lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <539C84C6.2030100@gmail.com>
Date: Sun, 15 Jun 2014 03:22:14 +1000
From: Joshua Rogers <megamansec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.


      Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.


    Securing your Ubuntu Desktop OS from intruders

Recently I have become interested in securing my laptop from predators
such as hackers, thieves, and law enforcement.
To do this, I've explored various programs to run; and how to run them,
without interrupting usability by the average user.

In this blog we'll be running through vectors of attacks that one could
use to gain access to your unencrypted data.


Before starting, the following must be known:

1. The author of this article is currently running Ubuntu 14.04
LTS(Trusty), and all commands and patches work on it for the author. The
author accepts no liability when it comes to these commands/patches
being run by other users; this is purely informational.
2. It is assumed Full-Disk-Encryption is being used.
3. It is assumed your $HOME directory is encrypted using ecryptfs, with
filenames encrypted. This can be checked using the command
`ecryptfs-verify -h -e'
4. It is assumed you do not have the evil program called Java, or any of
its counterparts like IcedTea, etc. installed.


When you're told to run the program 'Nano', you can use vim,vi,emacs,
etc. Nano is purely the text editor that I use. To exit out of Nano, you
press control-x.






      FireWire attacks


Firewire has for awhile been known to allow attackers to gain access to
a computer's Physical memor[RAM], and enable the attacker to grab the
encryption key used for devices that are mounted.
The most obvious method of defeating this attack is by not compiling the
kernel with any firewire modules included, but for the sake of this
article, I'll include methods of mitigation. After all, some Ubuntu
users probably wouldn't be able to compile their own kernel every update.

To mitigate the risks with firewire, we will disable them in a blacklist
file in modprobe.d.

1. Open up /etc/modprobe.d/blacklist-firewire.conf by running `sudo nano
/etc/modprobe.d/blacklist-firewire.conf'
2. Remove the contents(or comment everything out) and replace it with
the following:
?
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
	
|# Prevent automatic loading of firewire module(s).|
 
|blacklist ohci1394|
|blacklist sbp2|
|blacklist dv1394|
|blacklist raw1394|
|blacklist video1394|
 
|blacklist firewire-ohci|
|blacklist firewire-sbp2|
|blacklist firewire-core|
|blacklist firewire-net|
|blacklist firewire-serial|
 
|# Prevent manual loading of firewire module(s).|
 
|install ohchi1394 false|
|install sbp2 false|
|install dv1394 false|
|install raw1394 false|
|install video1394 false|
 
|install firewire-ohci false|
|install firewire-sbp2 false|
|install firewire-core false|
|install firewire-net false|
|install firewire-serial false|


This will 1. blacklist all the firewire modules from starting at boot,
and 2. prevent loading of firewire through forceful techniques.

After doing this, you *must* run `sudo update-initramfs -k all -u' for
it to take effect on next boot.





      Hardening Firefox


       

The abilities of web-browsers are not only astounding, but also
extremely vulnerable. With 0-day exploits being found for nearly
everything, the bad guys are always looking for ways to exploit your
browser.
Methods used to exploit browsers are usually split up into two parts:
exploiting the actual browser, and exploiting addon(such as Adblock and
Acrobat Reader).


Using the method I describe should mitigate most, if not all techniques
involved in the exploitation of Firefox, and addons used.


Most services when installed create a user for themselves, where they
cannot escape from without some sort of local root kernel exploit.
Unlike services, firefox is normally run at the same permissions as the
user running it, which entails an attacker to be able to gain the same
permissions of the user. With access, an attacker could record the
keystrokes of the user, and wait until they run 'sudo' to gain root
access(or, god forbid, somebody has nopasswd enabled on their account.)

By creating a user specifically for firefox, we lock it into its own
folder where it [shouldn't be able to] escape.



First off, we want to create our new user called 'firefox'.

1. Run 'sudo adduser --system --quiet --shell /bin/false --group
--disabled-password --disabled-login firefox' in the terminal.



The commandline(and all references to) 'firefox' is a link to
/usr/bin/firefox, which is just a launcher script, so we can move that
to something like 'firefox-start'.

2. Run `sudo mv /usr/bin/firefox /usr/bin/firefox-start' in the terminal.

Now we want to recreate the firefox file, and make it execute as our
'firefox' user, with all of the parameters that it normally would.
To do this, we must make a script to be run when using the command
'firefox'.


