Connect with us

Expert Speak

How to Secure Your Router?

Published

on

Written by Tomas Foltyn, Security Writer at ESET

How do you secure your network? For the most part, this honor goes to the one device that talks to all of your home’s internet-connected devices: your router. This humble gadget may not store any of your personal data, but with all that traffic flying through it, taking good care of this network workhorse should be a key component of your security culture. And yet, we usually ignore security concerns that have to do with our routers.

Tomas Foltyn, Security Writer at ESET.

In our technology-dependent era, one such little black box is central to any home network (okay, many routers are neither black nor boxes, but we won’t let that distract us, will we?). In fact, chances are your router doubles as a modem, or even the other way round, especially if it was supplied to you by your internet service provider (ISP). Of course, a consumer-grade router typically comes with an in-built wireless access point (WAP), so that we don’t trip over cables. Regardless of your setup, the router is integral to the security of your network.

For all the magic it can do, a typical router is normally forgotten as soon as it begins to fulfil its only obvious purpose – connecting our home to the internet. Devoid of even a speck of glamor and hidden in a corner or on the uppermost shelf, this device quietly does its thing, never attracting your attention unless something goes wrong with your internet connection. Which may prompt the question:

Why care about routers, anyway?
Simply put, a poorly secured router can put all devices on your network at the mercy of attackers. That is no hyperbole. The threats run the gamut, and a hacked router can:

And that is by no means an exhaustive list.

To harden your router and stay safe from hacker shenanigans, you need to access and properly configure the device’s settings. This may seem to be a daunting task, but that may only be due to fear of the unknown. For most, basic remedies are not, by any means, an ordeal, and they’re enough to greatly improve the security of your router.

Your router’s admin settings can usually be accessed wirelessly by typing the router’s IP address into any web browser’s URL bar (the IP address is often 192.168.1.1 or 192.168.0.1, but check the label on your device or look up the address on Google). Arguably, a better way is to connect that long-forgotten thing, probably cloaked in a thick layer of dust, to your laptop via an Ethernet cable and only then type the IP address. In many cases, you can even reach the settings via a dedicated smartphone app.

There are a few sine quibus non – beyond having a firewall turned on, of course – for a hardened router.

Ditch the defaults
Here, we can safely pick up from where we left off last week: Passwords invariably come into play when it comes to keeping your network safe and secure, doubly so when Wi-Fi connections are thrown into the mix. Out of all settings that come pre-configured for you from the manufacturer, the password to access the router’s admin interface is the first thing you should replace with a strong and unique password or passphrase. Also, if possible, pick a non-generic username instead of the default one, which commonly in this case is one of these five options: ‘admin’, ‘administrator’, ‘root’, ‘user’, and no username at all.

Besides reducing cost for the manufacturers, these and some other default configurations are intended to ease set-up and remote troubleshooting. However, the convenience factor is apt to cause trouble in that, for example, the login details are often glaringly obvious and shared across router models, and even entire brands. Indeed, the logins are there for the taking for anybody who can spare a minute searching on Google, or even less than that: suffice it to try one such absurdly easy-to-guess username/password combination (in the vein of ‘admin/password’) and it may very well work on a poorly configured router. In fact, ESET’s test on 12,000 home routers in 2016 found that one in seven such routers used “common default usernames and passwords, as well as some frequently used combinations”.

With routers that permit wireless connectivity (which is the case with pretty much all consumer routers these days), the brand and model may be given away by the default name of your wireless network. Change that name, aka Service Set Identifier (SSID), to something that doesn’t identify you or your location. You can also stop the SSID from being broadcast, but be aware that a snoop with even a modicum of technical chops will be able to sniff it out easily anyway.

Also often enabled by default is a feature called Wi-Fi Protected Setup (WPS), which was originally intended to help bring new devices onto a network. However, due to a flaw in its implementation that relies on registrar PIN numbers and that makes the number easily crackable, WPS can be easily subverted. Ultimately, this sets the stage for attacks at your wireless password, aka pre-shared key (PSK).

