Announcement

Collapse
No announcement yet.

High Level Overview of MYHS Connection Security

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Tillsy
    replied
    Originally posted by Krumpy View Post
    The challenge they have is the age old problem that there are only 1440 minutes in a day.
    Oh come on four of those minutes are bonus - precise number of minutes in an Earth day is 1,436. Albeit they're taken back again each leap year LOL

    Leave a comment:


  • Krumpy
    replied
    Originally posted by bmsmithvb View Post
    I think with the community of experts that we have here in this forum, as a collective, we can address security concerns. We can't expect HomeSeer folks to be experts in the security realm, we just want them to build excellent home automation software.

    They are indeed knowledgeable. The challenge they have is the age old problem that there are only 1440 minutes in a day. So none of this is a negative on the company. If customers do not demand security then it will become secondary practice. We are all human.

    And, yes, they need help and our support. Speaking up creates support.

    Leave a comment:


  • Krumpy
    replied
    I am re-reading the PCI DSS documentation again. It’s been a while. Again, if it is good enough for the credit card industry, then I am sure that there are good nuggets in there that would apply to the home automation industry.

    Not all security “experts” agree. Hence why it is valuable to have a baseline standard. I figure (maybe in a odd way) PCI DSS is a good baseline. Take from it what is valuable. There are others as well.

    Leave a comment:


  • bmsmithvb
    replied
    I think with the community of experts that we have here in this forum, as a collective, we can address security concerns. We can't expect HomeSeer folks to be experts in the security realm, we just want them to build excellent home automation software.

    Leave a comment:


  • Krumpy
    replied
    I have performed a cursory check. It is very limited. I am just starting to poke the bear. To my earlier post above, the only way one can completely have a secure computing system is for it to not be connected to a network. If you do connect to a network then there are associating risks. Those risks need to be managed. The enclosed is subjective, but points that further investigation may be warranted. I would like to thank HomeSeer Technologies for "supporting" this security initiative by keeping this post on this forum.

    Do we really need to continue to support TLS 1.0 and TLS 1.1 as part of MYHS? This certainly points to risk, exposure, and weakness! A Qualys SSL LABS checker shows that these are still supported on some backend systems. Maybe there are sound reasons to why these crypto technologies are still in place. Do we really need to still support Android 2.3.7 - 4.3? I would think that a security remediation plan to address this is not a large effort.

    Ahhh! The HomeSeer store has these technologies disabled. Good! So, if the store has this remediated, why not MYHS? Logically, if the credit card consortium requires the deprecation of TLS 1.0 (subjectively 1.1 as well), then why is MYHS not remediated? I would think that we can demand cross-platform security practices between shop.homeseer.com and myhs.homeseer.com infrastructures. As a baseline, if it is good for one then it should be good for the other, right? I am sure that it is an oversight. But, these oversights are weakness'. Hence why it is important to document security practices and policies, and periodically audit them.


    A document from Microsoft: TLS 1.0 and 1.1 deprecation - Microsoft Tech Community


    Another document: From Why It’s Dangerous to Use Outdated TLS Security Protocols | Venafi


    Deprecation of TLS 1.0 and TLS 1.1


    Internet Engineering Task Force (IETF) has released a document where they explicitly state that TLS 1.0 and TLS 1.1 must not be used and they plan to deprecate both protocols by the end of 2019.


    It is true that both protocols can be considered as “ancient history” in terms of internet and computer times. TLS 1.0 is already twenty years old as it was first deployed in January 1999. Not surprisingly, the Payment Card Industry (PCI) hasdeprecated TLS 1.0 since 30 June 2018. Now any e-commerce site or retailer which still uses TLS 1.0 to encrypt credit card transactions will fail PCI compliance. Therefore, PCI has provided guidance to use TLS 1.1, 1.2, or 1.3 in order to securely process credit card payments.


