Desktop Linux Security Part 1:
I decided to write this guide for people who are very new to using Linux on their desktop or laptop. I wanted to help you make better decisions when it comes to staying secure on your computer and being operationally secure. This guide is especially aimed at crypto enthusiasts and users of the steemit blockchain. I am probably gonna spread this guide out over several articles to make it easier to read in bite-size chunks, instead of presenting you with one very long, unreadable article.
If you are on steemit, chances are you own some crypto. Security should really be a priority for you, because people want to take your crypto from you. I've talked to some guys from Russia before on xmpp and one guy literally told me that if you own bitcoin in Russia then you can expect a visit from the police, because it's pretty much illegal there. Your Linux machine should be locked down and encrypted, and you should have encrypted backups. A good practice is to make regular encrypted backups and to keep them stored at different friends' or family members' houses. Whether you are involved in anything illegal or not, you should always assume that someone from the government or even a criminal organization can come for you and your crypto. Don't be like this though (security should be something that enables you, not something that keeps you from functioning).
Have I got your attention?
Ok, now that I've got you paranoid, let's get into what you can do to stay safe. Btw, security is very easy to preach but not that easy to practice. This meme is so out of place here, but when I found it I couldn't resist adding it to this post:
In some countries like the UK, the approach is that if your hard drive is encrypted and the police raid your house and you don't hand over your passphrase, well then you are pretty much a terrorist. What type of approach should you take when it comes to encrypting your hard drive? There are two different approaches. You can encrypt the entire hard drive (this means all partitions, including the boot partition); this is a tough approach, because how is the operating system supposed to boot if the partition it should boot from is encrypted? When people talk about FDE (Full Disk Encryption) they are talking about this type of thing. The other approach is to leave the boot partition unencrypted and encrypt the rest. The software "Truecrypt" had an option to encrypt Windows with full disk encryption, but nobody trusts Truecrypt anymore and, from what I understand, the project has ended. Why would you want to encrypt the boot partition? Encryption does not merely serve to keep people from stealing or viewing your data; it also serves to protect the authenticity of your data. In other words, if the boot partition is encrypted then nobody can write anything meaningful to it without your passphrase.
Why would someone want to write to my boot partition?
Ever heard of an evil maid attack? Here is an answer from a security.stackexchange.com question that discusses the matter:
"The VeraCrypt bootloader (which takes your password and decrypts the encrypted volume or at least the next required part for booting) must itself be decrypted - if it were encrypted, it couldn't execute without something else to decrypt it - so it's a prime target for a place to put a software keylogger. Take an encrypted hard disk, attach it to another machine, replace the VeraCrypt bootloader with a compromised one that secretly saves the password, and put it back in the victim's machine. Next time the victim boots the computer, their hard disk password is logged for later retrieval. VeraCrypt attempts to detect this by computing a cryptographic fingerprint of the bootloader to see if it's been tampered with, although a skilled attacker could thwart this as well unless the machine is using a TPM or similar that checks the bootloader against a key which the attacker can't overwrite."
What all of this comes down to is that someone can write to a partition such as /boot if it isn't encrypted. The above answer is in the context of the VeraCrypt bootloader, but this type of attack could also be executed on a computer running grub2 + cryptsetup. If the /boot partition isn't encrypted then anyone with physical access can write to it. I guess one solution for this could be to boot off a read-only medium, but at some point you are gonna want to write to the boot partition. What are some ways that you can prevent an evil maid attack?
Well, it will be interesting to see what some people have to say in the comments about how to prevent this kind of attack.
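One defensive measure that follows from the above, as an added example and not code from the original post: a small baseline-and-verify script that hashes everything under /boot and reports files that were modified, added or removed since a trusted baseline. It assumes the baseline file is stored on the encrypted root (never on /boot itself) and is taken when the machine is known to be clean; the demo() function runs the check against a constructed temporary directory instead of the real /boot.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            with open(path, "rb") as f:
                digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def save_baseline(root, baseline_path):
    """Record the digests; keep this file on the encrypted root, not in /boot."""
    with open(baseline_path, "w") as f:
        json.dump(hash_tree(root), f, indent=2, sort_keys=True)

def verify(root, baseline_path):
    """Compare the current tree to the baseline: (modified, added, removed)."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = hash_tree(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed scenario: a fake /boot whose bootloader image gets replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = os.path.join(tmp, "boot")
        os.makedirs(os.path.join(boot, "grub"))
        with open(os.path.join(boot, "grub", "core.img"), "wb") as f:
            f.write(b"original core.img")  # constructed stand-in for the bootloader
        with open(os.path.join(boot, "vmlinuz"), "wb") as f:
            f.write(b"kernel image")  # constructed stand-in for the kernel
        baseline = os.path.join(tmp, "boot-baseline.json")  # would live on encrypted /
        save_baseline(boot, baseline)
        with open(os.path.join(boot, "grub", "core.img"), "wb") as f:
            f.write(b"tampered core.img")  # simulated modification of the bootloader
        with open(os.path.join(boot, "extra.mod"), "wb") as f:
            f.write(b"new file")  # simulated file dropped into /boot
        return verify(boot, baseline)
```

Because the check only runs once the system has booted, it detects tampering after the fact rather than preventing it, which is the same limitation the quoted answer notes for VeraCrypt's fingerprint check on a machine without a TPM. Call demo() to see the result on the constructed tree, or point save_baseline and verify at the real /boot.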
What are some other kinds of things that you should worry about?
If the police or a criminal arrives at your house while your computer is running, then remember that the encrypted drives are mounted and readable, just as if they were unencrypted. You might have a password on your account to keep them out of it, but have you disabled the guest account on your distro? The best thing you can do if anyone suspicious arrives is to turn off your computer, so that the drives go back to being locked and encrypted.
How do I defend myself?
So now I've helped you understand that the world is dangerous and that you should learn martial arts. Now where do you go and what do you need to do? Just kidding, but the internet is kind of like the analogy I just mentioned.
In penetration testing they talk about the red team and the blue team. The blue team refers to system administrators or developers who are security aware and who need to defend themselves and be aware of the attacker's methodology. The red team refers to the attackers, the people who plan on hacking your infrastructure or web application. A good red team member will also be very good as a blue team player, and vice versa, in my opinion. As a good system administrator you need to learn to think like an attacker so that you can put yourself in their shoes; this will help you know what to prioritize when it comes to security.
Something to take note of is that some attackers prefer to attack computer users (this is generally referred to as a client-side attack), whereas other attackers prefer to attack the server or web application (this is generally referred to as a server-side attack). This article mostly focuses on defending yourself from client-side attacks. Something to always remember is that physical access to your machine means that the machine is basically compromised, although a computer that is off and encrypted is pretty much safe while it is off.
Here is a guide that focuses on attack detection, which you might find helpful:
Here is a very very old guide, but with some very good information on how to protect yourself:
Bear in mind that some of this advice is old and outdated. This is why it is always important to stay up to date with what is going on in the infosec (information security) world.
I like to check these two sites regularly to stay up to date with infosec:
This guide is the first part of a series of posts. Questions are welcome in the comments and I will try to answer as best as I can. If you liked my article then please follow me or upvote.