How secure is my openSUSE system, really?

I listen to people talk, I read on the subject often. Those that are in the industry do tell me how easy it is for “agencies” to remotely access your phone and computer to snoop or gather information. So, now I am forced to wonder… I have felt pretty secure on my Linux machine(s). I monitor logs frequently to see if there is any questionable activity but I am now forced to wonder. Can my webcam or microphone be remotely activated on my [openSUSE] machine without my knowledge? Are they that good? Can I be comfortable in the security of my machine?

On a related note, how secure is my Android phone? Mine is rooted with my choice in ROM image but I am not convinced that it is all that secure.

Thoughts? Case studies or experiences?

Cheers!
-Nathan

> Thoughts?

don’t do, say, write, watch, or listen to anything you wouldn’t want
everyone in the world to know you did, said, wrote, watched or heard.

then, it does not matter who has kracked which of your
electrogizmos (as long as you never feed any of those with your
credit card numbers, bank/savings/broker account access codes, etc
etc etc etc)…

otherwise, the only computer/phone/game device that is 100% secure is
the one inside a locked and sound proofed vault, with no connectivity
to any network, not powered by any source, and never booted.


dd

if you are not doing anything illegal - I guess you don’t have anything to worry about?

On Thu, 13 Jun 2013 14:16:01 +0000, futureboy wrote:

> I listen to people talk, I read on the subject often. Those that are in
> the industry do tell me how easy it is for “agencies” to remotely access
> your phone and computer to snoop or gather information. So, now I am
> forced to wonder… I have felt pretty secure on my Linux machine(s). I
> monitor logs frequently to see if there is any questionable activity but
> I am now forced to wonder. Can my webcam or microphone be remotely
> activated on my [openSUSE] machine without my knowledge? Are they that
> good? Can I be comfortable in the security of my machine?
>
> On a related note, how secure is my Android phone? Mine is rooted with
> my choice in ROM image but I am not convinced that it is all that
> secure.
>
> Thoughts? Case studies or experiences?

Security isn’t entirely about the OS in use, but about how it is used and
the practices put in place.

So the questions that I’d ask in exchange for your questions start with
these: What are your personal security practices? Do you run with no
firewall? Or do you run with a firewall that’s properly configured to
only allow services in that you’ve specifically set up?

Do you only visit known reliable websites, or do you spend a lot of time
surfing “warez” sites? Do you only install software from reliable
sources, and how do you determine that those sources are reliable?

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I do have a properly configured firewall. Nothing is needlessly run, I’m not worried about any of my activities that I conduct on this computer, I don’t do illegal things and I don’t go to questionable sites. I don’t install software from any sources that would be considered suspect. I am generally a bit paranoid about these things. I do keep a lot of information about me on my computer. I realize that a system that is never connected is a secure one but then again, if I never leave my home I am never at risk of getting sick; neither of which are an option. So, beyond all the pretty standard smart actions to be taken, how can I be sure that my system won’t be compromised? I do understand that when I communicate across the Internet there is always a chance that someone is recording and collecting packets, got it, that doesn’t concern me as much as the idea of a directed attack or weaknesses in software that would be leaking information or providing a hole in my security. I read the security notices and accept all updates to ensure that my system is hardened. I do not run AppArmor. Is that worth the overhead and setup?

On 06/13/2013 07:16 PM, futureboy wrote:
> I do not run AppArmor. Is that
> worth the overhead and setup?

i took the default install of AppArmor and have not spent one minute
changing the setup…that may mean it is not worth anything…on
the other hand, with my other ‘standard’ security practices i have
not been compromised…yet.

to more directly answer your question (than i did earlier), the
security of your system is more dependent on your security practices
than on the security of openSUSE itself (i think that is also what
Jim is saying)… but, if you want to just look at openSUSE, i’d say
that a default install with default settings is pretty good security
from the gitgo…probably better than any non-*nix-like operating
system you can buy…

if you match the system with good practices you really have a pretty
strong system.


dd

On 2013-06-13 18:06, RichardET wrote:
>
> if you are not doing anything illegal - I guess you don’t have anything
> to worry about?

Wrong.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-06-13 16:16, futureboy wrote:

> Can my webcam or microphone be remotely
> activated on my [openSUSE] machine without my knowledge?

I don’t think so. Perhaps in Windows, knowing of a suitable exploit in
advance. You have to get shell access somehow.

With a browser… Google Talk needs a plugin to pick up the camera, and
you have to install that one first. You can do many things with applets
and things.

There are hardware things that would work in Linux: a dongle connected
to your keyboard, it would capture your passwords. That’s why banks ask
you to key the pass with a mouse in the screen.

Then there are humans.

Time ago I met a group of youngsters, no longer teenagers, that
routinely hacked their girlfriends’ computers with software to open
backdoors to them, for spying the girls, reading their email, etc. In
that group there was only a girl, and she was not present in this
conversation: I do not know if the girls do the same things to their
boyfriends.

This was not done remotely: they took their chance when doing
maintenance on those computers.

This is of course illegal, highly unethical, and absolutely wrong way to
go about in a relationship!

But then, they were using software that is easily available on
Internet. For Windows, dunno about Linux.

> On a related note, how secure is my Android phone? Mine is rooted with
> my choice in ROM image but I am not convinced that it is all that
> secure.

Good question.

I’m very hesitant to use it on open wifi spots.

Whatsapp is a very nice thing, but… we know they capture our messages.
Me living on Spain, it irks me that Mr Obama is saving my messages
routinely and perhaps reading them - as I’m not a USA citizen, he
doesn’t need a court order.

I said whatsapp, which is assumed to be private but is not. But all big
email providers (google…) are “hacked” for routine surveillance…

The only private electronic communication is that sent encrypted end to
end without the supplier intervention. And doing it may arouse the
authorities’ attention to you!

On 2013-06-13 19:16, futureboy wrote:

> So, beyond all the pretty standard smart actions to be
> taken, how can I be sure that my system won’t be compromised?

I don’t think we can be (absolutely) sure.

> I do
> understand that when I communicate across the Internet there is always a
> chance that someone is recording and collecting packets, got it,

And someone does, automatically. It is all over in the news about now.

> that
> doesn’t concern me as much as the idea of a directed attack or
> weaknesses in software that would be leaking information or providing a
> hole in my security. I read the security notices and accept all updates
> to ensure that my system is hardened.

The problem is the security holes that have not been found yet. It is a
war out there. Given enough money and “intelligent” chaps, they may find
a manner.

> I do not run AppArmor. Is that worth the overhead and setup?

I don’t know, but I use it. At least it should be used on any service
opened to the outside.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I’m not much interested in discussing the ethical or political perspectives of all this because I don’t want to cause a flame war or anything. I am most interested in protecting my data.

I do appreciate your insight. What do you do to ensure that your system hasn’t been compromised? Outside of photos, I keep nothing on my phone that is “precious” to me.

Outside of what I read and see on the news, what really tipped me to ask the question was this page:
https://en.opensuse.org/SDB:Skype#Privacy_and_security

I don’t leave Skype active but reading this tells me that I SHOULD have AppArmor installed and running to keep this application “Jailed.” This, combined with other posts here has me convinced I need to further harden my system.

I do appreciate the input.

So what if the US government captures your communications - again, if you are not communicating with terrorists, then you have nothing to worry about.

On 06/13/2013 09:36 PM, futureboy wrote:
> Outside of photos, I keep nothing on my
> phone that is “precious” to me.

are you running openSUSE on your phone?


dd

It sounds like you are practicing good security.

On Thu, 13 Jun 2013 17:16:03 +0000, futureboy wrote:

> So,
> beyond all the pretty standard smart actions to be taken, how can I be
> sure that my system won’t be compromised?

A guarantee? There is none. From what you describe, it sounds like
you’re unlikely to be compromised, but it’s never about the last exploit,
it’s always about the next one.

AppArmor could help, because it looks at behaviours, but even with the
wizard in YaST it’s not something for the faint-hearted. You can as
easily configure behaviours that break your system (have done it myself)
as configure to protect yourself.

Keep an eye on the logs, keep an eye on accesses to your system, don’t
configure port forwarding on your router to connect to your machine
unless you’re absolutely sure what you’re doing, and you’ll probably be
OK.

I’ve been in the IT field since the late 80’s, and have been using
computers since the early 80’s. I have a lot of experience in managing
corporate systems, but my home systems (the ones exposed to the outside
world, that is) have occasionally been compromised. It hasn’t been
Linux, it’s been applications running on top of it - easily compromised
portal software (PHP-Nuke, for instance, or old versions of B2Evolution,
or old versions of Mediawiki even). If you set something like that up,
you have to be prepared to keep it managed and current, just like the
rest of the system. I set stuff up on occasion to look at and then
forget that I’ve set it up. Not on production boxes, but I have a server
here at home that I do a lot of testing with, and I’ve had to take
additional steps to secure it because of bot attacks.

That’s what I mean by “no guarantees”. It depends on what you do and how
seriously you take it. I don’t take my test box as seriously as I
should, and it gets compromised occasionally, and I know what I’m doing.
I just get lazy. :)

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Thu, 13 Jun 2013 19:41:01 +0000, dd wrote:

> On 06/13/2013 09:36 PM, futureboy wrote:
>> Outside of photos, I keep nothing on my phone that is “precious” to me.
>
> are you running openSUSE on your phone?

He said he runs Android on his phone, and openSUSE on his desktop.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 6/13/2013 1:28 PM, Carlos E. R. wrote:
> Whatsapp is a very nice thing, but… we know they capture our messages.
> Me living on Spain, it irks me that Mr Obama is saving my messages
> routinely and perhaps reading them - as I’m not a USA citizen, he
> doesn’t need a court order.

I think it is safe to assume that there are a number of intelligence agencies around the world, either acting alone or in consort
with other intelligence agencies, are monitoring your electronic communications. The activities of the USA in this regard have
been a fairly open secret for some years.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Staying inside a locked and sound proofed vault, with no connectivity to any network, not powered by any source, and never booted, sounds like a brain which does not mix with the rest of humanity.

Even this most secure system, the one between our ears, is known to leak information… usually in the worst possible places :)

On 06/14/2013 07:16 AM, paulparker wrote:
> Staying inside a locked and sound proofed vault, with no connectivity to
> any network, not powered by any source, and never booted, sounds like a
> brain which does not mix with the rest of humanity.

i didn’t write that the user had to stay in that environment…only
that those are the environmental conditions required for an
electro-gizmo to meet the OP’s “be comfortable in the security of my
machine” goal…

any other environment is sure to lead to some level of
‘uncomfortable’ and therefore auto-prompting mitigating actions to
increase security…

none of those actions would require the user to walk into the vault
and close the door behind . . .

on the other hand, sometimes extreme security measures are needed.
for example, i have worked from terminals inside an armed guard
secured vault from which no radio frequency emanation
(http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf)
could escape, nor electromagnetic pulse
(http://en.wikipedia.org/wiki/Nuclear_electromagnetic_pulse)
could enter…and 100% positive physical access control to all
keyboards/screens/etc was the 24x7x365 rule.


dd

I am likening computer security much like home security. I have quality locks, in the knob and dead bolt, a dog, motion sensors tied to lights and I tend not to have anything that is really worth stealing in view of any windows of the house. Can someone break into my home? Certainly. Depends on what level of force they would like to use. If I am inside the house when it happens, they will be confronted with a measure of force. My house is most certainly not secured like a military base, not practical and would only invite more interest. I just want to be able to know that if someone attempts to access my machine, I know that they are. I am pretty confident that I would be notified based on the logs I monitor. I think it would be practical to have some kind of daemon intrusively tell me that something may be happening (like a motion sensor). What do you use besides log monitoring to notify you of suspicious activity?
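
Added example, not part of any post in this thread: one way to get a "motion sensor" for the webcam and microphone question raised at the top is to list which processes currently hold a camera or sound device open by walking `/proc/<pid>/fd` on Linux. The function names and the watched path prefixes are choices made for this sketch.

```python
#!/usr/bin/env python3
"""List processes that currently hold a camera or sound device open (Linux)."""
import os
import sys

# Device paths to watch: V4L2 cameras and ALSA sound nodes (assumed defaults).
WATCHED_PREFIXES = ("/dev/video", "/dev/snd/")


def read_comm(proc_root, pid):
    """Read the short command name the kernel exposes in /proc/<pid>/comm."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def find_device_users(proc_root="/proc", prefixes=WATCHED_PREFIXES):
    """Return sorted (pid, command, device) tuples for open watched devices.

    Processes whose fd directory cannot be read (other users' processes when
    not running as root) are skipped, so run as root for a complete picture.
    """
    hits = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited or permission denied
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # descriptor closed while we were looking
            if target.startswith(prefixes):
                hits.add((int(entry), read_comm(proc_root, entry), target))
    return sorted(hits)


if __name__ == "__main__":
    users = find_device_users()
    for pid, comm, device in users:
        print(f"{device} is open by pid {pid} ({comm})")
    # Non-zero exit lets cron or a systemd timer turn a hit into an alert.
    sys.exit(1 if users else 0)
```

On a desktop the sound server normally keeps `/dev/snd/control*` nodes open, so treat its entry as the baseline and look for anything new, especially on `/dev/video*` or the capture nodes whose names end in `c`.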

On 2013-06-13 21:36, futureboy wrote:

> I do appreciate your insight. What do you do to ensure that your
> system hasn’t been compromised? Outside of photos, I keep nothing on my
> phone that is “precious” to me.

In Spain, for example, to order a bank transaction from my desktop
computer, I get a short message on my cellular with a one time pin. The
government tax agency sends another SMS with the pin to retrieve my
pre-filled tax form (and which is lost on a bricked Nokia that I dare
not recycle)

>
> Outside of what I read and see on the news, what really tipped me to
> ask the question was this page:
> https://en.opensuse.org/SDB:Skype#Privacy_and_security
>
> I don’t leave Skype active but reading this tells me that I SHOULD have
> AppArmor installed and running to keep this application “Jailed.” This,
> combined with other posts here has me convinced I need to further harden
> my system.

Good idea. I’ll have a look at it.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-06-13 21:46, RichardET wrote:
> So what if the US government captures your communications - again, if
> you are not communicating with terrorists, then you have nothing to
> worry about.

Yes, I do. It is not my government, nor my country. I can’t go to court
about my violated privacy. It hurts my feelings.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-06-14 06:21, PV wrote:
> On 6/13/2013 1:28 PM, Carlos E. R. wrote:
>> Whatsapp is a very nice thing, but… we know they capture our messages.
>> Me living on Spain, it irks me that Mr Obama is saving my messages
>> routinely and perhaps reading them - as I’m not a USA citizen, he
>> doesn’t need a court order.
>
> I think it is safe to assume that there are a number of intelligence
> agencies around the world, either acting alone or in consort with other
> intelligence agencies, are monitoring your electronic communications.
> The activities of the USA in this regard have been a fairly open secret
> for some years.

I know, I’m not that naive :)

But monitoring in advance at such a large scale, can not be done by
every country.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)