Tuesday, 10 June 2014

Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.

Securing your Ubuntu Desktop OS from intruders

Recently I have become interested in securing my laptop from predators such as hackers, thieves, and law enforcement.
To do this, I've explored various programs to run; and how to run them, without interrupting usability by the average user.

In this blog we'll be running through vectors of attacks that one could use to gain access to your unencrypted data.


Before starting, the following must be known:

1. The author of this article is currently running Ubuntu 14.04 LTS(Trusty), and all commands and patches work on it for the author. The author accepts no liability when it comes to these commands/patches being run by other users; this is purely informational.
2. It is assumed Full-Disk-Encryption is being used.
3. It is assumed your $HOME directory is encrypted using ecryptfs, with filenames encrypted. This can be checked using the command `ecryptfs-verify -h -e'
4. It is assumed you do not have the evil program called Java, or any of its counterparts like IcedTea, etc. installed.


When you're told to run the program 'Nano', you can use vim,vi,emacs, etc. Nano is purely the text editor that I use. To exit out of Nano, you press control-x.






FireWire attacks

Firewire has for awhile been known to allow attackers to gain access to a computer's Physical memor[RAM], and enable the attacker to grab the encryption key used for devices that are mounted.
The most obvious method of defeating this attack is by not compiling the kernel with any firewire modules included, but for the sake of this article, I'll include methods of mitigation. After all, some Ubuntu users probably wouldn't be able to compile their own kernel every update.

To mitigate the risks with firewire, we will disable them in a blacklist file in modprobe.d.

1. Open up /etc/modprobe.d/blacklist-firewire.conf by running `sudo nano /etc/modprobe.d/blacklist-firewire.conf'
2. Remove the contents(or comment everything out) and replace it with the following:
# Prevent automatic loading of firewire module(s).

blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394

blacklist firewire-ohci
blacklist firewire-sbp2
blacklist firewire-core
blacklist firewire-net
blacklist firewire-serial

# Prevent manual loading of firewire module(s).

install ohchi1394 false
install sbp2 false
install dv1394 false
install raw1394 false
install video1394 false

install firewire-ohci false
install firewire-sbp2 false
install firewire-core false
install firewire-net false
install firewire-serial false

This will 1. blacklist all the firewire modules from starting at boot, and 2. prevent loading of firewire through forceful techniques.

After doing this, you must run `sudo update-initramfs -k all -u' for it to take effect on next boot.





Hardening Firefox

 

The abilities of web-browsers are not only astounding, but also extremely vulnerable. With 0-day exploits being found for nearly everything, the bad guys are always looking for ways to exploit your browser.
Methods used to exploit browsers are usually split up into two parts: exploiting the actual browser, and exploiting addon(such as Adblock and Acrobat Reader).


Using the method I describe should mitigate most, if not all techniques involved in the exploitation of Firefox, and addons used.


Most services when installed create a user for themselves, where they cannot escape from without some sort of local root kernel exploit. Unlike services, firefox is normally run at the same permissions as the user running it, which entails an attacker to be able to gain the same permissions of the user. With access, an attacker could record the keystrokes of the user, and wait until they run 'sudo' to gain root access(or, god forbid, somebody has nopasswd enabled on their account.)

By creating a user specifically for firefox, we lock it into its own folder where it [shouldn't be able to] escape.



First off, we want to create our new user called 'firefox'.

1. Run 'sudo adduser --system --quiet --shell /bin/false --group --disabled-password --disabled-login firefox' in the terminal.



The commandline(and all references to) 'firefox' is a link to /usr/bin/firefox, which is just a launcher script, so we can move that to something like 'firefox-start'.

2. Run `sudo mv /usr/bin/firefox /usr/bin/firefox-start' in the terminal.

Now we want to recreate the firefox file, and make it execute as our 'firefox' user, with all of the parameters that it normally would.
To do this, we must make a script to be run when using the command 'firefox'.


We have two options here. We either make a very simple script to run Firefox as the 'firefox' user, or we use some X11 trickery.

The problem with the first, is that an experienced hacker could control all X11 activity. Including logging keystrokes, injecting keystrokes, taking screenshots, etc.

The problem with the second, is that extensions such as XRANDR will not work. Another highly problematic downside is that you cannot copy-and-paste from your browser into another application. You can copy-and-paste from other applications into the browser, but not the other way around. This makes it incredibly difficult if you want to copy, for example, a quote from Wikipedia into an email.

Due to not having a solution to this, I've decided to show you how to do both.

