Security

Ever since happening upon https://www.youtube.com/watch?v=cOkX2KQxkQI through a class I’m taking on crypto and cybercrime (torpig was discussed), I’ve been tracking krebsonsecurity.com - and just finished “Worm” and “Cuckoo’s Egg” - so to heck with Windows. I think there should be a “Security Forum” on forums.opensuse.org.

rkhunter (from Opensuse 13.1x64 Repo)

linux-l8th:/home/patti # rkhunter -c
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                                [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                         [ None found ]
    Checking for preloaded libraries                          [ None found ]
    Checking LD_LIBRARY_PATH variable                         [ Not found ]

  Performing file properties checks
    Checking for prerequisites                                [ Warning ]
    /usr/bin/awk                                              [ OK ]
    /usr/bin/basename                                         [ OK ]
    /usr/bin/cat                                              [ OK ]
    /usr/bin/chattr                                           [ OK ]
    /usr/bin/chkconfig                                        [ Warning ]
    /usr/bin/chmod                                            [ OK ]
    /usr/bin/runcon                                           [ OK ]
    /usr/bin/sed                                              [ OK ]
    /usr/bin/sh                                               [ OK ]
    /usr/bin/sha1sum                                          [ OK ]
    /usr/bin/sha224sum                                        [ OK ]
    /usr/bin/sha256sum                                        [ OK ]
    /usr/bin/sha384sum                                        [ OK ]
    /usr/bin/sha512sum                                        [ OK ]
    /usr/bin/users                                            [ OK ]
    /usr/bin/vmstat                                           [ OK ]
    /usr/bin/w                                                [ OK ]
    /usr/bin/watch                                            [ OK ]
    /usr/bin/wc                                               [ OK ]
    /usr/bin/wget                                             [ OK ]
    /usr/bin/whatis                                           [ OK ]
    /usr/bin/whereis                                          [ OK ]
    /usr/bin/which                                            [ OK ]
    /usr/bin/who                                              [ OK ]
    /usr/bin/whoami                                           [ OK ]
    /usr/bin/gawk                                             [ OK ]
    /usr/bin/tcsh                                             [ OK ]
    /usr/bin/mailx                                            [ OK ]
    /usr/bin/systemctl                                        [ OK ]
    /sbin/checkproc                                           [ OK ]
    /sbin/chkconfig                                           [ OK ]
    /sbin/depmod                                              [ OK ]
    /sbin/fsck                                                [ OK ]
    /sbin/ifconfig                                            [ OK ]
    /sbin/ifdown                                              [ OK ]
    /sbin/ifstatus                                            [ OK ]
    /sbin/ifup                                                [ Warning ]
    /sbin/init                                                [ OK ]
    /bin/sed                                                  [ OK ]
    /bin/sh                                                   [ OK ]
    /bin/sort                                                 [ OK ]
    /bin/stat                                                 [ OK ]
    /bin/su                                                   [ OK ]
    /bin/touch                                                [ OK ]
    /bin/uname                                                [ OK ]
    /bin/gawk                                                 [ OK ]
    /bin/tcsh                                                 [ OK ]
    /bin/systemd                                              [ OK ]
    /bin/systemctl                                            [ OK ]
    /usr/lib/systemd/systemd                                  [ OK ]
    /etc/rkhunter.conf                                        [ OK ]

[Press <ENTER> to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                  [ Not found ]
    ADM Worm                                                  [ Not found ]
    AjaKit Rootkit                                            [ Not found ]
    Adore Rootkit                                             [ Not found ]
    aPa Kit                                                   [ Not found ]
    Apache Worm                                               [ Not found ]
    Ambient (ark) Rootkit                                     [ Not found ]
    Balaur Rootkit                                            [ Not found ]
    BeastKit Rootkit                                          [ Not found ]
    beX2 Rootkit                                              [ Not found ]
    BOBKit Rootkit                                            [ Not found ]
    cb Rootkit                                                [ Not found ]
    CiNIK Worm (Slapper.B variant)                            [ Not found ]
    Danny-Boy's Abuse Kit                                     [ Not found ]
    Devil RootKit                                             [ Not found ]
    Dica-Kit Rootkit                                          [ Not found ]
    Dreams Rootkit                                            [ Not found ]
    Duarawkz Rootkit                                          [ Not found ]
    Enye LKM                                                  [ Not found ]
    Flea Linux Rootkit                                        [ Not found ]
    Fu Rootkit                                                [ Not found ]
    ****`it Rootkit                                           [ Not found ]
    GasKit Rootkit                                            [ Not found ]
    Heroin LKM                                                [ Not found ]
    HjC Kit                                                   [ Not found ]
    ignoKit Rootkit                                           [ Not found ]
    IntoXonia-NG Rootkit                                      [ Not found ]
    Irix Rootkit                                              [ Not found ]
    Jynx Rootkit                                              [ Not found ]
    KBeast Rootkit                                            [ Not found ]
    Kitko Rootkit                                             [ Not found ]
    Knark Rootkit                                             [ Not found ]
    ld-linuxv.so Rootkit                                      [ Not found ]
    Li0n Worm                                                 [ Not found ]
    Lockit / LJK2 Rootkit                                     [ Not found ]
    Mood-NT Rootkit                                           [ Not found ]
    MRK Rootkit                                               [ Not found ]
    Ni0 Rootkit                                               [ Not found ]
    Ohhara Rootkit                                            [ Not found ]
    Optic Kit (Tux) Worm                                      [ Not found ]
    Oz Rootkit                                                [ Not found ]
    Phalanx Rootkit                                           [ Not found ]
    Phalanx2 Rootkit                                          [ Not found ]
    Phalanx2 Rootkit (extended tests)                         [ Not found ]
    Portacelo Rootkit                                         [ Not found ]
    R3dstorm Toolkit                                          [ Not found ]
    RH-Sharpe's Rootkit                                       [ Not found ]
    RSHA's Rootkit                                            [ Not found ]
    Scalper Worm                                              [ Not found ]
    Sebek LKM                                                 [ Not found ]
    Shutdown Rootkit                                          [ Not found ]
    SHV4 Rootkit                                              [ Not found ]
    trNkit Rootkit                                            [ Not found ]
    Trojanit Kit                                              [ Not found ]
    Tuxtendo Rootkit                                          [ Not found ]
    URK Rootkit                                               [ Not found ]
    Vampire Rootkit                                           [ Not found ]
    VcKit Rootkit                                             [ Not found ]
    Volc Rootkit                                              [ Not found ]
    Xzibit Rootkit                                            [ Not found ]
    zaRwT.KiT Rootkit                                         [ Not found ]
    ZK Rootkit                                                [ Not found ]

[Press <ENTER> to continue]


  Performing additional rootkit checks
    Suckit Rookit additional checks                           [ OK ]
    Checking for possible rootkit files and directories       [ None found ]
    Checking for possible rootkit strings                     [ None found ]

  Performing malware checks
    Checking running processes for suspicious files           [ None found ]
    Checking for login backdoors                              [ None found ]
    Checking for suspicious directories                       [ None found ]
    Checking for sniffer log files                            [ None found ]
    Suspicious Shared Memory segments                         [ None found ]

  Performing trojan specific checks
    Checking for enabled xinetd services                      [ None found ]

  Performing Linux specific checks
    Checking loaded kernel modules                            [ OK ]
    Checking kernel module names                              [ OK ]

[Press <ENTER> to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                               [ None found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                       [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                              [ Found ]
    Checking for system startup files                         [ Found ]
    Checking system startup files for malware                 [ None found ]

  Performing group and account checks
    Checking for passwd file                                  [ Found ]
    Checking for root equivalent (UID 0) accounts             [ None found ]
    Checking for passwordless accounts                        [ None found ]
    Checking for passwd file changes                          [ None found ]
    Checking for group file changes                           [ None found ]
    Checking root account shell history files                 [ OK ]

  Performing system configuration file checks
    Checking for an SSH configuration file                    [ Found ]
    Checking if SSH root access is allowed                    [ Warning ]
    Checking if SSH protocol v1 is allowed                    [ Warning ]
    Checking for a running system logging daemon              [ Found ]
    Checking for a system logging configuration file          [ Found ]
    Checking if syslog remote logging is allowed              [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                   [ Warning ]
    Checking for hidden files and directories                 [ Warning ]

[Press <ENTER> to continue]


Checking application versions...

    Checking version of GnuPG                                 [ OK ]
    Checking version of OpenSSL                               [ OK ]
    Checking version of PHP                                   [ OK ]
    Checking version of Procmail MTA                          [ OK ]
    Checking version of OpenSSH                               [ OK ]


System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 186
    Suspect files: 3

Rootkit checks...
    Rootkits checked : 379
    Possible rootkits: 0

Applications checks...
    Applications checked: 5
    Suspect applications: 0

The system checks took: 4 minutes and 51 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

linux-l8th:/home/patti # 

linux-l8th:/home/patti # chkrootkit
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

linux-l8th:/home/patti # zypper lr
#  | Alias                                | Name                                 | Enabled | Refresh
---+--------------------------------------+--------------------------------------+---------+--------
 1 | KDE:Extra                            | KDE:Extra                            | Yes     | Yes    
 2 | home:NarkoZ:release                  | home:NarkoZ:release                  | Yes     | Yes    
 3 | home:frispete:acroread               | home:frispete:acroread               | No      | Yes    
 4 | openSUSE-13.1-1.10                   | openSUSE-13.1-1.10                   | No      | Yes    
 5 | packman.inode.at/suse/openSUSE_13.1/ | packman.inode.at/suse/openSUSE_13.1/ | Yes     | Yes    
 6 | repo-debug                           | openSUSE-13.1-Debug                  | No      | Yes    
 7 | repo-debug-update                    | openSUSE-13.1-Update-Debug           | No      | Yes    
 8 | repo-debug-update-non-oss            | openSUSE-13.1-Update-Debug-Non-Oss   | No      | Yes    
 9 | repo-non-oss                         | openSUSE-13.1-Non-Oss                | Yes     | Yes    
10 | repo-oss                             | openSUSE-13.1-Oss                    | Yes     | Yes    
11 | repo-source                          | openSUSE-13.1-Source                 | No      | Yes    
12 | repo-update                          | openSUSE-13.1-Update                 | Yes     | Yes    
13 | repo-update-non-oss                  | openSUSE-13.1-Update-Non-Oss         | Yes     | Yes    
14 | repositories/science/openSUSE_13.1/  | repositories/science/openSUSE_13.1/  | Yes     | Yes    
15 | security                             | security                             | Yes     | Yes    
16 | system:packagemanager                | system:packagemanager                | Yes     | Yes    
17 | videolan.org/pub/vlc/SuSE/13.1/      | videolan.org/pub/vlc/SuSE/13.1/      | No      | Yes    
linux-l8th:/home/patti # 

On 2014-11-08 04:16, PattiMichelle wrote:
> linux-l8th:/home/patti # chkrootkit
> Searching for Suckit rootkit... Warning: /sbin/init INFECTED

More often than not, they are false positives, because they don’t keep
exact track of openSUSE code.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

You might also, then, be interested in these:

https://www.us-cert.gov/ncas/tips

Current Activity and Alerts subheadings here also include Linux threats:
Cybersecurity Alerts & Advisories | CISA

http://www.securityfocus.com/bid/70137 is an example of what you can keep track of through this feed:
http://www.securityfocus.com/rss/vulnerabilities.xml

There is Naked Security at Sophos, also a feed:
Naked Security – Sophos News

The Falcon’s View is also quite interesting and educational. Feed is at:
The Falcon's View

There is also Lenny Zeltser:
http://blog.zeltser.com/

And, for Privacy concerns, this is our National Privacy Commissioner, some of these items are also germane to you. Also, you possibly have an equivalent of a National Privacy Commissioner as well as a State Privacy Commissioner. (We have the National and Province Privacy Commissioners.)
http://www.priv.gc.ca/media/nr-c/2014/an_141016_e.asp

And, for Security, Privacy, Net Neutrality, Wireless, and various related issues, the Governments, Law-Makers, and Law-Breakers (not just Canadian, you will find Obama-blasts and EU concerns also in here) are taken to task by renowned Dr. Michael Geist, a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law.

The feeds at Dr. Geist’s site are fascinating enough all by themselves.

Have fun.

hi PattiMichelle

interesting thread, thanks

did you run cmd rkhunter --propupd

before running cmd rkhunter -c

on this pc all files checks came back [ OK ] afterwards

cheers

Wow - thanks for the links. That is a LOT of copy to keep track of. Just finished Krebs’s book Spam Nation. It looks like the online community is definitely in for the ride of its life in the next 5 - 10 years. I’m wondering when the first big Linux botnet will appear? Currently (according to Krebs) something like half of all email traffic is “spam” (the definition of that term has changed a lot in the last 30 years, but most rapidly since torpig and ***). I’ve put private routers between every machine I have and LAN/WAN/Internet. Still, that isn’t a bulletproof strategy.

Email credentials seem to be key. Change password(s) to as long as possible. My mom and dad were adults when Social Security Numbers came into existence, now they are absolutely key to our daily lives, like Driver’s Licenses. Email credentials are key in this way.

This was a good class:
Malicious Software and its Underground Economy: Two Sides to Every Story
by Dr Lorenzo Cavallaro https://class.coursera.org/malsoftware-002

Probably somewhere around 1998, though it was small compared to what we see today.

Back then, linux was the target of choice. Since that time, linux has been greatly hardened and Windows has become the target.

Hmm, you need to give the warning before giving that advice:

first, for a bit of background, from the man page.

--propupd [{filename | directory | package name},...]
    One of the checks rkhunter performs is to compare various current file properties of various commands, against those it has previously stored. This command option causes rkhunter to update its data file of stored values with the current values.

    If the filename option is used, then it must either be a full pathname, or a plain file name (for example, 'awk'). When used, then only the entry in the file properties database for that file will be updated. If the directory option is used, then only those files listed in the database that are in the given directory will be updated. Similarly, if the package name option is used, then only those files in the database which are part of the specified package will be updated. The package name must be the base part of the name, no version numbers should be included - for example, 'coreutils'. Package names will, of course, only be stored in the file properties database if a package manager is being used. If a package name is the same as a file name - for example, 'file' could refer to the 'file' command or to the RPM 'file' package (which contains the 'file' command) - the package name will be used. If no specific option is given, then the entire database is updated.

    **WARNING: It is the users responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.**

So, for this part of the rkhunter check, it *only* checks that the package is unchanged from the reference run, and running with the --propupd switch once a package has been corrupted (deliberately or accidentally) renders this part of the check useless, because in this case, what you will be doing is checking that the package is still corrupted, and this will probably not be what you think you are doing, so the apparent pass on this part of the testing will be giving you a false sense of confidence.

For me, the only totally sensible use of this option is to run with --propupd immediately after installation and before you have connected to the 'net at all (so, before there has been any chance for the bad guys to get at it), and, if basic commands are to be changed due to deliberate changes (ie, bug fixes from standard repos), to re-run to update the database (although this needs care).

This may well not be what most people do, but it is what is necessary to extract the full value out of this test.
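To make the baseline-then-compare logic behind --propupd and -c concrete, here is an added example in POSIX shell; it is not rkhunter's own code and was not posted by anyone in this thread. props_baseline plays the role of --propupd, recording a SHA-256 digest plus size, mode, owner and group for a list of files; props_verify plays the role of the file-properties part of -c, reporting each recorded file as OK, CHANGED or MISSING and returning non-zero if anything is not OK. The function names, the database file and the use of GNU stat -c are assumptions of the example; rkhunter keeps its real database elsewhere and tracks more properties than this.

```shell
#!/bin/sh
# Added example, not rkhunter's code: a minimal file-properties database.
# Per file we record "sha256 size mode uid gid" (assumed set of properties).

# file_props FILE  ->  prints "sha256 size mode uid gid" for FILE
file_props() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    # stat -c is GNU coreutils syntax (assumed available, as on openSUSE)
    meta=$(stat -c '%s %a %u %g' "$1")
    printf '%s %s\n' "$sum" "$meta"
}

# props_baseline DB FILE...  (the --propupd step)
# Overwrites DB with the current properties of every FILE given.
# Only meaningful when the files are known-good, e.g. right after a clean install.
props_baseline() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        printf '%s %s\n' "$f" "$(file_props "$f")" >> "$db"
    done
}

# props_verify DB  (the file-properties part of the -c step)
# Prints one line per recorded file: OK, CHANGED or MISSING.
# Returns 0 only if every file still matches the baseline.
props_verify() {
    db=$1
    rc=0
    while read -r f oldprops; do
        if [ ! -e "$f" ]; then
            printf '%-40s MISSING\n' "$f"; rc=1; continue
        fi
        new=$(file_props "$f")
        if [ "$new" = "$oldprops" ]; then
            printf '%-40s OK\n' "$f"
        else
            # The check only says the file differs from the baseline; it cannot
            # say whether an update or tampering caused the difference.
            printf '%-40s CHANGED\n' "$f"; rc=1
        fi
    done < "$db"
    return $rc
}

# Demo with constructed files in a temp dir; run as:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'pretend init binary\n' > "$d/init"
    printf 'pretend ls binary\n'   > "$d/ls"
    props_baseline "$d/db" "$d/init" "$d/ls"
    echo "--- verify against clean baseline"
    props_verify "$d/db"
    printf 'extra bytes\n' >> "$d/init"        # simulate a changed file
    echo "--- verify after init changed"
    props_verify "$d/db" || echo "exit status: $?"
    rm -rf "$d"
fi
```

Run props_baseline once on a system you trust and props_verify on every later check. Re-running props_baseline after a file has already been altered simply records the altered file as the new reference, after which props_verify reports it as OK; that is the false sense of confidence the warning above describes. On openSUSE an independent reference that does not depend on a local baseline is the RPM database (rpm -V on the owning package compares installed files against the checksums recorded at package build time).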

You are very welcome.

You might even run across some articles written by me in those links.:wink:

> Just finished Krebs’s book Spam Nation.

Yes, he is quite the prolific resource.

> It looks like the online community is definitely in for the ride of its life in the next 5 - 10 years.

Actually, it has been quite a bumpy ride all along, and no sign that it will ever get any better.

> Currently (according to Krebs) something like half of all email traffic is “spam” (the definition of that term has changed a lot in the last 30 years, but most rapidly since torpig and ***).

Quite frankly, I think he has understated the amount of spam traffic there really is.

> I’ve put private routers between every machine I have and LAN/WAN/Internet. Still, that isn’t a bulletproof strategy.

That is a good move. Keep in mind, there is no bulletproof strategy. You just need to stay on your toes and take as many proactive measures as you can.

Just be aware that rkhunter (and other similar) are limited by what they are configured to check.
If you are <really> paranoid or need to protect yourself from rootkits, exploits can be hidden in many places including firmware.

But, until someone starts sounding alarms about something they’ve discovered I wouldn’t personally go out of my way putting up those kinds of defenses.

Security is not absolute, you need to decide what you are willing to do against certain types of threats, and understand what kinds of exploits you are most likely exposed to. Trying to do more may move beyond personal capability or cost too much in time or money.

If you intend to further your education in this area, I’d recommend you become familiar with tools. I highly recommend the Kali pentest suite, created by a group of developers who used to work for BackTrack.

IMO,
TSU

Agreed.

… and, still, the best defence of all is a solid backup routine (hit by a rootkit today? Yesterday’s or Last Week’s backup – rootkit gone) and staying alert.

I guess I’m <really> paranoid, then. I expect there are rk’s (backdoors) in MS and in recent hardware coming out of SE Asia. It’s what I would do if I ran the world, I guess, and they are making all the hardware. And they are organized and making $billions. It really sounds to me like gangland Chicago all over again, but on the internet and worldwide.

(and I think Krebs really said >80% of all internet traffic is now ‘spam’)

For someone like me, just getting a decent handle on things is very difficult. For instance, reading K’s stuff is what got me to basically drop MS. And change passwords. And be aware of what online ‘credentials’ actually are, as well as nuances of phishing-like things and what they can do to your installs (html inserts which grab info banks wouldn’t ask for).

I’m pretty sure I was hit by a CC replay attack a month or so ago. A CC purchase was submitted 2x, same day, same time, same number - and the bank paid it!! So not having to worry about my operating system is a big load off my mind.

It’s good that folks are talking about security now.

Well, it’s not clear to me how under OS13.1 I would know I got hit by a rootkit. Or an HTML script implanter.
chkrootkit and rkhunter are all I know about… how reliable are their results to the non-expert? They seem to go after known rk’s.

Could you say more about “backups?” (thinking my laptop here) Back in the day, that meant tar -czvf bakup.tgz /home/patti/* but I’m thinking you mean something more like MS’s RestorePoints… I used to like to use clonezilla, and ghost everything to a file, and I guess I still can as long as I use the same drive S/N’s, but that takes hours.

I do know there’s a “backup” utility in YaST, but I’ve never heard about it on here or tried it. “use dd…” was said by a bunch of folks…

Krebs mostly focuses on MS - I’ll say it again, there should be a “Security” forum here on OS User Forums.

Patricia

As a potential example of why we need a Security forum here, I offer my scans just now…:wink:


linux-l8th:/home/patti # chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
...
linux-l8th:/home/patti # 
linux-l8th:/home/patti # rkhunter -c
[ Rootkit Hunter version 1.4.2 ]
Checking system commands...
  Performing 'strings' command checks
    Checking 'strings' command                                [ OK ]
...
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found

  Performing file properties checks
    Checking for prerequisites                                [ Warning ]
    /home/patti/anaconda/bin/curl                             [ OK ]
    /usr/bin/awk                                              [ OK ]
    /usr/bin/basename                                         [ OK ]
    /usr/bin/cat                                              [ OK ]
    /usr/bin/chattr                                           [ OK ]
    /usr/bin/chkconfig                                        [ Warning ]
    /usr/bin/chmod                                            [ OK ]
...
    /usr/bin/last                                             [ OK ]
    /usr/bin/lastlog                                          [ OK ]
    /usr/bin/ldd                                              [ Warning ]
    /usr/bin/less                                             [ OK ]
    /usr/bin/logger                                           [ OK ]
    /usr/bin/ls                                               [ OK ]
...
    /sbin/depmod                                              [ OK ]
    /sbin/fsck                                                [ OK ]
    /sbin/ifconfig                                            [ OK ]
    /sbin/ifdown                                              [ OK ]
    /sbin/ifstatus                                            [ OK ]
    /sbin/ifup                                                [ Warning ]
    /sbin/init                                                [ OK ]
    /sbin/insmod                                              [ OK ]
    /sbin/ip                                                  [ OK ]
    /sbin/lsmod                                               [ OK ]
    /sbin/modinfo                                             [ OK ]
    /sbin/modprobe                                            [ OK ]
    /sbin/nologin                                             [ OK ]
    /sbin/rmmod                                               [ OK ]
...

  Performing system configuration file checks
    Checking for an SSH configuration file                    [ Found ]
    Checking if SSH root access is allowed                    [ Warning ]
    Checking if SSH protocol v1 is allowed                    [ Warning ]
    Checking for a running system logging daemon              [ Found ]
    Checking for a system logging configuration file          [ Found ]
    Checking if syslog remote logging is allowed              [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                   [ Warning ]
    Checking for hidden files and directories                 [ Warning ]

[Press <ENTER> to continue]

This is where education comes in.

Apps like rkhunter and chkrootkit are used to detect rootkits which hide by installing a file system the main OS cannot read (and therefore might not detect) on common storage. Since the hard drive is the easiest place to place hidden and possibly malicious files, many rootkits can be detected this way.

But, a computer is very complex and places where code can be deposited has greatly increased in capacity. This is the reason why UEFI has become important to securing the newer 64-bit PROMs that replaced the old, and limited BIOS chips. The new PROMs are large enough to support entire bootstrapped code (full mini OS).

And, there are other places like disk controllers, etc.
So, it becomes important to verify source and be careful what code is flashed into your PROMs.

It might even be theoretically possible to root a system remotely… After all, the only important part is what can get into memory… storage is important only for persistence.

And, this is also why it is so important for modern Linux to adopt systemd and why technologies that use Linux Containers and namespaces will become ever more important… They address a well known OS flaw that internal components are all too trusting. By implementing better internal security, it becomes harder for malicious code to be injected where detection is difficult.

TSU

Hi Tsu - working hard on educating myself. I think I spend a LOT more time than the most on this, but I also admit to a certain density. :wink:
I wonder how long before *nix is as vulnerable as MS and Macs (nowadays) are?

If *nix can be successfully defended from international cybercrime, then I suspect it could be a “first” in the history of Western Civilization where an informally organized band was able to defend a large, complex society against a similarly large, organized attack.

Rank Distribution H.P.D*
1 Mint 2440<
2 Ubuntu 1829>
3 Debian 1593>
**4 openSUSE 1285<**
5 Mageia 1243=
6 Fedora 1187>
7 CentOS 1135>
8 Arch 1064<
9 elementary 897>
10 Zorin 886<


Hi Tsu - thanks for the discussion. Sure - the above is known. But what isn’t clear, at least to ordinary folks, is what to do when things are detected. It takes a lot of insight to interpret impacts of a detection in some obscure system file…

> But, a computer is very complex and places where code can be deposited has greatly increased in capacity. This is the reason why UEFI has become important to securing the newer 64-bit PROMs that replaced the old, and limited BIOS chips. The new PROMs are large enough to support entire bootstrapped code (full mini OS).

And, there are other places like disk controllers, etc.
So, it becomes important to verify source and be careful what code is flashed into your PROMs.

Well, now you’ve left the world most folks live in. We are stuck buying the hard drives and laptops that are available to the public. What is really, really good is that Linux seems to present a “closed system” in the sense that it boots and runs most hardware OOB. Windows always is downloading drivers, even just to boot and install. And every new piece of hardware wants another driver, signed or unsigned… Even signed drivers are dangerous nowadays. A massive service is done for us all by the driver folks in *nix - making sure our hardware will run. Also the folks who maintain repos. (I worry about when a repo will be pwned.)

Not true of all distros, tho - I couldn’t install Linux Mint on my latest laptop unless I chose failsafe mode. So some drivers are missing from that distro?


Besides pwned fpga’s and storage media (thumb drives) and active TCP attacks, how would they get into the kernel space? Well, I guess a hacked repo… Every time there is a repo issue, I worry…

The bottom line for most folks is that emails and passwords are the keys to our lives. This is why we need a cybersecurity forum here. Maybe it would help get the message out? I have to admit, it sure seemed like a pain to me to protect all my passwords before I took my first class in cybercrime.

I think we need a new crypto subsystem in OpenSUSE - the Public Key crypto subsystem is very powerful, but also complicated enough to be off-putting to mere mortals like myself. KWallet is pretty good, it seems to me, and also Firefox/Mozilla “master key” security. But currently there’s no easy way to quickly encrypt a local file or directory - the KDE PK utility, creating public keys - is still confusing to me after all these years, so I imagine a lot of folks (who hadn’t had math classes in PK crypto) would not be able to use it. And PK isn’t the type of crypto (neither are stream cyphers) you want for a file sitting on your HD; PK crypto was designed for secure communications (cypher/plaintext).

7zip is the only way I’ve found to do this easily, but the 7zip interface on *nix is cumbersome.

Thanks for letting me rant - I worry about this stuff… :\

Internal encryption isn’t necessary or desirable internally. It takes enormous effort to encrypt and decrypt, introducing latencies.

Instead, systemd implements the simple concept of namespaces which is sufficient… i.e. modify the name of anything with a specific string which can be set or generated, and that can be powerful enough to verify the source of connection. A hacked process may not be able to discover this special string because it could be made unique in some way or in combination with something else. Namespacing is a very simple, lightweight and effective way to communicate, and borrows from heavier, more complex namespacing commonly used in coding today (typing, classes).

Firmware and drivers have always been recognized as a weak point but for whatever reason the people who write and manage such code have been obstinate about securing with certificates. Partly it could be the additional cost and effort, but those are obstacles which are easily addressed if the will was there.

“open” source and open architecture drivers have all the usual ramifications… open for all to inspect, but how many people actually have the skill and/or time and resources to look at extremely low level code? It’s the old question whether some one entity with much to lose should own the code or whether the world community can do it better.

Your thought about hacked repos is only one of many possible exploit vectors in today’s networked world.
Just this past month I railed at a very popular scientific framework for placing its entire repository of libraries and apps in a sub-directory of a logged in User (i.e. /home/User) instead of the usual places off root. They supposedly made the decision to do this because it enabled installing working apps in a Cloud machine without needing root access… And, I would reply… Yeah.

TSU

Well, yes, primarily: I am referring mostly to Image Backups, as you are apparently used to with Clonezilla. BTW: Clonezilla is my favourite imaging tool, it has never let me down.

However, I supplement the image Backups.

===

First, to begin with, I always set up a separate DATA partition, whether setting up Windows or Linux. The System partition is always a partition of its own. In the case of Linux, that would of course be the root (/) partition.

In Windows, I point all My Documents folders, Browser, and e-mail profiles to the DATA partition (or drive, in some cases), so System is kept as completely separate from Data as possible.

In Linux, of course, that is usually all in the /home partition. However, in Linux, I also create a 3rd separate directory for all DATA/Documents. Configs remain in the /home partition, but Firefox and Thunderbird profiles and the like, as well as all Data files, are kept in the DATA partition (or drive).

About once a month (more frequently, if I am doing a lot of Systems experimenting or major Systems work), I use Clonezilla to back up the entire HD to External Storage (not the “cloud”, mind you, my own Storage devices).

Once a week, I run all the latest Updates that I have chosen to permit, then back up only the System partition (again, the root partition in Linux) to its own Images. This takes a lot less time than Imaging the entire drive(s). With the separation mentioned above, this allows me to simply restore the System/root partition when anything goes wrong, in a very short time, and get right back up and running solid.

Using this method, you also have the ability to make a quick backup of the System partition before doing anything invasive.

As for the data:

I create periodic Images of the DATA partitions. How often depends upon the rate the Data changes on that particular machine, and the value of the Data.

In between, I keep all Data synchronized to External Storage using Unison. This is how I supplement the Imaging, and it comes in very handy. This way it is very easy & quick to recover a single file or group of files when necessary.

===

Of course, I keep rotating these various backups, in case I need to go farther back in time. Plus, every now and then, I choose “evergreen” backups that are kept on additional media (type of media depends on the individual needs of the backup).

As for something along the lines of Windows Restore Points, in Linux you can have a similar service using BTRFS.

One More Note: I always use the first compression option in Clonezilla. The difference in time is huge, whereas with the gigantic sizes of the newer storage devices, space is not such a premium anymore. And, of course, very long backups are started at night and left to run overnight, finished by morning in most cases.

===

There, lots more for you to muddle over. :wink:

Thanks for the wonderful discussion!! HAPPY NEW YEAR!!!

A stream cypher is just as secure as a block cypher as long as you don’t edit the stream cypher file once it’s been put on disk. The fact that the disk breaks the file into blocks permits attack - this was a big reason to develop block cyphers. The linux crypt function seems to be DES http://linux.die.net/man/3/crypt which is badly broken. Triple-DES is OK, but will probably be broken in a few years. I think glibc also has issues with its random number generator, which makes crypting weak, unless you can get it to use /dev/urandom. pgp seems to support all the best crypt standards, including Twofish, so:

    gpg -c myfinancial.info.txt

Should be a perfectly good way to protect a master password list in a portable manner. Kwallet is less portable since it’s tied to the OS (can’t easily take it to windows). A 7zip-encrypted, read-only file seems to be the best way to keep a well-protected, portable master-password file.

Thoughts?

PS: Secure crypto cracking seems to be too difficult for the international cybercrime market - they’re mostly into simpler types of attacks these days (social engineering?) so a single master-password list carefully guarded is now being recommended. In the old days it was different… :wink:
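As an added example (not from the thread or from any poster), here is a small POSIX shell script that does what the `gpg -c` line above describes for a master-password file, but with the cipher and passphrase key derivation pinned explicitly instead of relying on gpg defaults, and with the passphrase fed over stdin rather than placed on the command line. It assumes GnuPG 2.1 or later is installed; the file names, sample contents and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: symmetric (passphrase-only) gpg encryption of a password
# list, the "gpg -c" approach from the post, with explicit parameters.
# Assumes GnuPG 2.1+ (for --pinentry-mode loopback).

# encrypt_symmetric SRC DEST PASSPHRASE
# AES-256, salted+iterated S2K (mode 3) with SHA-256 and a high count so
# the key derived from the passphrase is expensive to brute force.
# The passphrase goes in on fd 0, so it never shows up in `ps` output.
encrypt_symmetric() {
    src=$1; dest=$2; pass=$3
    printf '%s\n' "$pass" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA256 --s2k-count 65011712 \
        --output "$dest" "$src"
}

# decrypt_symmetric SRC DEST PASSPHRASE
decrypt_symmetric() {
    src=$1; dest=$2; pass=$3
    printf '%s\n' "$pass" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --output "$dest" --decrypt "$src"
}

# roundtrip_ok: returns 0 when a constructed sample file survives
# encrypt -> decrypt unchanged and the ciphertext contains no plaintext.
roundtrip_ok() {
    tmp=$(mktemp -d) || return 1
    # Private keyring/agent dir so the check does not touch ~/.gnupg.
    GNUPGHOME=$tmp/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Constructed sample password list (not real credentials).
    printf 'bank: correct-horse-battery\nmail: hunter2\n' > "$tmp/pw.txt"
    encrypt_symmetric "$tmp/pw.txt" "$tmp/pw.txt.gpg" "example-passphrase" || return 1
    chmod 0400 "$tmp/pw.txt.gpg"            # read-only, as the post recommends
    if grep -q 'hunter2' "$tmp/pw.txt.gpg"; then return 1; fi   # plaintext leaked?
    decrypt_symmetric "$tmp/pw.txt.gpg" "$tmp/pw.dec" "example-passphrase" || return 1
    if cmp -s "$tmp/pw.txt" "$tmp/pw.dec"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run `roundtrip_ok && echo OK` after sourcing the script; the decrypt step is the same command you would use to recover the list on any machine with gpg, which is the portability the post is after.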