We have two options here. We either make a very simple script to run
Firefox as the 'firefox' user, or we use some X11 trickery.

The problem with the first, is that an experienced hacker could control
*all* X11 activity. Including logging keystrokes, injecting keystrokes,
taking screenshots, etc.

The problem with the second, is that extensions such as XRANDR will not
work. Another highly problematic downside is that you cannot
copy-and-paste from your browser into another application. You can
copy-and-paste from other applications into the browser, but not the
other way around. This makes it incredibly difficult if you want to
copy, for example, a quote from Wikipedia into an email.

Due to not having a solution to this, I've decided to show you how to do
both.

-----


      Vulnerable Method


This method gives the reader a very easy way of doing things, and is
probably OK for the average user.

Open up /usr/bin/firefox, which should now be an empty file, and place a
script in it so it will run firefox was the user 'firefox'.
3[.1]. sudo nano /usr/bin/firefox
And enter the script:
?
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#>
1
2
	
|#!/bin/bash|
|sudo -H -u firefox ||"/usr/bin/firefox-start"| |"$@"|


The -H flag is used to tell the system that we want to set our home
directory to /home/firefox/. -u is used to tell the system that we want
to run the program as the user 'firefox', and the last two flags tell
the system to run /usr/bin/firefox-start(the REAL firefox script) with
the flags $@, which means it will run with whatever /usr/bin/firefox was
run with.

We need to allow the 'firefox' user to access X, so we go to "System ->
Preferences -> Startup Applications" and add a new startup program.
The name and comment is irrelevant, but the command should be this:
?
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#>
1
	
|xhost +SI:localuser:firefox|




-----


      'Paranoid' Method

This method, as stated above, stops the user from copy-and-pasting from
the browser into a different program. It is much more safe, and is
considered secure.




3[.2]. Run `sudo nano /usr/bin/firefox', and put in..

?
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
	
|#!/bin/bash|
 
|xa=||"/home/firefox/.Xauthority"|
 
|exec| |newgrp firefox <<-EOF|
 
| ||if| |[ -e ||"$xa"| |]; then|
|  ||if| |[ ! -r ||"$xa"| |]; then|
|   ||rm -f ||"$xa"|
|  ||elif [ ! -w ||"$xa"| |]; then|
|   ||mv ||"$xa"| |"$xa.tmp"| |&& cp ||"$xa.tmp"| |"$xa"| |&& rm -f
||"$xa.tmp"| |&& ||chmod| |660 ||"$xa"|
|  ||fi|
| ||fi &&|
| ||xauth -q -i -f ||"$xa"| |generate ||"$DISPLAY"| |. ||"untrusted"|
|&& ||chmod| |g+rw ||"$xa"| |&&|
| ||sudo -H -u firefox XAUTHORITY=||"$xa"| |"/usr/bin/firefox-start"| |"$@"|
 
|EOF|


This script will run every time you open up firefox.

Now we need to make the file executable.

[4]. Run `sudo chmod +x /usr/bin/firefox'.

 As you can see in the script, it relies on the usage of the 'newgrp'
program being able to access the 'firefox' group. To do this, you must
add yourself into the 'firefox' group.

[5]. Run `sudo useradd -a -G firefox $USER'.
This will add you into the group of 'firefox'.
You will now need to reboot to make this come into effect.


To allow changes to be made by groups, you must run a chmod command on
the user folder.
[6]. Run `chmod -R g+rwxs ~firefox'

This allows anybody in the 'firefox' group is make changes in the
/home/firefox/ directory.

-----


Now you can run 'firefox', and it'll run the browser as the user
'firefox', not as your user. Yay! We got most likely the hardest part
finished.


        Audio


I, like many of you probably do, like to play music in my browser.
Whether it be through HTML5, or Flash. But since our new user 'firefox'
isn't part of the 'audio' group, we must add ourselves to it.

[?]. Run `sudo usermod -a -G audio firefox'
Now with another reboot(or logout), audio should be able to be played.


Finally, due to multiple users using PULSE(your account, and then flash
in the 'firefox' user), we have to set up 'firefox' to use a slave
server, and your real user as the master.


First of all, we want to copy the default pulseaudio settings to your
home directory.