-----

Vulnerable Method


This method gives the reader a very easy way of doing things, and is probably OK for the average user.

Open up /usr/bin/firefox, which should now be an empty file, and place a script in it so it will run firefox was the user 'firefox'.
3[.1]. sudo nano /usr/bin/firefox
And enter the script:
#!/bin/bash
sudo -H -u firefox "/usr/bin/firefox-start" "$@"

The -H flag is used to tell the system that we want to set our home directory to /home/firefox/. -u is used to tell the system that we want to run the program as the user 'firefox', and the last two flags tell the system to run /usr/bin/firefox-start(the REAL firefox script) with the flags $@, which means it will run with whatever /usr/bin/firefox was run with.

We need to allow the 'firefox' user to access X, so we go to "System -> Preferences -> Startup Applications" and add a new startup program.
The name and comment is irrelevant, but the command should be this:
xhost +SI:localuser:firefox



-----

'Paranoid' Method

This method, as stated above, stops the user from copy-and-pasting from the browser into a different program. It is much more safe, and is considered secure.




3[.2]. Run `sudo nano /usr/bin/firefox', and put in..

#!/bin/bash

xa="/home/firefox/.Xauthority"

exec newgrp firefox <<-EOF

 if [ -e "$xa" ]; then
  if [ ! -r "$xa" ]; then
   rm -f "$xa"
  elif [ ! -w "$xa" ]; then
   mv "$xa" "$xa.tmp" && cp "$xa.tmp" "$xa" && rm -f "$xa.tmp" && chmod 660 "$xa"
  fi
 fi &&
 xauth -q -i -f "$xa" generate "$DISPLAY" . "untrusted" && chmod g+rw "$xa" &&
 sudo -H -u firefox XAUTHORITY="$xa" "/usr/bin/firefox-start" "$@"

EOF

This script will run every time you open up firefox.

Now we need to make the file executable.

[4]. Run `sudo chmod +x /usr/bin/firefox'.

 As you can see in the script, it relies on the usage of the 'newgrp' program being able to access the 'firefox' group. To do this, you must add yourself into the 'firefox' group.

[5]. Run `sudo useradd -a -G firefox $USER'.
This will add you into the group of 'firefox'.
You will now need to reboot to make this come into effect.


To allow changes to be made by groups, you must run a chmod command on the user folder.
[6]. Run `chmod -R g+rwxs ~firefox'

This allows anybody in the 'firefox' group is make changes in the /home/firefox/ directory.

-----


Now you can run 'firefox', and it'll run the browser as the user 'firefox', not as your user. Yay! We got most likely the hardest part finished.

Audio


I, like many of you probably do, like to play music in my browser. Whether it be through HTML5, or Flash. But since our new user 'firefox' isn't part of the 'audio' group, we must add ourselves to it.

[?]. Run `sudo usermod -a -G audio firefox'
Now with another reboot(or logout), audio should be able to be played.


Finally, due to multiple users using PULSE(your account, and then flash in the 'firefox' user), we have to set up 'firefox' to use a slave server, and your real user as the master.


First of all, we want to copy the default pulseaudio settings to your home directory.

[?]. Run `mkdir ~/.pulse/ ; cp /etc/pulse/default.pa ~/.pulse/'

Now edit it.

[?]. Run `nano ~/.pulse/default.pa'
Add to the bottom of the file: "load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1" and save.

And that's it. Firefox will automatically use use that as a master server, thus becoming a slave.

There are probably security implications to do with this, but they would be minor.(At most, listening to microphone, which I doubt anyways)



Addons

 Although mostly un-important, it might interest some people to install some addons in Firefox to enhance your browsing privacy.

These include:

Adblock Edge - Basically AdBlock without the whitelisted ads. Removes ads & unwanted elements on webpages. Recommend using https://www.fanboy.co.nz/ in conjunction too.
HTTPS-Everywhere - Trys to use HTTPS/SSL on webpages known to work with them.
BetterPrivacy - Handles long-term, non-HTTP cookies such as flash cookies.(In options, make sure 'Always ask' is unchecked.)
User Agent Switcher - Makes it possible for you to change your User-Agent to something else. Download http://techpatterns.com/downloads/firefox/useragentswitcher.xml and import it through the application in Firefox(Edit User-Agents).
Smart Referer - Only sets referrer if staying on the same page.

In the page "about:addons"(type it into your URL-bar), go to "Plugins", and make sure everything is set to "Ask to Activate".

