Cybersecurity & Older Devices - What Do You Do?

[chemistk]

I just came across this article today:

https://gizmodo.com/dont-panic-but-wi-fis-main-security-protocol-has-been-1819501001

In a nutshell, there's a new vulnerability that's been identified in what were previously pretty secure forms of WiFi encryption. In theory, if you use WPA2  encryption and someone with the know-how is in range of your network, they can intercept your traffic and steal your credit card numbers, passwords, etc.

This is not the first major vulnerability discovered on the hardware end of things. Earlier this year Android devices with bluetooth always left on were discovered to be vulnerable:

http://bgr.com/2017/09/13/bluetooth-blueborne-hack-android-ios-windows/

Of course this is not the first time, nor the last time, that a major vulnerability was discovered. A lot of this (on the latest devices) gets patched relatively quickly, but I bring this up because a lot of folks on here use older equipment that may not be updated quickly (if at all).

Take me, for example: I have a carrier unlocked Galaxy S5 that no longer can receive OTA updates. The moment I jumped off ATT, I could only update my phone in a Best Buy Store. Now that's been taken off the table, too. My Wi Fi router is almost 6 years old and I know it won't be given any new firmware updates.

I'm running a bit of a risk by having outdated hardware. I play it safe though and have Wifi and bluetooth turned off almost all the time, and in order to be in range of my wifi at home, you would have to be at my front door or at the back porch.

So I'm curious, how do folks around here feel about this kind of stuff? Does it compel you to upgrade if you can't get security updates anymore? Do you have any workarounds that you use to protect yourself?

[chemistk]

Bumping this thread because of the latest security nightmares going around (Spectre and Meltdown).

I'm still on the fence about upgrading my phone. It does concern me to a larger degree now that I still will not be able to easily update my phone (I would need to root it  which I can't have for work, or send it to Samsung and have them manually flash an update), but I don't know whether the effort outweighs the slim risk I carry.

So I'll ask again, if you knew that your phone/computer/etc. was not secure and that the most reasonable way of securing it was to purchase a newer device, would you do it?

[kaizen soze]

I have recently given this topic some thought. My smartphone does not support device encryption, which is a security problem. I use it for everything, including banking, email, and online shopping. If someone steals the phone they may find it somewhat trivial to get sensitive information off of the phone. What is my risk? It's really hard to know.

The only answer I have come up with is to educate yourself as much as you reasonably can, and then do whatever helps you sleep at night.

As for workarounds with your WiFi situation, have you considered putting VPN service on your devices that use the WiFi? Just one idea. It's not 100% secure but nothing ever is.

[Syonyk]

I think, given the nature of Meltdown and Spectre, that it's quite stupid to use devices that no longer get updates in a network-connected manner ("On the internet").  It has been for a while, as bugs regularly show up that allow an attacker full control over your hardware, but these are especially bad.

I know it's not a popular policy around these forums, but I decided about a year ago that the risks of not having updated devices outweigh the cost savings.  It's not expensive to buy a device that still gets updates - Chromebooks are a good example here for basic internet access.  If there are devices that don't get updates, don't use the internet on them, period.

The advancement of banking focused malware (some of which can compromise both a phone and a computer to suck two factor auth as needed) is quite a risk for people who use outdated computers and online banking, and the other various bits of trouble malware can cause are substantial as well.

I just consider some level of "keeping my tech current" to be part of my general budget.  That doesn't mean going out and buying the latest phone every year, but it does mean that everything I own is running an updated OS.  That may not be official (I've had to rather shoehorn High Sierra onto my old 2008 Macbook Pro), but I'll simply sell (or donate) a device now before it ends official OS support.

If something is used for very, very specific purposes, an old OS is probably OK, but not for general use.  I don't worry too much about some old iPads our church uses for kids checkin (they access one specific website on a weekly basis in locked down kiosk mode).

[chemistk]

I have recently given this topic some thought. My smartphone does not support device encryption, which is a security problem. I use it for everything, including banking, email, and online shopping. If someone steals the phone they may find it somewhat trivial to get sensitive information off of the phone. What is my risk? It's really hard to know.

The only answer I have come up with is to educate yourself as much as you reasonably can, and then do whatever helps you sleep at night.

As for workarounds with your WiFi situation, have you considered putting VPN service on your devices that use the WiFi? Just one idea. It's not 100% secure but nothing ever is.

I'm probably just going to get a new router soon regardless. Something like that, manufactured in 2012 and last updated in 2012, is just a security nightmare waiting to happen.

It all boils down to how much risk you feel you're exposing yourself to and how much risk you're willing to tolerate. I keep trying to find excuses to keep my Galaxy S5, despite the broken micro USB jack (I charge the batteries outside the phone), the broken headphone jack (who needs 'em), and the outdated Android Marshmallow OS. This might be the year I finally get something up-to-date, but I don't want to part with something that works just fine for now.

[kaizen soze]

With time spent many years ago in IT I generally err on the side of more security. Even if it means more expensive or upgrading sooner than is otherwise necessary. I agree that using known insecure tech for online banking and investing is cheap not frugal. If we're talking about someone still using windows xp, then yeah don't use that machine for anything sensitive.

I recently did some research into what happens if someone hacks one of my online financial accounts and steals from it. Vanguard for example will make you whole as long as you take certain basic precautions such as never giving someone your password. I'd suggest that people review these policies to make sure they are at least following these basic guidelines for whatever financial institutions they do business with.

