commit 4d1c0b9865 by Franco Colmenarez, 2023-01-31 13:29:20 -05:00
4 changed files with 389 additions and 0 deletions. New file: README.md (389 lines)
# Opsec
How to improve your *Operations Security*.
This guide aims to give you advice that you can follow to reduce your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), that is, to reduce the chances of being affected by a malicious actor (with regard to your digital life).
## Important notes
* **I'm not a security expert**. Learning about security is hard. All the information found here was sourced from lots of investigations on my own. I have always been concerned about privacy and security, so I'm constantly learning about how to improve my opsec. Don't take for granted everything mentioned here, as always, do your own research. We are open to any feedback to improve this guide.
* **Evaluate your [Threat Model](https://en.wikipedia.org/wiki/Threat_model)**. Improving your opsec comes at a cost. A lot of the time, you have to sacrifice some convenience to improve your digital security.
* **Do your own research**. As I mentioned before, don't take for granted whatever anyone tells you about security. You will find different opinions from different people, experts and non-experts.
* **This article isn't about web server security**. DevSecOps is a completely different beast and belongs in a different article. However, there's one mention of programming languages in this article.
## Phishing
[Phishing](https://en.wikipedia.org/wiki/Phishing) is perhaps the most effective and easiest way to hack someone.
It's one of the hacking methods that claims the most victims every year.
Criminals keep getting more creative and coming up with new phishing methods. Some of them are still pretty obvious, but others can be very sneaky.
### Recommendations
- Read about the different phishing methods in use, so that you can improve your "phishing detection skills".
- Use your common sense; sometimes phishing is quite obvious.
- Keep an eye open; other phishing attempts are not as obvious.
- Use an ad blocker such as [uBlockOrigin](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) (it may not have all of its features on Chromium-based browsers due to [Manifest V3](https://developer.chrome.com/docs/extensions/mv3/intro/)). You can also use the [Brave Browser]() which comes with an ad blocker built in.
- Some of your relatives may struggle to detect fake content when browsing the web. Be patient with them and teach them how to spot it.
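A few of the "not so obvious" link tricks can be caught mechanically. The following is an added example, not code from the original guide: it runs a handful of checks (plain HTTP, a hidden `user@` prefix, a raw IP address, a punycode host, link text that disagrees with the real destination, and a trusted domain name buried inside an unrelated domain) over constructed sample links. The sample links and the `TRUSTED_BRANDS` set are made up for the example; these heuristics complement the common sense the guide recommends rather than replace it.

```python
"""Added example (not part of the original guide): mechanical checks for common
link-based phishing tricks, run over constructed sample links."""
import ipaddress
from urllib.parse import urlsplit

# Constructed samples: (text the reader sees, where the link actually points)
SAMPLE_LINKS = [
    ("https://www.example-bank.com/login", "https://www.example-bank.com/login"),
    ("https://www.example-bank.com/login", "http://www.example-bank.com.evil.test/login"),
    ("Verify your account", "https://user@198.51.100.7/verify"),
    ("https://paypal.example", "https://xn--pypal-4ve.example/"),
]

# Constructed; in practice this is your own list of sites you actually use.
TRUSTED_BRANDS = {"example-bank.com"}


def link_warnings(display_text: str, href: str, brands=TRUSTED_BRANDS) -> list:
    """Return a list of human-readable warnings for one link (empty list = nothing odd)."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # "https://bank.example@evil.test" shows a familiar name before the real host
        warnings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (IDN) host, possible homoglyph")

    # If the visible text looks like a URL, its host must match the real destination.
    shown = urlsplit(display_text).hostname if "://" in display_text else None
    if shown and shown.lower() != host:
        warnings.append(f"text shows {shown} but link goes to {host}")

    # "example-bank.com.evil.test" contains the brand but is not a subdomain of it.
    for brand in brands:
        if brand in host and host != brand and not host.endswith("." + brand):
            warnings.append(f"'{brand}' appears inside an unrelated domain {host}")
    return warnings


def scan_links(links=SAMPLE_LINKS) -> dict:
    """Map each href to its warnings; useful for a quick review of an e-mail's links."""
    return {href: link_warnings(text, href) for text, href in links}


if __name__ == "__main__":
    for href, found in scan_links().items():
        print(href, "->", found or "looks consistent")
```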
## Passwords
Reusing passwords is a bad idea for obvious reasons. Websites get hacked [all the time](https://haveibeenpwned.com/). Some sites don't even hash your password; it is stored in plain text in their database.
Even if the password is hashed in the database, hashed passwords are still susceptible to [password cracking](https://hashcat.net/hashcat/).
That being said, **you must use a different password for every online account**.
Our brains are not designed for remembering many different passwords, nor are they good at generating secure ones.
Don't store them on paper, or in an Excel/Word/plain text document. Doing this isn't very practical anyway compared to the available alternatives. The issue with these approaches is that your passwords are not protected by encryption, and so anyone with access to the passwords file (or the piece of paper) has access to all of your accounts.
Use the right tool for the job: an actual [Password Manager](https://en.wikipedia.org/wiki/Password_manager).
Recommended ones are [KeePassXC](https://keepassxc.org/) for desktop computers and [KeePassDX](https://www.keepassdx.com/) for mobile devices, but you can use whichever one you like the most and know to be secure.
Here are the reasons why you might want to use a KeePass-based password manager:
1. They are usually free (as in freedom) and open source software. You can audit the code yourself and make sure that it meets proper encryption and security standards.
2. They are offline. The advantage of this is that you reduce the attack surface by not exposing your password database to the Internet or a cloud (aka someone else's computer). The catch is that it's less convenient to sync your passwords across devices. You can, however, use syncing tools for this such as [Syncthing](https://syncthing.net/) or a personal cloud.
3. They are lightweight, they don't take that much of your system resources.
4. There are many KeePass clients that you can use, so your password database is very portable.
[Bitwarden](https://bitwarden.com/) is also fine to use if you prefer the better UI/UX. You can optionally self-host it for better security.
If you love using the terminal and CLI tools, you can try the Unix standard password manager [Pass](https://wiki.archlinux.org/title/Pass).
[1Password](https://1password.com/) is also fine. At the time of writing this article, 1Password hasn't had any security incident or data breach. You may not like the fact that it's closed-source.
The password manager that is hard to recommend and **you should avoid using**, is [LastPass](https://www.lastpass.com/). [LastPass has a record of security incidents](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/).
Remember, even though your passwords are *in theory* protected by encryption, and encryption is what mitigates the risk of such data breaches, **you must use a strong master password for that protection to hold**. Your password database contains a lot of sensitive information. If this is a concern for you, consider using offline password managers. As mentioned before, you can reduce the attack surface by not exposing your passwords to a cloud or online service that *is not under your control*.
**Important note**: The whole purpose of using a password manager is **letting your password manager generate secure and random passwords for you** (Don't just create passwords yourself by combining your second name + your birthdate or similar methods).
Some websites have [very dumb rules](https://github.com/duffn/dumb-password-rules) about the characters allowed in the password field, so configure your password manager's generator accordingly.
![Password Manager](assets/keepassxc.png "Password Manager")
It can take quite a bit of time to replace the passwords of all of your accounts, but it's worth the time.
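To make the "let the manager generate it" advice concrete, here is an added example (not code from the original guide or from any of the password managers it names) of how such a generator works: uniformly random characters drawn from a CSPRNG, a variant that adapts to a site's restricted character set instead of weakening the password by hand, and a diceware-style passphrase generator, each with its entropy in bits. The `SITE_RULES` dictionary and the short `WORD_LIST` are constructed for the example; a real manager uses a word list of several thousand words.

```python
"""Added example (not part of the original guide): how a password manager generates
passwords and passphrases, using the `secrets` module (never the `random` module)."""
import math
import secrets
import string

# Full printable-ASCII alphabet: 52 letters + 10 digits + 32 punctuation = 94 symbols.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed example of a site's restrictive rule: at most 16 chars, only these symbols.
SITE_RULES = {"max_length": 16, "allowed_symbols": "!@#"}

# Tiny constructed word list (16 words = 4 bits per word). Real lists have ~7776 words.
WORD_LIST = ["apple", "brick", "cedar", "delta", "ember", "flint", "grove", "harbor",
             "ivory", "jumbo", "karma", "lunar", "mango", "nylon", "ochre", "pixel"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: log2(N^L) = L * log2(N)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 24, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random password; secrets.choice is backed by the OS CSPRNG."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def site_alphabet(allowed_symbols: str) -> str:
    """Alphabet for a site that only accepts letters, digits and a few symbols."""
    return string.ascii_letters + string.digits + allowed_symbols


def generate_password_for_site(rules: dict = SITE_RULES) -> str:
    """Honour the site's rules by narrowing the generator, not by inventing a weak password."""
    return generate_password(rules["max_length"], site_alphabet(rules["allowed_symbols"]))


def generate_passphrase(words: int = 6, word_list=WORD_LIST, sep: str = "-") -> str:
    """Diceware-style passphrase: easy to type, and a good fake answer for a security question."""
    return sep.join(secrets.choice(word_list) for _ in range(words))


def passphrase_entropy_bits(words: int, word_list=WORD_LIST) -> float:
    return entropy_bits(len(word_list), words)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(DEFAULT_ALPHABET), len(pw)):.1f} bits)")
    site_pw = generate_password_for_site()
    print(site_pw, f"({entropy_bits(len(site_alphabet('!@#')), len(site_pw)):.1f} bits)")
    print(generate_passphrase(), f"({passphrase_entropy_bits(6):.1f} bits with this toy list)")
```

The entropy figures are the point of the exercise: 24 characters from the full 94-symbol alphabet give about 157 bits, while the same length is impossible under the constructed 16-character site rule, which tops out near 96 bits with 65 allowed symbols. Both are far beyond what cracking hardware can search, which is why length and true randomness matter more than clever substitutions.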
## Multi-factor authentication
[Multi Factor Authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) prevents an attacker from accessing an account if the password gets compromised.
A fun fact about MFA that many people don't know: most of the multi-factor codes generated on your phone (SMS excepted) are actually [Time-Based One-Time Passwords](https://www.rfc-editor.org/rfc/rfc6238), a standard that generates codes based on the current time. It doesn't require any Internet connection, preventing man-in-the-middle attacks.
That being said, most of the time (not always) you don't need a specific app for your OTPs; the app only needs to support the above-mentioned TOTP standard, RFC 6238. You can use [Aegis](https://getaegis.app/) for Android or [Raivo OTP](https://raivo-otp.com/). These are open source alternatives, but you can use the one you like and trust the most. [Avoid using Authy](https://youtu.be/iXSyxm9jmmo?t=1146).
**Don't use SMS for MFA**. Sadly, this is not always possible, as some services still require SMS for MFA. But keep in mind that [SMS is a completely broken protocol](https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80) that shouldn't be used anymore. Also, [your phone number is susceptible to SIM swap attacks](https://en.wikipedia.org/wiki/SIM_swap_scam). This is how Jack Dorsey (ex-Twitter CEO) got hacked.
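To show why any RFC 6238 app works with any RFC 6238 service, here is an added example (not code from the original guide, nor from Aegis or Raivo) that computes a TOTP code with nothing but the standard library and the shared secret, plus the check a server performs with a small tolerance for clock drift. The secret used is the RFC 4226/6238 test-vector seed (`12345678901234567890`), base32-encoded the way an `otpauth://` QR code would carry it, so the outputs can be compared against the RFC's published vectors.

```python
"""Added example (not part of the original guide): RFC 6238 TOTP from the standard library.
Generation needs only the secret and the clock; no network connection is involved."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector seed, base32-encoded as an enrolment QR code would show it.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """QR codes often show the secret lowercase, spaced and unpadded; normalise before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since t0."""
    return hotp(key, (unix_time - t0) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours for clock drift,
    comparing in constant time. A real service also remembers accepted codes to block replay."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + i), code)
               for i in range(-window, window + 1))


if __name__ == "__main__":
    key = decode_secret(TEST_SECRET_B32)
    now = int(time.time())
    print("current code:", totp(key, now), "valid for", 30 - now % 30, "more seconds")
```

Running it against the RFC vectors: at Unix time 59 the counter is 1, and the 8-digit code is `94287082` (RFC 6238, Appendix B), whose last six digits are the familiar 6-digit `287082`. The verification window is a defender's trade-off: one step of tolerance absorbs a phone clock that is half a minute off, while a wide window needlessly lengthens the time a phished code stays usable.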
## Security Questions
![Security Questions](assets/security-questions.png "Security Questions")
**Don't be honest when answering security questions**.
Security questions are basic questions about you (e.g. "What's your favorite food?", "Where did you study for the first time?") that you can answer if you forget your password and have no other way to recover it.
This may sound convenient, but it is extremely susceptible to [social engineering](https://en.wikipedia.org/wiki/Social_engineering_(security)) attacks.
For example, if you were honest answering a security question, say "What's the name of your grandma?", an attacker can gather information about you or your relatives and very easily reset your password.
This is a broken system, because you shouldn't forget your passwords if you are using a password manager.
Some services (especially bank accounts) still require you to answer security questions. In these cases, as mentioned, *don't be honest when answering security questions*. Put fake data in the answers. You can generate random passphrases with your password manager for this and store them alongside the account.
## VPNs
[VPNs](https://en.wikipedia.org/wiki/Virtual_private_network) can be useful for privacy *in some cases*, but they don't help much for security.
An over-simplified diagram about VPNs would look something like this:
![VPNs](assets/vpns.png "VPNs")
Most websites already protect the data with the HTTPS protocol. A VPN can prevent a man-in-the-middle on your local network from sniffing a site's data if you visit a non-HTTPS site, but once the request leaves the VPN servers the data is no longer encrypted by the VPN protocol, so you should avoid visiting those sites anyway.
Also, [many VPNs have lied about their no-log policies](https://torrentfreak.com/ipvanish-no-logging-vpn-led-homeland-security-to-comcast-user-180505/). Don't think that this is only an issue with free VPNs and that it doesn't happen with paid ones. Just because you gave money to a VPN provider is no guarantee that they are not going to hand your data to someone else anyway. There's no way to know whether a VPN is collecting data about you, either intentionally or not.
There are legitimate uses for VPNs. For example, if an organization has internal services that shouldn't be accessible to the public, the organization can host an internal VPN to make IP whitelisting much easier. This was actually the intended use of VPNs when they were created.
If you don't trust your network or your ISP, a VPN can prevent your network provider or your ISP from knowing what websites you are visiting, but keep in mind that you are essentially moving the problem from one place to another: now you have to trust your VPN provider.
### What is a VPN useful for?
* Hosting an organization's internal services that shouldn't be accessible to the public. A VPN hosted by the organization can make IP whitelisting easier.
* Preventing your network provider or ISP from knowing what websites you visit.
* Access blocked content.
Recommended video about VPNs:
- https://youtu.be/BE33daPiaYQ
## Web Browsers
Any modern browser should be fine regarding security. If you are concerned about privacy, you can read [this article](https://www.unixsheikh.com/articles/choose-your-browser-carefully.html).
### Recommendations
- Use [multiple profiles](https://www.chromium.org/developers/creating-and-using-profiles/), for example, one for your personal stuff and another one for work related stuff.
- Disable JavaScript JIT. [Many security vulnerabilities are JIT bugs](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/). Note: You may notice that your browser is a bit slower after disabling JIT. It's also hard to disable JIT on some browsers.
## IoT devices
[IoT devices](https://en.wikipedia.org/wiki/Internet_of_things), such as your Smart TV, Smart Fridge, Smart Watch, or "Smart Anything" (even smart lightbulbs), are usually built with very poor security standards and [they get hacked all the time](https://finance.yahoo.com/news/hackers-breach-thousands-security-cameras-213219424.html).
The more devices you have connected to the Internet, the more you increase the attack surface.
If some of these devices get hacked, it may not affect *you* directly, but a very common use of hacked IoT devices is enlisting them in a botnet used for [DDoS attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).
## Home Routers / Modems
Update your router's admin password. Not the Wi-Fi password. The router admin password.
A lot of routers have very basic admin usernames and passwords by default, like "admin / admin" or "admin / admin1". Some of them have a random string on a sticker on the router itself, but those can still be a bit predictable sometimes. Some ISPs assign the same password to a lot of the routers that they distribute, and you can find those passwords online.
So, for example, someone could go to the house of a person who they know uses a specific ISP, search the web for the common admin passwords of that ISP, log in, and do all kinds of things, like throttling the connection (just to troll) or checking all of the visited websites in the history.
Or, even worse, **someone with admin access to your router could upload an infected firmware** that can do all kinds of malicious things that you can imagine without you noticing anything.
### Recommendations
If you can, and if your ISP allows you to, change the admin password of your router. You can use your password manager for this and generate a random password.
Even better, if you can, build your own custom router. Apart from security, there are lots of other advantages to customizing your own router. If you build your own router, you are no longer subject to your ISP's arbitrary restrictions or bad security practices. Your router can be as secure as you want.
If you are interested in building your own custom router, check these two videos:
* [Should You Build Your Own Router?](https://youtu.be/Yq9NtTS90AE)
* [DO NOT Build Your Own Router! Get This $50 Thin Client Instead...](https://youtu.be/uAxe2pAUY50)
## Smartphones
Modern mobile operating systems often have plenty of security features. However, some smartphone users (especially Android ones) tend to worsen their security with some bad practices. Here are some general recommendations:
- Avoid [rooting (Android)](https://en.wikipedia.org/wiki/Rooting_(Android)) or [jailbreaking (iOS)](https://en.wikipedia.org/wiki/IOS_jailbreaking) your device.
The reason you don't want to do this is that you increase the chances of privilege escalation by a potential attacker, because you weaken the
[principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege).
Also, in the case of Android, rooting your device usually requires unlocking the bootloader, and thus disabling [verified boot](https://source.android.com/security/verifiedboot/).
- Install apps from trusted sources, and, install only apps that you trust, don't just install any random app that you find.
- Have a strong PIN code. It's recommended to use a randomly generated 6-digit PIN code.
- Uninstall apps that you don't really need to reduce the attack surface.
- Follow the *principle of least privilege* by giving apps only the permissions that they need at the moment.
- Keep your device up to date. This is usually more difficult for Android users.
- Use different [user profiles](https://grapheneos.org/features#improved-user-profiles), as in, avoid using the same profile for everything. For example, you can have a personal profile and a work profile. Same applies to web browsers on desktop.
- Avoid using [webviews](https://developer.android.com/develop/ui/views/layout/webapps/webview) in any app. A lot of apps, [especially TikTok, inject code into webviews to add spyware and keyloggers](https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/). Copy the link to your clipboard, then open an actual browser instance and paste the link. Avoid opening links by tapping on them inside the app itself.
- Use face unlock only if you are sure that your device has the [proper hardware to support it](https://support.apple.com/en-us/HT208108), not just with a regular front camera. A lot of devices that "support" face unlock with just a normal front camera, are usually unlockable with a photo of the owner.
- Avoid pattern lock. Pattern locks usually have fewer possible combinations. Also, finger smudges (even after cleaning the screen) are much more noticeable with a pattern lock than with a PIN code.
- Reboot your smartphone frequently. This mitigates malware that can only live temporarily in RAM and cannot persist thanks to verified boot.
### Android specific
Perhaps the most secure Android experience that you can have (or in smartphones in general, for that matter) is using a Google Pixel with [GrapheneOS](https://grapheneos.org). GrapheneOS has a lot of features to make Android as secure as possible without sacrificing convenience. You can check the [GrapheneOS features](https://grapheneos.org/features) to understand why it is so secure compared to other Android ROMs, and also [why only Pixel phones are supported](https://grapheneos.org/faq#recommended-devices).
**Avoid using custom ROMs**. With the exception of GrapheneOS, other custom ROMs such as [LineageOS](https://lineageos.org/) usually worsen the security of your device by requiring you to keep the bootloader unlocked, and so disabling verified boot.
You can read a more detailed explanation [here](https://madaidans-insecurities.github.io/android.html) of how Android users tend to worsen the security of their devices.
## Desktop operating systems
Desktop operating systems were not designed with security in mind and they are usually more vulnerable than other operating systems. Here are a couple of things that you can do to improve the security of a desktop operating system:
* Lock the screen if you have to leave it turned on. On Windows, you can do this with `Ctrl + L`.
* Avoid leaving your system unattended.
### Disk Encryption
[Disk Encryption](https://en.wikipedia.org/wiki/Disk_encryption) or [Data at Rest Encryption](https://wiki.archlinux.org/title/Data-at-rest_encryption) is a preventive measure to protect your data if your device (hard drive, SSD, etc) is no longer with you, either because you sold it, or because you lost it, or because it got stolen.
Even if you format your hard drive or SSD before giving it to someone else, [the data is still recoverable](https://en.wikipedia.org/wiki/Data_recovery).
You could perform a [zero fill](https://unix.stackexchange.com/questions/636677/filling-my-hard-drive-with-zeros) on your drive before giving it to someone else, but this takes a long time, can reduce the lifespan of your device, and if the drive gets stolen you obviously won't be able to perform a zero fill.
Here's how to enable disk encryption on different desktop operating systems:
- **Windows**: Enable [Bitlocker](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview).
1. Go to Control Panel > System and Security > BitLocker Drive Encryption
2. Click on "Turn on BitLocker"
3. If you have bitlocker enabled, you will see a lock icon on your `C:` drive under the "This PC" menu.
- **MacOS**: Any modern Apple desktop device supports hardware-based encryption. Make sure to enable [FileVault](https://support.apple.com/en-us/HT208344).
- **Linux**: Linux users have many different disk encryption options. Here are a few alternatives:
- Installing Pop!_OS, which gives you the option of encrypting the disk during installation.
    - Some installers allow you to encrypt the home folder. You can also encrypt an existing home folder: https://wiki.archlinux.org/title/ECryptfs#Encrypting_a_home_directory
    - Partition the drive yourself with dm-crypt and an encrypted boot partition: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)
- Other disk encryption alternatives: https://wiki.archlinux.org/title/Data-at-rest_encryption#Available_methods
### Secure boot
[Secure Boot](https://en.wikipedia.org/wiki/Hardware_restriction#Secure_boot) and [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)
are technologies that allow you to mitigate [Evil Maid Attacks](https://en.wikipedia.org/wiki/Evil_maid_attack).
**Warnings**: Before messing around with BIOS settings, keep these things in mind:
* **Evaluate your threat model** before changing BIOS settings. You may mess something up if you don't know what you are doing.
* Do this only with your *own* device, or with devices whose BIOS settings you know you are allowed to modify.
* You *may* void your warranty by modifying BIOS settings (or by reinstalling an OS). This is not always the case, and it's pretty rare to void the warranty just by modifying software settings, but it's still a possibility.
* **Secure Boot and TPM are only effective if you protect the BIOS settings with a password**. Otherwise, an attacker can just disable them.
If you use a modern Apple desktop device, you can read this article and skip the rest of this section: https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web
**Note for Apple users**: If you set a firmware password for your Mac device (Macbook, Mac Mini, etc), please remember to remove that password if you are not going to use that device anymore. [We already have enough e-waste](https://youtu.be/MWWVmWIXn0w).
Here are some tips for Windows and Linux users:
- **Windows**: If you got a brand new laptop with Windows 10 or Windows 11, more than likely you already have Secure Boot and TPM enabled. Just remember that you need to protect the BIOS settings.
- **Linux**: Linux users will have a hard time trying to get Secure Boot to even start up, not to mention all the struggles that you will have trying to make it effective.
My recommendation is to install your Linux distribution with the above-mentioned dm-crypt encrypted boot scheme and to read this article: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#PreLoader
to evaluate the possible methods to enable Secure Boot for Linux.
The reason why it is so hard to use Linux with Secure Boot is that motherboard manufacturers use Microsoft's signing keys by default (because most people are going to install Windows anyway), which are obviously not compatible with most Linux distributions.
You can upload your own keys to your motherboard as described in this guide: https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
But you can potentially brick your motherboard if you don't know what you are doing.
Effective TPM use under Linux is even more complicated. You can learn more about it here: https://wiki.archlinux.org/title/Trusted_Platform_Module
but my recommendation is: don't even bother trying to use it. Just use full disk encryption + Secure Boot, set a password for your BIOS, and pray that an attacker doesn't find a way around it. This isn't bulletproof against evil maid attacks, but it's better than nothing.
Remember, evaluate your threat model before considering investing your time doing these practices. For example, if someone breaks into your house, unless you are targeted and they want to specifically get a piece of data from you without using violence, they are probably just going to steal the whole computer and sell it to someone else. In which case, your data is protected by disk encryption.
### App Sandboxing
[App Sandboxing](https://source.android.com/docs/security/app-sandbox) is a security feature that provides an isolated runtime environment, limiting the system resources available to a program.
Android and iOS sandbox every app that you install by default. Desktop operating systems are lacking in this regard.
* **Windows** users can use the [Windows Sandbox](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) utility to run untrusted programs.
* **MacOS** users already have their applications sandboxed if they were installed from the App Store: https://developer.apple.com/documentation/security/app_sandbox
* **Linux** users have different options: https://wiki.archlinux.org/title/Security#Sandboxing_applications. **Avoid using Firejail**. Firejail runs as root and increases the potential risk of privilege escalation. The recommended sandboxing utility for Linux is [Bubblewrap](https://github.com/containers/bubblewrap). The catch is that Bubblewrap is not very friendly to use, but it's far more secure and granular than the alternatives. A friendlier alternative is using [Flatpaks](https://wiki.archlinux.org/title/Flatpak), which use Bubblewrap underneath, and you can control the permissions of your applications with [Flatseal](https://github.com/tchx84/Flatseal). [There](https://hanako.codeberg.page/), [are](https://flatkill.org/), [criticisms](https://flatkill.org/2020/) of Flatpak's sandboxing features. However, using Flatpak + Flatseal is still far better than the traditional way of installing packages on Linux, which has no sandboxing at all.
### Pirating software
Hackers who take the time to crack programs don't usually do it for free; sometimes you are the product.
There are many examples of this, but the most recent and most popular one is the case of TLauncher, a third-party Minecraft launcher that allows you to play Java Minecraft for free.
It was discovered that this launcher contains very sneaky malware:
- https://app.any.run/tasks/f63f7ab4-8b5f-4776-b1cc-39f972652ff6/
- https://app.any.run/tasks/46243169-ae8f-4c71-bdc1-3325b4420bea/
- https://www.filescan.io/uploads/63a82ccd898959f356c5dde7/reports/c332902d-8a80-4d3c-85f8-0cca305f8baf/overview
- https://tria.ge/221225-m6n5jabd67/behavioral1
Remember, **this can happen with any software downloaded from an untrusted source**, but it is more common with pirated software, for example when you pirate a video game, a Photoshop license, an Office license, etc. At first nothing appears to happen and you may think that your PC wasn't infected, but it's probably running malware in the background. Your antivirus is usually unable to detect it either, because some malware can be very sneaky, and also because these "cracks" usually require you to execute them as Administrator. If malware is able to run as admin, it can do anything to the system, like disabling your antivirus.
If for some reason you want to run pirated software and reduce the risk of doing so, you can do it inside of a virtual machine, although this is less convenient.
### Electron Apps
Electron isn't inherently insecure by itself. In fact, Electron has [sandboxing features](https://www.electronjs.org/docs/latest/tutorial/sandbox).
However, if you run an Electron app instead of the web equivalent, you are running that software with higher privileges on your system. For example, an Electron app is able to read your whole home folder (if not properly sandboxed with another tool), and could even use zero-day exploits to escalate privileges, such as [Pwnkit](https://github.com/arthepsy/CVE-2021-4034) (note: Pwnkit has already been patched; the point is to reduce the possibility of privilege escalation).
The web equivalent, on the other hand, runs inside the browser's sandbox, and is thus more secure than the Electron equivalent.
Also, many developers don't regularly update the Electron version of their apps, and as such, they use an old version of Chromium and Electron that doesn't have the latest security patches.
For example at the time of writing this article, **Discord uses Chromium version 91, and Electron version 13**. Whereas the latest stable Chromium version is 109, and the latest stable Electron release is 22. You can prove this by yourself by using [this method](https://stackoverflow.com/a/75089818).
Electron apps that can be used within a browser:
- Slack
- Discord
- Figma
- Notion
- Element
- Whatsapp Web
- Zoom
And many others.
Another advantage of using the web equivalent of your apps is that you save a bit of RAM, because all of them share the same browser instance.
### Windows specific
- Require a password for admin privileges.
- Avoid using activation tools such as KMSPico. The reason is explained above, in the "Pirating software" section. You can find legitimate Windows activation keys very cheaply. Also, a lot of motherboards nowadays come with an OEM key preinstalled (UEFI).
- Use [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) to run untrusted programs.
- Enable Bitlocker
- If you want to download a Windows ISO, download it directly from [Microsoft's official website](https://www.microsoft.com/en-us/software-download/windows11), not from any other source; that way you make sure that the ISO hasn't been tampered with.
- Avoid using Windows 8.1 or lower. These systems [are no longer supported by Microsoft](https://support.microsoft.com/en-us/windows/windows-8-1-support-ended-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93) and they are vulnerable. Consider upgrading to Windows 10 or higher.
### Linux (desktop) specific
Despite popular belief, Linux is perhaps the least secure desktop operating system when compared to Windows 10/11 or MacOS.
The technical reasons why are explained [here](https://madaidans-insecurities.github.io/linux.html).
Here are some tips on how you can improve Linux Desktop security:
- Use [Wayland](https://wiki.archlinux.org/title/Wayland) instead of [Xorg/X11](https://wiki.archlinux.org/title/Xorg). Xorg is a very ancient program with really ancient code, designed under a really ancient protocol (X11). Linux sandboxing is flawed mostly because of possible sandbox escapes through X11. The catch is that you may have compatibility issues with Wayland, for example, you may struggle with screen sharing. However, Wayland development is improving with time.
- Use [Pipewire](https://wiki.archlinux.org/title/PipeWire) instead of [Pulseaudio](https://wiki.archlinux.org/title/PulseAudio). Pipewire provides better sandboxing and security features. Most Linux distributions are starting to ship Pipewire instead of Pulseaudio.
- Use [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc). This is a bit more extreme and it's not recommended if you don't know what you are doing, as some programs may break.
- Use [doas](https://github.com/slicer69/doas) instead of sudo. Sudo has had [security vulnerabilities](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt) that took years to patch. Sudo is a really big program, and doas is much smaller in comparison. Doas has fewer features than sudo, but for desktop usage doas is usually more than enough.
- [Avoid using SystemD](https://suckless.org/sucks/systemd/). Although this can be hard for most people due to compatibility issues with other init systems.
- Use the sandboxing utilities mentioned in the App Sandboxing section.
## Wireless devices
Wireless devices can be more convenient because cables are annoying for some people. However, because physical access is no longer needed to hijack the communication between devices, the attack surface increases: someone nearby could be exploiting a vulnerability in your devices.
[Bluetooth has always been insecure](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth) and you should avoid using it if you can.
Wi-Fi is much more secure compared to other wireless technologies, but the advantage of using a wired connection instead (e.g. an Ethernet cable) is that it's not only more secure, the connection will also be more stable.
Examples of wireless technology being insecure:
- [BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution](https://www.youtube.com/watch?v=qPYrLRausSw)
- [CVE-2019-13052 LOGITacker: Demo live decryption of Unifying keyboard after sniffed pairing](https://youtu.be/GRJ7i2J_Y80)
- Tesla cars: https://trifinite.org/stuff/project_tempa/
## Social media
Social media is inherently succeptible to social engineering attacks and you should avoid using it.
There are some things that you can do to improve your privacy and prevent attackers from gathering personal information about you:
- Don't just accept any friend requests or follow requests. This is just common sense.
- Configure your social media in such a way that your posts are only visible for the people that you trust.
- If you wanna make post public posts, be careful with personal information that you may be making public.
However, keep in mind that there are still many pitfalls when it comes to privacy when using social media.
## Chat applications
Perhaps the most secure and privacy respecting chat application that you can use is [Signal](https://www.signal.org/).
Here's a comparison between different chat alternatives:
| | |
--- |--- |
|Open Source server and client, but centranized server, requires phone number|[Signal](https://www.signal.org/)|
|Federated/decentralized (sometimes not e2e encrypted due to federation issues)|[Matrix](https://matrix.org/), [XMPP](https://xmpp.org/)|
|Serverless|[GNU/Jami](https://jami.net/), [Tox](https://tox.chat/), [Session](https://getsession.org/), [Briar](https://briarproject.org/)|
|E2E encrypted but still proprietary|iMessage, Whatsapp|
|Open Source client, but proprietary servers and not E2E encrypted by default|Telegram|
|Proprietary and not E2E encrypted|Discord, Slack, Facebook Messenger, Instagram, TikTok, etc|
|Hahaha|SMS|
## Cloud storage
Cloud services are very convenient, but [they could be succeptible to security incidents](https://mega-awry.io/). You have to trust your cloud provider with the security of your files. If you want to upload to the cloud and you don't want the file to be readable by your cloud provider (or a potential attacker), encrypt your files with a random generated password before uploading them to the cloud. You can use [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) or [Cha Cha 20](https://en.wikipedia.org/wiki/ChaCha20-Poly1305) or the encryption method of your preference.
On Unix like systems, you can run this command to encrypt a file with AES-256:
```
gpg --symmetric --no-symkey-cache --cipher-algo AES256 your-file
```
## Ransomware
Any operating system is vulnerable to this (Android, iOS, Windows, Mac, Linux, etc)
Getting infected by a [Ransomware](https://en.wikipedia.org/wiki/Ransomware) is not just a matter of how, but when.
Some ransomwares are so sphisticated that [they can even detect backup drives and encrypt that as well](https://security.stackexchange.com/questions/56084/are-backups-really-secure).
One recommendation can be making regular backups of your important files on different devices, drives or clouds. Keep one backup on an external drive that is physically disconnected from any other device. Do backups within different time frames. For example, lets say that the ransomware takes one week to encrypt all your files. If you do daily backups, there's a chance that some of the files that you are backing up are already encrypted by the ransomware. So you can do a monthly backup + a separate weekly backup.
## Programming languages
If you can, use programs that were written in memory safe languages, such as [Rust](https://www.rust-lang.org/).
If you are a software developer yourself, consider using Rust for writing your programs. But if you can't, or you don't want to, consider learning about Rust's memory safety features and try to implement them in your programming language of preference.
For example, [the "null" value doesn't exist in Rust](https://doc.rust-lang.org/book/ch06-01-defining-an-enum.html#the-option-enum-and-its-advantages-over-null-values), an enum has to be used instead, forcing the developer to always handle a case when there's no value.
This isn't just Rust evangelism, it's just that [most of the security flaws come from memory unsafety issues](https://www.chromium.org/Home/chromium-security/memory-safety/),
Not just with Chromium, [but with all kinds of other programs as well](https://www.phoronix.com/news/IBM-Possible-Rust-GRUB).
Note: There are all kinds of security flaws that can happen with any programming language, even with Rust. This section is about memory safety specifically.
Other recommendations:
- Have good validations in your software, never trust user input.
- SQL Injections, or any sort of code injection (XSS)
- Keep your SSH keys safe
# Conclusion
Don't blindly trust whatever anyone tells you about security. No piece of technology is bullet proof, anything can be vulnerable, even people themselves with social engineering attacks.
General recommendations:
- Evaluate your threat model. Just because you *could* get hacked, doesn't necessarely mean that you *will* get hacked. This guide is mostly just attack surface reduction.
- Use Wireshark to monitor the network traffic of your devices or programs.
- Try pentesting on your own. For example, you can use Hashcat to test how secure your passwords are.
- This is just scratching the surface. Do your own research. Learn about security yourself.
- Recommended site: https://security.stackexchange.com/
# Recommended videos
- Online Privacy & Security 101: How to actually protect yourself?: https://youtu.be/qZE45J-MIUg (English)
- Evil Maid attack on Encrypted Boot: https://youtu.be/5HCZXWfIk5Y (English)
- How your device gets hacked: https://youtu.be/8C7ouESJyfM (Spanish)
- Your iPhone is as (in)secure as your Windows: https://youtu.be/DbqkBAjId_U (Spanish, old video and very outdated, but still worth watching)
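Review bot: the command `gpg --symmetric --no-symkey-cache --cipher-algo AES256 your-file` in the Cloud storage section tells the reader to encrypt with a randomly generated password but never says where that password lives or how to get the file back; state that the passphrase must be kept outside the cloud account (a password manager or an offline note) because losing it means losing the file, and add the matching `gpg --decrypt your-file.gpg` step so the reader verifies the encrypted copy is restorable. The same test-restore point applies to the backup advice in the Ransomware section: an offline backup that has never been restored is unverified, and the monthly plus weekly rotation described there only helps if the restore is actually tried. Two smaller items in the same hunk: the comparison table under Chat applications opens with an empty header row (`| | |` followed by `--- |--- |`), so Markdown renders a blank header above the rows; naming the columns, for example `| Trust model | Applications |`, makes the table readable. The bullet `SQL Injections, or any sort of code injection (XSS)` under Programming languages is a fragment rather than a recommendation; rewording it as an instruction (use parameterised queries and output encoding so user input is never interpreted as code) matches the surrounding list. Spelling to fix before merging: succeptible, unsecure, mure, centranized, sphisticated, necessarely.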
BIN
assets/keepassxc.png Normal file
Binary file not shown.
Binary file not shown.
BIN
assets/vpns.png Normal file
Binary file not shown.