Re: [tor-relays] New relay operator. Basic security practices? - tor-relays

4 Mar 2015

      This email ( link to the blog post ) was powted a while ago on the Full Disclosure mailing list. Some of the advice only applies to Desktop computers, but I find it's still a very good read in the general case.
-- 
Justicerage 

???----- Original Message ----- 
????From: "Joshua Rogers" megamansec@gmail.com 
To: fulldisclosure@seclists.org 
Sent: Saturday, June 14, 2014 7:22:14 PM 
Subject: [FD] Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys. 

?????Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys. 

Securing your Ubuntu Desktop OS from intruders 

Recently I have become interested in securing my laptop from predators 
such as hackers, thieves, and law enforcement. 
To do this, I've explored various programs to run; and how to run them, 
without interrupting usability by the average user. 

In this blog we'll be running through vectors of attacks that one could 
use to gain access to your unencrypted data. 

Before starting, the following must be known: 

1. The author of this article is currently running Ubuntu 14.04 
LTS(Trusty), and all commands and patches work on it for the author. The 
author accepts no liability when it comes to these commands/patches 
being run by other users; this is purely informational. 
2. It is assumed Full-Disk-Encryption is being used. 
3. It is assumed your $HOME directory is encrypted using ecryptfs, with 
filenames encrypted. This can be checked using the command 
`ecryptfs-verify -h -e' 
4. It is assumed you do not have the evil program called Java, or any of 
its counterparts like IcedTea, etc. installed. 

When you're told to run the program 'Nano', you can use vim,vi,emacs, 
etc. Nano is purely the text editor that I use. To exit out of Nano, you 
press control-x. 

FireWire attacks 

Firewire has for awhile been known to allow attackers to gain access to 
a computer's Physical memor[RAM], and enable the attacker to grab the 
encryption key used for devices that are mounted. 
The most obvious method of defeating this attack is by not compiling the 
kernel with any firewire modules included, but for the sake of this 
article, I'll include methods of mitigation. After all, some Ubuntu 
users probably wouldn't be able to compile their own kernel every update. 

To mitigate the risks with firewire, we will disable them in a blacklist 
file in modprobe.d. 

1. Open up /etc/modprobe.d/blacklist-firewire.conf by running `sudo nano 
/etc/modprobe.d/blacklist-firewire.conf' 
2. Remove the contents(or comment everything out) and replace it with 
the following: 
? 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html# 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24 
25 
26 
27 

|# Prevent automatic loading of firewire module(s).| 

|blacklist ohci1394| 
|blacklist sbp2| 
|blacklist dv1394| 
|blacklist raw1394| 
|blacklist video1394| 

|blacklist firewire-ohci| 
|blacklist firewire-sbp2| 
|blacklist firewire-core| 
|blacklist firewire-net| 
|blacklist firewire-serial| 

|# Prevent manual loading of firewire module(s).| 

|install ohchi1394 false| 
|install sbp2 false| 
|install dv1394 false| 
|install raw1394 false| 
|install video1394 false| 

|install firewire-ohci false| 
|install firewire-sbp2 false| 
|install firewire-core false| 
|install firewire-net false| 
|install firewire-serial false| 

This will 1. blacklist all the firewire modules from starting at boot, 
and 2. prevent loading of firewire through forceful techniques. 

After doing this, you *must* run `sudo update-initramfs -k all -u' for 
it to take effect on next boot. 

Hardening Firefox 

The abilities of web-browsers are not only astounding, but also 
extremely vulnerable. With 0-day exploits being found for nearly 
everything, the bad guys are always looking for ways to exploit your 
browser. 
Methods used to exploit browsers are usually split up into two parts: 
exploiting the actual browser, and exploiting addon(such as Adblock and 
Acrobat Reader). 

Using the method I describe should mitigate most, if not all techniques 
involved in the exploitation of Firefox, and addons used. 

Most services when installed create a user for themselves, where they 
cannot escape from without some sort of local root kernel exploit. 
Unlike services, firefox is normally run at the same permissions as the 
user running it, which entails an attacker to be able to gain the same 
permissions of the user. With access, an attacker could record the 
keystrokes of the user, and wait until they run 'sudo' to gain root 
access(or, god forbid, somebody has nopasswd enabled on their account.) 

By creating a user specifically for firefox, we lock it into its own 
folder where it [shouldn't be able to] escape. 

First off, we want to create our new user called 'firefox'. 

1. Run 'sudo adduser --system --quiet --shell /bin/false --group 
--disabled-password --disabled-login firefox' in the terminal. 

The commandline(and all references to) 'firefox' is a link to 
/usr/bin/firefox, which is just a launcher script, so we can move that 
to something like 'firefox-start'. 

