This one has been a long time coming! To be honest networking is not my strength. It’s one of those areas where I wish I’d been a network admin to work out some of the practicalities of different network models, but here goes anyway!

DNS

DNS is short for Domain Name System. Essentially it’s the same principle as the address book in your mobile phone. Rather than you having to remember all the phone numbers of the people you know, you can just look up their name, tap a button and you are instantly phoning them. You may be one of the people that take pride in memorising peoples phone numbers (if they still exist), but imagine for a moment that your address book contains millions of names, that would be pretty much impossible.

The DNS system does the same for the internet, it takes the domain name you enter, or click on in a search, and converts that to a server address that the network and routers that are tasked to get you to the site will actually understand.

To give you an example of this, we all know google.com, but would you remember it’s IP is 142.250.217.110 (when I checked anyway, but yours may be different – use https://www.site24x7.com/find-ip-address-of-web-site.html to find out). You can enter that IP directly in your web browser and you will end up at Google. It’s a lot easier remembering google.com though.

So what has this got to do with security? Well you can imagine that if a malicious person was substitute their own entries into DNS, they could send you anywhere they wanted rather than to the site you were expecting. For example you could change google.com to point to 40.89.244.232, which is duckduckgo.com. Arguably this would be a better choice, but it’s not where you wanted to go. Now imagine if you could create a fake bank site and send someone to login to that rather than their actual bank. All of a sudden the person being attacked has just handed over their bank username and password to the attacker!

DNS can also be a great security measure to stop phishing attacks. There will be more of this later, but imagine a smart DNS system that could check a link you just clicked and say “STOP, that site is potentially malicious”. Even more than that, online advertising can be a source of malware too. DNS can block that for you.

Recommendations for DNS

The great thing about DNS is that you can set where these addresses are looked up on your router, so you can protect your network and users just by moving from default DNS settings that probably your ISP controls to something a bit more secure. There are loads of options you can consider, and I won’t be able to go into all of them here. I would encourage you to do some digging around for yourself though.

DNS servers that deserve special mention though include: –

Open DNS – These are one of the first providers I became aware of and used for some time. Their Prosumer small business account on https://www.opendns.com/home-internet-security/. You can see that they offer many of the features mentioned above.

Pi-hole (https://pi-hole.net/) – A role your own solution which requires you to have a small raspberry pi based system on your network. This gives you amazing control of your DNS and your network in general, for the amazingly low price of free, plus the cost of the raspberry pi and the cost to power the device.

Synology NAS DNS Server – I must admit that I’m a bit of a Synology fanboy! They provide some great hardware and software combinations that are hard to beat. I haven’t played with the DNS server system available on their NAS, but it would be a good combination if you are already running their system for storage (more later).

NextDNS (https://nextdns.io/) – For me, NextDNS hits the mark! It has all the features we mentioned above and a few more besides. It’s easy to protect your mobile devices when you are out on the go using their straightforward app, their privacy policies seems to be solid and it’s really cost effective (https://nextdns.io/pricing). For me, I can get away with the Pro account that costs just US$30 per year! That’s a real bargain for what it offers.

As you can probably tell, I am an NextDNS user, so the next section will go through the settings I use for my account: –

NextDNS Features

First things first. If you chose to use an online DNS system, you need it to be fast! There’s no point in picking a secure system, if each DNS query (and there are a lot of them) is so slow, your whole network slows as a result. If you go to the bottom of the NextDNS homepage at https://nextdns.io/, you will see a map and an indication of the response time for a DNS query. Make sure your on a reasonable network and check to see there’s a server near you and that the response time is quick.

Once you have created an account, there’s an array of settings, some of which are on by default and others not. Settings to note, and that’s essentially all of them, include: –

• Use threat intelligence feeds – these are lists of known malware that are updated in real time. You need this one on.
• AI driven threat detection – although I’m not sure how this could work, I have it switched on anyway!
• Google Sage Browsing – Google looks at millions of websites per day and identifies any that are unsafe. Switching this on will use Googles list and block access to these sites and will not allow bypassing of this block (which you can do in the browser).
• Cryptojacking protection – Enabling this will stop your device being used to mine (generate) cryptocurrency.
• DNS Rebinding Protection – this stops your device from obtaining data from other devices on your network. There’s a great description of DNS Rebinding at https://www.paloaltonetworks.com/cyberpedia/what-is-dns-rebinding, but it’s safe to say, you want it on.
• IDN Homograph Attacks Protection – This uses similar but different letters to the genuine domains to make it look like you are logging onto an known website, when really you are logging in elsewhere.
• Typosquatting Protection – This is similar to the above, but is based on common misspellings like fcaebook.com instead of facebook.com.
• Domain Generation Algorithms Protection – Blocks domains generated often by malware so that the malware can “phone home” for control information.
• Block Newly Registered Domains – This one of not on as standard, however I have it switched on. It blocks domains that have been registered less than 30 days ago. This can be a problem if you are say in the business of generating websites, but my experience is genuinely positive in that I don’t see many false positives. Newly registered domains are often used in phishing attacks etc.
• Block Child Sexual Abuse Material – turn this on!

