Set up Chrome Browser Cloud Management

Enroll cloud-managed Chrome Browsers

After you have access to your Google Admin console, here's how to enroll the devices where you want to manage Chrome Browsers. You'll then be able to enforce policies for any users who open Chrome Browser on an enrolled device.

Step 1: Generate enrollment token

  1. In your Google Admin console (at admin.google.com)...

  2. (Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token that will enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organization unit.
  3. At the bottom, click Add  to generate an enrollment token.
  4. In the box, click Copy  to copy the enrollment token.

Step 2: Enroll browsers with the enrollment token

Enroll browsers on Windows

Option 1: Use the Group Policy Management Editor

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, set CloudManagementEnrollmentToken to the generated token you copied above.

Clear the current enrollment if one exists using:
-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome to true

Notes:

  • The token must be set at a local machine level. It won't work at the user level.
  • If the machines you are enrolling are imaged from the same Windows source, make sure that you have used Microsoft's System Preparation tool (Sysprep) so that each enrolled machine has a unique identifier.

Option 2: Download the reg file

Click Download .reg file. The downloaded .reg file automatically adds the token and clears the current enrollment when run.

When you use the reg file, Chrome browser will still respect the CloudManagementEnrollmentMandatory policy in Option 1, blocking launch if enrollment fails. See the note above if you're enrolling machines imaged from the same Windows source.

Enroll browsers on Mac

Option 1: Use a policy

Push the token to your browser as a policy named CloudManagementEnrollmentToken. Setting policies on Mac devices requires the Apple Profile Manager.

Note: If you choose to manually set policies, be aware that Mac OS will delete the policy files on every sign-in. Learn more about setting up policies on Mac in the Quick Start Guide and help center.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory to true

Option 2: Use a text file

Push the token in a text file called CloudManagementEnrollmentToken, under /Library/Google/Chrome/. This file must only contain the token and be encoded as a .txt file, but should not have the .txt filename extension.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /Library/Google/Chrome/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

If a token is pushed using both methods above, Chrome will use the value present in the policy and ignore the file. The token is stored in a directory under the home directory on the user's Mac. Each Mac OS user must enroll separately.

Enroll browsers on Linux machines

The token can be pushed by creating a text file called enrollment_token, under /etc/opt/chrome/policies/enrollment. This file must only contain the token and nothing else.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /etc/opt/chrome/policies/enrollment/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

Step 3: Launch Chrome Browser and confirm enrollment

  1. After setting the enrollment token using one of the methods in Step 2, quit Chrome Browser (if it's open) and launch Chrome Browser on the managed device.
  2. Sign in to the Google Admin console (admin.google.com).
  3. Go to Device management  Chrome management  Managed browsers.  All browsers that have been launched with your enrollment token will appear in the browser list.
  4. (Optional) To see additional details, click a machine's name.

Notes: 

  • If you have multiple installations of Chrome Browser on a single device, they will show up in the browser list as a single managed browser.
  • Enrollment tokens are only used during enrollment. After enrollment, they can be revoked in the Admin console. However, enrolled browsers will still be registered.
  • On Windows, only system installations are supported because Chrome Browser requires admin privileges to register.

Just after registering, not many fields are populated. You need to enable browser reporting to access detailed reporting information. For more information, see Step 4: Enable Chrome Browser reporting.

Unenroll and re-enroll devices

To remove policies and to unenroll a device in Chrome Browser Cloud Management, delete both the enrollment token and the device token.

To re-enroll a device, delete the device token while leaving the enrollment token in place. The device token was created by Chrome during the initial enrollment. Make sure not to revoke the enrollment token. If you accidentally delete the enrollment token, create a new one.

Note: Unenrolling browsers from Chrome Browser Cloud Management doesn't delete the data that's already uploaded to the Google Admin console. To delete uploaded data, delete the corresponding device from the Admin console.

Questions

When are enrollment tokens used?

Enrollment tokens are only used during enrollment. They can be revoked after enrollment and enrolled browsers will still be registered.

Does this token enrollment process require admin privileges on Windows?

Yes. On Windows, only system installations are supported.

What gets uploaded during the enrollment process?

During the enrollment process, Chrome Browser uploads the following information:

  •   Enrollment token
  •   Device ID
  •   Machine name
  •   OS platform
  •   OS version

Why don't I see a Chrome management section in my Admin console?

