Security For The Paranoid User

Risk Management

An attempt to keep yourself secure online and off can be confusing and tedious but it is necessary. Keeping a secure platform is a process of patience, and through thoughtful planning and auditing, you can create a full risk report. When it comes down to the bare bones of security, most find it is not about the tools you use. It begins with understanding of the systems you use and the unique threats you face and how you can counter those threats. The process of threat modeling and risk management in computer security, is a finding a potential event that could undermine your efforts to defend your system. You can counter the threats you face by determining what you need to protect and from whom you need to protect it.

Here is a breakdown of a threat model or how to take audit and assess your risks. To start let us look at a basic What/Who/How flow.

Security Hardening

BIOS Security

File-system Encryption

File-system stacked level encryption

Block device level encryption

RAM Disk

Mal-ware Detection

Malware/Rootkit Protection

Firewall Security

Security Modules

Misc


An Introduction to BIOS and BIOS Security

The Basics

The Basic Input Output System is a pivotal set of stored on selected chips on the motherboard. This an intermediary between a computers hardware and BIOS, the PCs operating system would have no way control of, the hardware routines in a System, which is chip and in turn the BIOS acts as its operating system. Without the to communicate with, or take each motherboard and manufacturer utilizes a different BIOS and this can cause trouble for those looking to tinker with and fully involve themselves in every aspect of their system. A fair warning that changing a systems BIOS settings without foresight can cause your system to malfunction. If this were to happen then a BIOS reset will need to be done to return to the factory settings. Many office level manufacturers like Dell limit the options available to the user in the BIOS. Most systems on boot briefly display a message describing how you can enter the program where BIOS settings are adjusted. On most systems the F1, F2, F11 or F12 will allow you to enter the setup menu.

Security Basics

The security section of the BIOS is used to keep unauthorized people from making any changes to the BIOS.

Keeping your BIOS Secure and Ethical

A 100% Libre or in the case of Coreboot 99% Libre BIOS. As mentioned previously that when using Libre software, you in return become more Secure and Ethical. Because as the name implies Libre allows you to be free. So lets start with the Why? Many manufacturers and in turn users use non-free boot firmware. Which even if they use a FSF approved GNU/Linux operating system. A Non-free BIOS/UEFI firmware will often contain back-doors to your system that can allow government bodies and potential hackers into your system such as the Spectre and Meltdown exploits via the Intel Management Engine. It can also be slow, have bugs, and you are left to the mercy of the developers, which in many cases will not correct any problems that occur and only release a brief disclaimer after the bugs have been found and widely abused.

In contrast, Libreboot, for example is fully free software, where anyone can contribute or inspect their code to correct any and all underlying issues. Libre/Core are faster in boot time, more secure than their proprietary contemporaries and more reliable than the non-free firmware. Like standard BIOS options, Libre/Core offer many advanced features, like encrypted boot. Libre/Core De-blob and release custom patches to all open-source projects most listed on their home sites.

Now I will be from this point using Libreboot due to it being sponsored by the FSF and due to the wonderful amount of documentation on their site. Supported devices for Libreboot can be found here. https://libreboot.org/docs/hardware/

I will mainly however be listing the Laptops from their site, as in my opinion Laptops are best means of being secure online due to their portability and affordability. I would recommend checking each model out on Ebay so you can see how cheap these devices can be, many range from $50.00 to $200.00 pending on condition and hardware options.

And though I dislike all Apple devices due to their own ethics, a couple are also supported.

Further reading if this is the path for you can be found here https://libreboot.org/

Secure Browsing

Big brother is here and it is nothing new. Browser fingerprinting has been around without any of is ever noticing since the 20-aughts. Java-Script, Browser Identifiers, Internet Protocol Addresses, Even down to Time-Zone and Font choices. This canvas of data can be collected by both individual sites you visit or 3 letter Orgs with the means to blanket many sites to make mitigation tactics less useful to those would be Paranoids like You and Me. This huge advertising scheme to allows parent companies to create a digital copy of you, a 1 dimensional clone that is only your wants, likes, and dislikes. Purging everything that is unprofitable, making a you that is for sale and will be sold.