Heading into the privacy settings there are also some useful things to switch on. In my system I have NextDNS blocklists switched on which is the default, but click on the “Add a blocklist” button and you can also add other lists too from a huge range they have available.

I have not got native tracking protection turned on, but you can block tracking for Windows, iOS, Amazon Alexa, Samsung etc. I have an iPhone and I know the standard lists already blocks a lot. You have to give them something for their ‘free’ software I guess!

Blocking third party trackers disguising themselves as first-party is a good idea, but can give you some odd results if you are a web developer like me. I have it switched on though.

Lastly on this page is the setting to Allow Affiliate & Tracking links. You often see these for product reviews etc and I would guess that NextDNS strips off the tracking component, usually added after the ? in the url. This one is a difficult one! If you look at a lot of reviews before buying, it might be a good things to switch on and allow these, as it means the person writing the review will at least get paid for their work. Be careful though with this setting as unlike the others you switch it on to allow the links.

Parental Control Settings

You may think that parental control settings are not applicable to small business, but there are some useful settings in here that are not available elsewhere and can be used to improve your security. Before I go further though a lot will depend on what you have on your network and how you set up Next DNS.

If you set up NextDNS on your router, it will affect ALL devices on the network and any guest networks you set up. So if you have personal devices that may want to access content that you don’t want on work devices, you have probably to use NextDNS on a per device level, which is a shame as you lose it’s security and tracking benefits on other devices. So if you feel the need to use the type of security where sites and access are limited, you have to think carefully about your network segmentation.

So what are the main features of the parental control section? You can block specific or broad categories of apps and sites. Why is this a good idea? It’s not about your staff wasting time when they are supposed to be at work, it’s more about securing yourself from data exfiltration IMHO. Blocking access to things like Signal, Telegram, Messenger etc., may stop an attacker that manages to get into your network, or staff sending out data so that they can access things later on.

The other great setting in Parental controls is the ability to Block Bypass Methods. Essentially that tries to stop people trying to bypass all the controls you have set up in NextDNS. If you have a child at school, I’m sure you’ve heard of all the ways they try to get around schools sometimes overly restrictive filtering policies.

Deny and Allow Lists

These are self explanatory. However you may find that you need to add sites to the Allowlist that you might not necessarily want on there if sites don’t work as expected. For me for example, I had to add a bunch of Google domains so that I could access and use Google Analytics.

Analytics

This is the frightening bit! It gives an overview of exactly what is happening with your web requests. It also gives you the information you need to tweak your settings so the NextDNS works for you. The following is an overview of just one device on my network for the last 7 days: –

As you can see, there’s a lot of domains that are queried by Apple on an iPhone. On the blocked side on the right hand, NextDNS is blocking some icloud metrics, a bunch of what I assume to be in-app analytics tracking and a company called appsflyer which I must admit I hadn’t heard of, but also seems to be in-app analytics.

If you are experiencing problems in apps, this is a good place to look as you may need to add some of these to your allow list.

The other section in here that I find good to review is the map at the bottom of the page. This shows which countries internet traffic goes to. You can mouse over different countries to see what is going there.

Here you can see that at some stage this iPhone accessed an unexpected domain in Russia. This was actually a time server, so nothing to be concerned about, but you can imagine that if you see a large amount of traffic going to an unexpected country, you can block it in the Deny List.

Settings

I’m going to skip over logging at the moment as really you need to change some settings first. For a business I believe that it’s important to log, but not to use those logs for anything other than security. If you think you have a staff member that’s on social media all the time when they should be working. Talk to the staff member and maybe block social media in the parental settings, don’t look for evidence of what they have been doing in the logs. If you use logs wisely they will not be seen as infringing privacy, they will be seen as the security measure that they should be.

In settings I therefore have logging enabled and log both the clients IP and the domains. That way if a system does get hacked, you can trace that back. The retention period you set really depends on you. Mine is set to 3 months, but considering that a network intrusion may mean someone has been on your system a significant amount of time (sometimes over a year), you may want to extend that. My rule-of-thumb theory for 3 months is that its a long time for a relatively small business holding no state secrets!

I chose to hold data in the EU, just because their privacy controls are the strongest.

Other settings that are useful are setting up a block page. That shows the users what has happened if they just get a blank page (and it has happened).

One that I’m not sure about is Rewrites. This is a useful feature for many businesses when they can use NextDNS to route traffic to say internal subdomains. For example, if I had an intranet (which I don’t) and used an external service to provide that which had a url of say https://simonsintranet-wghdfwh.xyz123.com you may want to rewrite that to say https://intranet.webxopt.com. Much easier to remember for your users. However this comes with a down side. If someone breaks into your NextDNS account, they can redirect anything to anywhere! Make sure you add your 2 factor authentication to minimise the chances of this happening! I’d love to see NextDNS limiting this to say higher level accounts, or even creating a ‘super-admin’ that gives access to this feature but leaves it off the normal interface.

Lastly, assuming that you have set up your account correctly in settings you will see all DNS queries going through the system…and there will be a lot of them! You can search by device, use the search box to find particular urls, limit the results to blocked queries etc. I’d like to see a date range search in here too, but I guess as it’s only used occassionally, a bit of scrolling is ok.

