Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

12/10/2019
09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

FBI's Portland Office Spies IoT Education Opportunity

The Federal Bureau of Investigation's office in Portland, Ore., uses 'Tech Tuesday' to offer IoT security advice.

The Federal Bureau of Investigation’s office in Portland, Oregon has started an effort that it calls "Tech Tuesday" to disseminate actionable security advice to users. Last weekit got around to the Internet of Things (IoT).

The FBI concentrated its advice on limiting an IoT device's access to the Internet router that it uses, since an attacker can leverage the unimpeded path to the enterprise network that can be provided by a WiFi router for malicious activity. As far as the router itself goes, they strongly -- and wisely -- advise changing the router's factory administrative settings from the default passwords. The new passwords should be strong enough to protect the router as well.

However, the network itself needs to be secured. As Portland put it, "Keep your most private, sensitive data on a separate system from your other IoT devices."

Many unsophisticated users will think that this means two separate routers will be needed to establish the two differing networks. That approach will indeed work, but there is a better one.

"Micro-segmentation" has been around in WiFi routers for a while. It enables a router's admin to create a virtual network (VLAN) which will act as different network than the primary one; even if they are resident on the same physical router. The enterprise could isolate other network-using devices with this technique such as printers, which have been hijacked in much the same way as a router can be.

Router maker Ubiquiti has blogged about the specific steps needed to create such a VLAN. First, the VLAN is created and ID'd. A Gateway/Subnet tag is then selected for it. Establishing a DHCP service map between the ports on the router and the IP of connected clients is the next task.

Activate the VLAN with all the choices that have made by assigning it a port on the router.

The last major step is to block traffic from the new VLAN to other networks. This is done by changing the firewall of the router. It is necessary to create a new rule for the firewall that includes the identity of the network that you wish blocked from communication with the other. If done right, all traffic from all other networks to the new network is allowed, but no traffic is allowed to be initiated from the new IoT VLAN to the sensitive network that is connected.

The FBI's Oregon office is trying to bring security to users, and for that it should be commended. But the simple format that it uses in this effort may need more detail about things that can be done, and where users should go to get them done.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...