Use guest networks to secure IoT “smart” devices

A neighbor asked me about a recommendation Steve Gibson and Leo Laporte made a couple of weeks ago about securing your IoT household “smart” devices, like doorbells, thermostats, televisions, and anything else that wasn’t traditionally computerized, by putting it on a guest network.

The short answer is yes, it’s something you should do. It doesn’t make them perfectly safe, but it’s the best you can do, so you should. But I would do it a bit differently from Gibson–I think the ideal setup has two guest networks.


Listen to this if you think a router makes you invincible

One myth that I hear over and over is that having a router on your Internet connection makes you invisible, and makes you somehow invincible. I even heard someone say recently that if you have a router/firewall, you don’t need to run antivirus software.

Security researcher HD Moore appeared last week on Risky Business and he talked about ways that entire classes of routers can be compromised. Give it a listen.

Steve Gibson on Truecrypt

Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.

The important thing to remember right now is that we still don’t know what’s going on.

Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.

That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.

So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.

Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. It’s called Veracrypt. But going open source doesn’t guarantee people will work on it.

Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.

Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.

Long passwords aren’t necessarily good passwords

Well, crud. Not all long passwords are good passwords.

I’ve suspected for a long time that street addresses aren’t good to use–the formula is too simple–but now it seems that even mashing together a sentence into a long password doesn’t work. (That isn’t something I do often, but I’ve done it at least once or twice.)

Ways to keep your password from being guessed–today

Articles like Ars Technica’s Why passwords have never been weaker — and crackers have never been stronger are getting more and more common these days.

In a positive development, I don’t think the story had been live more than an hour or two before people started asking me questions. That’s good, because that tells me that people care.

Spinrite 6: An overdue review

Spinrite 5 is an old friend. It got me out of some jams in the late ’90s, but as new versions of Windows that defaulted to NTFS came into my life, Spinrite 5 ceased being an option, since it only worked on FAT-formatted drives.

I’ve had occasion now to use Spinrite 6, its successor, which still runs under old-fashioned MS-DOS but now understands a multitude of filesystems. Other than that, it hasn’t changed much: It’s an obsessively thorough repair and maintenance tool for hard drives.

SSDs will eventually make Spinrite unnecessary, but there are still a lot more conventional hard drives being shipped each year than SSDs.

Defrag scareware

This isn’t exactly news, as word has been going around for a couple of weeks, but if you haven’t heard about it elsewhere, there are some fake defragmenters going around.

I heard mention of it today, and it reminded me that I saw one last week when I was working on my mother-in-law’s computer. This was especially obnoxious, considering that at the time, I was running Firefox and I was visiting a mainstream site.

So there are a couple of things you need to keep in mind.

DNS and iTunes and other streaming media

There are reports floating about regarding third-party DNS affecting downloads of movies and other media, particularly from iTunes.

So, if tweaking DNS settings used to be what all the cool kids were doing, maybe it’s about to become less trendy, thanks to advice circulating to ditch third-party, centralized DNS providers like Google and OpenDNS, because they “defeat the distributed nature of DNS itself.”

The answer of what DNS to use and why is more complex than that.

The solution to paper passwords

I know your passwords are either written down or insecure. I know it just as surely as I know New Year’s Day is January 1.

I know because passwords have to be incredibly complex to be secure, and I know because the typical person has to juggle half a dozen of them, or more. Think about it. Your work account. Amazon. Ebay. Paypal. Facebook. Your bank. Your personal e-mail. Your credit card. Your online billpay service.

I know you’re not going to memorize a half dozen gibberish passwords that look like 5E%c2.3730pK$0/.

So you have them written down somewhere, which is OK, or you have them all set to the same thing (hopefully not “popcorn”), which isn’t OK. Even if you’re using 5E%c2.3730pK$0/ as your password.

A secured piece of paper works fine until you lose it, or you’re out somewhere and don’t have it.

The solution is a product called Lastpass. Software legend Steve Gibson talked about it at great length at http://www.grc.com/sn/sn-256.htm.

Basically it’s a program, which can run standalone or as a browser plug-in, that stores passwords securely. It mathematically slices and dices the data so that all that’s stored on LastPass’ servers is undecodable gibberish, but, given your e-mail address, your password, and a printable grid you can keep in your wallet, you can decode your password database from any computer, anywhere you happen to be.

There’s a lot of nasty math involved in cryptography, and I won’t pretend it’s my best subject. Gibson goes a lot further into the details than I want to get into. As someone who knows enough about cryptography to get CompTIA Security+ certification, and someone who’s read the official CISSP book chapter on cryptography twice, it sounds good to me.

An additional feature is the ability to store things you need rarely, but when you need them, you need them desperately. Things like your credit card numbers, driver’s license number, and your kids’ social security numbers.

There’s a free version of Lastpass, and a premium version that works on mobile phones and mobile software like Portable Firefox, which costs $12 per year.

The free version runs on Windows, Mac OS X, and Linux, which covers more than 99% of the computers out there today. And it runs in every major browser.

When you go to run Lastpass, it will import your stored passwords from your web browser(s). And it will give you a rating, based on how secure your passwords are and how often you re-use them. It will generate secure, random gibberish passwords for you and help you visit sites and change your passwords. Along the way it grades you, helping you to increase your security.

It can synchronize too. So if something happens and I have to change my Amazon password and I’m at work, my wife gets the changes, so if she needs to get into Amazon, she doesn’t have to do anything different.

It makes good security an awful lot less painful. I can pretty much say, without reservation, knowing nothing about you except that you use a computer, that you need this.