Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

12/10/2019
09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

FBI's Portland Office Spies IoT Education Opportunity

The Federal Bureau of Investigation's office in Portland, Ore., uses 'Tech Tuesday' to offer IoT security advice.

The Federal Bureau of Investigation’s office in Portland, Oregon has started an effort that it calls "Tech Tuesday" to disseminate actionable security advice to users. Last weekit got around to the Internet of Things (IoT).

The FBI concentrated its advice on limiting an IoT device's access to the Internet router that it uses, since an attacker can leverage the unimpeded path to the enterprise network that can be provided by a WiFi router for malicious activity. As far as the router itself goes, they strongly -- and wisely -- advise changing the router's factory administrative settings from the default passwords. The new passwords should be strong enough to protect the router as well.

However, the network itself needs to be secured. As Portland put it, "Keep your most private, sensitive data on a separate system from your other IoT devices."

Many unsophisticated users will think that this means two separate routers will be needed to establish the two differing networks. That approach will indeed work, but there is a better one.

"Micro-segmentation" has been around in WiFi routers for a while. It enables a router's admin to create a virtual network (VLAN) which will act as different network than the primary one; even if they are resident on the same physical router. The enterprise could isolate other network-using devices with this technique such as printers, which have been hijacked in much the same way as a router can be.

Router maker Ubiquiti has blogged about the specific steps needed to create such a VLAN. First, the VLAN is created and ID'd. A Gateway/Subnet tag is then selected for it. Establishing a DHCP service map between the ports on the router and the IP of connected clients is the next task.

Activate the VLAN with all the choices that have made by assigning it a port on the router.

The last major step is to block traffic from the new VLAN to other networks. This is done by changing the firewall of the router. It is necessary to create a new rule for the firewall that includes the identity of the network that you wish blocked from communication with the other. If done right, all traffic from all other networks to the new network is allowed, but no traffic is allowed to be initiated from the new IoT VLAN to the sensitive network that is connected.

The FBI's Oregon office is trying to bring security to users, and for that it should be commended. But the simple format that it uses in this effort may need more detail about things that can be done, and where users should go to get them done.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11583
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-11584
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-5770
PUBLISHED: 2020-08-03
Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.01 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5771
PUBLISHED: 2020-08-03
Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious backup archive.
CVE-2020-5772
PUBLISHED: 2020-08-03
Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious package file.