In the page "about:config"(type it into your URL-bar), set geo.enabled to false(double click on it if it's true), set network.dns.disablePrefetch to true, set network.websocket.enabled to false,





MAC-Address

Although not necessarily a security risk, your MAC Address may be used for tracking, and later identification.

To do this, we use an interesting program called macchanger.
Macchanger, created by "Alvaro Lopez Ortega", is a program that quickly and easily spoofs your mac address.

Although a new and updated version of macchanger exists on Github, we'll be using the repository's version.

We actually need to install macchange. To do so:
1. Run `sudo apt-get install macchanger'



Although originally I wanted to set up a script to change the mac address every time you connected to a wireless network, I encountered a problem. The default network manager in Ubuntu, NetworkManager, deprecated pre-up, and post-down. The developers have said that they will not be bringing it back either. Interestingly, many of the commenters on the invalid bug-report page also inquire the removal, as they also were trying to use macchanger.

By creating an init script, we can make the program 'macchanger' run on boot.


1. Run `sudo nano /etc/init.d/changemac', and insert the following:

#!/bin/bash


# Disable the network devices
ifconfig eth0 down
ifconfig wlan0 down


# Spoof the mac addresses
/usr/bin/macchanger -a eth0
/usr/bin/macchanger -a wlan0


# Re-enable the devices
ifconfig eth0 up
ifconfig wlan0 up


exit 0


Make sure to make it executable(`sudo chmod +x /etc/init.d/changemac').
This script will, on boot, take down wlan0 and eth0, change their mac-addresses, and then bring them back up. If need be, edit eth0 and wlan0 for your respective names on your system.

We now must actually the script run on boot. This can be done by running 'update-rc.d'.
2. Run `sudo update-rc.d changemac defaults 10'

On each reboot, your mac address should change, without any implications in regard to connectivity.



Anti-Viruses

It's commonly said by in-experienced users of all distributions that Linux cannot get viruses(Mac users also say this). But in reality, they can get viruses, but it's rare.
As described here, many Linux Trojans/Viruses/Worms have been made, but with little success. Although there is little chance of actually getting one, it's considered a good gesture to others, for you to scan for viruses. -- "If you are going to trade files in a Windows world, you'll need to scan those files for viruses. You won't get infected, but you may help infect someone else."
i.e; You may forward an email through your email that contains a windows virus.

Some Windows viruses can also be run through Wine.

  
We'll be using ClamAV, an open-source anti-virus program.
We first have to install it.

1. Run `sudo apt-get install clamav clamtk clamav-daemon'

Once finished installing, we must update our 'AntiVirus definitions'.
  
2. Run `sudo freshclam'
This may take awhile.


ClamAV can be run in three ways: Manually in the terminal, manually through a GUI, or as a daemon.

I'm going to run it as a GUI.
It can be run as a GUI by opening the terminal and typing running `clamtk'.


When you open clamtk, you're showed options in regard to how you want to run ClamAV. It's very simple and needs no explanation. You can set up an automatic schedule for scanning in Advanced->Scheduler.


Originally, I wanted to make it so that Firefox would scan all downloaded files using ClamAV. I found the addon Fireclam which is a Firefox mod that scans downloaded files through ClamAV, and gives you a warning if it returns anything.  
The problem with it, is that on download, Firefox freezes for 3-5 seconds while the scan is actually going on. This is a huge inconvenience and to me makes it unusable. I'm keeping it up here purely to show that it exists. ClamAV can also be set-up with Thunderbird.



Note: ClamAV does _not_ delete any files. That's up to you. It purely notifies you to the existence. 



DNSCrypt

Something a lot of people don't realize is that DNS is completely unencrypted.
We're going to add encryption which will prevent spying.
To do this, we're going to use OpenDNS's DNSCrypt.

So, we want to download the current version, dnscrypt-proxy-1.4.0.
1. Run `sudo add-apt-repository ppa:shnatsel/dnscrypt'

2. Run `sudo apt-get update'

3. Run  `software-properties-gtk', go to "Other Software", and tick the source-code option for shnatsel/dnscrypt.


Now we want to confirm that the ppa is actually secure. To do this..

4. Run `sudo apt-get source --download-only dnscrypt-proxy'
Generate a SHA256 signature for the source.
5. Run `sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2'
Pull the official signature from the DNSCrypt website.
6. Run `dig +short +dnssec TXT dnscrypt-proxy-1.4.0.tar.bz2.download.dnscrypt.org'


Now compare the results. If they're the same, you're ready to go.