Another feature that is often enabled by default on routers and that poses a significant security risk is Universal Plug and Play (UPnP). Unless you’re sure you need UPnP, which is intended to enable frictionless communication between networked devices but lacks any authentication mechanism, you should turn it off. Indeed, shut down any protocols and block any ports that aren’t needed, as that will reduce the attack surface on your network.

Keep snoopers at bay
When it comes to Wi-Fi passwords (and, thus, controlling who can actually access your wireless network), this is your chance to be creative. You can go up to 63 characters, but, in fairness, that shouldn’t really be necessary.  That said, make sure your password or passphrase is long and complex, so that it can withstand brute-force attacks where never-do-wells take countless stabs at a password in a bid to arrive at the right one. Of course, it must also be different from all your other login credentials, including the one you use to access the router’s admin console.

You also need to specify a security protocol for your wireless connection. There’s not much of a choice here, and the only option worth recommending is WPA2, short for ‘Wi-Fi Protected Access 2’. For homes, WPA2’s best flavor is its personal mode (WPA2-Personal aka WPA2-PSK) and underpinned by AES encryption, which is, for all intents and purposes, uncrackable with today’s computing resources. Robust over-the-air encryption scrambles all data as it travels between a Wi-Fi-connected device and a router, ensuring that a snoop cannot simply read it even if they somehow get their hands on the data.

There are two older Wi-Fi security modes that may still be available on your router – WPA’s first iteration, simply called WPA, and the truly ancient Wired Equivalent Privacy (WEP). However, there’s no reason to use either of them, especially the easily hackable WEP, as WPA2 has been mandatory on all Wi-Fi Alliance certified hardware since as far back as back 2006.

Of course, some of us are eagerly awaiting the arrival of WPA3-enabled networking hardware on the market. Since this new security standard is set to usher in several major improvements for wireless security, including better defense against password-guessing attacks, it really can’t come soon enough.

Update, update!
At heart, routers are computers, so their operating systems, embedded as firmware, need to be updated for security vulnerabilities. Indeed, routers are notorious for being riddled with security loopholes mainly due to their running outdated firmware, which is commonly because we, the router owners, never install such updates. This makes things so much easier for attackers, as many incursions are facilitated by simple scans for routers with known security holes.

To check if your router’s firmware is up-to-date, navigate to the device’s admin panel. Unless you own a modern router that updates itself automatically or alerts you to new firmware versions, you will need to visit the vendor’s website and check whether an update is available. If it is, well, you’ll know what to do. This is not a one-time task, however, so be sure to check for new updates regularly, at least several times a year.

It’s entirely possible that, because the router’s maker has stopped issuing updates for your device, there may actually be no updates to be installed. This can happen especially with older routers, in which case you’re best off simply buying a newer one.

At any rate, there’s another reward for upgrading your firmware: Beyond updates to fix vulnerabilities, the new firmware version may also include performance improvements and new features, including those that have to do with its security mechanisms.

Bonus tips
What else can you do, and with a minimal hassle factor, of course? Here are a few more quick tips:

Any router should enable you to create several networks, which is particularly handy with easily hackable Internet-of-Things (IoT) devices. If your home is ‘smart’, consider quarantining all that IoT tech in a segregated network, so that its vulnerabilities cannot be exploited to access the data on your computer, smartphone, or storage devices. You can also set up a separate network for your children and their gizmos.

Similarly, consider setting up a separate network for guests. That way, you only share your internet connection, not your network, and prevent the risk of malware from their devices jumping over to your digital assets in what is just one possible scenario how a guest can, however unknowingly, compromise your network.

It’s also good to disable remote management for your router to reduce the odds of attackers tampering with it from anywhere in the world, for example by exploiting a vulnerability. That way, physical access to your router will be required to make any changes to its settings.

Conclusion
There is far more to router security than what we touched on in this article. However, even tweaking a few settings in the ‘glue’ that holds all of your internet-enabled devices together will go a long way toward bolstering your overall security. The ‘benign neglect’ with which we usually treat our routers can turn out to be very damaging.