With the research done by the Electronic Frontier Foundation https://panopticlick.eff.org/static/browser-uniqueness.pdf

They have provided much of the information I use today to provide a list of Identifier Mitigation, I will also add some general good practices and System options. Step by Step, lets go by layers. Starting from the bottom. Your browsing habits and work our way up to your system.

Cookies

Cookies are small packets of text files that are stored on your computer, these packets contain certain data that may give websites information to improve the user experience or to remember previous sessions allowing you to pick up where you left off. Every time you visit a website, your browser will download cookies if allowed.You can disallow cookies via your browser settings. Either by clocking 3rd party cookies (Everything beside the home site) or all cookies. I recommend all cookies though this may cause some issues on most high traffic sites.

Java Script and HTML5

I am placing these two together due to the nature of both JS and HTML5. HTML5 is the coding language used to build websites, a platform much like Java Script. It is the core fundamentals of every website and this allowed unique identifiers to be placed on the user from the site. In HTML5 , there is an element which is called Canvas, canvas discerns certain data, such as the font, font size and active background information like screen size based on the browser of the user. This information serves as the unique fingerprint of every visitor. These can be blocked via the browser settings, you can follow the following to disable JS on most major browsers.

  • https://www.thewindowsclub.com/disable-javascript-chrome-ie-firefox-opera
  • IP Address

    The easiest to track and sometimes the most difficult to stop depending on your country and device. The "Internet Protocol Address" part refers to a unique number that gets linked to all online activity you do like a return address on a letter youd send out. A letter gets send asking for information and then gets returned with said information. Disguising your IP can be done in several ways, unfortunately nothing can be done via your browser settings. Using a VPN or Virtual Private Network this is widely considered the best option though I have to disagree due to the amount of VPNs available and many of them are absolute garbage. Here however are some fairly...fair VPNs

    Using Tor, now I plan on going into a more in depth methodology of Tor. Here is a quick snippet. "The Tor Browser is a free software program that you download onto your computer that conceals your IP via Entry Nodes and Exit Nodes. These nodes are kinda like playing Telephone. You open with you IP, and as it goes through the Nodes, all with their own IP, by the time it reaches the Exit Node, in theory and somewhat in practice, your IP should be completely hidden. This process is layered with encryption, which means your data is obscured by security and privacy protection." More can be found here. https://www.torproject.org/

    Meat-Space, your offline self and Geo-tracking

    Geo-tracking, put simply is your location. Use an Open Wifi network like in a Coffee Shop or your Local Library and not your home. Living off grid when it comes to Internet is frightening for most including myself. But this is an excellent option as an IP address does not travel with you. So if you simply go to a coffee shop, library or hotel and use their Wi-Fi, you will temporarily hide your usual IP address. You will be using their networks IP address for as long as you are online on their network. Using all of these in conjunction can keep you secure, private, and safe from our advertising overlords. For further reading and a list of resources I used for this post check these sites out here. https://panopticlick.eff.org/

    Private Search Engines

    Though many browsers have the ability for a Private Browsing mode or Incognito Mode, those only protect you from saving cookies and history. However the browser and search engine method still can track you. However your privacy can be improved with the implementation of Private Search Engines, the search engines that do not store your queries or track your steps on the Internet. With plenty of options available and each using their own unique algorithms and search options it may be hard to sort through them all to get the most secure and private options for us Paranoids. Though keep in mind this list is for function over form. They may not look great but they certainly are functional. Lets start with some Libre Options. Libre is the term for Truly Free Software as in GNU-Libre or Free as in Freedom.

    Feel free to try these over Google or your other preferred tracking option.

    Live Persistence and You

    A secure method of maintaining a full system that is both portable and encrypted. Usually, on a live CD or Live USB key, all modifications are discarded when you reboot. Which is great if you save all your work to a separate hard-drive. The persistence allows you to keep your preferences and data even after reboot. GNU/Linux has this option available for all Live medium distributions. Today I will be showcasing some of my personal favorite distributions to use Live-Persistence with. First off allow me to ramble about the benefits of the why.

    Some excellent distributions to start using a encrypted live system with are as follows. (Note I am trying to exempt any distro that runs the systemd init system due to security issues of a monolithic system like systemd.)

    Forensic GNU/Linux Distributions