08/27/2018
Newbie2Security: Is the Cloud Safe, Part II
0A reader asked a particularly complex question recently: “Is the cloud safe to use?”
In my continuing answer to that complicated question, let’s look at the Internet of Things and what you can do to keep your own things safe.
The Internet of Things (IoT) is a collective term to describe all the connected boxes, devices, and widgets that don’t fall into the category of desktops, laptops, and phones/tablets. In some cases, even those devices are considered IoT technology; but generally this refers to home automation, home assistants, set-top boxes, and other such gear that is steadily but surely sneaking its way into our homes and hearts.
The security of IoT devices depends a lot on both you and the cloud vendor that manages the online components of those devices. Let’s take a look at things to watch out for.
1 – The trust factor. While the very latest gizmo to automate your home might sound cool, remember that these devices are only as secure as the companies that make them. Millions of IoT devices became infected with malware that turned them into distributed denial-of-service (DDoS) attackers due to a back-door that vendors put into the devices to make them easier to manage remotely.
DDoS (Distributed Denial-of-Service) is a type of attack where thousands or even millions of devices all over the internet start flooding a website with bogus data traffic. Since a website can only handle a fixed amount of traffic at any one time, all these devices suddenly blasting it with data requests causes legitimate users of the site to be unable to reach it. Effectively, the site is offline to real users even though there’s nothing wrong with the site itself – it’s simply overwhelmed with all the requests and cannot talk to anyone else.
Working with vendors that you trust is critical to avoiding this situation. While any vendor can make a mistake or have bugs in their code, those who are well-known and well-reviewed are less likely to let a major flaw end up taking their whole network offline or allowing their devices to be compromised. They also react much faster if they should get attacked, pushing out updates and changes quickly to fix the problem. A fly-by-night vendor, on the other hand, may just stop supporting a product and leaving all their users out in the cold when the next security problem comes up.
2 – Limiting what devices can do. Does your home lighting system need to speak directly to the internet? Probably not, and therefore it should not. While some systems like home thermostats do have a good reason to be accessible to the outside world (so you can remotely change the temperature), it shouldn’t be allowed when it isn’t necessary. Reputable vendors use home hubs and other technology to limit how much of their system needs to talk to the internet at all – and most vendors allow for you to limit that connectivity further. In short, if it doesn’t have to talk to the internet, it shouldn’t – full stop. If a vendor demands that the device be able to connect to their servers when there’s no reason to; choose another vendor. One great example is software updates for smart LED lights. Why should the light-bulb have to talk to the internet when updates can be done via a smartphone app or other method that doesn’t require every bulb have an internet connection individually?
3 – Segregate your networks. Most home internet routers have an easy-to-use method for creating a guest network. Guest networks are great for IoT devices that have no need to speak to your computers and tablets, but still do need internet access. Basically a guest network is a WiFi network on your home router that can talk to the internet, but cannot talk to anything else that’s using the same router. This means that if someone does manage to compromise your IoT devices, they cannot use that as a way to access your home computer or other systems. The one exception here is for devices that indeed to have to talk to the rest of the things on your home network – like home assistants and other tools. They’ll have to go on your main WiFi network; so keep the trust factor high in your mind.
4 – Use basic security precautions at all times. Alexa, Google Home, and Apple HomePod all listen all the time, and can’t figure out your voice from anyone else’s except for some tricks they do. They can’t stop someone else from voice ordering products or changing settings since their voice identification systems aren’t sharp enough to figure out it’s not you talking. This means you should set up purchase passcodes, and limit their ability to access sensitive stuff via their configuration apps. You should also think twice about letting them communicate to outside devices (such as Alexa’s ability to call other people who own and Alexa). It might be convenient, but the phone still works for that purpose (or email, or text messaging, etc.). One recent case of Alexa accidentally sending a voice message with mildly embarrassing info to a contact in its address book is a great example of why you have to be very careful. Amazon did note that it was because of an incredibly rare set of circumstances, but it’s still possible and should be taken into account before you set up “drop in” or similar features.
Finally, as these services are attached to online accounts with various vendors, you should keep your account secured with two-factor logins and password hygiene at all times. Just like any other website you access, your username and password can be easily stolen or compromised if you’re not careful, and you have to take that into consideration.