Click to comment

Leave a Reply

Expert Speak

Watch Out for These Scams Targeting Amazon Customers

Published

on

Written by Amer Owaida, Security Writer at ESET

Amazon is the largest online marketplace in the world boasting over US$386 billion in revenue in 2020 with 200 million subscribers to its Amazon Prime service just in the United States. And that’s just a fraction of the whole customer base that it serves around the globe year-round. Of course, such a huge customer pool attracts cybercriminals who are looking to make a bank by scamming unsuspecting victims with a variety of tricks that they have in their arsenal of scammery.

Fake order phishing email
As with any major service, Amazon is no stranger to being spoofed or impersonated by enterprising fraudsters who are looking to dupe people out of their personal information or to access credentials to their accounts. The emails you may receive can take on various forms, however, they usually impersonate a common Amazon dispatch email, that regular customers have encountered many times over. For example, you might receive one confirming a purchase that you didn’t make and tries to trick you into clicking on various links that look like contact information to Amazon’s customer service.

These links can then redirect to something looking like the official Amazon login page, however, when you try to sign in you will have divulged your credentials to the scammer. Alternatively, by clicking on the link or attachment in the email you may download a malicious payload to your device that will attempt to download keylogging software that will try to harvest your credentials to any services you use.

Generally speaking, unless the fraudster behind the scam did an immaculate job with the counterfeit email there are several warning signs that will give it away as an attempt at phishing. If the email contains, typos, grammar mistakes, or an attachment it is most assuredly a scam. When checking out a link that you’ve received in an email, by hovering your cursor over it, check whether the address is something.amazon.com where something is one of many valid Amazon subdomains – for example, pay.amazon.com or www.amazon.com. If you suspect that you’re being phished you should contact Amazon directly, since it takes these issues seriously.

Gift card scams
Gift card fraud is another perennial problem that you can encounter. The con-artists may utilize different strategies to dupe their victims, however, the ultimate goal remains the same – trick them into purchasing and sending Amazon gift cards. Popular tactics usually include evoking a sense of urgency or pressure in order to make victims act quickly rather than give deep thought to the contents of the message or phone call.

Victims may receive unsolicited email messages or phone calls about a pressing issue involving their social security numbers or benefits and to resolve it they’ll have to pay a penalty using gift cards. Alternatively, victims may be told that a family member is in trouble and needs financial help. There are multiple scenarios at play where fraudsters can also impersonate Amazon itself, claim to be someone from the management of the victim’s employer, you name it.

However, fortunately, most of these scams can be uncovered quite easily if you keep a cool head. Government officials will never ask you to pay a fine or penalty with a gift card, so you can be 100% sure that if you get such a request it’s a scam. As for the rest of the scenarios, to verify the claims you just need to call your family member to see if they’re in trouble or the person from your company that requested the gift cards. And of course, it goes without saying that you should contact all of the aforementioned people or institutions through the verified official channels.

Payment scams
Payment scams come in many shapes and sizes, and while the form may differ, in the end, the scammers behind them are after only one thing – the contents of your bank account. There are multiple ways that this can occur. One tactic that is often utilized is trying to convince you to pay outside Amazon’s secure platform. The crooks will try to lure you in various ways by offering a discounted price, for example, however, if you relent, the most probable outcome is that you’ll both lose your money and won’t get the product.

And additionally, you won’t be able to lodge a complaint with Amazon since you paid the fraudulent charges outside the confines of their platform. Other flavors of payment scams to watch out for include paying to claim a prize that you’ve supposedly won or to a seller whose identity you can’t verify, and avoid offers that seem too good to be true or that you find suspicious.

The obvious advice, in this case, is to stick to Amazon’s platform for all orders and payments. Even the company itself warns against sending money outside the confines of its platform: “Don’t send money (by cash, wire transfer, Western Union, PayPal, MoneyGram, or other means, including by Amazon Payments) to a seller who claims that Amazon or Amazon Payments will guarantee the transaction, refund your funds if you’re not satisfied with the purchase, or hold your funds in escrow.”

Dodgy phone calls
Sometimes scammers will resort to more “analog” means to try and hoodwink their victims – fake support calls. The content of the calls might vary, however, they often sound like a pre-recorded message impersonating Amazon claiming it has registered something wrong with your account, something that would pique your interest – a fishy purchase, lost package, etc.

