Security Best Practices at Home

<<

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Mon Nov 01, 2010 1:50 pm

Security Best Practices at Home

Hi Guys

I was reading an article by Keatron Evans called "Information security at home" (http://resources.infosecinstitute.com/i ... y-at-home/) and decided to create my own list by adding a few more pointers and wanted to know what suggestions you guys may have in expanding it further?

Standard Best Practices

1. If wireless in use, ensure WPA or WPA2 with AES encryption with a passphrase of more than 20 characters in length
2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices MAC Addresses
4. Keep Access Point away from Windows and Doors
5. Keep up to date with latest security patches (OS and all other applications running)
6. Ensure Anti-virus software and Anti-malware software is installed and up to date
7. If possible browse directly to websites that you wish to shop or logon to by entering the URI into the address bar.  Do not click on links sent via email or from within forums etc but if you have to, verify the links!
8. Don’t use REAL credit cards, and certainly not your bank card to shop online. Use a prepaid Visa/Mastercard/American Express to do all your online shopping
9. When using Myspace, Twitter, Facebook. Don’t accept friends you don’t know. Don’t EVER click on links that people post in their status updates. These could easily be links to malicious sites or data.
10. Use an account with the least amount of privileges required.  There is no need to browse the internet using an account with Admin rights!
11. Ensure that websites which use a secure communications channel (HTTPS) have a valid certificate.  If the browser complains that the certificate is untrusted, DO NOT ignore it and go ahead, verify the certificate.
12. Ensure Firewall on Router and PCs are switched on
13. Keep Router Firmware up to date

Advanced Best Practices

For those that are more paranoid or want to be even more secure:

1. Use a browser that supports the "No-Script" add-on. Being honest it can be a bit of a pain to configure correctly but if you choose to use it do not browse the internet and "trust everything"
2. Use 2 separate Virtual Machines.  Ensure all the above steps on each VM machine where applicable and use one strictly for sensitive applications such as banking etc and the other for general browsing of the internet.

Security Away from Home

Ok, strictly speaking this may not come under home security but just had to mention the following:

1.  DO NOT browse to any websites that require a logon to access sensitive information whilst connected to any public networks (in coffee shops, trains, internet cafes etc) whether the connection is wireless or not unless connected to a corporate network via a VPN.
2. Bear in mind that a lot of websites will often encrypt the login functionality, but once logged into the website will not use a secure cookie. Therefore the user's cookie and session can be sniffed as it will all be in clear.

Please feel free to add :)
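The point above about sites that encrypt the login but then issue a session cookie without the Secure attribute can be checked from the response headers. The following is an added example, not part of the original post; the header values and the session-name hints are constructed for illustration.

```python
# Constructed sample: Set-Cookie values as a site might send them after an HTTPS login.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=9f2c1e7a; Path=/; HttpOnly",
    "auth_token=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit_cookies(headers, session_hints=("sess", "sid", "auth", "token")):
    """Report cookies that would also travel over plain HTTP on a shared network.

    session_hints is an assumed heuristic for spotting session cookies by name.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        looks_like_session = any(h in name.lower() for h in session_hints)
        if "secure" not in attrs:
            severity = "high" if looks_like_session else "low"
            findings.append((name, severity, "no Secure attribute"))
        if looks_like_session and "httponly" not in attrs:
            findings.append((name, "medium", "no HttpOnly attribute"))
    return findings


if __name__ == "__main__":
    for name, severity, issue in audit_cookies(SAMPLE_SET_COOKIE):
        print(f"{severity:6} {name}: {issue}")
```

A "high" finding means the session identifier is not restricted to HTTPS, which is the condition the post describes.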
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Nov 01, 2010 2:16 pm

Re: Security Best Practices at Home

1.  DO NOT browse to any websites that require a logon to access sensitive information whilst connected to any public networks (in coffee shops, trains, internet cafes etc) whether the connection is wireless or not unless connected to a corporate network via a VPN.


Depends on how that VPN is set up. My corporate network uses split tunneling. Anything for our network goes over VPN; everything else goes over your regular internet connection.

Personally I push everything over my ssh connection to a server at home, and then do it all from there. VNC over SSH isn't hard. It's not perfect either. But for the few things it's not good enough for, I use the ssh connection as a proxy (for Youtube and the like).
OSWP, Sec+
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Nov 02, 2010 7:38 am

Re: Security Best Practices at Home

2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices MAC Addresses
4. Keep Access Point away from Windows and Doors


These three points cannot even stop script kiddies!!!

They could give a false sense of security...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Tue Nov 02, 2010 9:10 am

Re: Security Best Practices at Home

H1t M0nk3y wrote:
2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices MAC Addresses
4. Keep Access Point away from Windows and Doors


These three points cannot even stop script kiddies!!!

They could give a false sense of security...

H1t M0nk3y is right. I assume turning off DHCP is to defend against ARP poisoning. Assigning static addresses to machines does not defend against ARP poisoning, but static ARP tables do. Hope that was implied.
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Nov 02, 2010 9:23 am

Re: Security Best Practices at Home

Actually, I think that number 2 is meant so if the person connects to the network they won't get an address.

However, the same steps used to get past 3 can be used to get past 2.

* edited: self-edit to take out actual steps. (chrisj)

monitor network, get useful information, continue un-stopped.
Last edited by rattis on Tue Nov 02, 2010 9:25 am, edited 1 time in total.
OSWP, Sec+
<<

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Tue Nov 02, 2010 5:43 pm

Re: Security Best Practices at Home

You guys are right, but the intent of the list is to help people minimise exposure.  Obviously using wireless in the first place increases the threat level dramatically but unless your home network is being directly targeted I would probably say with the number of "open" wireless networks out there happily issuing IPs via DHCP it may put off some script kiddies!
<<

MindOverMatter

Jr. Member

Posts: 62

Joined: Wed Oct 27, 2010 7:57 pm

Post Tue Nov 02, 2010 6:12 pm

Re: Security Best Practices at Home

I guess it is a "best practice", but we are covered by our CC companies and banks who can quickly investigate (not always) and reimburse us etc. I've personally never had a problem and shopped online for years and years.

8. Don’t use REAL credit cards, and certainly not your bank card to shop online. Use a prepaid Visa/Mastercard/American Express to do all your online shopping
A+, Network+, Security+, CIW Associate, CCNA, C|EH
<<

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Dec 22, 2010 3:17 pm

Re: Security Best Practices at Home

I used to have my wireless access point's SSID as Jess, my first name. I didn't really see it as a big deal since nobody knew who I was, it used WPA2 and did not broadcast the SSID (I know that people could still sniff out the SSID).

Well, one of my neighbors did eventually sniff out my SSID. Shortly after I got my CEH certification package and put the sticker on my window, my neighbor approached me and said "hey, you must be Jess. You have the only WiFi network I can't break into here!". He was using BackTrack 2 at the time. Of course I don't approve of breaking into people's WiFi networks, but I thought that was kind of amusing. I never used my name as my SSID again because of this, and I also took the sticker down.

On a side note, at one point I was leeching off of a neighbor's open WiFi, until I started scanning the network and found all kinds of personal info available as a shared drive from a Mac. When I found it, I quickly told him about it (it was easy to find out which apartment he lived in from the documents), and I think he just unplugged his router because I never saw it again.

WiFi, in my opinion, is one of the biggest flaws in home networking, unless you know how to do it right. A lot of people like to just use it the way it comes out of the box, there are probably a dozen 'linksys' or 'netgear' access points in my neighborhood.

As far as coffee shop WiFi, I think it's pretty safe, especially if the sites you go to have valid SSL certificates. If I do something involving sensitive personal information, I'll tunnel over SSH, and I feel extra safe with that. I'd honestly be more worried about someone shoulder surfing.
Put that in your pipe and grep it!
<<

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Dec 22, 2010 4:00 pm

Re: Security Best Practices at Home

I just want to point out that cloaking your SSID may actually foster insecurity, or at the very least create privacy concerns.

What do I mean? Surely hiding the SSID is security by obscurity at the very least which is poor security alone but good to provide an additional layer nonetheless, right?

I understand the sentiment but disagree and here's why.

Reason 1 - Consider Karma, you know that fun tool that answers to wireless probe requests for network X and says "Oh! Oh! that's me! that's me! here I am, connect to me!" Congrats, you've just opened yourself to an AP impersonation attack

Reason 2 - It doesn't actually provide any real security and creates complacence due to a false sense of security. Sure you've hidden it from random passersby and Netstumbler users but who are the real threats? If you are cloaking your SSID you are also probably using decent encryption and changed default passwords, and maybe even robust authentication depending on your geekitude. The threats that concern me are the skilled, dedicated attackers with a malicious objective, not the guy trying to leech free wifi. That skilled attacker is not going to stumble his way through my neighborhood, he's going to use Kismet or something similar and sniff the connection strings right out of the air and he's going to have my SSID either way.

Reason 3 - When you hard code the SSID in your config you are advertising your network SSID to anyone sniffing these connections as you walk the preferred network list probing for that hardcoded network. Ever hear of wigle.net? It's fun stuff. You can search for the GPS coordinates and mapping data for a given SSID or for networks within a certain geographical area.

For instance, I spend a lot of time in airports. Let's say I was to sniff the SSID of travelling public and find say "John Chapman's Network" I look it up on wigle.net and find out where John lives. He's not home. Sweet! Maybe I will look him up on Facebook and find out if he has a wife and kids or if there are details about travel plans or pictures of their big screen tv. Awesome! Let's drive to his house and rob him blind. Obviously I would never do that as I'm an ethical professional but you get the point. What if the SSID was for "Pornhouse Internet Cafe" or "Chicken ranch"? I'm sure the mythical private investigator following me on behalf of my wife would love to report those as well!

Cloaking is bad. Friends don't let friends cloak wireless.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

hell_razor

Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Wed Dec 22, 2010 4:59 pm

Re: Security Best Practices at Home

Since rainbow tables are generated with SSIDs, I would suggest using a randomly generated SSID of sufficient length (depends on wireless vendor) and then a strong passphrase (randomly generated as well perhaps).  I would expect that to be good enough for home networks.
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
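Why the SSID matters for precomputed tables, as an added example that is not part of the original post: WPA/WPA2-PSK derives its 256-bit master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table built for one SSID is useless for another. The helper names, lengths and sample SSIDs below are assumptions chosen for illustration.

```python
import hashlib
import secrets
import string


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK pairwise master key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32)


def random_ssid(length: int = 16) -> str:
    """Random alphanumeric SSID; says nothing about the owner and is not a factory default."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(length: int = 32) -> str:
    """Random printable-ASCII passphrase drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Same passphrase, two common default SSIDs: the derived keys differ,
    # so any precomputed table has to be built per SSID.
    for ssid in ("linksys", "netgear"):
        print(ssid, wpa_pmk("correct horse battery", ssid).hex())

    ssid, passphrase = random_ssid(), random_passphrase()
    print("suggested SSID:      ", ssid)
    print("suggested passphrase:", passphrase)
    print("resulting PMK:       ", wpa_pmk(passphrase, ssid).hex())
```

A default or common SSID is what makes a precomputed table worthwhile to build; a random SSID removes that shortcut, and the random passphrase is what resists a direct guessing run.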
<<

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Dec 22, 2010 5:01 pm

Re: Security Best Practices at Home

tturner wrote:Reason 1 - Consider Karma, you know that fun tool that answers to wireless probe requests for network X and says "Oh! Oh! that's me! that's me! here I am, connect to me!" Congrats, you've just opened yourself to an AP impersonation attack

Isn't everyone with a preshared key vulnerable to that, anyway, if there are clients probing to connect to saved networks?

tturner wrote:Reason 2 - It doesn't actually provide any real security and creates complacence due to a false sense of security. Sure you've hidden it from random passersby and Netstumbler users but who are the real threats? If you are cloaking your SSID you are also probably using decent encryption and changed default passwords, and maybe even robust authentication depending on your geekitude. The threats that concern me are the skilled, dedicated attackers with a malicious objective, not the guy trying to leech free wifi. That skilled attacker is not going to stumble his way through my neighborhood, he's going to use Kismet or something similar and sniff the connection strings right out of the air and he's going to have my SSID either way.

If an advanced user can get your SSID either way, then you are only protecting yourself from basic users, but not making yourself more susceptible to advanced attackers.

tturner wrote:Reason 3 - When you hard code the SSID in your config you are advertising your network SSID to anyone sniffing these connections as you walk the preferred network list probing for that hardcoded network. Ever hear of wigle.net? It's fun stuff. You can search for the GPS coordinates and mapping data for a given SSID or for networks within a certain geographical area.

For instance, I spend a lot of time in airports. Let's say I was to sniff the SSID of travelling public and find say "John Chapman's Network" I look it up on wigle.net and find out where John lives. He's not home. Sweet! Maybe I will look him up on Facebook and find out if he has a wife and kids or if there are details about travel plans or pictures of their big screen tv. Awesome! Let's drive to his house and rob him blind. Obviously I would never do that as I'm an ethical professional but you get the point. What if the SSID was for "Pornhouse Internet Cafe" or "Chicken ranch"? I'm sure the mythical private investigator following me on behalf of my wife would love to report those as well!

If you don't put your name in your SSID, would that even be an issue? Again, that could happen even if you don't hide your SSID.

Don't get me wrong, I don't recommend hiding your SSID as a kind of defense against attackers, but does it really make you less secure than if it is broadcasting?
Put that in your pipe and grep it!
