Source: This article was published on technologyreview.com by Martin Giles - Contributed by Member: Juan Kyser

That’s the view of security expert Bruce Schneier, who fears lives will be lost in a cyber disaster unless governments act swiftly.

Smart gadgets are everywhere. The chances are you have them in your workplace, in your home, and perhaps on your wrist. According to an estimate from research firm Gartner, there will be over 11 billion internet-connected devices (excluding smartphones and computers) in circulation worldwide this year, almost double the number just a couple of years ago.

Many billions more will come online soon. Their connectivity is what makes them so useful, but it’s also a cybersecurity nightmare. Hackers have already shown they can compromise everything from connected cars to medical devices, and warnings are getting louder that security is being shortchanged in the stampede to bring products to market.

In a new book called Click Here to Kill Everybody, Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. The author of an influential security newsletter and blog, Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University and a lecturer in public policy at the Harvard Kennedy School. Among other roles, he’s also on the board of the Electronic Frontier Foundation and is chief technology officer of IBM Resilient, which helps companies prepare to deal with potential cyber threats.

Schneier spoke with MIT Technology Review about the risks we’re running in an ever more connected world and the policies he thinks are urgently needed to address them.

The title of your book seems deliberately alarmist. Is that just an attempt to juice sales?

It may sound like publishing clickbait, but I’m trying to make the point that the internet now affects the world in a direct physical manner, and that changes everything. It’s no longer about risks to data, but about risks to life and property. And the title really points out that there’s the physical danger here, and that things are different than they were just five years ago.

How’s this shift changing our notion of cybersecurity?

Our cars, our medical devices, our household appliances are all now computers with things attached to them. Your refrigerator is a computer that keeps things cold, and a microwave oven is a computer that makes things hot. And your car is a computer with four wheels and an engine. Computers are no longer just a screen we turn on and look at, and that’s the big change. What was computer security, its own separate realm, is now everything security.

You’ve come up with a new term, “Internet+,” to encapsulate this shift. But we already have the phrase “internet of things” to describe it, don’t we?

I hated having to create another buzzword, because there are already too many of them. But the internet of things is too narrow. It refers to the connected appliances, thermostats, and other gadgets. That’s just a part of what we’re talking about here. It’s really the internet of things plus the computers plus the services plus the large databases being built plus the internet companies plus us. I just shortened all this to “Internet+.”

Let’s focus on the “us” part of that equation. You say in the book that we’re becoming “virtual cyborgs.” What do you mean by that?

We’re already intimately tied to devices like our phones, which we look at many times a day, and search engines, which are kind of like our online brains. Our power system, our transportation network, our communications systems, are all on the internet. If it goes down, to a very real extent society grinds to a halt, because we’re so dependent on it at every level. Computers aren’t yet widely embedded in our bodies, but they’re deeply embedded in our lives.

Can’t we just unplug ourselves somewhat to limit the risks?

That’s getting harder and harder to do. I tried to buy a car that wasn’t connected to the internet, and I failed. It’s not that there were no cars available like this, but the ones in the range I wanted all came with an internet connection. Even if it could be turned off, there was no guarantee hackers couldn’t turn it back on remotely.

Hackers can also exploit security vulnerabilities in one kind of device to attack others, right?

There are lots of examples of this. The Mirai botnet exploited vulnerabilities in home devices like DVRs and webcams. These things were taken over by hackers and used to launch an attack on a domain-name server, which then knocked a bunch of popular websites offline. The hackers who attacked Target got into the retailer’s payment network through a vulnerability in the IT systems of a contractor working on some of its stores.

True, but these incidents didn’t lead to loss of life or limb, and we haven’t seen many cases involving potential physical harm yet, have we?

We haven’t. Most attacks still involve violations of data, privacy, and confidentiality. But we’re entering a new era. I’m obviously concerned if someone steals my medical records, but what if they change my blood type in the database? I don’t want someone hacking my car’s Bluetooth connection and listening to my conversations, but I really don’t want them to disable the steering. These attacks on the integrity and availability of systems are the ones we really have to worry about in the future because they directly affect life and property.

There’s been lots of discussion in the US this year about cyber threats to critical infrastructure like power grids and dams. How serious are these?

We know that at least twice, Russian hackers have turned off power to bits of Ukraine’s grid as part of a broader military campaign. We know that nation-state hackers have penetrated systems at some US power companies. These hacks have been exploratory ones and haven’t caused damage, but we know it’s possible to do so. If there are military hostilities against the US, we should expect these attacks will be used. And the US will use them against our adversaries, just as we used cyberattacks to delay the nuclear programs in Iran and North Korea.

What implications does all this have for our current approach to computer security, such as issuing patches, or fixes, for software flaws?

Patching is a way of regaining security. We produce systems that aren’t very good, then find vulnerabilities and patch them. That works great with your phone or computer because the cost of insecurity is relatively low. But can we do this with a car? Is it okay to suddenly say a car is insecure, a hacker can crash it, but don’t worry because there will be a patch out next week? Can we do that with an embedded heart pacemaker? Because computers now affect the world in a direct, physical manner, we can’t afford to wait for fixes.

But we already have very strict security standards for software that’s used in sensitive cyber-physical domains like aviation, don’t we?

Right, but it’s very expensive. Those standards are there because there’s already strong government regulation in this and a few other industries. In consumer goods, you don’t have that level of safety and security, and that’s going to have to change. The market right now doesn’t reward secure software at all here. As long as you, as a company, won’t gain additional market share because of being more secure, you’re not going to spend much time on the issue.

So what do we need to do to make the Internet+ era safer?

There’s no industry that’s improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company’s earnings.

But won’t things like strict liability laws have a chilling effect on innovation?

Yes, they will chill innovation—but that’s what’s needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We’re past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

There’s a fundamental tension here, though, isn’t there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.

Governments are certainly poachers as well as gamekeepers. I think we’ll resolve this long-standing tension between offense and defense eventually, but it’s going to be a long, hard slog to get there.

Your book largely focuses on the US. Do you think it will take the lead here?

I focus on the US because it’s where the major tech companies are located and it’s the regime I know best, but I do talk about Europe a fair bit as well. The European Union is the regulatory superpower on this planet right now. I think it’s going to advance further and faster than the US. In the US, I look more to the states, and specifically Massachusetts, New York, and California.

I also think there will be international treaties and norms that put some of our connected infrastructures off-limits to nation-state cyber attacks, at least in peacetime. We urgently need action at all levels now, from local to international. My biggest fear is that there will be a cyber disaster and that governments will rush headlong to implement measures, without a lot of thought, that won’t solve the problem.


Source: This article was published on techworm.net by Payel Dutta - Contributed by Member: Linda Manly

You sign up with one of the best email service providers and you get ready to launch the campaign you’ve been working on. You believe that this undertaking will generate good revenue for your business, and you expect to have it done as soon as possible. But then…you are taken by surprise. When you upload your mailing list, your progress comes to a halt. You are told to verify your email address, and you do not know what to do. In fact, some small business owners will give up at this point and turn to other digital marketing strategies available on the market.

However, you do not need to worry, as you can easily find a great email address verification service provider on the internet. What you need to know is that regardless of the service provider you decide to work with, email verification doesn’t have to break the bank, nor does it have to waste a lot of your time. It is a quick process that is geared towards improving your marketing efforts.

Have you been yearning to learn about email address verification? Below is everything you need to know about it.

Understanding email address verification – what is it?

Basically, this is a process that ensures that all the email addresses in your mailing list are connected to a legitimate, active inbox. Simply put, this is a process that guarantees all the messages you send have a safe destination to reach.

Why is email verification necessary?

You might be tempted to think that when you fail to verify your email list, nothing will happen to you. In fact, some misleading blogs and websites will tell you that hiring a professional email address verification service is a waste of time. Well, believe this at your peril.

If you skip this process, a digital marketing strategy that incorporates email marketing will be doomed to fail. Below are some of the things that expert email verification service providers like Zero Bounce protect you from:

  • Miserable marketing results

When you kick off your email marketing campaign, you believe that it will reach as many people as possible, and that you will get the best sales for your goods or services at the end of the day. However, if the email addresses you are sending the messages to are not valid, you will end up with dismal results.

If you have many emails bouncing back, it means that your deliverability will be adversely affected to a great extent. This means that even those email addresses that are valid will not receive your well-intended messages.

Also, if any email addresses are not valid, you will not get reliable metrics when measuring the success of your email marketing campaign. Your goal should be to make a connection with your target audiences. Getting a good email address verification service should not be optional; it should be at the top of your priority list.

  • Money wastage

Email service providers will charge you depending on the number of subscribers you have. This means that the higher the number of subscribers, the more money you will pay. Therefore, if you keep unvalidated lists, you will bear a recurring cost for addresses that are worth nothing in the first place.

  • Account suspension

Yes, spam monitors, email security services, as well as internet service providers have policies for undelivered messages, unsubscribes, and spam complaints. Therefore, if your mailing list is unmanaged, your account might be suspended on grounds of the three mentioned above.

Verifying your email address will minimize the number of undelivered messages; hence your account will be safe from suspension.

Reasons why you have many invalid email addresses

Below are some of the reasons why you have so many risky emails in your mailing list:

  • The people in your mailing list stopped using the email addresses a long time ago
  • Your list is full of role addresses
  • You failed to validate the emails when filling out the web forms; hence there are lots of typos. The ZeroBounce API can help you here by verifying email registrations in real time.

Even the best marketers of all time have risky emails in their lists. Therefore, do not over-blame yourself when you find them. Just know how to remove them proactively for better performance. Also, proceed with care when choosing the right email address verification service, and your campaign will never fail to yield results.


Source: This article was published on usa.kaspersky.com - Contributed by Member: Barbara Larson

Even though computers have become a constant feature of modern life, many people still don't realize the enormous risks that come from constant interaction with technology. 

Computer viruses are one of the oldest forms of malware — in other words, malicious software designed to do harm — but their ability to avoid detection and replicate themselves means that these programs will always be cause for worry. Understanding just what a virus can do to your computer is the first step to securing your system and protecting your family from attack.

A Computer Virus' Potential

The only real qualification for a piece of software to be labeled a "virus" is that the program has the ability to replicate itself onto other machines. This means that not all viruses pose a direct threat to your computer, but often even latent viruses will allow cyberthieves and hackers to install more damaging programs like worms and Trojans. 
Regardless of the intention of the computer virus, the program will take up some system resources while it runs. This slows down your system, even bringing your computer to an abrupt halt if the virus hogs enough resources or if there are many viruses running at the same time.

More often, the computer virus has some kind of malicious intent, either written into the virus itself or from the other pieces of malware that the virus installs. This software can take a number of harmful actions, like opening up a back door to the computer where hackers can take control of the system, or stealing confidential personal information like online banking credentials or credit card numbers. It could also direct your Web browser to unwanted, often pornographic, sites, or even lock the computer down and ask for a ransom to open it back up again. In the most severe cases, viruses can corrupt important computer files, rendering the system useless. Windows OS products are often targets of these types of vulnerabilities, so be sure you're secure whether you are running the newest OS, XP, or Windows 8. Security is essential.

How to be a Savvy Computer-User

So with all the damage that a virus can do, you're sure to wonder how you can protect yourself and your family from these threats. The first step is the most obvious, and it all comes down to using your computer in a smart way. 
Ensure all your programs have the latest version of antivirus software installed. This is especially true for things like your operating system, security software and Web browser, but also holds true for just about any program that you frequently use. Viruses often take advantage of bugs or exploits in the code of these programs to propagate to new machines, and while the companies that make the programs are usually quick to fix the holes, those fixes only work if they have been downloaded to your computer.


It's also important to avoid taking actions that could put your computer at risk. These include opening unsolicited email attachments, visiting unknown websites or downloading software from untrustworthy websites or peer-to-peer file transfer networks. To ensure that the entire family understands the risks, these procedures should be taught to everyone, and children should have their Internet use monitored to ensure they aren't visiting suspect websites or downloading random programs or files.

How to Install Virus Prevention and Detection Software

The next important step in protecting your computer and your family is to install trusted computer security software that can actively scan your system and provide virus protection. You should be warned, however, that not all security solutions are the same. 
Free antivirus software abounds on the Internet, but much of it isn't robust enough to offer complete protection or updated frequently enough to be of much use. Horrifyingly, some of this free software doesn't do anything at all and instead installs viruses, adware, spyware or Trojans when you try to download and install the program. 
If the price is a factor, the best option is to find a competitively priced Internet security solution that offers a free antivirus trial, so that you can see the software in action, and how your computer responds after being cleaned, before you make a purchasing decision. 
The hardest part about all of this is that while each day many threats are neutralized, more are then created in their place. This means that as long as there's an Internet, computer viruses will continue to be a problem. Ignoring the issue or thinking that it won't affect you is a sure way to get your computer compromised, and put your family's information or peace of mind at risk.


Source: This article was published on insights.speakwithageek.com - Contributed by Member: Deborah Tannen

What Is Micro-VPN?

Micro-VPNs are VPNs at a smaller scale: they operate at the level of an application or a collection of applications rather than a whole device. These are known as trusted applications; each of these trusted applications has a token that is authenticated before the tunnel is opened for the user utilizing a micro-VPN.

VPN And Security Concerns

In today's IT world, many workers use their personal devices to get their work completed. This turns out to be a time-saving process for employees and the company. Even though these devices help them, there are critical security concerns that arise with using your own device.

The old-style VPN approach is the most commonly used form of remote connectivity among organizations, allowing an employee to check emails and documents. The VPN tunnel that is established is device-wide: once the device is connected, any application on it can use this tunnel and get access to corporate resources. This means that if the employee’s device is infected with malware or malicious applications, these can potentially gain access to the tunnel. This security downside can be avoided through the use of micro-VPNs, which are specific to an application instead of a device.

Security Advantages

The following are some of the advantages of using a micro-VPN:

  • Moves the virtual private network client from the device to the application and authenticates the user.
  • Provides access to specific corporate content without having to run a full-scale VPN on the device.
  • Acts as a security wrapper for the mobile device around an enterprise application by providing a token for a successful VPN tunnel.
  • Administers mobile control policies on the application that connects to the corporate network.
  • The micro-VPN application and the corporate network can see one another; however, the rest of the device is not opened to or accessible by the client network. In addition, the user cannot access company resources from a non-enterprise application.

Citrix Solutions

Citrix XenMobile’s product, NetScaler Gateway, is based on the idea of micro-VPNs through logical VPN tunnels. NetScaler Gateway helps in creating different TCP sessions for different applications automatically.

Currently, micro-VPNs are one of the trustworthy solutions that IT departments can deploy on employees’ devices to avoid exposure to unknown elements.



The Internet is massive. Millions of web pages, databases and servers all run 24 hours a day, seven days a week. But the so-called "visible" Internet—sites that can be found using search engines like Google and Yahoo—is just the tip of the iceberg. Below the surface is the Deep Web, which accounts for approximately 90 percent of all websites. As noted by ZDNet, in fact, this hidden Web is so large that it's impossible to discover exactly how many pages or sites are active at any one time. This Web was once the province of hackers, law enforcement officers and criminals. However, new technology like encryption and the anonymization browser software, Tor, now makes it possible for anyone to dive deep if they're interested.

 

Defining the Deep/Dark Web

There are a number of terms surrounding the non-visible Web, but it's worth knowing how they differ if you're planning to browse off the beaten path. According to PC Advisor, the term "Deep Web" refers to all Web pages that are unidentifiable by search engines. The "Dark Web," meanwhile, refers to sites with criminal intent or illegal content, and "trading" sites where users can purchase illicit goods or services. In other words, the Deep covers everything under the surface that's still accessible with the right software, including the Dark Web. There's also a third term, "Dark Internet," that refers to sites and databases that are not available over public Internet connections, even if you're using Tor. Often, Dark Internet sites are used by companies or researchers to keep sensitive information private.

While many news outlets use "Deep Web" and "Dark Web" interchangeably, it's worth noting that much of the Deep is actually benign. Everything from blog posts in review to Web page redesigns still in testing to the pages you access when you bank online are part of the Deep and pose no threat to your computer or safety at large. As CNN Money illustrates, big search engines are like fishing boats that can only "catch" websites close to the surface. Everything else, from academic journals to private databases and more illicit content, is out of reach.

Access

Most people who wish to access the Deep Web use Tor, a service originally developed by the United States Naval Research Laboratory. Think of Tor as a Web browser like Google Chrome or Firefox. The main difference is that, instead of taking the most direct route between your computer and the deep parts of the Web, the Tor browser uses a random path of encrypted servers, also known as "nodes." This allows users to connect to the Deep Web without fear of their actions being tracked or their browser history being exposed. Sites on the Deep also use Tor (or similar software such as I2P) to remain anonymous, meaning you won't be able to find out who's running them or where they're being hosted.

Many users now leverage Tor to browse both the public Internet and the Deep. Some simply don't want government agencies or even Internet Service Providers (ISPs) to know what they're looking at online, while others have little choice—users in countries with strict access and use laws are often prevented from accessing even public sites unless they use Tor clients and virtual private networks (VPNs). The same is true for government critics and other outspoken advocates who fear backlash if their real identities were discovered. Of course, anonymity comes with a dark side since criminals and malicious hackers also prefer to operate in the shadows.

Use and Misuse

For some users, the Deep Web offers the opportunity to bypass local restrictions and access TV or movie services that may not be available in their local areas. Others go deep to download pirated music or grab movies that aren't yet in theaters. At the dark end of the Web, meanwhile, things can get scary, salacious and just plain...strange. As noted by The Guardian, for example, credit card data is available on the Dark Web for just a few dollars per record, while ZDNet notes that anything from fake citizenship documents to passports and even the services of professional hit men is available if you know where to look. Interested parties can also grab personal details and leverage them to blackmail ordinary Internet users. Consider the recent Ashley Madison hack—vast amounts of account data, including real names, addresses and phone numbers—ended up on the Dark Web for sale. This proves that, even if you don't surf the murky waters of the Dark Web, you could be at risk of blackmail (or worse) if sites you regularly use are hacked.

Illegal drugs are also a popular draw on the Dark Web. As noted by Motherboard, drug marketplace the Silk Road—which has been shut down, replaced, shut down again and then rebranded—offers any type of substance in any amount to interested parties. Business Insider, meanwhile, details some of the strange things you can track down in the Deep, including a DIY vasectomy kit and a virtual scavenger hunt that culminated in the "hunter" answering a NYC payphone at 3 a.m.

Real Risks

Thanks to the use of encryption and anonymization tools by both users and websites, there's virtually no law enforcement presence down in the Dark. This means anything—even material well outside the bounds of good taste and common decency—can be found online. This includes offensive, illegal "adult" content that would likely scar the viewer for life. A recent Wired article, for example, reports that 80 percent of Dark Web hits are connected to pedophilia and child pornography. Here, the notion of the Dark as a haven for privacy wears thin and shores up the notion that if you do choose to go Deep, always restrict access to your Tor-enabled device so children or other family members aren't at risk of stumbling across something no one should ever see. Visit the Deep Web if you're interested, but do yourself a favor: don't let kids anywhere near it and tread carefully—it's a long way down.

Source: This article was published on usa.kaspersky.com


When reading Wikipedia’s 1992 Ten Commandments of Computer Ethics you can easily substitute “Internet” for “computer” and it’s amazing what you see... for example, the 1st Commandment: “You shall not use the Internet to harm other people.” Here are all Ten Commandments of Internet Ethics (with my minor edits):

  1. You shall not use the Internet to harm other people.
  2. You shall not interfere with other people’s Internet work.
  3. You shall not snoop around in other people’s Internet files.
  4. You shall not use the Internet to steal.
  5. You shall not use the Internet to bear false witness.
  6. You shall not copy or use proprietary software for which you have not paid (without permission).
  7. You shall not use other people’s Internet resources without authorization or proper compensation.
  8. You shall not appropriate other people’s intellectual output.
  9. You shall think about the social consequences of the program you are writing or the system you are designing.
  10. You shall always use the Internet in ways that ensure consideration and respect for your fellow humans.

For those of us who used the Internet in 1992 it’s great to see that the Ethics of the Internet in 1992 (from the Computer Ethics Institute) applies in 2016!

Source: This article was published on vogelitlawblog.com by Peter S. Vogel


Cyber-crime has become one of the greatest threats to businesses, government institutions, and individuals, as hackers are constantly finding new targets and advanced tools to break through cyber defenses. As technology improves, new vulnerabilities are discovered and new obstacles challenge security professionals.

The past year was marked by a number of devastating, high-impact cyber-attacks. Apart from the rumors that the US election was hacked, there were ransomware attacks all over the world and, of course, the Equifax breach.

Unfortunately, as challenging as it is today, cyber-security threats will likely get worse in the future, as attacks get more sophisticated. As the years pass, the global security threat outlook keeps on developing. In order to fight this threat, all business entities must understand and learn how to cope with these global cyber threats.

In 2018, these cyber threats are expected to grow at a constant rate, as more complex challenges continue to surface, and cyber criminals keep coming up with new ways of attacking secure IT systems. The following are some of the biggest internet security threats that can impact the operations of IT-powered organizations in the year 2018.

Ransomware

Over the past 12 months, we saw a huge number of ransomware attacks. Ransomware is, in fact, a relatively simple form of malware that breaches defenses and locks down computer files using strong encryption. Then, hackers demand money in exchange for digital keys, needed to unlock the data. Quite often, especially if the encrypted data hasn’t been backed up, victims pay. This has made ransomware popular with criminal hackers, who have recently started demanding payment in cryptocurrencies which are extremely hard to trace.

Google, Amazon, IBM and other big cloud operators have hired the best digital security talent to protect them from such attacks. However, smaller companies can’t afford this, which makes them more vulnerable. For a small-scale local business, even a single tiny breach could lead to a big payday for the hackers involved. To prevent your computer from getting hijacked, avoid clicking on unknown links, keep security software up to date, and back up everything on an external hard drive.

Attacks on Cryptocurrencies

According to the latest research, there are currently 1324 cryptocurrencies in total, and this number is expected to increase. The rapid increase in the value of some cryptocurrencies has pushed thieves into massive criminal activity against virtual currency schemes. As more people mine cryptocurrencies on their computers, cybercriminals will organize more attacks designed to steal crypto coins from users, using malware to steal funds from victims’ computers or to deploy hidden mining tools on machines.

Threats to IoT (Internet of Things)

As the value of real-time data collection advances day by day, individuals and business entities are increasingly making use of IoT devices. But unlike our traditional devices, IoT devices pose a significant challenge and a sense of less control, simply because they are not the best-protected entities and are susceptible to hacking. That’s why protecting them is so important and will continue to be so in 2018. Millions of connected devices have little or no defense against hackers who want to gain control of them and use them to enter a network or access valuable data. The number of cyber-attacks powered by compromised IoT devices has become a great concern of the IT security industry, which is why IoT vendors are already putting more time and effort into securing their devices.

Source: This article was published alleywatch.com By VIVENNE CARDENASS


Let’s talk seriously about industrial cybersecurity: What you don’t know can hurt you.

Industrial cyber security is all over the news, and not in a good way. Our most vital industries – including power, water, nuclear, oil and gas, chemical, food and beverage, and critical manufacturing – are under attack. The gravity of the situation became clear when the FBI and the Department of Homeland Security went public in October about existing, persistent threats. Virtually or not, bad actors are among us.

Unlike physical attacks, cyber attacks are nonstop. Cyber hackers have graduated from simple mischief and denial-of-service attacks to ransomware, theft of competitive information, interception or altering of communications, the shutdown of industrial processes, and even knowledge manipulation through the news and social networks (it’s bigger than just politics). Who knows what’s next?

Digitalization and connectivity are heightening cyber risk, though they are foundational to the Internet of Things (IoT), cloud computing, Big Data analytics, and artificial intelligence. Breaching a single connected operational technology (OT) device or system puts everything on the network at risk.

Low-security and small networks provide easy access for bad actors, whether they’re traditional hackers, black-hat hackers making money on the dark web, nation-states, or malicious insiders. Human error and negligence also are cyber risks.

To establish and sustain cybersecurity and restore the confidence of the public, greater awareness of threats and ownership of risks are imperative. In addition to mastering basic security measures, the industry needs to detect and respond to attacks with persistence and resilience. Trust is not a strategy.

Fortunately, industrial software, technology, equipment, and service providers are fast ramping up their defenses, and dozens of new cybersecurity technology and services firms are offering to help. Consultants, legislators, regulators, and standards bodies also have prominent roles, but it is the end users, ultimately, who must put the cybersecurity puzzle together.

Here, several industry and cyber professionals weigh in about industrial producers’ cybersecurity risks and responsibilities and offer their actionable recommendations.

How bad is the problem?

When companies are surveyed about their top business risk, the answer increasingly is cybersecurity, says Alan Berman, president and CEO of the not-for-profit Disaster Recovery International Foundation (DRIF). The IoT – now a $3 trillion to $6 trillion industry – is opening new doors to cyber hackers. An estimated 50 billion connected devices (handhelds, sensors, etc.) are in use already.

Speaking at the Society of Maintenance and Reliability Professionals (SMRP) 2017 Conference, Berman noted that cyber hacking has matured to become a sophisticated industry seeking to penetrate devices and systems through the weakest link in the chain, with the goal of profitability. “It is a business and we have to deal with it as a business,” he explains.

The weakest link could be a vending machine in the plant, Berman says. “Once hackers get on the network, they can get into everything,” he says. “When that happens, it could be months before the breach is discovered. What looks like a malfunction could actually be a hack.”

Until there’s awareness within the maintenance organization of the security risks associated with adding or replacing a connected device, the number of cyberattacks an organization sees will continue to rise, says Howard Penrose, president of MotorDoc.

Penrose has easily uncovered industrial cybersecurity gaps using Shodan.io, a search engine for finding internet-connected devices. In one case, “We found numerous points of access to different IoT devices using (the organization’s) default passwords, including links to the documents with those passwords,” he says. “In another case, an OEM had installed software on wind generation systems that allowed them to be turned on or off with a smartphone app.”

Most people equate cybersecurity to the network or IT, but the things that go “boom” in the night are on the industrial control system (ICS) side, says Joe Weiss, managing partner at Applied Control Solutions. “Not enough people are looking at this,” he says.

Weiss has been compiling a nonpublic ICS cyber-incident database that he says already contains more than 1,000 actual incidents, representing about $50 billion in direct costs. Each new entry serves as a learning aid or reminder; often they’re logged in his cybersecurity blog.

“People worry about the IT/OT divide, but the real divide is what comes before and after the Ethernet packet,” suggests Weiss. “Before the packet is where the Level 0,1 devices live (sensors, actuators, drives), and that’s where cybersecurity and authentication are lacking.”

As managing director of ISA99, Weiss recently helped start a new working group for Industrial Automation and Control System Security standards to address the cybersecurity of Level 0,1 devices.

Fear or fight?

Digitalization adds significant value despite the cyber risk. “Don’t fear connectivity – the benefits are too great,” says Eddie Habibi, founder and CEO of PAS Global. On the other hand, he cautions, the threat of cyber attack is imminent and proven; critical systems are vulnerable; and “every minute, day, or month that you put off securing your systems, they remain at risk.”

Malicious code can sit dormant on a network for months or years before it suddenly activates, explains Habibi. The consequences can be significant to safety, production, the company’s reputation, insurance costs, and even the cost of borrowing for organizations that are not considered secure. “It’s beyond the theft of data; it’s now hitting the bottom line,” he adds.

While OT operators face all of the cybersecurity risks common in IT environments, many of the tools used to mitigate those risks are not available for OT networks, observes Chris Grove, director of industrial security at Indegy. He notes the following crucial distinctions:

  1. OT networks are not designed from the ground up with security in mind, meaning that industrial controllers are not typically protected with authentication, encryption, authorization, or other standard security mechanisms.
  2. A successful cyber attack on an OT network could have safety, financial, and environmental implications.
  3. It is much more difficult to monitor OT networks than it is to monitor IT networks because of the lack of monitoring tools, the proprietary protocols in use, and network isolation.

With the right tools, such as those developed for OT asset discovery and for tracking of user activity and changes to operational code, operators can identify risky configurations, malware, human errors, and insider attacks.

“Security is not a static thing,” cautions Dr. Allan Friedman, director of cybersecurity initiatives at National Telecommunications and Information Administration (NTIA) in the U.S. Commerce Department. “It needs to be adaptive, resilient, and scalable.” He continues: “For example, don’t assume that an air-gapped system (unplugged from any network infrastructure) will stay that way. Improperly trained personnel may establish new connections, or the USB drive used for a software update may carry an infection.”

Security by design and necessity

Trust is the new currency; more regulations are coming, and cybersecurity is not an option because we are moving toward digital at the speed of light: Dr. Ilya Kabanov, global director of application security and compliance for Schneider Electric, made these three points at the ASIS 2017 international security conference.

Kabanov urges OEMs to embed privacy and security in the products themselves. “It is not security vs. innovation; security requires innovation,” he explains.

Richard Witucki, the cyber security solutions architect at Schneider Electric, agrees. “Since security by obscurity is no longer a viable option, it is incumbent upon manufacturers such as Schneider Electric to embed cyber security directly into their products,” he says. “By doing this, we enable the end users to take a much more defense-in-depth approach.”

Schneider Electric’s approach includes actively training its development teams and engineers in secure development life-cycle programs, incorporating established security controls into its products, and conducting exhaustive internal and external testing. The ISA99/IEC 62443 set of standards was chosen because it addresses cybersecurity at several levels, including the products, the systems, and the development life cycle of the products and solutions.

“We all rely on products that control our critical infrastructure to perform as expected,” Witucki says. “Ironically, because these systems are so reliable (e.g., PLCs controlling a seldom-used diesel generator for 20 years), they have now become a vulnerability within the shifting threat landscape.”

Predictive maintenance (PdM) system and service providers are also tackling cybersecurity. Paul Berberian, the condition monitoring specialist at GTI Predictive Technology, has heard customer comments ranging from “It is not an issue” and “Nothing in the plant is connected to the outside world,” to concerns about internal secrets being vulnerable through an internet connection.

“Maintenance and reliability departments want to use PdM technology, but some don’t want to fight the battle internally with IT,” explains Berberian. “In my opinion, the concern for most of these companies is that hackers will be able to find a way into their plant network through the PdM data portal.”

To mitigate this risk, GTI uses SSL certificates to ensure the security of its sites; it requires encrypted usernames and passwords for access; it encrypts the stored data, and it uses a secure (HTTPS) web address.

Operational security technology partnerships are also forming. “Manufacturers and utilities want a single, accountable provider with a reputation like Siemens’ rather than a dozen suppliers,” says PAS Global’s Habibi.

The Siemens-PAS partnership looks to help companies that are struggling to establish adequate cybersecurity regimens. The PAS Cyber Integrity analytic detection engine identifies and tracks cyber assets, enabling fleetwide, real-time monitoring of control systems. Forensic and analytics technologists at the Siemens Cyber Security Operations Center apply their expertise to this information so they can dig deeper and provide a more robust response to potential threats.

“There is a 100% probability that any company will suffer from a cyber attack, and these attacks travel with lightning speed – how resilient will your response be?” asks Leo Simonovich, vice president and global head of industrial cyber security at Siemens.

What should you do right now?

First, master the basics: access controls, backup and recovery, software updates and patching, network segmentation, system hardening, and malware prevention on endpoints. Consider using a search engine like Shodan.io to quickly gauge risk exposure.

Cybersecurity should be treated like lean manufacturing and Six Sigma initiatives; it should be a continuous process reviewed and assessed on a regular basis, says Schneider Electric’s Witucki. “It is not a goal, but a journey,” he says.

He suggests selecting a cybersecurity standard appropriate to your industry and organization and then focusing attention where it is needed most with a gap analysis or risk assessment. This starts with an inventory of all computer-based assets (hardware, software, etc.). “When you consider some of this equipment may have been operating for 20 years inside an enclosure, you start to understand why this may be difficult,” adds Witucki.

GTI’s Berberian urges both industrial solution providers and end users to establish a strategy and security protocol that suppliers must meet. “A strategy that everyone understands, other than ‘We will never use the cloud,’ is most helpful,” he says.

To secure complete operating environments, companies must begin by addressing the fundamentals: discovery, prioritization, monitoring, and protection of their assets, advises Siemens’ Simonovich. He also advocates that company leaders consider addressing OT cybersecurity as one of their core responsibilities. This requires ownership, a strategy that looks at the challenge holistically, and strategic partnerships with best-of-breed companies.

NTIA’s Friedman suggests the following when acquiring new equipment or devices:

  1. Ask questions regarding security: What are the risks, and how can they be mitigated?
  2. Employ basic security hygiene: Use strong passwords and security credentials; apply patches promptly; employ network segmentation; and “know what’s under the hood” (e.g., which operating system is used).
  3. Partner with other sectors and organizations on design principles: Your problems probably aren’t unique, and others may have developed useful security solutions.

Ensure that the default passwords are changed, especially in the settings of variable-frequency drives, energy monitoring devices, and other connected systems, adds MotorDoc’s Penrose. Also, never let a vendor bypass security to connect to the network. “We once found that a USB WiFi card had been installed on a secure network so a vendor could access the system remotely, eliminating the isolation of the critical system's network,” he says. He adds that if the IT personnel are capable, they should be performing device vulnerability analyses.

Indegy’s Grove says that while active, passive, and hybrid ICS security monitoring approaches all have advantages, a hybrid approach is likely to provide the best value for most organizations because it “gives organizations total visibility into their OT network and environment.”

Applied Control Solutions’ Weiss reminds us that it isn’t always clear what is or isn’t a cyber event, and SCADA is not a fail-safe to identify potential cyberattacks. By design, in some cases it may not detect critical malfunctions. Weiss suggests getting involved in the new ISA99 working group and sharing your ICS cyber incidents with him.

Finally, and perhaps of most importance, cautions Schneider Electric’s Kabanov, everyone from executives to end users must decide whether cyber protections make sense. If they don’t believe they do, they’ll work around them.

Much more needs to be done to protect the critical industrial sector. The bad actors already are planning their next move. What’s yours?

Source: This article was published plantservices.com By Sheila Kennedy


IOT IS COMING and a lot of IT execs are scared silly. Or maybe it’s more accurate to say they are resigned to their fates.

In a May study of 553 IT decision makers, 78% said they thought it was at least somewhat likely that their businesses would suffer data loss or theft enabled by IoT devices. Some 72% said the speed at which IoT is advancing makes it harder to keep up with evolving security requirements.

Such fears are rooted in reality. Last October, hackers took down the company that controls much of the Internet’s domain name system infrastructure using some 100,000 “malicious endpoints” from IoT devices. More recently, the WannaCry ransomware attack crippled some Bank of China ATM networks and washing machine networks. For naysayers, those attacks validated fears that hackers could cause mayhem by commandeering our IoT devices.

At the same time, the IoT industry continues its steady growth path. Gartner predicts that by 2020 there will be some 21 billion IoT devices in existence, up from 5 billion in 2015. About 8 billion of those devices will be industrial, not consumer devices. Both present a juicy target for hackers.

For some, it seems like IoT is a slow-motion wreck playing out in real time. “The reason that the industry hasn’t backed off is the value proposition is very powerful,” said Chris Moyer, CTO and VP-cybersecurity at DXC. “The risk proposition is also very powerful and that’s where the balancing is going on.”

Regardless of the industry’s appetite, IoT isn’t likely to reach scale until the industry addresses its security issue. That will take cooperation among vendors, government intervention, and standardization. In 2017, none of those things appear to be on the horizon.

What’s wrong with IoT security

The consensus is that IoT is still under-secured and presents possibly catastrophic security risks as companies trust IoT devices for business, operational and safety decisions. Standards are not yet in place, and vendors keep struggling to embed the right level of intelligence and management into products. Add the increasing collaboration among attackers, and these challenges need to be addressed across a set of dimensions.

Consider what we face with the security of IoT devices:

  • Unlike PCs or smartphones, IoT devices are generally short on processing power and memory. That means that they lack robust security solutions and encryption protocols that would protect them from threats.
  • Because such devices are connected to the Internet, they will encounter threats daily. And search engines for IoT devices exist that offer hackers an entrée into webcams, routers and security systems.
  • Security was never contemplated in the design or development stages for many of these Internet-connected devices.
  • It’s not just the devices themselves that lack security capability; many of the networks and protocols that connect them don’t have a robust end-to-end encryption mechanism.
  • Many IoT devices require manual intervention to be upgraded while others can’t be upgraded at all. “Some of these devices were built very rapidly with limited design thinking beyond Iteration 1 and they’re not update-able,” said Moyer.
  • IoT devices are a “weak link” that allows hackers to infiltrate an IT system. This is especially true if the devices are linked to the overall network.
  • Many IoT devices have default passwords that hackers can look up online. The Mirai distributed denial of services attack was possible because of this very fact.
  • The devices may have “backdoors” that provide openings for hackers.
  • The cost of security for a device may negate its financial value. “When you have a 2-cent component, when you put a dollar’s worth of security on top of it, you’ve just broken the business model,” said Beau Woods, an IoT security expert.
  • The devices also produce a huge amount of data. “It’s not just 21 billion devices you have to work with,” said Kieran McCorry, director of technology programs at DXC. “It’s all the data generated from 21 billion devices. There are huge amounts of data that are almost orders of magnitude more than the number of devices that are out there producing that data. It’s a massive data-crunching problem.”

Taking such shortcomings into account, businesses can protect themselves to a certain extent by following best practices for IoT security. But if compliance isn’t 100% (which it won’t be) then, inevitably, attacks will occur and the industry will lose faith in IoT. That’s why security standards are imperative.

Who will set the standards?

Various government agencies already regulate some IoT devices. For instance, the FAA regulates drones and the National Highway Traffic Safety Administration regulates autonomous vehicles. The Department of Homeland Security is getting involved with IoT-based smart cities initiatives. The FDA also has oversight of IoT medical devices.

At the moment though, no government agency oversees the IoT used in smart factories or consumer-focused IoT devices for smart homes. In 2015, the Federal Trade Commission issued a report on IoT that included advice on best practices. In early 2017, the FTC also issued a “challenge” to the public to create a “tool that would address security vulnerabilities caused by out-of-date software in IoT devices” and offered a $25,000 prize for the winner.

Moyer said that while the government will regulate some aspects of IoT, he believes that only the industry can create a standard. He envisions two pathways to such a standard: either buyers will push for one and refuse to purchase items that don’t support a standard, or a dominant player or two will set a de facto standard through market dominance. “I don’t think it’s going to happen that way,” Moyer said, noting that no such player exists.

Instead of one or two standards, the industry has several right now and none appears to be edging toward dominance. Those include vendor-based standards and ones put forth by the IoT Security Foundation, the IEEE, the Trusted Computing Group, the IoT World Alliance and the Industrial Internet Consortium Security Working Group. All of those bodies are working on standards, protocols and best practices for securing IoT environments.

Ultimately what will change the market is buyers, who will begin demanding standards, Moyer said. “Standards get set for lots of reasons,” Moyer said. “Some are regulatory but a lot is because buyers say it’s important to me.”

Lacking standards, Woods sees several paths to improve IoT security. One is transparency in business models. “If you’re buying 1,000 fleet vehicles, one might be able to do over-the-air updates and the other we’d have to replace manually and it would take seven months,” Woods said. “It’s a different risk calculus.”

Another solution is to require manufacturers to assume liability for their devices. Woods said that’s currently the case for hardware devices, but it is often unclear who assumes liability for software malfunctions.

AI to the rescue?

A wildcard in this scenario is artificial intelligence. Proponents argue that machine learning can spot general usage patterns and alert the system when abnormalities occur. Bitdefender, for instance, looks at cloud server data from all endpoints and uses machine learning to identify abnormal or malicious behavior. Just as a credit card’s system might flag a $1,000 splurge in a foreign country as suspicious, an ML system might identify unusual behavior from a sensor or smart device. Because IoT devices are limited in function, it should be relatively easy to spot such abnormalities.

Since the use of machine learning for security is still new, defenders of this approach advocate using a security system that includes human intervention.
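The behavioral-baseline idea described above, as an added sketch that is not from the article and not Bitdefender's method: a simple statistical profile (known endpoints plus median/MAD on traffic volume) stands in for machine learning, and flagged events go to a queue for human review. The device names, hosts and flow records are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (device, destination, port, bytes_sent).
BASELINE_FLOWS = [
    ("thermostat-01", "telemetry.vendor.example", 8883, size)
    for size in (510, 498, 505, 520, 512, 495, 508, 502)
]

# Constructed traffic observed after the baseline was learned.
NEW_FLOWS = [
    ("thermostat-01", "telemetry.vendor.example", 8883, 515),    # normal report
    ("thermostat-01", "telemetry.vendor.example", 8883, 48000),  # volume spike
    ("thermostat-01", "198.51.100.23", 23, 507),                 # never-seen endpoint
    ("camera-07", "telemetry.vendor.example", 8883, 500),        # device never profiled
]


def build_profiles(flows):
    """Learn, per device, the endpoints it talks to and its usual message sizes."""
    profiles = defaultdict(lambda: {"endpoints": set(), "sizes": []})
    for device, dest, port, size in flows:
        profiles[device]["endpoints"].add((dest, port))
        profiles[device]["sizes"].append(size)
    return dict(profiles)


def robust_score(value, history):
    """Distance from the median in MAD units (scaled to resemble a z-score)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid division by zero
    return abs(value - med) / (1.4826 * mad)


def review_queue(profiles, flows, threshold=6.0):
    """Return (device, reasons) for every flow a human should look at."""
    alerts = []
    for device, dest, port, size in flows:
        profile = profiles.get(device)
        if profile is None:
            alerts.append((device, ["no baseline for device"]))
            continue
        reasons = []
        if (dest, port) not in profile["endpoints"]:
            reasons.append(f"new endpoint {dest}:{port}")
        if robust_score(size, profile["sizes"]) > threshold:
            reasons.append("unusual volume")
        if reasons:
            alerts.append((device, reasons))
    return alerts


if __name__ == "__main__":
    for device, reasons in review_queue(build_profiles(BASELINE_FLOWS), NEW_FLOWS):
        print(f"REVIEW {device}: {', '.join(reasons)}")
```

Because a single-purpose device has so few normal endpoints and message sizes, even this narrow profile separates the three abnormal flows from the routine report.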

The real solution: A combination of everything

While AI may play a bigger role in IoT security than initially thought, a comprehensive IoT solution will include a bit of everything, including government regulation, standards, and AI.

The industry is capable of creating such a solution, but the catch is that it needs to do it on a very accelerated timetable. At the moment, in the race between IoT security and IoT adoption, the latter is winning.

So what can companies do now to latch on to IoT without making security compromises? Moyer had a few suggestions:

  1. Take an integration approach. This is a case where more is better. Moyer said that companies using IoT should integrate management solutions and bring the IoT platform in for primary connectivity and data movement and pull that data into an analytics environment that’s more sophisticated and lets them do a behavioral analysis, which can be automated. “By integrating those components, you can be more confident that what you’ve got from a feed in an IoT environment is more statistically valid,” he said.
  2. Pick the right IoT devices. Those are devices that have a super-strong ecosystem and a set of partners that are being open about how they’re sharing information.
  3. Use IoT Gateways and Edge Devices. To mitigate against an overall lack of security, many companies are using IoT gateways and edge devices to segregate and provide layers of protection between insecure devices and the Internet.
  4. Get involved in creating standards. On a macro level, the best thing you can do to ensure IoT security over the long run is to get involved in setting standards both in your particular industry and in tech as a whole.

This article was produced by WIRED Brand Lab for DXC Technology.


A comprehensive guide for choosing and setting up secure Wi-Fi.

Your router, that box sitting in a corner of your house giving you internet access, is in many ways more important than your laptop or mobile phone. It might not store any of your personal information directly, but sensitive data passes through it every time you access various online services and can be stolen or manipulated if the router is hacked.

A compromised router can also serve as a platform for attacking other devices on your local networks, such as your phone or laptop, or for launching denial-of-service attacks against internet websites. This can get your IP address blacklisted and can slow down your internet speed.

Because it's exposed directly to the outside world, your router is frequently targeted by automated scans, probes, and exploits, even if you don't see those attacks. And compared to your laptop or phone, your router doesn't have an antivirus program or other security software to protect it.

Unfortunately, most routers are black boxes and users have little control over their software and configurations, especially when it comes to devices supplied by internet service providers to their customers. That said, there are certain actions that users can take to considerably decrease the likelihood of their routers falling victim to automated attacks.

Many of those actions are quite basic, but others require a bit of technical knowledge and some understanding of networking concepts. For less technical users, it might simply be easier to buy a security-focused router with automatic updates such as the Eero, Google OnHub, Norton Core, Bitdefender Box, or F-Secure Sense. The downside is that those routers are expensive, some require annual subscriptions for certain services, and their level of customization is very limited. Ultimately, their users need to trust the vendors to do the right thing.

If you don’t want to get one of those, or already have a router, follow along for a detailed, step-by-step guide on how to secure it.

Choosing a router

If you prefer getting a cheaper router or modem that you can tweak to your needs, avoid getting one from your ISP. Those devices are typically manufactured in bulk by companies in China and elsewhere and they come with customized firmware that the ISPs might not fully control. This means that security issues can take a very long time to fix and in some cases, they never get patched.

Some ISPs force users to use gateway devices they supply because they come pre-configured for remote assistance and there have been many cases when those remote management features have been poorly implemented, leaving devices open to hacking. Furthermore, users cannot disable remote access because they're often not given full administrative control over such devices.

Whether users can be forced to use a particular modem or router by their ISP varies from country to country. In the US, regulations by the Federal Communications Commission (FCC) are supposed to prevent this, but it can still happen. There are also more subtle device lock-ins where ISPs allow users to install their own devices, but certain services like VoIP will not work without an ISP-supplied device.

If your internet provider doesn't allow you to bring your own device onto its network, at least ask if their device can be configured in bridge mode and if you can install your own router behind it. Bridge mode disables routing functionality in favor of your own device. Also, ask if your ISP's device is remotely managed and if you can opt out and disable that service.

The market for home and small office routers is very diverse so choosing the right router will depend on budget, the space that needs to be covered by its wireless signal, the type of internet connection you have, and other desired features like USB ports for attached storage, etc. However, once you get your list down to a few candidates, it's important to choose a device from a manufacturer that takes security seriously.

Research the company’s security track record: How did it handle vulnerabilities being discovered in its products in the past? How quickly did it release patches? Does it have a dedicated contact for handling security reports? Does it have a vulnerability disclosure policy or does it run a bug bounty program? Use Google to search for terms like “[vendor name] router vulnerability” or “[vendor name] router exploit” and read past reports from security researchers about how they interacted with those companies. Look at the disclosure timelines in those reports to see how fast the companies developed and released patches after being notified of a vulnerability.

It's also important to determine, if possible, how long a device will continue to receive firmware updates after you buy it. With product life cycles becoming shorter and shorter across the industry, you might end up buying a product released two years ago that will reach end-of-support in one year or in several months. And that's not something you want with a router.

Unfortunately, router vendors rarely publish this information on their websites, so obtaining it might involve calling or emailing the company’s support department in your respective country, as there are region-specific device models or hardware revisions with different support periods. You can also look at the firmware update history of the router you intend to buy or of a router from the manufacturer’s same line of products, to get an idea of what update frequency you can expect from the company.

Choose a device that can also run open-source community-maintained firmware like OpenWrt/LEDE because it's always good to have options and these third-party projects excel at providing support for older devices that manufacturers no longer update. You can check the device support list of such firmware projects (OpenWrt, LEDE, DD-WRT, AdvancedTomato, Asuswrt-Merlin) to inform your buying decision.

Once you have a router, it's time to make a few important settings. Start by reading the manual to find out how to connect to the device and access its administration interface. This is usually done from a computer through a web browser.

Change the default admin password

Never leave your router with the default administrator password as this is one of the most common reasons for compromises. Attackers use botnets to scan the entire internet for exposed routers and try to authenticate with publicly known default credentials or with weak and easy-to-guess passwords. Choose a strong password and, if given the option, also change the username of the default administrative account.

Last year, a botnet called Mirai enslaved over 250,000 routers, IP cameras, and other Internet-of-Things devices by connecting to them over Telnet and SSH with default or weak administrative credentials. The botnet was then used to launch some of the largest DDoS attacks ever recorded. More recently, a Mirai clone infected over 100,000 DSL modems in Argentina and other countries.

Secure the administrative interface

Many routers allow users to expose the admin interface to the internet for remote administration and some older devices even have it configured this way by default. This is a very bad idea even if the admin password is changed because many of the vulnerabilities found in routers are located in their web-based management interfaces.

If you need remote administration for your router, read up on how to set up a virtual private network (VPN) server to securely connect into your local network from the internet and then perform management tasks through that connection. Your router might even have the option to act as a VPN server, but unless you understand how to configure VPNs, turning on that feature might be risky and could expose your network to additional attacks.

It's also a common misconception that if a router's administrative interface is not exposed to the internet, the device is safe. For a number of years now, attackers have been launching attacks against routers through cross-site request forgery (CSRF) techniques. Those attacks hijack users' browsers when visiting malicious or compromised websites and force them to send unauthorized requests to routers through local network connections.

In 2015, a researcher known as Kafeine detected a large-scale CSRF attack launched through malicious advertisements placed on legitimate websites. The attack code was capable of targeting over 40 different router models from various manufacturers and attempted to change their Domain Name System (DNS) settings through command injection exploits or through default administrative credentials.

By replacing the DNS servers configured on routers with rogue servers under their control, attackers can direct users to fake versions of the websites they are trying to visit. This is a powerful attack because there's no indication in the browser address bar that something is amiss unless the website uses the secure HTTPS protocol. Even then, attackers can use techniques such as TLS/SSL stripping and many users might not notice that the green padlock is missing. In 2014, DNS hijacking attacks through compromised home routers were used to phish online banking credentials from users in Poland and Brazil.

CSRF attacks usually try to locate routers over the local area network at common IP addresses like 192.168.0.1 or 192.168.1.1 that manufacturers configure by default. However, users can change the local IP address of their routers to something else, for example, 192.168.33.1 or even 192.168.33.22. There's no technical reason why the router should have the first address in an IP netblock and this simple change can stop many automated CSRF attacks in their tracks.

There are some other techniques that attackers could combine with CSRF to discover the LAN IP address of a router, even when it’s not the default one. However, some routers allow restricting access to their administrative interfaces by IP address.

If this option is available, you can configure the allowed IP address to be different than those automatically assigned by the router to your devices via the Dynamic Host Configuration Protocol (DHCP). For example, configure your DHCP address pool to be from 192.168.33.50 to 192.168.33.100, but specify 192.168.33.101 as the IP address allowed to access the router's administrative interface.

This address will never be automatically assigned to a device, but you can manually configure your computer to temporarily use it whenever you need to make changes to your router's settings. After the changes are done, set your computer to automatically obtain an IP address via DHCP again.
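The address plan described above can be checked before you type it into the router. The following is an added example, not part of the original article; the function name `check_lan_plan` and the /24 network are assumptions, and the sample values are the ones used in the text.

```python
import ipaddress

# Addresses the guide names as common defaults that automated CSRF attacks try.
COMMON_DEFAULTS = {"192.168.0.1", "192.168.1.1"}

def check_lan_plan(network, router_ip, dhcp_start, dhcp_end, admin_ip):
    """Return a list of problems with a LAN address plan (empty list = passes)."""
    net = ipaddress.ip_network(network)
    router = ipaddress.ip_address(router_ip)
    admin = ipaddress.ip_address(admin_ip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    problems = []
    if str(router) in COMMON_DEFAULTS:
        problems.append(f"router uses common default address {router}")
    if start > end:
        problems.append("DHCP pool start is above its end")
    for name, addr in (("router", router), ("DHCP start", start),
                       ("DHCP end", end), ("admin", admin)):
        if addr not in net:
            problems.append(f"{name} address {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address {addr} is not a usable host address")
    # The admin address must never be handed out automatically.
    if start <= admin <= end:
        problems.append(f"admin address {admin} can be leased by DHCP")
    if admin == router:
        problems.append("admin address is the router's own address")
    if start <= router <= end:
        problems.append(f"router address {router} is inside the DHCP pool")
    return problems

if __name__ == "__main__":
    # The plan from the text: pool .50-.100, admin access only from .101.
    issues = check_lan_plan("192.168.33.0/24", "192.168.33.1",
                            "192.168.33.50", "192.168.33.100", "192.168.33.101")
    print(issues or "address plan passes all checks")
```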

Also, if possible, configure the router interface to use HTTPS and always access it from a private/incognito browser window, so that no authenticated session that could be abused via CSRF remains active in the browser. Don’t allow the browser to save the username and password either.

Shut down risky services

Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, any service that’s not used should be disabled to reduce the attack surface.

Over the years, security researchers have found many undocumented "backdoor" accounts in routers that were accessible over Telnet or SSH and which provided full control over those devices. Since there's no way for a regular user to determine if such accounts exist in a router or not, disabling these services is the best course of action.

Another problematic service is Universal Plug and Play (UPnP), which allows devices to discover each other on networks and share their configurations so they can automatically set up services like data sharing and media streaming.

Many UPnP vulnerabilities have been found in home routers over the years, enabling attacks that ranged from sensitive information exposure to remote code execution leading to full compromise.

A router's UPnP service should never be exposed to the internet and, unless absolutely needed, it shouldn't be enabled on the local area network either. There's no simple way to tell if a router's UPnP implementation is vulnerable and the service can be used by other network devices to automatically punch holes through the router's firewall. That's how many IP cameras, baby monitors, and network-attached storage boxes become accessible on the internet without their owners knowing.

Other services that have been plagued by vulnerabilities and should be disabled include the Simple Network Management Protocol (SNMP), the Home Network Administration Protocol (HNAP) and the Customer Premises Equipment WAN Management Protocol (CWMP), also known as TR-069.

SNMP is mostly used in corporate environments, so many home routers don't have the feature, but some do, especially those supplied by ISPs. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices and in April, two researchers found a weakness in the SNMP implementation of 78 cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link, and Thomson. That flaw could have allowed attackers to extract sensitive information such as administrative credentials and Wi-Fi passwords from devices and to modify their configurations.

HNAP is a proprietary administration protocol that's only found in devices from certain vendors. In 2010, a group of researchers found vulnerabilities in the HNAP implementation of some D-Link routers and in 2014 a worm called The Moon used information leaked through HNAP to target and infect Linksys routers by exploiting an authentication bypass vulnerability.

CWMP, or TR-069, is a remote management protocol used by ISPs, and flawed implementations were exploited by Mirai last year to infect or crash DSL modems from ISPs in Ireland, the U.K., and Germany. Unfortunately, there's usually no way for users to disable TR-069, which is another reason to avoid ISP-supplied devices.

One thing's certain: Attackers are increasingly attacking routers from inside local area networks, using infected computers or mobile devices as a launchpad. Over the past year researchers have found both Windows and Android malware programs in the wild that were designed specifically to hack into routers over local area networks. This is useful for attackers because infected laptops and phones will be connected by their owners to different networks, reaching routers that wouldn’t otherwise be exposed to attacks over the internet.

Security firm McAfee also found an online banking trojan dubbed Pinkslipbot that transforms infected computers into web proxy servers accessible from the internet by using UPnP to automatically request port forwarding from routers.

The Vault7 documents published by WikiLeaks this year describe a set of tools supposedly used by the US Central Intelligence Agency to hack into routers and replace their firmware with one designed to spy on traffic. The toolset includes an exploit named Tomato that can extract a router's administrative password through UPnP from inside the local area network, as well as custom firmware dubbed CherryBlossom that reportedly works on consumer and small business routers from 10 manufacturers.

Unfortunately, when building devices, many manufacturers don't include local area network attacks in their threat model and leave various administration and debugging ports exposed on the LAN interface. So it's often up to users to determine what services are running and to close them, where possible.

Users can scan their routers from inside their local networks to identify open ports and protocols using various tools, a popular one being Nmap with its graphical user interface called Zenmap. Scanning a router from outside the LAN is more problematic because port scanning on the internet might have legal implications depending on jurisdiction. It's not recommended to do this from your own computer, but you can use a third-party online service like ShieldsUP or Pentest-Tools.com to do it on your behalf.
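For a quick check of your own router from inside the LAN, without installing a scanner, the added example below (not part of the original article) tries a TCP connection to the services this guide says to disable. The port numbers are the usual defaults and are assumptions about your device. It does not cover UDP services such as SNMP and UPnP discovery, which still need a tool like Nmap.

```python
import socket
import sys

# TCP ports for services discussed in this guide. These are typical defaults;
# a vendor may use different ports, so a clean result is not proof of absence.
RISKY_TCP_PORTS = {
    22: "SSH",
    23: "Telnet",
    80: "web admin over HTTP (HNAP is typically served here too)",
    443: "web admin over HTTPS",
    7547: "CWMP / TR-069",
    8080: "alternate web admin port",
}

def audit_router(host, ports=RISKY_TCP_PORTS, timeout=1.0):
    """Return {port: service} for each listed TCP port that accepts a connection."""
    found = {}
    for port, service in sorted(ports.items()):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found[port] = service
        except OSError:
            # Refused, filtered or timed out: not reachable from this machine.
            continue
    return found

def report(host, found):
    """Format the audit result as text for the user to review."""
    if not found:
        return f"{host}: none of the checked TCP services are reachable"
    lines = [f"{host}: reachable services to review"]
    lines += [f"  {port}/tcp  {service}" for port, service in found.items()]
    return "\n".join(lines)

if __name__ == "__main__":
    # Pass your own router's LAN address; 192.168.33.1 is the example
    # address used earlier in this guide.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.33.1"
    print(report(target, audit_router(target)))
```

Anything listed other than the HTTPS admin interface is a candidate for disabling in the router's settings.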

Secure your Wi-Fi network

When setting up your Wi-Fi network, choose a long, hard-to-guess passphrase, also known as a Pre-shared Key (PSK)—consider a minimum of 12 alphanumeric characters and special symbols—and always use the WPA2 (Wi-Fi Protected Access II) security protocol. WPA and WEP are not safe and should never be used.

Disable Wi-Fi Protected Setup (WPS), a feature that allows connecting devices to the network by using a PIN printed on a sticker or by pushing a physical button on the router. Some vendors' WPS implementations are vulnerable to brute-force attacks and it's not easy to determine which ones.

Some routers offer the option to set up a guest wireless network that's isolated from the rest of your LAN, and you can use it to let friends and other visitors use your internet connection without sharing your main Wi-Fi password. Those guests might not have malicious intentions, but their devices might be infected with malware, so it's not a good idea to give them access to your whole network. Since their devices can also be used to attack the router, it's probably best not to let them use your internet connection at all, guest network or not, but that might not be an easy thing to explain to them.

Update your router's firmware

Very few routers have fully automatic update capabilities, but some do provide manual update checking mechanisms in their interfaces or email-based notifications for update availability. Unfortunately, these features might stop working over time as manufacturers make changes to their servers and URLs without taking old models into consideration. Therefore, it’s also good to periodically check the manufacturer's support website for updates.

Some more advanced stuff

If you disable UPnP but want a service that runs inside the LAN to be accessible from the internet—say an FTPS (FTP Secure) server running on your home computer—you will need to manually set up a port forwarding rule for it in the router's configuration. If you do this, you should strongly consider restricting which external IP addresses are allowed to connect to that service, as most routers allow defining an IP address range for port forwarding rules. Also, consider the risks of making those services available externally, especially if they don’t encrypt traffic.

If you don't use it for guests, the router's guest wireless network can be used to isolate internet-of-things devices on your LAN. Many IoT devices are managed through mobile apps via cloud-based services so they don't need to talk directly to your phone over the local network beyond initial setup.

Doing this protects your computers from the often vulnerable IoT devices and your IoT devices from your computers, in case they become infected. Of course, if you decide to use the guest wireless network for this purpose, change its password and stop sharing it with other people.

Similar network segmentation can be achieved through VLANs (virtual local area networks), but this feature is not commonly available in consumer routers unless those devices run third-party firmware like OpenWRT/LEDE, DD-WRT or AdvancedTomato. These community-built Linux-based operating systems for routers unlock advanced networking features and using them might actually improve security, because their developers tend to patch vulnerabilities quicker than router vendors.

However, flashing custom firmware on a router will typically void its warranty and, if not done properly, might leave the device in an unusable state. Don't attempt this unless you have the technical knowledge to do it and fully understand the risks involved.

Following the recommendations in this guide will significantly lower the chances of your router falling victim to automatic attacks and being enslaved in a botnet that launches the next internet-breaking DDoS attack. However, if a sophisticated hacker with advanced reverse-engineering skills decides to specifically target you, there’s very little you can do to prevent them from eventually breaking into your home router, regardless of what settings you made. But why make it easy for them, right?

 Source: This article was published motherboard.vice.com By Jacob Holcomb
