More stories

  • FBI warning: Scammers are posting fake job ads on networking sites to steal your money and identity

    The FBI’s Internet Crime Center (IC3) is warning that scammers are exploiting verification weaknesses in job-focused networking sites to post legitimate-looking ads, capture personal information and steal money from job seekers. Scammers “continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI warns in a new public service announcement.

    The bogus ads threaten reputational damage for the impersonated firm and financial loss for the job seeker. According to IC3’s complaint reports, the average reported loss from this scheme since early 2019 has been $3,000 per victim. In one notable scheme, attackers used a real company account on an employment-oriented network site to post fraudulent job postings. “The lack of strong security verification standards on one recruitment website allowed anyone to post a job on the site, including on official company pages,” the FBI notes.

    “Those postings would appear alongside legitimate jobs posted by the business, making it difficult for applicants and the spoofed company to discern which job posting was real and which one was fraudulent.”

    The FBI doesn’t disclose which site lacked verification checks. However, BleepingComputer reported in August that a feature on LinkedIn allowed anyone to post a new job ad from the account of a known brand without providing verification. Additionally, admins of the company account couldn’t take down the fraudulent job ad.

    Microsoft-owned LinkedIn last week published its latest Transparency Report, highlighting how many scam postings and fake accounts it took down in the six months to June 30, 2021. It claims its automated defenses blocked 97.1% of all fake accounts during the period, amounting to 11.6 million fake accounts stopped at registration. However, some 85,700 accounts were stopped after users reported them. It also proactively removed 66.1 million spam and scam pieces of content on LinkedIn, but removed 232,000 pieces of such content after members reported them.

    According to the FBI warning, scammers also replicated legitimate job postings, changed the contact information, and then posted the now-fraudulent job ad on other networking sites. The job recruitment scam ads borrow a lot of real information from impersonated hiring firms, including logos, images, email addresses and spoofed websites. In some cases, the scammers use the names and positions of actual company employees to improve online impersonation and then use those borrowed identities during the fee interview and hiring process. The FBI cites three examples of these scams over the past year where real employees’ names were used.

    As the FBI warned in 2020, fake job scams are an old trick, but online recruitment and teleconferencing apps have made it more lucrative and easy to create false interviews.
Stolen personal information is used to take over a victim’s financial accounts, open new accounts, or obtain fake driver’s licenses or passports. Victims are often offered work-from-home jobs and are sent a bogus employment contract to sign, and then asked to submit driver’s licenses, Social Security numbers, direct deposit information, and credit card information. Victims are asked to pay upfront for background checks, job training, and startup supplies and told they will be reimbursed in their first paycheck. After victims pay, the scammers vanish.

  • Update now: Samba prior to 4.13.17 hit with remote root code execution bug

    Samba has fixed a vulnerability in all versions of its software prior to version 4.13.17 that allowed a remote actor to execute code as root, thanks to an out-of-bounds heap read/write vulnerability. “The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability,” Samba said in its security notice. “Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”

    Discovered by Orange Tsai from Devcore and labelled as CVE-2021-44142, the flaw affects the vfs_fruit module, which improves compatibility for OS X clients and, Samba said, is vulnerable in its default configuration. If the options fruit:metadata=netatalk or fruit:resource=file are set to something else, the vulnerability does not work, but doing so comes with a warning. “Changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost,” Samba said. Therefore, Samba says the preferred workaround, as an alternative to patching, is to remove fruit from the configuration.

    The vulnerability was given a near-perfect score of 9.9 on the CVSSv3.1 scale. Versions 4.13.17, 4.14.12, and 4.15.5 of Samba have been released to fix the issue. While traditional desktop and server users are able to update through the normal processes, those running NAS systems, particularly older ones, will need to wait for any potential firmware upgrades.

    Those releases also fix CVE-2022-0336, rated at 8.8, and CVE-2021-44141, rated at 4.2. For CVE-2022-0336, Samba Active Directory users that can write to an account’s servicePrincipalName (SPN) attribute are able to impersonate services thanks to a number of checks being skipped. “An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity,” Samba said.

    The CVE-2021-44141 issue relates to clients being able to use symlinks to work out if a file or directory exists in an area not exported through Samba. For the attack to work both SMB1 and Unix extensions need to be turned on — using SMB2 is enough to foil the attack. “SMB1 has been disabled on Samba since version 4.11.0 and onwards,” Samba said.
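    A defender's check for the CVE-2021-44142 exposure described above, as an added example that is not from ZDNet or the Samba project: it compares a Samba version against the fixed releases named in the article and reports, per share, whether vfs_fruit is loaded with the affected fruit:metadata=netatalk or fruit:resource=file settings. The share names and paths in the sample configuration are constructed; treating a share as exposed while either option is at its affected value, and treating series newer than 4.15 as fixed, are assumptions of this sketch.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release series.
FIXED = {(4, 13): 17, (4, 14): 12, (4, 15): 5}


def version_is_patched(version):
    """Return True if a Samba version string carries the CVE-2021-44142 fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Older series got none of the listed fixed releases; newer series are
    # assumed here (not stated in the article) to ship with the fix.
    return (major, minor) > max(FIXED)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Names are lower-cased and whitespace inside parameter names is dropped,
    because Samba treats 'vfs objects' and 'VFS Objects' as the same name.
    'include' directives and backslash line continuations are not followed.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current["".join(key.split()).lower()] = value.strip()
    return sections


def audit_shares(text):
    """Map each share to 'fruit-not-loaded', 'fruit-non-default' or 'fruit-default'."""
    sections = parse_smb_conf(text)
    global_params = sections.get("global", {})
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        effective = {**global_params, **params}  # share settings override [global]
        modules = effective.get("vfsobjects", "").replace(",", " ").lower().split()
        if "fruit" not in modules:
            report[name] = "fruit-not-loaded"
            continue
        metadata = effective.get("fruit:metadata", "netatalk").lower()
        resource = effective.get("fruit:resource", "file").lower()
        # Conservative reading (assumption): flag the share while either
        # option is still at the affected value named in the article.
        if metadata == "netatalk" or resource == "file":
            report[name] = "fruit-default"
        else:
            report[name] = "fruit-non-default"
    return report


# Constructed sample configuration; share names and paths are illustrative.
SAMPLE_CONF = """\
[global]
    vfs objects = catia fruit streams_xattr

[timemachine]
    path = /srv/tm

[media]
    path = /srv/media
    fruit:metadata = stream
    fruit:resource = stream

[scans]
    path = /srv/scans
    VFS Objects = acl_xattr
"""

if __name__ == "__main__":
    for share, status in audit_shares(SAMPLE_CONF).items():
        print(f"{share}: {status}")
    for v in ("4.13.16", "4.14.12", "4.15.4"):
        print(v, "patched" if version_is_patched(v) else "needs update")
```

    A share reported as fruit-default on an unpatched version is the combination the advisory describes; fruit-non-default shares carry the data-visibility caveat Samba quotes above.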

  • Fending off ransomware attacks using AI-powered tools

    Zero trust-type security, which every self-respecting security software provider now offers, is a good leap forward in the never-ending battle against the bad hacker actors of the world. But it’s turning out not to be the complete answer to storing corporate data securely for an enterprise and its users.

    Zero trust enables enterprises to restrict access controls to networks, applications, and environments without sacrificing performance and causing user ire. A zero-trust approach trusts no one, no matter how high on a security clearance ladder he or she may be. Multiple entry codes will always be needed. But ZT still needs assistance in order to provide the 24/7 security and airtight access processes required by many enterprises, and AI is providing that help.

    This is where next-gen data protection providers such as Fortinet, Dell Technologies, Forcepoint, and Cohesity come into the picture, because they all bring multiple weapons to this problem. Many of those tools use AI to identify intruders and stop exploits faster than had been possible previously.

    Cohesity is the latest to produce new capabilities augmenting ZT and aimed squarely at solving the rampant ransomware problem that so many organizations – both for-profit and nonprofit – have suffered in the last few years. Early on, cybercriminals focused only on encrypting a victim’s production data. Cohesity, among others, countered by enabling users to rapidly restore from backup data. Then, criminals started to destroy or encrypt backup volumes themselves. Cohesity countered with immutability. Now, bad actors are exfiltrating the data and threatening to post it on the dark web.
To help its users address the latest threats, Cohesity unveiled at its Cohesity Connect conference the following SaaS offerings, which are now included in the company’s Data Management as a Service platform:

Cohesity DataGovern: A data security and governance service that uses AI/ML to automate the discovery of sensitive data and detect anomalous access and usage patterns that could indicate a cyberattack in play — the key to thwarting bad actors trying to exfiltrate data.

Project Fort Knox: A service that allows users to maintain an isolated copy of their data in a Cohesity-managed vault to improve data resiliency in the face of ransomware attacks. In addition to immutability, the company said, this gives users another way to thwart attackers trying to encrypt data.

The four pillars of next-gen data management

Cohesity CEO Mohit Aron told ZDNet that any provider describing its platform as “next-gen data management” must include the following four characteristics:

Must be intuitive and simple to use at scale: Enterprise line-of-business employees should be able to use the platform at will to manage all their data optimally as needed.

Must include zero-trust security: Specific ransomware protection is built into this.

Must be AI-powered: “The platform needs to be smart, so when something goes down, it can auto-heal itself. It must have AI-based detection of ransomware. So the whole platform must be AI-powered,” Aron said. Cohesity’s AI/ML-based classification software is used to identify sensitive data — including personally identifiable information (PII) — in backup and production data, and determine who has access to it, helping to harden environments before attacks occur.

Must have third-party extensibility: “Users shouldn’t just be able to take benefit of the products that we build, but on this platform, they should be able to extend the power of this platform by third-party applications and integrations,” Aron said.

    “Relying on legacy backup as an insurance policy no longer is sufficient,” Cohesity Head of Product Matt Waxman said. “Users need next-gen technology that makes it easy to identify sensitive data, detect anomalies, isolate data, and stay ahead of modern threats. That’s what we’re focused on in our Threat Defense architecture.”

    How the AI is implemented

    In order for technologists, data architects, and software developers to learn more about how to utilize AI, ZDNet asked the following questions of Aron, who offered these details:

    ZDNet: What AI and ML tools are you using specifically?
    Aron: Applications of AI/ML are spread across multiple areas of our product, both on the SaaS side and on-premises. One set of use cases is the use of time series (looking at data over time) anomaly detection techniques that identify potential data security threats, such as a ransomware attack, and provide alerts and guidance to the administrator. Another category is the use of a combination of supervised/semi-supervised models for security analytics and data governance. For proactive performance optimization use cases, we use a variety of time-series regression models.

    ZDNet: Are you using models and algorithms out of a box, such as DataRobot or other sources?
    Aron: For simpler use cases, we use off-the-shelf models with minimal tuning. For more complex ones, we integrate a set of off-the-shelf models to achieve better accuracy.

    ZDNet: What cloud services are you using?
    Aron: Our Data Management as a Service portfolio of SaaS offerings runs on AWS. Our data management platform also runs on Microsoft Azure and Google Cloud.

    ZDNet: Are you using the AI workflow tools that come with that cloud?
    Aron: We leverage SageMaker workflows where applicable; however, we do build our own workflows deployed on Kubernetes to support a variety of deployment models.

    ZDNet: How are you labeling data for the ML and AI workflows?
Aron: For labeling data for supervised learning use cases, we leverage pre-labeled data collected from our wide customer base in combination with our own data labeling inference workflows for augmentation.

ZDNet: Can you give us a ballpark estimate on how much data you are processing?
Aron: We estimate that we process hundreds of millions of events on a daily basis for a variety of ML-enabled use cases.

  • OMB's Zero Trust strategy: Government gets good

    What a time to be alive! Hot on the heels of Forrester’s release of our definition of modern Zero Trust (ZT), the US Office of Management and Budget (OMB) released a memo entitled Moving the US Government Toward Zero Trust Cybersecurity Principles. Coincidence? Yes. A big deal? Also, yes. If executed as mandated, not only will government agencies meet the security maturity levels of large organizations in the private sector (they did just start hiring at that level, remember), they’ll also surpass them. This major transformative effort sets a new bar for all sectors and is a cause for celebration. It also breaks down barriers to Zero Trust adoption by providing security leaders across industries a set of priorities in line with each of the five Zero Trust pillars, for which they can seek executive buy-in — made all the easier by a high-profile government mandate — and which they can build into their budgets and timelines.

    Celebrate this strategy

    Zero Trust advocates should be jumping for joy over the federal government’s understanding of modern Zero Trust and how it is operationalized. Forrester designated seven operational domains of Zero Trust: five for security controls and two for interaction across the domains when we created Zero Trust eXtended (ZTX). The Cybersecurity and Infrastructure Security Agency (CISA) and the OMB recognize these seven and add one more: governance. So, for the past decade, where there was previously much confusion around how to define or operationalize Zero Trust, today there is an outpouring of aligned definitions, thanks to the White House Executive Order released in early 2021. Importantly, CISA’s view takes cues from Forrester’s original shaping of Zero Trust when we first defined it over 12 years ago. Our guns are pointing in the same direction. Second, the OMB strategy document has depth and breadth. In all these domains, OMB doesn’t just make the right call, it makes the bold call and doubles down on Zero Trust. Examples abound!
    There are a handful of half measures, which is fewer than we were expecting for government IT composed largely of islands of varying technological maturity. This includes encrypted email and some leeway on how people do ZT in the network (which is understandable, because the network is still the hardest part).

    Why This Matters

    Many organizations lack a cogent cybersecurity strategy; at least now US federal agencies aren’t among them. And while better cybersecurity is a worthy goal, don’t forget that sabers rattle in both a middle kingdom and the remains of a superpower, neither of which have qualms about cyber warfare. For many initiatives, the devil is in the details. That’s not true for the OMB Zero Trust strategy; as we mentioned above, it’s really good. Here, the devil will be in the execution. To what extent will every agency, contractors, and all their subcontractors operationalize Zero Trust?

    The short

    Among the timelines included in the OMB strategy are several short-term tasks, such as providing CISA and the General Services Administration any non-.gov hostnames (a mere 60 days) and the welcoming of external vulnerability reports for internet-accessible systems. Within one year, enforced password rotation should be kicked into the gutter, where it belongs. Crucially, within 60 days, agencies must submit to OMB and CISA an implementation plan for FY22–FY24 for OMB concurrence and a budget estimate for FY23–FY24. As budget estimates align with roadmaps, many a CISO will need help revising these quickly. The recent cybersecurity hiring improvements may help draw patriots from the private sector for some agencies, but others will have to draw on third parties for strategy consulting. Having worked with many Forrester clients (federal, state, and city government agencies), we know that agencies:

    Have different levels of technological and cybersecurity maturity.
    Will undergo Zero Trust maturity assessments and gap analyses based on the recently published CISA Zero Trust maturity model.

    Getting to the long term

    The OMB Zero Trust strategy mandates many significant (and challenging) security improvements for each federal agency over the long term. Two themes within the OMB strategy provide help for the government CISO: cloud and collaboration.
Regarding collaboration, paraphrasing section two, “[teams] within and across agencies should collaborate to jointly develop pilot initiatives and governmentwide guidance on categorizing data based on protection needs, ultimately building a foundation to automate security access rules.” And it’s not just teams. The memorandum has sage words for the execs: “Agency chief financial officers, chief acquisition officers, senior agency officials for privacy, and others in agency leadership should work in partnership with their IT and security leadership to deploy and sustain Zero Trust capabilities. It is critical that agency leadership and the entire C-suite be aligned and committed to overhauling an agency’s security architecture and operations.”

The OMB strategy also mentions “cloud” an eye-popping 44 times in its 29 pages. “Agencies should make use of the rich security features present in cloud infrastructure,” states the memorandum’s opening. Many of the mandates, to be sure, are more easily accomplished with cloud-based architectures (think: enterprise-wide management of anything). The OMB strategy has guidance around cloud for all five of the main Zero Trust pillars: identity, devices, networks, workloads, and data.

Mark this day

We have ordered additional rations of ibuprofen for the current and former Forrester analysts aligned to Zero Trust, as several have sprained themselves with virtual high fives and physical pats on their own backs in celebration of this memorandum. Hyperbole aside, let us observe and celebrate the monumental progress that the US federal government has achieved toward Zero Trust: in 2020, the NIST Zero Trust architecture (SP 800-207); in 2021, the Biden Executive Order on Zero Trust and the CISA Zero Trust maturity model; and now, in 2022, the most specific and ambitious document yet, the OMB Zero Trust strategy.

This post was written by Senior Research Analyst David Holmes and it originally appeared here.

  • Civil rights groups launch effort to stop IRS use of 'flawed' ID.me facial recognition

    Outrage continues to swirl around a proposed plan from the Treasury Department to require some taxpayers to submit to facial recognition and biometric surveillance in order to access their accounts online. The proposal faced further scrutiny after it was revealed the IRS planned to involve controversial facial recognition company ID.me in the effort. Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website — called Dump ID.me — allowing people to sign a petition against the IRS plan. This campaign site comes after days of criticism from privacy, justice, and civil rights groups concerned about the potential for a company like ID.me to have access to people’s most sensitive data.

    ID.me’s CEO Blake Hall faced widespread backlash for a LinkedIn post where he admitted that the company had been lying about the way its tool works. The company initially claimed it only runs a 1:1 match, but Hall revealed that it does run some 1:many matches and compares people’s images to a massive database, news first reported by CyberScoop’s Tonya Riley.

    Caitlin Seeley George, campaign director at Fight for the Future, said the plan to use facial recognition on taxpayers was bad from the start, and it only got worse as more information was revealed. “Part of why we launched this effort is because we think it’s critical that the IRS hears public concerns about this issue. There’s already been a swift outcry from civil rights organizations and experts, but people broadly understand that they should not have to hand over their biometrics in order to access their IRS information (or at all, really),” George told ZDNet.

    “ID.me is a particularly troubling tool, especially with the revelation that they have been publicly lying about how it works and the types of verification it does,” George added. “But all facial recognition tools will cause a lot of the same issues: they will amass a database of people’s most sensitive information that can be shared with other agencies and law enforcement, and also will be a target for hackers. No government agency should be using facial recognition or other biometrics to verify identity.”

    Late last week, Bloomberg reported that the Treasury Department is now considering other vendors for the facial recognition project, but the outrage over the situation has sparked further concern about the widespread use of facial recognition across the federal government as well as state governments. 

    Fast Company reported that ID.me is now used by the Department of Veterans Affairs, the Social Security Administration, and several other federal agencies. Jay Stanley, senior policy analyst at the ACLU, told ZDNet that dozens of agencies across the country mandate facial recognition in order to access government benefits. The IRS began forcing some people to use ID.me in order to access the expanded child tax credits that were part of President Joe Biden’s American Rescue Plan.

    There are a range of issues with facial recognition, most notably that it has been proven repeatedly to be inaccurate with the faces of Black and brown people as well as women. Artificial intelligence researchers Inioluwa Deborah Raji and Dr. Joy Buolamwini released a study in 2019 proving that Amazon’s facial recognition software made more mistakes when identifying the faces of Black people, particularly Black women.

    Stanley added that the use of facial recognition by government agencies creates a number of accessibility issues for people, noting that some state agencies use it to vet unemployment insurance recipients. It requires strong internet connections — something many people don’t have — and puts an undue burden on people attempting to access benefits Congress has deemed them eligible for, according to Stanley. “It’s just not right to use a technology with those kinds of biases for such a public purpose. This kind of core government functions shouldn’t be done by a private company,” he said, adding that ID.me would not be subject to privacy laws and certain checks and balances, despite carrying out an essential government function. Many states are using facial recognition for government services through funding coming from the federal government, and Stanley said strings need to be attached to ensure the algorithms aren’t biased.
Aubrey Turner, executive advisor at Ping Identity, was critical of the outrage directed toward the IRS effort. Turner acknowledged the privacy and demographic bias concerns raised by watchdogs but said everyone’s images are captured by traffic cameras, security cameras at the airport and through social media accounts. 

    “Not going so far as to call it fake outrage, but let’s be pragmatic for a moment. Overall, I think it’s a good idea for the IRS to include modern identity proofing as part of the account registration/access process. Known as document-centric identity proofing within the IAM industry, the process of uploading the document (e.g., drivers license) and taking a selfie (capturing biometric data) is to attain a desired level of confidence the taxpayer user is who they claim to be while mitigating counterfeiting/forgeries. Notwithstanding the security aspect, there is also a user convenience component. This same proofing process can also be a means to reducing and removing passwords for the account enrollment process, which also has positive user experience upside,” Turner said.

    “Facial recognition can certainly be creepy if used inappropriately in marketing with social media apps. But it can also be tremendously convenient clearing airport security or unlocking your smartphone. The realities of today’s cyber threats means we have to find innovative and dynamic ways to prevent things like account takeover,” Turner added.

    “Technological innovation is accelerating faster than at any point in modern history, and there will always be misalignment between tech and regulations. There are emerging use cases and things we have yet to conceive that will certainly challenge our notions of the balance of privacy, security, and convenience. But the bottom line is that we can’t let perfect get in the way of progress,” Turner said.

    He noted that a debate should be had about whether the government should have built the system itself, but said “private enterprises often innovate to close gaps.”

    Regardless of the outrage, more businesses will be leveraging identity proofing processes that utilize biometric and behavioral data, Turner added. “I think not using these more secure methods [is] worse than the alternatives.
This is the first in an oncoming wave, so the government should be fostering this innovation and not putting up roadblocks,” Turner said. “I think there are legitimate privacy concerns with facial recognition and biometric data that shouldn’t be ignored. The time for digital identity proofing has come (will only continue to grow in government and private sectors), so we should embrace it versus being outraged without practical alternatives to the realities of today’s cyber security challenges.”

Buolamwini — who has become an advocate against facial recognition since publishing her study — released a letter to the Biden Administration last week where she said the real-world impact on marginalized communities will “likely get worse because of the unchecked proliferation of facial recognition technologies generally.”

“These technologies are being deployed at an unprecedented rate across state and federal agencies. They are imposed on the public without sufficient public scrutiny, debate, or oversight, causing harm to the populace generally,” Buolamwini said. “No biometric technologies should be adopted by the government to police access to services or benefits, certainly not without cautious consideration of the dangers they pose, due diligence in outside testing, and the consent of those exposed to potential abuse, data exploitation, and other harms that affect us all.”

  • Mozilla adding multi-account containers to VPN offering

    Mozilla announced on Tuesday that it is adding Multi-Account Containers, one of the most popular add-ons in Firefox, to the desktop version of the company’s VPN service. 

    Mozilla VPN 2.7’s addition of multi-account containers will allow users to separate personal and work profiles as well as others for shopping, banking and more. The tool in Firefox allowed people to separate each profile into color-coded tabs and custom labels. “Combined with Mozilla’s VPN, it adds an extra layer of protection to their compartmentalized browsing activity, and additional safeguarding of their location information, as well,” a Mozilla spokesperson said. “Bringing the multi-hop feature, a popular component of Mozilla VPN’s desktop offering, to the mobile version will let Android and iOS users use two VPN servers instead of one, giving them and their browsing a little extra privacy.”

    According to Mozilla, multi-account containers were initially rolled out in 2017 and quickly became a favorite of users.
    “Instead of opening a new window or different browser to check your work email, you could easily separate that activity in a container tab. We created tab-specific containers like personal, work, shopping, banking and social media and added options so you can personalize it by color, logo or a different name,” Mozilla explained.

    “Behind the scenes, the websites and their cookies are isolated from the other containers, thus allowing you to sign into two different accounts on the same site (one for work and one for personal). The Multi-Account Containers Add-on has had more than thousands of users who’ve called it a ‘productivity hack,’ ‘simply phenomenal,’ and ‘perfect for privacy.’”

    The company used the example of a person on a business trip to Paris needing to check their personal bank account from their work computer. A user would be able to separate their activity from their work. “For those who aren’t yet ready for travel and are keeping in touch with family and friends through emails and video, you can set one of your containers to shopping and change the server to the nearest city of your loved ones’ home and check out local shops to have flowers or a meal delivered to their home for that special occasion or just to say hello,” Mozilla added.

    Mozilla also added the multi-hop feature to the Android and iOS versions of the app, allowing people to use two VPN servers instead of one. The feature is targeted toward people who are “ultra-conservative when it comes to privacy”, like political activists, journalists and more. Mozilla recently added “Total Cookie Protection” to the platform as a way to stop cookies from tracking you across the web.

  • Shell forced to reroute supplies after cyberattack on two German oil companies

    A cyberattack on two German oil suppliers has forced energy giant Shell to reroute oil supplies to other depots, according to Reuters and the Handelsblatt newspaper. Handelsblatt was the first to report on Monday that oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls Group, had suffered a cyberattack that crippled their loading and unloading systems. Oiltanking had a throughput of 155 million tons in 2019, according to Handelsblatt.  

    By Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. Oiltanking did not respond to requests for comment but confirmed the attack to The Stack and said they “have declared force majeure.” They reportedly discovered the attack on Saturday. The incident follows another cyberattack on billion-dollar German logistics firm Hellmann Worldwide Logistics that took place in December.  German officials spoke at a news conference about the issue. Arne Schonbohm, president of the Federal Office for Information Security, said the attack on Oiltanking was “serious, but not grave.” German intelligence officials released a warning last week about APT27 using the malware variant HYPERBRO against German commercial companies. “According to current knowledge, the attackers have been exploiting vulnerabilities in Microsoft Exchange and in the Zoho AdSelf Service Plus1 software since March 2021 as a gateway for the attacks. It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers,” German intelligence service BfV said.

    “The cyber espionage group APT27 has been active since at least 2010. The BfV is currently observing an increase in attacks against German targets by the group using the HYPERBRO malware.”

    Rumors that the Oiltanking incident is a ransomware attack reignited concerns about attacks on oil companies. Last year, US oil giant Colonial Pipeline dealt with a devastating ransomware attack that crippled its business services and left significant parts of the East Coast without access to gas for less than a week. “Impacting elements of the fuel, heating, and combustibles supply chain during the winter season potentially puts human safety and wellbeing in the crosshairs — these types of attacks underscore the very serious risks posed by criminals to foundational parts of essential services and infrastructure,” said Tim Wade, technical director at Vectra.

  • Firewalla launches Purple: Its must-have network security device

    Firewalla is expanding its product lineup today with its fourth network security device. As is the case with each product in Firewalla’s lineup, the $319 Purple takes a different approach to provide an extra layer of security to your home network. In addition to two gigabit Ethernet ports on the Purple — a device that’s roughly the size of a Raspberry Pi — the Purple can also be used to create a short-range Wi-Fi network when you’re working in a coffee shop or a hotel while traveling.

    You can use the Purple as a router at home. You can also set it up between your modem and router to monitor your traffic, look for malicious websites, and send you alerts via the Firewalla iPhone or Android app. I’ve now used every Firewalla device available, and they all do exactly what is advertised. With Purple, I was able to migrate the settings and rules I had set up from when I tested Firewalla Gold, and the Purple was up and running in a few minutes. That includes my ad blocking and routing rules, along with VPN and DDNS settings. That means you can connect to your home network via a VPN connection, either protecting your Wi-Fi activity while you’re away from home or allowing you to access devices and files stored on your home’s network. I haven’t had a reason yet to leave the house and take Purple with me, but messing around with the app and reading through the instructions makes it look simple enough. The only catch is that you’ll need to complete the initial setup of Purple before you take it with you.

    Firewalla also has Blue Plus, Red, and Gold. Each one varies in cost and overall network speed, with the Gold and Purple being the most capable and powerful of the bunch. You can learn more about Firewalla’s network security products either by visiting Firewalla’s website or reading my review of the Blue.