    On the other hand, TLS 1.1 was released in April 2006. It only had minor improvements from TLS 1.0, and was developed to address weaknesses discovered in TLS 1.0, primarily in the areas of initialization vector selection and padding error processing.


    Both protocols have various vulnerabilities and the specific details on attacks against them as well as their mitigations are provided in NIST SP800-52r2 among other documents.


    In line with the IETF, Microsoft, Apple, Google, and Mozilla declared that their “best before date” for both TLS 1.0 and TLS 1.1 is March 2020. The major web browser developers have announced that they will drop TLS 1.0 and TLS 1.1 nearly a year and a half in advance in order to give web-hosting companies and cloud services providers plenty of time to phase the old versions out.

    Leave a comment:


  • Krumpy
    replied
    Ok, I'll bite. Here it goes.

    I have been using HomeSeer since April of 1998 and have vested interest in keeping this platform going both financially and from a Information Systems Security perspective. I am going to ask (and I think that others such as well) that there becomes further transparency and disclosure of both the financial and security fronts.

    You may think that asking for transparency on the financial side and business operations aspect is odd or crazy. Well, I did as well when I had this thought. But think this through. Ultimately, we want to make sure that the organization is able to continue successfully in the future for years to come. HomeSeer Technologies (HST) should not consider this as us meddling into their operations and finances, but rather that this community supports this platform and is concerned about the success in the future. This is a good thing as we are all in this together! So this is more of a food for thought thing rather than specific asks for HST to show us their financial books. It is a hint for HST to consider this as an opportunity to think creatively as we support them. There is a thread on this message board which lists all the home automation technologies in the past 30 years that have gone dark. I would hate to see HomeSeer listed at some point. This is my way of expressing concern and support, and that we do care!

    Second, on the Information System Security front. There needs to be more focus to ensure that the HomeSeer platform with all sub-products (such as MYHS) are "secure". The word "secure" is multi-faceted and has deep reaches and meaning while keeping in mind that we rely on this technology in our homes! It is important! Enough said, right? The challenge that HST may face is that with further focus towards security, it may increase the price to play. Think about this, is it worth it? Well, I would say yes, but not sure that the greater community will by in. So, it is important for us to be supportive and raise our concern.

    My ask on the ISS (information systems security) perspective is further disclosure:
    • We know that the HomeSeer platform is based on Microsoft technologies. We know that certain components operate in the cloud. It would be appreciated if we could get further high-level details. But this may not be possible as it could provide further details to potential attack vectors to bad actors. That is certainly true.
    • If not already done so, HST shall document and implement physical and information systems security practices and policies.
    • HomeSeer Technologies should appoint a security officer many times referred to as CISO (Chief Information Security Officer). He/she will provide attestation to the community (on at least a quarterly basis) a statement that to their best knowledge all systems security practices are compliant per policy. If there are any deficiencies, then an action plan should be created. You may think that this is harsh and time consuming. Well, it is. And therefore, I personally think that the "price to play" will go up. I would even be willing to facilitate this role if HST management is on board to provide me the supporting information. I am a CISSP and have done this before. There are others in this community as well. SOMEONE needs to facilitate this role or else we can not say that it is "secure" as the supporting checks and balances do not exist, and security complacement will set in over time. We are all human... This is not anything negative. It is a fact of reality once we pull our head out of the sand. Only once this process is taken seriously and executed over time will this platform become "secure"!

    In closing.... The fact of reality is that security practices often are referred to as an onion. There must be an approach of multiple layers. There are always risks, and keep in mind that we all have accepted those risks by using any technology that is connected to a network.

    Leave a comment:


  • ts1234
    started a topic High Level Overview of MYHS Connection Security

    High Level Overview of MYHS Connection Security

    This came up in another thread. How secure is the MYHS connection to the networks inside all of our homes, our phones, our tablets? I don't expect to be given low level specifics, but think we should know enough to understand there is no reason for concern. Is this documented somewhere?
Working...
X