How to Use NextDNS

The things I like most about NextDNS is that you can cover both your network and the devices that are used outside your network. My recommendation would be to add NextDNS to your router settings. That way all DNS goes through them, but you can just install on a per device basis. NextDNS provides instructions, but setting up on a router can be tricky! Don’t forget though to add their app you all devices that may go outside the network. That way they are still protected.

Does it Work?

The short answer is YES!

I have had 3 cases where people on the network had been tricked into clicking a link they shouldn’t have. In all cases NextDNS blocked the queries and they didn’t end up on the phishing sites they clicked on.

Next Article

The next article, we will take what we know from our router and look at segmenting your network. This is a really important step in keeping your work devices separate from everything else.

It has been a long road to this article! Knowing where and how to start, when this was the area I skipped over the most in my reasearch paper at Griffith Uni., has been a difficult thing to do. However, I finally realised that we should start at the start, and that’s the first and probable the most important piece of networking equipment, your router.

Routers

The router is likely the first piece of networking equipment we have as a small business. It is either separate from a modem, or you may even have a modem that connects into your router.

So what does a router do? Essentially, it’s all in the name! A router sends web traffic to or from a computer on your network. It’s what knows that when you request a web page in your browser, that it should send that to your computer and not to someone else’s. Routers however do many more things than that and are an vital part of your network security and performance. They block traffic that hasn’t been requested, stopping attacks and can segment your network for improved security (more later).

Routers also control our WiFi, which, if you are like me, is the way I handle my networking, as it’s just easier to do than running cables and is usually ‘fast enough’ that personally, I don’t need the hassle of running a super quick cabled connection. However, we will look at cabled networks later too.

The first thing to consider is the router you should use. When I joined my Internet Service Provider (ISP), they helpfully supplied a free router. My first rule of routers is that you should instantly put this to one side and go and buy something a bit better yourself. Why would you need to do this? Firstly because it is unlikely to be powerful enough to handle small business traffic and secondly, because it will not have many of the security features you require (and is often configured to allow your ISP into your network, which is a recipe for disaster).

Buying a Router for Business

I mentioned above that an ISP supplied router probably isn’t powerful enough for small business, so what exactly do I mean by that? The graph below shows the problem.

This looks a bit scary, but actually it’s quite simple. As more connections to the router are made, from either multiple or single machines, you move from the “Comfort Zone” into the “unresponsive” zone. This essentially means once you get past a certain point, no matter what the manufacturer or ISP claims, the response time will start getting worse and worse, your network will get slower and your work will become limited by the speed of your network.

So, not all routers are equal in other words. A cheap, low powered router typically supplied by an ISP might even offer WiFi 6e (latest at the time of writing) but will have a low end processor, that will run out of capacity quickly and likely put you in the “unresponsive” zone. They will still likely be outperformed by an older router with a higher end processor in a small business situation.

Routers I would recommend for small business, can still be bought at your local electrical store or Amazon, but may cost you a few hundred dollars, but they are worth it…really! A few hundred dollars down will make your life as a small business so much easier! I would recommend routers such as: –

• Synology RT6600ax – a great small business router with strong security features (the router I personally want)
• Ubiquiti routers – Amplifi
• ASUS RT-AX routers or similar
• Netgear Nighthawk
• Palo Alto Networks – Okyo Garde (I just like this one because of the security features, but have no experience with it)

Personally I have an ASUS router that I have found to be super fast and has a lot of the features I need built into their software. Yes I want the Synology RT6600ax and may consider an upgrade in the near future for it’s stronger security and network segmentation features (more later).

Router Configuration

I am not going to go through general router configuration, as they are usually pretty straight forward these days. However, getting back to security, there are a few rules you should follow: –

• Disable uPNP – this is a feature filled with security flaws that should never be enabled, or even allowed space on routers!
  
• Disable access from outside your network. However convenient it may seem, accessing your router configuration from outside your network is asking for trouble. Just disable it and sleep better at night!
  
• Change your routers default password. This one goes without saying.
• Activate auto update. Yes, the better routers update their software, and surprisingly often. Many routers allow you to set this to happen automatically at night so you don’t need to check for updates yourself.
  
• On a busy network, I would also set the router to automatically reboot every night to clear caches, find the optimum channels to operate in etc.

I would also encourage you to have a look around your router settings. On my ASUS I have enabled some antivirus checking (although could be a potential privacy concern) using AiProtection which is a service from Trend Micro and is free on the ASUS router I use. This isn’t blocking a lot if I’m honest, but it has blocked about 300 requests in nearly 3 years of operation. This isn’t my only protection that blocks malicious urls, but it is worth switching on anyway. I did mention above that there was a potential privacy problem. Essentially it isn’t clear what information Trend Micro gets and how they use it. If your work involves some sensitive sites or downloads, it might be better to switch this off and mitigate the risk of malware or scam risks using network segmentation.

Another useful router feature for security is to also enabled logs so that I can see traffic to individual systems. From a security point of view, this means you can potentially see changes in traffic that might mean data is being extracted from your system.

