Risk Management

Keeping yourself secure online and off can be confusing and tedious, but it is necessary. Keeping a secure platform is a process of patience, and through thoughtful planning and auditing you can build a full risk report. When it comes down to the bare bones of security, most find it is not about the tools you use. It begins with understanding the systems you use, the unique threats you face, and how you can counter those threats. In computer security, threat modeling and risk management is the process of finding the potential events that could undermine your efforts to defend your system. You counter the threats you face by determining what you need to protect and from whom you need to protect it.

Here is a breakdown of a threat model, or how to audit and assess your risks. To start, let us look at a basic What/Who/How flow.

  • What do I have that is worth protecting?
  • Who do I want to protect it from?
  • How likely is it that I will need to protect it?
  • How bad are the consequences if I fail?
  • How much trouble am I willing to go through to prevent these consequences?

    Once completed you can gauge what kind of security you are going to need. The purpose of this is to create a necessary amount of security based on the amount of risk: high risk, high security. Written out in full, the questions are:

  • What do I want to protect?
  • Who do I want to protect it from?
  • How bad are the consequences if I fail?
  • How likely is it that I will need to protect it?
  • How much trouble am I willing to go through to try to prevent potential consequences?

    Keep in mind your model can change as your situation changes. Create your own threat model based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it is still relevant to your situation.
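    The answers to the questions above can be scored so that the assets needing the most protection rise to the top. The following is an added example, not part of the original post: it uses an assumed 1 (low) to 5 (high) scale for likelihood and impact, scores each asset as likelihood times impact, and maps the score to a high/medium/low effort level. The assets, adversaries and thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): rank a threat model as a simple
# risk matrix. Scales are an assumption: likelihood and impact each run from
# 1 (low) to 5 (high); score = likelihood * impact.

# Map a score to the amount of security effort it justifies (thresholds assumed).
risk_level() {
    score=$1
    if [ "$score" -ge 15 ]; then echo high
    elif [ "$score" -ge 6 ]; then echo medium
    else echo low
    fi
}

# Constructed sample threat model, one entry per line:
# asset|adversary|likelihood|impact
sample_model() {
    cat <<'EOF'
laptop disk contents|thief who takes the laptop|3|5
email account|phishing crew|4|4
home router config|opportunistic scanner|2|2
EOF
}

# Rank a model read from stdin by score, highest first, and add the level.
# Output: score|level|asset|adversary
rank_threats() {
    awk -F'|' -v OFS='|' '{ print $3 * $4, $1, $2 }' |
    sort -t'|' -k1,1nr |
    while IFS='|' read -r score asset adversary; do
        echo "$score|$(risk_level "$score")|$asset|$adversary"
    done
}

# Convenience: the asset that should get attention first.
top_asset() {
    sample_model | rank_threats | head -n 1 | cut -d'|' -f3
}

sample_model | rank_threats
```

    Replace sample_model with your own answers; the "high" rows are where the hardening sections that follow should be applied first, and rerunning the script on your review date shows what has shifted.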
    Security Hardening

    BIOS Security

  • Coreboot https://www.coreboot.org/
  • Libreboot https://libreboot.org
  • Pre-Compiled Libreboot ROMS https://mirror.math.princeton.edu/pub/libreboot/
  • Virtual Private Networks https://openvpn.net/ https://torguard.net/
  • WebRTC Detection https://ipleak.net/
    File-system Encryption

    File-system stacked level encryption

  • eCryptfs https://launchpad.net/ecryptfs

    A cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file is decrypted with the proper key in the Linux kernel keyring. This solution is widely used: as the basis for Ubuntu's Encrypted Home Directory, natively within Google's ChromeOS, and transparently embedded in several network attached storage (NAS) devices.

  • EncFS http://www.arg0.net/encfs

    An encrypted file-system in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the file-system interface. EncFS is open source software, licensed under the GPL.

    Block device level encryption

  • Loop-AES https://sourceforge.net/projects/loop-aes/

    Fast and transparent file system and swap encryption package for Linux. No source code changes to the Linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.

  • VeraCrypt https://www.veracrypt.fr/en/Home.html

    Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux, based on the TrueCrypt codebase.

  • dm-crypt+LUKS https://gitlab.com/cryptsetup/cryptsetup

    dm-crypt is a transparent disk encryption subsystem in the Linux kernel (2.6 and later) and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.

    RAM Disk

  • https://www.techrepublic.com/article/how-to-use-a-ramdisk-on-linux/
  • https://www.howtoforge.com/storing-files-directories-in-memory-with-tmpfs
    Malware Detection

    ClamAV Daily Scans (Debian/Ubuntu)

  • Install ClamAV and a tool to send email notifications: apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx
  • Make sure the virus definitions are kept updated by the freshclam service (the service name is lowercase): service clamav-freshclam start
  • To do a manual update of the virus definitions: freshclam -v
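    The "daily scan" part is left to the reader above, so here is an added example of the job itself; it is not code from the original post or from the ClamAV project. It assumes clamscan and the mailx from heirloom-mailx are installed as described, that clamav-freshclam keeps the signatures current, and it uses assumed values for the scan directory, log path and alert recipient. The scan summary samples are constructed so the parsing can be exercised without a scanner.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-style daily ClamAV scan
# that mails the report only when something needs a human. Paths, recipient
# and scan target below are assumptions; adjust them for your host.

SCAN_DIR="${SCAN_DIR:-/home}"
LOG_FILE="${LOG_FILE:-/var/log/clamav/daily-scan.log}"
ALERT_TO="${ALERT_TO:-root@localhost}"

# Extract N from the "Infected files: N" line of a clamscan summary read on
# stdin. Prints "unknown" when the line is absent, which happens when a scan
# was interrupted, so a truncated log is never mistaken for a clean one.
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9]*\)$/\1/p' | head -n 1)
    if [ -n "$n" ]; then echo "$n"; else echo unknown; fi
}

# True (exit 0) for anything other than a complete, clean scan.
needs_alert() {
    [ "$1" != 0 ]
}

# Constructed samples of clamscan's summary block, for offline testing only.
sample_clean_summary() {
    cat <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 120
Scanned files: 4321
Infected files: 0
Data scanned: 512.00 MB
Time: 60.123 sec (1 m 0 s)
EOF
}

sample_infected_summary() {
    cat <<'EOF'
/home/user/Downloads/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Scanned files: 10
Infected files: 1
EOF
}

# The daily job: scan recursively (-r), list only infected files (-i), keep the
# full report in the log, and mail it when the count is not a clean zero.
# Signature updates are left to the clamav-freshclam service started above.
daily_scan() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 2; }
    rc=0
    clamscan -r -i "$SCAN_DIR" > "$LOG_FILE" 2>&1 || rc=$?   # 0 clean, 1 infected, 2 error
    count=$(infected_count < "$LOG_FILE")
    if needs_alert "$count"; then
        mailx -s "ClamAV: $count infected file(s) on $(hostname), exit $rc" "$ALERT_TO" < "$LOG_FILE"
    fi
    return "$rc"
}
```

    Drop the script into /etc/cron.daily (executable, no file extension) so the scan runs alongside the freshclam service; an empty mailbox then means "scanned and clean", while a mail arrives for infections and for scans that did not finish.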

    Malware/Rootkit Protection

  • chkrootkit - Linux Rootkit Scanner apt-get install chkrootkit
  • Lynis - Universal Security Auditing Tool and Rootkit Scanner https://cisofy.com/download/lynis/
    Firewall Security

    IP Tables

  • https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linuxfirewall/
  • https://www.booleanworld.com/depth-guide-iptables-linux-firewall/
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-a-basic-iptablesfirewall-on-centos-6
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-usingiptables-on-ubuntu-14-04
    UFW (Debian/Ubuntu)

    UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.

  • Install UFW: sudo apt-get install ufw
  • Using IPv6 with UFW: open the defaults file with sudo nano /etc/default/ufw and make sure the value of IPV6 is set to yes
  • Check UFW status and rules: sudo ufw status verbose
  • Set up default policies:
  • sudo ufw default deny incoming
  • sudo ufw default allow outgoing
  • Enable UFW: sudo ufw enable
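    The steps above as one repeatable script, added here as an example rather than taken from the original post or from the UFW project. The defaults-file path is a parameter so the IPV6 edit can be tried on a copy; on a real host pass /etc/default/ufw and run as root. The ssh allow rule is an assumption for hosts administered remotely, since a default-deny policy otherwise locks you out.

```shell
#!/bin/sh
# Added example (not from the original post): the UFW setup as an idempotent
# script. ufw_setting, enable_ufw_ipv6 and apply_ufw_policy are names chosen
# here, not UFW commands.

# Read the value of KEY from a shell-style KEY=value file such as /etc/default/ufw.
ufw_setting() {
    file=$1; key=$2
    sed -n "s/^${key}=//p" "$file" | tail -n 1
}

# Set IPV6=yes in the given defaults file, replacing an existing IPV6= line or
# appending one if the key is missing. Writes via a temp file so a partial
# write never leaves the config empty. Safe to run repeatedly.
enable_ufw_ipv6() {
    file=$1
    if grep -q '^IPV6=' "$file"; then
        sed 's/^IPV6=.*/IPV6=yes/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo 'IPV6=yes' >> "$file"
    fi
}

# Apply default-deny inbound / allow outbound and enable the firewall.
# Only runs where ufw exists. Set ALLOW_SSH=no when the host is local only.
apply_ufw_policy() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 2; }
    ufw default deny incoming
    ufw default allow outgoing
    if [ "${ALLOW_SSH:-yes}" = yes ]; then
        ufw allow ssh      # keep remote administration reachable (assumption)
    fi
    ufw --force enable     # --force skips the interactive confirmation
    ufw status verbose
}

# Usage on a host: enable_ufw_ipv6 /etc/default/ufw && apply_ufw_policy
```

    The defaults file is edited before enabling because UFW reads IPV6 at enable time; running the script twice leaves exactly one IPV6= line and the same policies in place.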
    Security Modules

    AppArmor

  • https://help.ubuntu.com/lts/serverguide/apparmor.html
  • https://wiki.archlinux.org/index.php/AppArmor
  • https://debian-handbook.info/browse/stable/sect.apparmor.html
    SELinux

  • https://wiki.centos.org/HowTos/SELinux
  • https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-oncentos-7-part-1-basic-concepts
  • https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-oncentos-7-part-2-files-and-processes
  • https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-oncentos-7-part-3-users
    Misc

  • Disable USB Storage https://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/
    Spectre / Meltdown Check

  • https://github.com/speed47/spectre-meltdown-checker
  • https://www.cyberciti.biz/faq/patch-spectre-vulnerability-cve-2017-5753-cve-20175715-linux
    Generate Random Passwords Using the Terminal

  • Hashes the current Unix time with sha256sum (not md5), runs the hash through base64, and then outputs the first 32 characters:

    date +%s | sha256sum | base64 | head -c 32 ; echo

  • Uses the built-in /dev/urandom device and filters out only characters that you would normally use in a password, then outputs the first 32 (or the count given as the first script argument):

    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;

  • This one works a lot like the other urandom one, but just does the work in reverse. The character class is quoted so the shell does not treat the brackets as a glob:

    tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1

  • Filters using the strings command, which outputs printable strings from a file, in this case the urandom device. The newline passed to tr must be quoted; unquoted, the shell turns \n into a plain n and tr would delete the letter n instead of the line breaks:

    strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 30 | tr -d '\n'; echo

  • Here is an even simpler version of the urandom one:

    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c6

  • This one uses the dd command:

    dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev

  • The easiest way to make a password from the command line:

    date | md5sum
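    The recipes above differ a lot in strength, so here is an added example (not from the original post) that puts the /dev/urandom approach into one function with an explicit character class and adds the arithmetic for judging each recipe. gen_password, entropy_bits and timestamp_bits are names chosen here. The entropy estimate assumes every character is drawn uniformly from the class, which holds for the urandom-plus-tr filters; for the date-based recipes the only secret is the timestamp, and hashing it does not add randomness, so timestamp_bits gives their upper bound instead.

```shell
#!/bin/sh
# Added example (not from the original post): urandom-based generation with an
# explicit character class, plus strength estimates for the one-liners above.

# Generate LEN characters from CLASS (a tr character class; default is
# alphanumeric plus _ and -). tr -dc deletes everything outside the class and
# head stops the unbounded stream at LEN characters. LC_ALL=C keeps tr byte-wise.
gen_password() {
    len=${1:-32}
    class=${2:-'A-Za-z0-9_-'}
    LC_ALL=C tr -dc "$class" < /dev/urandom | head -c "$len"
    echo
}

# Bits of entropy for LEN characters chosen uniformly from SIZE symbols:
# LEN * log2(SIZE), rounded down to a whole bit (awk's log is natural log).
entropy_bits() {
    awk -v len="$1" -v size="$2" 'BEGIN { printf "%d\n", len * log(size) / log(2) }'
}

# Upper bound for a password derived from the current time: at one-second
# resolution over a window of DAYS days there are only DAYS*86400 candidates,
# however the timestamp is hashed afterwards.
timestamp_bits() {
    awk -v days="$1" 'BEGIN { printf "%d\n", log(days * 86400) / log(2) }'
}

# Constructed comparison for the reader (numbers are computed, not quoted):
#   32 alphanumeric chars (62 symbols) -> entropy_bits 32 62
#   6 chars from the same class         -> entropy_bits 6 62
#   date | md5sum, time known to a year -> timestamp_bits 365
gen_password 32
```

    Run gen_password with a length of 16 or more for anything that matters; entropy_bits 6 62 shows why the six-character variant is only suitable as a throwaway, and timestamp_bits 365 shows that a date-derived password is far weaker than its 32 hex digits suggest.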
  • Secure Delete and Test Recovery https://github.com/gordonrs/thc-secure-delete https://github.com/cgsecurity/testdisk
  • Anonymity Network https://www.torproject.org/
  • Email Encryption https://www.openpgp.org/software/
    An Introduction to BIOS and BIOS Security

    The Basics

    The Basic Input Output System is a pivotal set of hardware routines stored on selected chips on the motherboard. This chip is an intermediary between a computer's hardware and its operating system, and in turn the BIOS acts as the chip's operating system. Without the BIOS, the PC's operating system would have no way to communicate with, or take control of, the hardware in a system. Each motherboard and manufacturer utilizes a different BIOS, and this can cause trouble for those looking to tinker with and fully involve themselves in every aspect of their system. A fair warning that changing a system's BIOS settings without foresight can cause your system to malfunction. If this were to happen then a BIOS reset will need to be done to return to the factory settings. Many office-level manufacturers like Dell limit the options available to the user in the BIOS. Most systems on boot briefly display a message describing how you can enter the program where BIOS settings are adjusted. On most systems the F1, F2, F11 or F12 key will allow you to enter the setup menu.

    Security Basics

    The security section of the BIOS is used to keep unauthorized people from making any changes to the BIOS.

  • Security Option - This feature lets you password-protect the BIOS. It can also be set to require a password for the PC to boot up.
  • Supervisor Password - When a Supervisor Password is set, a password is required to enter the BIOS after you choose setup.
  • Set User Password - A password assigned to users is required to boot the PC, and if a Supervisor Password has also been set, permits the user to adjust only the date and time in the BIOS.

    Keeping your BIOS Secure and Ethical

    A 100% Libre BIOS, or in the case of Coreboot a 99% Libre one. As mentioned previously, when using Libre software you in return become more secure and ethical, because, as the name implies, Libre allows you to be free. So let's start with the why. Many manufacturers, and in turn users, use non-free boot firmware, even if they run an FSF approved GNU/Linux operating system. Non-free BIOS/UEFI firmware will often contain back-doors to your system that can allow government bodies and potential hackers into your system, such as the Spectre and Meltdown exploits via the Intel Management Engine. It can also be slow, have bugs, and leave you at the mercy of the developers, who in many cases will not correct any problems that occur and only release a brief disclaimer after the bugs have been found and widely abused.

    In contrast, Libreboot, for example, is fully free software, where anyone can contribute to or inspect the code to correct any and all underlying issues. Libreboot and Coreboot are faster in boot time, more secure than their proprietary contemporaries and more reliable than non-free firmware. Like standard BIOS options, they offer many advanced features, like encrypted boot. Both de-blob and release custom patches to all open-source projects, most of which are listed on their home sites.

    From this point I will be using Libreboot, due to it being sponsored by the FSF and due to the wonderful amount of documentation on their site. Supported devices for Libreboot can be found here: https://libreboot.org/docs/hardware/

    I will mainly, however, be listing the laptops from their site, as in my opinion laptops are the best means of being secure online due to their portability and affordability. I would recommend checking each model out on eBay so you can see how cheap these devices can be; many range from $50.00 to $200.00 depending on condition and hardware options.

  • ASUS Chromebook C201
  • Lenovo ThinkPad X60/X60s
  • Lenovo ThinkPad X60 Tablet
  • Lenovo ThinkPad T60
  • Lenovo ThinkPad x200
  • Lenovo ThinkPad R400
  • Lenovo ThinkPad T400
  • Lenovo ThinkPad T500
  • Lenovo ThinkPad W500
    And though I dislike all Apple devices due to their own ethics, a couple are also supported.

  • Apple MacBook1,1
  • Apple MacBook2,1
    Further reading, if this is the path for you, can be found here: https://libreboot.org/

  • https://en.wikipedia.org/wiki/Libreboot
  • https://www.coreboot.org/
  • https://en.wikipedia.org/wiki/Coreboot
    Secure Browsing

    Big brother is here and it is nothing new. Browser fingerprinting has been around, without any of us ever noticing, since the 20-aughts: JavaScript, browser identifiers, Internet Protocol addresses, even down to time-zone and font choices. This canvas of data can be collected both by individual sites you visit and by three-letter orgs with the means to blanket many sites, making mitigation tactics less useful to would-be paranoids like you and me. This huge advertising scheme allows parent companies to create a digital copy of you, a one-dimensional clone that is only your wants, likes, and dislikes, purging everything that is unprofitable and making a you that is for sale and will be sold.

    The research done by the Electronic Frontier Foundation https://panopticlick.eff.org/static/browser-uniqueness.pdf has provided much of the information I use today to build a list of identifier mitigations; I will also add some general good practices and system options. Step by step, let's go by layers, starting from the bottom, your browsing habits, and working our way up to your system.

    Cookies

    Cookies are small packets of text files that are stored on your computer; these packets contain certain data that may give websites information to improve the user experience or to remember previous sessions, allowing you to pick up where you left off. Every time you visit a website, your browser will download cookies if allowed. You can disallow cookies via your browser settings, either by blocking third-party cookies (everything besides the home site) or all cookies. I recommend blocking all cookies, though this may cause some issues on most high-traffic sites.

    Java Script and HTML5

    I am placing these two together due to the nature of both JS and HTML5. HTML5 is the coding language used to build websites, a platform much like JavaScript. It is the core fundamentals of every website, and this has allowed unique identifiers to be placed on the user by the site. In HTML5 there is an element called Canvas; canvas discerns certain data, such as the font, font size and active background information like screen size, based on the user's browser. This information serves as the unique fingerprint of every visitor. These can be blocked via the browser settings; you can follow the guide below to disable JS on most major browsers.

  • https://www.thewindowsclub.com/disable-javascript-chrome-ie-firefox-opera
    IP Address

    The easiest to track and sometimes the most difficult to stop, depending on your country and device. The "Internet Protocol Address" refers to a unique number that gets linked to all the online activity you do, like a return address on a letter you'd send out. A letter gets sent asking for information and then gets returned with said information. Disguising your IP can be done in several ways; unfortunately nothing can be done via your browser settings. Using a VPN, or Virtual Private Network, is widely considered the best option, though I have to disagree due to the amount of VPNs available, many of which are absolute garbage. Here, however, are some fairly... fair VPNs:

  • https://libreswan.org/
  • http://www.infradead.org/openconnect/
  • https://openvpn.net/
    Using Tor: I plan on going into a more in-depth methodology of Tor later. Here is a quick snippet: "The Tor Browser is a free software program that you download onto your computer that conceals your IP via entry nodes and exit nodes. These nodes are kind of like playing Telephone. You open with your IP, and as it goes through the nodes, all with their own IP, by the time it reaches the exit node, in theory and somewhat in practice, your IP should be completely hidden. This process is layered with encryption, which means your data is obscured by security and privacy protection." More can be found here: https://www.torproject.org/

    Meat-Space, your offline self and Geo-tracking

    Geo-tracking, put simply, is your location. Use an open Wi-Fi network like in a coffee shop or your local library and not your home. Living off grid when it comes to the Internet is frightening for most, including myself, but this is an excellent option as an IP address does not travel with you. So if you simply go to a coffee shop, library or hotel and use their Wi-Fi, you will temporarily hide your usual IP address. You will be using their network's IP address for as long as you are online on their network. Using all of these in conjunction can keep you secure, private, and safe from our advertising overlords. For further reading, and a list of the resources I used for this post, check out these sites: https://panopticlick.eff.org/

  • http://uniquemachine.org/
  • https://en.wikipedia.org/wiki/Device_fingerprint
  • https://w3c.github.io/fingerprinting-guidance/
  • https://wiki.mozilla.org/Fingerprinting
    Private Search Engines

    Though many browsers have a Private Browsing or Incognito mode, those only stop the browser from saving cookies and history; the browser and search engine can still track you. Your privacy can, however, be improved by using private search engines, search engines that do not store your queries or track your steps on the Internet. With plenty of options available, each using its own unique algorithms and search options, it may be hard to sort through them all to get the most secure and private options for us paranoids. Keep in mind this list is for function over form: they may not look great, but they certainly are functional. Let's start with some Libre options. Libre is the term for truly free software, as in GNU-Libre, or free as in freedom.

    YaCy https://yacy.net/en/index.html is a Libre engine with which anyone can build a search portal for their private network or for the Internet. When contributing to the world-wide peer network, the scale of YaCy is limited only by the number of users in the world, and it can index billions of web pages. YaCy is fully decentralized and peer-to-peer: all users of the search engine network are equal, the network does not store user search requests, and it is not possible for anyone to censor the content of the shared index. YaCy is true freedom when it comes to your searches.

    SearX https://searx.me is a Libre Internet meta engine which aggregates results from more than 70 search services. When using SearX you are neither tracked nor profiled. You can also use public instances or private instances of SearX, allowing your personal paranoia to take hold and establish your own private network of SearX.

  • Installation guides can be found here. https://github.com/asciimoo/searx/wiki/Searx-instances
  • https://asciimoo.github.io/searx/dev/install/installation.html#installation
    Though on a centralized platform, you can use SearX over Tor for online anonymity. If you are not a huge fan of tinkering and compiling, you can also check out these more user-friendly options.

    DuckDuckGo https://duckduckgo.com/ is probably one of the most well known and most full-featured engines available today. Available for major platforms like Firefox, Android, iOS, and more https://duckduckgo.com/app. DDG is quick and simple.

    StartPage https://www.startpage.com/ If you can't beat 'em, use 'em: StartPage pays Google to use their results, and in return StartPage removes all trackers and logs. What comes about is, in their own words, the world's best and most private search engine. This is great if you do not want to abandon Google results just yet and still want a full-featured search engine.

    Now, if these are still not wizard enough for you and you NEED to go full ArchMage, you can also try some of these Tor options as well. These are the onion URLs:

  • SearX http://searchb5a7tmimez.onion/
  • Duck Duck Go https://3g2upl4pq6kufc4m.onion/
    And an odd one...

  • Not Evil the anti-Google parody http://hss3uro2hsxfogfq.onion/
    Feel free to try these over Google or your other preferred tracking option.

    Live Persistence and You

    A secure method of maintaining a full system that is both portable and encrypted. Usually, on a live CD or live USB key, all modifications are discarded when you reboot, which is great if you save all your work to a separate hard drive. Persistence allows you to keep your preferences and data even after a reboot. GNU/Linux has this option available for all live-medium distributions. Today I will be showcasing some of my personal favorite distributions to use live persistence with. First off, allow me to ramble about the benefits, the why.

  • Portability - The ability to keep a full system available to you is a benefit when your laptop or desktop is not available to you, or when you want to keep a minimal setup and need to use public work-spaces such as a public library.
  • Security - Having your system on a portable drive such as a USB key gives you some immunity to most hardware-based attacks on your system and, depending on your personal use, protection against network attacks. Because your files are reset on exit, this prevents RATs and other malicious software from being installed on your GNU/Linux system. On top of this you can also encrypt your system to prevent write permissions on boot. This creates a fall-back method that allows you to continue to work without the fear of possibly losing your drive and having your files compromised.

    Some excellent distributions to start using an encrypted live system with are as follows. (Note: I am trying to exempt any distro that runs the systemd init system due to the security issues of a monolithic system like systemd.)

  • antiX/MX Linux https://antixlinux.com/ https://mxlinux.org/ antiX is a fast, lightweight and easy-to-install Linux live CD distribution based on the Debian "Stable" branch. The goal of antiX is to provide a light, but fully functional and flexible free operating system for both newcomers and experienced users of Linux. 256 MB of RAM is the recommended minimum for antiX. The installer needs a minimum of 2.7 GB of hard disk space. antiX can also be used as a fast-booting rescue CD, or run "live" on a USB stick, with or without persistent file storage. antiX runs solely off window managers to allow a low-dependency install and live environment. Though to some this may be an unwelcome change, you can easily adapt after an hour of playing inside the system.
  • MX Linux, a desktop-oriented Linux distribution based on the Debian "Stable" branch, is a cooperative venture between the antiX and former MEPIS Linux communities. It uses Xfce as the default desktop, which is familiar to those who prefer a traditional environment. It is a mid-weight operating system on install, about 1.5 GB for the ISO. MX is designed to combine an elegant and efficient desktop with simple configuration, high stability, solid performance and a medium-sized footprint. When I am out and away from home I tend to lean toward MX Linux for my travels, due to the wide range of tools available and its ease of use.
  • Kali Linux https://www.kali.org/ For security hobbyists and professionals this is a solid go-to tool for those interested in penetration testing. Kali Linux (formerly known as BackTrack) is a Debian-based distribution with a collection of security and forensics tools. It features timely security updates, support for the ARM architecture, a choice of four popular desktop environments, and seamless upgrades to newer versions. Designed to be booted from a live environment and removed after your work is done, you can maintain a collection of your own personal tools and updates, then save them on exit. Though I would recommend against using this distro as a daily driver, due to it running as root by default.
  • Heads/Tails https://heads.dyne.org/ https://tails.boum.org/ These options are more for the paranoid, security-focused user: booted only from live media, with encryption enabled. Heads is a privacy-focused Linux distribution designed to make it easy for users to access the Internet anonymously using the Tor network. Heads is based on Devuan and features only free (libre) software; the Linux kernel has had non-free blobs removed. This would be my recommended option for those who want to stay secure online in a red-team setting. The Amnesic Incognito Live System (Tails) is a Debian-based live DVD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including a web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymous. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace. This is the easiest to use of the two, due to your proprietary drivers being available on boot, making wireless interfaces available.

    Forensic GNU/Linux Distributions

  • Kali Linux https://www.kali.org/ Kali Linux (formerly known as BackTrack) is a Debian-based distribution with a collection of security and forensics tools. It features timely security updates, support for the ARM architecture, a choice of four popular desktop environments, and seamless upgrades to newer versions. Due to its documentation and community support this is the go-to for most CTF games.
  • Parrot https://www.parrotsec.org/ Parrot (formerly Parrot Security OS) is a Debian-based, security-oriented distribution featuring a collection of utilities designed for penetration testing, computer forensics, reverse engineering, hacking, privacy, anonymity and cryptography. The product, developed by Frozenbox, comes with MATE as the default desktop environment. Made more for the daily user, it can be used as a functional alternative to Kali.
  • Linux Kodachi https://www.digi77.com/linux-kodachi/ Linux Kodachi is a Debian-based distribution which can be run from a DVD or USB thumb drive. The distribution filters all network traffic through a VPN and the Tor network, obscuring the user's network location. The distribution attempts to clean up after itself, removing traces of its use from the computer. Similar to Tails/Heads, it runs from memory on USB with persistence. Its tools overlap with Kali and Parrot.
  • BlackArch Linux https://blackarch.org/ BlackArch Linux is an Arch Linux-based distribution designed for penetration testers and security researchers. It is supplied as a live DVD image that comes with several lightweight window managers, including Fluxbox, Openbox, Awesome and spectrwm. It ships with over a thousand specialist tools for penetration testing and forensic analysis. This is the overkill distro for power users: an 11 GB install and live environment, the largest distro by far, with more updates on boot. Be prepared to kill 24 hours before any CTF games. Use at your own risk; due to the volatility of Arch-based installs, it may be prone to breakage.
  • Pentoo Linux https://www.pentoo.ch/ Pentoo is a Gentoo-based Linux live CD with a selection of applications and tools designed to perform penetration testing. This distro is the most kernel-hardened in the list, making it by far the most secure for CTF games. However, it is prone to bugs and is intended for terminal use without the need for GUIs. It is recommended for experienced users and those who want an obscure distro compiled from source for their CTF games.