the Hitler, Mussolini and Franco regimes in the West and the Communist governments in Russia and the East.

Idrix has worked on the French VeraCrypt project which is pitched as being easy to use for small business, non-profit organisations and individual users. Like all encryption software, it doesn’t support the ability to “trans-crypt” i.e. convert an encrypted volume over to another encryption mechanism.

It will be initially issued for the Windows regular-computer platform but a port is being expected soon for the MacOS X (Apple Macintosh) and Linux platforms. As well, it is being made available for free and as open-source software.

But what I see of this is an attempt for European companies to “break through” the US stranglehold that can accompany the computer software scene and for European culture and norms to be respected in this field.


Samsung’s Knox security platform available to consumers and small business

Article

Samsung opens up Knox security platform to all consumers

From the horse’s mouth

Samsung

Product Page

Lookout

Press Release

Product Page

My Comments

With the increased trend for BYOD and smartphone/tablet-based computing, there has been the call for mobile device management and mobile application management in order to achieve the goal of corporate data security.

Typically the solutions that are being offered out there are very costly and require an in-house information-technology team to manage them. This also includes the requirement to implement corporate messaging systems like Microsoft Exchange ActiveDirectory and use them as data hubs for these systems. This kind of situation may not appeal to personal users who value the security of their personal data. Nor does it work well for small organisations where one person is effectively the “chief cook and bottle-washer” for that organisation. You may be lucky to benefit from this technology if you deal with an IT value-added reseller that works with these systems and pitches them to these organisations.

But the security realities are still the same, especially with personal data or if your business hub is your briefcase, a corner of a room at home, a small office, or a small shop.

Here, Samsung has opened up the Knox security platform for their Galaxy-based Android mobile devices in a manner that makes the platform available to everyone by partnering with Lookout. It implements sandboxing so you can corral private data and have it treated more securely compared to other data. This includes allowing applications that you pre-approve to touch that data and limiting what they can do to the data. For larger business setups, it could allow business data to be “wiped off” the smartphone when a user leaves the business without personal data being affected, but this context could also be implemented when a smartphone is being retired from active service or you effectively “hand the keys over” to someone else as part of selling your business.

One question that may need to be asked is whether this solution may allow many data corrals so you as a small-business operator or professional have greater control over data such as intellectual property that pertains to different contracts or a person who has business work but also does volunteer work for a charity.

At least Samsung have taken the step to offer enterprise-desired security solutions to the “rest of us” rather than fencing it off for the “big end of town” and is something that could be encouraged for data security or similar application classes.


The issue of cybercrime now reaches the national level

Article (Broadcast transcript)

HACKED! – Four Corners (ABC) Video and transcript through this link

Previous coverage on HomeNetworking01.info

Interview and Presentation–Security Issues associated with cloud-based computing (Interview with Alastair MacGibbon and Brahman Thyagalingham)

Symantec Symposium 2012 – My Observations From This Event

My Comments

I had watched the Four Corners “Hacked” broadcast concerning data security and cyber espionage, which encompassed the issue of the cyber attacks affecting nations as a whole.

The show had touched on a few key points, some of which were raised in the previous events that I attended. Here, it underscored the factor of hacking being part of espionage by nation-states like China. The targets of this espionage were intellectual-property belonging to private-sector companies or government departments, especially where military information was involved.

Example incidents include the recent theft of blueprints for ASIO’s new offices along with a cyber attack against Codan who is an electronics supplier to Australian and allied defence forces. The tactics that were used against Codan included use of a public-access Wi-Fi network to install malware on a laptop belonging to a representative of that company when they visited China, along with a “spear-phishing” attack on their email. It also underscored the fact that it is not the entity’s computer networks that are at risk but the “crown jewels” i.e. the key intellectual property that belongs to the entity.

The same show also underscored the use of malware to target essential-services systems like a nuclear enrichment plant in Iran and an Indian telecommunications satellite. Here, they raised the spectre of electricity grids, telecommunications backbones and similar infrastructure being targeted by sophisticated cyber attacks. This becomes more real as most essential-services systems become computer-controlled and connected to the Internet and I would like to see the issue of these systems designed with fail-safe operation in mind such as working offline and providing the core services at known specifications if things go wrong online.

Later on in this show, Alastair MacGibbon had called for the Australian government to require businesses and other organisations to publicly disclose cyber attacks and wanted this across the board for all entities. This was previously underscored by him through the interview and presentation where he described Australia’s data protection laws as being careless as typical of the “She’ll Be Right” nation.

The Australian Government had improved their data-protection laws by tabling bills that require cyber-attack disclosure on the larger public companies rather than all companies.

As well, the issue of cyber espionage by nation-states was being considered as the equivalent of wartime activities like nuclear war and treatment of civilians and needed to be tackled on an international level in a similar way that other similar wartime activities have been dealt with. Personally, I see the latest cyber-attacks, especially those emanating from countries that were behind the Iron Curtain, as the makings of another “Cold War” and these have to be treated accordingly.


Facebook uses the trusted-person concept to help you get back to your account

Articles

Locked Out Of Your Facebook Account? Trusted Contacts Will Save You | Gizmodo Australia

Facebook puts account security in the hands of your friends |CNet

My Comments

Commonly most of us leave a set of keys for our home with someone else that we trust like a close friend or neighbour. This is to allow us to get back in to our home if we lock ourselves out, which can be easily done if you can lock that front door without the need for a key typically by flicking a thumbturn or pressing a button.

Facebook has taken this practice to their account-security procedures by allowing us to work with a “trusted person” to gain access to our accounts. Here, you let Facebook know the contact details of the three to five trusted people and if a lockout occurs, Facebook would send the codes to these people and you contact these people preferably via phone or SMS for these codes. This can come in handy with older people who forget their Facebook credentials or if someone’s account was hacked and the password was changed.

Facebook are in a position to do this not just because of them being a highly-popular social network but users are using their Facebook parameters to sign in to a large number of consumer-oriented Websites and mobile apps. I wouldn’t put it past Microsoft or Google to implement this in to their account systems, especially more so with Microsoft using the Web-hosted credentials as the key to our Windows 8 computers.


Password-vault software can work well but needs to go further

As I was reviewing the Fujitsu Lifebook SH771 business ultraportable computer lately, I had a chance to use the Fujitsu-supplied Softex Omnipass password vault that came with this computer. It worked with the Fujitsu laptop’s fingerprint reader to permit a “login-with-fingerprint” experience for the sites I regularly visit. For example, I was logging in to Facebook, this site’s admin panel, LinkedIn, the ProBlogger forum and the like simply by swiping my finger across that laptop’s fingerprint sensor.

What is a password-vault program

A password-vault program stores the passwords you need for various applications and online services in an encrypted local file which I would describe as a “keyring file” and inserts the correct usernames and passwords in to the login forms for the applications and Web sites. You can only get to this password list if you log in using a master password or similar credentials.

This works well with a security-preferred arrangement where you create separate passwords for each online service that you use and avoid using single-sign-on options of the kind that Facebook and Google offer with other sites. Some of these programs work with varying authentication setups such as a fingerprint reader or a smart card. They can even support two-factor authentication arrangements like using your fingerprint or a Trusted Platform Module token as well as you keying in your master password for a high-security operating environment.

Some of these programs also have a password-generation module so that you can insert a random high-security password string in to the “New Password” and “Confirm New Password” fields of a password-change form.
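The three ingredients just described, an encrypted “keyring” file, a master password that unlocks it, and a random password generator for change-password forms, are shown together in the following added Python example. It is not code from the original post or from Softex Omnipass or any other vault product; the file layout, function names and the 200,000-iteration PBKDF2 setting are assumptions for the demonstration, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the AES-GCM style authenticated cipher a real vault should use.

```python
import hashlib
import hmac
import json
import os
import secrets
import string
import tempfile

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
KDF_ITERATIONS = 200_000   # assumed work factor; raise it as hardware allows


def _derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into one key for encryption and a separate key for the MAC."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a fresh nonce per file keeps the stream unique."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal_keyring(master_password: str, entries: dict) -> bytes:
    """Serialise the site -> credential map as JSON, encrypt it, then MAC the result.
    File layout: salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_keyring(master_password: str, blob: bytes) -> dict:
    """Check the tag before decrypting: a wrong master password and a tampered file
    both fail here, so no plaintext is ever produced from bad input."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or keyring file has been altered")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def unlocks(master_password: str, blob: bytes) -> bool:
    """True only if this master password opens the keyring and it is intact."""
    try:
        open_keyring(master_password, blob)
        return True
    except ValueError:
        return False


def generate_password(length: int = 20) -> str:
    """Random high-entropy password for a site's change-password form, drawn from
    the `secrets` module rather than `random`, which is not suitable for secrets."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entry; the site name and credentials are not real.
    keyring = {"mail.example.invalid": {"username": "alice", "password": generate_password()}}
    master = "correct horse battery staple"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "keyring.bin")
        with open(path, "wb") as fh:
            fh.write(seal_keyring(master, keyring))
        with open(path, "rb") as fh:
            print(open_keyring(master, fh.read()))
```

Because the salt, nonce and tag travel inside the blob, the same file can be copied to a USB key and opened on another computer with nothing but the master password, which is the portability the “keyring” idea depends on.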

The login experience with these programs

When a password-vault program is running, it works with the browser or some applications to detect login screens. Then, you can set them to capture your user credentials from the login screen, typically by invoking a “Remember Password” function.

Then, when you subsequently log in to the Website, you authenticate yourself to the password vault with your Master Password, fingerprint or whatever you set up and the program logs you in to that site with the correct username and password for that site. Some programs may require you to authenticate when you log in to the computer or start the Web browser and persist the authentication while you are browsing the Web.

You can have a situation where the behaviour of these programs can be very inconsistent with capturing or supplying passwords. For example, it can happen with single-sign-on user experiences, admin-level / user-level setups or some newspaper paywalls that show the extra information after you log in. The same situation can occur with applications that the password-vault program doesn’t understand like some content-creation tools that allow uploading of content to a Website.

When can they be handy

The password-vault program can be handy if you maintain many different passwords for many different applications and Web sites; and you want to log in to them without trying to recall different passwords for different sites.

They also come in to their own if you are using a computer setup that uses advanced authentication setups like most business laptops and you want to exploit these features.

What needs to be done

An improved user experience for these programs could be provided in a few ways. For example, there could be a standard “hook” interface that allows a password vault to link with the login experience without it looking for “username-password” forms when catching or supplying user credentials. This can deal with the way paywall setups expose the full article on the same screen after you log in; or other difficult login environments. Similarly, the standard API could also work with desktop applications that require the user credentials.

Similarly, there could be support for a standard file format and public-key encryption setup to allow a “keyring” file to be used with different password-vault programs. This could also cater for transporting authentication parameters between two different programs; and could allow the “keyring” to be used on different computers. It is more so if you offload the “keyring” file to a USB memory key that is on the same physical keyring as your house keys for example.

Conclusion

I would like to see further innovation occurring with “password-vault” programs, whether as third-party software or as part of an operating system, browser or desktop-security program. This is to encourage us to keep our computing and online experience very secure as it should be.


The newly-discovered security risk in all-platform runtime environments

Introduction

The recent security scare with the Apple Macintosh platform and its exposure to the Flashback malware was centered around the use of Java on this platform, rather than being targeted directly using native code. But there have been similar risks targeted at this platform but this time using the Adobe Flash runtime environment.

Previously the typical computer’s operating system, desktop-productivity software and default Web-browsing environment has been targeted by malware writers. This has been more so with software that is used by many people, like Microsoft’s Windows XP operating system and Internet Explorer Web browsers.

But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.

So malware authors are now turning their arrows towards the multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or this component is rolled in to some computing platforms.

These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.

One main problem – Java and how it is maintained on the Macintosh

The Java runtime environment used to be delivered with the Windows platform until 2004 due to a legal agreement between Sun and Microsoft regarding an anti-trust issue. Now Windows users pick up the runtime code from Oracle’s Java website now that Oracle have taken over the Java environment from Sun.

But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system until “Snow Leopard” or as a separate download from their Website for subsequent users.

For both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, it, like the Adobe Flash runtime, has to be updated separately.

Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java runtime, and they can set up the Java installer software to apply the latest version automatically or let them know of updated Java runtimes. But Apple don’t pass on new updates for the Java runtime to MacOS users as soon as Oracle release them.

What Apple should do is pass on the Java runtime updates as soon as Oracle releases them. This could involve Apple ceding the management of the MacOS X Java runtime to Oracle and writing any necessary integration code to support co-ordinated maintenance of this runtime on the Macintosh platform.

What users can do with these runtime environments

Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run-anywhere” platforms by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through various options offered by the installer.

But do you need to keep any of these runtime environments on your regular computer? You could do without it but some vertical, enterprise and home software requires the use of these runtime environments. In some cases, some developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.

For example, YouTube, most browser-hosted games and file-transfer interfaces for Websites implement Adobe Flash Player, while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.

If you are not likely to be running any programs that depend on a runtime environment regularly, or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.

What can the industry do

Use of computer security software to protect against runtime-environment attacks

A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.

This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.

This could be achieved through the use of plug-in modules for current desktop and appliance-level security applications; or for modules that connect to the runtime environments, observing for abnormalities in the way they handle computer resources.

Development of enhanced runtime environments that work with the host operating system’s security logic

It can also be feasible for the runtime environments to work tightly with the operating-system’s user access management and prevent the programs that work behind them from using resources unless they are explicitly allowed to. This could involve use of sandboxes or privilege levels that mimic the operating system’s privilege levels thus working at the lowest level unless they have to work higher.

Consistent and responsive updating of the runtime environment across all platforms

Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.

This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.

Allow design-time native-binary compiling for desktop Java

Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.

It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.

Conclusion

Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and make them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.


Apple has now released a software fix for the Flashback trojan

Articles

A look at Apple’s Flashback removal tool | MacFixIt – CNET Reviews

Apple releases fix for Flashback malware | Engadget

Downloads – Apple’s support Website

Java Update for MacOS 10.6

Java for MacOS Lion

My Comments

Apple has reacted to the groundswell of concern about the recent Flashback malware and have issued updates to its Java runtime environment for both MacOS Snow Leopard and Lion.

Here, they have implemented a check-and-remove routine for this Trojan as part of the installation routine for the new Java runtime environment. For most Macintosh users, this will simplify the process of removing any existence of this malware as well as keeping this runtime environment up-to-date.

The CNET article also gave a detailed review of what goes on as well as how to fix situations if the installation takes too long and the procedure hangs. As I have posted previously, Apple could improve on the issue of providing system maintenance and desktop security software so that Mac users can keep these systems in good order.