As you can see from the above, there was a large peak in traffic from 2/11 to 4/11. Looking at the client list shows that this relates to a new PC, which was updating and downloading some content. Looking more closely at that PC, I can see some of the bloatware that was removed after installation, and some that I now know I should remove (Clash of Clans).

At a later date you can see that there is an unknown client on the network that downloaded a significant amount at 19-20h. As it happens I know what this was, but this is the type of information that is useful to be able to see. Also it’s very important to keep an eye on uploads which may indicate that data is being taken out of your network.

Using Your Router for Security

Apart from network logging, which as you can see for the above, is very useful, there are also other great features of most routers you can use for security. My favourite of these is looking at device lists and from those identifying devices where you segmenting your network.

The most obvious example of network segmentation is the ability to create “Guest Networks”. The Guest network is a great thing! You can totally isolate devices on the guest network from your business devices on another network. This leaves things you can’t control isolated from things you can. I’ll give a couple of examples of guest networks for you to set up.

IoT (Internet of Things) Network

If you are like me you probably have voice assistants, health monitoring devices, TVs, cameras etc that all need an internet connection. Many of these probably have old software that can’t or won’t be updated by the manufacturer. These are an attackers paradise!

Getting into your network via a security camera, may not seem likely, but it’s a typical way in for many attackers. Probably the most famous IoT attack was a Las Vegas casino which got hacked via a WiFi fish feeding device on their network.

We can learn from their mistake and make sure that all our IOT devices are isolated away from our business operations by setting them to all connect to an isolated guest network with access only to the internet.

Visitors Network

If your business or even your home often has visitors that need or want access to the internet, a visitors network is a great way to isolate their ‘uncontrolled’ devices from your business network.

If you have kids like me, you’ll know this problem well, when a friend of theirs comes over and wants to get on the internet as their mobile plan is running low, or they want to do their homework. They are more than likely using devices that are not well maintained or updated, may have ‘free’ versions of paid for software (which often come with extras you really don’t want), and at the very least, you do not know whether their device is a security concern or not.

This is an ideal case for a guest network. Why take the risk of potentially giving them access to your business machines if you don’t need it? Set up a guess network and just give them access to the internet connection they want.

Device List (Network Map)

This may seem like an interesting, but relatively useless section of your router software, but it is really the key to many areas of security and the network segmentation we mentioned above and protecting your business by segmenting your network into business groups (and non-business groups).

What does a network map do? It lists all the devices connected to your network. This will be your key to a lot of other network security we look at into the future, so it’s worth taking the time to look at it closely.

You can see my network here with 13 devices connected at the time. I have blanked out the names and MAC addresses for my safety, but the icons might give something away! You can see too that my router has divided the devices nicely into the 2.4GHz. 5GHz and a Guest Network.

What you will see in the clients names area is either the name of a device you recognise (eg your phones name) or a series of letters and numbers. The first thing you need to do is to be able to identify every item on this list. Those odd jumbles of letters and number are a computers way of identifying an individual item. This is what’s known as the MAC address, but as is, it’s pretty useless to you, so you need to translate that into something that you, as a person, can easily identify, like “Steves Laptop”. There are a couple of ways to do this. The first is to go through devices you know are on the network, but you can’t identify from the list and look for their MAC address in their settings. For example you can check MAC address: –

• On a PC in Settings, System, Network & Internet, click on the network you are connected to (WiFi or ethernet/wired), select your network, in the Properties section you will see Physical address (MAC)
• On an iPhone the MAC address is known as your WiFi address. To find it go to Settings, General, About and you should see the WiFi address.

Obviously this way has some issues as it can be quite time intensive for a larger number of devices. Personally, the approach I like to take is a bit more draconian! I warn everyone that I am about to cut off devices on the network where I do not know what they are, then I use the router controls to cut them off. Weirdly on my ASUS router, that is really easy to do on their mobile app, but I have yet to find similar controls on the desktop. As people jump up and down wanting their access back, you can go through the device list on your mobile, switching things on and off so that when they do get access, you know what you have just switched back on again. Take this time to adjust your router with a name for the device that you will recognise. This is again easy to do. In the case of my ASUS router, via their app.

In reality a hybrid approach to identifying devices connected to your network is probably best. Identify those you know are there using the MAC address method and those that you aren’t sure of by switching off their access. What I have found is that once you have done this once, keeping an eye on your network via a mobile app and just switching off access to anything new you don’t recognise is a good practical approach.

Exporting Device List

Another useful feature often found in a routers device list is an export feature. Make sure you do this and you should get a list that you can open up in Excel of the devices on your network. Please do this as it will be the starter for the next article on network segmentation.

Note that you might need to check this list a number of times as things go on and off your network on some routers. Others may keep a list of all devices that connect.

Summary

This has been a quick look through routers and their security options. As a summary: –

• Don’t use an ISP supplied router. Buy something more powerful.
• Disable uPNP and access from outside your network
• Change the default password
• Enable auto updates if this feature is available
• Use router based security unless there is a privacy reason not to
• Enable traffic logging to see unusual patterns
• Move your IoT devices and any home devices to separate guest networks
• Run through your devices list to identify all devices on your network
• Export the devices list for use in the next steps

The next article we will start to use the device list downloaded from your router to think about segmenting your network and keeps tabs on these devices to make sure they are not a security risk. We may also consider some additional router level security to protect all devices from malicious websites and links.

