IoT and security

I guess I am interested in how other people are addressing security ... I have found that 2 different Anti-virus solutions seemed to create instability (or generate a huge stack of pop-ups needing to be regularly cleared). Is anyone segregating their Cortex PC via VLANs or putting the web interface behind a proxy or VPN? Any other tips?

Yes I think the article linked to in the first post makes a good point but I am personally not as confident as the author that security patches keep you safe - rather I'd put it as 'improve your safety'. The wannacry attack exploited ivulnerabilities in the SMB service (used for file and printer sharing) which existed for a long time before they were more publicly exposed and only then did MS provide patches. And BTW lest anyone think other O/S's were not vulnerable think again because they often share underlying libraries. Which brings me to another point - If you want to feel really paranoid just think that most IoT equipment these days, even a simple WiFi relay, uses a sledgehammer to crack a nut, i.e pretty much what might be considered a complex computing platform on a chip. This means that the top level application is relying on tons of underlying code (libraries, etc.) from all sorts of sources. Even 'open source' code is not necessarily going to expose the content of every last component it uses. This means you are hoping that no one has left some kind of vulnerability somewhere deep in the system deliberately or otherwise.

On the other hand the genie is not going to get put back into the bottle now, so the question is how best can we mitigate the threat. In some ways a PC is useful in that you do at least have some control and visibility of its security processes.

I think for a Cortex PC firewalling is an important line of defence. Since it is not a general purpose PC (or shouldn't be!), the risk of a user indavertently downloading or manually introducing malicious software is much reduced. This then leaves the possibility of someone hacking into the PC either deliberately or via some robotic method. Typically it means looking for some service which responds to connections via some port. As I mention above, from what I understand, the wannacry attack exploited some vulnerabilities in the SMB service both to get the code onto the PC (via a standard open port) and then to get it to execute. Since you don't really need file and printer sharing on a Cortex PC you could reduce the possibility of such an intrusion by blocking the relevant ports (I believe 139 and 445 but I'd include 136, 137 and 138 for good measure - both inbound and outbound). Such blocking should ideally be done at the router so that it never gets past this point to any device on the LAN, but you can also do it via a firewall at the PC itself. Of course this is just one exploited path which is now known about, so the idea is to block anything else that is extraneous.

Whilst you may not want to block such services to other devices on the LAN you can be far more aggressive at the Cortex PC (and should not rely only on any router based blocks). There is usually quite a lot of 'dross' allowed through firewalls by default so it pays to look into this more carefully - bear in mind that pre-existing vulnerabilities or nefarious code may not simply be listening on some standard port but could be actively advertising itself outwards.

I think this is and is going to become an important topic of conversation. As Karam has said the WannaCry attack was against SMB, actually it exploited a vulnerability in SMBv1 which is a 30 year old protocol that even Microsoft are trying to kill off. Most internet routers have some sort of firewall installed that should, be default, block file and print type traffic across the internet. The issue tends to be the PCs in our home which are used for internet browsing and reading email, these two activities account for virtually all entry points of a virus / malware. Now even with later versions of Windows people are misguidedly changing default secure setting, turning off UAC, disabling the OS firewall, etc. In effect turning off newer features designed to protect.

Don't fall into the trap of thinking this is a Windows problem, the Linux kernel used on many low cost routers or IoT equipment the Linux distro (for example Busybox) and the application libraries (for example OpenSSL) all have vulnerabilities and need patching. To some extent they are worse than Windows because they don't normally provide an automatic method for updating and the perception has been anything from Microsoft is insecure and anything from based on Linux or Apple is secure, this is far from the truth.

Karam's recommendation for Cortex has always been a dedicated machine and this makes sense as well as making it easier to harden and protect. Something we can do together to protect and isolate our HA from other PC on the network.

Paul

I noticed that the Telegraph front page today had an article on home gadgets under attack.

Karam's point about the opportunity for hardening the Cortex platform is a good one - it is too easy to rely on a default Windows configured for a different purpose.

must say, we're not into all the ins & outs - so, how do we check how we have things set, intentionally & inadvertently, by default, whatever ...

our biggest issue, with all computer systems we use (Windows, iOS, Android, MacOS, router & dLan OS) is transparency ... far too often we're left wondering, and wandering, trying to find out ...

simple things, like what's the computer doing at this moment - why's the HD chattering, why's response slow, why's it taking so long ...

and, far from least, what's coming in, and what's going out ...

security - how can we be secure, when we can't see what's what's going on !

and being able to intervene - all to often we set something in motion, and can't stop it ...

our dedicated PC, runs just Cortex - but it's not just Cortex, it's TeamViewer, and whatever's needed for updates (Cortex & Anti-Spyware etc), and ... and ... and ...

TaskManager can help, but only so far ...

and our PC may be dedicated, but our LANs have all sorts - printers, desktops, laptops, umpteen tablets, 'phones, NAS, etc, etc - all with a job to do & needing to be accessible ...

Chris