Safe Browsing With OpenSUSE

What spurred this post was a phone call the other day from my credit card company: someone had obtained that credit card number and had tried to make a bunch of bogus purchases with it. Fortunately, all were declined (I have account protection on that card), but it reminded me again of how vulnerable we all are to identity theft.

In this particular case, I’m not sure that a crooked motel employee didn’t use the number, but I thought I’d share some safe browsing tips while they’re on my mind.

  1. Get some form of account protection. There are dozens of plans, some great, some worthless, some dirt cheap and some relatively expensive. I’m not going to recommend one here because they vary from one region to the next.

  2. Never, ever, ever browse with Windows at a WiFi hotspot. You’re just begging for trouble. Windows is well-known and WEP, WPA and WPA2 can all be cracked. The cracker doesn’t even need to be in the Starbucks or motel with you: he might be outside in his car with a laptop.

  3. Even with secured Linux, don’t ever do sensitive transactions (banking, etc.) on a wireless network. Use a wired connection.

  4. If you’re really paranoid like I am, create a separate account on your Suse machine at home that is only ever used for financial transactions. Here’s how I do it:

a. - YaST -> Security and Users -> Users and Groups. Create a new user and give it a good, strong password.

b. - KMenu -> System -> File Manager (Super User Mode), find that new directory (in “/home/[newusername]”) and eliminate all read/write permissions for anyone other than “[newusername].” You don’t even want anyone else looking in that directory. Simply right click on the folder [newusername] and set the permissions to deny for everyone but that user.

c. - It’s no fun browsing without Flash nowadays, so you can leave it enabled for your regular user account. But for this one, if you’re using Firefox, download an addon such as FlashBlock to prevent it from running. If your bank or credit card company requires Flash to use their site, write them a nasty email and change banks. :slight_smile:

Now you’ll log out of your regular account, and log into this new user account, for all critical financial transactions. As soon as you’re done, log out of the new account and go back to your older, regular account. Use the regular account for all browsing EXCEPT financial or personal transactions. Don’t ever mix the two.

Another idea, somewhat advanced (and even more paranoid), is to install VirtualBox (available in the Build repositories) and actually create a separate VM with OpenSUSE in it just for sensitive browsing. Take a snapshot before you ever start browsing. That’s your “known good gold standard.”

After each session in the VM, blow out the VM and restore from that known-good snapshot. I don’t do this, to be honest, but some people swear by it. Even if you were to get a nasty worm in that VM, once you blow it out and restore from the snapshot, the worm is gone.

You should also always run the Suse firewall. Don’t ever disable it. All of these tips are for a single user at home, but if you’re on a larger network with several machines, get help from a knowledgeable friend (or post a request here), if need be. You’ll need to be selective in what you allow and refuse.

If anyone else has tips, I’m all ears.
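The same recipe as steps a and b above, done from a root shell instead of YaST and the file manager, plus the VirtualBox snapshot cycle. This is an added example, not code from the original post; it assumes a Linux box with useradd, chmod and stat, and VirtualBox’s VBoxManage on the PATH for the VM part. The account name “banking” and the VM name “bankvm” are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the forum post): dedicated banking account with a
# home directory nobody else can enter, plus a VirtualBox "gold snapshot" cycle.
# Assumes Linux, coreutils and VirtualBox; "banking" and "bankvm" are made-up names.

# Print a path's permission bits in octal (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step b of the post: remove every permission for group and others on the home
# directory so no other account can even list it. Succeeds only if the mode
# really is 700 afterwards.
lock_home() {
    chmod 700 "$1" && [ "$(perm_of "$1")" = "700" ]
}

# Steps a+b together: create the account with a home directory and a login
# shell, set its password interactively, then lock the home. Must run as root.
create_banking_user() {
    name="$1"
    useradd -m -s /bin/bash "$name" || return 1
    passwd "$name" || return 1
    lock_home "/home/$name"
}

# Audit helper: report every home directory under the given base that group or
# others can reach. Prints the offending paths; returns 0 when all are private.
audit_homes() {
    bad=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        case "$(perm_of "$d")" in
            700) ;;
            *) echo "not private: $d"; bad=1 ;;
        esac
    done
    return $bad
}

# VirtualBox variant from the post: take the "known good" snapshot once, while
# the VM is powered off and before any browsing has happened.
vm_take_gold() {
    VBoxManage snapshot "$1" take "gold"
}

# Start each session from the gold snapshot (restore requires the VM to be off).
vm_session_start() {
    VBoxManage snapshot "$1" restore "gold" || return 1
    VBoxManage startvm "$1" --type gui
}

# End the session by discarding the running state; the next start restores gold.
vm_session_end() {
    VBoxManage controlvm "$1" poweroff
}

# Typical use as root (commented out so the file can be sourced safely):
# create_banking_user banking && audit_homes /home
# vm_take_gold bankvm; vm_session_start bankvm; ...; vm_session_end bankvm
```

The audit function is the check worth keeping around: a later package update or a stray chmod can quietly reopen the directory, and `audit_homes /home` will say so.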

Thank you for the ideas. They strike me as being very good advice. Although I do not know if I am ready to implement all of them :stuck_out_tongue: it is great to have this listing for reference.

You ARE paranoid :wink:

If you would handle big amounts of money over the Internet…you should be too. The amount of fraudulent activities on web-banking is ever growing. And I think more than 80% of the worms, Trojans and so on are taken as “drive by”. That is, you are looking at a web-page and your browser has a security flaw, your user account may be compromised. If you are on Windows probably everything may be compromised. But you are smart, using Linux. So…you open a dedicated user account. I think this is more than sensible. BTW, did you repair by hand the security flaw in Adobe Acrobat Reader? A lot of people did not, and up to today a security fix was not available. Makes weeks of exposure. Well, better be “paranoid” a bit when it comes to home-banking / e-banking. IMHO a good thread and initiative.

Good post, but there are a couple of things that caught my attention:

I agree on not using Windows (under any circumstances), but where did you get that WPA2 can be cracked? As far as I know, WEP can be EASILY cracked, WPA can only be brute-force attacked and WPA2 is still safe. Can you post a link?

I would say, never do sensitive transactions on unsecured HTTP connections (always use HTTPS). When using HTTPS on a cracked wi-fi, how would someone read the encrypted data that passes through the intertubes?

This only works if your normal user account has been compromised via ssh. If you are not running sshd or you have carefully configured it, then you should be fine. If you insist on having a separate account for banking, then you have to disable ssh access for that user. If you don’t, what’s the purpose of a separate account?

If you want to protect yourself from being attacked by someone that has gained physical control of your computer, then separate accounts will not help. Encrypting your whole disk may be the only solution.
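Following up on the point about disabling SSH access for the dedicated account: OpenSSH’s `DenyUsers` directive does exactly that. Below is an added example, not code from the thread or from openSUSE, that appends the directive to an sshd_config idempotently and verifies the result. It takes the config path as a parameter so you can try it on a copy before touching /etc/ssh/sshd_config; the account name “banking” is made up.

```shell
#!/bin/sh
# Added example (not from the thread): deny SSH logins to the dedicated banking
# account so it is reachable only from the local console. Assumes OpenSSH's
# sshd_config syntax ("DenyUsers user1 user2 ..."); "banking" is a made-up name.

# Read-only check: does this sshd_config already list the user on a DenyUsers line?
# Matches the user as a whole word anywhere on the line, so "DenyUsers bob banking"
# counts but "DenyUsers bankingx" does not.
ssh_user_denied() {
    cfg="$1"; user="$2"
    grep -Eq "^[[:space:]]*DenyUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$user([[:space:]]|\$)" "$cfg"
}

# Append "DenyUsers <user>" unless the user is already denied, then re-check.
# Returns 0 only when the user is denied in the file afterwards.
deny_ssh_user() {
    cfg="$1"; user="$2"
    if ssh_user_denied "$cfg" "$user"; then
        return 0
    fi
    printf 'DenyUsers %s\n' "$user" >> "$cfg" || return 1
    ssh_user_denied "$cfg" "$user"
}

# Typical use as root (commented out so the file can be sourced safely):
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# deny_ssh_user /etc/ssh/sshd_config banking && echo "now reload sshd"
```

After editing the real file, reload or restart sshd for the change to take effect; running the check function first on the live config tells you whether anything needs to change at all.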

WiFi is no longer a viable secure connection - SC Magazine UK

This was almost a, “Let Me Google That For You.” But I won’t pick on you. Here’s the thing, and take this lesson away from it: just because something is secure NOW doesn’t mean that it’ll be secure NEXT YEAR. You apparently read somewhere when WPA/WPA2 were introduced that they were “secure,” but it was only a matter of time before they were cracked.

Mitigation: a really, really good password causes the brute force attack to take a lot longer. But (as this article points out) using a separate, dedicated processor just to do the brute force WILL succeed eventually. If the password isn’t especially strong, it won’t take long at all.

I would say, never do sensitive transactions on unsecured HTTP connections (always use HTTPS). When using HTTPS on a cracked wi-fi, how would someone read the encrypted data that passes through the intertubes?

It would be harder, but it would still be possible. The problem is that there are parts of every transaction that can be predicted. If the bad guy IS in the Starbucks with you, he might be watching to see that you’ve browsed to Wachovia Bank to check your account. He knows the basic layout of that page, and can “seed” his cracking algorithms with that. He takes a snapshot of your transaction and then cracks it at his leisure elsewhere.

This only works if your normal user account has been compromised via ssh …

I don’t understand your point here, so I won’t respond to it. SSH is not the only way to compromise a user’s account.

The real danger at present (and this will change in time, as these things do) seems to be that you might browse to a Website that uses Flash to install something that will monitor keystrokes and/or passphrases, sending a report to a Bad Guy over the Internet. SSH isn’t even involved.

If you want to protect yourself from being attacked by someone that has gained physical control …

Correct. I was talking about Safe Browsing, whence the title. If someone has physical access or physical control of your computer, then all bets are off. :slight_smile:

By the way, one other thing needs to be mentioned … most public WiFi hotspots aren’t even secured. Only a maniac browses to their bank at those places, whether using Linux, Mac or Windows.

More on the HTTPS thing mentioned by TioDuke: HTTPS is certainly more secure than plain-text HTTP, but it can also be cracked. I’m not a huge fan of anonymous, negotiated peer-to-peer secure connections, anyway. Unless both sides have agreed to a secret, strong password in advance, it can be cracked fairly easily (as was proved some years ago when someone cracked PGP, which is similar in concept).

Whence my suggestions in the original post. You can check the weather, the news and other sites at a wireless spot (if you’re at a motel, as I also mentioned, that’s probably all that’s available). But don’t ever, ever browse to your bank, not even if the motel (atypically) has a strong password with WPA2. It’s just not worth the risk.

Just my opinion, and also need to clarify that my suggestions above about creating a separate account just for secure browsing are meant to protect the average user from Web-based attacks more than anything else.

I have read the article but frankly there aren’t many explanations in there: just some vendor company claiming they have achieved more processing power that may allow them to brute-force WPA2. It says “publicity” all over the place. I would be more worried about a botnet’s processing power.

As you said, weak passphrases are easy to brute force. But that does not make the algorithm invalid, just the use someone makes of it. The problem with WEP is that the passphrase can be calculated provided you collect some data, and with WPA that it indeed does help the brute-force attacker. WPA2-CCMP is the most secure you can get nowadays as it uses AES (256, I think): secure enough, in my opinion.

Honestly, I don’t understand what you are saying here. Do you mean MITM attacks?

I’ll try to be clearer. What I was trying to say is that account separation can be used as a means of differentiating ssh access for different ‘roles’. I don’t see how it can help with secure browsing as either account could be susceptible to attacking. Account separation won’t help on the “physical level”, as you agreed. One may, as you say, enable flash for an account and disallow it for the other, but IMO a better way would be to use something like NoScript that will selectably block flash and other unpleasantries while you browse.

BTW, are you sure Flash is able to install anything in your computer? I mean, isn’t it sandboxed so that it has no access to writing to disk or other system resources? If not, it should.

My point was, if you Google “WPA2 cracking” or something like that, you’ll see that (a), it can be cracked, (b), it has been cracked many times, and (c), the length of time to crack is related to the strength of the password. That link I provided was just one of many.

I’ll try to be clearer. What I was trying to say is that account separation can be used as a means of differentiating ssh access for different ‘roles’. I don’t see how it can help with secure browsing as either account could be susceptible to attacking.

The issue is “secure browsing.” The idea behind using a separate account, with flash and other similar add-ons disabled, is that even if your main account gets compromised, your secure user won’t be.

(Unless your “main” account is “root,” but anyone who browses as root deserves what happens to them. :slight_smile: )

BTW, are you sure Flash is able to install anything in your computer? I mean, isn’t it sandboxed so that it has no access to writing to disk or other system resources? If not, it should.

You’re surprising me again. Are you unaware of the security holes that have been found in Flash? Google that one, too. The problem is that it takes Adobe quite some time to address these holes when they’re found, so you’re exposed for quite some time.

Whence my suggestions: Just killing the wireless, unplugging the RJ45 from your computer and refusing to browse the Internet at all would obviously be the safest thing, but that’s hardly appealing (or even practical, nowadays). But if you set up a separate user account just for critical, sensitive browsing, and protect that account as I outlined above, then if your main account should be compromised, you at least have one additional layer of protection.

The idea is that a cracker might use Flash (or something else) to install a keylogger, for example. OK, if that logger is only in your main user account, then the Bad Guy™ would be able to see your password(s) for this forum, for example. That would be ugly. But he wouldn’t be able to keylog you entering the password on your banking account, because that’s a separate user that lives in a protected directory.

The other point is that this is relatively easy to do – both on your end, with the separate user account (criminally easy), in fact, and on the other side of the aisle, it’s relatively easy for the attacker.

This is not theoretical. If you’re a cracker, especially if you hang out at the Bad Guy Websites, you can easily download the scripts and tools to do the cracking. You don’t even have to be a skilled programmer. So my argument is, why not? What’s the harm in setting up that second account?

(Or better yet, as I also suggested, setting a completely separate Virtual Machine just for secure browsing?)

OK, I wanted to make sure I wasn’t sharing anything that wasn’t already known before I posted this … hey, I’m a bright guy with a devious mind, but I don’t think I’m the smartest guy on the Internet. Sure enough, the Bad Guys already know this trick.

Dood: you keep talking about how secure WPA2-(whatever) is. The “(whatever)” is on purpose; I don’t care if you’re using a custom 4096-bit cipher. I know how I’d do it, and like I said, I wanted to make sure that I wasn’t giving away anything, but again, the Bad Guys not only know about this, they already have the stuff to do it.

Here you go: you simply take a high-powered access point close to the area that you want to scam. Steal (using easy-downloaded tools) enough info about the wireless internet to “fake” the real network. Turn on your high-powered transmitter and wait a few minutes. Your signal will “Swamp” the normal signal, so they’re accessing YOU now, instead of the legit access point(!). When people try to log in (or log back in), you can present them with a login page that asks for the password (or log keystrokes, or whatever).

Presto, chango, you have the password to that wireless network. Turn off your high-powered access point, people inside shake their heads and say, “the wireless must be glitching today,” reconnect, and continue browsing … and meanwhile, you’re on the network, sniffing like a bloodhound.

It pays, too – a bunch of yuppies at a Starbucks might have pretty big bank accounts. :slight_smile:

Dood: do some Google searches. That’s all I’m saying. If you’re convinced that WPA2 with TLS/SSL is enough to protect you, have right at it. When someone eventually digs into your bank account and you go, “wha! Wha’ happen???” … don’t say you weren’t warned. :slight_smile:

Some good points there, thanks for that :).

New “banking” account created ;).

First of all a clarification: I am not trying to nitpick on what you say. In fact, I got really interested on your post and I wanted to discuss it further: just as we both are doing right now. I just wanted to say this because sometimes it is hard to communicate one’s intentions when posting on forums.

I know of them as I normally follow security news. However, I am only aware of “remote code execution” flaws, but not about malware installation on the victim’s computer. Heck, I am almost certain the decent browsers (Opera, FF) sandbox active content (javascript, Flash) so that they are unable to install/write something on disk. In theory, remote code execution (via buffer overruns or what-not) could be able to listen on keystrokes, but I seriously doubt someone would be able to create such a payload that would be both able to listen and retransmit the information and be small enough to fit.

How does this work on an encrypted network, seriously? You need to know the key in order for the clients to be able to connect to you. On unsecured wi-fi connections OK, but encrypted networks?

PS: As I said at the beginning, I am really enjoying this exchange. Thanks.

What about THIS for example. No malware with flash???
See as well AVIRA Press Center - Security flaw in Adobe Flash Player
And all recent: Adobe Flash Security Model Permits Malware – InformationWeek

Honestly I have a bit a feeling of “troll alert” as this cannot be unknown to you.
And about serious browsers:
Addons: Adobe Flash Security Model Permits Malware – InformationWeek
Firefox: read WHAT has been fixed recently: Security Advisories for Firefox 3.5

I think he did state very valid problems in his thread. And I do not get the point of your “exchange” right now. If you state things like “I am almost certain” then we would like to know why. Are you a pro of security? Is it your job? Did you do extensive research on the problem? What about posting your information sources together with your statements (since you are almost sure you will have some…)

Thanks. I couldn’t remember the details a while ago, but I remember when that one was announced. Do you realize that this means you could pick up malware just by going to YouTube???!?

Honestly I have a bit a feeling of “troll alert” as this cannot be unknown to you …

Aw, let’s give him the benefit of the doubt. He certainly wouldn’t be the first person to assume that he’s safe, when he isn’t. Remember that people like you and I hang out here and in other fora where vulnerabilities are regularly reported and discussed. Sadly, a lot of people are still unaware of them.

The question is, how good is that “sandbox?” Speaking as someone who used to write security software back in the DOS era, you’d be surprised. A 100% effective, “sealed” sandbox would limit the user. (Ex: this is why a true Virtual Machine won’t allow you to directly access the host hard drive. It’s made that way on purpose – but a lot of people complain about this.)

Nowadays, of course, you add another fly in the ointment: DRM, copyright protection, etc., et. al. Paradoxically, these things which are supposed to protect the copyright owner from theft can also provide a vector for malware (because instead of simply displaying the file, there must be active code – at the very least, some Javascript – that asks for a password or some other key).

In theory, remote code execution (via buffer overruns or what-not) could be able to listen on keystrokes, but I seriously doubt someone would be able to create such a payload that would be both able to listen and retransmit the information and be small enough to fit.

Then once again, you need to do some google searches. Define “small enough.” With the average machine having 1 Gig of RAM nowadays, there’s plenty of room to hide a 30-50K block of malware. Once again, this isn’t theory: it has been demonstrated.

Shoot, it doesn’t even have to be installed malware: you can put together a “sniffer” that will actually allow you to capture keystrokes from stray emissions. :slight_smile:

How does this work on an encrypted network, seriously? You need to know the key in order for the clients to be able to connect to you. On unsecured wi-fi connections OK, but encrypted networks?

Well, since I’ve started, I’ll finish: people don’t like inconvenience, so they like network connection managers that automatically reconnect when the signal drops. OK, I bring in my high-powered access point: I don’t even have to know what’s going on. All I need do is pretend to be the access point on the right channel (trivially easy to determine). As my stronger signal “swamps” and “argues with” (for lack of a better term) the legitimate signal, your connection manager will probably retransmit the keys automatically! I simply grab the keys that way.

:slight_smile:

(Told you I was devious.)

(And again, if you think I’m being dramatic … here in Birmingham this past Christmas, the police issued a warning for people to NOT use those keyless entry transmitters on their cars in crowded parking lots while shopping. It seems that there were actually crooks who’d “capture” the keyless entry code with a simple receiver, then use the captured code to sneak into your car and rob the gifts while you were inside the Mall!! :slight_smile: )

Bottom lines:

  1. Avoid wireless whenever possible.

  2. If you have no choice, don’t do any sensitive transactions on that wireless connection.

  3. Creating a separate user account for sensitive transactions, with all Add-ons disabled (except perhaps for JavaScript, but I’d even enable that, if I could), just makes good sense. Use that account ONLY for browsing to your bank. Use your other, normal user account for all other browsing, with Flash and the other buzzers and bells enabled.

No one single step will make you 100% safe (any more than a house with two alarm systems and three deadbolts on each door is actually 100% guaranteed burglar-proof). But little things add up. You’re reducing the risk.

This is unfair, to say the least, and makes me really sad.

I passed through those and really failed to see the case of malware being installed by malicious flash. Just remote code execution using, most of the time, memory overruns. I did some research and did not find any case of malware being installed this way (yes, the first link you posted talks about something of the sort, but then where’s the proof of concept?; without it, it’s just words).

Or maybe I am not that good at googling.

Thank you!

Good question for which I thought I had the answer, but I’ve just tried to research and came to no valuable results.

Back from the days I started using Opera (4-5 years ago) I had read somewhere that all javascript / flash was sandboxed so that it was not able to write to disk or even access local data. I assumed FF did the same, but then Google threw no results. So… it either changed (improbable) or I have always been mistaken. My bad.

I was referring to the payload injected using overrun techniques: they require the attacker to carefully craft the smallest code that would do the job (most of the time you get no more than 1k, normally much less).

Thanks again. But it is still not clear enough.

Would you be so kind to explain the technicalities here? Take for instance how a WPA2 client connects, where exactly this scheme is applied? I fail to understand how.

Thanks again.

I think it worth mentioning here that a Google of pwn2own 2007, 2008 and 2009 will be enlightening and educational. I’ve been a security paranoid for the last decade and half, ever since cleaning up the mess of my first virus (on a Mac!), and this contest educated, and scared, me. The pwnage was mostly thru javascript on FF and Opera, 2009 Win7 pwnage thru Flash.

This is unfair, to say the least, and makes me really sad.

Poor little star! I am so sorry. Will think about sending candies, swear. :cry:

I did some research and did not found any case of malware being installed this way (yes the first link you posted talks about something of the sort, but then where’s the prove of concept?; without it, it’s just words).

Well, yours too are just words, even without reference.

I am a bit surprised that even published references do not convince you.

Seriously, there is not only a proof of concept. At least for the pdf-javascript weakness there have been reportedly exploits. I will not google it up for you, these are communications of Adobe, go on their site (and therefore just words and not valuable?).
Or even this reference (Flash security vulnerability exploited in PDFs | Ars Technica) about the existing exploit Trojan.Pidief.G does say nothing. After all…
Note that this is not a “proof of concept”, this is already an existing exploit. There are however proof of concept pages findable on the web.

Hum, strange argumentation. Still, if these malware do not exist, why would Adobe communicate them? Wish of commercial suicide? A hidden “conjure” for pushing FUD about safe operating systems…? Tell me more about your thoughts.

Btw: what OS are you using right now? And do you use your PC for bank transactions?

Still this way of argumentation…I have this sense of “T” all the time… Has to be the weather! rotfl!

Won’t comment.

Flash on PDF exploit? Using Acrobat Reader? How does this one relate to “Safe Browsing” which is the subject of the thread?

I am on Linux and I do use my PC for online banking (but the PC is wired… go figure!).

What about you? Are you still running Ubuntu thru wubi?

Interesting. The thread (if you go by the “content” and not by the title, which is what one should always do, or do you “judge a book by its cover”?) is about how to use the PC in a secure way to do financial operations minimizing risks. Do we agree on this?

Even if we leave apart this issue, it is very straightforward to use the “flash-function in pdf” for an attack, whilst browsing. You indicate a link that does lead to a prepared call for the pdf plugin and (ab)uses the flash function. No need to open the pdf. Calling the link will suffice. I have started a thread, by the way, and asked whether we would be granted an update in the repos to 9.3 since the 8.2 version will not be available for Linux. Since the original article pointed out the need of a separate user account (for maximizing safety and to avoid the risk that userland may have been contaminated by exploit code), the reasons for such a choice are in the “day-by-day usage of this user identity for browsing purposes.”
Do we agree both that this enters consistently in the definition of safe browsing?

I am astonished. Are you irritated? You shouldn’t, my dear. I am glad you are on Linux, given the optimistic mentality, this is a very safe choice. :wink: Why should I use Ubuntu (never did) and why in all the world through the Windows installer…hum. This is however a comment that discharges you of the “T” accusation. A real one would never lose temper and spirit so fast. So you are real. This is very good news. Take it with spirit. I will not provoke you any more in this way. Promised.
Btw, a lot of people browse by here but are on other OS. So the question was more on what was your background.

I am on openSUSE 11.1, KDE3.5 and as browser using FF3.5.7 although occasionally I do appreciate to return to Opera. Just like the outfit and some of the gimmicks. I am using no-script with a very (maybe too) restrictive policy.
Currently I am avoiding bank affairs on PC when possible (because the web-presentations of European Banks - don’t know about Canada in general, but my Canadian bank two years ago, as long as I had an account there, wasn’t even able to send encrypted email - is hilariously unsafe in a number of cases. The main part of the problem are cross site scripting attacks that are still possible. But let’s say the overall motivation is still greed and not user security).

Of course total security is a chimera, a lot depends also where people go surfing. If they ship around Chinese xxx-sites, warez distributors and similar, well, then the odds are good you will encounter problems. Still, bank sites are real honey-pots for hackers…and then, against a compromised website even a separate user account will not help you much.

Apart from that, this summer thousands of Visa cards were recalled by German banking institutes because of abuse. First only cards used during the summer in Spain. Then it turned out that all cards that passed through the Spanish service provider were affected. So, one piece of advice will surely be to always check the monthly balance statement of your card and go through it one by one.

@smpool7
What do you think about ssh through vpn (openswan, not pptp of course). Safe enough on a public wifi in case of necessity?