Part one of Securing Your Mobile looked at updating, your PIN, restricting access to messages, password managers and account breach checking. This week we are going to look at “SIM Jacking”, Authentication Apps and Security Keys.

Once you have been through these 2 articles and changed your phone settings accordingly, you will be A LOT more secure. Note that I’m not talking here about securing your device from attacks and spying on you as a person, but more protection against identity theft, leading to business account compromises.

After this week we will begin to look at devices on your business network.

SIM Jacking

SIM Jacking is similar to hijacking in that the criminal takes something that is yours, in the case your SIM card of your phone, and acquires it for themselves. This allows the criminal to receive all your calls and text messages including password resets sent to your mobile.

In practice SIM jacking has been far more common that the attacks mentioned in the part 1, which relied on your device being stolen, or lost. The advantage that SIM jacking has for criminals is that they can do it perform the attack from their home, or even another country, so there is little risk to themselves.

So how is SIM jacking typically carried out? This tends to be a “social engineering” attack. All that means is essentially that the attacker will do something like phone up your mobile phone provider and try to convince them that they are you, and that you have lost your phone and need a new SIM card. If they are convincing enough, the provider, being eager to help, will send a SIM card out and the attack is complete. There are also ways to bypass even this by using SMS online service providers to link up with your number. Essentially though the attacker wants access to your SMS messages so they can reset accounts and lock you out.

The good news is that many Australian phone companies are now waking up to SIM jacking and have started requiring a PIN number to grant access to your account (Telstra PIN). You have probably received notification about this if you use Telstra. If you have a business, make sure you set this up ASAP. There are instructions for doing this at https://www.telstra.com.au/support/account-payment/what-is-telstra-pin.

Although I’m not a customer, Optus at the moment does not seem to have a similar system to the Telstra PIN. I may be wrong here and please correct me if I am. However, I really hope that if they don’t have this protection, they get are acting quickly to require it, like Telstra.

It’s worth noting here that the same rules for creating a PIN that were mentioned in part 1 apply here too. Whatever you do, don’t pick a PIN from the top 10 list, your birth date etc etc as they are way too easily guessed. The most common PINS, and therefore the ones to avoid are shown again below: –

	PIN	Freq			PIN	Freq
#1	1234	10.713%		#11	9999	0.451%
#2	1111	6.016%		#12	3333	0.419%
#3	0000	1.881%		#13	5555	0.395%
#4	1212	1.197%		#14	6666	0.391%
#5	7777	0.745%		#15	1122	0.366%
#6	1004	0.616%		#16	1313	0.304%
#7	2000	0.613%		#17	8888	0.303%
#8	4444	0.526%		#18	4321	0.293%
#9	2222	0.516%		#19	2001	0.290%
#10	6969	0.512%		#20	1010	0.285%

Finally, for some interesting reading about just what damage can be done with SIM jacking, with little risk to the attacker, have a read through the below: –

• https://www.news.com.au/finance/money/costs/sydney-couple-lose-37k-after-leaked-class-list-exposes-them-to-scammers/news-story/3082fae1f9087364fdfaaf0b7cbdd8ef
• https://www.simprotect.org.au/

Authentication Apps and Devices

One common way that is often offered to secure your online accounts is 2-factor authentication.

Firstly we need to discuss what 2-factor or even multifactor authentication actually is. Traditionally we have always used a username and password to identify ourselves to websites. This is what is know as a single factor, the factor being your password, or “something you know”.

To verify further you are who you say you are we need other factors. These typically take the forms of: –

• Something you are
• Something you have

There are now other factors starting to be considered like “somewhere you are” and “something you do”, but those are not yet in normal use.

Typically at the moment we use the “something you have” factor and that is typically your mobile phone. You prove that you have your phone often by receiving a text message (less secure) or using an authenticator app.

You might also see some companies using the “somewhere you are” factor too. You have noticed this through services like Google, warn you if someone has logged in from a new location, and Lastpass which will actively prevent you from logging in if they have concerns your location is not somewhere they have seen before.

Authenticator Apps and Usage

There are quite a few different authenticator apps available for both iPhone and Android Phones. Common ones include: –

• Google Authenticator
• Microsoft Authenticator
• Twilio Authy
• Lastpass Authenticator
• Zoho OneAuth
• Duo etc.

The basic functionality is all pretty much do the same thing though. Allow you to scan a QR code (or enter a code manually) to set up the second factor. The authenticator app will then generate a 6 digit code that changes every 30 seconds which you need to enter into the site you are signing into. Because the code changes every 30 seconds, it is not something that you can guess and so it proves that you have the device with you and that you are you.

Once you have your code set up, logging in is as simple as using your normal username and password, then you are asked for the 6 digit PIN generated by your app.

