A Gift to Renew All Ages
Updated September 28, 2015.
Not to creep anyone out, but I’d like to announce that I know something unique about all of you. Now relax, because this revelation doesn’t come from sniffing browser histories or stalking social networks. Rather, I mean this in a Morpheus-esque sorta way: When you seek, you instantly begin to discover…or whatever motivational, semi-Taoist choice of words you prefer.
You see, you are reading this site. Therefore, I can immediately deduce that you have at least a minimal interest in info-social awareness. Even merely the intent awakens your senses, instantly ranking you a student among pupils, having concern for both the digital security and privacy of yourself and those close to you. What’s more, is that in today’s ultra-interconnected world, it’s become a sorely overlooked fact that when your info is safe and privacy respected, so is mine and vice versa, ad infinitum.
So this holiday season, why not spread the love? Instead of following the herd’s hyper-consumerism that has come to define our so-called “advanced” civilization, increasing the revenue of companies who could not care less about you and your family while wasting your financial resources on petty bullshit which will be outdated and outcast in less than a year, why not use your own Infosec-Fu to better the status quo, even if only in your corner of the world?
Save money, accomplish something meaningful AND prevent pwnage? I’ve got your attention now, don’t I.
So What’s the Plan?
This holiday season you’ll be using your skills to harden the home networks and/or computers of your friends and family. Your primary targets are the non-technical people, the ones who don’t change anything from default settings. It may sound simple or may seem daunting but either way, you hold all the cards; it’s something you can do to whichever degree your comfort zone, schedule or will power allow. No one is expecting you to provide self-compiled OpenBSD installations or a lifetime of tech support for their Smart Toaster.
Instead, you’ll be taking the Special Forces approach of getting in, meeting the objectives and then hauling ass outta there. You take the position of authority. You’re there to specify what’s being done and why, not to become trapped behind enemy lines from ambushes like, “This one time, the internet window closed, but I didn’t close it. Can you fix that? Oh, and sometimes the printer…”
It’s entirely up to you how far you want to take this. To get your imaginative juices flowing, here are some easy things you can do which won’t cause any suffering, cost nothing and establish a foundation massively more secure than out-of-the-box settings.
Broadband Modems & Routers
Feel very free to let nmap loose on the local network (and even the network’s perimeter device) to see what open ports and listening services you can close up. If you plan to go all out and flash a device with something like DD-WRT or Tomato, !do your homework! to make sure the exact version of the device supports the firmware you’re intending to use, and does so well. Failure to heed this advice WILL result in stress, a cornucopia of expletives and terrible shame.
However, whether factory firmwares or otherwise:
- Change the device’s administrative login name and password.
- Create a strong WiFi WPA2 (AES/CCMP) password, then enter it into the household’s devices. Make sure WiFi SSIDs don’t contain personal or property-identifying information.
- Write down AND create an uneditable PDF file of any login credentials you assign. Use a monospace font so characters like 1, l and I won’t look identical.
- Disable UPnP and other unused services. Disable WiFi Protected Setup (WPS).
- Where there is a separate modem and router, give the router’s WAN interface a static IP address, assign that address in the modem’s config page and disable DHCP in the modem.
- Assign a static IP to anything stationary on the network (printers, desktop computers, game consoles, media devices, etc.). Then reserve those IP addresses in the router for the corresponding device’s MAC address.
- Don’t do over WiFi what can be done with wires. It may cost a little, but if you can connect, say, a Smart TV by ethernet to the router, there’s no need for it to use WiFi when often these devices are sitting right next to each other. Better signal quality, less power used, less heat generated and minimal RF congestion—all win to be had.
- Disable wireless access to the modem and router configuration pages so that they can only be accessed by ethernet. Do this ONLY if the household has a desktop computer or a laptop with an ethernet port, or an Ethernet over USB adapter.
- Consider enabling WiFi AP isolation so wireless devices on the network can’t talk to each other. One more reason to connect TVs and Rokus and such things by ethernet, but WiFi devices like Chromecast and Matchstick obviously won’t work with this.
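Before filling in the router’s reservation table and deciding which management services to switch off, it helps to have a written inventory of what is actually on the LAN. The following PowerShell script is an added example, not something from the original post: run from a Windows 8 or later machine on the household network, it reads the neighbour (ARP) cache for IP/MAC pairs, marks the default gateway, and checks which common TCP management ports the gateway answers on from the LAN side. The port list, the `Role` column and the CSV file name are this example’s own choices; nmap will still give a fuller picture of the whole network.

```powershell
#Requires -Version 4
# Added example (not from the original post). Builds a LAN inventory for the
# static-IP / DHCP-reservation step and lists gateway management ports that are
# reachable from a wireless or wired client. Windows 8+ (NetTCPIP module).

function Get-LanInventory {
    # The default route's next hop is the router / gateway.
    $gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                Sort-Object RouteMetric | Select-Object -First 1).NextHop

    # Neighbour cache: IP -> MAC for hosts seen recently. Multicast, broadcast
    # and empty entries are dropped so only real devices remain.
    Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Permanent |
        Where-Object {
            $_.LinkLayerAddress -and
            $_.LinkLayerAddress -ne '00-00-00-00-00-00' -and
            $_.IPAddress -notlike '224.*' -and
            $_.IPAddress -ne '255.255.255.255' -and
            -not $_.IPAddress.EndsWith('.255')
        } |
        ForEach-Object {
            $role = if ($_.IPAddress -eq $gateway) { 'gateway' } else { '' }
            [pscustomobject]@{
                IPAddress = $_.IPAddress
                MAC       = $_.LinkLayerAddress
                Role      = $role          # fill in 'printer', 'desktop', 'TV' ... by hand
            }
        } |
        Sort-Object { [version]$_.IPAddress }
}

function Test-GatewayManagementPorts {
    # TCP only; SNMP (161/udp) and similar need a real scanner such as nmap.
    param([string]$Gateway, [int[]]$Ports = @(22, 23, 80, 443, 8080))
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $Gateway -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $open }
    }
}

$inventory = Get-LanInventory
$inventory | Format-Table -AutoSize

$gw = ($inventory | Where-Object Role -eq 'gateway').IPAddress
if ($gw) {
    "Gateway $gw management ports reachable from this client:"
    Test-GatewayManagementPorts -Gateway $gw | Format-Table -AutoSize
}

# Stationary devices' IP/MAC pairs go into the router's DHCP reservation table.
# Any port marked Open that the household never uses (telnet in particular) is a
# candidate to disable, or to restrict to the wired LAN as the list above suggests.
$inventory | Export-Csv -Path "$env:USERPROFILE\Desktop\lan-inventory.csv" -NoTypeInformation
```

Run it once from a wireless client and once from a wired one after you have changed the router settings: if the gateway’s admin ports still show `Open` from the WiFi side, the “ethernet only” configuration did not take.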
Desktops & Laptops
Here I’ll largely assume Windows machines. For OS X, I won’t parrot what’s already well laid out in several sources. If there’s a Linux computer in the household, the place is probably in good hands already, though you may find useful my Inventory for Debian Family Hardening, a lot of which applies to other distros too.
- Is a fresh installation of Windows possible? If so, do it. Yes, it’s more work for you but a clean slate is so important and after, you’ll get bonus points for how much faster the computer feels. The installation will go much quicker if you can install from a USB stick rather than DVD. Make sure you back up ALL of the person’s data beforehand!
- Replace each account on each computer with a standard user account and leave UAC at its default setting. Instruct that only these standard accounts are to be used.
- Install all the system updates listed as “Important” and from there, set up automatic updating. It’s not ideal, but is better than no updating at all. Install the latest version of EMET and bump up the restrictions on internet-facing applications. Go ahead and leave Windows Defender/Microsoft Security Essentials enabled.
- Install Chrome and/or Firefox to use in place of or alongside Internet Explorer (my rule: any computer should have at least 2 browser choices). Add uBlock Origin and HTTPS Everywhere for Chrome or Firefox. In Chrome, switch on Click-to-Play plugins and set Firefox’s plugins to “Ask”. Turn off Chrome’s automatic downloads and unsandboxed plugins. In both browsers, enable Safe Browsing and consider disabling 3rd party cookies. If you stumble upon Java browser plugins, find out exactly why they’re present and remove them if not absolutely necessary; update JRE if they are.
- If Internet Explorer is wanted or needed, lock it down. Always use the most recent version and enable Enhanced Protected Mode for full 64-bit processes (and AppContainer if on Win 8+). Enable SmartScreen filtering and install Tracking Protection Lists. Consider disabling 3rd party cookies and enabling ActiveX filtering, though blocking ActiveX will require user input for some sites.
- Set all networks to Public and only share the required directories and/or attached devices.
- Disable unneeded network services, stuff like Remote Desktop, Remote Registry, NetBIOS, Computer Browser, and file, printer and internet connection sharing.
- Disable AutoPlay for (at least) USB devices.
- Consider BitLocker for laptops.
- Consider DNSCrypt.
- Open up the computer’s chassis and use compressed air to blow out the dust inside.
- Have any old hard drives laying around? Consider wiping them, then giving them away with offers to back up someone else’s personal data or configure as network storage.
- If possible and the owner is willing, consider providing a crash course in free software and migrating the computer to Mint, an Ubuntu LTS, or other Linux distro. Prioritize desktop stability and support lifespan.
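Several of the Windows items above (standard accounts, automatic updates, Public network profile, unneeded services, NetBIOS and sharing, Remote Desktop, AutoPlay) are plain registry or service changes and can be applied in one go instead of clicking through dialogs on every machine. The script below is an added example, not from the original post; it targets Windows 8 or later with PowerShell 4, must run from an elevated prompt, and the account names in it are constructed placeholders. UAC, Windows Defender, EMET and the browser settings are deliberately left to the earlier steps.

```powershell
#Requires -Version 4
#Requires -RunAsAdministrator
# Added example (not from the original post). Applies the scriptable parts of
# the Windows checklist on Windows 8+. Review each block before running it on
# someone else's computer; account names are constructed placeholders.

# --- 1. Standard user accounts: demote the day-to-day logins, keep one admin ---
$StandardUsers = @('mom', 'dad')      # constructed: the household's everyday accounts
$KeepAdmin     = 'homeadmin'          # constructed: the one admin account kept for maintenance

$admins = net localgroup Administrators
if ($admins -notcontains $KeepAdmin) {
    throw "Account '$KeepAdmin' is not an administrator; fix that first so nobody gets locked out."
}
foreach ($u in $StandardUsers) {
    if (net user $u 2>$null) {
        net localgroup Users $u /add 2>$null | Out-Null
        net localgroup Administrators $u /delete 2>$null | Out-Null
        "Demoted '$u' to a standard user."
    } else { "Account '$u' not found, skipping." }
}

# --- 2. Automatic updates: download and install without asking (AUOptions 4) ---
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord

# --- 3. Every network profile becomes Public (tightest firewall profile) ---
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

# --- 4. Unneeded network services: stop now and disable at boot ---
$services = @(
    'RemoteRegistry',   # Remote Registry
    'Browser',          # Computer Browser
    'TermService',      # Remote Desktop Services
    'SSDPSRV',          # SSDP Discovery (UPnP)
    'upnphost',         # UPnP Device Host
    'SharedAccess',     # Internet Connection Sharing
    'lmhosts'           # TCP/IP NetBIOS Helper
)
foreach ($s in $services) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
        Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s -StartupType Disabled
    }
}

# --- 5. NetBIOS over TCP/IP off on every IP-enabled adapter (2 = disable) ---
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $null = $_.SetTcpipNetbios(2) }

# --- 6. File and Printer Sharing unbound from all adapters ---
Disable-NetAdapterBinding -Name '*' -ComponentID ms_server -ErrorAction SilentlyContinue

# --- 7. Remote Desktop connections denied ---
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1 -Type DWord

# --- 8. AutoPlay off for all drive types (0xFF), USB included ---
$ex = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $ex -Force | Out-Null
Set-ItemProperty -Path $ex -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Set-ItemProperty -Path $ex -Name NoAutorun          -Value 1    -Type DWord

# --- Quick check of what was changed ---
"Administrators now:"; net localgroup Administrators
Get-Service -Name $services -ErrorAction SilentlyContinue | Format-Table Name, Status, StartType -AutoSize
Get-NetConnectionProfile | Format-Table Name, NetworkCategory -AutoSize
```

Run it after the fresh install and the update round, while still logged in as the maintenance admin, and reboot afterwards so the service and NetBIOS changes take effect. If the household genuinely needs one of the disabled services (a shared printer, say), remove that entry from `$services` and re-enable the matching sharing binding rather than skipping the whole block.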
Be Legit, Stay Classy
There’s a lot more that can be done and it’s as easy to get creative as it is to get complicated and carried away. New hardware, 3rd party applications, securing smartphones and tablets; anything is your call to make. However, be extremely clear with everyone involved about what you’re doing, don’t push your limits with other people’s stuff and don’t try gaining accord for your services by inciting fear.
Next comes the topic of how you choose to initiate this social contract. I say that for maximum impact (and some legitimacy) you should present some kind of tangible voucher or symbol of your gesture. Otherwise, you show up for the holidays empty handed with nothing but a verbal assurance. You risk being the roommate who drinks all your beer who, to placate you in the moment, promises to replace the microbrews but never actually does. You, dear reader, are no Scumbag Steve.
Below are 3 basic but free gift certificate templates. More can be found with a web search or design your own for extra credit. Upon presentation of said voucher, you’ve successfully and admirably attempted to better the world. And though I’ve written this a few weeks before Christmas, it of course applies equally to any other day on the calendar. Well, it may cause a weird Valentine’s Day moment or two, but you be the judge. Good luck.