Securing my home network, #DoIEvenBother


When I get back home after a long day at work, it’s dark, and my mind often wanders into thoughts of how secure (physically) my home actually is. As I unlock the front gate, then the flyscreen door, then the actual front door (3 locks), I grin as I consider how easy it is for someone to simply break a window to get in, or jimmy the flimsy sliding-door locks on the side of the house. I suppose it’s more of a deterrent than anything else. Why do I concern myself with these things? Well, I’ve had my prized possessions stolen before. My mountain bikes mean the world to me, and the scum-of-the-earth bike thieves took them. Absolute scum.

As I open my door, it’s nice to see that my TV is still hanging on the wall, and everything is as I left it. I suspect this is a thought that goes through the minds of a lot of people. Did I remember to lock the front door? Who REALLY cares if you didn’t? (Well, to start off with, without any signs of forced entry, it’s unlikely your insurance company will replace that TV!) If you were confident you left it unlocked, chances are you’d turn around, even if it meant being late to that important meeting, and lock up. Why do we give so much credence to physical security, yet the majority of us don’t even bat an eyelid in regards to our meta-physical security, our data… (which I know technically isn’t meta-physical, it just sounds so cool I had to say it…)

“Home network security is something that we tend to overlook, and I suspect the primary reason is that we don’t value its contents to the same extent as our physical world.”

Let’s take the worst-case scenario and assume your home network gets 100% pwned. What will you lose? Let’s follow Doctor Angela Ziegler as an example. Doctor Ziegler is a medical scientist conducting some ground-breaking research at the state-of-the-art facilities at work. She works long hours and tends to bring work home with her on her work-issued laptop. At home, she enjoys watching live gaming streams of Overwatch on Twitch, and the occasional episode of the (legitimately downloaded) TV show “Where Are My Pants?”.

At home, she has a NAS drive she purchased from her local Target, containing precious photos of her colleagues (some who have passed away, others who suffered a worse fate), as well as some auxiliary research papers. Connected appliances such as her cloud-controlled air conditioner and her Lucky-Goldstar (LG) Internet-connected refrigerator also form part of her network, along with all the latest-generation gaming consoles.
Back at the office, we trust that all her research is secured by the security team, but what about back home?
Who set up the network at home? Were there any thoughts towards security during its design? Was it even designed, or did she just use the default Huawei modem/router supplied by her ISP?


What are the risks here? What does Dr. Ziegler have to lose? If your thoughts jumped to the NAS drive, with the photos and research, you would be partially correct. This is indeed the most obvious concern: if this data were lost, would it be replaceable? A TV at home is easy to replace (in fact, you would probably upgrade), but the photos are gone. What dollar value would Dr. Ziegler place on these? If you could buy back your own photos after losing them, how much would you pay? Especially if they contain photos of friends and family who are no longer with us… Think ransomware. Apart from the personal effects, what about the auxiliary research documents? What value do they have for Dr. Ziegler, and for the organisation funding her research? What if these got into the hands of a competitor? (Talon)

If you are thinking that those documents should be stored on the servers back at the office… yeah, that’s fair… in best practice. However, as humans, we are often the weakest part of any network. We are lazy, and take shortcuts when available. It’s far quicker for Dr. Ziegler to have these files locally when she works from home, rather than VPN into the office using that annoying 2-factor authentication the security team back at the office implemented… Where did she leave that key fob anyway?

On that note, she doesn’t only use her work-issued laptop for research either. She sometimes uses her personal desktop (gaming rig) to crunch some numbers. After all, it’s far more powerful. This is the same machine she uses to watch twitch.tv streams and browse the Internet. What security does she have on this machine? Surprisingly, the common answer here is “none”.

We have barely scraped the surface though. Remember those connected appliances? It wasn’t long ago that a vulnerability in Miele dishwashers was discovered (Article Here), allowing an attacker root access to them. So what? I hear you cry. What’s the attacker going to do? Clean my dishes?

Fair response, I suppose. I guess it would be possible to control different aspects of the machine itself, but that’s not the likely goal for an attacker (although I can think of a few funny pranks to do). They could use your machine as part of a botnet, to be used for an attack on an external party (such as DDoS’ing Blizzard’s servers), or they could use it to move laterally through your network, i.e. once they have control of your dishwasher, they can attack your NAS drive. This same concept applies to all devices on your network.

The good news is, it’s not that hard to follow some security best practices at home. Simple things go a surprisingly long way: changing the default passwords on your devices and NAS, setting up Wi-Fi with a strong password and appropriate encryption, segregating work from play by not using the same machines, and ensuring that a sufficient endpoint solution (anti-virus, anti-malware etc.) is present on ALL your machines. Above all, back up your important documents! Not just on a NAS locally, but offsite too. There are many cloud-based backup solutions that could be used for photos and private material… BUT NOT FOR SENSITIVE WORK CONTENT!

I will address Doctor Ziegler’s not-so-unique situation in a later post, detailing a potential solution. The first step, however, is identifying the risk. So the next time you return home and follow your own unlocking routine, maybe have a think about what it is that you’re securing, and more importantly, what you’re not!


Ronen

Written by Ronen Meshel
You can read more about Ronen on his website: ronen.it/

Paessler AG – PRTG: Cloud Monitoring has never been this simple

With its incredible elasticity and complexity, cloud computing is proving to be an organizational challenge, not only on the adoption level but also from a system monitoring perspective as well.

Organizational IT today seems to be “cloud provider agnostic”. It is an enterprise commonplace to see SaaS components provided by one cloud provider and IaaS provided by another. Moreover, while shifting towards the cloud, many organizations have not relinquished their traditional data-centre infrastructure. In general, the overall organizational IT model is “hybrid”.

In such a model, monitoring becomes a massive challenge because you need a different monitoring system for each of the model’s heterogeneous components. You need “CloudWatch” to monitor your AWS instances and “Azure Monitor” for monitoring Microsoft Azure resources, as well as a monitoring system for your traditional data-centre systems. This is challenging because administrators will need to learn, master and monitor each of these monitoring systems separately. Wouldn’t it make more sense to amalgamate all these systems into one central and well-crafted system?

Paessler AG has catered for this need through its PRTG solution. PRTG is “spot-on” for monitoring a hybrid cloud infrastructure. This solution is the result of nineteen years of effort and experience in the NPMD industry. Pre-customized for many different cloud services, it brings together all your organization’s monitoring needs into one central platform. PRTG is feature rich, versatile and portable to the extent that you can install it on your smartphone. Furthermore, PRTG will notify IT admins if, and only if, a threshold value is exceeded. This means the elimination of daily email notifications that only let you know everything is OK, unless, of course, you opt for this feature.

PRTG creates a structure for modern enterprise monitoring. It brings order from amidst the chaos of today’s Hybrid IT. This awesome solution empowers you to turn your cloud monitoring process into a systematic practice.

Paessler AG – PRTG adds value to your business by helping you reap the cost benefits of your cloud strategy. This is because the main argument for many cloud services is cost savings. These savings can quickly erode without a capable monitoring solution that provides unprecedented visibility and pinpoints potential issues in no time.

Red Education has proudly become Paessler’s first official training partner in the Asia-Pacific region. With its ability to deliver courses all over this region, besides its long reputation for customer-focused excellence, Red Education is pleased to announce the delivery of its first Paessler PRTG training course on Monday the 24th of October 2016. The course’s official name is “Paessler AG – PRTG: How to install, configure and monitor”. It is available for registration here.


By: Wasfi Bounni
Senior Instructor/Consultant at Red Education

Happy Friday!

To ring in the weekend on this glorious Friday, here is a good way to spend 8 minutes.

Enjoy the smooth words from the Palo Alto Networks Ignite Speech for 2016.


Palo Alto Networks SSL Interception and Google Chrome’s QUIC

SSL interception on Palo Alto Networks (PAN) devices can be super powerful and is often considered a must if you’re not content with just seeing “SSL” come up as the application. Leaving this SSL traffic unintercepted means we can no longer scan it for things like viruses, spyware, or even file content we might not be content with letting out of (or into) our network (double “content” intended, now known as 2CON).

As you are probably aware, SSL interception requires a signing CA to be imported (or generated) to be used as the Forward-Trust certificate on the PAN device. Do NOT use the same certificate as the Forward-Untrust, as you will then be issuing valid certificates to clients for sites that have untrusted issuers themselves. Once this is ready to go, you will need to import it into every client that will be intercepted. Without this CA on workstations, users will be constantly prompted on every HTTPS site they visit, as the certs issued are from an unknown issuer. Fair enough.

Google’s Chrome is a little interesting in this regard. More than just “best practice”, you really do not want your users to get used to adding exceptions for sites. Chrome takes it a step further, basically stopping you entirely from accessing Google apps and sites if Chrome sees a non-trusted certificate. There is no option for adding an exception and continuing. You just… stop.

Google Error: Your connection is not private

Here you can see the reason for the error is CERT_COMMON_NAME_INVALID, hinting at a different issue, not an untrusted issuer!


Thankfully, doing the right thing and importing the CA into your OS fixes this (Chrome uses the same certificate store as Windows/IE/Edge). An even better approach, if your clients are all on the domain, is to use a CA that has been issued by the domain’s CA. That way, thanks to the chain of trust, they already trust the issuer. Happy days (unless you’re a Firefox user, as it uses a different cert store).

You would be forgiven for thinking at this point that everything is hunky-dory. The issue is this semi-awesome thing called QUIC. You can read the wiki article about it here, but essentially, some of the folks at Google have been working on an experimental way to improve the perceived perception of the performance of HTTPS sites. Perceived perception… Anyway, QUIC uses multiplexed UDP connections to handle the equivalent of SSL/TLS negotiations. PAN detects this as an application, and you can block it if you like. The issue we have here is that our SSL interception won’t be triggered. We will see the QUIC protocol taking effect, then SSL traffic. We can’t generate a cert for the site in question as we don’t see the original cert being transferred. What this leads to is no interception of any site that has QUIC enabled, assuming clients are using Chrome and it’s in its default state.

The good news is most servers/sites aren’t very quick on their uptake of QUIC (2QUIC). As of today (May 12, 2016), www.google.com for example does NOT utilise QUIC, but YouTube does! This affects Chrome on Windows, Mac, Linux, Chrome OS, and Android. I have long defected from iOS and the Apple ecosystem, so you would need to test Chrome on an iOS device to confirm if it behaves in the same way.
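To make the difference concrete, here is an added example (my code, not from the original post or from Palo Alto Networks) that classifies port-443 payloads as either a gQUIC client hello or a TLS ClientHello, using the 2016 gQUIC public-header layout (flags byte, optional 8-byte connection ID, ASCII version tag such as Q034); the sample packets are constructed, not captured. A QUIC flow carries no TLS record at all, which is why the firewall has no certificate to re-sign.

```python
"""Classify port-443 payloads as gQUIC client hello vs. TLS ClientHello.

Added example (not from the original post). gQUIC (2016 Chrome) begins with a
public-flags byte, an optional 8-byte connection ID and an ASCII version tag
like b"Q034"; its hello is a CHLO tag inside the payload, with no TLS record
for a forward proxy to hook.
"""
GQUIC_FLAG_VERSION = 0x01  # version tag present (set on client hellos)
GQUIC_FLAG_CID = 0x08      # 8-byte connection ID present

def parse_gquic_header(pkt: bytes):
    """Return {cid, version, chlo} if pkt looks like a gQUIC public header, else None."""
    if not pkt:
        return None
    flags, off, cid = pkt[0], 1, None
    if flags & GQUIC_FLAG_CID:
        if len(pkt) < off + 8:
            return None
        cid = pkt[off:off + 8].hex()
        off += 8
    if not flags & GQUIC_FLAG_VERSION or len(pkt) < off + 4:
        return None  # no version tag: cannot confirm it is QUIC
    version = pkt[off:off + 4]
    # gQUIC versions are ASCII "Q" followed by three digits, e.g. Q034
    if version[:1] != b"Q" or not version[1:].isdigit():
        return None
    return {"cid": cid, "version": version.decode("ascii"),
            "chlo": b"CHLO" in pkt[off + 4:]}

def is_tls_client_hello(pkt: bytes) -> bool:
    """TLS record type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello)."""
    return (len(pkt) >= 6 and pkt[0] == 0x16 and pkt[1] == 0x03
            and pkt[2] <= 0x03 and pkt[5] == 0x01)

def classify(proto: str, dport: int, payload: bytes) -> str:
    """'quic' flows bypass certificate-based interception; 'tls' flows can be decrypted."""
    if dport != 443:
        return "other"
    if proto == "udp" and parse_gquic_header(payload):
        return "quic"
    if proto == "tcp" and is_tls_client_hello(payload):
        return "tls"
    return "other"

# Constructed sample packets (not real captures): flags 0x09 = CID + version present
QUIC_CHLO = bytes([0x09]) + bytes.fromhex("1122334455667788") + b"Q034" + b"\x01" + b"\x00" * 4 + b"CHLO"
TLS_HELLO = bytes.fromhex("1603010040") + b"\x01" + b"\x00" * 10

if __name__ == "__main__":
    for proto, pkt in (("udp", QUIC_CHLO), ("tcp", TLS_HELLO)):
        print(proto, classify(proto, 443, pkt))
```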

More good news, it’s not too difficult to fix. As an end-user, all you would need to do is type chrome://flags in your browser, then scroll down to the “Experimental QUIC protocol” field, and toggle it to disabled:

Modify the Experimental QUIC field to have a value of “Disabled”


Once complete, you will need to restart Chrome and test. A visit to YouTube will confirm that SSL interception is now working! I would recommend watching a video while confirming that the certificate being displayed is issued by your CA. You will need to open it in a new window, of course.

The PAN device might actually still detect the YouTube app regardless of SSL interception status after you have visited YouTube for extended periods of time, so I would pop over to Gmail, log in and confirm the cert is issued by you, and test by sending an email with some explicit text that should be blocked by a custom file blocking profile on a test policy (you would need to create this ahead of time). Something like “The new MacBook is great” would be a great string to block.

You can push these settings through Group Policy for your domain users, although I have found it’s a little hit and miss and may be dependent on which version of Chrome a user has. Also, I’ve heard that even with the change in place, if you go to chrome://flags it may incorrectly still display enabled, even though under the hood it is indeed disabled. The proper test is to go to a site you know is QUIC enabled, like Gmail, and confirm that SSL interception is working on that client.
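As an added example of the “confirm the cert is issued by you” check (my script, not from the original post or from Palo Alto Networks), the following connects to a site and compares the leaf certificate’s issuer against the forward-trust CA’s common name; EXPECTED_ISSUER_CN is a placeholder you replace with your own CA’s CN, and the script assumes that CA is in the trust store Python uses.

```python
"""Confirm that a site's certificate was issued by our forward-trust CA.

Added example (not from the original post). Uses the default trust store, so a
verification failure means the forward-trust CA is not trusted on this host,
which is itself the problem the post describes. EXPECTED_ISSUER_CN is a
placeholder; replace it with the CN of your own forward-trust CA.
"""
import socket
import ssl

EXPECTED_ISSUER_CN = "Example-Forward-Trust-CA"  # placeholder, not a real CA

def issuer_cn(cert: dict) -> str:
    """Extract the issuer commonName from ssl.getpeercert() output."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def interception_state(cert: dict, expected_cn: str) -> str:
    """'intercepted' if the leaf was issued by our CA, 'direct' otherwise."""
    return "intercepted" if issuer_cn(cert) == expected_cn else "direct"

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection (TCP) and return the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["www.youtube.com"]:
        cert = fetch_peer_cert(host)
        print(host, issuer_cn(cert), interception_state(cert, EXPECTED_ISSUER_CN))
```

Python’s ssl module only speaks TLS over TCP, so this confirms the TCP path; the QUIC path still has to be checked in Chrome itself as described above.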

More information can be found on Palo Alto Networks LIVE site here.

Ronen Meshel

Written by Ronen Meshel
You can read more about Ronen on his website: ronen.it/