[?]. Run `mkdir ~/.pulse/ ; cp /etc/pulse/default.pa ~/.pulse/'

Now edit it.

[?]. Run `nano ~/.pulse/default.pa'
Add to the bottom of the file: "load-module module-native-protocol-tcp
auth-ip-acl=127.0.0.1" and save.

And that's it. Firefox will automatically use use that as a master
server, thus becoming a slave.

There are probably security implications to do with this, but they would
be minor.(At most, listening to microphone, which I doubt anyways)



        Addons

 Although mostly un-important, it might interest some people to install
some addons in Firefox to enhance your browsing privacy.

These include:

Adblock Edge
<https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/> -
Basically AdBlock without the whitelisted ads. Removes ads & unwanted
elements on webpages. Recommend using https://www.fanboy.co.nz/
<https://www.fanboy.co.nz/>in conjunction too.
HTTPS-Everywhere <https://www.eff.org/https-everywhere> - Trys to use
HTTPS/SSL on webpages known to work with them.
BetterPrivacy
<https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/> -
Handles long-term, non-HTTP cookies such as flash cookies.(In options,
make sure 'Always ask' is unchecked.)
User Agent Switcher
<https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/> -
Makes it possible for you to change your User-Agent to something else.
Download http://techpatterns.com/downloads/firefox/useragentswitcher.xml
and import it through the application in Firefox(Edit User-Agents).
Smart Referer<https://www.blogger.com/> - Only sets referrer if staying
on the same page.

In the page "about:addons"(type it into your URL-bar), go to "Plugins",
and make sure everything is set to "Ask to Activate".

In the page "about:config"(type it into your URL-bar), set geo.enabled
to false(double click on it if it's true), set
network.dns.disablePrefetch to true, set network.websocket.enabled to
false,





      MAC-Address


Although not necessarily a security risk, your MAC Address may be used
for tracking, and later identification.

To do this, we use an interesting program called macchanger
<https://github.com/alobbs/macchanger>.
Macchanger, created by "Alvaro Lopez Ortega
<https://github.com/alobbs>", is a program that quickly and easily
spoofs your mac address.

Although a new and updated version of macchanger exists on Github, we'll
be using the repository's version.

We actually need to install macchange. To do so:
1. Run `sudo apt-get install macchanger'



Although originally I wanted to set up a script to change the mac
address every time you connected to a wireless network, I encountered a
problem. The default network manager in Ubuntu, NetworkManager,
deprecated pre-up, and post-down. The developers have said that
<https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/336736>
they will not be bringing it back either. Interestingly, many of the
commenters on the invalid bug-report page also inquire the removal, as
they also were trying to use macchanger.

By creating an init script, we can make the program 'macchanger' run on
boot.


1. Run `sudo nano /etc/init.d/changemac', and insert the following:

?
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
	
|#!/bin/bash|
 
 
|# Disable the network devices|
|ifconfig eth0 down|
|ifconfig wlan0 down|
 
 
|# Spoof the mac addresses|
|/usr/bin/macchanger -a eth0|
|/usr/bin/macchanger -a wlan0|
 
 
|# Re-enable the devices|
|ifconfig eth0 up|
|ifconfig wlan0 up|
 
 
|exit| |0|



Make sure to make it executable(`sudo chmod +x /etc/init.d/changemac').
This script will, on boot, take down wlan0 and eth0, change their
mac-addresses, and then bring them back up. If need be, edit eth0 and
wlan0 for your respective names on your system.

We now must actually the script run on boot. This can be done by running
'update-rc.d'.
2. Run `sudo update-rc.d changemac defaults 10'

On each reboot, your mac address should change, without any implications
in regard to connectivity.



      Anti-Viruses

It's commonly said by in-experienced users of all distributions that
Linux cannot get viruses(Mac users also say this). But in reality, they
can get viruses, but it's rare.
As described here <https://help.ubuntu.com/community/Linuxvirus>, many
Linux Trojans/Viruses/Worms have been made, but with little success.
Although there is little chance of actually getting one, it's considered
a good gesture to others, for you to scan for viruses. -- "If you are
going to trade files in a Windows world, you'll need to scan those files
for viruses. You won't get infected, but you may help infect someone else."
i.e; You may forward an email through your email that contains a windows
virus.

Some Windows viruses can also be run through Wine.

  
We'll be using ClamAV, an open-source anti-virus program.
We first have to install it.

