08:02:23 #startmeeting Desktop security
08:02:23 Meeting started Wed Aug 3 08:02:23 2016 UTC. The chair is bkm. Information about MeetBot at http://wiki.debian.org/MeetBot.
08:02:23 Useful Commands: #action #agreed #halp #info #idea #link #topic.
08:02:23 The meeting name has been set to 'desktop_security'
08:02:39 speaker: Michael Scherer
08:07:02 #topic introduction
08:07:23 From France, sysadmin
08:08:07 #topic survey
08:08:18 People working for banks 3
08:09:04 About 6 people working where need good computer security
08:09:12 #topic back to basics
08:10:07 Availability, Confidentiality, Integrity
08:10:22 Mostly 2 types of attackers
08:10:44 1) automated/low skill such as brute force
08:11:11 2) APT - advanced persistent threat
08:11:50 Techniques also applicable to laptop
08:12:21 OS choice - possibility of checking code in open software
08:13:06 suggestions - Use supported software
08:13:15 use a recent distribution
08:13:28 do not use random repository
08:13:52 Check the build system
08:14:25 Encrypt your disk
08:14:45 Suggest LUKS and full disk encryption
08:15:16 truecrypt not well maintained, but wide usability
08:15:27 veracrypt also possible
08:16:20 #topic Coldboot attack
08:16:53 allows someone access to memory
08:17:06 #topic evilmaid attack
08:17:39 can easily download code for this
08:17:51 use secureboot to protect from this
08:18:26 Can also use TPM
08:18:51 Antievil maid - TPM with one time password
08:19:13 Not so easy to use, but being worked on
08:19:34 #topic Firewire DMA
08:19:48 Use inception to test this
08:20:01 Let him know if it works on Fedora
08:20:33 #topic Alternate approaches
08:20:47 Bootloader on a stick
08:20:55 Self encrypted stick
08:21:21 A little easier to do this on gentoo
08:21:33 Fingerprint reader is not a security device
08:21:50 Password better
08:22:19 Do not plug random devices into computer
08:22:49 May have filesystem or USB stack bugs
08:23:17 Take a look at USB guard
08:23:33 Hardware security is depressing
08:23:51 Take a look at Qubes OS
08:24:09 #topic review basics
08:24:14 strong password
08:24:29 take human factors into account as well
08:24:37 use a password manager
08:25:24 Do not keep data on the laptop
08:25:40 Separate users for different purposes
08:26:00 Helpful to use separate computers
08:26:17 Prevent remote exploits - have a firewall
08:26:27 Disable what you do not need
08:26:41 Do not listen on the network
08:27:02 Use VM or vagrant if computer powerful enough
08:27:18 Watch container talk as well
08:27:23 VM better than container
08:27:38 Virus scanners tend to be quite dangerous for linux
08:28:22 #topic IP6 and shodan
08:28:54 Shodan doing scanning of internet
08:29:18 IP6 addresses can be easily found
08:29:48 enigma 6 conference keynote interesting
08:30:09 TAO NSA talk
08:30:47 Phishing - do not open random attachments
08:31:15 Open office better security updates than libre office
08:31:26 Use sandboxes
08:31:59 Use VM or Selinux-sandbox
08:32:14 Firejail also available
08:32:23 Docker not made for security
08:32:40 Can use selinux on desktop
08:32:58 MCS policy
08:33:22 Contained user - requires much extra work
08:33:50 Look at flatpak, previously XDG-apps
08:34:22 #topic browser security
08:34:32 chrome vs firefox
08:34:53 Used firefox more
08:35:00 do not use flash
08:35:18 block java by default
08:35:48 block multimedia content - at least from autoplaying
08:36:14 Many issues with WebGL and direct 3D access
08:36:37 Similar issues for WebRTC and network access
08:36:52 Use a masterpassword
08:37:01 use https everywhere
08:37:29 use noscript - many websites won't work, but protected
08:38:03 use cert patrol to authenticate accessing correct website
08:38:36 Filter CA
08:38:53 Also look at rowhammer.js
08:38:59 #topic privacy
08:39:22 Tracking on the web
08:39:30 exploits in adverts
08:39:51 precise targeting, eg using twitter
08:40:30 Adblock if have enough memory
08:40:46 cookiemonster also worth using
08:41:04 Can also try tor/tails when browsing the web
08:41:26 Some issues since history forgotten
08:41:38 #topic local attacks
08:41:42 use screen saver
08:41:48 lock on idle
08:42:29 do not forget tty
08:42:42 use bash variable TMOUT for timeout
08:43:06 use sudo security - credentials should expire after some time
08:43:13 disable ptrace
08:43:40 can use YAMA module to disable
08:43:59 #topic SSH security
08:44:07 put a password on the key
08:44:18 use sshagent to not type in key all the time
08:44:23 do not use sshagent
08:44:31 #delete
08:44:39 do not use sshagent forwarding
08:44:52 use a different key for each device
08:45:00 change key on regular basis
08:45:16 automate key changing if can do this
08:45:33 store key on smartcard
08:46:01 Can use yubikey
08:46:20 can also store on TPM, eg using simple-tpm-pk11
08:47:25 confused deputy issue - someone else using your credentials
08:47:33 audit, audit and audit again
08:47:42 store audit on a different server
08:47:57 make it hard or slow to clean or delete logs
08:48:05 using machine learning on events
08:48:39 #topic data
08:48:43 make backups
08:48:47 encrypt data
08:49:30 using an intrusion detection system such as bro or snort
08:49:47 try aide or tripwire
08:49:56 use a readonly filesystem
08:50:01 try ostree
08:50:08 use logwatch on laptop
08:50:22 do not run sshd on laptop; if need to, use logwatch
08:50:26 #conclusion
08:50:37 Thanks for attending
08:50:43 #topic questions
08:50:53 Thoughts on password manager?
08:51:16 Cannot recommend a password manager, but suggests FOSS software that is local
08:52:06 Use trusted components, eg git and gpg
08:52:26 Progress in this area still needed, in particular for usability
08:53:27 look at systemd
08:54:02 contact by irc misc@irc or misc@redhat.com or misc@zarb.org
08:54:11 no twitter, facebook or linkedin
08:54:19 #endmeeting