2. Run `sudo mv /usr/bin/firefox /usr/bin/firefox-start' in the terminal. 

Now we want to recreate the firefox file, and make it execute as our 
'firefox' user, with all of the parameters that it normally would. 
To do this, we must make a script to be run when using the command 
'firefox'. 

We have two options here. We either make a very simple script to run 
Firefox as the 'firefox' user, or we use some X11 trickery. 

The problem with the first, is that an experienced hacker could control 
*all* X11 activity. Including logging keystrokes, injecting keystrokes, 
taking screenshots, etc. 

The problem with the second, is that extensions such as XRANDR will not 
work. Another highly problematic downside is that you cannot 
copy-and-paste from your browser into another application. You can 
copy-and-paste from other applications into the browser, but not the 
other way around. This makes it incredibly difficult if you want to 
copy, for example, a quote from Wikipedia into an email. 

Due to not having a solution to this, I've decided to show you how to do 
both. 

----- 

Vulnerable Method 

This method gives the reader a very easy way of doing things, and is 
probably OK for the average user. 

Open up /usr/bin/firefox, which should now be an empty file, and place a 
script in it so it will run firefox was the user 'firefox'. 
3[.1]. sudo nano /usr/bin/firefox 
And enter the script: 
? 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html# 
1 
2 

|#!/bin/bash| 
|sudo -H -u firefox ||"/usr/bin/firefox-start"| |"$@"| 

The -H flag is used to tell the system that we want to set our home 
directory to /home/firefox/. -u is used to tell the system that we want 
to run the program as the user 'firefox', and the last two flags tell 
the system to run /usr/bin/firefox-start(the REAL firefox script) with 
the flags $@, which means it will run with whatever /usr/bin/firefox was 
run with. 

We need to allow the 'firefox' user to access X, so we go to "System -> 
Preferences -> Startup Applications" and add a new startup program. 
The name and comment is irrelevant, but the command should be this: 
? 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html# 
1 

|xhost +SI:localuser:firefox| 

----- 

'Paranoid' Method 

This method, as stated above, stops the user from copy-and-pasting from 
the browser into a different program. It is much more safe, and is 
considered secure. 

3[.2]. Run `sudo nano /usr/bin/firefox', and put in.. 

? 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html# 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 

|#!/bin/bash| 

|xa=||"/home/firefox/.Xauthority"| 

|exec| |newgrp firefox <<-EOF| 

| ||if| |[ -e ||"$xa"| |]; then| 
| ||if| |[ ! -r ||"$xa"| |]; then| 
| ||rm -f ||"$xa"| 
| ||elif [ ! -w ||"$xa"| |]; then| 
| ||mv ||"$xa"| |"$xa.tmp"| |&& cp ||"$xa.tmp"| |"$xa"| |&& rm -f 
||"$xa.tmp"| |&& ||chmod| |660 ||"$xa"| 
| ||fi| 
| ||fi &&| 
| ||xauth -q -i -f ||"$xa"| |generate ||"$DISPLAY"| |. ||"untrusted"| 
|&& ||chmod| |g+rw ||"$xa"| |&&| 
| ||sudo -H -u firefox XAUTHORITY=||"$xa"| |"/usr/bin/firefox-start"| |"$@"| 

|EOF| 

This script will run every time you open up firefox. 

Now we need to make the file executable. 

[4]. Run `sudo chmod +x /usr/bin/firefox'. 

As you can see in the script, it relies on the usage of the 'newgrp' 
program being able to access the 'firefox' group. To do this, you must 
add yourself into the 'firefox' group. 

[5]. Run `sudo useradd -a -G firefox $USER'. 
This will add you into the group of 'firefox'. 
You will now need to reboot to make this come into effect. 

To allow changes to be made by groups, you must run a chmod command on 
the user folder. 
[6]. Run `chmod -R g+rwxs ~firefox' 

This allows anybody in the 'firefox' group is make changes in the 
/home/firefox/ directory. 

----- 

Now you can run 'firefox', and it'll run the browser as the user 
'firefox', not as your user. Yay! We got most likely the hardest part 
finished. 

Audio 

I, like many of you probably do, like to play music in my browser. 
Whether it be through HTML5, or Flash. But since our new user 'firefox' 
isn't part of the 'audio' group, we must add ourselves to it. 

[?]. Run `sudo usermod -a -G audio firefox' 
Now with another reboot(or logout), audio should be able to be played. 

Finally, due to multiple users using PULSE(your account, and then flash 
in the 'firefox' user), we have to set up 'firefox' to use a slave 
server, and your real user as the master. 

