/os/ - Online Security

News, techniques and methods for computer network security.


My feeling is that if you're super serious you should generate your keys on an air-gapped computer and sneakernet the messages to a networked computer using floppy disks. No USB should touch your air-gapped machine. Read the decrypts on the air-gapped machine with a curtain over your monitor.

Why not USB? I believe the "BadUSB" kind of attack (which can only happen with specially crafted hardware) can be mitigated by forbidding/whitelisting any USB hardware that is not a Mass Storage device.

Some people only use a read-only LiveCD session on a laptop without a hard drive and randomly go to places with free wireless internet. Other people don't trust virtualization and sandboxing. There's a manual way of making your own sandboxing with a few commands without using firejail. Some think that Tails is compromised and that Whonix is crap because VMs are crap even with KVM. A few do what Stallman does and use other people's computers with their permission to view some proprietary stuff.

Run your servers headless with no gui.  Try to segregate your services/servers onto different computers, with customized firewalls.  Only load the minimum number of packages to get the job done.


Run minimal: if there is a zero day for one service, say apache, but you also host your mail using postfix, then depending on the severity of the exploit you lose your mail security as well.

If your server doesn't need a package to do its job, don't install it.  Run minimal for the same reason as above.  Once the attacker gets in they'll have more tools to work with the more you install.

Run postfix and dovecot on one server and httpd on another; shut off ports 25 and 143 on the apache server, and depending on your use case shut off port 80 input on the mail server, etc. Run with the minimum number of ports open for each service to operate.

I'm not an expert but these are just feelings about it.  I'm not rich enough to host all of my services on different computers but if you are you should.

 >>/405/
That's why every sane program on Linux drops root privileges after binding to wanted network interfaces and such.

A local attacker could just download the code they want or use scripting. And I doubt the tools an attacker would want to bring are X11 apps.

iptables is great.

There is an "owner" module that allows controlling OUTPUT traffic on a per-user or per-group basis. And if you use separate users for every service running, just like you should, you can control every service with iptables. For example, permit traffic going to the internet for the tor daemon user and permit only localhost traffic for everything else.

Tails already uses similar iptables setup.
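A concrete version of the per-user OUTPUT policy described in the post above, written as an added example (not from the thread or from Tails). It assumes the Tor daemon runs as a system user named "tor" (Debian names it "debian-tor"), and it prints the rules first so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: OUTPUT policy with the iptables "owner" match.
# Users listed in NET_USERS (the Tor daemon by default) may originate
# traffic to the network; every other user is limited to loopback.
# Assumptions: Tor runs as user "tor"; "iptables" is the legacy or
# nft-backed binary on PATH; run "apply" as root.
set -eu

NET_USERS="${NET_USERS:-tor}"     # one system user per service
IPTABLES="${IPTABLES:-iptables}"

# Print the OUTPUT chain rules, one command per line.
owner_output_rules() {
    # Default deny, flush old rules, then loopback for everyone.
    echo "$IPTABLES -P OUTPUT DROP"
    echo "$IPTABLES -F OUTPUT"
    echo "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
    # Replies on connections that were already accepted (e.g. an inbound
    # sshd session) must still flow; the owner match only sees locally
    # generated packets, so state tracking covers the rest.
    echo "$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Per-user allow list: the service account, not the service, gets
    # network access (use --gid-owner for a per-group variant). A
    # compromised daemon running as any other user gains nothing.
    for u in $NET_USERS; do
        echo "$IPTABLES -A OUTPUT -m owner --uid-owner $u -j ACCEPT"
    done
    # Log the uid of anything that falls through, then drop it. The log
    # line is the detection signal: an unexpected user reaching for the
    # network shows up in the kernel log with its uid.
    echo "$IPTABLES -A OUTPUT -j LOG --log-prefix 'owner-drop: ' --log-uid"
    echo "$IPTABLES -A OUTPUT -j DROP"
}

# Run every rule line (requires root); any failure aborts the whole set.
apply_rules() { owner_output_rules | sh -e; }

case "${1:-show}" in
    apply) apply_rules ;;
    *) owner_output_rules ;;
esac
```

Name resolution for users not in NET_USERS can only reach loopback, so point them at a local resolver (for example Tor's DNSPort) or their lookups will be dropped and logged.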



Start thinking about older hardware and compartmentalization of different tasks onto different hardware units. If you're doing something that doesn't need speed (writing and sending email, text browsing, low impact web/mail servers) use older hardware, if it needs speed (rendering, gaming, 1080p streaming video, number crunching,) then use something modern but only for that task (and for nothing else).   

Also assume that you're being keylogged if you're connected to the internet on a modern operating system (including linux and bsd) on a modern hardware machine (Anything >2005). Just operate as if that is true and weigh the implications of your typing and mouse clicks accordingly in your actions online and "Offline". 

Also get an airgap for anything that you wouldn't want to share publicly with your boss, spouse, grandmother, neighbour or law enforcement. Make sure you do volume encryption or full disk encryption if you have sensitive data on the airgap. I consider personal financial information (like taxes, income, planning, purchases, etc) to be in this category that requires an airgap. Anything to do with planning, inventory or income sources (what books you have in your personal library, how many "things you own", un-booked travel plans etc...), part time revenue etc, stock picking and purchasing plans, business plans, business ideas etc. Do all of that on an airgap. Mainly I'm thinking of personal spreadsheets, personal text documents, digital photography and personal digital collections (music, pictures, videos, pdfs, etc). Also be sparing in what you share about this information in conversation with other people. Stick to the weather and sports teams.

Also start thinking about low tech (pen and pad, mechanical typewriters, rotary dial telephones, mechanical locks) to confound some of the more obvious possible entry points for government or criminal hackers to peer into your residence. Keep your blinds up in your study and maybe tinfoil the windows in your 'study'. Also no cellphones. No smart phones. No Alexa, no Siri, no Google Home, no remote home security (don't be a retard). Buy books and things second hand and try to pay in cash (second hand book stores and electronic recyclers).

Making small todo lists should go in a non-online handwritten journal; if it's sensitive, then put the journal book in a fireproof mechanical safe inside your study, and shred/burn the contents when it is no longer required to keep track of the information. Low tech can beat high tech in the spy game. You lose convenience but you'll gain personal privacy. Just some ideas, feel free to contribute.

 >>/1163/

A note about the rotary telephone recommendation.  Assume that your conversations on the telephone network are being recorded every time that you use the phone.  Using electro-mechanical devices over phones with microprocessors / digital controllers is simply to remove a hacking vector whereby a hacker can bug your entire house reversing the phone from a communication tool into a surveillance device.  Stick to lawful non personal, business and fact relaying only conversations over the telephone, (ordering takeout, calling the government, job interviews, etc). 

If you can, get a tape deck answering machine.  Most of the modern digital answering machines allow (key code) remote playback.  Get a tape deck and a cassette for phone messages with a physical control (play stop and rewind buttons) (mechanical requires physical access). Don't use a "digital mail box" at the phone company to store your messages.

Don't ever respond to telephone surveys (phishing attempts); just tell them no thank you, I'm not interested, and hang up, and do this politely (say thank you, have a great day and hang up).

For better effect also disconnect any phones from your work study where you have your computers. And when doing sensitive things also disconnect your speakers from your desktop (Power off button or remove the input cord to your soundcard and power cord from the wall).   Don't use WIFI anywhere, unless you're in a bind.  Keep all your tcp/ip connections wired and firewalled.   Don't use wireless 2.4GHz phones either. Don't give the party van more remote info to collect or ways to penetrate your residence remotely.

Personal and sensitive communications should be made face to face, or signaled using gpg or through other encrypted communications methods.  Make sure the person you're talking to isn't a retard carrying a cellphone in their jacket pocket, and make sure to ask them about this before you start your conversations, and if they have a cellphone tell them to turn it off and remove the battery before you start your conversation.

copied from:
 >>/b/17546/

BASIC SECURITY TIPS UPDATED

(1) Don't use social media [Avoid Facebook/Myspace/Twitter/Snapchat/etc.] (no brainer) Tell your friends to just hang out with you face-to-face instead of using social media.
(2) Forward secrecy (keep your mouth shut about any personal info if you don't want to expose yourself)
(3) Use a cheap private VPN (w/ no IP logging policy) and Tor browser! You can also use an OS like Whonix or Tails to spoof your MAC address in extreme cases.
(4) Always disconnect your internet (physically) when you are not going to use it! Make sure bluetooth and WiFi is physically disabled/disconnected. Don't keep your modem online all the time! If you do, you are asking to be hacked!
(5) Use an old "flipper" phone. AKA a jitterbug. Cover up any camera if has one. Jitterbugs are basic cellphones for people with disability problems / senior citizens! Just a bare basic cell phone where you can take out the battery. Has no internet platform. Any kind of device that has a camera you might want to consider covering up because they can easily be hacked to spy on and identify you remotely.
(6) Flock to flea markets, garage sales, thrift shops to buy older electronics! Do not buy 'smart' or 'green' appliances! Learn how to maintain and fix older products/utilities too! All IoT (Internet of Things) tech can be used to spy on you, avoid IoT and 'home automation' technologies! Trojan horses, all of them.
(7) Never put your real name or personal info into your computer, always use FAKE names / aliases.
(8) Use cash whenever possible. Credit Card and other digital transactions can be tracked and directly linked to you. Cash could be tracked back to you too, but it is much harder and takes a lot of effort and human resources for governments to do.
(9) No OS is safe. Just exclude as much personal information as you can from your Operating System. Make sure it's disconnected offline when not being used! Make sure bluetooth and WiFi are also physically disabled/disconnected when not in use. If you use a "hot spot", which I do NOT recommend, at least turn it off and put it inside a little Faraday cage bag when not being used (to prevent more sophisticated remote tampering).

 >>/b/17546/
(10) Always bleach your browser cache / cookies / web logs! 35x Gutmann style! (Bleachbit, Ccleaner, etc.)
(11) Browser Security: Use Noscript Security Suite add-on. Noscript is a must: make sure to block all global scripts, wipe the whitelist in Noscript and re-configure the whitelist that best fits your browser habits. IPFlood is also a useful add-on to obfuscate IP GET requests. You should use Random Agent Spoofer (or Blender) to spoof your browser & OS metadata while you surf the web, making it a lot more difficult to track your activity. Tin Foil is another great security addon. Also, make sure WebGL and WebRTC are disabled in about:config (research how to disable those, there are tutorials out there).
(12) It's best to have two computers, rather than just one. For example, have one just for banking / legit LEGAL purposes. Have another one (completely separated) just for private or illegal activity. Make sure you don't put any personal info in the private computer.
(13) Use encryption and strong passwords! Write them down on a piece of paper or memorize them. DO NOT store passwords on a computer file. That is a big no-no! Try easy to remember long sentences for passwords, and combine all the words together. The more characters used, the harder it is for hackers to break the passwords.
(14) Have separate email accounts for each kind of activity (legal or not, don't matter).
(15) Make sure you physically disconnect your web cam or cover it up with black electrical tape. Most laptops these days come with web cams attached above or below the monitor. Make sure the camera cannot be used to identify you or spy on you in any way. (Yes, webcams can be hacked / remotely hijacked to spy on you!)
(16) Avoid new "Smart TVs" (they spy on you too)! If you have a newer TV, make sure you cover up or unplug the camera and microphone. Or keep it offline and disconnected from the cable box when not in use. You could cancel cable and just rip DVDs of your favorite movies and shows instead, using them on an offline TV set.
(17) Avoid all new digitized vehicles. They can easily be hacked, used to spy on you and even be remotely hijacked by criminal entities/governments!
(18) Never allow another person to use your computer. Make sure you routinely backup important files to a flashdrive or DVD and store that data offline. Also make sure you have a backup copy of the OS you use as well as backups of the software you use. If you ever have problems with your OS someday, just wipe your partitioned OS, and then re-partition the OS again yourself from scratch. Do not allow others to 'fix' your computer, they could easily steal information from your OS you might not want them knowing about. Geek Squad works with the FBI and other agencies to steal data from their customers, do not trust them to fix or repair your computer.
(19) Any photos you take with modern cameras contain EXIF metadata that contain GPS coordinates among other data used to identify the owner of the photo. If you store your modern photos online, people will be able to identify you. Don't do it! I repeat: do not post modern photos online unless you want to be identified! (I have been told PNG formats do not store any metadata, so photos converted to PNG might be safe).

Test your online privacy and learn more: https://www.privacytools.io/

I might as well add this report to this OPSEC thread: https://archive.fo/bBjkm

Do not allow any electronic made after 2018 into your home and you better have some backup older electronics which don't have cameras and hidden mics. The Wall Street Journal just rubbed it in our face that this is going to become the norm very soon as they will be embedding tiny microphones in almost every single thing they can get away with. So anything digital beyond 2018: don't buy it.

And do avoid things like Echo, Siri and other crap created by the big tech monopolies. Make it clear to your family, relatives and friends you won't allow this around your presence (or at least in your own residence). It is all up to us to wake others up about how they are stealing our data and selling it all over the world and if we allow it we are stupid as a bunch of rocks.

 >>/b/17546/

I agree, cook your own food. Buy from the local farmer's market, or from the grocery store. Cook your own food in your own house. Don't order in. As you mentioned, it's easy to poison you once they know your pattern. You call for take out and they intercept the delivery or have someone planted there to poison your pizza.

I just meant to say don't do crime or talk about crime or personal things on the phone, no phone sex, no dirty talk, just innocuous facts, and lawful business. "Hey are we low on milk? Yeah OK I'll pick some up, bye."  Nothing about money, politics, drugs, crime, or sex.  It's all being recorded digitally and stored, and if you become a "Person of Interest" they go through it and pin point all the incriminating stuff to use on you for blackmail, coercion, criminal indictment, front running etc. 

It's too bad that they removed all of the public pay phones... If there were no cameras in the area you had a small level of anonymity (very small). We're going to have to look to an encrypted VOIP by tcp solution for a "Secure Line". Even then don't trust it too much.

 >>/1248/
> Use an OS like TAILS or Whonix to spoof your MAC address
Any BSD/Linux machine can do this with GNU macchanger [1].
I don't know how Tails or Whonix does MAC spoofing but I'd imagine they use the same thing.

1: https://directory.fsf.org/wiki/Macchanger (note: hasn't been updated in 4 years)

Currently using Icecat 60.2.0 ESR. It comes with by far the best addon I've ever used on any web browser called Searxes' Third-party Request Blocker. I just use that instead of NoScript. Icecat as a web browser has a couple of issues, one of them being the same issue that the Tor browser has. I only install uBlock Origin, CanvasBlocker (enable expert mode to see what I mean), and Greasemonkey. I don't even use a user.js file because I generally trust Icecat. I cannot emphasize enough on how good the addon is. This is still not fully available for most distros but it is available for some.

Cross-posting copy-pasta from  >>/b/19022/

"I've covered this in an old OPSEC thread and I think I'll report this password tip copypasta because it is a very good security tip (the two anons were originally from 8chan/n/): 
PASSWORD SECURITY TIPS 
Anon #1 posts following: Now As far as passwords go, here is how I do it: I'll give you an example by posting a supposed password: donotletthefedsseethisaccount887756 

As you can tell, this password has 35 characters total. This is A LOT of characters but also easy to memorize too; for example, it's easy to remember the phrase "do not let the feds see this account", and added to that phrase is a code (which you can also memorize easily) 887756. Once you come up with a phrase you can memorize it, then attach a code number you can easily remember right after it. This will make your password very difficult for hackers or spies to brute force using 'dictionary attacks' by adding random entropy at the end of the phrase (via the random code). This 'password' would be unbelievably hard to crack if it were not a fake and had I not posted it. Use your tinfoil hats, paranoia can be your best friend.

Anon #2 responds to Anon #1: It is better not to do letter/number type strings camel casing and special characters as well. Pass phrases are easier to remember but mixing it up makes it exponentially harder to brute. Though your example is secure enough a minor change can make a large difference in your password scheme. Also a lot of programs cut you off at 16 (or even fewer) characters so casing/ascii helps. 

Ex: donotletthefedsseethisaccount887756 would average 10^66 tries. Just moving the numbers and adding casing/one special character you get: Do8Not8Let7The7Feds5See6This@ccount which bumps it up to 10^84 and is just as easy to remember."

 >>/1328/

While I think this is good, for memorization, I use 25-40 character random ASCII passwords using /dev/urandom or passgen.sh. I write these down in a notebook that I keep in a small safe in my computer room/study. I also add random characters inserted into the computer generated password. Some of these passwords are memorized and not written down anywhere. For example the codes I use for user login and for cryptsetup and gpg are memorized, while the codes for github, protonmail, and other online services are written down in a notebook that I keep in a safe. I use different passwords for every distinct online service.

Ultimately I would want a system as follows: 2 factor authentication. Factor 1 would be a 20-30 character memorized passphrase number combination as mentioned above in >>/1328/ or using random memorized ASCII like I currently do. Factor 2 would be a 3.5" floppy disk with 1.44MB of random ASCII characters generated using OpenBSD on a Sun Sparc or DEC Alpha air-gap computer, with read only permissions and a hash, and the write protect toggle on. You would boot your computer using both the disk key with the non-guessable, random passphrase and with the memorized code. You would keep the key in a safe in your study when not in use or on your person 24/7. Preferably you would need both keys to open the encrypted computer. The memorized passphrase would allow you to boot to the point where you need another key to decrypt the entire volume. This second stage uses a non-dictionary, anti-brute-force password consisting of 1.44MB of random ASCII, that can't be guessed or memorized, stored on a floppy disk for rapid destruction by neodymium magnet, mechanical shredding, and burning with a lighter. Once the volume is unlocked the computer should instruct you to remove the disk from the drive and stow it away, so that the OS never gets to or has the chance to read the contents of the disk once authenticated.

Getting password one requires drugging and tricking you into verbally revealing it (torture, false promises, truth serum etc).

Getting password two requires breaking into your residence and obtaining the disk before destruction by either cracking the safe where you store it while you're sleeping or away, or by taking it off of your person before you have a chance to demagnetize, shred, and burn it (all of which could be done in 10-20 seconds if practiced).

Getting into the computer requires both passwords, and password two can't be memorized (but could be copied, though not without your knowledge). So if password two is destroyed password one can't open the computer, and if you and password one are captured, you can still attempt to withhold password 1.

You could probably also try to do this with a CD ROM or DVD ROM disk. Rapid destruction will be more challenging although possible (cross shredder with a grinder and some gasoline; this might take 1 min - 2 min).

Someone should write a mod or patch for LUKS that enables this system to be deployed.
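The two-factor unlock described in the post above can be approximated with stock cryptsetup, shown here as an added example that is not from the thread or from the LUKS project. LUKS key slots are alternatives (any one slot opens the volume), so the trick is to enrol the memorized passphrase and the floppy keyfile concatenated into a single slot; the device, mount point and hash file paths are assumptions, and GNU coreutils (sha256sum, head -c) is assumed.

```shell
#!/bin/sh
# Added example: two-factor LUKS unlock. Factor 1 is a memorized
# passphrase, factor 2 is 1.44 MB of random bytes on a write-protected
# floppy. Both are concatenated into ONE key slot, so neither factor
# alone opens the volume. Assumed paths: LUKS device $DEV, floppy
# mounted at $FLOPPY, keyfile hash kept on the internal disk at $HASH_FILE.
set -eu

FLOPPY_BYTES=1474560                        # capacity of a 3.5" HD floppy
DEV="${DEV:-/dev/sdb2}"
FLOPPY="${FLOPPY:-/mnt/floppy}"
HASH_FILE="${HASH_FILE:-/etc/luks/key.sha256}"

# Fill $1 with FLOPPY_BYTES from /dev/urandom, readable by root only
# (chmod is best-effort on a FAT floppy; the write-protect tab is what
# actually keeps the disk read-only once enrolled).
make_keyfile() {
    umask 077
    head -c "$FLOPPY_BYTES" /dev/urandom > "$1"
    chmod 0400 "$1"
}

# Store the SHA-256 of keyfile $1 in $2, so a damaged, swapped or
# tampered floppy is detected before its contents reach cryptsetup.
record_hash() { sha256sum "$1" > "$2"; }

# Return 0 only if the keyfile named in hash file $1 still matches.
verify_keyfile() { sha256sum -c --status "$1"; }

# Emit the key-slot material: passphrase (one line on stdin, newline
# stripped) followed by the raw keyfile $1. Same bytes at enrol and unlock.
combined_key() {
    IFS= read -r pass
    printf '%s' "$pass"
    cat "$1"
}

# Read the passphrase from the terminal without echo.
read_passphrase() {
    stty -echo; printf 'Passphrase: ' >&2
    IFS= read -r pass; stty echo; printf '\n' >&2
    printf '%s\n' "$pass"
}

# One-time setup (floppy writable): create the keyfile, record its hash,
# add the combined key as a new slot. cryptsetup prompts for an existing
# slot's passphrase; retire that slot afterwards with luksKillSlot.
enrol() {
    make_keyfile "$FLOPPY/key.bin"
    record_hash "$FLOPPY/key.bin" "$HASH_FILE"
    tmp=$(mktemp /dev/shm/luks2f.XXXXXX)    # tmpfs, never hits disk
    read_passphrase | combined_key "$FLOPPY/key.bin" > "$tmp"
    cryptsetup luksAddKey "$DEV" "$tmp"
    rm -f "$tmp"
}

# Unlock: check the floppy, present both factors, then unmount the
# floppy so nothing later in boot can read it again.
unlock() {
    verify_keyfile "$HASH_FILE"
    read_passphrase | combined_key "$FLOPPY/key.bin" \
        | cryptsetup open --key-file - "$DEV" cryptroot
    umount "$FLOPPY"
    echo "volume open; remove the floppy and stow it" >&2
}

case "${1:-}" in
    enrol) enrol ;;
    unlock) unlock ;;
    *) echo "usage: $0 enrol|unlock" >&2 ;;
esac
```

Run enrol once with the write-protect tab off, flip the tab on, then use unlock from the initramfs or a rescue shell; destroying the floppy leaves the slot unopenable even with the passphrase.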

 >>/1323/
Have you used uMatrix before?
Very similar idea to this 3P blocker except you can specify what type of content you want blocked. I.e. XHR, JavaScript, iframes, CSS, fonts, etc.
I swear by it. It's very useful, the interface takes a little to get used to but once you do you can work very efficiently with it.

nice try grandpa
are you aiming for privacy, anonymity, security? VMs are unreliable from a paranoid security standpoint due to complexity, nevertheless if they provide anonymity, it may be worth it against larger foes that can compromise security with their access to exploits. Similarly with Tor Browser Bundle, sometimes it is better to blend in rather than to obscure your identity. a hoodie will be less conspicuous than a facemask.
 >>/1249/
> don't post modern photos except PNGs because of exif
you can strip exif data using 'exiftool' and other solutions. I have heard stories about cameras having hidden codes (and more likely, repeatable and detectable design flaws) that can be used to identify the module, but that's real rumor oojie boojie
> avoid all digitized vehicles
avoid vehicles especially with push-button ignition, vehicles with a disabled wireless unlocking mechanism would be preferable but there are vehicles with an option to disable the keyless wireless fob.   

 >>/1248/
> don't use social media
endchan is social media
> use a cheap private vpn
use someone else's vpn, don't leave a paper trail of payment leading to your credit card
> do not buy green appliances
enjoy getting vanned because your electricity company can tell when you're browsing the internet via the smart meter. green is just a color, but energy efficient appliances are easier to run off battery power and/or solar power sources.
 >>/1167/
> responding to phishing attempts at all
phishers may record a clipping of your voice to bypass automated vocal analysis software, which is luckily not commonplace, but nevertheless, do not give them information if possible
 >>/1306/
OpenBSD has a MAC randomiser inbuilt by default, isn't that a standard OS feature?
 >>/1328/
your password might have high entropy for a brute-forcing machine, but you're still relying on English grammar, which can be boiled down to rules no matter how complex they are
I would recommend creating a password using the FSF diceware list instead, as the words make less sense as a group, while still providing entropy


I'm not an expert but I have an IQ over 9000.
How I might attack a password.
A. List attack
I will get a list of "common passwords" derived from compromised user password lists (the user account you made in ten seconds, 5 months ago, because some Jew webpage made you).
> "12345678" and "nopassword".
B. low entropy Brute force of the password list
Common passwords with one character variance, common passwords with 2 character variance.
> 1234s6789, Nopassword1
The site made you add a symbol and a number, I'm so scared.

It's only if you got this far that any real effort has to be made, honestly if you're not special I will just give up and find a stupider person.

C. dictionary attack
Instead of guessing gibberish I will use whole words.
Long passwords are often made up of whole words and at this point I know your password is fairly long.
There are far more words in any given language than characters (this BTFO's Chinese users incidentally).
Many common phrases will already have been covered in A. "common passwords"
I start to assume things like "If there's a 'Q', the following character is 'u'"
The way this works technically, a word-based and a phrase-based attack aren't really separate.
> hitlerdidnothingwrong
> therighttobeararmsshallnotbeinfrienged 

If this didn't work you're a CHAD with a password like 
zgn$%w5jkgkn994 written under your mouse pad like my Grandma.

That's when we get into hash collisions, pre-computed hash values, hoping other elements (like servers storing plaintext password outputs) makes our life easier


 >>/1727/

I just finished installing Gentoo with btrfs on LVM on LUKS and spent 15 hrs configuring the kernel parameters to get iptables working with endwall.sh .  I have to add some more stuff for IPv6 to make it fully compatible with endwall.sh.

Here is my layout:

http://nguipxnkrp3qrzrlduhsatpcpwehnblzmlkc5ifiumxq4z5jlh4lwvid.onion/content/gentoo/layout.txt

sda is full disk encrypted OpenBSD 6.9, sdb is encrypted with unencrypted boot for Gentoo Linux.

Here is my current working kernel config:
http://nguipxnkrp3qrzrlduhsatpcpwehnblzmlkc5ifiumxq4z5jlh4lwvid.onion/content/gentoo/kernel_config.txt

you can copy this to /usr/src/linux/, overwrite .config with it, and run

$ su
# cd /usr/src/linux
# cp kernel_config.txt .config
# make -j4 && make -j4 modules_install
# make install
# genkernel --lvm --btrfs --luks --microcode --firmware --bootloader=grub2 --install --kernel-config="/usr/src/linux/.config" initramfs

which will build the kernel and the initramfs. This works with encrypted LVM with btrfs. To change parameters, run

# make menuconfig

and then recompile and install the kernel and initramfs. Works for me so far.

Gentoo is a time suck, and there is no way I would know anything useful about Linux or UNIX system administration and security if I had started with it.  I think a good progression is Debian > Arch > Parabola > OpenBSD > Gentoo > MS DOS + compile what you need manually.


27 replies | 2 file