Now actually installing, and setting everything up.
7. Run `sudo apt-get install dnscrypt-proxy'

8. Run `nm-connection-editor', and edit your connection. Go to IPv4 Settings and select 'Automatic (DHCP) addresses only' for the "Method". In the DNS servers, set it to:
127.0.0.2

This will make it so that by default, 127.0.0.2 is used for DNS.

Due to a bug(?) in apparmor, you must run the following commands:

9. Run `sudo apt-get install apparmor-utils ; sudo aa-complain /etc/apparmor.d/usr.sbin.dnscrypt-proxy'

Now to setup dnscrypt, and make it start on startup.

10. Run `sudo nano /etc/init.d/dnscrypt' and put in:
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch the dnscrypt to communicate with OpenDNS
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"

dnscrypt_start()
{
    echo "Starting dnscrypt"
    dnscrypt-proxy -u nobody -R opendns --local-port=53 --local-address=127.0.0.2 --daemonize 
}

dnscrypt_stop()
{
    echo "Stopping dnscrypt"
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
   dnscrypt_start
   ;;
  stop)
   dnscrypt_stop
  ;;
  restart|force-reload)
   dnscrypt_stop
  dnscrypt_start
   ;;
    *)
   echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
   exit 1
   ;;
esac

exit 0


11. Run `sudo chmod +x /etc/init.d/dnscrypt', and `sudo update-rc.d dnscrypt defaults'.

Finally, we must edit /etc/default/dnscrypt-proxy.

12. Run `sudo nano /etc/default/dnscrypt-proxy'
Make sure that the "local-address" is set to "127.0.0.2:53", "resolvconf" is set to "on", and "user" is set to "nobody",

And then reboot.


Now you'll be resolving with encryption. You can confirm you're using it correctly by going to http://www.opendns.com/welcome/.

You can also run `sudo tcpdump -i any -n -A 208.67.220.220', which will display the ASCII output of the packets going in/out of port 443(since it uses port 443, not 53). You can then run `dig debug.opendns.com' in another terminal, and you should see encrypted text through tcpdump.

Make sure that /nonexistent exists, and is chowned to nobody:nogroup(`sudo sudo chown nobody:nogroup /nonexistent')



 

Evil-Maid Attacks

I won't be covering prevention of evil-maid attacks in this post due to the limitation of what one can actually do to prevent against an evil-maid attack. However, one example of what you can do is moving the boot partition in Ubuntu to a secure USB stick. A guide on how to do this can be found here.

But in reality, if somebody is able to tamper with your computer while it's not in your possession, they could install a hardware keylogger to get your encryption key.



ColdBoot Attacks

Again, I won't be covering much when it comes to coldboot attacks.
Most computers these days use DDR3 ram, which as far as I can find, aren't vulnerable to coldboot attacks. I will however give recommendations to stop the theoretical attack.


1. Set an Administrator password for the BIOS.
Although this wouldn't help if an attacker were to take the ram out of your system, and put it into theirs then dump it, it will delay how long it takes for the ram to be dumped.

2. Turn off Quickboot/Fastboot in your BIOS.
Not all computers support this, but some do. By turning off Quickboot/Fastboot, your system will 'check' the memory on boot, thus overwriting everything.










Unrelated



File Removal

As most readers will know, deleting files through usual methods(and the command `rm') only remove the "links" to the files contents on the harddrive. To remove files securely, you can use the program BleachBit
You can install it by running `sudo apt-get install bleachbit'. 
To securely delete a file, run `bleachbit -s file.txt'. It can also be used on directories.

Once of the problems with 'secure file removal', is that it only 'securely'(?) deletes the current contents of files. If the file has been edited at all, then reminisce of it may still exist.

Credit: BleachBit

This diagram explains it well; using secure removal tools, only the green blocks would be removed. The red blocks are old versions of the files. 
To deal with this, and delete all un-used disk space, you can use BleachBit as a cleaner.
To do this, you can run `sudo bleachbit  -o -c system.free_disk_space'. NOTE: This will take a long time to use your harddrive. It creates a file with random data that fills up the harddrive, then deletes it. If you're using an SSD, _DO NOT_ use this.

Bleachbit can also be used for other things. you can view them by running `bleachbit --gui'.










With all of these security measures implemented, I am confident that my computer is fairly secure from external, and remote hackers. It's much more of a hobbyist thing. If you really need good secure, use Tails. After all, one could always torture you for access.

I've personally done everything that is shown in this blog, as well as participate in 'good practise', such as shutting down my computer when I'm not using it.

No comments:

Post a Comment