First of all, we want to copy the default pulseaudio settings to your 
home directory. 

[?]. Run `mkdir ~/.pulse/ ; cp /etc/pulse/default.pa ~/.pulse/' 

Now edit it. 

[?]. Run `nano ~/.pulse/default.pa' 
Add to the bottom of the file: "load-module module-native-protocol-tcp 
auth-ip-acl=127.0.0.1" and save. 

And that's it. Firefox will automatically use use that as a master 
server, thus becoming a slave. 

There are probably security implications to do with this, but they would 
be minor.(At most, listening to microphone, which I doubt anyways) 

Addons 

Although mostly un-important, it might interest some people to install 
some addons in Firefox to enhance your browsing privacy. 

These include: 

Adblock Edge 
https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/ - 
Basically AdBlock without the whitelisted ads. Removes ads & unwanted 
elements on webpages. Recommend using https://www.fanboy.co.nz/ 
https://www.fanboy.co.nz/in conjunction too. 
HTTPS-Everywhere https://www.eff.org/https-everywhere - Trys to use 
HTTPS/SSL on webpages known to work with them. 
BetterPrivacy 
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ - 
Handles long-term, non-HTTP cookies such as flash cookies.(In options, 
make sure 'Always ask' is unchecked.) 
User Agent Switcher 
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ - 
Makes it possible for you to change your User-Agent to something else. 
Download http://techpatterns.com/downloads/firefox/useragentswitcher.xml 
and import it through the application in Firefox(Edit User-Agents). 
Smart Refererhttps://www.blogger.com/ - Only sets referrer if staying 
on the same page. 

In the page "about:addons"(type it into your URL-bar), go to "Plugins", 
and make sure everything is set to "Ask to Activate". 

In the page "about:config"(type it into your URL-bar), set geo.enabled 
to false(double click on it if it's true), set 
network.dns.disablePrefetch to true, set network.websocket.enabled to 
false, 

MAC-Address 

Although not necessarily a security risk, your MAC Address may be used 
for tracking, and later identification. 

To do this, we use an interesting program called macchanger 
https://github.com/alobbs/macchanger. 
Macchanger, created by "Alvaro Lopez Ortega 
https://github.com/alobbs", is a program that quickly and easily 
spoofs your mac address. 

Although a new and updated version of macchanger exists on Github, we'll 
be using the repository's version. 

We actually need to install macchange. To do so: 
1. Run `sudo apt-get install macchanger' 

Although originally I wanted to set up a script to change the mac 
address every time you connected to a wireless network, I encountered a 
problem. The default network manager in Ubuntu, NetworkManager, 
deprecated pre-up, and post-down. The developers have said that 
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/336736 
they will not be bringing it back either. Interestingly, many of the 
commenters on the invalid bug-report page also inquire the removal, as 
they also were trying to use macchanger. 

By creating an init script, we can make the program 'macchanger' run on 
boot. 

1. Run `sudo nano /etc/init.d/changemac', and insert the following: 

? 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html# 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 

|#!/bin/bash| 

|# Disable the network devices| 
|ifconfig eth0 down| 
|ifconfig wlan0 down| 

|# Spoof the mac addresses| 
|/usr/bin/macchanger -a eth0| 
|/usr/bin/macchanger -a wlan0| 

|# Re-enable the devices| 
|ifconfig eth0 up| 
|ifconfig wlan0 up| 

|exit| |0| 

Make sure to make it executable(`sudo chmod +x /etc/init.d/changemac'). 
This script will, on boot, take down wlan0 and eth0, change their 
mac-addresses, and then bring them back up. If need be, edit eth0 and 
wlan0 for your respective names on your system. 

We now must actually the script run on boot. This can be done by running 
'update-rc.d'. 
2. Run `sudo update-rc.d changemac defaults 10' 

On each reboot, your mac address should change, without any implications 
in regard to connectivity. 

Anti-Viruses 

It's commonly said by in-experienced users of all distributions that 
Linux cannot get viruses(Mac users also say this). But in reality, they 
can get viruses, but it's rare. 
As described here https://help.ubuntu.com/community/Linuxvirus, many 
Linux Trojans/Viruses/Worms have been made, but with little success. 
Although there is little chance of actually getting one, it's considered 
a good gesture to others, for you to scan for viruses. -- "If you are 
going to trade files in a Windows world, you'll need to scan those files 
for viruses. You won't get infected, but you may help infect someone else." 
i.e; You may forward an email through your email that contains a windows 
virus. 

Some Windows viruses can also be run through Wine. 

We'll be using ClamAV, an open-source anti-virus program. 
We first have to install it. 

