From 9d568f3215f3e17ee727fe48e2afa1e0555b49ff Mon Sep 17 00:00:00 2001 From: Franco Colmenarez Date: Tue, 31 Jan 2023 22:18:52 -0500 Subject: [PATCH] Fix more typos and add more info --- README.md | 60 ++++++++++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 220c12a..f862e2c 100644 --- a/README.md +++ b/README.md @@ -87,7 +87,7 @@ Some services (especially bank accounts) still require you to answer security qu ## VPNs [VPNs](https://en.wikipedia.org/wiki/Virtual_private_network) can be useful for privacy *in some cases*, but they don't help much for security. -Most websites already protect the data with the HTTPS protocol. A VPN can prevent man-in-the-middle from sniffing a site's data if you visit a non-HTTPS site, but once the requests leave the VPN servers, the data is no longer encrypted by the VPN protocol, so you should avoid visiting those sites anyway. +Most websites already protect the data with the HTTPS protocol. Web browsers also support an HTTPS-only mode. A VPN can prevent man-in-the-middle from sniffing a site's data if you visit a non-HTTPS site, but once the requests leave the VPN servers, the data is no longer encrypted by the VPN protocol, so you should avoid visiting those sites anyway. Also, [many VPNs have lied about their no-log policies](https://torrentfreak.com/ipvanish-no-logging-vpn-led-homeland-security-to-comcast-user-180505/). Don't think that this is only an issue with free VPNs and that it doesn't happen with paid ones. Just because you gave money to a VPN provider isn't any warranty that they are not going to give your data to someone else anyway. There's no way to know if a VPN is collecting data about you, either intentionally or not. 
@@ -161,7 +161,7 @@ Perhaps the most secure Android experience that you can have (or in smartphones You can read a more detailed explanation [here](https://madaidans-insecurities.github.io/android.html) about how Android users tend to worsen the security of their devices. ## Desktop operating systems -Desktop operating systems were not designed with security in mind and they are usually more vulnerable than other operating systems. Here are some things that you can do to improve the security of desktop operating systems. +Desktop operating systems were not designed with security in mind and they are usually more vulnerable than other operating systems. Here are a couple of recommendations for Desktop operating systems: * Lock the screen if you have to leave it turned on. On Windows, you can do this with `Ctrl + L`. @@ -179,7 +179,7 @@ Here's how to enable disk encryption on different desktop operating systems: 3. If you have Bitlocker enabled, you will see a lock icon on your `C:` drive under the "This PC" menu. - **MacOS**: Any modern Apple desktop device supports hardware-based encryption. Make sure to enable [FireVault](https://support.apple.com/en-us/HT208344). - **Linux**: Linux users have many different disk encryption options. Here are a few alternatives: - - Installing Pop!_OS, which gives you the option of encrypting the disk during installation. + - Installing [Pop!_OS](https://pop.system76.com/), which gives you the option of encrypting the disk during installation. - Some installers allow you to encrypt the home folder. You can also encrypt an existing Home folder: https://wiki.archlinux.org/title/ECryptfs#Encrypting_a_home_directory - Partition the drive yourself with dm-crypt and encrypted boot partition: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB) - Other disk encryption alternatives: https://wiki.archlinux.org/title/Data-at-rest_encryption#Available_methods 
@@ -202,17 +202,19 @@ If you use a modern Apple desktop device, you can read this article and skip the Here are some tips for Windows and Linux users: -- **Windows**: If you got a brand new laptop with Windows 10 or Windows 11, more than likely you already have Secure Boot and TPM enabled. Just remember that you need to protect the BIOS settings. +- **Windows**: If you got a brand new laptop with Windows 10 or Windows 11, more than likely you already have Secure Boot and TPM enabled. Just remember that you need to protect the BIOS settings with a password. - **Linux**: Linux users will have a hard time trying to get Secure Boot to even start up, not to mention all the struggles that you will have trying to make it effective. - A recommendation is to install your Linux distribution with the above mentioned dm-crypt encrypted boot scheme and read this article: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#PreLoader - to evaluate the possible methods to enable Secure Boot for Linux. + The reason why it is so hard to use Linux with Secure Boot is that motherboard manufacturers use Microsoft's signing keys by default (because most people are going to install Windows anyway), which are obviously not compatible with most Linux distributions. + + A recommendation is to install your Linux distribution with the above mentioned dm-crypt encrypted boot scheme and read this article: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#PreLoader + to evaluate the possible methods to enable Secure Boot for Linux. + You can upload your own keys to your motherboard as mentioned in this guide: https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot - But you can potentially brick your motherboard if you don't know what you are doing. - Effective TPM under Linux is even more complicated. 
