Wikileak documents show Governments couldn't penetrate Comodo Internet Security

Discussion in 'privacy technology' started by blacknight, Nov 28, 2014.

  1. 142395

    142395 Guest

    Since some home UTMs such as Sophos support VPN, I think you can set up a VPN server in your home network, connect to it from a mobile device anywhere, and use it as a security gateway.
     
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I just get the feeling though that noone_particular's setup is probably better than what Linux could offer him right now. Better to trust a devil you know (and spent years working on) than a whole new system.

    But on the subject of just learning new stuff to tinker with, nah, you can't go wrong with learning on the open source type of stuff. You'd be stunting your growth to never try to pick up some of it. Till you do, or till you're ready, again, the system you know inside and out is going to be the one to bank on.
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well indeed it might be - if a person could get it all to work with distro X without spending the rest of their life on it. Seriously, I've been around over many years, and I've found this simply too much work for "trivial" things. Yes, I could get it to work, but even getting basic AppArmor profiles to work on popular browsers requires tuning a low-level config file. By contrast, with all the deficiencies of its OS, Sandboxie (which I kind-of see as an equivalent though not exactly) - does a lot without any config, and repays fairly simple configuration changes.

    I think what I'm saying is that I want a distro that has GRSecurity/PaX and AppArmor for all main apps built in - ideally with configurations provided by the app developers, plus a front-end to tweak to personal requirements. It's interesting that Android is going down the RBAC (SELinux) path faster than the main desktop distros.

    In the meantime, I rely more on disposable/snapshotable VMs.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, me too.

    I also have a machine with no installed drives, just a 2.5" drive dock. I'm using a bunch of 120 GB SSDs, rather like Zip drives. Some are project-focused. Others are for impromptu use, at various security/risk levels. All are FDE, of course.
     
  5. x942

    x942 Guest

    Okay, this is going to be a bit of a long reply because I got so many responses.

    @mirimir - I have never used pfSense or any UTM in a VM. I have always used physical hardware for it. There shouldn't be any real issue security-wise. Performance may suffer though. I run my pfSense box on an old computer that had dual NICs. Any old hardware with two Ethernet ports (or one USB Ethernet adaptor) will work fine. I am going to buy a rackmount unit soon though.


    @noone_particular - It's actually super easy to configure a basic GRSecurity kernel now. All you have to do is be able to read, follow directions and use autoconfig. This works well on most "vanilla" distros (Debian/Arch/Fedora). The autoconfig will ask you a few basic questions and you are done. If you are worried about compatibility then choose "performance" over security when asked. GRSecurity works perfectly with any other MAC too. Use AppArmor if you are familiar with it, or SELinux. I will admit RBAC is hard to get a grasp on but a basic GRSec kernel is pretty easy these days.

    As for a firewall, if all you want is local then try out something like Douaneapp. I did a basic Google search and found 3 or 4 application-specific firewalls for Linux. I recommend a UTM because most personal routers do not get updated. Your perimeter should be protected from attacks. If your router is compromised the attacker can get access to your entire network. Something like pfSense is updated often and you can protect yourself with more than just a firewall (IDS/IPS, network AV, web filtering, etc.).

    With parent-child, you're looking for something like Defense+ on Windows? Like when Firefox wants to launch a PDF reader, a window will pop up and ask if you want to allow it?


    @142395 - HIDS are good. I recommend OSSEC and connecting it back to an OSSIM so you can store logs in one place, very useful if you have multiple computers on a network. The AV part, I was referring to Windows. AVs are basically useless these days; it takes no effort to bypass/avoid detection. This is why I say run it on your UTM. The AV will at least grab what it can detect there before it even hits your computer. This also will mean no performance hit on your computer. On Linux you are right, the last line of defense is the MAC (AppArmor/SELinux).

    GRSecurity has a Deny-New-USB setting. It can be enabled at run time via sysctl or at boot in the kernel. The latter is more secure but only devices plugged in during boot are allowed; once they are unplugged and plugged back in they are disabled until reboot. So this setting does block ANY USB: HID, storage, etc. Doesn't matter.

    @deBoetie - Again (I said this above) GRSecurity is as easy as being able to read and apply the patch. The AutoConfig makes it a breeze on most distros. Debian I find is the easiest. Arch and Fedora don't take much work either. Ubuntu I have never tried. Usually it takes 20 minutes to get a kernel compiled and running on Debian. Most of that time is spent waiting for it to compile. RBAC is the hardest part to learn, and you don't have to use it. RBAC works alongside any other MAC (AppArmor/SELinux/etc.) or you can just use the MAC and not even touch RBAC. RBAC is hard to learn as it is a very HIGH security system. So I understand most people will skip that part.

    Sandboxie is good. If you want a good UI for AppArmor, look at openSUSE; they have a great UI for it.

    Lastly, I am not saying this is the way for everyone. My comment is mostly about APTs and highly targeted attacks. You can build a VERY secure system, but ONLY if you want to. Remember the only secure system is the one YOU understand. So if you are a Windows guru and don't know Linux then Windows is going to be more secure as you know how to lock it down. This works vice-versa as well.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @x942
    For someone who has never messed with a Linux kernel, none of that is simple. Regarding the network firewall, I do have a perimeter firewall, Smoothwall. The PCs and the VOIP modem are behind it on 2 separate LANs with no traffic between LANs allowed. There are no routers or wireless devices on either LAN.

    This refers strictly to the software firewalls installed on individual PCs. On several occasions I've asked about a firewall for Linux that would be similar to Kerio 2.1.5 in abilities. The answers I've received run between "It's not needed" or "write one yourself", neither of which is much of an answer. IMO, tight control over internet traffic to/from individual applications and system components is necessary no matter what operating system is used. On this system for instance, all browser traffic including DNS is proxied through Proxomitron. There are no exceptions. There are 2 firewall rules for the browser. The first allows outbound traffic to 127.0.0.1, port 8080, the port Proxomitron listens on. The next rule blocks all other outbound traffic from the browser and alerts me if any is attempted. Not long ago, Kerio blocked and alerted me to the browser attempting to connect directly to a DNS server in spite of its being configured otherwise. I realize that this appears to be a browser proxy setting issue and that it should be fixed at the browser. That said, browsers will always have exploitable problems. In this instance, the firewall doesn't fix the problem, but it did mitigate it by making the bypass impossible. Will the available firewalls for Linux prevent such a bypass?
    I'm thinking of something like SSM. Never used Defense+ and have no idea of how similar it may be. Regarding parent-child, the example you give assumes that the user will be asked. Perhaps you remember this PDF exploit. Yes, this specific exploit was for Windows software. If that had been Linux or cross-platform software, what in Linux would have interrupted the sequence of events that made the exploit work? On Windows with SSM, there were several points at which the exploit could be defeated, starting with each application's ability to launch another and pass data to it. Yes, the best solution is fixing the vulnerability, but I'm looking for something more proactive that can deal with it before it's patched. With potential adversaries now including governments and 3-letter agencies, such exploits could remain unfixed for a long time. On Windows, I've found that a tightly configured classic HIPS will defeat a lot of exploits, even when the initial intrusion succeeds. If I'm understanding you correctly, the only way to get an equivalent level of control is to compile the components into the kernel, then deal with a bunch of configuration files.
     
    Last edited: Dec 4, 2014
  7. x942

    x942 Guest

    That is why I said the best security is the system you know. The point I was making was, as the original article was talking about Government attacks and someone commented saying Linux is probably just as vulnerable, that Linux can be made insanely secure with just a little work. I am not saying that Linux is more secure for you, I am saying it can be set up to be more secure against targeted attacks. I don't know of any other OS that allows this type of flexibility. IF you are willing to put in the work, you can make Linux extremely secure.


    You can do this in Linux with iptables or even with Gufw if you want a GUI. I also posted another program up top that had the ability to ask if you wanted to allow or deny traffic. So yes, there are apps that do this on Linux. But why not do this at your perimeter instead? If you have malware on your computer it is already compromised and could just disable or open a port on the firewall. If the firewall is a separate device it can't do this. I have never used Proxomitron but I am sure there is a way to implement the exact setup in Linux or at the Smoothwall layer. From what I read about the software it sounds like you could use any web filter and set up a transparent proxy to force all traffic through it.


    A comparable HIDS would be OSSEC. You can tie this in to a server for storing and viewing logs in a WebUI or keep it local. It will alert you if anything changes that shouldn't, and much more. The exploit you show, if run on a modern Linux OS, could have been stopped in a few ways; a well-configured MAC (AppArmor or SELinux) would have done just as well as SSM or any other HIDS. The issue with these security measures is simple. If the kernel is compromised (kernel exploit) so is the HIDS/MAC. Once you have a kernel exploit you can basically bypass a MAC or HIDS like SSM easily. That is where GRSecurity and PaX come in (and to a lesser extent EMET on Windows). Hardening the kernel not only prevents the exploit before it can even take effect, but it also reinforces the protections that a MAC gives you. A MAC or HIDS is only one layer, a good layer, but a layer that is completely broken once a kernel exploit is used. Preventing/mitigating exploits is the way to go. If you have a zero-day that works on Linux, for example, and try to run it on a GRSec kernel it will fail to run. That zero-day that you had? To get it to work against this kernel you are going to have to invest a ton more time and money to find a bypass.

    Again, I am not saying YOU should do this. I am just saying there are WAYS of doing this. I hope I am not coming across as attacking your opinion; your opinion is perfectly valid - and you are correct, if Windows is what you know then stick with it. Implement the security you understand. It is GOOD security. This is just an alternative, that points out some of the things you can do, and are lacking (exploit mitigation/kernel hardening). Things you may never need to worry about. Your threat model may be different than mine after all. :)
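Worked example, added here and not written by either poster: noone_particular's two Kerio rules (browser may reach only the local filtering proxy on 127.0.0.1:8080; everything else from the browser is blocked and alerted, including a direct DNS query) expressed as iptables rules on Linux, using the owner match so the policy applies only to the browser's user. The dedicated user name "browser", the chain name and the proxy address/port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-application egress control with iptables.
# Assumptions: the browser runs as a dedicated Unix user (constructed name "browser"),
# the filtering proxy listens on 127.0.0.1:8080, and the rules are applied as root.
# Pass "echo" instead of "iptables" to preview the rules without applying them.

BROWSER_USER="${BROWSER_USER:-browser}"
PROXY_ADDR="${PROXY_ADDR:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-8080}"
CHAIN="BROWSER_OUT"

browser_egress_rules() {
    ipt="${1:-iptables}"

    # A dedicated chain keeps the browser policy separate from the rest of OUTPUT.
    $ipt -N "$CHAIN" 2>/dev/null || $ipt -F "$CHAIN"

    # Rule 1: the browser may only open TCP connections to the local proxy.
    $ipt -A "$CHAIN" -o lo -p tcp -d "$PROXY_ADDR" --dport "$PROXY_PORT" -j ACCEPT

    # Rule 2: anything else the browser sends (e.g. a direct DNS query on port 53
    # that sidesteps the proxy setting) is logged, which is the "alert", then rejected.
    $ipt -A "$CHAIN" -m limit --limit 5/min -j LOG \
        --log-prefix "BROWSER-BYPASS: " --log-level 4
    $ipt -A "$CHAIN" -j REJECT --reject-with icmp-port-unreachable

    # Hook: only packets generated by the browser's user traverse the chain, so the
    # rest of the system (updates, the proxy itself) keeps its own egress policy.
    $ipt -C OUTPUT -m owner --uid-owner "$BROWSER_USER" -j "$CHAIN" 2>/dev/null ||
        $ipt -I OUTPUT 1 -m owner --uid-owner "$BROWSER_USER" -j "$CHAIN"
}

# Count the bypass attempts the kernel has logged (lines carrying the LOG prefix
# above); returns 0 when the log file is absent or unreadable.
count_bypass_alerts() {
    log="${1:-/var/log/kern.log}"
    if [ -r "$log" ]; then
        grep -c "BROWSER-BYPASS:" "$log" || true
    else
        echo 0
    fi
}

# Stand-alone use: "sh egress.sh apply" installs the rules; anything else previews.
if [ "${1:-preview}" = "apply" ]; then
    browser_egress_rules iptables
else
    browser_egress_rules echo
fi
```

Check the rules with `browser_egress_rules echo` before applying them, and watch `count_bypass_alerts` climb if the browser ever tries to go around the proxy.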
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I think there's a misunderstanding on what and where Proxomitron is. It's a web filtering proxy that runs on the same PC as the browser. It's not the same as the filters on perimeter firewalls. It's designed for Windows but will run on Linux via Wine. The best description I can think of would be that it's a separate freestanding application that's like NoScript but more powerful, and works with all web browsers (and other software) that can be proxied through it. This thread will give you an idea of its filtering abilities.

    It is clear that Linux is not a viable option for me at this time. Much of what you've posted regarding what's available for Linux reads like a foreign language to me. It would take a lot more time and initiative than I have to get to the point that I understood it well enough to trust it.
     
  9. 142395

    142395 Guest

    @x942
    Thanks for the reply; I didn't know either OSSEC or OSSIM. I agree about AV, so I said "I think most of them except last 2 (AA & iptables) are not effective against APT as well as Snort." though I could also add HIDS to the exceptions.

    Also thanks for clarifying about GRSec, now it's more fascinating for me.
    If a state-sponsored attacker really has to, then they will probably achieve it eventually. However in almost all cases there are more vulnerable points, especially in humans. If you really want to fight against such attacks, you have to harden all levels & entry points. Focusing only on everything on PC/mobile and network is doomed to failure.

    @noone_particular
    So you want a FW that recognises all apps on a per-application basis without any exception. I don't know of such a solution, but it seems what x942 posted (Douaneapp) does this?

    As to HIPS, it seems currently only HIDS is available, at least for home users. The difference is HIDS just warns, doesn't block (similar to WinPatrol), but a well-configured AA or SELinux will also block damage by most exploits as the last line.

    I recommend Privoxy for Linux because it is still under development and natively compatible with Linux (doesn't require Wine), though the rule format is different from Proxomitron's.

    I think the best benefit of choosing Linux is RBAC, strong MAC, and availability of kernel hardening patches (GRSec; PaX is also a kernel patch but this is more for common exploits). Windows will never implement them (what? EBAC & integrity level? lol)
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    "IF you are willing to put in the work, you can make Linux extremely secure"

    Well, I am willing to put in the work, it's more that I want it in productive areas. I'm really frustrated (and somewhat suspicious) that the kernel people are apparently complacent, and I simply don't buy the performance argument. After all, Google are implementing SELinux on Android.

    The threat model and risk has obviously changed, while the community reaction has not apparently done so. Maybe I have to be patient and it will take 5 years or something.
     
  11. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    What do you guys think about using FreeBSD or even better OpenBSD as protection against FinFisher-type malware? AFAIK, there's never been any of that sort of malware made for BSD, and likely very little malware of any kind has ever been written for BSD. I might be worried that the OS X version could possibly run due to the similarities between the systems, but I doubt that it's at all likely without modification...

    Beyond just the obscurity factor, BSD can be locked down very tight, with OpenBSD being probably the most secure OS there is out of the box.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've gone there at times ;)

    PC-BSD is easy to install and quite usable.
    http://distrowatch.com/table.php?distribution=pcbsd
     
  13. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Tried that in VBox before; it looked simpler to use even than Debian for me, but package management I would have to learn. I saw that it has built-in Linux compatibility, which means that any Linux program can run in it including spyware, defeating the entire purpose of going out of your way to use an obscure, difficult OS. I guess one advantage is that there are probably fewer zero-days for it than Ubuntu/Debian...
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, you could go with pure BSDs, but getting a non-Linux desktop would be nontrivial. Starting with OSX might be your best shot ;)
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    After all the discussion regarding Linux and "superior security", we see this.
    From the article:
    I stand by what I said in the first place. They can own Linux just like they can own Windows.
     
  16. 142395

    142395 Guest

    And this article suggests there are many more potential vulns in Linux. I also remember Linux was easily broken at Pwn2Own or a similar competition, not sure which competition it was though.

    But I agree with x942's opinion that Linux is highly customizable and can be hardened extremely; the fact that Windows has more security apps doesn't mean Windows can be more hardened, and as has already been mentioned Linux allows custom kernel security, RBAC and strong MAC.

    About BSD, maybe many of you remember this suspect.
     
    Last edited by a moderator: Dec 9, 2014
  17. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Nobody is arguing that simply using Linux out of the box makes you impervious to gov't attack, and avoiding zero-days is near impossible on any installed system. However, I think that you'd have a difficult time arguing that Windows can be locked down to the same extent that Linux can. SecureAPT alone makes tools like FinFly ISP largely irrelevant to Linux users; show me something similar in Windows.

    Anyhow, I think that although Linux maybe can't be made perfect, the answer lies not in Windows, but in live CDs and to a lesser extent alternative Unix systems.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Did you look at the list of victims?
    Do you really think all these were using linux "out of the box", unhardened, with no extra security measures in place?
    I made no such claim. I said, "I suspect that they can target and compromise linux almost as easily as they do Windows." The article confirms that they not only can compromise Linux, but have been doing so all along. The Linux community and developers have become too complacent, too self-assured. They need to get off this attitude that everything can be solved at the kernel and take a good long look at the rest of the system, starting with the attack surface.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My take is that one can over-emphasise the difficulty of compromising Linux. What we know is that criminal malware is being industrialised, and state actors are extremely well resourced, so the difficulty - to them - is not all that important. Once someone's developed the exploit once, it's distributed to a lot of applications. If you couple that with Quantum and targeted attacks, of course you can be compromised.

    I agree that Linux devs are complacent, or at least, are pursuing other agendas than the ones we are concerned with here. As usual, the quest for functionality and "looking good" is inevitably more interesting. And indeed, it pains me mightily that we are having to spend our valuable time on some of this basic graunch of securing systems where it could be far more baked-in (e.g. with PaX and RBAC). It's like the movies where the baddie runs off the cliff, and only some time later, looks down and then falls.

    On a practical note, I am using an alternative to LiveCD which is kind-of more functional and offers some of the same security benefits. If you take a pendrive Linux distro, you can open up the browser before visiting anywhere, and then remove the pendrive - the system runs in RAM and dies with the session. But if you want to update the distro or add software, then this can be done in a non-browsing session, and the results saved.

    I do worry that malware could both exfiltrate data from the (normally laptop) idle HDD, and worse, write nasty rootkits to it. So I think that the machine you run LiveCD from should not have an HDD in it at all.
     
  20. 142395

    142395 Guest

    I don't know whether those victims used strict MAC and other layered approaches, but for sure, what OS they use is not the important factor in such state-sponsored attacks, especially on the endpoint.
    The matter is more about people, policy, education, management, physical security, insider attacks, network perimeter, and log analysis.
    There's not much room to prevent such attacks at the endpoint, which should be considered the last line.
    Those ephemeral OSes are quite secure, but they have drawbacks other than convenience, i.e. we can't deploy a strong security configuration permanently unless we mess with the OS burned onto the CD/USB, and there are still attack vectors such as in-memory malware or BIOS rootkits.
    VMs with easy rollback address this somewhat, but again, the hypervisor or VM itself can have serious vulns, though I don't know of actual attacks except PoCs.
     
    Last edited by a moderator: Dec 9, 2014
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Agree, I'm fond of the VM route too, but believe that unknown hypervisor attacks probably exist and will be available to the well-resourced. But for the sophisticated multi-chain set of hosts/VPNs/firewalls that are needed for some things, including with snapshot, it's the only practical way to do it.

    The point about the ephemeral OSs for me is that, provided you use them for one purpose only in the session (for example, online banking and only going to that site), you're as safe as you're likely going to be. And at least with the pendrive approach you can have your system up-to-date and easily add software to it.
     
  22. 142395

    142395 Guest

    Except for physical intrusion & insider attack, which are not easy to protect against, seriously (in state-sponsored attacks).
    Ah, sorry, I have only used Ubuntu on CD so I misunderstood; so you can save permanent changes to an ephemeral OS on USB, though it also means an attacker can make permanent changes.
    But as you explained, it makes good sense if one uses it correctly.
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yes, the scope for the attacker is a limited window and would need to apply to the software update/distribution mechanism rather than the much more difficult (well, easier for the attacker!) general-purpose browsing/viewing problem.

    I find it very easy to use correctly because it is physical - no configuration needed, I just take the pendrive out! And the update is a very deliberate thing where I do no browsing or anything else. It's quite similar to how I manage snapshots in VMs and sometimes want to update them, same kind of logical procedure.
     
  24. 142395

    142395 Guest

    That reminded me of a malware (can't remember its name though) spread via hacking an official update (not about Opera, though that's also one case). I hope every repository has taken measures. In this case it's an official legitimate update so a sig check can't prevent that.
    I meant to use it only for a specific purpose; otherwise it will break the benefit.
    But that looks good! :thumb:
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That over-emphasizing is common with Linux and is getting common when the security of current versions of Windows is discussed. People keep bringing up the cost of an exploit. Cost means nothing to an adversary with nearly unlimited resources. The only ones cost hurts are the small fry who weren't much of a threat to start with. I find it interesting, and contradictory, when only the cost aspect is mentioned. The proper analysis should be cost vs benefit. When the benefit is
    the costs have been recovered many times over.
     