There are a couple of issue with authenticator apps on your phone and they both really relate to the same thing. If you are signing into a service on your phone, there’s a good chance that the something you know and something you have are actually on the same device. For example, if you use Apples keychain to sign into a device, and that requires a 2nd factor, the factor is on the device that is signing you in, so really all you have is a single factor, something you have. For this reason it is very important to use a phone secured with a strong password, and make sure you have FaceID, TouchID or an App specific PIN set up in your authenticator app.

That said, if your phone password is compromised, you would still be in trouble, so my advice would be for important accounts like email, use your authenticator on a second phone or Security Key that you maybe keep in a drawer and is not commonly used.

For larger companies with multiple employees that need access to the second factor, managing this can be a real problem. I know multiple companies that do not tend to set up two factor authentication, despite knowing the risks, just because of those painful calls and messages as you are trying to get the second factor before the login attempt times out. For those applications there is a solution…security keys.

Security Keys

A security key, or multiple security keys are by far the best way of securing your accounts with Multifactor authentication. What is a security key? They often look like USB drives as shown below

These security keys are from Yubico (https://www.yubico.com/), the leader in the field. You can see that hey are available with  USB-A, USB-C and Lightning connectors and some are available with NFC wireless connections. There are even some that have fingerprint readers built in to give you yet another factor.

Security keys are used to authenticate against the FIDO2 standard most commonly and dramatically cut down successful attacks on those accounts (Google says to zero). The only problem is, many things you sign into, are not compatible FIDO standards, such as a typical WordPress website.

Yubico’s solution is to build into the key an authenticator system that relies on an outside app (Yubico Authenticator) to generate one time passwords.

Having used a Yubikey for the last 6 months, I am convinced that the Yubico Authenticator offers not only a workaround solution for one time passcodes, but a superior way to manage small business 2^nd factor authentication. This is because multiple Yubikeys can be set up with the same authentication codes. So the solution is: –

• Buy at least 2 Yubikeys. One will be for the business owner and the other for “the office”
• Download Yubico Authenticator to all devices
• Add the second factor codes into both Yubikeys for all accounts
• The office Yubikey can be kept in a central location, maybe attached to a tracking device so it can be found if lost.
• If an office worker needs to log into account that requires authentication, they can fire up Yubico Authenticator on their device, plugin in the Yubikey to generate the code to login, then return the key to a central location. No calling round and hoping the person with the phone isn’t busy, just a simple, secure login process.
• Why the second key with the business owner? In case the first key goes missing!

Google also supply their own security key, but the industry standard is the YubiKey (https://www.yubico.com/) as it supports the most devices, the most authentication methods and was the first device of its kind.

If you really want to be sure that your logins are secure or manage your 2^nd factors more easily in a small business, get a security key!

Summary

A quick summary of the above: –

• Secure your phone from SIM jacking using an account PIN.
• Use 2 factor authentication wherever possible when signing into an online account (typically you’ll find the option in Settings, Security).
• For easier management in the office and a more secure 2 factor sign in experience, get a couple of security keys such as a Yubikeys (https://www.yubico.com/).

Next week we will start to look at network devices including routers, switches, Network Attached Storage (NAS) and more.

Your First Line of Defence – Securing Your Mobile

Our first topic on securing your business may seem like an odd one, after all mobile phones aren’t really your primary way of integrating with a work-related network. However, with all security it’s necessary to look at potential weak point where your accounts can be broken into, and that is often your mobile phone. 

To understand the importance of your phone, think about how you would recover a password from say your webmail account. Typically you would visit a website and say that your password is lost and the webmail operator would often send you a text message with a link to set a new password. An attacker that had access to your phone or your text messages, they could simply request the same SMS reset, change your password and you would be locked out and they would have full access. From there, the world would be their oyster! They could reset email accounts and from there banking passwords, business accounts etc. All that just from access to your phone. 

This section aims to provide details on how to secure your phone and ensure that the weakest link isn’t the device you are most likely to lose. 

Updating 

Really there are 2 choices for you when buying a phone and that is iPhone or Android. The first thing to consider even at this initial purchase stage is will it be secure and for how long. 

With the iPhone you have a safe bet that there will be security support well into the future. At the time of writing Apple has just updated a phone 5 years old to the latest version of it’s operating system. That is well past the average length of time a phone is kept, so an iPhone is pretty safe. It’s also worth noting that security updates happen on iPhones even after that.

Android phones can be a bit of a mixed bag. Some of the major manufacturers are now guaranteeing 3 operating system updates and security updates during this time. Google, guarantees OS and security updates for 3 years (Google, n.d.) on it’s latest Pixel phones which to be honest isn’t that great when you consider Apples doing twice that. Samsung now guarantee security updates for 4 years.

Samsung, Motorola and Nokia are generally pretty good for Android in that they offer similar guarantees to Google, but other manufacturers can be a bit spotty. We should also add here that all these manufacturers run customised versions of Android, so security updates might take a while to apply. 

Unfortunately you can see where this is heading! Really if you want a phone that see’s regular security updates over a prolonged period of time, the iPhone is an obvious choice for you. If you will happily change your phone after 2-3 years, the choice is much wider. You should probably avoid some of the less well known manufacturers even though they often seem to offer great value for money. It really isn’t worth the risk if security updates only last a year (yes I’ve bought some of those myself).

