Securing home networks and IoT for family at holiday time

Many people head home to family at some point over the holiday season, whether that be like today for Thanksgiving in the US, Christian Christmas at the end of December or one of the many and varied holidays. During that time most people that are technical will be asked to help fix or setup various computer or internet related devices that family members that are not so technical have acquired or broken since the last time they ventured home. For me it use to be the regular upgrade/replacement of the Virus Scan and anti malware software. These days it tends to be patching of phones and tablets and all sorts of other devices.

So what can the average technical person do to help minimise risks to family members, or stop them from being part of a large botnet sometime in the future, without making the technology hard or even impossible for family to use, or to minimise the calls throughout the year.

Router

The first port of call should always be the router. Often these just get stuffed in the corner, on a bookshelf or somewhere out of site and forgotten. From a security point of view they are the most important, they are the thing that primarily protects everything else as they’re the ingress/egress point of the network. So what to do and change on these devices:

  • Upgrade the firmware to the latest supported version, and configure it to auto-upgrade if it’s an option. If the last firmware is ancient consider moving to a third party firmware like LEDE Project or an OpenWRT dirivative. Worst case scenario throw it away and give them a new one as their present.
  • Change the admin password.
  • Change the SSID and set a reasonable password.
  • Ensure that the admin interface isn’t available on the WAN link, do a port scan.
  • Turn off port forwarding and UPnP on the router.
  • Switch it to OpenDNS (208.67.222.222 208.67.220.220), Google Public DNS (8.8.8.8 4.4.4.4), the new Quad9, or even better a combination of them so if one service goes down or disappears their internet will still work.

Phones and Tablets

Ensure the phone is set to auto install new OS firmware releases, also ensure that apps are set to auto update and that if the provider, such as Google Play, has a malware scan option in their App store ensure that’s turned on so it’ll clean up any apps that are discovered to be problematic.

TVs, Bluerays and other Media Players

It’s surprising the number of these devices that have network connections and never get updated. In some cases the network functionality is rarely, if ever used, I know I’ve pretty much disconnected all Blu-ray players from networks, turned off the wireless if it has it, and not ever had a complaint. Often it’s better to replace some of old network media devices with ones that are actively maintained such as Google Chromecast, Amazon Fire, Roku etc. It’s also worth checking if any of these devices have the ability to connect to via ad-hoc means and disable that to limit connections to only those that are on the standard home network.

Various IoT devices

IoT devices should generally, if at all possible, be isolated on their own network. This is easy if as part of securing the router you moved it to LEDE or something similar above, and configure it to have a strict deny-by-default policy. Check the existing network for devices that are connected to it. In some cases there may have been a device connected to it some time ago that have long been forgotten about and are no longer in use, or the manufacturer has ceased to exist and they’re just a compromise waiting to happen masquerading as an expensive paperweight. Those that are in use might not be using the IoT/network functionality, if so turn the network off. Those that remain obviously ensure they’re running the latest firmware, set for auto update, and if possible move them to the IoT network. In some cases it might be possible or better to replace connected lighting if it’s some terrible WiFi/Bluetooth globe with something like the IKEA TRÅDFRI system as it has reasonable security, is of good quality and is affordable. Also don’t forget to check for things like doorbells, locks, cameras and other such devices.

Conslusion

Securing the router and associated DNS is by far and large the most important thing to do, it will help mitigate/protect most of the other problems that loom on the inside. But disconnecting, throwing away, replacement of old devices is sometimes the easiest way to fix them too, or else isolating them.

Let me know what else people do, and what I missed.

Useful commands for manipulating PDFs on Fedora (any linux really)

So it’s not much of a secret that the Red Hat expenses system is truly terrible. Not a well known is the EMEA accounts team still require what I call “Arts and Crafts sessions” (all receipts attached to bits of paper and scanned as a whole) even though there’s no legal requirement for paper receipts to be provided any more in the UK/Ireland/EU!

Anyway the system regularly routes the emailed PDFs to /dev/null for no apparent reason and then you have to scratch your head and try and work out what’s wrong.

Size: this is the regular issue, basically if the PDF is larger than a few Mb it barfs. Thankfully ghostscript comes to the rescue here.

gs -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -sOutputFile=new_file.pdf original_file.pdf

The -dPDFSETTINGS setting has a few options:

  • /screen selects low-resolution output and hence the lowest file-size.
  • /ebook selects medium-resolution output with a medium file-size.
  • /printer uses high-resolution option which is mainly used for printing PDFs.
  • /prepress) similar to /printer but gives you the largest files.