1. Run `sudo apt-get install clamav clamtk clamav-daemon'

Once finished installing, we must update our 'AntiVirus definitions'.
  
2. Run `sudo freshclam'
This may take awhile.


ClamAV can be run in three ways:Manually in the terminal, manually
through a GUI, or as a daemon.

I'm going to run it as a GUI.
It can be run as a GUI by opening the terminal and typing running `clamtk'.


When you open clamtk, you're showed options in regard to how you want to
run ClamAV. It's very simple and needs no explanation. You can set up an
automatic schedule for scanning in Advanced->Scheduler.


Originally, I wanted to make it so that Firefox would scan all
downloaded files using ClamAV. I found the addon Fireclam
<https://addons.mozilla.org/en-US/firefox/addon/fireclam/> which is a
Firefox mod that scans downloaded files through ClamAV, and gives you a
warning if it returns anything.  
The problem with it, is that on download, Firefox freezes for 3-5
seconds while the scan is actually going on. This is a huge
inconvenience and to me makes it unusable. I'm keeping it up here purely
to show that it exists. ClamAV can also be set-up with Thunderbird.



*Note: ClamAV does _not_ delete any files. That's up to you. It purely
notifies you to the existence.** *



      DNSCrypt

Something a lot of people don't realize is that DNS is completely
unencrypted.
We're going to add encryption which will prevent spying.
To do this, we're going to use OpenDNS's
<http://www.opendns.com/about/innovations/dnscrypt/>DNSCrypt
<http://dnscrypt.org/>.

So, we want to download the current version, dnscrypt-proxy-1.4.0
<http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.0.tar.bz2>.
1. Run `sudo add-apt-repository ppa:shnatsel/dnscrypt'

2. Run `sudo apt-get update'

3. Run  `software-properties-gtk', go to "Other Software", and tick the
source-code option for shnatsel/dnscrypt.


Now we want to confirm that the ppa is actually secure. To do this..

4. Run `sudo apt-get source --download-only dnscrypt-proxy'
Generate a SHA256 signature for the source.
5. Run `sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2'
Pull the official signature from the DNSCrypt website.
6. Run `dig +short +dnssec TXT
dnscrypt-proxy-1.4.0.tar.bz2.download.dnscrypt.org'


Now compare the results. If they're the same, you're ready to go.


Now actually installing, and setting everything up.
7. Run `sudo apt-get install dnscrypt-proxy'

8. Run `nm-connection-editor', and edit your connection. Go to IPv4
Settings and select 'Automatic (DHCP) addresses only' for the "Method".
In the DNS servers, set it to:
127.0.0.2

This will make it so that by default, 127.0.0.2 is used for DNS.

Due to a bug(?) in apparmor, you must run the following commands:

9. Run `sudo apt-get install apparmor-utils ; sudo aa-complain
/etc/apparmor.d/usr.sbin.dnscrypt-proxy'

Now to setup dnscrypt, and make it start on startup.

10. Run `sudo nano /etc/init.d/dnscrypt' and put in:
?
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
	
|#!/bin/sh|
|# This is ||for| |the file /etc/init.d/dnscrypt|
|### BEGIN INIT INFO|
|# Provides:          dnscrypt|
|# Required-Start:    ||$all|
|# Required-Stop:     ||$all|
|# Default-Start:     2 3 4 5|
|# Default-Stop:      0 1 6|
|# Short-Description: DNSCrypt ||for| |OpenDNS|
|# Description:       Launch the dnscrypt to communicate with OpenDNS|
|### ||END| |INIT INFO|
|DAEMON=||"/usr/sbin/dnscrypt-proxy"|
|NAME=||"dnscrypt"|
 
|dnscrypt_start()|
|{|
|    ||echo| |"Starting dnscrypt"|
|    ||dnscrypt-proxy -u nobody -R opendns --local-port=53
--local-address=127.0.0.2 --daemonize |
|}|
 
|dnscrypt_stop()|
|{|
|    ||echo| |"Stopping dnscrypt"|
|    ||start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3
--||exec| |"$DAEMON"| |> /dev/null|
|}|
 
|case| |"$1"| |in|
|    ||start)|
|   ||dnscrypt_start|
|   ||;;|
|  ||stop)|
|   ||dnscrypt_stop|
|  ||;;|
|  ||restart|force-reload)|
|   ||dnscrypt_stop|
|  ||dnscrypt_start|
|   ||;;|
|    ||*)|
|   ||echo| |"Usage: /etc/init.d/$NAME
{start|stop|restart|force-reload}"| |>&2|
|   ||exit| |1|
|   ||;;|
|esac|
 
|exit| |0|



11. Run `sudo chmod +x /etc/init.d/dnscrypt', and `sudo update-rc.d
dnscrypt defaults'.

Finally, we must edit /etc/default/dnscrypt-proxy.

