
Thread: Safe Browsing With OpenSUSE

  1. #1
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Safe Browsing With OpenSUSE

    What spurred this post was a phone call the other day from my credit card company: someone had obtained that credit card number and had tried to make a bunch of bogus purchases with it. Fortunately, all were declined (I have account protection on that card), but it reminded me again of how vulnerable we all are to identity theft.

    In this particular case, I'm not sure that a crooked motel employee didn't use the number, but I thought I'd share some safe browsing tips while they're on my mind.

    1. Get some form of account protection. There are dozens of plans, some great, some worthless, some dirt cheap and some relatively expensive. I'm not going to recommend one here because they vary from one region to the next.

    2. Never, ever, ever browse with Windows at a WiFi hotspot. You're just begging for trouble. Windows is well-known and WEP, WPA and WPA2 can all be cracked. The cracker doesn't even need to be in the Starbucks or motel with you: he might be outside in his car with a laptop.

    3. Even with secured Linux, don't ever do sensitive transactions (banking, etc.) on a wireless network. Use a wired connection.

    4. If you're really paranoid like I am, create a separate account on your Suse machine at home that is only ever used for financial transactions. Here's how I do it:

    a. - Yast -> Security and Users -> Users and Groups. Create a new user and give it a good, strong password.

    b. - KMenu -> System -> File Manager (Super User Mode), find that new directory (in "/home/[newusername]") and eliminate all read/write permissions for anyone other than "[newusername]." You don't even want anyone else looking in that directory. Simply right click on the folder [newusername] and set the permissions to deny for everyone but that user.

    c. - It's no fun browsing without Flash nowadays, so you can leave it enabled for your regular user account. But for this one, if you're using Firefox, download an addon such as FlashBlock to prevent it from running. If your bank or credit card company requires Flash to use their site, write them a nasty email and change banks.

    Now you'll log out of your regular account, and log into this new user account, for all critical financial transactions. As soon as you're done, log out of the new account and go back to your older, regular account. Use the regular account for all browsing EXCEPT financial or personal transactions. Don't ever mix the two.

    Another idea, somewhat advanced (and even more paranoid), is to install VirtualBox (available in the Build repositories) and actually create a separate VM with OpenSUSE in it just for sensitive browsing. Take a snapshot before you ever start browsing. That's your "known good gold standard."

    After each session in the VM, blow out the VM and restore from that known-good snapshot. I don't do this, to be honest, but some people swear by it. Even if you were to get a nasty worm in that VM, once you blow it out and restore from the snapshot, the worm is gone.

    You should also always run the Suse firewall. Don't ever disable it. All of these tips are for a single user at home, but if you're on a larger network with several machines, get help from a knowledgeable friend (or post a request here), if need be. You'll need to be selective in what you allow and refuse.

    If anyone else has tips, I'm all ears.
    Last edited by smpoole7; 09-Jan-2010 at 11:37. Reason: Added comment about permission
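
Step 4b above, done from a shell rather than the file manager, as an added example (not part of the original post): it checks whether a home directory is closed to group and other, counts what is still exposed inside it, and strips those bits. The function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: step 4b (lock down the banking account's home) from a shell.
# Function names are illustrative, not from the thread.

# Succeeds only if group and other have no permission bits on the directory.
is_private() {
    [ -d "$1" ] || return 2
    # ls -ld prints e.g. "drwxr-xr-x"; characters 5-10 are group + other.
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Count entries under the directory that group or other can read, write
# or execute. Symlinks are skipped: their own mode bits are not enforced.
exposed_count() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Remove every group/other bit, recursively. The owner's bits are untouched.
lock_home() {
    chmod -R go-rwx -- "$1"
}

# Demo on a constructed directory tree (not a real /home entry).
demo() {
    tmp=$(mktemp -d) || return 1
    home="$tmp/banking"                # stands in for /home/[newusername]
    mkdir -p "$home/.mozilla"
    echo "constructed sample" > "$home/statement.txt"
    chmod 755 "$home" "$home/.mozilla"
    chmod 644 "$home/statement.txt"

    is_private "$home" || echo "before: $(exposed_count "$home") exposed entries"
    lock_home "$home"
    is_private "$home" && echo "after: private, $(exposed_count "$home") exposed"
    rm -rf "$tmp"
}

demo
```

On a real system, run `lock_home /home/[newusername]` as root or as that user, then re-run `is_private` after any restore from backup, since restores can bring back looser modes.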

  2. #2

    Default Re: Safe Browsing With OpenSUSE

    Thank you for the ideas. They strike me as being very good advice. Although I do not know if I am ready to implement all of them it is great to have this listing for reference.

  3. #3
    Join Date
    Dec 2008
    Location
    Sydney, Australia
    Posts
    1,020

    Default Re: Safe Browsing With OpenSUSE

    You ARE paranoid ;-)
    Günter

    Desk: Leap 42.2, KDE 5, Intel i3, 8Gb, Kingston 64Gb SSD, 2 SATA.
    Lap: Thinkpad T430, Tumbleweed, Intel i5, 8Gb, SSD.

  4. #4
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,479

    Default Re: Safe Browsing With OpenSUSE

    Quote Originally Posted by gminnerup View Post
    You ARE paranoid ;-)
    If you would handle big amounts of money over the Internet... you should be too. The amount of fraudulent activities on web-banking is ever growing. And I think about more than 80% of the worms, Trojans and so on are taken as "drive by". That is, you are looking at a web-page and your browser has a security flaw, your user account may be compromised. If you are on Windows, probably everything may be compromised. But you are smart, using Linux. So... you open a dedicated user account. I think this is more than sensible. BTW, did you repair by hand the security flaw in Adobe Acrobat Reader? A lot of people did not, and up to today a security fix was not available. Makes weeks of exposure. Well, better be "paranoid" a bit when it comes to home-banking / e-banking. IMHO a good thread and initiative.
    Just "clicking away" security warnings about a change in repo signature ? Not able to control?
    Then please vote for
    https://features.opensuse.org/312047
    openSUSE should have an efficient web of trust.

  5. #5
    Join Date
    Jun 2008
    Location
    Canada
    Posts
    62

    Default Re: Safe Browsing With OpenSUSE

    Good post, but there are a couple of things that caught my attention:

    Quote Originally Posted by smpoole7 View Post
    2. Never, ever, ever browse with Windows at a WiFi hotspot. You're just begging for trouble. Windows is well-known and WEP, WPA and WPA2 can all be cracked.
    I agree on not using Windows (under any circumstances), but where did you get that WPA2 can be cracked? As far as I know, WEP can be EASILY cracked, WPA can only be brute-force attacked and WPA2 is still safe. Can you post a link?

    Quote Originally Posted by smpoole7 View Post
    3. Even with secured Linux, don't ever do sensitive transactions (banking, etc.) on a wireless network. Use a wired connection.
    I would say, never do sensitive transactions on not secured HTTP connections (always use HTTPS). When using HTTPS on a cracked wi-fi, how would someone read the encrypted data that passes through the intertubes?

    Quote Originally Posted by smpoole7 View Post
    4. If you're really paranoid like I am, create a separate account on your Suse machine at home that is only ever used for financial transactions.
    This only works if your normal user account has been compromised via ssh. If you are not running sshd or you have carefully configured it, then you should be fine. If you insist on having a separate account for banking, then you have to disable ssh access for that user. If you don't, what's the purpose of a separate account?

    If you want to protect yourself from being attacked by someone that has gained physical control of your computer, then separate accounts will not help. Encrypting your whole disk may be the only solution.
    "All truths wait in all things,
    They neither hasten their own delivery nor resist it" -- Walt Whitman

  6. #6
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Re: Safe Browsing With OpenSUSE

    Quote Originally Posted by TioDuke View Post
    Good post, but there are a couple of things that caught my attention:



    I agree on not using Windows (under any circumstances), but where did you get that WPA2 can be cracked? As far as I know, WEP can be EASILY cracked, WPA can only be brute-force attacked and WPA2 is still safe. Can you post a link?
    WiFi is no longer a viable secure connection - SC Magazine UK

    This was almost a, "Let Me Google That For You." But I won't pick on you. Here's the thing, and take this lesson away from it: just because something is secure NOW doesn't mean that it'll be secure NEXT YEAR. You apparently read somewhere when WPA/WPA2 were introduced that they were "secure," but it was only a matter of time before they were cracked.

    Mitigation: a really, really good password causes the brute force attack to take a lot longer. But (as this article points out) using a separate, dedicated processor just to do the brute force WILL succeed eventually. If the password isn't especially strong, it won't take long at all.

    I would say, never do sensitive transactions on not secured HTTP connections (always use HTTPS). When using HTTPS on a cracked wi-fi, how would someone read the encrypted data that passes through the intertubes?
    It would be harder, but it would still be possible. The problem is that there are parts of every transaction that can be predicted. If the bad guy IS in the Starbucks with you, he might be watching to see that you've browsed to Wachovia Bank to check your account. He knows the basic layout of that page, and can "seed" his cracking algorithms with that. He takes a snapshot of your transaction and then cracks it at his leisure elsewhere.

    This only works if your normal user account has been compromised via ssh ...
    I don't understand your point here, so I won't respond to it. SSH is not the only way to compromise a user's account.

    The real danger at present (and this will change in time, as these things do) seems to be that you might browse to a Website that uses Flash to install something that will monitor keystrokes and/or passphrases, sending a report to a Bad Guy over the Internet. SSH isn't even involved.

    If you want to protect yourself from being attacked by someone that has gained physical control ...
    Correct. I was talking about *Safe Browsing*, whence the title. If someone has physical access or physical control of your computer, then all bets are off.

  7. #7
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Re: Safe Browsing With OpenSUSE

    By the way, one other thing needs to be mentioned ... most public WiFi hotspots aren't even secured. Only a maniac browses to their bank at those places, whether using Linux, Mac or Windows.

    More on the HTTPS thing mentioned by TioDuke: HTTPS is certainly more secure than plain-text HTTP, but it can also be cracked. I'm not a huge fan of anonymous, negotiated peer-to-peer secure connections, anyway. Unless both sides have agreed to a secret, strong password in advance, it can be cracked fairly easily (as was proved some years ago when someone cracked PGP, which is similar in concept).

    Whence my suggestions in the original post. You can check the weather, the news and other sites at a wireless spot (if you're at a motel, as I also mentioned, that's probably all that's available). But don't ever, ever browse to your bank, not even if the motel (atypically) has a strong password with WPA2. It's just not worth the risk.

    Just my opinion, and also need to clarify that my suggestions above about creating a separate account just for secure browsing are meant to protect the average user from Web-based attacks more than anything else.

  8. #8
    Join Date
    Jun 2008
    Location
    Canada
    Posts
    62

    Default Re: Safe Browsing With OpenSUSE

    Quote Originally Posted by smpoole7 View Post
    WiFi is no longer a viable secure connection - SC Magazine UK

    This was almost a, "Let Me Google That For You." But I won't pick on you. Here's the thing, and take this lesson away from it: just because something is secure NOW doesn't mean that it'll be secure NEXT YEAR. You apparently read somewhere when WPA/WPA2 were introduced that they were "secure," but it was only a matter of time before they were cracked.

    Mitigation: a really, really good password causes the brute force attack to take a lot longer. But (as this article points out) using a separate, dedicated processor just to do the brute force WILL succeed eventually. If the password isn't especially strong, it won't take long at all.
    I have read the article but frankly there isn't much explanation in there: just some vendor company claiming they have achieved more processing power that may allow to brute-force WPA2. It says "publicity" all over the place. I would be more worried about a botnet's processing power.

    As you said, weak passphrases are easy to brute force. But that does not make the algorithm invalid, just the use someone makes of it. The problem with WEP is that the passphrase can be calculated provided you recollect some data and with WPA that it indeed does help the brute-force attacker. WPA2-CCMP is the most secure you can get nowadays as it uses AES (256, I think): secure enough, in my opinion.

    Quote Originally Posted by smpoole7 View Post
    It would be harder, but it would still be possible. The problem is that there are parts of every transaction that can be predicted. If the bad guy IS in the Starbucks with you, he might be watching to see that you've browsed to Wachovia Bank to check your account. He knows the basic layout of that page, and can "seed" his cracking algorithms with that. He takes a snapshot of your transaction and then cracks it at his leisure elsewhere.
    Honestly, I don't understand what you are saying here. Do you mean MIT attacks?

    Quote Originally Posted by smpoole7 View Post
    I don't understand your point here, so I won't respond to it. SSH is not the only way to compromise a user's account.
    I'll try to be clearer. What I was trying to say is that account separation can be used as a means of differentiating ssh access for different 'roles'. I don't see how it can help with secure browsing as either account could be susceptible to attack. Account separation won't help on the "physical level", as you agreed. One may, as you say, enable flash for an account and disallow it for the other, but IMO a better way would be to use something like NoScript that will selectively block flash and other unpleasantries while you browse.

    BTW, are you sure Flash is able to install anything in your computer? I mean, isn't it sandboxed so that it has no access to writing to disk or other system resources? If not, it should.
    "All truths wait in all things,
    They neither hasten their own delivery nor resist it" -- Walt Whitman

  9. #9
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Re: Safe Browsing With OpenSUSE

    Quote Originally Posted by TioDuke View Post
    I have read the article but frankly there isn't much explanation in there
    My point was, if you Google "wap2 cracking" or something like that, you'll see that (a), it can be cracked, (b), it has been cracked many times, and (c), the length of time to crack is related to the strength of the password. That link I provided was just one of many.

    I'll try to be clearer. What I was trying to say is that account separation can be used as a means of differentiating ssh access for different 'roles'. I don't see how it can help with secure browsing as either account could be susceptible to attacking.
    The issue is "secure browsing." The idea behind using a separate account, with flash and other similar add-ons disabled, is that even if your main account gets compromised, your secure user won't be.

    (Unless your "main" account is "root," but anyone who browses as root deserves what happens to them. )

    BTW, are you sure Flash is able to install anything in your computer? I mean, isn't it sandboxed so that it has no access to writing to disk or other system resources? If not, it should.
    You're surprising me again. Are you unaware of the security holes that have been found in Flash? Google that one, too. The problem is that it takes Adobe quite some time to address these holes when they're found, so you're exposed for quite some time.

    Whence my suggestions: Just killing the wireless, unplugging the RJ45 from your computer and refusing to browse the Internet at all would obviously be the safest thing, but that's hardly appealing (or even practical, nowadays). But if you set up a separate user account *just for* critical, sensitive browsing, protect that account as I outlined above, then if your main account should be compromised, you at least have one additional layer of protection.

    The idea is that a cracker might use Flash (or something else) to install a keylogger, for example. OK, if that logger is only in your main user account, then the Bad Guy(tm) would be able to see your password(s) for this forum, for example. That would be ugly. But he wouldn't be able to keylog you entering the password on your banking account, because that's a separate user that lives in a protected directory.

    The other point is that this is relatively easy to do -- both on your end, with the separate user account (criminally easy), in fact, and on the other side of the aisle, it's relatively easy for the attacker.

    This is not theoretical. If you're a cracker, especially if you hang out at the Bad Guy Websites, you can easily download the scripts and tools to do the cracking. You don't even have to be a skilled programmer. So my argument is, why not? What's the harm in setting up that second account?

    (Or better yet, as I also suggested, setting a completely separate Virtual Machine just for secure browsing?)

  10. #10
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Re: Safe Browsing With OpenSUSE

    OK, I wanted to make sure I wasn't sharing anything that wasn't already known before I posted this ... hey, I'm a bright guy with a devious mind, but I don't think I'm the smartest guy on the Internet. Sure enough, the Bad Guys already know this trick.

    Dood: you keep talking about how secure WPA2-(whatever) is. The "(whatever)" is on purpose; I don't care if you're using a custom 4096-bit cipher. I know how I'd do it, and like I said, I wanted to make sure that I wasn't giving away anything, but again, the Bad Guys not only know about this, they already have the stuff to do it.

    Here you go: you simply take a high-powered access point close to the area that you want to scam. Steal (using easily downloaded tools) enough info about the wireless internet to "fake" the real network. Turn on your high-powered transmitter and wait a few minutes. Your signal will "Swamp" the normal signal, so they're accessing YOU now, instead of the legit access point(!). When people try to log in (or log back in), you can present them with a login page that asks for the password (or log keystrokes, or whatever).

    Presto, chango, you have the password to that wireless network. Turn off your high-powered access point, people inside shake their heads and say, "the wireless must be glitching today," reconnect, and continue browsing ... and meanwhile, you're on the network, sniffing like a bloodhound.

    It pays, too -- a bunch of yuppies at a Starbucks might have pretty big bank accounts.

    Dood: do some Google searches. That's all I'm saying. If you're convinced that WPA2 with TLS/SSL is enough to protect you, have right at it. When someone eventually digs into your bank account and you go, "wha! Wha' happen???" ... don't say you weren't warned.
    Last edited by smpoole7; 13-Jan-2010 at 10:48. Reason: I'm done now ...