IoT devices can be incredibly useful, or just downright fun, or both. But always remember that these are devices that can open dangerous doors into your home and office. Take precautions to make sure they don’t and you can use them safely to make your life better and more enjoyable.
08/29/2018
Newbie2Security: Is the Cloud Safe, Part III
0by Mike Talon • Newbie2Security
A reader asked a particularly complex question recently: “Is the cloud safe to use?”
In my continuing answer to that complicated question, let’s look at the cloud desktop experiences.
Cloud desktops are becoming more and more common as we move toward doing more within the cloud, as opposed to on our own networks and hardware. A cloud desktop is exactly what it sounds like; namely, a virtual desktop computer that runs within a cloud vendor and not on your own desktop, laptop, or tablet itself. They’re currently very popular for PC gaming when you want to play a very resource-heavy game and don’t own a powerful gaming desktop – or a PC at all. I myself use one to play PC games on my Mac (there’s a post on Paperspace and Parsec from a while back still posted here on the blog). While cloud desktops are incredibly useful, they’re still quite expensive to run and therefore not something everyone would use. That’s changing though, as prices come down just like all technology. This means you might be interested in using one in the near future if you’re not using one already.
If you do use or end up using a cloud desktop, its security is a lot different than using the cloud to sync data, or manage your Internet of Things (IoT) devices. Since a cloud desktop is an entire Operating System (Windows, Linux, etc.), it has to be secured in very much the same way as a desktop or laptop – but without the physical security you can put around a physical device you own and control.
So, how do you secure cloud desktops? Let’s take a look:
1 – Remember it’s a desktop. You should always keep your cloud desktop up to date with patches and fixes, and install and maintain an anti-malware tool on it as well. In much the same way as you would do these things on your own desktops and laptops, you must do them on cloud desktops too. Some service providers take care of some or all of these things for you; so check to see what they do in terms of updates and anti-malware and what you are responsible for yourself.
2 – The trust factor exists here too. Much like with IoT devices in the previous article, you have to know your cloud desktop vendor and put your trust in them. Most cloud desktop platforms are very new, so you won’t find a well-established company to go with; but you can research the company and find out if you should be trusting them. Where are they located? Is it in your country or off-shore? What back-end do they use to host their services – is it an established platform like AWS or RackSpace, or some cloud company no one has ever heard of? Who handles their billing – is it a reputable vendor like PayPal or directly with credit card companies (including all the Visa/MasterCard/Amex security methods) or with some payment provider no one has heard of? All of these questions can help you create a good profile of the company and their practices to base you trust decision on.
3 – Be careful what you put there. A cloud desktop can hold a lot of information on you. For example, if you use it for gaming, then the cloud desktop has your Steam and EA account info on there in all likelihood. It also might have billing information stored in memory when you buy things while you’re on the cloud desktop (like new games and software). That’s a bit of a problem, since you don’t have physical possession of the desktop itself, and won’t know if – for example – it’s stolen.
You can limit this liability by only logging into sites and applications you absolutely have to. Your Steam account is pretty much required, but you can turn on SteamGuard (two-factor login) to make sure no one can log in just by stealing the cloud desktop. You can also only update Steam and other payment information on your own desktop, rather than doing it via the interface on the cloud desktop. You can purchase games and other software on your own computer, get the access/registration keys via your own desktop email, then download the software and put in the key without having to put your credit card info into forms on the cloud desktop. For game apps like Steam and EA Origin, you can even make your purchases at their websites on your own desktop, then let the apps in the cloud desktop download the games next time you open the app there.
It’s also not necessary to even install or set up email apps/accounts on the cloud desktop at all – you can do that on your desktop or laptop and just cut and paste as required. Browsers don’t need to be synced to your Google/Apple/Firefox account, and therefore you don’t need to log into those services on the cloud desktop. Small steps like these don’t have a large impact on your cloud desktop experience and limiting what data is actually typed into or uploaded to the cloud desktop also limits what an attacker can get if they break in.
Cloud desktops can make life easier and open up the ability to do things you can’t do on your own desktop. As prices come down, they’ll become an option for more and more people – and a target for more and more attackers. Using them safely is very much possible, with a little strategy and forethought you can compute in the cloud with no problems at all.
Share this: