The idea was to write a short guide to help you make your home computers more secure.
It's definitely a step in the right direction to protect your network, PC and wallets from unauthorized access.
WLAN NETWORK
Starting with the (for me) most important part, because it is also the most critical one.

- Disable WPS
Basically there are two different ways to establish a connection via WPS.
PIN: To establish a connection you have to enter an 8-digit PIN.
The router does not check the 8-digit PIN all at once; instead it checks the first four digits and then the last four, which shrinks the search space for an attacker dramatically.
Reaver, for example, offers a very simple way to launch a brute-force attack on the WPS PIN.
Attention: The WPS PIN function is enabled by default on many router models.
Push-Button: This is a much safer variant, as a physical button on the router has to be pressed and the connection can only be established for a matter of minutes.
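To show why the two-stage check matters, here is an added example (not code from the original post): a constructed toy router oracle that, like WPS, confirms the first four digits on their own, plus a count of how many guesses that leaks compared with a router that only answers yes or no for the whole PIN. The oracle is a model and talks to nothing; the PIN used is a made-up sample.

```python
"""Toy model of the WPS PIN weakness described above.
Added example, not code from the original post. The 'router' is a
constructed oracle that mimics the two-stage check; it is not a real
WPS implementation and does not talk to any device."""


def split_check(secret: str, guess: str) -> str:
    """Router that confirms the PIN halves separately, as WPS does.
    Returns 'ok' for a full match, 'half1' if only the first four digits
    match, otherwise 'fail'."""
    if guess == secret:
        return "ok"
    if guess[:4] == secret[:4]:
        return "half1"
    return "fail"


def attempts_needed_split(secret: str) -> int:
    """Guesses a plain counter needs when the router leaks whether the
    first half is right: at most 10^4 + 10^4 instead of 10^8."""
    attempts = 0
    first = None
    for i in range(10_000):
        attempts += 1
        result = split_check(secret, f"{i:04d}0000")
        if result == "ok":
            return attempts
        if result == "half1":
            first = f"{i:04d}"
            break
    if first is None:
        raise ValueError("secret is not an 8-digit PIN")
    for j in range(10_000):
        attempts += 1
        if split_check(secret, first + f"{j:04d}") == "ok":
            return attempts
    raise ValueError("secret is not an 8-digit PIN")


def attempts_needed_atomic(secret: str) -> int:
    """Guesses needed when the router only answers yes/no for the whole
    PIN: a plain counter reaches the secret after secret + 1 tries."""
    return int(secret) + 1


def worst_case() -> dict:
    """Upper bound on guesses for each verification style."""
    return {"split": 10_000 + 10_000, "atomic": 10**8}


if __name__ == "__main__":
    pin = "12345678"  # constructed sample PIN, not a real device value
    print(attempts_needed_split(pin), attempts_needed_atomic(pin), worst_case())
```

The gap between the two counts is the whole argument for disabling WPS PIN: the router's own answer turns one 100-million-way guess into two 10-thousand-way guesses.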
- Change WiFi Password and Admin Password
A Netgear router default (WiFi) password is composed as follows:
adjective + noun + 3 digits
Shouldn't be too difficult to find using a dictionary + Hashcat with a GPU.
You can find an overview of WiFi password standards on the following website:
https://forums.hak5.org/topic/39403-table-of-wifi-password-standards/
Please also change the default admin password as soon as possible!
If you cannot remember your default password, you can find it for example here:
https://default-password.info/

- Do NOT(!) hide your network
The SSID (the name) of your network is sent as a broadcast so that it can be detected by other devices.
Suppressing the SSID broadcast is NOT a security feature!
What happens if you disable the SSID broadcast: now the clients have to actively search for their trusted networks by broadcasting probe requests containing the trusted SSID.
Attackers can now use this SSID information to impersonate a trusted AP towards the client.
Even Windows' built-in tools are able to display hidden networks (netsh wlan show networks mode=bssid).
The SSID itself is relatively easy to find out with Kali Linux and airmon-ng.
- Only use WPA or WPA2 (Important!!)

- Do NOT filter MAC addresses (optional)
Filtering MAC addresses is generally NOT considered a security feature; it is more of a network administration feature.
All an attacker needs to do is monitor the traffic and read an allowed MAC address out of a data packet.
However, this filter has no downside in terms of security and can therefore still be configured if you want to.
PASSWORDS
- Use an offline password manager
Please do not use any browser extensions!
My recommendation: KeePass
Hint: KeePass can also be used in combination with a YubiKey.
Here is the official tutorial: https://www.yubico.com/why-yubico/for-individuals/password-managers/keepass/

2 FACTOR AUTHENTICATION
In addition to passwords it is recommended to activate 2FA (wherever possible).
Google Authenticator is probably the most popular tool available.
My recommendation: Authy
Authy provides the ability to back up all authenticator accounts and grant access from multiple devices.
The backup is stored encrypted in the cloud.
Anyone who has ever migrated their Google Authenticator to a new smartphone will probably appreciate the advantage of this solution.
However, the backup function does not have to be activated.
(Everyone has to decide for themselves whether they would like to use the backup function.)
Hardware authentication via FIDO U2F is even more secure!
My recommendation: Buy a YubiKey!
How this works with a Ledger you can read in another thread of mine: [Howto] Use Ledger Nano as Security Key

MAIL ADDRESS
- Is your mail address part of a data leak?
Simply navigate to https://haveibeenpwned.com/, enter your e-mail address and click on the "pwned?" button on the right.
It will automatically check whether the e-mail address and associated accounts appear in known breaches.
- Choose the right provider
My recommendation: ProtonMail

- Phishing Mails
These mails are used by malicious actors to steal personal data or money.
Here are some common methods:
- You have won: You are the winner of a contest, lottery or similar; in order to receive the prize you should first pay a fee or accrued taxes.
- Mails asking you to reset your password
- Sextortion SCAM: Here the perpetrator claims to be in possession of a webcam recording of you visiting a porn site.
Often a password is also attached that has been linked to your e-mail address in the past.
This mostly comes from a data leak. (Please refer to: Is your mail address part of a data leak?)
Hint: Generally use a separate password for each service and use a password manager.
USE VPN
For additional protection, it is recommended to use a VPN service that does not log private data.
This is especially recommended if you are not in your own home network.
My recommendation: AirVPN (native client also for LINUX!!) or NordVPN