Here in the U.S., the holiday season is upon us. For many, this means visiting with friends and family we haven’t seen in a while, and since you’re reading this blog, chances are good that you’re already Family Tech Support. Today, I’d like to offer some specific advice on how you can make some headway on battening down the cyber-hatches of your loved ones’ home networks. Hitting just one or two of these will do your family a world of security good—and might even make next year’s visit free of malware cleanup.
Home routers are pretty amazing computing devices. They run cool on embedded memory, so they don’t have any fans, disk drives, or other moving parts. This makes them surprisingly resilient hunks of hardware, and most people hang onto them for years and years. Unfortunately, this means that most people are running very old hardware that sits near the perimeter of their network. Most old routers don’t offer any automatic updating, so as long as the bits trickle through, people don’t think about maintaining them.
This gives you a great opportunity to surprise your loved ones this season with a brand-new home router. You can pick one up for under $100 (or spend more if you, I don’t know, want to impress your father-in-law). Not only will it offer automatic firmware updates, but it will also support the more recent 802.11 WiFi standards, which can dramatically improve your family’s home networking experience. Hey, usability and security aren’t at odds for a change!
Of course, dropping in new hardware is pretty easy compared to what I’m going to say next: Get ready for a real fight when it comes to password management. Getting people to change their habits is super hard, but you’re in luck. This year, both Apple and Google have made your sales pitch for modern password management a lot easier, thanks to built-in support on Android and iOS. Finally, you can get your mobile platform and desktop platform singing the same tune when it comes to generating, storing, and securely sharing your passwords between devices.
Human-generated and human-stored passwords are pretty much the worst “feature” of modern secure computing, since no amount of fancy cryptography will shore up a weak password, so we really need to get on the ball with phasing this behavior out.
Public WiFi: Okay!
It’s not all bad news, though. As I discussed with Wired.com’s Brian Barrett earlier this month, I’m pretty confident that all public WiFi is now pretty much okay for normal day-to-day use. Malicious WiFi hotspots didn’t just evaporate overnight, of course, but instead, the whole internet is getting wise to modern encryption. These days, about the leakiest part of your internet session is your DNS profile (and it is pretty leaky), so a nearby malicious actor can peek in on what sites you’re looking at on your phone (as well as what ad networks are funding all your free mobile apps), but since most web traffic these days is encrypted, that’s about all they get. So, assuming you’re using TLS for your email and HTTPS for your browsing, you can let your friends and family know that their browsing in the local coffee shop or grocery store WiFi is pretty much as secure as doing it at home. Of course, this assumes your friends and family are NOT high-value targets for espionage. If they are, consider this cool food poison detection kit instead.
A hardware web browser
From my experience, the kids in my house spend approximately 92% of their internet time dorking around on YouTube or hanging out on Discord (often at the same time). The mobile story is a different matter, but when it comes to computers-with-keyboards, it seems like they don’t need much more than a web browser. So, consider gifting the kids this holiday season with a new(ish) Chromebook. Go back a revision or two, and you’re looking at a $50–$150 computing platform that has all the oomph a web browser typically needs along with the added bonus of being completely immune to Windows-based malware. It’s not impossible to get owned on these things, but Chromebooks are pretty much out of the game when it comes to drive-by malware.
As an added bonus, if you have some weird genetics that make your kids want to run a Linux desktop, you can have hours of fun trying all the different ways to install an alternative OS on these things. Note, your definition of “fun” may vary.
Have a happy holiday
Seriously, don’t let the doom, gloom, and FUD get you down over the holidays. Working in security can be a bummer sometimes, so be cognizant of your burnout-o-meter. Yes, everything is awful and broken all the time, but paradoxically, we do have some pretty amazing tech to keep us amused and alive.
As a security professional, your job is to be conscious about the security trade-offs other people make, but it shouldn’t get you down. Enjoy your friends and family, help them to be reasonably safe, and you’ll be fine. Take some time off, recharge, and get ready for the worst/best security year ever in just a few weeks!