desktop_security
LOGS
08:02:23 <bkm> #startmeeting Desktop security
08:02:23 <zodbot> Meeting started Wed Aug  3 08:02:23 2016 UTC.  The chair is bkm. Information about MeetBot at http://wiki.debian.org/MeetBot.
08:02:23 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
08:02:23 <zodbot> The meeting name has been set to 'desktop_security'
08:02:39 <bkm> speaker: Michael Scherer
08:07:02 <bkm> #topic introduction
08:07:23 <bkm> From France, sysadmin
08:08:07 <bkm> #topic survey
08:08:18 <bkm> People working for banks 3
08:09:04 <bkm> About 6 people working where need good computer security
08:09:12 <bkm> #topic back to basics
08:10:07 <bkm> Availability, Confidentiality, Integrity
08:10:22 <bkm> Mostly 2 types of attackers
08:10:44 <bkm> 1) automated/low skill such as brute force
08:11:11 <bkm> 2) APT - advanced persistent threat
08:11:50 <bkm> Techniques also applicable to laptop
08:12:21 <bkm> OS choice - possibility of checking code in open software
08:13:06 <bkm> suggestions - Use supported software
08:13:15 <bkm> use a recent distribution
08:13:28 <bkm> do not use random repository
08:13:52 <bkm> Check the build system
08:14:25 <bkm> Encrypt your disk
08:14:45 <bkm> Suggest LUKS and full disk encryption
08:15:16 <bkm> TrueCrypt not well maintained, but wide usability
08:15:27 <bkm> VeraCrypt also possible
08:16:20 <bkm> #topic Coldboot attack
08:16:53 <bkm> allows someone access to memory
08:17:06 <bkm> #topic evilmaid attack
08:17:39 <bkm> can easily download code for this
08:17:51 <bkm> use secureboot to protect from this
08:18:26 <bkm> Can also use TPM
08:18:51 <bkm> Anti Evil Maid - TPM with one-time password
08:19:13 <bkm> Not so easy to use, but being worked on
08:19:34 <bkm> #topic FireWire DMA
08:19:48 <bkm> Use Inception to test this
08:20:01 <bkm> Let him know if it works on Fedora
08:20:33 <bkm> #topic Alternate approaches
08:20:47 <bkm> Bootloader on a stick
08:20:55 <bkm> Self encrypted stick
08:21:21 <bkm> A little easier to do this on Gentoo
08:21:33 <bkm> Fingerprint reader is not a security device
08:21:50 <bkm> Password better
08:22:19 <bkm> Do not plug random devices into computer
08:22:49 <bkm> May have filesystem or USB stack bugs
08:23:17 <bkm> Take a look at USBGuard
08:23:33 <bkm> Hardware security is depressing
08:23:51 <bkm> Take a look at Qubes OS
08:24:09 <bkm> #topic review basics
08:24:14 <bkm> strong password
08:24:29 <bkm> take human factors into account as well
08:24:37 <bkm> use a password manager
08:25:24 <bkm> Do not keep data on the laptop
08:25:40 <bkm> Separate users for different purposes
08:26:00 <bkm> Helpful to use separate computers
08:26:17 <bkm> Prevent remote exploits - have a firewall
08:26:27 <bkm> Disable what you do not need
08:26:41 <bkm> Do not listen on the network
08:27:02 <bkm> Use VM or Vagrant if computer powerful enough
08:27:18 <bkm> Watch container talk as well
08:27:23 <bkm> VM better than container
08:27:38 <bkm> Virus scanners tend to be quite dangerous for Linux
08:28:22 <bkm> #topic IPv6 and Shodan
08:28:54 <bkm> Shodan doing scanning of internet
08:29:18 <bkm> IPv6 addresses can be easily found
08:29:48 <bkm> enigma 6 conference keynote interesting
08:30:09 <bkm> TAO NSA talk
08:30:47 <bkm> Phishing - do not open random attachments
08:31:15 <bkm> Open office better security updates than libre office
08:31:26 <bkm> Use sandboxes