You can know more about it here: https://wiki.archlinux.org/title/Trusted_Platform_Module - but my recommendation is; don't even bother trying to use it. Just use full disk encryption + secure boot and set a password for your BIOS and pray that an attacker doesn't find a way around it. This isn't bulletproof against - evil maid attacks but it's better than nothing. + but you can potentially brick your motherboard if you don't know what you are doing. + + Effective TPM under Linux is even more complicated. You can know more about it here: https://wiki.archlinux.org/title/Trusted_Platform_Module, but it's recommended to not even bother trying to use it. Just use full disk encryption + secure boot and set a password for your BIOS and pray that an attacker doesn't find a way around it. This isn't bulletproof against evil maid attacks but it's better than nothing. Remember, evaluate your threat model before considering investing your time doing these practices. For example, if someone breaks into your house, unless you are targeted and they want to specifically get a piece of data from you without using violence, they are probably just going to steal the whole computer and sell it to someone else. In that case, your data is protected by disk encryption. 
@@ -223,7 +225,13 @@ Android and iOS have sandboxing features by default for every app that you insta * **Windows** users can use can use the [Windows Sandbox](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) utility to run untrusted programs. * **MacOS** users already have their applications sandboxed if they were installed from the App Store: https://developer.apple.com/documentation/security/app_sandbox -* **Linux** users have different options: https://wiki.archlinux.org/title/Security#Sandboxing_applications. **Avoid using Firejail**. Firejail runs as root and it increases the potential risk of privilege escalation. The recommended sandboxing utility for Linux is [Bubblewrap](https://github.com/containers/bubblewrap). The catch is that Bubblewrap is not very friendly to use, but it's far more secure and granular compared to other alternatives. A friendlier alternative is using [Flatpaks](https://wiki.archlinux.org/title/Flatpak) which uses Bubblewrap underneath, and you can control the permissions of your applications with [Flatseal](https://github.com/tchx84/Flatseal). [There](https://hanako.codeberg.page/), [are](https://flatkill.org/), [criticisms](https://flatkill.org/2020/) against Flatpak's sandboxing features. However, using Flatpak + Flatseal is still far better than the traditional way of installing packages on Linux which doesn't have any sandboxing at all. +* **Linux** users have different options: https://wiki.archlinux.org/title/Security#Sandboxing_applications. + + **Avoid using Firejail**. Firejail runs as root and it increases the potential risk of privilege escalation. + + The recommended sandboxing utility for Linux is [Bubblewrap](https://github.com/containers/bubblewrap). The catch is that Bubblewrap is not very friendly to use, but it's far more secure and granular compared to other alternatives. 
+ + A friendlier alternative is using [Flatpaks](https://wiki.archlinux.org/title/Flatpak) which uses Bubblewrap underneath, and you can control the permissions of your applications with [Flatseal](https://github.com/tchx84/Flatseal). [There](https://hanako.codeberg.page/), [are](https://flatkill.org/), [criticisms](https://flatkill.org/2020/) against Flatpak's sandboxing features. However, using Flatpak + Flatseal is still far better than the traditional way of installing packages on Linux which doesn't have any sandboxing at all. ### Pirating software Hackers who take their time to crack programs, don't usually do it for free, sometimes you are the product. 
@@ -245,13 +253,13 @@ Electron isn't inherently insecure by itself. In fact, Electron has [sandboxing However, if you run an Electron app instead of the Web equivalent, you are running such software with higher privileges on your system. For example, an Electron app is able to read your whole home folder (if not properly sandboxed with another tool), and even use zero-day exploits to scale privileges, such as [Pwnkit](https://github.com/arthepsy/CVE-2021-4034) (Note: Pwnkit has already been patched, the point is to reduce the possibility of privilege escalation). -On the other hand, the Web equivalent is sandboxed within the browser's sandbox, and thus, they are more secure than using the Electron equivalent. +On the other hand, the Web equivalent is sandboxed within the actual browser's environment, therefore, they are a bit more secure than using the Electron equivalent. -Also, many developers don't regularly update the Electron version of their apps, and as such, they use an old version of Chromium and Electron that doesn't have the latest security patches. +Also, many developers don't regularly update the Electron version of their apps, so many Electron apps are using an old version of Chromium and Electron that doesn't have the latest security patches. For example at the time of writing this article, **Discord uses Chromium version 91, and Electron version 13**. Whereas the latest stable Chromium version is 109, and the latest stable Electron release is 22. You can prove this by yourself by using [this method](https://stackoverflow.com/a/75089818). -Electron apps that can be used within a browser: +Electron apps that can be used within a web browser: - Slack - Discord - Figma 
@@ -264,10 +272,15 @@ And many others. Another advantage of using the web equivalent of your apps is that you can save a bit more RAM because each app is using the same browser instance. ### Windows specific -- Enable password for admin privileges -- Avoid using activation tools such as KMSPico. The reason why is explained below under the "Pirating software" section. You can find legitimate Windows activation keys for very cheap. Also, a lot of motherboards nowadays come with an OEM key preinstalled (UEFI). +- Enable password for admin privileges. + + You can achieve this by hitting `Windows Key + R`, typing `secpol.msc`, then click on "Enter" or "OK", On the left panel, click on "Local Policies" > "Security Options". Double click on "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode", and under the "Local Security Setting" section, select "Prompt for credentials" and persist the changes by clicking on "Apply" and "OK". This prevents privilege escalation from an attacker if you leave the screen unlocked (it can also prevent some [Rubber Ducky](https://docs.hak5.org/hak5-usb-rubber-ducky/) attacks). + + If you find this inconvenient, you can revert it by following the same steps but selecting "Prompt for consent" instead. + +- Avoid using activation tools such as KMSPico. The reason why is explained below under the "Pirating software" section. You can find legitimate Windows activation keys for very cheap. Also, a lot of motherboards and laptops nowadays already come with an OEM key preinstalled ([UEFI](https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/boot-and-uefi)). - Use [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) to run untrusted programs. 
