[TUTORIAL] Basic Computer Security [10]




So by now we know how to obtain and verify open source software; in this article I am going to give a few tips on how to use it safely and responsibly.


Read the previous episodes to know what I am talking about:



Biggest Attack Surface – The Web

So if we are normal computer users, not running servers on our computer and using it only for everyday activity, then the biggest threat obviously comes from the internet, and more specifically from the web.

This means that the web browser is the biggest window that could potentially let malware through. This ranges from JavaScript/Flash/HTML5 based exploits and malware to malicious e-mail attachments. It all comes in through the web browser.

  • So we must use an open source browser, as explained in episode 7, and since the biggest and most vetted one is Firefox, we will use Firefox only.
  • We must tune Firefox up a little bit, since its default configuration is not safe!



[Image: Mozilla Firefox logo (source: The Mozilla Foundation, CC BY 3.0 or MPL 2, via Wikimedia Commons)]

Mozilla Firefox

So grab Firefox (in most Linux distros it is installed by default) and use only that to browse the web. Now FF by default is not safe: it is really configured for no privacy and barely any security, with tons of useless features enabled by default that are potential attack vectors.

So FF must be configured by installing a few extensions that block or filter JavaScript and enforce HTTPS on websites, and by changing the configuration parameters to more privacy- and security-oriented ones:

So after you have done everything described in the article above, your FF should theoretically be safe; just make sure you update the user.js file whenever a new version comes out.

pyllyukko’s user.js file is very neat: it blocks and disables all the useless stuff, which matters since Firefox has been adding allegedly questionable things like Cliqz that are opt-out rather than opt-in.

The public is outraged since that feature is enabled by default, but don’t worry, it can be disabled. Other browsers have trackers enabled by default with no opt-out at all. At least in Firefox it is voluntary, but it is still not very ethical to have it enabled by default, since most people will have no idea how to disable it, or that the alleged tracking feature even exists.

So make sure you check for a new user.js file frequently so that stuff like that gets opted out there; these are the parameters that usually disable such questionable features:


// Telemetry: stop Firefox from reporting usage data back to Mozilla
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.unified", false);
// Remote experiments: stop Mozilla from pushing opt-out experiments into the browser
user_pref("experiments.supported", false);
user_pref("experiments.enabled", false);


Other than that, Firefox has been working on sandboxing itself, i.e. isolating the application from the kernel as much as possible; couple that with the additional kernel defenses detailed in episodes 3, 4 and 5 and it becomes very, very safe.

It would be the first browser that is both open source and sandboxed, so the days of JavaScript vulnerabilities would be numbered, in theory at least. Until then, using NoScript and uBlock Origin is still a good idea; they are useful as additional filtering anyway.



Weak Passwords

The other, perhaps even bigger problem is that people use weak passwords. For the ROOT/ADMIN password you must use a very strong password, since this password gives access to the kernel itself: compromising it compromises the entire computer and everything on it. The ROOT password is the ring of power that controls all other rings.

I really recommend using a password with an entropy of >100 bits. Allegedly governments can crack any password below 100 bits by 2017. Not to mention that Bitcoin itself is the biggest supercomputer out there, so we must benchmark everything against that. If the public has that much computing power, rest assured governments probably have something of similar scale too.

I would use a password of 128 bits, since that is how much security a spent Bitcoin address provides; your ROOT password should be safe then.
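To make the entropy numbers above concrete, here is an added example (mine, not the author’s method or anything from the article he links to) that computes how many symbols a uniformly random password or passphrase needs to reach 100 and 128 bits, generates them from the OS CSPRNG, and shows why a human "pattern" password scores far lower. The 94-character alphabet is printable ASCII without space; 7776 is the size of a standard diceware list, which is an assumption about the word list a real generator would load; the eight-word list embedded here is a constructed stand-in so the code runs offline.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list so the example runs offline. A real
# passphrase generator loads a list of several thousand words (a diceware list
# has 7776), which is the size the arithmetic below assumes.
WORDLIST = ["anchor", "basil", "cobalt", "drift", "ember", "falcon", "garnet", "harbor"]
DICEWARE_SIZE = 7776                      # assumed size of a real word list
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size, length):
    """Entropy of a secret made of `length` symbols, each drawn uniformly from
    `alphabet_size` choices. This is a property of the generation process, not
    of how complicated the result looks."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size, target_bits):
    """Smallest number of uniformly chosen symbols whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_entropy(*choice_spaces):
    """Entropy of a password built from a fixed pattern (e.g. word + 2 digits + symbol):
    the attacker who knows the pattern only has to search the product of the spaces."""
    return sum(math.log2(n) for n in choice_spaces)


def random_password(length, alphabet=ASCII_ALPHABET):
    """Random character password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, wordlist=WORDLIST, sep=" "):
    """Random passphrase: each word chosen uniformly and independently from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for bits in (100, 128):
        print(f"{bits} bits: {symbols_needed(len(ASCII_ALPHABET), bits)} random ASCII chars "
              f"or {symbols_needed(DICEWARE_SIZE, bits)} diceware words")
    print("example password  :", random_password(symbols_needed(len(ASCII_ALPHABET), 128)))
    print("example passphrase:", random_passphrase(4), "(only",
          f"{entropy_bits(len(WORDLIST), 4):.1f} bits with this toy list)")
    # A "strong-looking" pattern: one dictionary word, two digits, one symbol.
    print(f"word+2digits+symbol: {pattern_entropy(DICEWARE_SIZE, 100, 32):.1f} bits")
```

The takeaway matches the article: a 20-character random ASCII password or a 10-word diceware passphrase clears 128 bits, while the familiar word-plus-digits-plus-symbol pattern, however it looks, stays below 30 bits because the attacker searches the pattern, not the full character space.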

There is a lot of confusion about how to create a strong password; for example this guy wrote an article which is total nonsense (I responded to him) and leads people into a false sense of security:

I’m sorry, but @bewhy’s article is horrible advice; instead you must generate passwords like this:


Application Passwords

So that is for the ROOT password; for application/website passwords just use a password manager:

I’d recommend KeePassXC: it’s open source, free, and very easy to use. And above all, it keeps all your passwords local!!!

Most password managers send your passwords out to be stored on a central server. I don’t have to tell you why that is a horrible idea when servers get hacked constantly:

So KeePassXC is local, safe and open source: the best password manager in my opinion.

But again, I’d only use it for application/website passwords; I don’t think it’s a good idea to store your ROOT password in it. I’d rather have that written down on a piece of paper or memorized.



Browsing the Web Safely

Well, the last thing to keep in mind is the way you interact with the web. Remember the allegory I described in an earlier article: the web is like a jungle, there are many dangerous things out there, and you should behave as cautiously there as you would in a jungle. This means the following:


Don’t click on random/suspicious links

Unfortunately in Firefox link prefetching is enabled by default, so literally all links on a page are pre-loaded just by visiting the page. So if you are in a forum and open a thread where one guy posts a link to malware, that malware may be downloaded to your computer automatically, in the background, just by looking at the page, without opening the link or even moving the mouse cursor over it.

This is a huge problem, but luckily the user.js configuration mentioned earlier disables this horrible security weakness.

Even if you have this disabled, you must not click on the shady link anyway. It’s like in the jungle: don’t wander off alone, especially not to shady places.
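The article relies on user.js twice: for the telemetry/experiments parameters quoted earlier and for turning off link prefetching. Since a user.js file is just a list of `user_pref("name", value);` lines, it is easy to audit a profile's copy against the values you expect. The following is an added example (not pyllyukko's file and not part of the original post): a small parser for that format plus a check that reports which prefs are missing or set to the unsafe value. The telemetry and experiments entries are the ones quoted in the post; the `network.*` entries are the Firefox prefs that govern link/DNS prefetching and speculative connections, which I assume to be what the post's prefetching remark refers to. The sample file is constructed, with one pref missing and one set wrong on purpose.

```python
import re

# Constructed sample user.js (NOT pyllyukko's file): "experiments.enabled" and
# "network.predictor.enabled" are left out, and "network.prefetch-next" is set
# to the unsafe value on purpose, so the audit below has something to report.
SAMPLE_USER_JS = """\
// telemetry
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.unified", false);
user_pref("experiments.supported", false);
// prefetching (one of these is wrong on purpose)
user_pref("network.prefetch-next", true);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("browser.startup.homepage", "about:blank");
"""

# Prefs a hardened profile should pin, with the value each must have.
# toolkit.telemetry.* / experiments.* come from the post; the network.* prefs
# are Firefox's prefetch-related settings (assumed to be what the post means).
EXPECTED = {
    "toolkit.telemetry.enabled": False,
    "toolkit.telemetry.unified": False,
    "experiments.supported": False,
    "experiments.enabled": False,
    "network.prefetch-next": False,              # <link rel=prefetch> pre-loading
    "network.dns.disablePrefetch": True,         # true = DNS prefetch OFF
    "network.predictor.enabled": False,          # speculative pre-connect predictor
    "network.http.speculative-parallel-limit": 0,  # 0 = no speculative connections
}

# One user_pref("name", value); line. The value is captured raw and decoded below.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_value(raw):
    """Decode a pref value: true/false, a quoted string, or an integer."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # anything unexpected is kept as text so the audit can show it


def parse_user_js(text):
    """Return {pref_name: value} for every user_pref() line.
    Comments and blank lines are skipped; a pref listed twice keeps its last
    value, which is also how Firefox applies the file."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs, expected=EXPECTED):
    """Return (missing, wrong): expected prefs absent from the file, and prefs
    present but holding a value other than the hardened one."""
    missing = sorted(name for name in expected if name not in prefs)
    wrong = {name: prefs[name] for name, want in expected.items()
             if name in prefs and prefs[name] != want}
    return missing, wrong


if __name__ == "__main__":
    found = parse_user_js(SAMPLE_USER_JS)
    missing, wrong = audit(found)
    for name in missing:
        print(f"MISSING  {name}  (should be {EXPECTED[name]!r})")
    for name, value in wrong.items():
        print(f"WRONG    {name} = {value!r}  (should be {EXPECTED[name]!r})")
    if not missing and not wrong:
        print("all expected prefs present with the hardened value")
```

To run it against a real profile, read `~/.mozilla/firefox/<profile>/user.js` into `parse_user_js` instead of the constructed sample; prefs that the file never mentions fall back to Firefox's defaults, which is exactly the "missing" case the audit flags.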


So this means the following:

  • Don’t go to porn sites, especially not to unknown ones hosted in 3rd world countries
  • Don’t go to pirate torrent sites (you can get free and open-source software from the Debian repo anyway, why torrent closed-source crap anyway?)
  • Don’t ever go to popup sites, or redirected websites
  • Don’t click on shady ads that advertise girls with big boobs, the clickbait crap where they circle something with a red marker, or the ads about making money or penis pills; these ads are most likely malicious or lead you to some scam site anyway. In fact you should block most or all ads anyway with uBlock Origin
  • Don’t go to hacking forums (not even white hat, why would you go into the wolf’s lair?)
  • Don’t go to scam sites
  • Don’t go to the dark-web


Don’t download or open anything

Don’t download anything other than in the way described in episode 9, and certainly not binary executable files. And be careful with shady e-mails and their shady attachments as well!

In fact, just don’t download or open anything with an unknown file format; the only file formats you should accept from untrustworthy places are:

  • Text: .txt, or any ASCII text file
  • Image: .jpg/.jpeg, .bmp, .png, .gif
  • Music: .mp3
  • Video: .mp4 , .avi
  • Spreadsheet: .csv (but not full office files like .xls, and be careful with .ods/.odt as well)

And that’s pretty much it: open any other file and you risk getting infected by embedded malware. There is tons of malware that spreads through .pdf or office files:

In the next episode I will write about how to deal with other files like .pdf and office files safely!
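An extension allow-list like the one above only works if the file really is what its name claims; a renamed executable with a .jpg extension would pass a name-only check. As an added example (mine, not from the post), here is a check that accepts a download only when the extension is on the post's list AND the leading bytes carry that format's standard signature (the "magic numbers" of PNG, JPEG, GIF, BMP, MP3, MP4 and AVI; for .txt/.csv the file must be printable ASCII, as the post says "any ASCII text file"). The sample files are byte strings constructed inline, not real downloads.

```python
import os


def _is_plain_ascii(data):
    """Text/CSV: printable ASCII plus tab/LF/CR only; a NUL or control byte means
    it is not the plain text the name claims."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def _is_mp3(data):
    # Either an ID3v2 tag header or the 11 sync bits of the first MPEG audio frame.
    return data.startswith(b"ID3") or (
        len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0)


# The post's allow-list, each extension mapped to its signature check.
SIGNATURES = {
    ".txt":  _is_plain_ascii,
    ".csv":  _is_plain_ascii,
    ".png":  lambda d: d.startswith(b"\x89PNG\r\n\x1a\n"),
    ".jpg":  lambda d: d.startswith(b"\xff\xd8\xff"),
    ".jpeg": lambda d: d.startswith(b"\xff\xd8\xff"),
    ".gif":  lambda d: d.startswith((b"GIF87a", b"GIF89a")),
    ".bmp":  lambda d: d.startswith(b"BM"),
    ".mp3":  _is_mp3,
    ".mp4":  lambda d: d[4:8] == b"ftyp",            # ISO base media "ftyp" box
    ".avi":  lambda d: d[:4] == b"RIFF" and d[8:12] == b"AVI ",
}


def check_download(name, data):
    """Return (accept, reason). Accept only if the extension is allowed AND the
    content matches that format's signature, so both an unknown format and a
    disguised file (e.g. an executable renamed to .jpg) are rejected."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in SIGNATURES:
        return False, f"{name}: extension {ext or '(none)'} is not on the allow-list"
    if not SIGNATURES[ext](data):
        return False, f"{name}: content does not look like a {ext} file"
    return True, f"{name}: ok"


# Constructed sample "downloads": a few genuine headers, plus three traps.
SAMPLES = {
    "photo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "anim.gif":    b"GIF89a" + b"\x00" * 16,
    "clip.mp4":    b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16,
    "song.mp3":    b"ID3\x04\x00" + b"\x00" * 16,
    "notes.txt":   b"just some ASCII text\n",
    "data.csv":    b"name,score\nalice,3\n",
    "invoice.pdf": b"%PDF-1.7\n",                  # format not on the list
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 16,   # Windows executable renamed to .jpg
    "readme.txt":  b"hello\x00world",              # NUL byte: not a text file
}


def check_all(samples=SAMPLES):
    """Run check_download over every sample; returns {name: accepted}."""
    return {name: check_download(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        accepted, reason = check_download(name, data)
        print(("ACCEPT " if accepted else "REJECT ") + reason)
```

Reading only the first few hundred bytes is enough for this check, so it can run on a download before anything opens it; it does not make a genuine PNG or MP4 safe to open (decoders have had their own bugs), but it removes the cheapest trick, a dangerous format hiding behind a harmless-looking name.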



Sources:





Excellent article, it is always interesting to recall the basics


This post was resteemed by @steemitrobot!
Good Luck!

Resteem your post just send 0.100 SBD or Steem with your post url on memo. We have over 2000 followers. Take our service to reach more People.

Pro Plan: just send 1 SBD or Steem with your post url on memo we will resteem your post and send 10 upvotes from our Associate Accounts.

The @steemitrobot users are a small but growing community.
Check out the other resteemed posts in steemitrobot's feed.
Some of them are truly great. Please upvote this comment for helping me grow.

Great article. Some nice reminders and some things I haven't thought about before. An additional security measure could be to run the browser in a sandbox using an application called firejail (available in the repos). I haven't tested it myself yet, but it seems relevant to this article. I first read about it here: https://linuxconfig.org/protect-your-system-run-your-browser-in-firejail

What is the difference between firejail, apparmor and SElinux?

Apologies for the delayed reply. I had to do some research to properly answer your question. Some of the following is a bit more technical than my computer skill level is, so I might not be able to elaborate on further details. Anyways, here's a summary of what I found:

Firejail can apparently be used as an additional security layer on top of SELinux and AppArmor, as it sandboxes the applications in a different way. Here's the description of the software from the official project page:

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux control groups.

A member of Wilders Security Forums, summerheat, compares apparmor and firejail like this (Mar 4, 2016):

AppArmor is a Mandatory Access Control (MAC) system which applies a security policy that goes beyond the control provided by the traditional file permissions (Discretionary Access Control - DAC) but is not a sandbox. Firejail uses other technologies like namespaces and seccomp-bpf which sandbox applications, it's therefore an additional security layer. Using both together provides very high security.

Source

Regarding SELinux, I have no experience with it. From what I read at the project website and around internet forums, it seems quite difficult to get up and running. Not saying I wouldn't be up for the challenge at some point, but for the average user it would probably be way too complicated.

Firejail on the other hand is readily available on most common distros, easy to install and pretty much effortless to use, once in place. Although it might not provide the extra protection of the hardened SELinux kernel, it would still be better than only the default AppArmor. Besides, it can be used on top of SELinux as well.

I also found this in-depth review of firejail at Distrowatch interesting.

Thanks for detailed reply.

From what I heard SELinux is very hard to set up and many people complained about its lack of proper documentation, plus considering its author, I am not sure if it's wise to use it.

I haven't heard of Firejail before but I will have to look into it. I know Apparmor is available in debian and it can be enabled and configured but it might be hard to do, so I am not sure from where I can get some pre-made config files for it.

Other than that it looks like the MAC systems in Linux are still very new and not widely implemented, I wish they would integrate it better.

The Linux kernel is already lightyears ahead of others in terms of security and transparency, why not make it even better?