I guess the other thing to mention is that once you see an update, particularly a security update, run it as soon as you can. The way an attacker looks at updates is that they can compare before and after code, work out what the problem is and use that to infect as many devices as possible in the time before the update is applied to fix a device. If you update early, the risk is therefore much lower. Again, unfortunately iOS has a big advantage over Android here. Apple updates are usually there and waiting the next day, Android updates can take weeks or months on none Google devices.

Your PIN – how secure is it? 

Once you have settled on your phone, you will need to set up security. Most phones now have facial recognition, fingerprint sensors or both, and you should definitely set those up. However they also have a fallback to a PIN or pattern. Patterns are often guessable by looking at the smudges on the phone and there are typical patterns that people use (https://arstechnica.com/information-technology/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/), so they may not as secure an option you may think.

PIN codes are also problematic because a 4 or 6 number PIN is just not long enough to guarantee security and again typical PINs are common (https://www.datagenetics.com/blog/september32012/index.html). You can see from this list that common PINs are single digits, easy to type sequences, birthdates etc. All sadly very guessable. In fact this was one of the things I had to change when initially writing this article. Although my PIN certainly wasn’t in the top 20, or even the top 100, it was definitely in the top 1000. The long and the short of it is that if you have a PIN code, it probably isn’t that secure. If you have one of the below, change it immediately!

	PIN	Freq			PIN	Freq
#1	1234	10.713%		#11	9999	0.451%
#2	1111	6.016%		#12	3333	0.419%
#3	0000	1.881%		#13	5555	0.395%
#4	1212	1.197%		#14	6666	0.391%
#5	7777	0.745%		#15	1122	0.366%
#6	1004	0.616%		#16	1313	0.304%
#7	2000	0.613%		#17	8888	0.303%
#8	4444	0.526%		#18	4321	0.293%
#9	2222	0.516%		#19	2001	0.290%
#10	6969	0.512%		#20	1010	0.285%

Many phones will have a setting to wipe the phone after 10 unsuccessful password attempts. That seems like a secure option, but as you can see from the above, a lot of peoples PIN numbers are very guessable and there are techniques available that interrupt that reporting back the unsuccessful password attempt (Cellebrite, n.d.). Essentially that means infinite attempts in an automated system that can guess multiple times a second. The result is cracking a PIN in “no more than 13 minutes for a 4-digit passcode, 22 hours for 6 digits, and 92 days for 8 digits. The default length prompted by iOS is 6 digits.” (World Socialist Website, 2020).  

When thinking about our PINs we are really going back to the early days of smartphone when we all tended to use short PINs because that was all that was available, and you had to enter it multiple times a day to unlock your phone. However in a world of facial recognition and fingerprint sensors, that is no longer the case. To make your phone far more secure swap your PIN for a password and make it reasonably long, maybe a short sentence with capitals and numbers. That will make your phone almost impossible to crack within a reasonable lifetime even with advanced hacking software like Cellebrite. 

The way to do this with an iPhone is simple, when you know how, but weirdly well hidden.

• Go to Settings, then do one of the following: –
  • On an iPhone with Face ID: Tap “Face ID & Passcode”
  • On an iPhone with a home button: Tap “Touch ID and Passcode”
• Tap “Turn Passcode On” or “Change Passcode”
• After you have added in your old passcode, you will probably see the typical iOS 6 digit PIN and number pad at the bottom (see image 1)
• Tap the “Passcode Options” and you should see the options as shown in image 2
• Tap the Custom Alphanumeric Code option and type in your new password.
• While you are in this area, check to make sure you have “Erase Data” switched on, so that 10 failed attempts at your passcode will erase your phone data.

Having lived the “Alphanumeric” life for the past 6 months or so, I can tell you that you hardly notice the difference. For the vast majority of the time FaceID or TouchID do the unlocking, and you only every need to enter your password very occasionally.

I should note here that there is strong integration between an iPhone and an Apple Watch, so you should similarly strengthen your Apple Watch security. That is a more painful experience, so you might like to take the alternate approach of switching off mobile network coverage, so that if your watch is lost, it’s hopefully out of range of your phone and can’t receive reset text messages. Alternatively, just buy the cheaper Apple Watch!

On Android the change from a PIN to a password is more obvious. Although note that depending on the version of Android and the phone you have, this procedure may be different.

• Go to settings, then tap “Security and Location”
• In the Device Security section tap “Screen Lock”
• Enter your existing PIN and you should be taken to a “Choose screen lock” menu
• Tap Password
• Agree that this password should also be used for Secure start-up, then set your password.

Why is this so important? Well the fallback security method in all cases is that PIN, so if you have set your bank, password manager or authenticator app to use say Face ID and your camera is covered, it will ask for your PIN instead, so an easy-to-guess PIN opens up every app you want to keep secure on your phone. 