Too many pages: Airline bookings are the great ones here, they add pages of adds to a one page receipt. Two pages are either to “print” just the page you need, or use oowriter (Libre Office Writer) to open it, delete the pages and export as PDF again.

Multiple PDFs: In theory the system can handle multiple docs. My millage has varied a LOT here. Easy fix comes from the poppler-utils package:

pdfunite doc-1.pdf doc-2.pdf doc-3.pdf out-doc.pdf

PDF versions: I have found 1.4 be the most effective here. Ghostscript comes to the rescue again here:

gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -dNOPAUSE -dQUIET -dBATCH -sOutputFile=output.pdf input.pdf

Adjust the level -dCompatibilityLevel to the version you need.

Standing desks

So around three months ago (yes, I must do a post on that too) I changed roles at Red Hat and moved from constantly travelling and being on customer sites to working from home. As a result I needed to setup a workspace that I could use day to day.

One thing I’ve always wanted to try is a standing desk. I have back problems, and generally not the best posture, so I thought that would be one way to be able to deal with at least the later, and potentially even the former. The main problem, until recently, is that decent standing desks tend to be very expensive and I didn’t want to needlessly go and spent a lot of extra money for something that would be used for a week and never again. So I decided I would start with a cheap height adjustable desk, which I needed to get anyway due to my height, and then use it as a the basis of a standing desk and then hack it from there. The initial combo I decided on after a lot of looking was the IKEA Galant Height Adjustable Desk at £49 and the IKEA Lack Side table at £8 plus delivery. I figured at less than £100 including delivery if it was terrible I wasn’t wasting a lot of money!

As it turns out it’s been much better than I ever expected it to be. I initially setup the desk to the height I would want when sitting. At a height of six foot three inches I’m not the shortest of people so when sitting I prefer a higher than average desk. Sitting the Lack table on top of the desk by chance also ended up also giving me the perfect standing height. Bonus! A few quid for some foam gym mats plus a decent height adjustable monitor (the most expensive bit by far!) and I was done! Well mostly, I still haven’t decided on a decent keyboard yet.

So how does it look? Well a little bit weird to be honest. How does it work? Better than I ever expected as I find I can happily stand at the desk for a full eight hour working day without too much issue and I’ve even done longer (hello Fedora beta release candidates!!) and my back feels better than it has in a long time! I was also trying to decide on a decent but reasonably priced office chair to buy but now I’m not going to bother. Interestingly IKEA has also just launched the BEKANT sit/stand desk which is reasonably priced and has electric motors for raise/lower. It’s likely I’ll end up getting one of these one day but for the moment my IKEA hack is working pretty well.

Cheap IKEA Standing Desk

Flock 2014 revisited

So having almost recovered from the lack of sleep that is one of the guarantees of conferences in general, but definitely a Fedora one, I thought I would reflect on a few bits. I’m not going to cover all the talks as a lot of people have done that and all the talks are on the Flock 2014 YouTube channel for your viewing pleasure.

As others have mentioned the venue was great, easy to get to and from for transport and the hotel. Huge kudos to the organisers of the event! An event such as this takes a lot of time and energy, and with the dust barely settled the Flock 2015 Bid process is already under way so if you’re interested in hosting 2015 in North America…

My State of ARM and aarch64 in Fedora went well, I enjoyed it and the room was packed with as many people standing as there were sitting 🙂 There was lots of good questions and interest, both in the talk, and in the hallway in general.

I went to numerous excellent talks, too many to count or remember and I’m looking forward to catching up on a number of talks I missed due to schedule conflicts, via the videos, when I get some spare time. Of course the other major part of the conference is the hall way track. There I had too many conversations to recall and caught up with numerous old friends, met a number of people I’d been dealing with online and had never met in person, and of course met a whole bunch of new friends too! It’s amazing how much can be achieved when talking to someone on the walk between conference rooms!

One of the other major things I enjoyed about Flock this year was the overall positivity of everything about the conference, whether it be people’s general attitude, the presentation titles and the presentations themselves or people in the Litre Pub 😉 . And of course being one of our values I have to mention that catching up with so many good friends is always the sugar on top of the cake!