6 August 2020

Keeping your home network secure

  1. Privacy
    1. Use a VPN that isn't part of the 5/9/14 Eyes, has unlimited data and doesn't log your activity: https://www.vpn.com/guide/spreadsheet/
    2. Reduce Microsoft telemetry with O&O ShutUp - and why
    3. Pi-hole
  2. Updates
    1. OS
    2. Apps, firmware, drivers
  3. Credentials
    1. Passphrases instead of passwords, or random passwords and a password manager
    2. Unique passwords for everything - haveibeenpwned.com
    3. Enable 2FA on all accounts
    4. Change default passwords on all IoT devices including the router
  4. Router
    1. Move to WPA3, and change and hide your SSID so your model of router isn't publicly available and it can't be tracked to your name. Disable older methods (be exclusive, not inclusive)
    2. Disable WPS, UPnP, remote management and port sharing. Update the router, or move to one with granular control, such as creating a second network for IoT devices
    3. Disable DHCP and use static addresses and known MACs, and change the IP range from 192.168.xxx.xxx
    4. If feasible, turn off just the WiFi when you're not in so there is less chance of attack. Keep anything critical on LAN connections.
    5. When travelling, take a travel router with you, and/or use an SSH tunnel to your home address (the Firewalla has the option of a VPN server)
  5. Services
    1. Disable remote access
    2. Disable Samba v1
    3. Secure DNS
    4. Disable Bluetooth and any listening devices e.g. Google Home, Amazon Alexa, Apple Siri
    5. Port scanner e.g. nmap (use internally and externally) - prefer this to website port scanners
  6. Internet
    1. Use an internet security product rather than just antivirus (e.g. sandboxed browsers for banking, phishing filter, granular control of incoming and outgoing apps)
      1. https://rjcuk.blogspot.com/2021/05/antivirus-internet-security-products.html
    2. Use more than one AV product or set of tools
    3. On any downloads, check SHAs where possible and use VirusTotal, enable SmartScreen, run apps in sandboxes where preferable
    4. Set up a honeypot
    5. Network/IP/LAN monitors and scans including scanning from the internet for open ports
  7. Isolation
    1. Use VMs, containers or sandboxes (Windows 10 has one now)
    2. Wipe and reinstall your machine regularly
      1. Attendees of Black Hat conferences go as far as to dump their laptops afterwards
      2. If you're going to the US, use burner equipment - why
      3. Elliot in Mr Robot uses the microwave, but I don't recommend it - more advice
    3. Encrypt your HDD/SSD
    4. Route all traffic through a local gateway/proxy e.g. Raspberry Pi
      1. Squid proxy for just HTTP/S
    5. Firewall e.g. Firewalla
    6. Use a guest network for IoT devices and friends
  8. Physical security
    1. Turn things off when not at home
    2. Don't leave any devices "on display" - lock them away when not using them
    3. Scheduled offsite backups, e.g. cloud - encrypt the data itself (some tools can provide this)
    4. Cameras e.g. Ring. Either keep wireless ones on a separate guest network, or get wired ones instead.
      1. You could use Powerline but it doesn't work for everyone and your electrical grid may be shared with your neighbours.
  9. Use Linux
  10. Other general advice
    1. Online safety
    2. Cyber aware
  11. Security hardware
    1. linitx.com
    2. ebuyer.com
    3. novatech.com
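
For the "static addresses and known MACs" item under Router, and the network monitoring item under Internet, here is an added example (not from the original post) that audits a Linux neighbour table against your device inventory. The allowlist, the 10.44.7.x range and the sample `ip neigh show` output are all constructed for illustration.

```python
import re

# Constructed allowlist: MAC -> static IP you assigned (all values are made up).
KNOWN_DEVICES = {
    "dc:a6:32:00:00:01": "10.44.7.2",   # Raspberry Pi gateway
    "3c:52:82:00:00:02": "10.44.7.10",  # desktop
    "f0:18:98:00:00:03": "10.44.7.11",  # laptop
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
10.44.7.2 dev eth0 lladdr dc:a6:32:00:00:01 REACHABLE
10.44.7.10 dev eth0 lladdr 3C:52:82:00:00:02 STALE
10.44.7.57 dev eth0 lladdr f0:18:98:00:00:03 REACHABLE
10.44.7.99 dev eth0 lladdr 02:11:22:33:44:55 DELAY
10.44.7.200 dev eth0  FAILED
fe80::1 dev eth0 lladdr dc:a6:32:00:00:01 router STALE
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17})\b"
)


def audit_neighbours(neigh_text, known=KNOWN_DEVICES):
    """Return a sorted list of (kind, mac, ip) findings."""
    findings = set()
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:  # FAILED/INCOMPLETE entries carry no MAC, nothing to check
            continue
        ip, mac = m["ip"], m["mac"].lower()
        if mac not in known:
            # A device that is not in the inventory at all.
            findings.add(("unknown-device", mac, ip))
        elif ":" not in ip and known[mac] != ip:
            # Known device on an IPv4 address other than its static one.
            findings.add(("unexpected-address", mac, ip))
    return sorted(findings)


if __name__ == "__main__":
    for kind, mac, ip in audit_neighbours(SAMPLE_NEIGH):
        print(f"{kind:20} {mac}  {ip}")
```

MAC addresses are self-reported and many phones randomise them, so treat the findings as an inventory check to investigate, not as proof of who a device is.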