Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect


September 28, 2021

Good morning, everyone!

This week’s critical vulnerabilities:
  • VMware released 19 fixes for critical vulnerabilities, some of which are being actively exploited.
  • Apple released fixes for 3 vulnerabilities in macOS Catalina and iOS 12.5.5 that are currently being exploited.
  • SAP has released critical fixes

Patch All the Things!

Cyber crime continues to explode during the current pandemic, and working from home is a major reason why. A recent security audit at NASA found that “the pandemic and work from home have greatly increased the cyber attack surface and attack attempts.” So let’s talk about just one aspect of improving security in your home office this week:

Securing your wireless router

(1) Change the default admin password

I’ve talked about this before. Whenever you buy a new device, whether it’s a wireless router or a smart camera or a “connected” appliance, whatever, the first thing you want to do is change the default password. Most botnets start searching for new victims by looking for devices that are using the (known) default passwords. You can find the default password on a sticker on the device, or on a card in the box, or you may have to look it up on the manufacturer's website.

(2) Enable WPA2 encryption & disable WPS

Remember, encryption is your friend! Without encryption, anyone with a laptop and $30 worth of electronics can eavesdrop on your Internet connection.

WPA2 is the most secure standard currently available. WPS has a major security flaw that cannot be fixed.

(3) Set a strong password (security key) for connecting devices

Longer is better: think pass phrases, not passwords. You don’t want your (crazy) neighbor riding your connection!
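To make steps (2) and (3) concrete, here is an added illustration (not code from the newsletter or from any router vendor) of what the security key actually becomes and why length matters. WPA2-PSK derives the 256-bit pre-shared key from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), so anyone who can guess the passphrase can reproduce the key; the guess-rate figure in the comparison is an assumed placeholder, not a measured number.

```python
import hashlib
from typing import Dict

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 pre-shared key exactly as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def expected_guess_years(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to hit the right passphrase: on average half the
    keyspace has to be tried before the correct one turns up."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare_key_styles(guesses_per_second: float = 1e6) -> Dict[str, float]:
    """Contrast an 8-character random key with a multi-word passphrase.
    guesses_per_second is an assumed illustrative rate, not a benchmark."""
    eight_chars = 62 ** 8          # letters and digits, 8 positions
    four_words = 7776 ** 4         # four words from a 7776-word list
    five_words = 7776 ** 5         # five words from the same list
    return {
        "8-char": expected_guess_years(eight_chars, guesses_per_second),
        "4-word": expected_guess_years(four_words, guesses_per_second),
        "5-word": expected_guess_years(five_words, guesses_per_second),
    }


def ssid_matters(passphrase: str) -> bool:
    """Same passphrase on two SSIDs yields two different keys, which is why
    renaming the network away from a vendor default is worthwhile too."""
    return wpa2_psk(passphrase, "HomeNet-A") != wpa2_psk(passphrase, "HomeNet-B")


if __name__ == "__main__":
    # IEEE 802.11i published test vector: passphrase "password", SSID "IEEE"
    print(wpa2_psk("password", "IEEE").hex())
    for style, years in compare_key_styles().items():
        print(f"{style:>7}: about {years:,.0f} years at the assumed rate")
```

The derivation is deliberately slow (4096 HMAC rounds) to make guessing costly, but that cost is linear; every extra word multiplies the keyspace, which is the point of "think pass phrases, not passwords".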

(4) Disable remote management over the Internet

Most devices will have a checkbox somewhere in the settings with some variation of “remote administration” on its label. Disable this option (or enable “block remote administration” if that’s your label). Without remote administration, your device can only be configured by a computer on your home network, not from the Internet at large.

(5) Log out after configuring the router

In fact, get in the habit of ALWAYS logging out of anything, including websites, when you are done for the moment. Think of it like a light switch – walk into a room, turn on the light, walk out the door, flip it off. Log into websites to do stuff, then log out when you are through. If you just close the browser window without logging out of the site, you are leaving open an authenticated session. So why does that matter? Session hijacking:

an attack where a user session is taken over by an attacker. A session starts when you log into a service, for example your banking application, and ends when you log out. The attack relies on the attacker’s knowledge of your session cookie, so it is also called cookie hijacking or cookie side-jacking. Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications.
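The reason step (5) matters is visible in how a web session is tracked on the server. The following added example (constructed for this newsletter, not code from any product) models a minimal server-side session store: logging in issues a random cookie value, closing the browser does nothing to the server's copy, logging out revokes it, and an idle timeout limits how long a forgotten session stays usable. The 15-minute timeout and the user names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed server-side idle limit


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """In-memory session table; a real service would use a database or cache,
    but the lifecycle rules below are the same."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # 256-bit random token; from now on this cookie value is the only
        # thing tying a request to the login, which is why stealing it suffices.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._clock())
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the logged-in user for a cookie, or None if it is not valid."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]      # expire a session nobody used
            return None
        session.last_seen = self._clock()
        return session.user

    def logout(self, token: str) -> None:
        # Explicit logout is the only client action that removes the server copy.
        self._sessions.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Cookie attributes that limit side-jacking: Secure keeps it off plaintext
    HTTP, HttpOnly keeps it away from page scripts, SameSite limits cross-site use."""
    return f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo() -> Tuple[bool, Optional[str], Optional[str]]:
    """Walk through the three cases the newsletter describes using a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])

    # Case 1: browser window closed without logging out; the server still
    # accepts the cookie, so anyone holding it is still "you".
    token = store.login("alice")
    still_valid_after_close = store.user_for(token) == "alice"

    # Case 2: explicit logout revokes the session server-side.
    store.logout(token)
    after_logout = store.user_for(token)

    # Case 3: a session left idle past the timeout is dropped automatically.
    token2 = store.login("bob")
    now[0] += IDLE_TIMEOUT_SECONDS + 1
    after_idle = store.user_for(token2)

    return still_valid_after_close, after_logout, after_idle


if __name__ == "__main__":
    print(demo())   # expected: (True, None, None)
    print(session_cookie_header("example-token"))
```

Case 1 is the gap the newsletter warns about: the browser forgetting the cookie and the server forgetting the session are two different events, and only logout (or a timeout the operator configured) triggers the second.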

(6) Register it with the manufacturer

I know it’s old school, and most people don’t think to register their products because warranties don’t mean that much these days, but there is one other good reason to register your product: if a security flaw is found, the manufacturer can notify you. For example, in the case of Mirai’s massive DDoS attacks in 2016, many of the cameras used were from a single manufacturer, and exploited a vulnerability in the firmware. The manufacturer released a firmware upgrade for the newer cameras, and offered free replacements for older cameras that couldn’t be upgraded. Many people were completely unaware of the situation, however, and the manufacturer had no way of knowing who had purchased their products. Accordingly, many of those compromised devices remained in use by botnets until they died and were replaced.

This is of course only one aspect of securing your home network. Using network segmentation is also an important piece. And there are more things I can add to the discussion … another time!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com


The Net Effect is a CMMC-AB Registered Provider Organization (RPO)

Copyright 1996-2022 The Net Effect, L.L.C. All rights reserved.