1. Run `sudo apt-get install clamav clamtk clamav-daemon' 

Once finished installing, we must update our 'AntiVirus definitions'. 

2. Run `sudo freshclam' 
This may take awhile. 

ClamAV can be run in three ways:Manually in the terminal, manually 
through a GUI, or as a daemon. 

I'm going to run it as a GUI. 
It can be run as a GUI by opening the terminal and typing running `clamtk'. 

When you open clamtk, you're showed options in regard to how you want to 
run ClamAV. It's very simple and needs no explanation. You can set up an 
automatic schedule for scanning in Advanced->Scheduler. 

Originally, I wanted to make it so that Firefox would scan all 
downloaded files using ClamAV. I found the addon Fireclam 
https://addons.mozilla.org/en-US/firefox/addon/fireclam/ which is a 
Firefox mod that scans downloaded files through ClamAV, and gives you a 
warning if it returns anything. 
The problem with it, is that on download, Firefox freezes for 3-5 
seconds while the scan is actually going on. This is a huge 
inconvenience and to me makes it unusable. I'm keeping it up here purely 
to show that it exists. ClamAV can also be set-up with Thunderbird. 

*Note: ClamAV does _not_ delete any files. That's up to you. It purely 
notifies you to the existence.** * 

DNSCrypt 

Something a lot of people don't realize is that DNS is completely 
unencrypted. 
We're going to add encryption which will prevent spying. 
To do this, we're going to use OpenDNS's 
http://www.opendns.com/about/innovations/dnscrypt/DNSCrypt 
http://dnscrypt.org/. 

So, we want to download the current version, dnscrypt-proxy-1.4.0 
http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.0.tar.bz2. 
1. Run `sudo add-apt-repository ppa:shnatsel/dnscrypt' 

2. Run `sudo apt-get update' 

3. Run `software-properties-gtk', go to "Other Software", and tick the 
source-code option for shnatsel/dnscrypt. 

Now we want to confirm that the ppa is actually secure. To do this.. 

4. Run `sudo apt-get source --download-only dnscrypt-proxy' 
Generate a SHA256 signature for the source. 
5. Run `sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2' 
Pull the official signature from the DNSCrypt website. 
6. Run `dig +short +dnssec TXT 
dnscrypt-proxy-1.4.0.tar.bz2.download.dnscrypt.org' 

Now compare the results. If they're the same, you're ready to go. 

Now actually installing, and setting everything up. 
7. Run `sudo apt-get install dnscrypt-proxy' 

8. Run `nm-connection-editor', and edit your connection. Go to IPv4 
Settings and select 'Automatic (DHCP) addresses only' for the "Method". 
In the DNS servers, set it to: 
127.0.0.2 

This will make it so that by default, 127.0.0.2 is used for DNS. 

Due to a bug(?) in apparmor, you must run the following commands: 

9. Run `sudo apt-get install apparmor-utils ; sudo aa-complain 
/etc/apparmor.d/usr.sbin.dnscrypt-proxy' 

Now to setup dnscrypt, and make it start on startup. 

10. Run `sudo nano /etc/init.d/dnscrypt' and put in: 
? 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html# 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24 
25 
26 
27 
28 
29 
30 
31 
32 
33 
34 
35 
36 
37 
38 
39 
40 
41 
42 
43 
44 

|#!/bin/sh| 
|# This is ||for| |the file /etc/init.d/dnscrypt| 
|### BEGIN INIT INFO| 
|# Provides: dnscrypt| 
|# Required-Start: ||$all| 
|# Required-Stop: ||$all| 
|# Default-Start: 2 3 4 5| 
|# Default-Stop: 0 1 6| 
|# Short-Description: DNSCrypt ||for| |OpenDNS| 
|# Description: Launch the dnscrypt to communicate with OpenDNS| 
|### ||END| |INIT INFO| 
|DAEMON=||"/usr/sbin/dnscrypt-proxy"| 
|NAME=||"dnscrypt"| 

|dnscrypt_start()| 
|{| 
| ||echo| |"Starting dnscrypt"| 
| ||dnscrypt-proxy -u nobody -R opendns --local-port=53 
--local-address=127.0.0.2 --daemonize | 
|}| 

|dnscrypt_stop()| 
|{| 
| ||echo| |"Stopping dnscrypt"| 
| ||start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 
--||exec| |"$DAEMON"| |> /dev/null| 
|}| 

|case| |"$1"| |in| 
| ||start)| 
| ||dnscrypt_start| 
| ||;;| 
| ||stop)| 
| ||dnscrypt_stop| 
| ||;;| 
| ||restart|force-reload)| 
| ||dnscrypt_stop| 
| ||dnscrypt_start| 
| ||;;| 
| ||*)| 
| ||echo| |"Usage: /etc/init.d/$NAME 
{start|stop|restart|force-reload}"| |>&2| 
| ||exit| |1| 
| ||;;| 
|esac| 

|exit| |0| 

11. Run `sudo chmod +x /etc/init.d/dnscrypt', and `sudo update-rc.d 
dnscrypt defaults'. 

Finally, we must edit /etc/default/dnscrypt-proxy. 

