Splitting trusted and untrusted networks

There have been a number of articles in the press in the last year about Internet of Things (IoT) devices being hacked and forming part of botnets, or simply exposing data from the networks they sit on. Most users just pick up a device and type in their wireless password or plug in a network cable; being the IT Professional (ha!) that I am, I decided it was time to look into network segmentation.

For those reading who do not know what this is: the two basic categories are Trusted and Untrusted devices. I trust my personal laptop and my server (I manage their security, after all); the IoT thermostat and the bargain-price CCTV system I bought years back, however, are a different story. So they need to be in separate, secured areas of my home network, where a compromised device can only reach other untrusted devices rather than everything I own.

Following some guides from Troy Hunt and other Ubiquiti fans, I have succeeded in splitting these two sets of network clients using my Ubiquiti UniFi Security Gateway (USG). The following is a rough guide to separating your networks using Ubiquiti equipment, with an optional step of creating a captive guest wifi portal for visitors. I am sure that other network equipment manufacturers provide the ability to lay out a network in this way, but I do not have their hardware to test!

1. Create a VLAN for the untrusted network

A VLAN splits one physical network into separate layer-2 segments; traffic between segments has to pass through the USG, where the firewall can control it. Access the network settings via settings > networks, and create a new network. Choose a network name such as “Untrust VLAN”, set it up as a corporate network, and give it a VLAN ID and a private IP range of your choosing that does not overlap your existing LAN.

2. Create a new wireless network for the new Untrusted VLAN.

The Ubiquiti Access Points (APs) can run multiple independent wireless networks, each tied to a VLAN. We are going to use this ability to create a new wireless network that places every client that joins it directly on the untrusted VLAN. Access the wireless settings via settings > wireless networks, and create a new wireless network. Choose a network name and password (for the name I just added UT for Untrusted to my standard network name) and set the network to use the VLAN ID you picked in the previous step.

3. Ensure the networks are segmented by the firewall

Some simple firewall rules will ensure that clients on the Untrusted VLAN cannot connect to your original trusted network. Access the firewall settings by navigating to settings > routing & firewall and locate the “LAN IN” section. This section controls traffic arriving from any LAN-side network (the VLANs included) that is bound for another network; although we are technically already inside our network, the VLANs act as separate virtual networks and every packet crossing between them passes through the USG. Create a new rule with action Drop, source the Untrust VLAN network and destination your trusted LAN network. Two caveats: rules are evaluated top to bottom, and a bare drop rule also stops the replies to connections you open from the trusted side, so if you want to view the CCTV from your laptop add an accept rule for established/related sessions above the drop rule; and the drop rule only covers the trusted network it names, so if you add further trusted networks later, add them to the rule too.

You have now successfully separated your potentially dangerous IoT devices from your trusted personal equipment; well, you will have once you move them all over to the new wireless network (wired devices need their switch port assigned to the untrusted VLAN instead). I suggest you do this a few devices at a time so as to cope with any glitches in their systems, and check from a client on the new network that it can reach the internet but not your trusted hosts before you rely on the setup.
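Once the rule is in place, the check worth doing is to join a laptop to the new wireless network and confirm the segmentation from the untrusted side. The following Python script is an added example (not from the original post or from any Ubiquiti tooling) that does that: it attempts TCP connections to a list of trusted-side hosts and to one internet host and classifies each as open, closed or filtered. The addresses and ports in it are placeholders; substitute your own trusted LAN.

```python
"""Verify VLAN segmentation from a client on the untrusted VLAN.

Added example for this post; not part of the original or of Ubiquiti's software.
Run it from a laptop joined to the untrusted wireless network. Every host in
TRUSTED_TARGETS should come back "filtered" (the USG drops the packets, so the
connect attempt times out) and INTERNET_TARGET should come back "open".
"""
import socket

# Placeholder trusted-side hosts and an internet host (assumed addresses,
# not from the post). Replace with your own trusted LAN.
TRUSTED_TARGETS = [("192.168.1.1", 443), ("192.168.1.10", 22), ("192.168.1.10", 445)]
INTERNET_TARGET = ("1.1.1.1", 443)


def probe(host, port, timeout=2.0):
    """Classify a TCP port as seen from this client.

    "open"     - handshake completed, something on the far side answered
    "closed"   - host reachable but it refused the connection (RST)
    "filtered" - no answer within the timeout, i.e. dropped by a firewall
    "error"    - failure before any packet was sent (no route, DNS, ...)

    Note that "closed" is just as much a segmentation failure as "open":
    the firewall let the packet through and the trusted host replied.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def segmentation_report(trusted, internet, timeout=2.0):
    """Probe every trusted target and the internet target.

    Returns (isolated_from_lan, has_internet, details) where details maps
    (host, port) to the probe result. The client counts as isolated only if
    no trusted target answered at all.
    """
    details = {(h, p): probe(h, p, timeout) for h, p in trusted}
    isolated = all(r in ("filtered", "error") for r in details.values())
    has_internet = probe(*internet, timeout=timeout) == "open"
    return isolated, has_internet, details


if __name__ == "__main__":
    isolated, has_internet, details = segmentation_report(TRUSTED_TARGETS, INTERNET_TARGET)
    for (h, p), r in details.items():
        print(f"{h}:{p:<5} {r}")
    print("isolated from trusted LAN:", isolated)
    print("internet reachable:       ", has_internet)
```

Run it once with the drop rule disabled to prove the script can actually see the trusted hosts (so a later "filtered" result means the firewall, not a typo in the address list), then again with the rule enabled. Probing a port that is closed on the trusted host is deliberate: "closed" proves the packet crossed the VLAN boundary even when nothing is listening.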

Do you fizz buzz, buzz fizz, or just scratch your head?

Over the years I have interviewed a lot of developer candidates and given advice to a fair few potential developers who are looking for their first interviews. Again and again, the FizzBuzz test has cropped up, and I have seen both some fantastic and some not so fantastic answers to the problem. For those who are not aware of what the FizzBuzz test is, here is the standard question:

Write a function which prints all the numbers from 1 to 100. But when printing a number which is a multiple of three print the word “Fizz” instead of the number, when the number is a multiple of five print the word “Buzz”. If the number is a multiple of both three and five write the word “FizzBuzz” instead of the number.

FizzBuzz is a simple program, or at least it should be. I think that some people who are new to the industry find it hard because it does not fit into the standard coding styles taught in school/university: it isn’t just a simple for loop, nor can you just write a single if-then-else. This is why it is such a good tool for telling candidates who can code and solve a problem apart from those who cannot; that being said, it only really works for the earlier stages of someone’s development career (although if a senior developer couldn’t solve this problem then they may need to seek alternative employment).

“So how do I FizzBuzz?”

Break it down

It really is simple when you think about it; just break it down into its constituent requirements.

Print all the numbers from 1 to 100

Simple, just loop all the numbers and write them to the console.

using System;
public class Program {
	public static void Main() {
		for(int x = 1; x <= 100; x++) {
			Console.WriteLine(x);	
		}
	}
}

What about three?

Loop all the numbers as we did above, and test them to see if they are divisible by three.

using System;
public class Program {
	public static void Main() {
		for (int x = 1; x <= 100; x++) {
			if (x % 3 == 0) {
				Console.WriteLine("Fizz");
			} else {
				Console.WriteLine(x);
			}
		}
		
	}
}

Add in five to the mix

Again we just loop all the numbers but throw in the second test.

using System;

public class Program {
	public static void Main() {
		for (int x = 1; x <= 100; x++) {
			if (x % 3 == 0) {
				Console.WriteLine("Fizz");
			} else if (x % 5 == 0) {
				Console.WriteLine("Buzz");
			} else {
				Console.WriteLine(x);
			}
		}
	}
}

And finally both three and five

Not hard when you look at it written down: a simple if-else-if-else-if-else! The one thing that catches people out is the order of the tests; the “multiple of both” case has to be checked first, because if the multiple-of-three test runs first it swallows 15, 30, 45 and so on and you never print “FizzBuzz”. But is there another way? Of course, especially if you want to set yourself apart from the crowd.

using System;

public class Program {
	public static void Main() {
		for (int x = 1; x <= 100; x++) {
			if (x % 3 == 0 && x % 5 == 0) {
				Console.WriteLine("FizzBuzz");
			} else if (x % 3 == 0) {
				Console.WriteLine("Fizz");
			} else if (x % 5 == 0) {
				Console.WriteLine("Buzz");
			} else {
				Console.WriteLine(x);
			}
		}
	}
}

Linq-ing it up a little

When it comes down to it FizzBuzz isn’t a very hard challenge, but it can throw off some candidates especially if they have to write it by hand rather than in an IDE!

using System;
using System.Linq;

public class Program
{
	public static void Main() {
		// Test 15 first: it is the only way to catch numbers that are
		// multiples of both 3 and 5 before the single-factor tests do.
		Enumerable.Range(1, 100).Select(
			n =>
			(n % 15 == 0) ? "FizzBuzz" :
			(n % 3 == 0) ? "Fizz" :
			(n % 5 == 0) ? "Buzz" :
			n.ToString())
			.ToList()
			.ForEach(Console.WriteLine);
	}
}

Hello Monkey

Meet Fred (that’s what I’m calling him); he was sat at the back of his cage at Bristol Zoo Gardens when I went to take a photograph of him. He spotted my camera and decided he wanted a better look, in the process of examining my camera he struck a pose for me!

Fred is a Brown Spider Monkey who lives in the Monkey Jungle at Bristol Zoo. The Brown Spider Monkey is critically endangered, which is the step before being extinct in the wild. They are extremely charismatic and have very strong personalities, and they live in small units of two males and two females. If you are from Bristol I strongly recommend taking a trip to Bristol Zoo to visit not only Fred but all his animal brethren.

More photos over on flickr.

Modern Browser Security Reporting

I have written a few articles about ‘Browser Security Headers’ in recent months; I partly wrote them to encourage me to read more on the subject myself but I hope that someone starting off on the subject will find them useful.

Rather than write another quick post on the subject I have decided to reference a new training video that Troy Hunt and Scott Helme have recently published on Pluralsight. For those who have not heard of Pluralsight before it is the largest (and in my opinion the best) online training resource for those looking to learn more about technical subjects ranging from deep dive software programming videos to more “fluffy” subjects like project management and team building (there is even a video on “How to manage a developer” which I found rather entertaining). Pluralsight offer a free trial which is long enough for you to watch a few videos and decide if you feel they are worth paying for (or asking your boss to pay for as I have done).

The great thing about Troy and Scott’s new video is the format it is presented in; the two easy-talking experts are not just talking at the screen with a slide show, they are discussing the subject with each other in what Pluralsight call a “play by play”. The format allows for a technical discussion as if you were sat around your desks at work (or even in the pub). They have taken an important technical subject (browser security headers) and made it easy to consume and understand without too much jargon or presumed knowledge.

The course contains short modules (no more than ten or so minutes) on each of the main browser security reporting mechanisms (not all of them are HTTP headers: CAA is a DNS record and CT is a property of the certificate). Note that since the course was recorded HPKP has been removed from the major browsers, and the X-XSS-Protection filter has gone the same way; CSP reporting is the mechanism to rely on today.

  • The importance of Browser Security Reporting
  • Content Security Policies (CSP) Reporting
  • HTTP Public Key Pinning (HPKP) Reporting
  • Certification Authority Authorisation (CAA) Reporting
  • Certificate Transparency (CT) Reporting
  • Cross Site Scripting (XSS) Reporting

I have just finished watching the video myself; the beauty of the Play by Play style of courses (two experts talking face to face) is that you can easily watch them whilst working. I watched this course whilst working on the bug backlog for my most recent project! I strongly recommend that any web developer or person looking to move into IT Security take a look at this video (sign up for the free trial if you don’t already have a Pluralsight account).

You can find the summary of ‘Modern Browser Security Reporting’ course on Pluralsight, and read more about it on Troy’s blog. And just for giggles you can see how many courses I have watched on my ‘Certificates, Courses, and the such’ page (yes I am that sad).

The header image for this post was provided for free on unsplash.com by James Pond. Thanks James!