If you have the legacy free edition of G Suite, Chrome management isn't currently available in your Admin console. Support for legacy free edition will be rolled out in the future.

source:
https://support.google.com/chrome/a/answer/9301891?hl=en

Sonicwall : Cryptojacking Apocalypse – Defeating the Four Horsemen of Cryptomining

Despite price fluctuations of bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

And the most covert of these threats is cryptomining via the browser, where popular forms of malware attempt to turn your device into a full-time cryptocurrency mining bot called a cryptojacker.

To help you creatively understand this trend, let me summon my classical training and be a little hyperbolic. If you see the cryptojacking wave as an apocalypse like some of their victims do, the Four Horsemen would be the four threats to your endpoint or business:

  • The White Horse: The energy it consumes or wastes
  • The Red Horse: The loss to productivity due to limited resources
  • The Black Horse: The damage it can do to a system
  • The Pale Horse: Security implications due to created vulnerabilities

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background (although your CPU performance graph or device’s fan may indicate something is not normal).

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking is being used to solve that challenge.

In April 2018, SonicWall started tracking cryptojacking trends, namely the use of Coinhive in malware. Over the course of the year, we saw cryptojacking ebb and flow. In that time, SonicWall recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. As published in the 2019 SonicWall Cyber Threat Report, volume dipped across the final quarter of 2018.

Global Cryptojacking Attacks | April-September 2018

The lure of cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60% of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

Am I infected by cryptominers?

Cryptominers are interested in your processing power and cryptojackers have to trade stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to defend against cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching cryptojackers like Coinhive was also a simple first step. But in February 2019, Coinhive publicly announced it was ceasing operations March 8. The service stated that it wasn’t “economically viable anymore” and that the “crash” impacted the business severely.

Despite this news, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques to fill the void. Cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the valuable lifespan of a successful attack.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

Source:
https://blog.sonicwall.com/en-us/2019/05/cryptojacking-apocalypse-defeating-the-four-horsemen-of-cryptomining/

Sonicwall : 4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against the WhatsApp app is not just a concern for its millions of global customers. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to corporate over VPN, SonicWall, for example, would be the endpoint where they establish the VPN Threat prevention (e.g., firewallsCapture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.

Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw

Nearly 1 Million Computers Still Vulnerable to "Wormable" BlueKeep RDP Flaw

Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft releases the security patch.

If exploited, the vulnerability could allow an attacker to easily cause havoc around the world, potentially much worse than what WannaCry and NotPetya like wormable attacks did in 2017.

Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems.

The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code and take control of a targeted computer just by sending specially crafted requests to the device's Remote Desktop Service (RDS) via the RDP—without requiring any interaction from a user.

Describing the BlueKeep vulnerability as being Wormable that could allow malware to propagate to vulnerable systems just like WannaCry, Microsoft released a security fix to address the vulnerability with its May 2019 Patch Tuesday updates.

However, the latest Internet scan performed by Robert Graham, head of offensive security research firm Errata Security, revealed that, unfortunately, roughly 950,000 publicly accessible machines on the Internet are vulnerable to the BlueKeep bug.

This clearly means that even after the security patch is out, not every user and organisation has deployed it to address the issue, posing a massive risk to individuals and organizations, including industrial and healthcare environments.

Graham used "rdpscan," a quick scanning tool he built on top of his masscan port scanner that can scan the entire Internet for systems still vulnerable to the BlueKeep vulnerability, and found a whole 7 million systems that were listening on port 3389, of which around 1 million systems are still vulnerable.

"Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines," the researcher says.

"That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry, and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness."

The BlueKeep vulnerability has so much potential to wreak havoc worldwide that it forced Microsoft to release patches for not only the supported Windows versions but also Windows XP, Windows Vista and Windows Server 2003, which no longer receive mainstream support from the company but are still widely used.

Not just researchers, malicious hackers and cybercriminals have also started scanning the Internet for vulnerable Windows systems to target them with malware, GreyNoise Intelligence said.

"GreyNoise is observing sweeping tests for systems vulnerable to the RDP "BlueKeep" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor," the tweetsays.

