Tag: data security

Keeping hackers away from your Webcam and microphone

Article

Creative Labs LiveCam Connect HD Webcam

Software now exists so you can gain better control over your Webcam

How To Stop Hackers From Spying With Your Webcam | Gizmodo

My Comments

A privacy issue being raised about cameras and microphones connected to your computer is that malware could be written to turn your computer into a covert listening device.

Those of us who use a traditional “three-piece” desktop computer with a physically-separate external Webcam may find this an easier issue to deal with because you can simply disconnect the camera from your computer. But the risk of your Webcam or your computer’s microphone being hacked to spy on you is a concern for those of us who have the camera or microphone integrated in the computer, as with portable or all-in-one equipment, or in the monitor, which is something display manufacturers could offer as a product differentiator.

The simplest technique that has been advocated to deal with this risk is to attach an opaque sticker or opaque sticky tape over the camera’s lens. Some computer and monitor manufacturers have approached this problem using a panel that slides over the Webcam as a privacy shield. But you wouldn’t be able to control the use of your computer’s integrated microphone unless it had a hardware on-off switch.

Most of the mobile computing platforms require newly-installed software that wants to use the camera, microphone, GPS device or other phone sensors to ask permission from the phone’s owner before it can be installed or use these devices. The Apple iOS App Store even vets software to make sure it is doing the right thing before it is made available through that storefront and this is also becoming so for software sold through the Google Play Android storefront and the Microsoft Store Windows storefront.

Lately there have been some software solutions written for the Windows and Macintosh platforms that allow you to take back control of the camera and microphone due to the fact that these regular-computer platforms have historically made it easier for users to install software from anywhere. But I would also suggest that you scan the computer for malware and make sure that all of the software on the computer, including the operating system, is up-to-date and patched properly.

One of these solutions is Oversight, which has been written for the Macintosh platform and can detect if software is gaining access to your Mac’s Webcam or microphone. It can also detect if two or more programs are gaining access to the Webcam, which is a new tactic for Webcam-based spyware because it can take advantage of people using the Webcam for business and personal videocalls and record these conversations. The user has the ability to allow or block a program’s access to the Webcam or microphone.

For the Windows platform, a similar program called “Who Stalks My Cam” detects events relating to your computer’s Webcam such as software wanting to acquire material from it. It gives you the ability to stop a running program that is using the Webcam or to shut down the Webcam process. There is also the ability to track processes that are running while the computer system is idle, because some spyware processes can be set up to come alive when the system isn’t being actively used. The program even allows you to “whitelist” programs that you trust, like over-the-top communications programs or video-recording software, so that it doesn’t get in their way.

The ability to track usage of attached / connected cameras and microphones or similar hardware like GPS units by software running on your computer will end up becoming part of a typical desktop/endpoint security program’s feature set as people become concerned about the use of these devices by spyware. This is in conjunction with operating systems also hardening access to devices that can be used to spy on their users by implementing software certification, sandboxing, privileged access and similar techniques.

It is definitely another threat vector that we are being concerned about when it comes to data security and personal privacy.

EU wants to establish a security baseline for Internet Of Things

Article

Netgear DG834G ADSL2 wireless router

The security of network connectivity equipment is now in question thanks to the Krebs On Security DDoS attack

The EU’s latest idea to secure the Internet of Things? Sticky labels | Naked Security Blog

My Comments

The European Commission wants to push forward with a set of minimum standards for data security especially in context with “dedicated-function” devices including the “Internet Of Things” or “Internet Of Everything”. This also includes a simplified consumer-facing product-label system along with a customer-education program very similar to what has taken place in most countries concerning the energy efficiency of the appliances or the nutritional value of the foodstuffs we purchase.

This issue has been driven by a recent cyber attack on the Krebs On Security blog where the “Mirai” botnet was used to overload that security blog, the latest in a string of many attacks that were inflicted against data-security journalist Brian Krebs. But this botnet was hosted not on regular computers that were running malware downloaded from questionable Internet sites, nor was it hosted on Web hosts that were serving small-time Websites running a popular content management system. It was based on poorly-secured “dedicated-function” devices like network-infrastructure devices, video-surveillance devices, printers and “Internet Of Things” devices that had their firmware meddled with.

Nest Learning Thermostat courtesy of Nest Labs

… as could other Internet-Of-Things devices like these room thermostats

There will be issues that concern how we set network-enabled equipment up to operate securely along with the level of software maintenance that takes place for their firmware. A question always raised in this context is the setup or installation procedure that you perform when you first use these devices – whether this should be about a “default-for-security” procedure like requiring an administrator password of sufficient strength to be set before you can use the device.

But I also see another question concerning the “durables” class of equipment like refrigerators, televisions, building security and the like which is expected to be pushed on for a long time, typically past the time that a manufacturer would cease providing support for it. What needs to happen is an approach towards keeping the software maintained such as, perhaps, open-sourcing it or establishing a baseline software for that device.

Manufacturers could be researching ways to implement centralised simplified secure setup for consumer “Internet-Of-Things” devices along with maintaining the software that comes with these devices. This could be also about working on these issues with industry associations so that this kind of management can work industry-wide.

But the certification and distinct labelling requirement could be about enforcing secure-by-design approaches so that customers prefer hardware that has this quality. Similarly, a distinct label could be implemented to show that a device benefits from regular secure software maintenance so that it is protected against newer threats.

It usually just requires something to happen in a significant manner to be a wake-up call regarding computer and data security. But once a standard is worked out, it could answer the question of keeping “dedicated-purpose” computing devices secure.

Be careful about USB memory keys left in the letterbox

Articles

USB memory keys press picture courtesy of Victoria Police

Police warn of malware-laden USB sticks dropped in letterboxes | The Register

Crims place booby-trapped USB drives in letter boxes | IT News

Don’t plug it in! Scammers post infected USB sticks through letterboxes | Naked Security (Sophos blog)

From the horse’s mouth

Victoria Police

Press Release

My Comments

An issue that is being raised concerning data security is people loading data from USB memory keys that they don’t expect.

This has been used as a way to distribute malware to businessmen at conferences because these thumbdrives, like floppy discs and optical discs, have been accepted as a way to distribute conference content or “electronic brochures” and are added to participants’ “show-bags” handed out at these events. The typical method of delivering a malware-laden USB stick was to abandon it at the venue, hotel or “watering-hole” bar, where it would inspire people’s curiosity to pick up the memory key, plug it in to their laptop and load up what was on the stick.

Newer iterations of the desktop operating systems i.e. Windows or MacOS have made it hard to allow one to run a program off a USB memory key by default. Similarly, most of the desktop security software would implement removable-media scanning routines to automatically check for malware on a USB stick or other removable media. But there have been some USB thumbdrive variants which have had the firmware altered to run keystroke macros or meddle with network settings.

This situation has now been found to occur in a personal-computing context in some of the outer south-eastern Melbourne suburbs like Pakenham. This was where USB memory keys were left in households’ mail boxes and these thumbdrives were full of malware including fraudulent content-streaming offers. In fact, Victoria Police even encouraged Australian householders who received these thumbdrives in their mailbox to contact Crimestoppers Victoria by phoning 1-800-333-000 or using the online form.

But the common security advice to deal with USB memory keys that you didn’t expect to receive is not to insert them in your computer. If you do expect to receive one of these sticks such as them being in a show-bag from a vendor or you receiving conference material on one of them, make sure that you have your operating system and desktop security software patched and updated.

More malware being discovered for the Macintosh platform

Article

Apple MacBook Pro running MacOS X Mavericks - press picture courtesy of Apple

Even Apple Macintosh users need to keep secure computing habits

Mac Malware Opens OS X Backdoor to Attackers | Tom’s Guide

My Comments

A lot of Apple Macintosh users have jumped to this platform based on an initial fact that there was very little malware written for it. But now, as more people are using Macs, they are becoming a target for malware including some “backdoor” software which weakens the MacOS’s defences against other malware.

This time, what was being called out was a Trojan-horse program that pretends to be a file-conversion program, the kind of program that is easily downloaded in a hurry.

Keep your Mac’s operating system and software patched and updated

A good practice regarding keeping your Mac secure, as with other computing platforms, is to make sure that the MacOS operating system is up-to-date with all the patches that Apple releases. This is because Apple may have released bug-fixes or remedied exploits that have been discovered in your version of the MacOS operating system.

Preferably, I would recommend you have this set up to work automatically so that when you are connected to the Internet via Wi-Fi or Ethernet, your Mac is kept updated and patched.

You can set this up to be performed automatically by going to [Apple] – [System Preferences]. Then you go to the App Store panel if you have one of the newer versions of MacOS (Yosemite onwards) then check the boxes for “Automatically check for updates” and “Download newly available updates in the background”. This will then make the “Install OS X Updates” option available which you should check.

For Macs that run prior versions, you would still go via [Apple]-[Software Update] and set the appropriate options to automatically patch your version of MacOS X.

You can manually update and patch your Mac by visiting the App Store if you are in Yosemite or newer versions and tick off all of the software that needs updating in the Updates panel. For prior operating systems, you would need to visit the [Apple]-[Software Update] menu and click the option to download and install the latest patches for your Mac.

You can still visit the Updates panel in the App Store and go through all the apps that need updating so you can be sure they are up-to-date. If you have software that isn’t delivered via the App Store, use its interface or the software developer’s Website to keep it up-to-date. This is also important because older versions of application and other software can carry bugs or exploits.

This is something you should do when you switch your Mac on if you haven’t used your Mac or haven’t connected it to the Internet for a significant amount of time, such as with a secondary-use MacBook or a Mac that you use as part of multi-platform computing.

Upgrade your Mac’s operating system if you can

It may be worth upgrading your Mac’s operating system to a newer version if your computer can handle it. In most cases, you can update the system for either pennies’ worth or for free. Here, you could check the App Store or Apple’s website regarding newer operating systems for your Mac.

The main advantages that these new operating systems offer encompass system-wide hardening including the availability of the Mac App Store where the software is verified before it is made available.

Make sure you download software from reputable sources

For all computing platforms, one requirement for safe and secure computing is to obtain computer software from known reputable sources.

In the case of the Macintosh, either download new software from the Mac App Store where the software is verified or from the website of a trusted and known developer. Even when you obtain software from the Mac App Store, check the quality of the software by looking through the reviews that are posted about it and checking the reviews also for other software offered by the same developer. I have written an article about obtaining software from app stores because there has been a risk of them turning in to the equivalent of bulletin boards and download sites that host poor-quality software.

When it comes to software delivered in a packaged form, avoid the temptation to install from anything unless you have bought it yourself from a reputable dealer.

Consider desktop-security software for the Mac

This may sound foreign to Apple Macintosh users but you may also find that it may be worth considering the installation of a desktop-security / endpoint-security program on your Mac. It is more so if you or others who use your Mac are not astute when it comes to downloading software or handling the Internet.

Most of the developers who have written this kind of program for Windows-based computers have now written versions for the Macintosh platform because of the rise of threats against this platform. As with Windows, the better desktop-security programs also offer protection against Internet-borne threats such as site-reputation checking, content filtering, and spam filtering. Similarly, better-quality software runs in a manner that doesn’t impinge on your Mac’s performance.

Conclusion

Like other computer platforms like DOS / Windows, the Apple Macintosh needs its users to be careful about keeping their computer and data secure. This includes keeping the operating system up-to-date along with being sure about what software you have on your computer.

ISPs another vector for tech-support scams

Article

Tech support scams target victims via their ISP | BBC News

Fraudsters impersonate victims’ ISPs in new tech support scam | Graham Cluley Blog

My Comments

Previously, as I have known from close friends’ experiences, there have been the fake tech-support phone calls claiming to be from Microsoft or another major software vendor. This was with me congratulating a person who wasn’t computer-literate immediately hanging up on one of these calls along with someone else asking another of these scammers for their Australian Business Number (equivalent to a VAT number in Europe).

These scams have evolved to a pop-up message pretending to be from one of the major software firms but asking them to call a number listed on that message. Typically this comes in the form of a virus or pirated-software alert as the message and some of these messages even appear on the lock screen that you normally enter your password.

Now the messages are appearing to come from ISPs, typically the ones who have most of the Internet business in the US, UK and Canada. But this is about the ISP detecting malware on the customer’s system with a requirement to call a fake customer-support number.

In this case, they identify a customer’s ISP based on a “spy pixel” ad on a site infected with malware or a “malvertisement”. The ads are typically served through large ad networks offering low-risk advertising products. This is used to identify the customer’s “outside” or WAN IP address which effectively is the same for all computers accessing the Internet from the same router.

Here, most residential and small-business Internet services have this IP address automatically determined upon login or at regular intervals, and it is obtained from a pool of known IP addresses that were assigned to that ISP to give to their customers. There is logic in the malware used to identify which ISP a customer is with based on which IP address pool the IP address is a member of.

In these cases, call the ISP using the number they have provided you for technical support: typically written on their own Website which you should type in the URL for; written on any documents that you receive from them like accounts or brochures, as part of doing business with them; or by looking them up in the phone book. As well, don’t give any account numbers or personally-identifiable information to unsolicited approaches for technical support that you are not sure about.

But in all cases, you are most likely to initiate the call for personal or business tech support yourself when you need this support because you know your computer and network and how these systems perform. Typically you will approach one of the computer experts in your community, your workplace’s IT department if they have one, or your computer supplier for knowledge or assistance.

Dealing with the bloatware that comes with your computer

Article

Lenovo Yoga 3 Pro convertible notebook at Rydges Hotel Melbourne

Being able to keep stock of the software that comes with your laptop or all-in-one computer can prevent unwanted conduits to your data.

Windows PC makers hang customers out to dry with flawed crapware updaters | PC World

My Comments

A common issue with laptop and all-in-one computers sold through the popular retail channels is the supply of “bloatware” or “crapware” with these computers. This is typically low-value software including trial or demo packages that are pre-installed on consumer-grade computers but doesn’t necessarily include drivers or manufacturer-supplied software that enables the particular features that the computer has. I have covered this issue before in relationship to the Superfish software that Lenovo had furnished with some of their consumer-focused laptops.

This can also apply to software delivered on a CD-ROM with retail-pack system parts, peripheral devices or consumer-electronics devices like digital cameras or keyboards. Some of the software is ostensibly supplied as a way to give the customer a “foot in the door” when it comes to a particular function or computing task, which tends to apply to trial versions of desktop security software or entry-level video editors and DVD / Blu-Ray playback software.

This wouldn’t necessarily happen with computer systems supplied to big businesses or contractor-supplied equipment because it is easier for these customer groups to call for a standard operating environment when they purchase their technology. Similarly, the traditional desktop computers that are built and sold by independent computer stores and dedicated computer-store chains aren’t as likely to be full of the “bloatware”.

The key issue that has been raised is the poor quality-assurance that occurs when it comes to supplying and maintaining this software. Here, there isn’t a secure path for software delivery, especially whenever the software is updated or upgraded to a paid-up premium version. The software can be substituted by a man-in-the-middle attack that can be easily facilitated on an unsecured public-access Wi-Fi network. As well, there isn’t any way to verify the authenticity of the software updates, that is, whether what is actually delivered as part of the update is the software it was intended to be.

This is part of the culture associated with the low-value software that the OEMs are paid to deliver with the systems that they sell to consumers and small businesses, but can affect the device drivers and functionality-enablement software.

Respected software names like Microsoft and Apple implement a secure delivery path for both server-to-device delivery and backend data transfer. As well, they implement a digitally-signed manifest (“shopping list” of files to be substituted in an update) and digitally-verified software files so that the programs can’t be altered surreptitiously.

Dell and Lenovo implement a TLS secure path for the software-manifest delivery while Lenovo implements a digitally-signed software manifest. But these policies are not applied across a manufacturer’s product line.

What can we do?

The best practice for consumers, small businesses and community organisations is to “strip back” the bloatware that isn’t being used. Most such software can be uninstalled through the “Programs and Features” option in the Windows Control Panel or through the uninstall routine in the software. Preferably, they should keep just the drivers and functionality software on their system.

On the other hand, they could facilitate a supervised semi-automatic software update for the OEM-supplied software and do this on their home or small-business network. If they are using any of the third-party software that has been provisioned by the OEM, it may be a better idea to visit the software developer’s Website and draw down newer versions of that software from there.

What is needed for OEM-supplied software update processes

If an OEM wishes to provision extra software with a computer, peripheral or consumer-electronics device, they need to make sure that this software is of high quality and respects customers’ security, privacy and data sovereignty wishes.

This includes a secure software-maintenance policy such as:

  • a secure software-delivery path with latest standards and protocols between the device and the software-provisioning servers and the software distribution backbone
  • digitally-signed software files and update manifests with verification occurring before and after delivery
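As an added illustration (not code from the article or from any OEM's updater), here is how an update client can check a digitally-signed manifest before trusting the file hashes inside it, so that a substituted file or a rewritten manifest is rejected. The key is a constructed, insecure demo key, and the file names, manifest layout and helper names are assumptions made for the example.

```python
import hashlib
import json

# DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key made from two Mersenne primes so the example runs
# offline on the standard library alone. It is NOT secure; a real vendor key
# is random and only the public half (N, E) is built into the updater.
_P, _Q = 2**521 - 1, 2**607 - 1
VENDOR_N, VENDOR_E = _P * _Q, 65537
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))  # stays on the vendor side
KEY_BYTES = (VENDOR_N.bit_length() + 7) // 8


def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    padding = b"\xff" * (KEY_BYTES - len(digest_info) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + digest_info, "big")


def demo_sign(message: bytes) -> int:
    """Vendor side: sign the manifest (hypothetical helper for the sample)."""
    return pow(_encode(message), _VENDOR_D, VENDOR_N)


def signature_ok(message: bytes, signature: int) -> bool:
    """Client side: re-encode the expected value and compare it whole."""
    if not 0 < signature < VENDOR_N:
        return False
    return pow(signature, VENDOR_E, VENDOR_N) == _encode(message)


def verify_update(manifest_bytes: bytes, signature: int, files: dict) -> list:
    """Return a list of problems; an empty list means safe to install."""
    if not signature_ok(manifest_bytes, signature):
        # Nothing inside an unsigned or altered manifest can be trusted.
        return ["manifest signature invalid"]
    listed = json.loads(manifest_bytes)["files"]
    problems = []
    for name, expected_hash in listed.items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(data).hexdigest() != expected_hash:
            problems.append(f"{name}: hash mismatch")
    for name in files:
        if name not in listed:
            problems.append(f"{name}: not listed in manifest")
    return problems


def build_demo_update():
    """Constructed sample update: two small files plus a signed manifest."""
    files = {
        "driver.bin": b"touchpad driver v2 (constructed sample)",
        "updater.cfg": b"channel=stable\n",
    }
    hashes = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    manifest = json.dumps({"version": "2.0", "files": hashes},
                          sort_keys=True).encode()
    return manifest, demo_sign(manifest), files


if __name__ == "__main__":
    manifest, signature, files = build_demo_update()
    print("clean update:", verify_update(manifest, signature, files))
    swapped = dict(files, **{"driver.bin": b"substituted in transit"})
    print("swapped file:", verify_update(manifest, signature, swapped))
```

The signature is checked first because the hashes are only as trustworthy as the manifest that carries them; a TLS delivery path on its own does not give this end-to-end assurance.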

Third-party software developers who wish to package software with a computer system should be required to maintain this software to the same standard as what would be expected if they sold the software to customers themselves or through a traditional retailer. This includes allowing a person to upgrade from an OEM version to a premium version or instigate a subscription through their storefront rather than the OEM’s storefront.

Spear-phishing doesn’t necessarily involve links or attachments

Article

Snapchat, Seagate among companies duped in tax-fraud scam | Mashable

My Comments

Compose Email or New Email form

Spear-phishing email doesn’t necessarily have to have links or attachments

An issue that has come to light lately is spear-phishing, where an email is sent to particular departments within a business to extort critical financial or other information from that business.

This recently happened to a number of American businesses including Snapchat and Seagate where the human-resources departments were told in an “official manner purporting to be from the CEO” to turn out W-2 tax forms about their employees.

For those of you in countries other than the USA, this is a statement provided by your employer which states what you earned including the taxes that are withheld and would be known as a P60 in the UK and Ireland or a Group Certificate in Australia. When in the wrong hands, these statements can be a goldmine of data that can be useful for identity theft and tax fraud.

But this may be different from a garden-variety spear-phish attack because there isn’t a requirement to visit a Website via a link or open an attachment that comes with the email. Rather this is to prepare the information in a specified computer-file format to be sent as an attachment with the email’s reply.

What was highlighted was that the spear-phish email used the look of official company correspondence such as use of the company’s trade dress (logos, colour scheme, typography) and disclaimers associated with such correspondence. As well, such emails appear to come from someone high up in the business. The spear-phishers were able to identify “who’s the boss” by performing Google or LinkedIn searches and this data could simply be found on “About Us”, shareholder-information or similar pages on a company’s public-facing Website. Such correspondence also can surface at certain seasons like holiday seasons, tax-filing seasons or special events.

This is a classic form of social engineering in the business and the staff were caving in to human error and weren’t vigilant. Here, if they see an email with an important request coming from their boss, they would follow up on this request forthwith as expected for business life. This is similar to the classic distraction-burglary or burglary-artifice scam where a householder is under pressure to let people who look like officials in to their home and these bogus officials commit crimes against the household. It can also affect small businesses as well as larger businesses and organisations, because such a request could also come from the business’s owner, a franchisor (in the case of franchised businesses) or someone who is higher up in the business’s food chain.

A similar scam which is known as “whaling”, targets business owners, managers and other known organisational figureheads with email purporting to come from partners, suppliers / service-providers like your landlord or officials such as the taxman or the Trading-Standards officials. It has the same effect as spear-phishing where you are subject to trickery to divulge sensitive information. This situation can affect businesses and organisations of all sizes from the small pizza shop on the corner to the large business in town.

The red flags to be aware of with spear-phishing or whaling are: whether the request is out of the ordinary, either for your business or for normal business practice; whether the domains for the “reply” or “origin” email addresses match the known domains for the business; and whether the writing style reflects the purported sender’s style or the accepted norms for business correspondence in the locale.

But most importantly, verify the facts from the horse’s mouth. This means sending a separate email to the proper source at the address you know them to be at or, preferably, making a phone call to check those facts. It is more important if the request happens to come “out of the blue”.

As well, be wary of out-of-the-ordinary correspondence you receive by email around the critical occasions like tax time.

Once you know what is in the norm for your organisation and industry, you should then rely on your “sixth sense” to identify if something is suspicious and report it straightaway.
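The domain and unusual-request red flags described above can also be checked automatically before a message reaches the human-resources inbox. The following is an added sketch, not part of the original article; the company domain, the executive name, the flag names and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's real mail domains, the
# names of senior staff, and the record types worth flagging.
KNOWN_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"pat morgan"}
SENSITIVE_TERMS = ("w-2", "p60", "group certificate", "payroll")


def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def red_flags(raw_message):
    """Return the red flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []

    # "Origin" address: does it belong to a domain the business uses?
    display_name, _ = parseaddr(msg.get("From", ""))
    if domain_of(msg.get("From")) not in KNOWN_DOMAINS:
        flags.append("from_unknown_domain")
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            flags.append("executive_name_on_outside_address")

    # "Reply" address: a forged From can look right while replies, and the
    # attachment the message asks for, are diverted somewhere else.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) not in KNOWN_DOMAINS:
        flags.append("reply_to_unknown_domain")

    # Out-of-the-ordinary request: asks for staff tax or pay records.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("asks_for_sensitive_records")
    return flags


# Constructed sample messages (not real correspondence).
SPOOFED_REPLY = "\n".join([
    "From: Pat Morgan <pat.morgan@example.com>",
    "Reply-To: Pat Morgan <pat.morgan@example-mail.test>",
    "To: hr@example.com",
    "Subject: Staff tax forms needed today",
    "",
    "Please reply with the W-2 forms for all employees as a single PDF.",
])
OUTSIDE_SENDER = "\n".join([
    "From: Pat Morgan <ceo.office@freemail.test>",
    "To: hr@example.com",
    "Subject: Quick favour",
    "",
    "Send me the payroll summary before noon.",
])
ROUTINE = "\n".join([
    "From: Sam Lee <sam.lee@example.com>",
    "To: hr@example.com",
    "Subject: Team meeting",
    "",
    "Agenda for Thursday is on the shared drive.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed reply", SPOOFED_REPLY),
                       ("outside sender", OUTSIDE_SENDER),
                       ("routine", ROUTINE)):
        print(label, "->", red_flags(raw))
```

A message that raises no flags is not proof of authenticity, since a request sent from a compromised genuine account passes every header check, which is why the phone-call verification above still applies.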

Another router answers the needs for a secure home network

Article

eero: A Mesh WiFi Router Built for Security (Product Review) | Krebs On Security

My Comments

A common issue raised in relation to home-network routers is that they aren’t really designed for security. It applies more to the equipment that is sold through the popular retail locations like the electronics chains.

This is due to issues like firmware that isn’t always kept up to date along with an insecure “out-of-box” management-console login experience. The latter situation manifests typically in the form of a default username and password that is common across a product range rather than unique to each device.

The eero router, which is effectively a Wi-Fi mesh system, has answered these issues courtesy of the following: firmware that is updated automatically and a secure-setup routine based around an enabling code sent to your phone. The former method has been practised by AVM with their latest firmware for the Fritz!Box routers, with these devices automatically updating. The latter method has been practised through the use of a mobile-platform app where you enter your name, email address and mobile phone number. This requires you to receive a one-time password on your smartphone by SMS. You enter this in the mobile app before you determine your home network’s ESSID and passphrase.

This kind of login experience for the management Web page could be very similar to a well-bred two-factor authentication routine that comes in to play for some online services whenever you add another device or, in some cases, as you log in. Here, the FIDO U2F standard or support for Google Authenticator could be implemented in a router to permit secure login to the management page.

As for Wi-Fi implementation, this router implements a proprietary mesh technology with each extender implementing separate radio transceivers for both the backhaul link and the client-side link. This allows for full bandwidth to be served to the Wi-Fi client devices. Each router device also has two Ethernet ports with one of those being configured for WAN (Internet) connection. Personally, I would like to see both ports switch to LAN mode on an eero router if it is serving as a repeater. This would earn its place with video peripherals, printers or desktop computers.

What I see of this is a step in the right direction for improved security for small networks and other manufacturers could learn from eero and AVM in working on a secure setup routine along with automatically-updated firmware.

Could you end up determining which country your data is held in?

Article

Microsoft will host data in Germany to hide it from US spies | The Verge

My Comments

Edward Snowden has raised a very significant issue concerning the confidentiality and sovereignty of your data when he leaked what went on with the NSA. This has affected how individuals and organisations do business with American-chartered IT organisations like all of Silicon Valley.

The data sovereignty question is even being extended towards data held within nations that implement a federation or similar geopolitical structure like the USA, Canada, Germany, Switzerland or Australia. This situation could even apply to the United Kingdom thanks to the devolved countries like Scotland and Wales acquiring independent powers similar to a state in a federation. Here the question that comes into play is which state’s rules govern the data that is being created. It has come into play since the US Supreme Court overturned Roe vs Wade and placed women at risk of trouble if they seek abortions within the USA’s “Red” states, because of the increased computerisation of our business and personal lives.

But what has happened was that Microsoft took up a new model for setting up data storage which is in the form of a “data trustee”. This model is similar to how a trust fund operates where a third party who is known as a trustee, is tasked to control funds and assets that come in to that fund for the benefit of the recipients.

In this case, Microsoft is setting up data centers in Germany and delegating Deutsche Telekom, a telco entirely chartered in Germany, to control these data-storage facilities as a “data trustee” for them. But the data stored on these facilities will be Microsoft’s and their customers’ data.

Why Germany? Warum Deutschland? This is because Germany, a country which has passed through some horrible periods of history where big government abused citizens’ privacy in the form of the Third Reich and East Germany, has enacted some of the world’s tightest privacy laws.

What I see of this is that a person who signs up to a Webmail service, online storage service, Webhost or similar online service could be given the option to have the data held on servers in a nominated country, most likely rated according to the country’s standard of privacy and data sovereignty. Similarly, companies chartered in countries with rigorous data privacy and confidentiality standards could end up doing valuable business in renting data center space or providing online services to local and foreign individuals and companies wanting stronger privacy.

On the other hand, these countries could end up with the same reputation that Switzerland had with its banks. This was where Switzerland’s financial-secrecy laws were abused by people and companies who were laundering or concealing ill-gotten gains in Swiss banks to avoid official scrutiny. In relation to data, this could allow for data associated with criminal activity such as child-abuse imagery or pirated software to be concealed in countries with high data-privacy standards.

But the authorities in those countries can act as a legal filter to make sure that any official data requests are for legitimate crime-fighting and personal-safety reasons rather than to suppress internationally-recognised core freedoms and liberties.

Created 13 November 2015. Updated 8 July 2022 to encompass the reversal of Roe vs Wade and the ramifications associated with countries that implement a federation or similar geopolitical structure.

A clear reality surfaces with the Internet Of Things

Article

Linksys EA8500 broadband router press picture courtesy of Linksys USA

A tight healthy operating software update cycle can keep routers and other devices from being part of botnets

Hacked Shopping Mall CCTV Cameras Are Launching DDoS Attacks | Tripwire – The State Of Security

My Comments

What is being highlighted now is that devices that are normally dedicated-purpose devices are becoming more sophisticated in a way that they are effectively computers in their own right. This was highlighted with some network video-surveillance cameras used as part of a shopping mall’s security armour.

What had happened was that these cameras were found to be compromised and loaded with malware so that they also became part of a botnet, like what commonly happened in the 2000s where multiple computers loaded with malware were used as part of zombie attacks on one or more targets. In a similar way to a poorly-maintained computer, they were found to run with default passwords of the “admin – admin” kind and were subject to brute-force dictionary attacks.

AVM FRITZ!Box 3490 - Press photo courtesy AVM

AVM FRITZ!Box – self-updating firmware = secure network infrastructure

The article’s author highlighted that there needs to be work done concerning dedicated-purpose devices, whether they are the network-infrastructure devices like routers or devices that are part of the “Internet Of Everything”.

Here, the devices need to run constantly-updated software, which is something that is considered necessary if the device is expected to have a long service life. The best example would be some of the routers offered to the European market like the Freebox Révolution or the AVM Fritz!Box where they receive constantly-updated firmware that at least can be downloaded at the click of an option button or, preferably, automatically updated like what happens with Windows and OS X and what is done with recent iterations of the AVM Fritz!Box firmware.

As well, a device’s setup routine should require the user to create secure credentials for the management interface. In some cases, if a device is part of a system, the system-wide management console could exchange system-specific access credentials with the member devices.
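The setup-time rule and console-issued credentials described above, sketched as an added example (not code from the article or from any vendor's firmware). The `Device` class, the `provision` function, the default-credential list and the 12-character minimum are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of factory-default pairs (assumption, not a vendor list).
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_LENGTH = 12  # assumed policy value


class Device:
    """Hypothetical device whose management interface stays locked until setup."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.username = None
        self._salt = None
        self._hash = None

    @property
    def setup_complete(self):
        return self._hash is not None

    def _derive(self, password):
        # Salted, slow hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def complete_setup(self, username, password):
        """Accept credentials only if they are not defaults and are long enough."""
        if (username.lower(), password.lower()) in FACTORY_DEFAULTS:
            raise ValueError("factory-default credentials are not allowed")
        if len(password) < MIN_LENGTH or password.lower() == username.lower():
            raise ValueError("password too short or same as username")
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(password)
        self.username = username

    def login(self, username, password):
        """Refuse every login until setup has replaced the factory state."""
        if not self.setup_complete or username != self.username:
            return False
        return hmac.compare_digest(self._derive(password), self._hash)


def provision(system_key, device):
    """Console side: derive a distinct credential per device from one system key."""
    password = hmac.new(system_key, device.device_id.encode(), hashlib.sha256).hexdigest()
    device.complete_setup("console", password)
    return password
```

Because each credential is derived from the device's own identifier, a password recovered from one camera does not open the others in the same system.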

What has commonly been said is that the Internet of Things needs to face a severe security incident as a “wake-up call” for such devices to be “designed for security”. This is similar to how incidents involving desktop computing, the Internet and mobile computing have served a similar purpose, like the way Windows has implemented privilege escalation on an as-needed basis since Windows Vista.