Protecting Yourself Online

October 22, 2018


This week we are going to address how to stay safe online. This is an incredibly broad topic and I think I could write a book about it. The only problem with writing a book is that the threats change on an almost daily basis which means the defenses and tips change almost that fast.

So, we will address this topic at a high level and try to provide some good information.

During week 1 we talked about how to protect your network with network segmentation as the first line of defense against external and internal attacks.

This week, we’ll move to endpoint security: securing your operating system, web browsers, and online accounts, as well as some best practices and tips for staying safe online.

Endpoint security
Securing endpoints has always been a challenge as they have been a favorite target of attackers. The problem of vulnerable computers goes far beyond securing your computer and home network. Any Internet-connected computer that has been compromised could be used as part of a botnet to attack and take down other Internet systems or even slow down large parts of the Internet. Cybersecurity is bigger than all of us and is the responsibility of everyone for the good and welfare of the Internet at large.

Operating system security
Endpoint and operating system security is really made up of many things, but to keep this blog post from becoming a textbook, we will focus on the following four items:

  1. Whole disk encryption is basically encrypting your whole hard drive so that if someone steals or gains access to your drive, they cannot read any of the data without the encryption key (the password that you set). This is also important so that when you get rid of your computer, the next person does not run some basic forensic tools on your drive and get all of your data. This has been happening for years, from purchasing hard drives online, to old printers, copiers and fax machines, and pulling all of the data - such as this story where missile defense data was discovered on an old hard drive. 

    To enable whole disk encryption, it’s best to do this on a new computer, but it can be applied at any time. On a Mac, this feature is called "FileVault" and it can be found in Preferences > Security & Privacy > FileVault. This page will walk you through enabling FileVault.

    On a Windows system you may or may not have this feature already built in. For some reason, Microsoft has really dragged their feet on integrating whole disk encryption, except on more expensive versions of Windows (Ultimate, Pro and Enterprise versions). The Microsoft solution is called "BitLocker" and it works well and fairly seamlessly with Windows. If you don’t have BitLocker, you may want to opt for one of the free solutions like VeraCrypt. This article gives an overview of both options.

    No matter what solution you use, be sure to whole-disk-encrypt any system that is storing sensitive data or has access to sensitive data, especially if it is a laptop or computer that is not otherwise behind locked doors.
     
  2. Good system passwords are essential to securing a computer that goes with you. Even if you are using whole disk encryption, if your encryption key (password) is something easy to guess (12345) or is taped on the bottom of your laptop, the encryption is bypassed, and you are no longer protected. Passwords should be more like passphrases. The most important aspect of a passphrase is that it should be long - at least 12 characters. An example would be: "I have to take Fido out at 7am!" This has uppercase, lowercase, numbers and special characters, is 31 characters long with spaces, and is very easy to remember.
     
  3. Endpoint firewalls have become an integrated part of our operating systems these days but we have the option to enable/disable and adjust settings for them. The most important thing you can do here is just make sure it is enabled. 

    On a Windows system, the firewall is called Windows Defender and is found in Settings > Windows Security > Firewall & network protection. Be sure this is enabled.

    On a Mac, the firewall can be found in Preferences > Security & Privacy > Firewall. Be sure this is enabled.
     
  4. Patching is critical for all computers. Every month we get security patches for all of our devices because every month new vulnerabilities are found. Over the years, we have seen operating systems like Windows and macOS move from making you download and install patches on your own to automated patch updates every month. Not everyone likes automated patching, and, in some cases, you can turn it off. Most software companies have taken the responsible approach of automated patching, which is great, except when your Windows laptop boots up overnight on the second Tuesday of the month and you forgot to save your open files. 

    On a Mac, go into the App Store and click on App Store > Preferences and make sure Automatic Updates is checked.

    On a Windows system, go into Settings > Update & Security > Windows Update > Advanced Options and make sure your system is up to date. Windows 10 will likely not show you an option to disable patching.

Web browser security
So far, we have talked about network security and operating system security. Now let’s address application security. The most popular application used on Internet-connected systems today is, hands down, the web browser. According to a May 2018 article, Google Chrome is the most popular browser, followed by Firefox, Edge & Explorer, then Safari. No matter which browser you use, it is likely the application you use most on your computer if you are an average Internet user. All of these browsers are modern and kept up to date with automatic patching so, from a cybersecurity perspective, we need to focus primarily on plug-ins, extensions, or add-ons - whatever your browser calls them. According to a September 2018 article by Brian Krebs, a hacked Chrome extension was used to send usernames and passwords to a rogue server.

This is just one example of how attackers are directing attacks against the browser rather than the computer itself. The best thing you can do is check your browser extensions regularly and make sure there is nothing loaded that you don’t know about or don’t trust. According to one study, most browser users have about 10-20 extensions installed on their browsers with many having well over 40. That is a lot of extra software added to your browser that could give bad actors a way into your browser. It is also likely to slow your browser down a lot!
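One way to carry out the regular extension check described above, as an added example that is not part of the original post: it reads each installed Chrome extension's `manifest.json` and flags extensions that request access to every site or to sensitive browser APIs. The pattern and permission lists and the macOS default path are assumptions chosen for this example; pass your own Extensions folder as the first argument on other systems.

```python
import json
import sys
from pathlib import Path

# Host patterns that let an extension read or change pages on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (a short, non-exhaustive selection).
SENSITIVE_APIS = {"cookies", "webRequest", "history", "tabs", "clipboardRead"}


def audit_extensions(ext_root):
    """Return one record per installed extension version found under ext_root.

    Chrome lays extensions out as <ext_root>/<extension id>/<version>/manifest.json.
    """
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parts[-3]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # Unreadable or malformed manifest: report it rather than skip it silently.
            findings.append({"id": ext_id, "name": "(unreadable manifest)",
                             "broad_hosts": [], "sensitive": [], "review": True})
            continue
        # Host access can be declared in three places depending on manifest version.
        declared = list(manifest.get("permissions", []))
        declared += manifest.get("host_permissions", [])
        for script in manifest.get("content_scripts", []):
            declared += script.get("matches", [])
        declared = {p for p in declared if isinstance(p, str)}
        broad = sorted(declared & BROAD_HOSTS)
        sensitive = sorted(declared & SENSITIVE_APIS)
        findings.append({"id": ext_id, "name": manifest.get("name", "(no name)"),
                         "broad_hosts": broad, "sensitive": sensitive,
                         "review": bool(broad or sensitive)})
    return findings


if __name__ == "__main__":
    # Default is Chrome's profile folder on macOS (an assumption of this example).
    default = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
    for f in audit_extensions(sys.argv[1] if len(sys.argv) > 1 else default):
        flag = "REVIEW" if f["review"] else "ok"
        print(f"{flag:6} {f['name']} ({f['id']}) hosts={f['broad_hosts']} apis={f['sensitive']}")
```

A flagged extension is not necessarily malicious; the flag only marks the ones with enough access to see what you type into a page, which are the ones to recognise and trust before keeping.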

Online accounts
The last topic to discuss in this blog is online accounts and security. This is another big topic so we will hone it down to a few items to keep this blog post readable.

Passwords. We love to hate them, and we hate to use them. Don’t worry, there is a lot of work happening to get rid of passwords. Here is one example, but for now, we have to live with them. As I mentioned earlier, make passphrases that are over 12 characters long and yes, you can use spaces in most cases. Make sure you create something you can remember. A better option would be to use a password manager. 

The best approach to passwords is to have a unique password for every website, application, etc. But how are we supposed to remember hundreds of unique passwords or passphrases? You’re not! This is where the password manager comes into play. This is a tool that will store all of your passwords and other sensitive data in an encrypted blob on your computer and, optionally, in the cloud. You alone should have the keys to decrypt your blob of data and thus you only need to remember one password, that of your password manager.

In many cases, the password manager will even enter the password for you, so feel free to have a 45-character password if the site allows it because you won’t even have to type it in! Here is a review of password managers from July 2018. Your browser will likely offer to store passwords for you as well, but there are some risks associated with that. However, it is a far better solution than reusing passwords because if an attacker learns a username/password pair, they will try that combination against every social media and Internet service they can find. I have only used a few password managers, and I have been a happy LastPass user for years.

Phishing attacks are prevalent and growing in numbers. They are also much more advanced than in the past. Read this blog and this one, to learn about some of the more advanced attack types and how to identify them. STAY ALERT!

BONUS TIP
This one is a little more advanced, but be aware that changing the DNS settings on your computer can help reduce the attack surface. DNS, or Domain Name System, is the way that a domain name (www.google.com) is turned into an IP address (172.217.25.100). The Internet doesn’t know what "google.com" is, so DNS acts like an address book to translate that domain name into something that can be routed on the Internet. When you use the Internet, you are likely using your ISP’s DNS. This is fine, but there are some public DNS servers that offer a lot more than just address translation.

Changing your DNS servers to 1.1.1.1 or 9.9.9.9 can add some additional threat intelligence to your Internet browsing. So, if you, or more likely something malicious on your computer, happen to try to go to a malicious Internet address, these DNS servers will not allow it.

Here’s a link to show how to change DNS settings in Windows 10 and here is how to change the macOS DNS settings.

I hope you found this to be helpful, and I wish safe computing to everyone!

IMPORTANT! This model requires non-standard firmware. Do Not Install standard firmware (e.g. v.4.1.xx) on this model. Doing so will permanently damage your system. You must use custom firmware v.4.1.25 from the iDS-9632NXI-I8/16S product page.

View the most updated version of this document here:

https://techsupportca.freshdesk.com/en/support/solutions/articles/17000113531-i-series-nvr-firmware-upgrade-instructions

 

The I-series NVR (such as the DS-7716NI-I4) is one of Hikvision's most popular and feature-rich recorders. As such, many firmware revisions have been introduced over the years to continually ensure the product is compatible with the newest technology available. Due to the many revisions, we recommend that the user closely follows the instructions below in order to reduce the amount of time spent as well as the chance of failure.

 

Database Optimization and Repair

As more affordable IP cameras are introduced over time with greater video resolution and data sizes, more efficient database management also becomes necessary. The introduction of firmware v4.0 brought about a new database architecture in order to be futureproof.

 

After upgrading to v4.X, the recorder database will need to be converted and optimized. If you are experiencing issues where playback is expected but not found, make sure "Database Repair" is performed as indicated in the procedures and scenarios below.

 

Preparing the Upgrade

Before proceeding with the upgrade, it is recommended that the NVR configuration file is exported from the NVR over the network or onto a local USB drive.

 

Upgrading from v3.4.92 build 170518 or Older

  1. All recorders must reach v3.4.92 before proceeding further. Upgrading from versions before v3.4.92 directly to any version of v4.X will likely cause the recorder to fail.
  2. If the recorder is already at v3.4.92, a full factory default is highly recommended before upgrading to any version of v4.X. There is a high chance of unit failure (requiring RMA) if the unit is not defaulted before upgrade.
  3. After reaching v3.4.92 and performing a full factory default, an upgrade directly to v4.50.00 is acceptable.
  4. After the upgrade is completed and the recorder is reprogrammed, it may be beneficial to perform a Database Repair. For details, refer to the section "Database Optimization and Repair" above.
  5. To verify repair progress, you may refer to the HDD status, or search the recorder log for repair started and stopped entries. Note that while the HDD is repairing, new recordings are still being made, but some existing recordings may not be searchable until repair is complete.
  6. If you continue to observe playback issues after database repair, ensure there are no power, network, or motion detection issues. Should the problem persist, contact technical support.

 

Upgrading from Any v4.X Build to v4.50.00.

  1. Any v4.X build can be upgraded directly to v4.50.00.
  2. Export configuration is highly recommended before performing the upgrade.
  3. If upgrading from any v4.X version that was not v4.22.005, a Database Repair is recommended. Refer to Step 4 and onwards in the previous section.

 

Downgrading

Downgrading is not recommended. Due to new features and parameters constantly being added, downgrading may cause the NVR to factory default itself or require a manual default to operate properly.

K-Series DVR upgrade instruction
The Turbo 4 Hybrid DVR K series includes multiple models across different platforms and chipsets. Its firmware development is similar to that of the other recording product lines: the DVR K series has also introduced GUI4.0 to ensure the series is compatible with the newest technology available. The new database architecture has also been brought into DVR firmware v4.0 to be future-proof and to give a better recording search experience.
 


Database Optimization and Repair

As more affordable cameras are introduced over time with greater video resolution and data sizes, more efficient database management also becomes necessary. The introduction of firmware v4.0 brought about a new database architecture in order to be futureproof.
After upgrading to v4.X, the recorder database will need to be converted and optimized. If you are experiencing issues where playback is expected but not found, please make sure to perform "Database Rebuild" as indicated in the procedures and scenarios below.
 


Preparing the Upgrade

Before proceeding with the upgrade, it is recommended to export the DVR configuration file from the DVR over the network or onto a local USB drive.

 

Actions after firmware upgrade

1. Upgrade the DVR according to the chart above. 

2. Reconfirm the Channel's Recording Schedule

    - Confirm the channel's recording schedule is enabled.

    - Check if the channel is on the correct recording schedule.

3. Double Check Storage Setting

    - Make sure all channels are assigned to record on their HDD group when the Storage setting is under Group Mode.

4. Perform Database Rebuild locally.

    • Some versions above support Database Rebuild via web access: K51 and K72.

    • Perform Database Rebuild regardless of whether the system is showing any database issue symptoms.

    • The Database Rebuild process takes on average ~30 to 60 min per TB. The time may still vary depending on the recording data.

    • After Database Rebuild, check the log to confirm the Database Rebuild has gone through properly.

    • If the Database Rebuild Started and Stopped entries are logged only a few minutes apart, the Database Rebuild may not have completed properly. It is strongly recommended to perform the Database Rebuild again.

    • To check the log: System > Log > Information > Database Rebuild Started and Stopped.

    • If the log option is not available, accessing the system via SSH can also obtain a similar result.

5. Recording data is still missing after the Database Rebuild process.

If the data was not recorded or has been overwritten, the Database Rebuild process is not able to retrieve the lost data. Upgrading the system to the latest available firmware version above is strongly recommended for all applications to prevent any future data loss.

 

 

 

 

In light of the global semiconductor shortage, Hikvision has made some hardware changes to the DS-76xxNI-Q1(2)/P NVRs, also known as “Q series.”

 

These changes do not have any effect on the performance, specifications, or the user interface of the NVRs. For the ease of reference, these modified units are known as “C-Version” units. This is clearly indicated on the NVR label and on the box by the serial number.

 

The only difference between the “C-Version” and “non-C-Version” is the firmware. The firmware is not interchangeable:

 

  • The C-Version NVRs must use firmware version v4.31.102 or higher.
  • The non-C-Version (Q series) NVRs must use firmware version v4.30.085 or older.

 

Please do not be alarmed if a “Firmware Mismatch” message pops up on the screen during the firmware upgrade. This simply means that the firmware does not match the NVR’s hardware. Simply download the correct firmware and the upgrade will go through without any issue.

In light of the global semiconductor shortage, Hikvision has made some hardware changes to the Value Express Series NVRs.

These changes do not have any effect on the performance and specification of the recorders. For ease of reference, these modified units are known as “C-Version” units. This is clearly indicated on the NVR label and on the box by the serial number.

The only difference between the “C-Version” and “non-C-Version” is the firmware. The firmware is not interchangeable:

  • The C-Version NVRs must use firmware version v4.30.216 or higher.
  • The non-C-Version (Q series) NVRs must use firmware version v3.4.104 or older.

Please do not be alarmed if a “Firmware Mismatch” message pops up on the screen during the firmware upgrade. This simply means that the firmware does not match the NVR’s hardware. Simply download the correct firmware and the upgrade will go through without any issue.