However, fortunately, so far no security researcher has yet publicly published any proof-of-concept exploit code for BlueKeep, though a few of them have confirmed to have successfully developed a working exploit.

Are you still waiting for me to tell you what you should do next? Go and fix the goddamn vulnerability if you are using one of them.

If fixing the flaw in your organisation is not possible anytime sooner, then you can take these mitigations:

  • Disable RDP services, if not required.
  • Block port 3389 using a firewall or make it accessible only over a private VPN.
  • Enable Network Level Authentication (NLA) – this is partial mitigation to prevent any unauthenticated attacker from exploiting this Wormable flaw.
Have something to say about this article? Comment below or share it with us on FacebookTwitter or our LinkedIn Group.

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware

Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide.

Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers.

The attack relies on the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner.

Upon successful login authentication with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download malicious payload from a remote file server and run it with SYSTEM privileges.

In the background, the payload leverages a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

"Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version."

The payload then installs a cryptocurrency mining malware on compromised servers to mine TurtleCoincryptocurrency.

Besides this, the malware also protects its process from terminating using a digitally-signed kernel-mode rootkit for persistence.

"We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology."

Researchers have also released a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.

Since the attack relies on a weak username and password combinations for MS-SQL and PHPMyAdmin servers, admins are advised to always keep a strong, complex password for their accounts.

Have something to say about this article? Comment below or share it with us on FacebookTwitter or our LinkedIn Group.

Trendmicro : Phishing Attacks and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.

Read on:

New Report Finds 25% of Phishing Attacks Circumvent Office 365 Security

As email remains to be a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number. 

New Twist in the Stuxnet Story

What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.

Cybersecurity Proposal Pits Cyber Pros Against Campaign Finance Hawks

A Federal Election Commission proposal aims to help presidential and congressional campaigns steer clear of hacking operations by allowing nonprofits to provide cybersecurity free of charge.

New Sextortion Scheme Demands Payment in Bitcoin Cash

Trend Micro researchers uncovered a sextortion scheme targeting Italian-speaking users. Based on IP lookups of the spam emails’ senders, they appear to have been sent via the Gamut spam botnet.  

This Free Tool Lets You Test Your Hacker Defenses

Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.

Ransomware Hits County Offices, Knocks The Weather Channel Offline

On April 18, the systems of The Weather Channel in Atlanta, Georgia, were infected by ransomware, disrupting the channel’s live broadcast for 90 minutes. 

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.

Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat

Trend Micro delves deeper into this vulnerability by expounding on what it is, how it can be exploited, and how it can be addressed. 

Hacker Dumps Thousands of Sensitive Mexican Embassy Documents Online

A hacker stole thousands of documents related to the inner workings of the Mexican embassy in Guatemala and posted them online.

Cybersecurity: UK Could Build an Automatic National Defense System, Says GCHQ Chief

The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.

Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

source:
https://blog.trendmicro.com/this-week-in-security-news-phishing-attacks-and-ransomware/

Trendmicro : Keep Your Smart Home Safe

Keep Your Smart Home Safe: Here’s What You Can Do Today to Secure Your Products

The Internet of Things (IoT) is transforming the way we live, work and play. You can find it in the fitness trackers you might be wearing to monitor step count and heart rate. Or the car you may be driving. But more than anywhere else, you’ll see IoT at home in an increasing array of gadgets: from voice-activated smart speakers to internet-connected baby monitors.

It’s estimated that 14.2 billion connected “things” like these are in use globally in 2019, which will rise to 25 billion in a couple of years’ time. There’s just one problem: if not properly secured, they could present hackers with new opportunities to sneak into your smart home through the cyber-front door.

So what are the risks—and how can you protect your home?

Governments take action

First, some good news: as consumers’ homes fill with ever-greater numbers of smart gadgets, governments are aware of the growing risks of cyber-attacks. In the US, California is leading the way with new legislation designed to force manufacturers to improve the security of their products. SB-327introduces minimum requirements such as forcing each user to set a unique device password the first time they connect.

Following hot on the heels of the Golden State is the federal government. Introduced in March, the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2019 doesn’t cover all IoT makers, only ones which sell products to the government. However, it is hoped that the law will have a knock-on effect with the wider industry, encouraging other manufacturers to raise their standards.