According to a warning issued by the United States Federal Trade Commission, the message will then either inform you to press 1 to speak to a customer support agent or give you a number to call back. If you engage in conversation, the scammers will most likely try to wheedle sensitive data out of you like your personal information or your payment data.

The most sensible thing to do, before going into full-blown panic mode, is to check if there is anything suspicious going on by contacting Amazon through the direct channels listed on the support section of their website. The company does acknowledge that in some cases it may make outbound calls but it will never ask customers to reveal any sensitive personal information in order to verify their identity.

In summary
When it comes to online shopping and its related activities the saying “trust but verify” remains as true as ever. To sum it up, most of the scams can be avoided if you remain vigilant, curious, and keep your wits about you. If you receive any unsolicited emails be extra careful to verify their provenance and never divulge personal sensitive information to anyone claiming to be a “customer support representative or agent”.

Continue Reading

Expert Speak

Create a Ring of Security Around Your Home

Published

on

With an app and a couple of gadgets, technology can provide peace of mind in the toughest of times – whether you’re at home or away, says Mohammad Meraj Hoda, vice president of Business Development – Middle East & Africa at Ring

Over the last year, we have learned that there’s no such thing as a predictable routine. Even as UAE authorities do their utmost to prevent the spread of the coronavirus, once-mundane everyday schedules can easily be disrupted by abrupt school closures, sudden quarantines or even an endless procession of deliveries of all kinds. At times when it can all get a bit too much, an extra layer of security can offer peace of mind.

But when you can’t bring in new household help with visa and travel restrictions, technology can do your bidding instead. Indeed, technology is now so far advanced that with a couple of installs and a few quick tweaks, you can protect your home inside and out. With a video doorbell, indoor cameras around the house, and an app, you can create a ring of security around your home within a few minutes.

When you choose a single brand of products, such as Ring, the appliances can easily work together, and best of all, everything can be monitored from your smartphone – even if you happen to be elsewhere physically. As UAE residents have become more alert to visitors and the risks accompanying them, convenience and safety are more important than ever. This is where Ring’s bouquet of products can help.

Video Doorbells Help Everyone
Since they were first created in 2013, video doorbells have proved their worth repeatedly in many different situations around the world. From a bear trying to open a car door to meteors flying through the skies, they have captured a number of untoward and unwanted visitors around the world. Products such as the Ring Video Doorbell 3 are activated by motion around your front door and begin recording events within their line of sight. Because Ring video doorbells connect to the internet via your home Wi-Fi system, this video feed can be set to be livestreamed straight to your phone, or you can access it later.

Even if you are at home, there is no need to go to the door. You can see who your visitors are from your smartphone. With the Ring Video Doorbell 3, you simply tap on the alert to check who’s at the door and even communicate with them. Even if you are at home, you can safely keep your distance from visitors, and if necessary, ask them to leave packages at your door.

Indoor Cameras Offer Peace of Mind
Meanwhile, for family-focused people who are away in the office or at an event outside the home (perhaps even in another emirate!), an indoor camera provides the assurance that no untoward incidents have taken place at home. Perhaps you want to chat with those who are at home, verify if your teenage kids are getting to their homework, or if your cat has been playing up while you’re away. A quick check is easy with a compact indoor camera such as Ring’s new Indoor Cam, which slots unobtrusively into small spaces around the home.

This clever new device makes it easy to speak with older family members or see if school children have reached home. Between the indoor cameras and the outdoor doorbell camera, you can easily keep an eye on every corner of your home from anywhere. In addition, with Ring’s Protect Plan, it’s easy to add an extra layer of security to your home.

Although life has become more challenging on so many fronts, technology can help the stresses of living through these strange times. A little planning and a few moments’ work can go a long way to securing peace of mind for everyone at home.

Continue Reading

Expert Speak

One in Six People Use Pet’s Name as Password, Says ESET

Published

on

Written by Amer Owaida, Security Writer at ESET

(more…)

Continue Reading
Advertisement
Advertisement
Advertisement
Advertisement

Latest Reviews

Follow us on Facebook

%d bloggers like this: