Episode: 2820
Title: HPR2820: 29 - CERT Home Security Tips
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2820/hpr2820.mp3
Transcribed: 2025-10-19 17:17:06
---
This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15, that's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hello, this is Ahuka, welcoming you to Hacker Public Radio and another exciting episode. In this case, part of our series on security and privacy, or privacy and security, depending on how you want to say it, and in this one I want to report to you on something called Security Tip 15-002 from the Department of Homeland Security here in the United States. This one is called Home Network Security, and I think it is worth just kind of taking a look at what they have to say here. So I'm just going to report on really what they are advising people to do.

They start off by saying that people have misconceptions. One of the misconceptions is, well, my home network is too small to be at risk of a cyber attack. Let me say, well, that's not really correct. I think many of the people who listen to Hacker Public Radio understand that it's not a question of being directly attacked. In many cases, it's just something that's out on the internet looking for anything it can find. The second misconception is that devices are secure enough right out of the box, and we all know that is just not the case. Okay, your home network is not too small, because attacks are really not personal in nature. And the devices are not secure enough because they come with factory-issued settings, default user names and passwords. I have heard reports of devices where a single password was hard-coded into every single device. I mean, that's just absolutely insane kind of stuff that goes on. And it's particularly with the IoT devices that you see a lot of that.
So, basically, what they're just trying to say is, look, if you're a home user, there are things that you do want to take a look at. So, what do they suggest? Okay. Now, they refer to these as mitigation techniques. And I can tell you, as a project manager, when I hear the word mitigation, what that suggests to me is there's a risk out there. This will, to some degree, reduce the risk or reduce the bad outcomes associated with the risk or something like that. It doesn't mean everything is just going to be rainbows and unicorns. It'll make things better. There's still some amount of risk.

So, what do they suggest? Right at the top, update your software regularly. I think this is so important. I believe I reported on this a year or two back, looking at a survey that was done of security professionals. And this was the number one thing they said. The security professionals said, update your software. Now, there are various ways to do that. I have one Windows machine, and that is just configured to apply all the updates automatically. My Linux boxes, I have several of those. I get notifications, but I will apply those updates when they come in. So, they refer to updating software as one of the most effective steps you can take to improve the overall security posture. A good company will issue updates and patches, but if you don't apply them, it doesn't do you any good at all. A lot of software applications, and increasingly some devices, will start to automatically check for new updates. And then US-CERT also says, if automated updates are not available, consider purchasing a software program that identifies and centrally manages all installed software updates. Now, if you're an open source user, as I mostly am, my Linux package management software is doing that very nicely for me. So, I'm going to know about all of those things, but occasionally a software package is going to let me know, hey, I've got an update available. And usually that's something on Windows. Well, apply it.
Next, remove unnecessary services and software. This is what we call reducing the attack surface of your network and your devices, including your router. Unused or unwanted services and software can create security holes. And particularly they mention, take a look at new systems, because vendors install so much bloated crapware on them. And you really shouldn't just ignore it, you should get rid of it, because that can be a vector for some kind of zero day that comes along. And what I hear all the time with these things is the report of the security hole will include something like privilege elevation, allowing someone to install and run software that they shouldn't be able to.

Next, US-CERT says adjust factory default configurations. Yeah, okay. If you get a router, for instance, a lot of routers are going to come to you with a default of, you know, admin is the login and admin is the password. Well, you know, that's the default on everything out of the box, right? So the first thing you should be doing is get rid of that admin account. Use it once to get in there and create your own specific account and give that the admin rights and give it a password, and then delete that default account. Okay, simple step, but you've got to do that if you want to reduce your attack surface.

And they say run up-to-date antivirus software. That's probably not quite as big a deal, depending on how sophisticated you are. But I think it still provides decent protection and it's something worth looking at. Now, we don't have the level of viruses on Linux that some other operating systems have. And particularly if you're careful in Linux to not run as root, and you should never run as root. Okay, what you should do is either change to root when you need to or use the sudo command or something like that.
You know, that's what I do, for instance, when I need to install updates: I run sudo apt, you know, sudo apt update, sudo apt upgrade, and that's the two-step that I go through to apply any updates that I have.

Okay, next they say install a network firewall. All right, good thing to do. There are various ways of doing this. But the idea of a firewall is it's going to block malicious traffic and alert you, if you configure it properly, about potentially dangerous activity. It can serve as a barrier. So, most routers now come with a configurable built-in network firewall. So, that might be a good place to start; you know, just getting that set up gives you some sort of protection. You know, make sure, of course, that it is turned on. Now, if you want to go further, you could get, I think you could even probably do this on a Raspberry Pi, or you can buy a pre-configured device that is running something like pfSense, which is a very good configurable firewall. And in addition to a network firewall, you can install firewalls on your computers. So, you know, a lot of operating systems come with a built-in firewall; up-to-date Windows or Linux systems have them. So, that's a good thing to do.

Next, they say regularly back up your data. Now, the reason that that's important is not so much that it will stop an attack as that it will render you less vulnerable. The scenario you want to be thinking of is an encryption attack. There are various programs running around on the internet that, if they find a way to get in, will then apply encryption to all of your data, and just give you a message saying, hey, if you want to ever see your data again, you've got to give us some money. How do you protect yourself against that? You know, you can have all of the other protections and just get bad luck. You could stumble on a website that has malware on it that somehow gets past all of your other things and encrypts your system.
Now, if you have not taken any measures to back up your data, you're now faced with either starting over without your data or paying them money. And at that point, I'm starting to hear that not all of these, you know, when they first did this, you were usually safe if you paid the money, because they wanted to establish that they were reliable so other people would keep giving the money. But I'm hearing now that some of these bad actors out there will just take your money and run, and you still have encrypted data.

Next, enable wireless security. This is an evolving kind of thing. If you have a Wi-Fi router, you want to make sure that you enable the best protection you can. Depending on how old the router is, that might be something like WPA2. You know, if all you see is WEP, get a more modern router. WEP is not any good anymore. So WPA2, and now you're going to start seeing WPA3. There's just a report out as I record this about, I think it's called Dragonblood, a vulnerability in WPA3. And I think I did a whole show about WPA3. The problem, as Steve Gibson says, is that instead of being developed in public where people could review, comment, and help improve it, they did it all behind closed doors. And they're treating it as a proprietary protocol, and that's really stupid, but, you know, who said the people running the Wi-Fi were smart? Still, you know, get the best protection you can on your Wi-Fi router.

And then they mention, as part of that, change the default password. It's similar to what we talked about above: not just the password, change the default login. Change all of it. Change the default SSID, which is the network name. You know, give it something that's, you know, unique to you. Disable Wi-Fi Protected Setup. Now, this is one of those things that supposedly makes it easier for a wireless device to join a Wi-Fi network without having to enter the wireless network password. I hope it's obvious why that's a stupid thing to do.
And, you know, the specification is not well designed. You know, this is the one, you may have heard about this, where there's an 8-digit PIN, but if you just put in 4 digits, it'll tell you if those are correct, and then you can work on the second 4 digits. You know, do the math. 4 digits is not that strong.

Okay, reduce your wireless signal strength. So the idea here is, you know, if you're blasting Wi-Fi out to the entire neighborhood, you've got a big attack surface. So, you know, maybe just get it so it extends to your home and doesn't really go any further. Now, you know, there's probably going to be, you could say, no, I want to be able to, you know, take my laptop out to the back garden or whatever. Okay, well, you're just, you're taking a risk. Turn the network off when not in use. Okay? That should be pretty simple to understand. You know, if you're not blasting Wi-Fi out all the time, that's fewer opportunities for anyone to get in. Disable Universal Plug and Play. Okay? This is another one of those things. Hey, let's make it super easy for everything to connect to the network. Yeah, it is super easy. Super easy for the bad guys. Don't do it. You know, take the time to actually configure your devices. You know, I've got a, you know, my Wi-Fi network, I have a long and strong, high-entropy password. And that's what I do. You know, check for firmware updates. This is similar to what we talked about before with software updates. The firmware on your router and similar devices, you know, those frequently have security improvements that you want to take a look at. Disable remote management. Okay? I don't want to be able to come in over the internet and manage my router. That's a bad idea. If I can do it, anyone can do it. And finally, monitor for unknown device connections. Good idea. You know, check to see who's joining your network and what's going on. Use something like Wireshark every once in a while just to see what's going on. Not a bad idea.
Now, email threats are a big deal. Phishing emails are particularly, you know, people are starting to figure out how big a deal this is. Where I work, which is a major global company, they now have a program where they send out phishing emails internally to employees. If you click on one of those things, you are automatically setting yourself up for re-education, as they say. I have never been caught by one of these yet, because I am naturally very suspicious. And it's like, wait a minute, something about this email just doesn't sound right. It fails the smell test. But, you know, look for, you know, a suspicious sender address, generic stuff. You know, if the email comes to you saying you need to change your password and it's signed "email administrator". Well, which email administrator? That could just be a name someone decided he is. Check the hyperlinks. Just move your mouse cursor over the link and read the text that pops up. So, you know, and if it's a URL shortening service, you know, I just, I'm not going to click on those things. Watch out for attachments. Watch out for emails with poor grammar and spelling and all of that.

Then the last thing they say, improve password security. We've talked a lot about password security. So, number one, password manager. I use LastPass. There are a number of ones out there. If you feel that, you know, you'd much rather use something other than LastPass, hey, fine, just, you know, make sure that it is at least equivalently strong. And the idea of doing that is you can make your passwords long and complex. Now, you may run across someone saying, oh, horse battery staple. Yeah, I read the XKCD. I know all about that. The problem is, those are using words that are in the dictionary, and guess what? The bad guys have already adapted to all of that. So, entropy consists of complete randomness. If you can remember it, it's not strong enough.
So, what I would suggest is you use a password manager and let it generate your 12 or 16 completely random combinations of letters, numbers, and special characters, yada, yada, yada. And then you don't have to. Then all you have to do is have one password that you remember to open the password manager. I'm going to assume you have some way of doing that. I certainly do. And, you know, use a unique password for each account. Because one of the things they do, if they can log into your account on some website where, you know, I wanted to comment on a blog and they made me create an account, and then someone gets that, they say, gee, I wonder if this person used the same login name and password for their bank. So, you don't want to do that. And again, a password manager is going to make that so much easier to deal with. And also avoid using personal information. There was, you know, a few years ago, we had a vice presidential candidate whose Gmail account was hacked. And it was because it was protected with things like which high school did she go to. And it's like, you know, you can look, it's not that hard.

So, anyway, that's what US-CERT from the Department of Homeland Security had to say about all of this. And I thought it was worth passing this along to my friends at Hacker Public Radio, so thank you and goodbye.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.
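The episode's "check the hyperlinks" and "don't click URL shorteners" advice, turned into code as an added example that is not part of the episode or of the US-CERT tip: it pulls every anchor out of a constructed HTML message and flags links whose visible text names a different host than the real target, or whose target is a known shortener. The shortener list and the sample message are assumptions made up for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of URL-shortening hosts; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Visible anchor text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)
# Constructed sample message; every host is a placeholder under .test or example.com.
SAMPLE_EMAIL = """<p>Dear user, your password expires today.</p>
<p>Reset it at <a href="http://login.example-phish.test/reset">https://mail.example.com/reset</a></p>
<p>Or use this <a href="https://bit.ly/placeholder">link</a>.</p>"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start of an anchor: remember its target, reset its text
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:  # text inside the anchor, even across <b>/<span>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    # Lower-case hostname of a URL (scheme optional), or '' if it has none.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html: str) -> list:
    """Return (href, reason) for links whose real target is not what the reader sees."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""  # what the eye reads
        if target in SHORTENERS:
            findings.append((href, "URL shortener hides the real destination"))
        elif shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
    return findings
```

Running suspicious_links(SAMPLE_EMAIL) reports both links in the sample; a link whose text and href point at the same host produces nothing.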
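An added worked example, not from the episode, for the point about "horse battery staple" versus letting a password manager generate 12 or 16 random characters: it computes the entropy of each scheme and draws a password from the operating system's CSPRNG the way a manager does. It assumes a 7776-word Diceware-style list with the four words chosen uniformly at random (a phrase a person picked to be memorable has less than that) and the 94 printable ASCII characters.

```python
import math
import secrets
import string

# Assumed alphabets: 94 printable ASCII characters for a manager-generated
# password, and a 7776-word Diceware-style list for a word-based passphrase.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
DICEWARE_WORDS = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Draw a password from the OS CSPRNG, the way a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Bits of entropy: four random words versus 12- and 16-character random passwords."""
    return {
        "four_words": round(entropy_bits(DICEWARE_WORDS, 4), 1),
        "random_12": round(entropy_bits(len(PRINTABLE), 12), 1),
        "random_16": round(entropy_bits(len(PRINTABLE), 16), 1),
    }


if __name__ == "__main__":
    print(compare_schemes())
    print(generate_password())
```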