08:02:23 <bkm> #startmeeting Desktop security
08:02:23 <zodbot> Meeting started Wed Aug 3 08:02:23 2016 UTC. The chair is bkm. Information about MeetBot at http://wiki.debian.org/MeetBot.
08:02:23 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
08:02:23 <zodbot> The meeting name has been set to 'desktop_security'
08:02:39 <bkm> speaker: Michael Scherer
08:07:02 <bkm> #topic introduction
08:07:23 <bkm> From France, sysadmin
08:08:07 <bkm> #topic survey
08:08:18 <bkm> People working for banks: 3
08:09:04 <bkm> About 6 people working where good computer security is needed
08:09:12 <bkm> #topic back to basics
08:10:07 <bkm> Availability, Confidentiality, Integrity
08:10:22 <bkm> Mostly 2 types of attackers
08:10:44 <bkm> 1) automated/low skill, such as brute force
08:11:11 <bkm> 2) APT - advanced persistent threat
08:11:50 <bkm> Techniques also applicable to laptop
08:12:21 <bkm> OS choice - possibility of checking code in open software
08:13:06 <bkm> suggestions - use supported software
08:13:15 <bkm> use a recent distribution
08:13:28 <bkm> do not use random repositories
08:13:52 <bkm> Check the build system
08:14:25 <bkm> Encrypt your disk
08:14:45 <bkm> Suggest LUKS and full disk encryption
08:15:16 <bkm> TrueCrypt not well maintained, but wide usability
08:15:27 <bkm> VeraCrypt also possible
08:16:20 <bkm> #topic Coldboot attack
08:16:53 <bkm> allows someone access to memory
08:17:06 <bkm> #topic evilmaid attack
08:17:39 <bkm> can easily download code for this
08:17:51 <bkm> use Secure Boot to protect from this
08:18:26 <bkm> Can also use TPM
08:18:51 <bkm> Anti Evil Maid - TPM with one time password
08:19:13 <bkm> Not so easy to use, but being worked on
08:19:34 <bkm> #topic Firewire DMA
08:19:48 <bkm> Use inception to test this
08:20:01 <bkm> Let him know if it works on Fedora
08:20:33 <bkm> #topic Alternate approaches
08:20:47 <bkm> Bootloader on a stick
08:20:55 <bkm> Self-encrypted stick
08:21:21 <bkm> A little easier to do this on Gentoo
08:21:33 <bkm> Fingerprint reader is not a security device
08:21:50 <bkm> Password better
08:22:19 <bkm> Do not plug random devices into computer
08:22:49 <bkm> May have filesystem or USB stack bugs
08:23:17 <bkm> Take a look at USBGuard
08:23:33 <bkm> Hardware security is depressing
08:23:51 <bkm> Take a look at Qubes OS
08:24:09 <bkm> #topic review basics
08:24:14 <bkm> strong password
08:24:29 <bkm> take human factors into account as well
08:24:37 <bkm> use a password manager
08:25:24 <bkm> Do not keep data on the laptop
08:25:40 <bkm> Separate users for different purposes
08:26:00 <bkm> Helpful to use separate computers
08:26:17 <bkm> Prevent remote exploits - have a firewall
08:26:27 <bkm> Disable what you do not need
08:26:41 <bkm> Do not listen on the network
08:27:02 <bkm> Use VM or vagrant if computer powerful enough
08:27:18 <bkm> Watch container talk as well
08:27:23 <bkm> VM better than container
08:27:38 <bkm> Virus scanners tend to be quite dangerous for Linux
08:28:22 <bkm> #topic IP6 and shodan
08:28:54 <bkm> Shodan doing scanning of internet
08:29:18 <bkm> IP6 addresses can be easily found
08:29:48 <bkm> Enigma 6 conference keynote interesting
08:30:09 <bkm> TAO NSA talk
08:30:47 <bkm> Phishing - do not open random attachments
08:31:15 <bkm> OpenOffice better security updates than LibreOffice
08:31:26 <bkm> Use sandboxes
