Re: [math-fun] Secure internet (OT)
Hi Dan:
If you have reasonably current Apple gear, and *if it is configured properly* (the default configuration for Apple gear is "usually" pretty good), and if you use reasonable passwords, then you should be reasonably secure.
If you have Apple gear that is so old that it is no longer receiving updates, then get new gear that is, because so many vulnerabilities have been found just in the past year or so, that firmware updates are mandatory.
Apple is better than most other vendors at trying to keep their customers "reasonably" secure.
An antivirus (AV) program is a government surveillance expert's dream: if you hand it a "definition" file, it is a shopping list of files the AV program is constantly pawing through your system trying to find. So the easiest way for a hacker to find something on your computer is to hack the AV program and ask *it* to look for the stuff. AV programs also tend to get the highest access "privileges", so once they've been compromised, you're toast.
Nowadays, the biggest problems aren't the gear or its software, but clicking on "phishing" emails. If you click on what you *thought* was an email from your bank or your internet service provider, you will be in big trouble. This is how the Democratic National Committee was hacked -- it wasn't due to any HW/SW vulnerability.
The other problem with individual home networks these days is that it takes only *one* vulnerable device to be hacked for someone to gain a foothold into your home network. After that, the hacked device can bang away incessantly 24x7 until it finds additional vulnerabilities. For example, a "smart" TV, a "smart" speaker, a "smart" home security camera, a "smart" thermostat, a "smart" fitness device, etc., can all be hacked. If any of these devices ask for your wifi password, simply use Nancy Reagan's rule: "just say no". If you have kids, or kids want to use your wifi, consider getting a separate wifi router that is used *only* for guests; they just aren't that expensive anymore (I purchased one for $35 new that works just fine, but it isn't Apple).
There is one excellent rule for home routers: disable "plug-and-play" (UPnP), and don't allow any other devices -- e.g., game consoles -- to turn it back on. UPnP has been involved in too many vulnerabilities.
Make sure that you use "WPA2" for your wifi passwords, and use relatively long WPA2 passwords. So-called "WEP" is totally broken & can be hacked in mere minutes. WPA3 will be even better when it finally comes out, as it provides for better protection against brute force attacks by someone in your neighborhood, or in a parked van.
You might consider changing your DNS provider to Google (8.8.8.8), rather than relying on your own ISP's DNS service. While this gives Google access to every DNS lookup, Google is probably less likely to give you a fraudulent IP address from such a lookup. You can change the DNS server not only in your browser(s), but also in your computer, and in your router.
Another rule that may be difficult for many people to agree to: turn off "SMB" file access on your home network. The Microsoft "SMB" protocols have been an infinite source of vulnerabilities.
Another rule: completely remove Adobe Flash from every device that you own. It has also been a nightmare of vulnerabilities.
Tor is just fine; I use it every day for general browsing. Because of the Tor Project's paranoia, they've done a lot to try to keep someone from the internet from messing up your machine(s). However, I wouldn't use Tor for accessing your bank accounts, because that would force your traffic to go overseas and back, and eliminates the possibility that your bank's own routing safeguards will protect you.
There have been a number of articles on using VPN's (Virtual Private Networks). If you choose to go this route(!), make sure that you trust your VPN provider implicitly, because 1) they can see (and potentially manipulate) everything; and 2) you've now made it impossible for many other safeguards to operate -- e.g., firewalls.
You should find out your own current IP address (there are a number of web sites that will tell you what it is just now; it can change from day to day or even hour to hour). Then run a *port scan* against your own IP address. If *any port is open*, then you should find out what it is and close it. Unless you are running your own web site or email server, you shouldn't have any ports open onto the main internet.
At 07:09 PM 9/9/2018, Dan Asimov wrote:
I've had at least two computer breaches in the past two years, and further reason to suspect my internet setup is not secure.
So I wonder if math-fun folks who know about such things can suggest to me how to set up a (relatively!) secure home internet from scratch.
I'm a Mac shop, so will need Apple-compatible stuff.
My concerns include the following:
1) I'd like the router security to be reasonably unbreakable;
I'm not sure how to achieve this.
2) I'd like my own internet use to be private and reasonably un-break-in-able;
This would involve at least some security software; I've used MacScan in the past without evident problems; I don't trust Norton or McAfee.
Maybe it also would require the Tor browser or something like it? I've avoided this so far because I don't want to find myself on some gov't watchlist just because I use it.
3) I would also like to be protected from someone in a windowless van down the street, containing special equipment, eavesdropping on my internet use.
Humor me for a moment no matter how unlikely you may think this scenario.
Is there a not-too-expensive way to reasonably protect oneself from that kind of eavesdropping? (Or at least a way to catch and have prosecuted the perpetrators?)
All helpful comments will be much appreciated!
Dan
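The message above says that if any port is open, you should find out what it is and close it. As an added example (not part of the original thread), this Python sketch does the "find out what it is" step from the inside: it reads the output of `sudo lsof -nP -iTCP -sTCP:LISTEN` on a Mac and lists the listeners that other machines can reach, labelling the SSH and SMB ports the thread mentions. The sample output, the `example` process and the function names are constructed for illustration.

```python
"""List TCP listeners reachable from other hosts, from lsof output (added example)."""
import ipaddress
from typing import NamedTuple

# Constructed sample; on a Mac, capture real output with:
#   sudo lsof -nP -iTCP -sTCP:LISTEN
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd     1 root   24u  IPv4 0x0000000000000001      0t0  TCP *:22 (LISTEN)
launchd     1 root   25u  IPv6 0x0000000000000002      0t0  TCP *:22 (LISTEN)
launchd     1 root   30u  IPv4 0x0000000000000003      0t0  TCP *:445 (LISTEN)
cupsd     321 root    6u  IPv6 0x0000000000000004      0t0  TCP [::1]:631 (LISTEN)
cupsd     321 root    7u  IPv4 0x0000000000000005      0t0  TCP 127.0.0.1:631 (LISTEN)
example   412 dan     3u  IPv4 0x0000000000000006      0t0  TCP 192.168.1.20:8080 (LISTEN)
"""

# Services named in the thread, keyed by their standard TCP ports.
KNOWN = {22: "SSH remote login", 139: "SMB file sharing (NetBIOS)", 445: "SMB file sharing"}


class Listener(NamedTuple):
    command: str
    pid: int
    user: str
    host: str
    port: int


def parse_listeners(lsof_text):
    """Parse rows ending in '<addr>:<port> (LISTEN)'; skip the header and other rows."""
    found = []
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 10 or f[-1] != "(LISTEN)" or f[-3] != "TCP":
            continue
        host, _, port = f[-2].rpartition(":")
        found.append(Listener(f[0], int(f[1]), f[2], host.strip("[]"), int(port)))
    return found


def is_loopback(host):
    """True only for addresses that other machines cannot reach."""
    if host == "*":            # wildcard: listening on every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:         # unparseable address: assume reachable
        return False


def exposed(listeners):
    """Unique (port, command, description) for non-loopback listeners, sorted by port."""
    seen = {}
    for entry in listeners:
        if not is_loopback(entry.host):
            seen.setdefault((entry.port, entry.command), KNOWN.get(entry.port, "unidentified"))
    return sorted((port, cmd, what) for (port, cmd), what in seen.items())


if __name__ == "__main__":
    for port, cmd, what in exposed(parse_listeners(SAMPLE_LSOF)):
        print(f"tcp/{port:<5} {cmd:<10} {what}")
```

A listener reported here is reachable from the home network; whether it is also reachable from the internet depends on the router, which is what the outside port scan checks.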
If you have a modem, you probably can access it through the 192.168.1.1 gateway (or similar address). One good thing to do is to change the default password of that device to something other than 'admin' and 'admin'; by doing that, nobody can access your IP number easily.
(also mentioned by Henry Baker) change the wifi access to WPA2 and a strong password,
best regards,
Simon Plouffe
On 2018-09-10 at 06:48, Henry Baker wrote:
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com https://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
Also, if I remember correctly, the default Mac config allows people to ssh directly into root if they know your password. Disable this so that (at the very least) the attacker needs to simultaneously guess the ordered pair (username, password). There was recently a vulnerability where they could ssh into root *without* a password; disabling the ssh-into-root would mean that a putative attacker would need physical access to your keyboard in order to exploit it.
Also, if you install homebrew (for free) you can then install rkhunter (for free). This is basically a non-invasive open-source malware detector: less sophisticated than AV software, but without the privacy concerns Henry mentions. It also only runs when you instruct it to do so, and generally only takes 10 minutes.
-- APG.
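One way to check the ssh-into-root setting discussed above, as an added example that is not part of the original thread: this Python sketch reads sshd_config text and reports the effective global `PermitRootLogin` and `PasswordAuthentication`, plus any `Match` block that overrides them. It assumes upstream OpenSSH defaults for absent keywords and does not follow `Include` lines; the sample configuration and function names are constructed.

```python
"""Effective root-login settings from sshd_config text (added example)."""
import re

# Upstream OpenSSH defaults used when a keyword is absent (assumption: a
# vendor build may differ; `sshd -T` prints what the installed sshd uses).
UPSTREAM_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# Constructed sample, not a real macOS file (the real one is /etc/ssh/sshd_config).
SAMPLE_CONFIG = """\
# constructed sample
Port 22
permitrootlogin yes
PasswordAuthentication yes
PermitRootLogin no
Match Address 192.168.1.0/24
    PermitRootLogin prohibit-password
"""


def effective_settings(config_text):
    """Return (global settings, Match-block overrides) for the audited keywords.

    sshd uses the first value it reads for a keyword, so a later global line
    never overrides an earlier one; lines after `Match` apply conditionally.
    """
    global_values, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                       # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = value
        elif key in UPSTREAM_DEFAULTS:
            if match is None:
                global_values.setdefault(key, value)  # first value wins
            else:
                overrides.append((match, key, value))
    effective = {k: global_values.get(k, d) for k, d in UPSTREAM_DEFAULTS.items()}
    return effective, overrides


def findings(config_text):
    """Describe every way the configuration still permits root login over SSH."""
    effective, overrides = effective_settings(config_text)
    issues = []
    root = effective["permitrootlogin"]
    if root == "yes" and effective["passwordauthentication"] == "yes":
        issues.append("root can log in over SSH with a password")
    elif root != "no":
        issues.append(f"root login over SSH is not fully disabled ({root})")
    for match, key, value in overrides:
        if key == "permitrootlogin" and value != "no":
            issues.append(f"Match {match}: PermitRootLogin {value}")
    return issues


if __name__ == "__main__":
    for issue in findings(SAMPLE_CONFIG):
        print("FINDING:", issue)
```

In the sample, the `PermitRootLogin no` line has no effect because an earlier line already set the keyword, which is the usual reason a "fix" appended to the end of the file does nothing.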
One last thing, and perhaps the most important of all:
Turn off Javascript as much as possible. The Tor Browser uses NoScript, which was recently found to have a 0-day bug, but Javascript w/o NoScript is even worse!
Javascript itself is a dumpster fire of really serious 0-day vulnerabilities -- e.g., "RowHammer", "Spectre", etc.
Suppose you're a medieval castle, with impregnable walls and a deep, wide moat. But if you buy Google's insistence on putting everything into Javascript, you provide every besieging army with water, food, fuel -- every convenience they need to continue to attack your castle.
But that's precisely what Javascript does -- it provides your besieging criminal and nation-state attackers an hospitable facility from which to throw incessant attacks.
And by all means, insist that your government open up the sewers and other hidden entrances to your castle to enable even more attacks from *inside* thanks to these govt-sponsored "back doors".
At 09:48 PM 9/9/2018, Henry Baker wrote:
participants (3): Adam P. Goucher, Henry Baker, Simon Plouffe