12. Run `sudo nano /etc/default/dnscrypt-proxy' 
Make sure that the "local-address" is set to "127.0.0.2:53", 
"resolvconf" is set to "on", and "user" is set to "nobody", 

And then reboot. 

Now you'll be resolving with encryption. You can confirm you're using it 
correctly by going to http://www.opendns.com/welcome/. 

You can also run `sudo tcpdump -i any -n -A 208.67.220.220', which will 
display the ASCII output of the packets going in/out of port 443(since 
it uses port 443, not 53). You can then run `dig debug.opendns.com' in 
another terminal, and you should see encrypted text through tcpdump. 

Make sure that /nonexistent exists, and is chowned to 
nobody:nogroup(`sudo sudo chown nobody:nogroup /nonexistent') 

*Evil-Maid Attacks*** 

I won't be covering prevention of evil-maid attacks in this post due to 
the limitation of what one can actually do to prevent against an 
evil-maid attack. However, one example of what you can do is moving the 
boot partition in Ubuntu to a secure USB stick. A guide on how to do 
this can be found here 
http://newspaint.wordpress.com/2013/11/30/moving-linux-boot-partition-to-usb-drive/. 

But in reality, if somebody is able to tamper with your computer while 
it's not in your possession, they could install a hardware keylogger 
https://en.wikipedia.org/wiki/Hardware_keylogger to get your 
encryption key. 

ColdBoot Attacks 

Again, I won't be covering much when it comes to coldboot attacks. 
Most computers these days use DDR3 ram, which as far as I can find, 
aren't vulnerable to coldboot attacks. I will however give 
recommendations to stop the theoretical attack. 

1. Set an Administrator password for the BIOS. 
Although this wouldn't help if an attacker were to take the ram out of 
your system, and put it into theirs then dump it, it will delay how long 
it takes for the ram to be dumped. 

2. Turn off Quickboot/Fastboot in your BIOS. 
Not all computers support this, but some do. By turning off 
Quickboot/Fastboot, your system will 'check' the memory on boot, thus 
overwriting everything. 
* 
* 
* 
* * 
* * 
* * 
* * 
* * 
* * 
* 

Unrelated 

* 
* 

*File Removal* 

As most readers will know, deleting files through usual methods(and the 
command `rm') only remove the "links" to the files contents on the 
harddrive. To remove files securely, you can use the program BleachBit 
http://bleachbit.sourceforge.net/. 
You can install it by running `sudo apt-get install bleachbit'. 
To securely delete a file, run `bleachbit -s file.txt'. It can also be 
used on directories. 

Once of the problems with 'secure file removal', is that it only 
'securely'(?) deletes the current contents of files. If the file has 
been edited at all, then reminisce of it may still exist. 

http://4.bp.blogspot.com/-V5DA2D3vF0o/U5w-W2eH8VI/AAAAAAAAAJk/ty-v0Wgzmcc/s1600/file_shred_graphics.png 

Credit: BleachBit 

This diagram explains it well; using secure removal tools, only the 
green blocks would be removed. The red blocks are old versions of the 
files. 
To deal with this, and delete all un-used disk space, you can use 
BleachBit as a cleaner. 
To do this, you can run `sudo bleachbit -o -c system.free_disk_space'. 
*NOTE:* This will take a long time to use your harddrive. It creates a 
file with random data that fills up the harddrive, then deletes it. If 
you're using an SSD, *_DO NOT_* use this. 

Bleachbit can also be used for other things. you can view them by 
running `bleachbit --gui'. 

With all of these security measures implemented, I am confident that my 
computer is fairly secure from external, and remote hackers. It's much 
more of a hobbyist thing. If you really need good secure, use Tails 
https://tails.boum.org/. After all, one could always torture you for 
access. https://xkcd.com/538/ 

I've personally done everything that is shown in this blog, as well as 
participate in 'good practise', such as shutting down my computer when 
I'm not using it. 

Full: Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys. 
http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html 

_______________________________________________ 
Sent through the Full Disclosure mailing list 
http://nmap.org/mailman/listinfo/fulldisclosure 
Web Archives & RSS: http://seclists.org/fulldisclosure/ 