12. Run `sudo nano /etc/default/dnscrypt-proxy'
Make sure that the "local-address" is set to "127.0.0.2:53",
"resolvconf" is set to "on", and "user" is set to "nobody",

And then reboot.


Now you'll be resolving with encryption. You can confirm you're using it
correctly by going to http://www.opendns.com/welcome/.

You can also run `sudo tcpdump -i any -n -A 208.67.220.220', which will
display the ASCII output of the packets going in/out of port 443(since
it uses port 443, not 53). You can then run `dig debug.opendns.com' in
another terminal, and you should see encrypted text through tcpdump.

Make sure that /nonexistent exists, and is chowned to
nobody:nogroup(`sudo sudo chown nobody:nogroup /nonexistent')



       


      *Evil-Maid Attacks***

I won't be covering prevention of evil-maid attacks in this post due to
the limitation of what one can actually do to prevent against an
evil-maid attack. However, one example of what you can do is moving the
boot partition in Ubuntu to a secure USB stick. A guide on how to do
this can be found here
<http://newspaint.wordpress.com/2013/11/30/moving-linux-boot-partition-to-usb-drive/>.

But in reality, if somebody is able to tamper with your computer while
it's not in your possession, they could install a hardware keylogger
<https://en.wikipedia.org/wiki/Hardware_keylogger> to get your
encryption key.



      ColdBoot Attacks

Again, I won't be covering much when it comes to coldboot attacks.
Most computers these days use DDR3 ram, which as far as I can find,
aren't vulnerable to coldboot attacks. I will however give
recommendations to stop the theoretical attack.


1. Set an Administrator password for the BIOS.
Although this wouldn't help if an attacker were to take the ram out of
your system, and put it into theirs then dump it, it will delay how long
it takes for the ram to be dumped.

2. Turn off Quickboot/Fastboot in your BIOS.
Not all computers support this, but some do. By turning off
Quickboot/Fastboot, your system will 'check' the memory on boot, thus
overwriting everything.
*
*
*
* *
* *
* *
* *
* *
* *
*


    Unrelated

*
*


      *File Removal*

As most readers will know, deleting files through usual methods(and the
command `rm') only remove the "links" to the files contents on the
harddrive. To remove files securely, you can use the program BleachBit
<http://bleachbit.sourceforge.net/>. 
You can install it by running `sudo apt-get install bleachbit'. 
To securely delete a file, run `bleachbit -s file.txt'. It can also be
used on directories.

Once of the problems with 'secure file removal', is that it only
'securely'(?) deletes the current contents of files. If the file has
been edited at all, then reminisce of it may still exist.

<http://4.bp.blogspot.com/-V5DA2D3vF0o/U5w-W2eH8VI/AAAAAAAAAJk/ty-v0Wgzmcc/s1600/file_shred_graphics.png>

Credit: BleachBit


This diagram explains it well; using secure removal tools, only the
green blocks would be removed. The red blocks are old versions of the
files. 
To deal with this, and delete all un-used disk space, you can use
BleachBit as a cleaner.
To do this, you can run `sudo bleachbit  -o -c system.free_disk_space'.
*NOTE:* This will take a long time to use your harddrive. It creates a
file with random data that fills up the harddrive, then deletes it. If
you're using an SSD, *_DO NOT_* use this.

Bleachbit can also be used for other things. you can view them by
running `bleachbit --gui'.










With all of these security measures implemented, I am confident that my
computer is fairly secure from external, and remote hackers. It's much
more of a hobbyist thing. If you really need good secure, use Tails
<https://tails.boum.org/>. After all, one could always torture you for
access. <https://xkcd.com/538/>

I've personally done everything that is shown in this blog, as well as
participate in 'good practise', such as shutting down my computer when
I'm not using it.




Full: Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.
<http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