But it’s not only the US that is making moves to safeguard IoT users. The UK in May introduced a proposed new law designed to force manufacturers to adhere to key security requirements, covering things like unique passwords and security updates. In addition, retailers will only be allowed to sell devices with a clear label telling consumers how secure they are.

While Trend Micro welcomes any government moves to make smart home gadgets more secure, the truth is that it will take a while for these laws to take effect—and even longer for them to have an impact on the firms designing and building our connected devices. The US federal proposal will require a separate standards body to hunker down and draw up its requirements first, which could take months. There’s also a risk that when new laws take effect, the hackers will simply move on to use new tactics not legislated for.

That’s why consumers must act now to secure their smart home. Below we list some of the key threats and how to take action.

What’s the problem?

The more smart gadgets there are in your home, the greater the number of potential targets for hackers. Devices could be hijacked if attackers manage to guess or crack the passwords protecting them, or exploit flaws in the underlying software (firmware) that runs them.

This is made easier because some devices don’t require a user to install a password; they simply run with an easy-to-guess factory default. Many manufacturers also don’t issue regular updates (patches) either, or if they do, it’s hard for users to find out about and install them. And unlike your laptop/desktop and mobile devices, these IoT endpoints are typically too small to install AV on, further exposing them.

Finally, it’s not just the devices themselves that are at risk, but also the complex, underlying automation systems that link them together behind the scenes. This complexity creates gaps that bad guys are adept at exploiting.

So, to simplify, there are three main threat vectors facing home networks:

1) Physical danger

Devices could be remotely controlled by attackers to surveil the family. For example, by hijacking feeds from smart security cameras, or other sensors around the house such as smart door and window locks, burglars could work out when the property is empty. They could even remotely unlock doors or windows, if these are internet-connected — for example by cloning the owner’s voice and playing commands via your home assistant.

Cases have been reported in the past of hackers remotely monitoring smart homes. In one incident, a baby monitor was hacked and used to broadcast threats to the parents; while more extensive hacks of home security cameras have had their video content streamed online.

2) Data loss and malware

These same devices are also a potential gateway into the home network, which could allow hackers to grab passwords for your key online accounts like banking and email. Any data they collect on you can be sold on the dark web and used for future identity fraud. The router is in many ways the digital gateway to your smart home — the place where all your internet traffic passes through. That makes it particularly vulnerable to these kinds of attack. As well as data theft, hackers could be looking to spread malware such as ransomware and banking trojans.

One major router threat spotted in 2018 was VPNFilter—information-stealing malware which infected at least half a million routers globally by exploiting vulnerabilities in the devices.

3) Hijacked devices become botnets

In another scenario, your smart home gadgets and router are hijacked and remotely controlled not to install ransomware or steal data from your family, but to use in attacks on others. Typically, they become part of a botnet of controlled machines which are programmed to do the bidding of the hackers. This could range from launching denial-of-service (DoS) attacks on businesses to illegally mining for crypto-currency.

The most famous example of this kind of attack came in 2016, when the Mirai campaign managed to hijack tens of thousands of IoT devices by scanning for any exposed to the internet and protected only with factory default passwords. In an infamous attack, it managed to take out a key online provider, resulting in outages at some of the biggest sites on the internet, including Twitter and Netflix.

What to do next

All that said, there are some simple steps you can take today to help reduce your exposure to IoT threats. It should begin with taking time out to understand how your devices work. Are they password protected? How are they updated? Are they running unnecessary services which may expose them to attackers? A bit of research before you buy and install them will also go a long way to keeping you safe.

Here are a few best practice tips to get you started:

  • Change factory default passwords to strong and unique credentials.
  • Switch on two-factor authentication for even more log-in protection, if offered.
  • Regularly check for firmware updates and apply as soon as they’re available. This may require you to visit the manufacturer’s website from time-to-time.
  • Use WPA2 on your routers for encrypted Wi-Fi.
  • Disable UPnP and any remote management features.
  • Set up a guest network on your router, which will help protect your main network, its devices and data, from network worms and other malware inadvertently introduced by guests.
  • Protect your computers and smartphones with AV and only download legitimate smart home apps.

