Today, hacks, data breaches, and cyberattacks are more common than ever before. Here is a list of some of the organizations and/or government entities who have had a recent breach where consumer data has been exposed.
U.S. Army, P.R. Dept. of Health, Ohio State University, JP Morgan Chase, AT&T, Tricare, Steam, Sony, Sega, NHS, Morgan Stanley, Memorial Health Systems, Citigroup, Countrywide Financial Group, TD Bank, Yahoo, Medicare & Medicaid, Dropbox, Blizzard, Twitter, Ubisoft, Target, Snapchat, Facebook, Evernote, Apple, Adobe, UPS, Uber, Google, Domino’s Pizza, Wendy’s, Walmart, Slack, Scottrade, Hyatt Hotels, CVS, Ancestry, Dept. of Homeland Security, WordPress, Marriott Hotels, Microsoft, DoorDash, TikTok, Nintendo, etc.
This is just in the last 10 years, and I only listed organizations that I either know of or have had at least some interactions with directly or indirectly. The total list is substantially larger. These data breaches have exposed anywhere between “19 years’ worth of data”, to “tens of thousands”, to “3,000,000,000 records” in the case of Yahoo. If you have or had a Yahoo account, I hope you were not using that same password for anything else. Thank you Yahoo!
One thing not listed here, or anywhere for that matter, is how many private home networks have been hacked in the same amount of time. This would be very difficult to catalog, as there is no centralized collection or reporting mechanism for something like this. This is kind of like when you have a car accident, and you agree with the other driver to deal with the vehicle repairs yourself without involving the police or insurance because you both prefer not to have accidents on your vehicle and insurance records. As a result, the accident is never reported.
There is one interesting fact I was able to find. According to Windows Central, in Jan 2020 over 1 million Microsoft accounts were compromised. All the compromised accounts had one thing in common: the user was NOT using multi-factor authentication.
What is Multi-Factor Authentication?
MFA or 2FA is an electronic authentication method in which a computer user is granted access to a website, application, or service only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. These factors can be knowledge (something only the user knows like a password), possession (something only the user has, this can be a token with a code that changes every 30 seconds, or a security card with a chip that must be inserted when the user is inputting his/her credentials), and inherence (something only the user is, such as biometric authentication).
How does it help?
MFA protects the user from an unknown person trying to access their data such as personal ID details or financial assets. If a user’s credentials are compromised and someone tries to log on as the user, the login would prompt for the MFA factor (token code, biometric, a card with chip) in addition to the username and password. The attacker will more than likely not have the final authenticator piece and access will not be granted.
The MFA authentication works something like this…
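The login flow described above, sketched as an added example that is not part of the original article: a time-based one-time code (TOTP, RFC 6238, the kind of 30-second code an authenticator app shows) checked together with the password. The account layout, function names, sample password and shared secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds a code stays valid, matching the token described above

def totp(secret_b32: str, now: float, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) that an authenticator app shows at time `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(now // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, secret_b32: str) -> dict:
    """What the service stores: a salted password hash and the shared TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "secret": secret_b32, "last_counter": -1}

def login(account: dict, password: str, code: str, now: float) -> bool:
    """Grant access only if the password AND a fresh one-time code are correct."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return False  # first factor (knowledge) failed
    current = int(now // STEP)
    for counter in (current - 1, current, current + 1):  # tolerate clock drift
        if counter <= account["last_counter"]:
            continue  # this code was already used once: refuse a replay
        expected = totp(account["secret"], counter * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            account["last_counter"] = counter
            return True  # second factor (possession) confirmed
    return False

if __name__ == "__main__":
    # Constructed sample data: the secret is the RFC 6238 test key in Base32.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    account = make_account("Summer2020!", secret)
    now = 1111111109
    print("leaked password, no code:", login(account, "Summer2020!", "", now))
    print("password + current code: ", login(account, "Summer2020!", totp(secret, now), now))
    print("same code replayed:      ", login(account, "Summer2020!", totp(secret, now), now))
```
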
How do I turn it on?
This part is a little tricky, since with many of the services that we normally consume we are not able to control the infrastructure of the service, only our access for consumption. For example, when we log into Facebook, we do not control the Facebook infrastructure that hosts our account, or Facebook’s security policies, hence we cannot change the way that they do things. Facebook however does offer Two-Factor Authentication, which you can find under the Security and Login Settings. See below…
You can either use Google Authenticator, which will sync with Facebook and provide a code that can be used as the second factor in the authentication, or you can choose the SMS option, where you will receive a text message every time you try to log into Facebook, with a one-time code that will be the final authentication factor along with the username and password.
Like Facebook, other commonly used applications and services offer similar security. If the application, website, or service that you are using offers MFA, you should be taking advantage of it. From a convenience perspective, MFA implementation is a mild annoyance at most, therefore the pros far outweigh the cons. About FB and other similar services, also keep in mind that you are sharing information about yourself with friends. If those friends are not taking a proactive approach to security, the information that you have shared can be compromised if your friend’s account is compromised.
As a user, you should seek to consume technologies that offer you the ability to secure your experience and your data if you so choose. The same thing goes for technologies that you integrate into your home. When looking for smart devices, make sure that you choose vendors that offer MFA as a security feature.
The Ring Hacking.
Most of us should be familiar with Ring, a very common technology vendor used for doorbells, cameras, lights, and even home security. Around December of last year, Ring users’ personal information was left exposed, giving potential intruders access to their home addresses, credit card information, and footage from Ring cameras at their homes.
Ring responded in a statement by saying that their back-end infrastructure was never hacked and that these hacks were the result of users’ passwords being stolen through avenues other than its networks. At the time Ring did not require two-factor-authentication for its users to log in, but people have the option to enable it for their Ring devices. For those of you that are Ring customers, you might remember that shortly after you started to see popups within the Ring app about Two Factor Authentication, which is now required.
Just like Ring, there are many other vendors of smart devices out there. For example, searching for “smart lights” on Amazon will return about 3000 results. I looked at some of the top and sponsored results and in the description, the words security, multi-factor authentication, and two-factor authentication were nowhere to be found.
Last year, I purchased a couple of smart outlets to automatically control Xmas lights around the house. The plugs come with a service that you can consume through an application which allows you to remotely interact with the outlets to turn the power on and off. To control the lights from the app, you must sign up and create an account, which requires a username (email) and password. This leads to yet another problem…
The password dilemma, one or many.
According to a Security Magazine poll conducted this past May 2020, over 50% of users are likely using the same passwords for multiple applications, technologies, or services. In other words, it does not matter how strong your password is if you have devices with poorly built-in security that will give it away with minor resistance.
A better approach would be to have different passwords for different technologies. One approach to take can be to choose passwords based on the degree of importance of the data the password is related to. In other words, passwords for a simple smart light switch application that is not saving any personal data, credit card, or other payment info might be simpler than a password for a banking application. Unfortunately, the downside to this approach is convenience, it is very hard to remember a multitude of different passwords, and variations of the same password defeat the whole purpose of this approach.
Password managers are available and have become very popular, however many of them store credentials in the cloud. Most claim to be using strong encryption, but it is impossible to say for sure how the data is protected at rest. As we saw earlier, cloud services are being breached quite frequently these days. Alternatively, you could use a credentials management application or service that does not store credentials in the cloud. Those are not as common, but there are a few out there. One such application that is available for Android devices currently is BlackVault Password Manager.
What about my network?
While most services that we consume today are hosted somewhere outside of our control, many households are bringing plenty of connected technologies into the house. All of these are designed for the most part to increase our quality of life and/or maximize the efficiency of other devices. For example, Roomba devices can clean the floor on-demand or as scheduled, getting rid of dust and hair very efficiently.
We can now answer our door from anywhere, thanks to connected doorbells like Ring and others. Likewise, we have connected thermostats that can control the use of HVAC units, keeping the house at an optimal temperature, and maximizing the efficacy of the equipment. Properly configured, they can even save you a little money on your electricity bill every month. I like the Ecobee brand of connected thermostats.
Forgetting to close the garage or main door of the house is a thing of the past now with connected garage door operation systems and door locks. These technologies are at the top of the wish lists for many, and rightfully so, they make life easier.
While we are rushing to make our homes as connected and automated as we possibly can, how much attention are we paying to what that does to the overall security of our digital infrastructure? More than ever, people are spending time connected to the internet. Should we be paying extra attention to how safe we are while doing so?
The importance of network security
Network security is vital to maintaining the integrity of your data and privacy, whatever little is left. Creating strong passwords that are not reused and using MFA whenever possible is a great start. However, all of that will not matter if your router at home is unsecured or using a weak Wi-Fi security protocol. Additionally, having all your devices together in what is commonly referred to as a “flat network” is equally bad. Luckily we can fix that rather easily.
Network Segmentation, the first line of defense, and the cheapest.
Network segmentation involves breaking down a larger network into various subnetworks or segments. If any of the subnetworks are infiltrated or compromised, the others are left untouched because they exist independently of each other. Think of it as social distancing for connected devices, because the internet is full of viruses.
Think of the traditional home network: we have a modem/router, usually with Wi-Fi, to which we have perhaps connected other networking equipment to extend the reach of the wired or wireless network. Connected to the networking appliances we have mobile devices and tablets, laptops, desktops, network storage, and a ton of smart devices, which are also commonly referred to as Internet of Things (IoT) devices.
What is the internet of things?
These are things that are embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the Internet. These devices are everywhere, partially because we want easier ways to do things, and the vendors do not mind since they are collecting data about usage which will allow them to make even more purpose-built technologies to sell to customers. Pretty soon we will have Wi-Fi connected toilets, so you can go to the bathroom remotely.
Divide and conquer.
It is important to separate devices in a network based on importance and risk. In other words, IoT devices should be segmented from laptops and desktops, and phones and tablets.
Take a look at the diagram below…
This is what a typical home network looks like. All devices can communicate with one another. By design, connected devices are meant to act this way, and traditionally attacks are always expected to come from the outside. As long as you are inside the circle, you are safe, right? Not so much. Consider mobile devices: they roam outside the home network with us wherever we go and join other networks, many of which we don’t know if they are clean or not. At the same time, our friends are connecting to our network when they visit, and how clean are those devices?
Even the devices that never leave the network are subject to attacks, particularly those that connect using Wi-Fi. Ever heard of an evil twin Wi-Fi attack? Without getting too much into the technical side of things, it involves an attacker standing up a Wi-Fi network that looks exactly like yours, forcing your devices to disconnect from your legitimate network, tricking you into connecting to the fake Wi-Fi network, and finally tricking you into inputting your password to steal it, so that the attacker can legitimately connect to your network in the hope of snooping around and seeing what he/she can get access to.
Below is another diagram showing how a typical home network could be segmented.
First, we will take a look at Wi-Fi, which is the easiest to separate. Create a Guest Wi-Fi and make sure it has its own password. This should be fairly simple to configure on any average router or access point and allows a separation between your devices and your friends’ devices. You can also use the same trick to separate devices like laptops and phones from IoT devices like Alexa, and other connected smart devices.
A small switch investment will allow you to further divide the network if you have devices that are connecting using ethernet. I prefer to connect devices using ethernet over wireless whenever possible, while the advantages in signal quality and speed are not as apparent as they once were, wired devices cannot fall victim to an over the air attack. Running a bunch of wires throughout the home is not always feasible, but creating a bunch of different Guest Wi-Fis for your network is very possible.
How to properly separate devices.
When segmenting the network, we want to separate devices based on the level of risk as well as how much valuable information resides on them. You must remember that the goal of someone who invades your network is usually to reach the devices with the most personal information on them, and that is your phone or computer. The IoT devices themselves do not store any information that can be used to do financial or other harm, however, they are usually the gateway to getting to where the valuables are, remember that. Also, keep in mind that while you can install Antivirus on a computer or mobile device, such software is not available for IoT devices.
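One way to check a segmentation plan against what is actually on the network, as an added example that is not part of the original article: it takes a lease table, flags devices sitting in the wrong segment, and lists what a compromised device could reach. The subnets, hostnames, device classes and the single allowed cross-segment rule are all constructed assumptions.

```python
import ipaddress

# Assumed segmentation plan; subnets and names are constructed for this example.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # laptops, phones
    "iot": ipaddress.ip_network("192.168.20.0/24"),      # smart devices
    "guest": ipaddress.ip_network("192.168.30.0/24"),    # visitors
}
# Segment each class of device is supposed to live in.
EXPECTED = {"computer": "trusted", "phone": "trusted", "iot": "iot", "guest": "guest"}
# Cross-segment connections the router permits, as (source, destination).
# Anything not listed is dropped, so IoT and guest devices cannot reach "trusted".
ALLOWED = {("trusted", "iot")}

# Constructed lease table: (hostname, address, device class).
LEASES = [
    ("laptop", "192.168.10.21", "computer"),
    ("phone", "192.168.10.22", "phone"),
    ("door-lock", "192.168.20.31", "iot"),
    ("smart-plug", "192.168.20.32", "iot"),
    ("smart-tv", "192.168.10.40", "iot"),  # joined the wrong Wi-Fi
    ("friend-phone", "192.168.30.50", "guest"),
]

def segment_of(address):
    """Name of the segment an address belongs to, or None if it matches none."""
    ip = ipaddress.ip_address(address)
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return None

def misplaced(leases):
    """Devices whose address is outside the segment planned for their class."""
    found = []
    for host, address, kind in leases:
        actual = segment_of(address)
        if actual != EXPECTED[kind]:
            found.append((host, actual, EXPECTED[kind]))
    return found

def may_connect(src, dst):
    """Same-segment traffic is treated as reachable; cross-segment needs a rule."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False
    return s == d or (s, d) in ALLOWED

def blast_radius(hostname, leases):
    """Other devices reachable from `hostname` if that device were compromised."""
    address = next(a for h, a, _ in leases if h == hostname)
    return [h for h, a, _ in leases if h != hostname and may_connect(address, a)]

if __name__ == "__main__":
    print("misplaced:", misplaced(LEASES))
    for host in ("door-lock", "smart-tv", "friend-phone"):
        print(host, "can reach", blast_radius(host, LEASES))
```

The misplaced smart TV is the interesting case: because it sits in the trusted segment, compromising it exposes the laptop and phone, while the door lock in its own segment can only see the other smart device.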
Here is an illustration of how an attack can be carried out…
This case is a little extreme, and very oversimplified, but not very far from reality. You might be thinking, that sounds like a lot of work, and out of all the people in my neighborhood I have to be very lucky to get picked as the target. You are half right, the chances of any one particular person being a target of an attack like this aren’t great. On the other hand, the degree of difficulty of doing something like this has decreased exponentially in recent years. Anyone with YouTube access, a $100 Wi-Fi scanner, and a laptop could pull this off. There is the risk to reward trade-off, however, and that is where the likelihood of this attack decreases.
Do you see that IoT Door Lock in the illustration above?
That device connects to a cloud back end to provide users with the functionality of locking and unlocking the door remotely. That backend includes a database with all of the users’ login credentials, which during a maintenance update was left unsecured by the vendor, and the credentials of a couple of thousand users were leaked. If you don’t think that happens, then you did not read the beginning of this article. Now your password, which you use for this service as well as your mobile banking application, is out there, along with your username, which could also be used in other applications, or it could be your email and can be used to research you and find out potential services that you are consuming on the web using the same credentials. Guess what? You’re still getting that bill for the truck you bought 3 states away.
However, if you properly segmented your network and you are using different passwords for different things all of that could be avoided. No truck bill 😊
What do I need for this?
A strong password policy is free, the most important thing to remember is… well passwords, many of them. More is better.
For segmentation, if your network is small then most routers can accomplish what is needed through the creation of Guest Wi-Fi which limits devices’ ability to communicate with other devices in the same network.
Here I have listed a fairly economical router that can create up to 3 Guest Wi-Fi networks in addition to an internal one. Link here.
Additionally, you can cascade routers, which means that you buy 2 routers instead of 1 and create segmentation that way.
If you have wired devices then a small 8 or 16 port switch that supports VLANs should be sufficient to allow you to segment different connected devices like for example a connected smart TV, from a computer. I am a fan of TP-Link switches, they make affordable and lasting hardware that is pretty simple to operate.
Here are some choices…
If you fancy a fully integrated solution for a more comprehensive network visibility and management experience then you want Ubiquiti.
Ubiquiti’s UniFi line of network devices offers a fully integrated solution that allows you to customize the network and achieve the degree of segmentation needed to make sure that all devices have their respective segments based on the degree of risk and importance. To build a fully integrated network solution for your home using Ubiquiti you will need 3 things: A router, a switch, and an access point. How many of each you need depends on the footprint of your network.
Ubiquiti products have such a high degree of network visibility and management customization that they are often found in small businesses as well as home networks. While I have my reservations about Ubiquiti as a true enterprise networking solution (would not be my go-to option), it is a great consumer product for home networks. Ubiquiti offers some security features that are not found on most other routers.
Do your updates.
Out of date software is another potential weak point to any network. Devices accessing the internet should be patched and running the latest version of all used software whenever possible. As annoying and distracting as software updates are, the alternative is far worse. Most operating systems now allow users to set specific times for updates to be conducted, so there is no excuse. Yet users continue to ignore computer and mobile device software updates.
This is the final piece of this article’s puzzle. You must resist the urge to ignore those update notifications no matter how annoying or distracting they might be and embrace the fact that this medicine, while not tasty, is good for you.
Hackers behind apps?
Mobile apps are usually consumed through App Stores located on your mobile device. Most of the time these apps are legitimate but that is not always the case. Downloading an app with hidden malware is a real possibility. Here is a recent article about Google removing potentially harmful apps from the Play store, and another from Apple. I found these just by doing a quick Google search on the topic and I picked a couple that were fairly recent and towards the top of the results. What made these apps harmful does not necessarily have anything to do with this article, other than to illustrate that potentially harmful software exists even in legitimate marketplaces, and the importance of updating your software.
Security updates are designed to patch vulnerabilities that have been found on devices that can be exploited by those same people trying to disguise harmful apps in App Stores. These vulnerabilities can lead to someone taking control of your device and forcing you into paying a ransom for your data or stealing your data to use it or sell it. Not to mention that if your device is infected and you join someone’s network you can infect them as well.
Ok, Let’s recap.
If you are making a list of things to do to achieve good network hygiene, here are some steps to follow:
- Strong passwords, more is better. Use different passwords for different things. Use a password manager if you have difficulty remembering. Change your passwords periodically.
- Use Multi-Factor Authentication and stay away from services and apps that do not offer it whenever possible.
- Have a Guest Wi-Fi for guests, with a different password.
- Have a Guest Wi-Fi, or separate Wi-Fi for wireless IoT (smart devices).
- Segment the network to limit the reach and damage of a breach.
- Say YES, to updates.
At least 3 of these 6 steps can more than likely be accomplished without spending any money and all of them will help you keep the network secure and your data safe. The more of these steps you follow, the better your chances are.
It seems nowadays that breaches are inevitable, however, there is a big difference between a paper cut and a cut that requires stitches.