Restrict Access to Messages 

Another convenience that is also a security issue is that ecosystems such as iOS often let you access messages, from other devices. So it’s important to make sure that you have similar PIN/Password setting security on other devices or if that’s too much of a problem (say it’s you child’s iPad), then check your iPhone settings to make sure verification messages are only appearing on your device: – 

• In iOS go to Settings then scroll down and tap Messages.
• Tap “Text Message Forwarding”
• You should see a similar screen to the below (image 3). Make sure all of these are off and your recovery messages will only appear on your phone.
• While you are here, go to Settings, Phone and make sure “Calls on Other Devices” is off so that recovery calls can’t be picked up on other devices.
• Lastly, and this one can be a bit of an inconvenience, you need to make sure messages that may reset accounts aren’t visible via a notification when the screen is locked. To do that go to
  • Settings
  • Notifications
  • Scroll to Messages
  • Scroll down to Lock Screen Appearance and make sure Shows Previews is set to “When Unlocked”. You still get a notification that you have received something, but you can’t read exactly what it is until the phone is unlocked.

Password Managers – an essential tool 

Ok, so I am going to say the unthinkable. I would rather change browsers than change my password manager. I really think that much of them. What do they do? It’s really all in the name, they allow you to: – 

• Store all your passwords in one location. 
• Have access to your passwords in a way that you only ever have to remember the password to your password manager. 
• Set long, strong and non-repeating passwords easily for any site. 

Most people not using password managers choose a potentially insecure method of setting passwords. They either have a standard password they use on almost everything, or they have a technique that used a standard password part and something that is customised to the site. For example in Google they might choose the password “MyPasswordOnGoogle”.  

Both of these methods of choosing passwords are fundamentally flawed if ANY sites you use are compromised. If you use a standard password and that becomes know, it’s very likely hackers will try that password on other sites. Even worse, if the email associated with the account is say a Gmail account, they will likely try the password there too. Once you lose control of your email, all bets are off as they will be able to reset bank passwords and more using your email as verification. A password technique that includes the site name would suffer from the same issues. 

These days you are very likely to have your email address on 2 or 3 sites that have been compromised, so you can see how important it is not to duplicate passwords. Don’t think these need to be small sites that are compromised either. Yahoo, Adobe, Optus and many other large corporations have been compromised. Recently, T-mobile in the US had a data breach for 50 million customers (CSO Online, 2021 ). This included names, date-of-birth, email, phone numbers, social security numbers, driver license numbers etc. The Optus hack currently in the news is very similar. In other words everything needed for identity theft and to apply for credit at other locations. If you have the same password on that account as you have used elsewhere, you can be sure that there will be compromise attempts on other accounts you own too. Don’t think large companies are any more secure than the smaller ones when it comes to protecting your security, they may have more procedures in place, but as we know, they are bigger targets and all companies can make mistakes and leave account details open. 

Password managers are a great solution to the problem of password management though now have some add on features such as: – 

Automatic generation of long, strong passwords

Phishing protection as a password manager won’t be fooled by lookalike domains that are often used to try to get you to login to a fake site so that they can steal your password details

• Automatic password completion on a site.
• Secure note storage
• Secure file storage
• Secure password sharing
• Security alerts on compromised accounts

As a business, secure password sharing is a great feature. It allows you to give others access to sites, without giving them the password. These features can come at a cost, but it is generally small and well worth it. 

Recommended password managers include: – 

• Lastpass 
• 1password 
• Dashlane 
• Bitwarden
• Apple’s keychain – which is now available cross platform as long as you are a Chrome user (Apple, n.d.)

There are now moves to create a passwordless login system based on your mobile phone. This will help significantly with password management, as essentially you won’t need to have passwords to manage. This will take time to roll out, but in the meantime, get a password manager, they are one of the few things that both increase your security and convenience.

Account Data Breach Checking 

One of the features of many password managers is that they check the dark web to make sure that your account hasn’t been involved in a data breach. Lastpass include this feature in their Security Dashboard, Dark web monitoring section as an example. What they will do is look at all the email in your account and check to see if they have been involved in any known data breaches. They actually check email against the “have I been pwned” site (have I been pwned, n.d.) databases. 

Have I been pwned is a site that has been around a long time and is maintained by Troy Hunt (a Gold Coast resident). As good as the email checks through a password manager is, as a business it’s a good idea to know more about the business domain, and that is where the “have I been pwned” site has some great features. The Domain search (https://haveibeenpwned.com/DomainSearch) feature is invaluable for business. It allows you to add in your business domain name and your email address, it will then monitor your domain and let you know if any email in that domain has been compromised. Even better this is a free feature on the site. 

If you do see a notification email from the have I been pwned site, it very important to jump on it quickly and either change the password for the site you have been warned about, or delete your account on the site if you are no longer using it. 

Securing Your Mobile Part 2!

At this point I’m realising that this article is pretty long and we still need to cover SIM Jacking, Authentication Apps and Security Keys. That means a part 2 next week!

Summary

A quick summary of the above: –

• Update your phone as soon as updates are available
• PINs are the fallback method of identification and are not secure enough. Change your PIN for a password. With face and fingerprint security taking over most of the time it’s only a slight inconvenience for a massive bump in security
• Limit access to text messages that may include reset codes for accounts
• Get yourself a password manager, one of the few devices that make security more convenient
• Check your domain for compromised accounts using https://haveibeenpwned.com/DomainSearch
• Read next weeks article on SIM Jacking, Authentication and Security Keys! I had to add that one!