How Trend Micro can help

Trend Micro is here to offer you peace-of-mind when it comes to protecting your smart home. The first step is diagnostic: download our Housecall™ for Home Networks tool to check your network. It will run a comprehensive scan on all your smart home gadgets, highlighting any vulnerabilities and other risks, and providing helpful advice for keeping your network and devices secure.

Next up, install Trend Micro Home Network Security (HNS) for comprehensive protection on all your home devices. It blocks dangerous file downloads and malicious websites, protects your personal/financial data from theft, and will keep ransomware, phishing and other threats at bay. HNS provides instant threat notifications, lets you disconnect any unwanted devices from your network, and offers full control over your devices from your Android or iOS smartphone with the paired HNS monitoring app.

Watch our Trend Micro Home Network Security videos to find out more about how HNS helps protect your network.

Source:
https://blog.trendmicro.com/keep-your-smart-home-safe-heres-what-you-can-do-today-to-secure-your-products/

Ubiquiti Unifi reset to Factory Defaults

UniFi - How to Reset the UniFi Access Point to Factory Defaults


Overview


This article describes different methods of resetting a UniFi Access Point (UAP) to factory defaults. We'll discuss options to reset the unit via the UniFi Controller software, SSH, and physical reset. This article applies to all models and versions of UniFi Access Points, the location of the reset button in each different model may vary. Reference the specific Quick Start Guide of each product to locate it.

ATTENTION: Regardless of the method used, do not disconnect the device during the reset process.

Table of Contents


  1. UniFi Controller Reset
  2. SSH Reset
  3. Physical Reset
  4. Troubleshooting: UAP not Resetting
  5. Related Articles

UniFi Controller Reset


Back to Top

If the UAP has been adopted by the UniFi Controller, it can be reset from the controller. Do so by "Forgetting" the device.

  1. Log in to the UniFi Controller. In the Devices page, click on the UAP you wish to reset. This will open the Properties panel.
  2. Select the Configuration tab, and click Manage Device to expand.
  3. Click the Forget button. This will erase all configuration and history for that device, effectively resetting it.

SSH Reset


Back to Top

Access the UAP via SSH, and once in, issue the commands syswrapper.sh restore-default and hit enter. The UAP should quickly reboot with factory default settings. Remember to not disconnect UAP from power source during this process. See Related Articles below if you need guidance on how to SSH into a device.


Physical Reset


Back to Top

On the back of the UAP there is a small hole whereby a user can use a paperclip to depress a button and reset the UAP back to its factory default settings.

  1. Press and hold the reset button for 10 seconds while AP is connected.
  2. Release the button (the LEDs on the UAP will stop glowing).
  3. Do not disconnect the UAP from its power source during the reboot process.
  4. The UAP will restore factory settings.

Once the white LED (or amber LED, depending on your model) re-appears and remains steady, you can commence with UAP adoption once more.

NOTE: The location of the reset button might vary on different UAP models, find your device's in the Quick Start Guide. You can download the current Quick Start Guide in https://www.ubnt.com/download/unifi/ using the left hand menu to find the correct product and scrolling down to the Documentation section.

Troubleshooting: UAP not Resetting


Back to Top

If despite numerous tries to reset the UAP, the device will not reset to factory default settings please follow these steps to troubleshoot:

Firmware Problem

  1. Make sure you tried more than one of the methods described in this article and followed each step carefully.
  2. Consider the LED patterns of the UAP when attempting to recover. See Related Articles below for more information.
  3. Ping on 192.168.1.20 to see if device is on and back to default state.

Hardware Problem

  1. Swap out cables and PoE injectors.
  2. Ping on 192.168.1.20 to see if device is on and back to default state.

Source:
https://help.ubnt.com/hc/en-us/articles/205143490-UniFi-How-to-Reset-the-UniFi-Access-Point-to-Factory-Defaults

Ubiquiti Telnet Commands

telnet/ssh commands

UniFi Command Line Interface - Ubiquiti Networks

info                      display AP information
set-default               restore to factory default
set-inform <inform_url>   attempt inform URL (e.g. set-inform http://192.168.0.8:8080/inform)
upgrade <firmware_url>    upgrade firmware (e.g. upgrade http://192.168.0.8/unifi_fw.bin)
reboot                    reboot the AP

 

source:
https://community.ubnt.com/t5/UniFi-Wireless/Telnet-commands/td-p/1338536