Raspberry Pi bakes in tighter security
The people behind the Raspberry Pi, the cheap and cheerful computer that powers countless homebrew projects from smart doorbells to tweeting catflaps, have released a security update to the customised operating system based on Linux to thwart would-be malware-bearing attackers.
As they say on their blog, they usually don’t announce updates to Raspbian, but the concern over the rise of IoT-based botnets such as Mirai means they’ve tightened up their “intensely relaxed” approach to security. So with the updated version, SSH will be disabled by default and they’ve added a clear warning about changing the default password.
It’s all made admirably clear on the Raspberry Pi blog, and, in a fuss-free way, shuts down a feature designed to make things easy for the newbie in a way that’s easy to understand and wonderfully transparent.
Net neutrality fears as Trump names advisers
Fears about the future of net neutrality are heating up as Donald Trump’s presidential transition team fills out. Trump had already sparked concerns by appointing Jerry Eisenach, a former consultant for Verizon and a noted critic of net neutrality, and former Sprint lobbyist Mark Jamison, who has argued in the past about the necessity of having the FCC.
Now Trump has added Roslyn Layton to his team of advisers to guide Trump on telecoms policy. Layton is also a noted opponent of net neutrality, having said in the past that the FCC “should focus on other matters” than net neutrality.
With all three thus far announced having lined up against the principle, things are looking concerning for net neutrality in the US.
Bid to delay Rule 41 fails
So much for that bid to delay Rule 41 in the US Senate: despite attempts by Democratic Senator Ron Wyden to delay the changes, they take effect today.
That means that judges can issue warrants if someone has been using anonymizing technology to conceal the location of their device or for an investigation into a network of hacked or infected computers, such as a botnet.
Magistrate judges could only order searches within the jurisdiction of their court, which is typically limited to a few counties. Now judges can order the hacking of a suspect’s device regardless of where they are.
Speaking from the Senate floor, Wyden said the changes to Rule 41 amounted to “one of the biggest mistakes in surveillance policy in years”.
Catch up with all of today’s stories on Naked Security
Alan Robertson
Raspberry PI’s are great for education, projects, tinkerers and dedicated tasks but they are a liability on the network. Use a separate network for IoT devices with a different subnet and appropriate router firewall rules otherwise expect a visit from Shodan…. Segregation works!
Raspi Config is the easiest way to change the default password: sudo raspi-config (lots of other useful settings here too, like disabling SSH in the advanced options).
Additionally you probably would want to disable the Root account:
sudo nano /etc/ssh/sshd_config
Find “PermitRootLogin” and set it to no
To force password use with the PI:
cd /etc
sudo visudo
locate line:
pi All=(ALL) NOPASSWD: ALL
and change to comment
#pi ALL=(ALL) NOPASSWD: ALL
Updating to the latest apps & OS is a good idea:
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo rpi-update && sudo reboot
Install UFW:
sudo apt-get install ufw
sudo ufw default deny
sudo ufw enable (reboot afterwards)
If you are not using most ports and only want DNS, http, https, NTP (i.e Browse the web) then this will prevent outbound connections on other ports (caution – may stop other software from working!!):
sudo ufw deny out 1:52/tcp
sudo ufw deny out 1:52/udp
sudo ufw deny out 54:79/tcp
sudo ufw deny out 54:79/udp
sudo ufw deny out 81:122/tcp
sudo ufw deny out 81:122/udp
sudo ufw deny out 124:442/tcp
sudo ufw deny out 124:442/udp
sudo ufw deny out 444:65535/tcp
sudo ufw deny out 444:65535/udp
If you are using SSH then it would be best to change the keys from the default image:
cd /etc/ssh
sudo rm ssh_host_*
sudo dpkg-reconfigure openssh-server
cd /home/pi/.ssh
rm known_hosts
Chromium works well on Raspbian – as usual check the settings and install the appropriate extensions to protect your privacy. Thoroughly recommend the latest Pixel version of Raspbian, oh and then there’s Ubuntu Mate, slightly slower but looks gorgeous.
R-Pi’s rock!!
Tom
I own five rPi’s and use two at work. I noticed the new release yesterday when I reinstalled the OS on one at work. I run most of them headless.