08:31:59 <bkm> Use VM or SELinux sandbox
08:32:14 <bkm> Firejail also available
08:32:23 <bkm> Docker not made for security
08:32:40 <bkm> Can use SELinux on desktop
08:32:58 <bkm> MCS policy
08:33:22 <bkm> Contained user - requires much extra work
08:33:50 <bkm> Look at Flatpak, previously xdg-app
08:34:22 <bkm> #topic browser security
08:34:32 <bkm> Chrome vs Firefox
08:34:53 <bkm> Used Firefox more
08:35:00 <bkm> do not use Flash
08:35:18 <bkm> block Java by default
08:35:48 <bkm> block multimedia content - at least from autoplaying
08:36:14 <bkm> Many issues with WebGL and direct 3D access
08:36:37 <bkm> Similar issues for WebRTC and network access
08:36:52 <bkm> Use a master password
08:37:01 <bkm> use HTTPS Everywhere
08:37:29 <bkm> use NoScript - many websites won't work, but protected
08:38:03 <bkm> use Certificate Patrol to authenticate accessing correct website
08:38:36 <bkm> Filter CA
08:38:53 <bkm> Also look at rowhammer.js
08:38:59 <bkm> #topic privacy
08:39:22 <bkm> Tracking on the web
08:39:30 <bkm> exploits in adverts
08:39:51 <bkm> precise targeting, eg using twitter
08:40:30 <bkm> Adblock if have enough memory
08:40:46 <bkm> cookiemonster also worth using
08:41:04 <bkm> Can also try Tor/Tails when browsing the web
08:41:26 <bkm> Some issues since history forgotten
08:41:38 <bkm> #topic local attacks
08:41:42 <bkm> use screen saver
08:41:48 <bkm> lock on idle
08:42:29 <bkm> do not forget tty
08:42:42 <bkm> use bash variable TMOUT for timeout
08:43:06 <bkm> use sudo security - credentials should expire after some time
08:43:13 <bkm> disable ptrace
08:43:40 <bkm> can use Yama module to disable
08:43:59 <bkm> #topic SSH security
08:44:07 <bkm> put a password on the key
08:44:18 <bkm> use ssh-agent to not type in key all the time
08:44:23 <bkm> do not use ssh-agent
08:44:31 <bkm> #delete
08:44:39 <bkm> do not use ssh-agent forwarding
08:44:52 <bkm> use a different key for each device
08:45:00 <bkm> change key on regular basis
08:45:16 <bkm> automate key changing if can do this
08:45:33 <bkm> store key on smartcard
08:46:01 <bkm> Can use YubiKey
08:46:20 <bkm> can also store on TPM, eg using simple-tpm-pk11
08:47:25 <bkm> confused deputy issue - someone else using your credentials
08:47:33 <bkm> audit, audit and audit again
08:47:42 <bkm> store audit on a different server
08:47:57 <bkm> make it hard or slow to clean or delete logs
08:48:05 <bkm> using machine learning on events
08:48:39 <bkm> #topic data
08:48:43 <bkm> make backups
08:48:47 <bkm> encrypt data
08:49:30 <bkm> using an intrusion detection system such as Bro or Snort
08:49:47 <bkm> try AIDE or Tripwire
08:49:56 <bkm> use a read-only filesystem
08:50:01 <bkm> try OSTree
08:50:08 <bkm> use logwatch on laptop
08:50:22 <bkm> do not run sshd on laptop; if you need to, use logwatch
08:50:26 <bkm> #conclusion
08:50:37 <bkm> Thanks for attending
08:50:43 <bkm> #topic questions
08:50:53 <bkm> Thoughts on password manager?
08:51:16 <bkm> Cannot recommend a password manager, but suggests FOSS software that is local
08:52:06 <bkm> Use trusted components, eg git and gpg
08:52:26 <bkm> Progress in this area still needed, in particular for usability
08:53:27 <bkm> look at systemd
08:54:02 <bkm> contact by IRC misc@irc or misc@redhat.com or misc@zarb.org
08:54:11 <bkm> no Twitter, Facebook or LinkedIn
08:54:19 <bkm> #endmeeting