Monday, December 21, 2015

The British Government as part of the Investigatory Powers Bill is planning to hack children’s smart toys to snoop on suspects


News of the day is that as part of the Investigatory Powers Bill, children’s smart toys could be used by British law enforcement.

According to Antony Walker, deputy chief executive officer of techUK, IoT devices, including smart toys, can be intercepted by the UK government and used for its investigations.

“In the context of the Internet of Things you have many types of connected devices … [such as] toys [that] children can interact [with],” Mr. Walker said at the second session on the Investigatory Powers Bill:

“These devices may sit in a child’s bedroom, but they may be accessible. In theory, the manufacturer of the products could be subject to a warrant to enable equipment interference with those devices.”

The expert highlighted the implication of smart objects for the users’ privacy and security.

“We are moving beyond a world that is just about telephony, accessing messaging services and so on,” he stated.

“In an IOT type world the definitions that seem to apply to equipment seem to apply potentially to a huge range of devices that could be used for communications purposes and other purposes as well.”

The draft Investigatory Powers Bill would make it the legal duty of Internet service providers (ISPs) to support law enforcement in exploiting smart devices, including smart toys, to snoop on suspects.

“A range of devices that have been in the news recently, in relation to a hack, are children’s toys that children can interact with,” Walker told the committee. “These are devices that may sit in a child’s bedroom but are accessible.”

Under the Investigatory Powers Bill, the UK Government proposes to make it possible to break the end-to-end encryption that private companies implement for their services.

Wednesday, December 16, 2015

Securing Your Home Network Routers

How are routers used in your home network?

Home routers have become an integral part of our global communications footprint as use of the Internet has grown to include home-based businesses, telework, schoolwork, social networking, entertainment, and personal financial management. Routers facilitate this broadened connectivity. Most of these devices are preconfigured at the factory and are Internet-ready for immediate use. After installing routers, users often connect immediately to the Internet without performing any additional configuration. Users may be unwilling to add configuration safeguards because configuration seems too difficult or users are reluctant to spend the time with advanced configuration settings.

Unfortunately, the default configuration of most home routers offers little security and leaves home networks vulnerable to attack. Small businesses and organizations often use these same home routers to connect to the Internet without implementing additional security precautions and expose their organizations to attack.

Why secure your home router?

Home routers are directly accessible from the Internet, are easily discoverable, are usually continuously powered-on, and are frequently vulnerable because of their default configuration. These characteristics offer an intruder the perfect target to obtain a user’s personal or business data. The wireless features incorporated into many of these devices add another vulnerable target.

How can you prevent unauthorized access to your home network?

The preventive steps listed below are designed to increase the security of home routers and reduce the vulnerability of the internal network against attacks from external sources.

    Change the default username and password: These default usernames and passwords are readily available in different publications and are well known to attackers; therefore, they should be immediately changed during the initial router installation. It’s best to use a strong password, consisting of letters, numbers, and special characters totaling at least 14 characters. Manufacturers set default usernames and passwords for these devices at the factory for their troubleshooting convenience. Furthermore, change passwords every 30 to 90 days. See Choosing and Protecting Passwords for more information on creating a strong router password.
    Change the default SSID: A service set identifier (SSID) is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a WLAN must use the same SSID to communicate with each other. Manufacturers set a default SSID at the factory, and this SSID typically identifies the manufacturer or the actual device. An attacker can use the default SSID to identify the device and exploit any of its known vulnerabilities. Users sometimes set the SSID to a name that reveals their organization, their location, or their own name. This information makes it easier for the attacker to identify the specific business or home network based upon an SSID that explicitly displays the organization’s name, organization’s location, or an individual’s own name. For example, an SSID that broadcasts a company name is a more attractive target than an SSID broadcasting “ABC123.” Using default or well-known SSIDs also makes brute force attacks against WPA2 keys easier. When choosing an SSID, make the SSID unique, and not tied to your personal or business identity.
    
    Don’t stay logged in to the management website for your router: Routers usually provide a website for users to configure and manage the router. Do not stay logged into this website, as a defense against cross-site request forgery (CSRF) attacks. In this context, a CSRF attack would transmit unauthorized commands from an attacker to the router’s management website.
    
    Configure Wi-Fi Protected Access 2 (WPA2)-Advanced Encryption Standard (AES) for data confidentiality: Some home routers still use Wired Equivalent Privacy (WEP), which is not recommended. In fact, if your router or device supports only WEP, but not other encryption standards, you should upgrade your network device.[1] One newer standard, WPA2-AES, encrypts the communication between the wireless router and the wireless computing device, providing stronger authentication and authorization between the devices. WPA2 incorporates the Advanced Encryption Standard (AES) 128-bit encryption that is encouraged by the National Institute of Standards and Technology (NIST). WPA2 with AES is the most secure router configuration for home use.
    
    Immediately disable WPS: Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure moderately secure wireless networks. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8-digit PIN is correct. The lack of a proper lockout policy after a certain number of failed attempts to guess the PIN on many wireless routers makes a brute-force attack much more likely to occur.
    
    Limit WLAN signal emissions: WLAN signals frequently broadcast beyond the perimeters of your home or organization. This extended emission allows eavesdropping by intruders outside your network perimeter. Therefore, it’s important to consider antenna placement, antenna type, and transmission power levels. Local area networks (LANs) are inherently more secure than WLANs because they are protected by the physical structure in which they reside. Limit the broadcast coverage area when securing your WLAN. A centrally located, omnidirectional antenna is the most common type used. If possible, use a directional antenna to restrict WLAN coverage to only the areas needed. Experimenting with transmission levels and signal strength will also allow you to better control WLAN coverage. Note that a sensitive antenna may pick up signals from further away than expected, so a motivated attacker may still be able to reach an access point that has limited coverage.
    
    Turn the network off when not in use: While it may be impractical to turn the devices off and on frequently, consider this approach during travel or extended offline periods. The ultimate in wireless security measures, shutting down the network, will definitely prevent outside attackers from being able to exploit your WLAN.
    
    Disable UPnP when not needed: Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. Though the UPnP feature eases initial network configuration, it is also a security hazard. For example, malware within your network could use UPnP to open a hole in your router firewall to let intruders in. Therefore, disable UPnP unless you have a specific need for it.
    
    Upgrade firmware: Just like software on your computers, the router firmware (the software that operates it) must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network. When considering a router, check the manufacturer’s website to see if the website provides updates to address security vulnerabilities.
    
    Disable remote management: Disable this to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface.
    
    Monitor for unknown device connections: Use your router’s management website to determine if any unauthorized devices have joined or attempted to join your network. If an unknown device is identified, a firewall or media access control (MAC) filtering rule can be applied on the router. For further information on how to apply these rules, see the literature provided by the manufacturer or the manufacturer’s website.

[1] If you must use WEP, it should be configured with the 128-bit key option and the longest pre-shared key the router administrator can manage. Note that WEP at its "strongest" is still easily cracked.
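
The checklist above can be checked mechanically. The Python sketch below is an added example, not part of the original article: it audits an exported set of router settings against the recommendations listed above. The key names, the default-login and default-SSID lists, the MAC addresses and both sample configurations are constructed assumptions, not any vendor's real format.

```python
import re

# Constructed samples; the key names are assumptions, not a real vendor export format.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
DEFAULT_SSID_HINTS = ("acmerouter", "default")  # hypothetical vendor naming
KNOWN_MACS = ["02:00:00:00:00:01"]              # devices the owner recognises
WEAK = {
    "admin_user": "admin", "admin_password": "admin",
    "ssid": "AcmeRouter-1234", "wifi_security": "WEP",
    "wps": True, "upnp": True, "remote_management": True,
    "clients": ["02:00:00:00:00:01", "02:00:00:00:00:99"],
}
HARDENED = {
    "admin_user": "rtr-owner", "admin_password": "c0rrect-Horse!battery7",
    "ssid": "bluebird-42", "wifi_security": "WPA2-AES",
    "wps": False, "upnp": False, "remote_management": False,
    "clients": ["02:00:00:00:00:01"],
}

def strong_password(pw):
    """Article's rule: at least 14 characters with letters, numbers and specials."""
    classes = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 14 and all(re.search(c, pw) for c in classes)

def audit(cfg, known_macs, identity_words=()):
    """Return the checklist items that this configuration fails."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        findings.append("default-credentials")
    if not strong_password(cfg["admin_password"]):
        findings.append("weak-admin-password")
    ssid = cfg["ssid"].lower()
    if any(hint in ssid for hint in DEFAULT_SSID_HINTS):
        findings.append("default-ssid")
    if any(word.lower() in ssid for word in identity_words):
        findings.append("ssid-reveals-identity")
    if cfg["wifi_security"].upper() != "WPA2-AES":
        findings.append("wifi-not-wpa2-aes")
    for key in ("wps", "upnp", "remote_management"):
        if cfg[key]:
            findings.append(key + "-enabled")
    known = {m.upper() for m in known_macs}
    for mac in cfg["clients"]:  # devices currently joined to the network
        if mac.upper() not in known:
            findings.append("unknown-device:" + mac.upper())
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg, KNOWN_MACS, identity_words=["smith"]))
```

Pass your own surname, street or business name in `identity_words` so the SSID check reflects what would identify you.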


Secure your New Computer on the Internet

Why Should I Care About Computer Security?
Computers help us maintain our financial, social, and professional relationships. We use them for banking and bill paying, online shopping, connecting with our friends and family through email and social networking sites, researching data posted on the Internet, and so much more. We rely heavily on our computers to provide these services, yet we sometimes overlook our need to secure them. Because our computers play such critical roles in our lives, and we input and view so much personally identifiable information (PII) on them, it’s imperative to maintain computer security that ensures the safe processing and storage of our information.

Following are important steps you should consider to make your home computer more secure. While no individual step will eliminate your risk, together these defense-in-depth practices will make your home computer’s defense stronger and minimize the threat of malicious exploit.

Connect to a Secure Network
Once your computer is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your computer. Information flows from the Internet to your home network by first coming into your modem, then into your router and finally into your computer. Although cable modem, digital subscriber line (DSL), and internet service providers (ISP) purport some level of security monitoring, it’s crucial to secure your router, the first securable device that receives information from the Internet. Be sure to secure it before you connect to the Internet to improve your computer’s security.

Enable and Configure a Firewall
A firewall is a device that controls the flow of information between your computer and the Internet, similar to a router. Most modern operating systems include a software firewall. In addition to the operating system’s firewall, the majority of home routers have a firewall built in. Refer to your user’s guide for instructions on how to enable your firewall. Once your firewall is enabled, consult the user’s guide to learn how to configure the security settings and set a strong password to protect it against unwanted changes. (See Understanding Firewalls for more information.)

Install and Use Antivirus and Antispyware Software
Installing an antivirus and antispyware software program and keeping it up to date is a critical step in protecting your computer. Many types of antivirus and antispyware software can detect the possible presence of malware by looking for patterns in the files or memory of your computer. This software uses virus signatures provided by software vendors to look for malware. Antivirus vendors frequently create new signatures to keep their software effective against newly discovered malware. Many antivirus and antispyware programs offer automatic updating. Enable that feature so your software always has the most current signatures. If automatic updates aren’t offered, be sure to install the software from a reputable source, like the vendor’s website or a CD from the vendor.

Remove Unnecessary Software
Intruders can attack your computer by exploiting software vulnerabilities (that is, flaws or weaknesses), so the less software you have installed, the fewer avenues for potential attack. Check the software installed on your computer. If you don’t know what a software program does and don’t use it, research it to determine whether it’s necessary. Remove any software you feel isn’t necessary after confirming it’s safe to remove the software.

Back up important files and data before removing unnecessary software in case you accidentally remove software essential to the operating system. If possible, locate the installation media for the software in case you need to reinstall it.

Modify Unnecessary Default Features
Like removing unnecessary software and disabling nonessential services, modifying unnecessary default features eliminates opportunities for attack. Review the features that came enabled by default on your computer and disable or customize those you don’t need or plan on using. As with nonessential services, be sure to research these features before disabling or modifying them.

Operate Under the Principle of Least Privilege
In most instances of a malware infection, the malware can operate only under the rights of the logged-in user. To minimize the impact the malware can have if it successfully infects a computer, consider using a standard or restricted user account for day-to-day activities and only logging in with the administrator account (which has full operating privileges on the system) when you need to install or remove software or change system settings from the computer.

Secure Your Web Browser
Web browsers installed on new computers usually don’t have secure default settings. Securing your browser is another critical step in improving your computer’s security because an increasing number of attacks take advantage of web browsers.
   

Apply Software Updates and Enable Future Automatic Updates
Most software vendors release updates to patch or fix vulnerabilities, flaws, and weaknesses (bugs) in their software. Because intruders can exploit these bugs to attack your computer, keeping your software updated is important to help prevent infection.

When you set up a new computer, go to your software vendors’ websites to check for and install all available updates. Enable automatic updates if your vendors offer it; that will ensure your software is always updated, and you won’t have to remember to do it yourself. Many operating systems and software have options for automatic updates. As you’re setting up your new computer, be sure to enable these options if offered. Be cautious, however, because intruders can set up malicious websites that look nearly identical to legitimate sites. Only download software updates directly from a vendor’s website, from a reputable source, or through automatic updating.

Use Good Security Practices
You can do some simple things to improve your computer’s security. Some of the most important are:
    Use caution with email attachments and untrusted links. Malware is commonly spread by people clicking on an email attachment or a link that launches the malware. Don’t open attachments or click on links unless you’re certain they’re safe, even if they come from a person you know. Some malware sends itself through an infected computer. While the email may appear to come from someone you know, it really came from a compromised computer. Be especially wary of attachments with sensational names, emails that contain misspellings, or emails that try to entice you into clicking on a link or attachment.
    
    Use caution when providing sensitive information. Some email or web pages that appear to come from a legitimate source may actually be the work of an attacker. An example is an email claiming to be sent from a system administrator requesting your password or other sensitive information or directing you to a website requesting that information. While Internet service providers may request that you change your password, they will never specify what you should change it to or ask you what it is.
    
    Create strong passwords. Passwords that have eight or more characters, use a variety of uppercase and lowercase letters, and contain at least one symbol and number are best. Don’t use passwords that people can easily guess like your birthday or your child’s name. Password detection software can conduct dictionary attacks to try common words that may be used as passwords or conduct brute-force attacks where the login screen is pummeled with random attempts until it succeeds. The longer and more complex a password is, the harder these tools have to work to crack it. Also, when setting security verification questions, choose questions for which it is unlikely that an Internet search would yield the correct answer.