Your Weakest Security Link? Your Children, or is it?

A while back I came across a fairly good article on the need for consciousness regarding children and computers. However, I miss a few paragraphs (or even chapters) regarding necessary steps (even without children).

None of this is of course the children's fault; however, it does provide a good opportunity to discuss computer security hygiene, and with it the lack of knowledge and focus on security and privacy in current and new generations.

To start off, the article that inspired this post: Your Weakest Security Link? Your Children - WSJ

What do you do when the biggest threat to your cybersecurity lives under your own roof?

It’s a fact of life online: a network is only as strong as its weakest link. For many people, that weakest link is their children. They inadvertently download viruses. They work around security to visit sites their parents don’t want them to. They run up huge bills using their parents’ one-click ordering.

Segregated WiFi networks
My largest concern with the article is that it does not mention the need for a WiFi guest network. You should never, ever, allow external devices outside your control, or lower-security devices like tablets and smartphones, directly onto your LAN. These devices simply don't need it and should be in a separate security zone on the firewall. If you need access to local resources, use OpenVPN to set up a connection from the WiFi zone to the LAN zone, or for certain other elements open up specific ports/applications to pass through.

My usual setup involves flashing a router/access point with dd-wrt (a Linux-based firmware). This allows setting up guest networks / virtual wireless interfaces (although not all devices will allow anything but public / WEP encryption, i.e. no WPA, on the virtual interfaces; as these are by definition low-security zones, this is however fine). The most important thing is that the guest network

  • is AP isolated, i.e. does not allow traffic between individual devices on the network
  • only allows traffic through NAT to WAN (internet), i.e. not to LAN devices
  • has QoS enabled so as not to interfere with your normal use

The guest network should further be restrictive in what traffic it allows. Normally your visitors only require HTTP(S), POP3S, IMAPS, SMTPS and SSH (people shouldn't use non-encrypted transport channels for reading mail, so the non-secured alternatives are blocked), and maybe a few other protocols, so the firewall should be restrictive as a starting point.

A proper network setup removes the primary issues discussed with children's devices being connected to the network. It's not any better allowing other unsecured devices onto it, so why don't you do it properly in the first place?

In fact, with today's growth of the Internet of Things, you will also want a dedicated device network that is internal (no AP isolation, but doesn't allow traffic to LAN or WAN) for TV communication with speakers etc. I simply don't get people plugging this directly into the regular network. That only leads to situations such as Samsung voice-recording / surveilling everything you say.
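The guest zone and the internal device zone described above, written out as iptables rules (an added example, not the author's own configuration). The interface names, chain names and the DNS/DHCP allowance are assumptions; NAT and the firmware's rule for established return traffic are assumed to be in place, and AP isolation is a wireless setting outside iptables.

```shell
#!/bin/sh
# Added example. Interface names are assumptions: substitute the ones
# your router actually uses before applying anything.
LAN_IF="${LAN_IF:-br0}"       # trusted LAN
GUEST_IF="${GUEST_IF:-br1}"   # guest WiFi zone
IOT_IF="${IOT_IF:-br2}"       # internal-only device zone
WAN_IF="${WAN_IF:-vlan2}"     # internet uplink
# Guest services named in the text: SSH, HTTP(S), SMTPS, IMAPS, POP3S.
GUEST_TCP="${GUEST_TCP:-22,80,443,465,993,995}"

# Prints the rule set; nothing is applied until the output is run as root.
zone_rules() {
    cat <<EOF
# Guest zone, forwarded traffic: never LAN or device zone, WAN on listed ports only
iptables -N GUEST_FWD
iptables -A GUEST_FWD -o $LAN_IF -j DROP
iptables -A GUEST_FWD -o $IOT_IF -j DROP
iptables -A GUEST_FWD -o $WAN_IF -p tcp -m multiport --dports $GUEST_TCP -j ACCEPT
iptables -A GUEST_FWD -j DROP
# Guest zone, traffic to the router itself: DNS and DHCP only, no admin UI
iptables -N GUEST_IN
iptables -A GUEST_IN -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_IN -j DROP
# Device zone: nothing is routed out; devices still reach each other
# because traffic inside one bridge is switched, not forwarded
iptables -N IOT_FWD
iptables -A IOT_FWD -j DROP
iptables -N IOT_IN
iptables -A IOT_IN -p udp --dport 67 -j ACCEPT
iptables -A IOT_IN -j DROP
# Hook the zone chains in ahead of the firmware's own rules
iptables -I FORWARD -i $GUEST_IF -j GUEST_FWD
iptables -I FORWARD -i $IOT_IF -j IOT_FWD
iptables -I INPUT -i $GUEST_IF -j GUEST_IN
iptables -I INPUT -i $IOT_IF -j IOT_IN
EOF
}

zone_rules
```

Review the printed rules against your own interface layout before running them on the router.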

Disk encryption
Disk encryption is necessary to keep people from bypassing the password-based security schemes mentioned in the article. I remember in the good old days when NTFS first got here, and how easy it was to brute-force SAM files. Without disk encryption, separating profiles (e.g. in Windows 7) won't help you, as anyone can boot a live OS (Linux ftw), giving access to all files, including configuration files. But quite frankly, multi-user systems are difficult to secure and hardware today is cheap; you shouldn't let your kids use your own hardware in the first place, but set up their own systems for them.

Seven proxies
Be restrictive in what kind of data you allow to flow through your network. Use proxies, proxies, and even more proxies, filter all network access appropriately through firewalls, and more importantly, make frequent use of jump servers / gateways.

If you are worried about certain types of virus intrusion, also get a firewall device supporting intrusion detection/prevention systems and an appropriate license to keep this updated. If you are concerned about your children's internet use, all web traffic should also be forced through a proxy (such as squid) at the firewall level.

Separate the core devices of the network and don't allow traffic into them, even from the regular LAN, without going through a jump server / gateway, e.g. using OpenVPN. I actually use this myself: for instance, even though I connect my laptop to the regular WiFi network, I won't get access to my virtual machines without being logged into the VPN. Only certain specified services are exposed by default.

Cloud services
Cloud services are great. I mean, truly, with the number of devices we have today, how else can we keep data available for our own use? The one caveat: you really, truly, REALLY, MUST run the cloud service yourself. ownCloud is a great application for this use, with multiple clients across operating systems and platforms. File storage, calendar, contact information and a good news reader. Not much more to ask for, and if there is, there is likely already an app for it.

Don't ever allow friends or family to use iCloud, Dropbox, Google Drive or whatnot. Of course, promote using these services to your enemies; you might want to get access to their data some day.

7 thoughts on “Your Weakest Security Link? Your Children, or is it?”

  1. Sometimes it's the children, sometimes, the (grand)parents.

    I've heard of many horror stories dealing with the clueless older-generation family member doing something that caused a machine to be compromised, thus requiring someone to come and bail them out.

    Unfortunately we have a choice. We either set everything up for them, and be their technical support person when things go wrong, we let them try and figure it out themselves (with the usual results) or we convince them to do without (yeah, I can see that happening).

    I find it easier to claim to not know a lot about ${PRODUCT} or ${DEVICE}, shifts the problem elsewhere and saves me some bother.

  2. @Stuart: Indeed, the thing is if you don't help them out you know that it on some level compromises your own security as well. Same reason I'm trying to support everyone around me having the slightest interest in OpenPGP, if they manage to use it somewhat properly, I can increase my own security since I can communicate properly with them.

  3. Indeed, medical, and industrial kit too. Lives depend on it, and some of it has the weakest security of any piece of computer-based equipment.

    Much of it is security through obscurity, and it's now that the likes of Siemens, Red Lion and others are finding their trousers have slipped down around their ankles.

    We deal with ARM-based industrial computers, I discovered the other day that NetFilter had been turned off in the (ancient) stock kernel. The same (headless) system shipped with a full X environment, XFCE and multimedia CODECs. So stuff that belongs there for security reasons, isn't, and stuff that doesn't belong there, does. Thankfully we have the sources, thus can build our own kernels.

    Home kit is just as bad and I worry about the Internet Of Things crap that goes on, as it'll be the same old story there. Some software developers should go back to mustering cattle. There's a reason why they get called SOHOpeless. (I've also seen $800 industrial routers with the same problem!)

    That would be an obvious first point, ensure that there's some level of security for things like routers out-of-the-box. The first thing the router should do is ask you to change the password and to generate a secure network password for the WIFI side.

    Segregated WLANs are a nice idea, but complex for a non-technical person to set up, having the device ship with a sane config that can then be tailored would help.

    The problem is supporting this, no company wants to do it because their L1 support would be inundated with calls from people who can't read instructions, can't understand anything technical, thus immediately decide the product is "broken" and demand a refund. Then there are people like myself who are semi-burned-out from supporting it in the workplace who can't be stuffed when they get home doing the same thing all over again.

    The way things are going, if the 3-letter agencies don't wind up killing the Internet, the malware will. Then the problem will be a distant memory.