[TomTX]

I know it's not a popular policy around these forums, but I decided about a year ago that the risks of not having updated devices outweigh the cost savings.  It's not expensive to buy a device that still gets updates - Chromebooks are a good example here for basic internet access.  If there are devices that don't get updates, don't use the internet on them, period.

We're with you on that one. We just chucked a perfectly functional and fast router/firewall because it never had any security updates and had vulnerabilities.

[Sibley]

Well, can you update routers? That might be the better option.

[Syonyk]

Well, can you update routers? That might be the better option.

That depends entirely on the routers.

Some, yes.  Some, you might get an update or two but a few years into use, they're abandoned by the manufacturer.

Part of the reason I run Mikrotik gear at home (goofy to configure, but I've used them for decades and know my way around them very well) is because I can rely on getting regular updates for the devices.

[TomTX]

Well, can you update routers? That might be the better option.

You can if the manufacturer offers updates. Often they don't.

[kenner]

There is open source fw for routers that can be used to update old ones if the hardware is still good.  DD-WRT is my usual choice when I'm setting a network up for people who aren't particularly technically savvy (Linksys routers started shipping with a version of it a year or two back so it's not too unfamiliar looking),  but there are plenty of other options depending on your router type/preferences.

[Alittlehelpgoesalongway]

Syonyk

As I was reading the posts through this thread I noticed you updated your old 2008 Macbook to High Sierra- I really need to do this as I am on OS X 10.7.5- Any chance you can run me through the steps to get this old mac back up to date? Or does anyone have a thread out there to walk me through the steps?

Thanks!

[Optimiser]

Can anyone recommend a reasonably priced secure router?

[Syonyk]

As I was reading the posts through this thread I noticed you updated your old 2008 Macbook to High Sierra- I really need to do this as I am on OS X 10.7.5- Any chance you can run me through the steps to get this old mac back up to date? Or does anyone have a thread out there to walk me through the steps?

http://dosdude1.com/highsierra/

You may or may not be supported - if you're not, I can't offer any help.  It's not a particularly difficult process, but it isn't exactly fire-and-forget.

Can anyone recommend a reasonably priced secure router?

Anything Mikrotik.

... except that unless you've spent a lot of your life in Linux firewall rules, you won't be able to set it up. :/

[nick_mmm]

It all boils down to how much risk you feel you're exposing yourself to and how much risk you're willing to tolerate. I keep trying to find excuses to keep my Galaxy S5, despite the broken micro USB jack (I charge the batteries outside the phone), the broken headphone jack (who needs 'em), and the outdated Android Marshmallow OS. This might be the year I finally get something up-to-date, but I don't want to part with something that works just fine for now.

I had to comment, I am doing the same with my S5 and mine does not consistently charge via USB anymore!  I seriously think sometimes it was the last good smartphone with a replaceable battery.

I think in general, be smart about what you do on your devices and how they are configured can have big benefits, and matters at least as much as having an up-to-date device. For example, most Windows security vulnerabilities the past 5+ years, require someone running as a full-administrator, or visiting a "specially crafted" website.

-- some basics:
1) Don't go to unfamiliar websites, use an adblocker.
2) Change default passwords on all devices
3) Do not use dictionary passwords
4) Configure 2-factor auth for accounts you care about, like banking, email, anywhere you store your CC number, etc.
5) Avoid phishing
6) Try to avoid reusing passwords
7) If you learn of a major hack of one of your accounts, make sure to change any other accounts using the same password!
8) If something does not need internet access, don't connect it!

I do not have a number, but I would bet these type of behavioral changes matter as much or more than having the latest security updates.   

Whenever possible, update/replace devices that cannot get updates anymore or remove internet access from them.  It helps if you follow the "mustachian" lifestyle and do not have a lot of devices to begin with... who needs a wifi lightbulb?

[Syonyk]

I think in general, be smart about what you do on your devices and how they are configured can have big benefits, and matters at least as much as having an up-to-date device. For example, most Windows security vulnerabilities the past 5+ years, require someone running as a full-administrator, or visiting a "specially crafted" website.

-- some basics:
1) Don't go to unfamiliar websites, use an adblocker.
2) Change default passwords on all devices
3) Do not use dictionary passwords
4) Configure 2-factor auth for accounts you care about, like banking, email, anywhere you store your CC number, etc.
5) Avoid phishing
6) Try to avoid reusing passwords
7) If you learn of a major hack of one of your accounts, make sure to change any other accounts using the same password!
8) If something does not need internet access, don't connect it!

I do not have a number, but I would bet these type of behavioral changes matter as much or more than having the latest security updates.   

Whenever possible, update/replace devices that cannot get updates anymore or remove internet access from them.  It helps if you follow the "mustachian" lifestyle and do not have a lot of devices to begin with... who needs a wifi lightbulb?

Sorry, not running the latest security updates usually means you have known-exploitable local root exploits, or browser exploits, or other stuff that means your advice is basically worthless.  Ad blockers don't block everything, and an awful lot of attacks rely on people not updating stuff.  The bulk of successfully used exploits are known and fixed - 0-days are fairly rare.  But users don't update.

Your advice is helpful, but is not a replacement for regularly applying updates to devices.

[Alittlehelpgoesalongway]

Syonyk

I just wanted to say thank you for the response, unfortunately I am not supported.  Guess I'm on to researching new computers...yay

Thanks again for the help, its greatly appreciated 

[Syonyk]

No problem.  I don't use that for much network access either...

There's no real risk in keeping an older box around for local network only stuff, just don't use it on the internet.