08:31:59 <bkm> Use VM or SELinux sandbox
08:32:14 <bkm> Firejail also available
08:32:23 <bkm> Docker not made for security
08:32:40 <bkm> Can use SELinux on desktop
08:32:58 <bkm> MCS policy
08:33:22 <bkm> Contained user - requires much extra work
08:33:50 <bkm> Look at Flatpak, previously xdg-app
08:34:22 <bkm> #topic browser security
08:34:32 <bkm> Chrome vs Firefox
08:34:53 <bkm> Used Firefox more
08:35:00 <bkm> do not use Flash
08:35:18 <bkm> block Java by default
08:35:48 <bkm> block multimedia content - at least from autoplaying
08:36:14 <bkm> Many issues with WebGL and direct 3D access
08:36:37 <bkm> Similar issues for WebRTC and network access
08:36:52 <bkm> Use a master password
08:37:01 <bkm> use HTTPS Everywhere
08:37:29 <bkm> use NoScript - many websites won't work, but protected
08:38:03 <bkm> use Cert Patrol to authenticate accessing correct website
08:38:36 <bkm> Filter CA
08:38:53 <bkm> Also look at rowhammer.js
08:38:59 <bkm> #topic privacy
08:39:22 <bkm> Tracking on the web
08:39:30 <bkm> exploits in adverts
08:39:51 <bkm> precise targeting, eg using Twitter
08:40:30 <bkm> Adblock if have enough memory
08:40:46 <bkm> CookieMonster also worth using
08:41:04 <bkm> Can also try Tor/Tails when browsing the web
08:41:26 <bkm> Some issues since history forgotten
08:41:38 <bkm> #topic local attacks
08:41:42 <bkm> use screen saver
08:41:48 <bkm> lock on idle
08:42:29 <bkm> do not forget tty
08:42:42 <bkm> use bash variable TMOUT for timeout
08:43:06 <bkm> use sudo security - credentials should expire after some time
08:43:13 <bkm> disable ptrace
08:43:40 <bkm> can use YAMA module to disable
08:43:59 <bkm> #topic SSH security
08:44:07 <bkm> put a password on the key
08:44:18 <bkm> use ssh-agent to not type in key passphrase all the time
08:44:23 <bkm> do not use ssh-agent
08:44:31 <bkm> #delete
08:44:39 <bkm> do not use ssh-agent forwarding
08:44:52 <bkm> use a different key for each device
08:45:00 <bkm> change key on regular basis
08:45:16 <bkm> automate key changing if can do this
08:45:33 <bkm> store key on smartcard
08:46:01 <bkm> Can use YubiKey
08:46:20 <bkm> can also store on TPM, eg using simple-tpm-pk11
08:47:25 <bkm> confused deputy issue - someone else using your credentials
08:47:33 <bkm> audit, audit and audit again
08:47:42 <bkm> store audit on a different server
08:47:57 <bkm> make it hard or slow to clean or delete logs
08:48:05 <bkm> using machine learning on events
08:48:39 <bkm> #topic data
08:48:43 <bkm> make backups
08:48:47 <bkm> encrypt data
08:49:30 <bkm> using an intrusion detection system such as Bro or Snort
08:49:47 <bkm> try AIDE or Tripwire
08:49:56 <bkm> use a read-only filesystem
08:50:01 <bkm> try OSTree
08:50:08 <bkm> use logwatch on laptop
08:50:22 <bkm> do not run sshd on laptop; if you need to, use logwatch
08:50:26 <bkm> #conclusion
08:50:37 <bkm> Thanks for attending
08:50:43 <bkm> #topic questions
08:50:53 <bkm> Thoughts on password manager?
08:51:16 <bkm> Cannot recommend a password manager, but suggests FOSS software that is local
08:52:06 <bkm> Use trusted components, eg git and gpg
08:52:26 <bkm> Progress in this area still needed, in particular for usability
08:53:27 <bkm> look at systemd
08:54:02 <bkm> contact by IRC misc@irc or misc@redhat.com or misc@zarb.org
08:54:11 <bkm> no Twitter, Facebook or LinkedIn
08:54:19 <bkm> #endmeeting