-- Enable Bitlocker +- Enable [Bitlocker](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview) (how to do so is explained in the "Disk Encryption" section). - If you want to download a Windows ISO, Download it from [Microsoft's official website](https://www.microsoft.com/en-us/software-download/windows11) directly, not from any other source, that way you make sure that the ISO hasn't been tampered with. - Avoid using Windows 8.1 or lower. these systems [are no longer supported by Microsoft](https://support.microsoft.com/en-us/windows/windows-8-1-support-ended-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93) and they are vulnerable. Consider upgrading to Windows 10 or higher. - [Enable filename extensions](https://support.microsoft.com/en-us/windows/common-file-name-extensions-in-windows-da4a4430-8e76-89c5-59f7-1cdbbc75cb01) to be aware of what kind of programs you are double clicking on. @@ -289,7 +302,7 @@ Here are some tips on how you can improve Linux Desktop security: ## Wireless devices -Wireless devices can be more convenient because cables can be annoying for some people. However, because you no longer need physical access to hijack the communication between devices, the attack surface is increased because someone nearby can be exploiting a vulnerability on your devices. +Wireless devices can be very convenient to use because cables can be annoying for some people. However, because you no longer need physical access to hijack the communication between devices, the attack surface is increased because someone nearby can be exploiting a vulnerability on your devices. [Bluetooth has always been insecure](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth) and you should avoid using it if you can. 
@@ -338,8 +351,7 @@ gpg --symmetric --no-symkey-cache --cipher-algo AES256 your-file ``` ## Ransomware -Any operating system is vulnerable to this (Android, iOS, Windows, Mac, Linux, etc) -Getting infected by a [Ransomware](https://en.wikipedia.org/wiki/Ransomware) is not just a matter of how, but when. +Any operating system is vulnerable to this (Android, iOS, Windows, Mac, Linux, etc). Getting infected by a [Ransomware](https://en.wikipedia.org/wiki/Ransomware) is not just a matter of how, but when. Some ransomware can be so sophisticated that [they can even detect backup drives and encrypt that as well](https://security.stackexchange.com/questions/56084/are-backups-really-secure). @@ -352,8 +364,7 @@ If you are a software developer yourself, consider using Rust for writing your p For example, [the "null" value doesn't exist in Rust](https://doc.rust-lang.org/book/ch06-01-defining-an-enum.html#the-option-enum-and-its-advantages-over-null-values), an enum has to be used instead, forcing the developer to always handle a case when there's no value. -This isn't just Rust evangelism, it's just that [most of the security flaws come from memory unsafety issues](https://www.chromium.org/Home/chromium-security/memory-safety/), -Not just with Chromium, [but with all kinds of other programs as well](https://www.phoronix.com/news/IBM-Possible-Rust-GRUB). +This isn't just Rust evangelism, it's just that [most of the security flaws come from memory unsafety issues](https://www.chromium.org/Home/chromium-security/memory-safety/), not just with Chromium, [but with all kinds of other programs as well](https://www.phoronix.com/news/IBM-Possible-Rust-GRUB). Note: There are all kinds of security flaws that can happen with any programming language, even with Rust. This section is about memory safety specifically. 
@@ -368,7 +379,7 @@ Don't blindly trust whatever anyone tells you about security. No piece of techno General recommendations: - Evaluate your threat model. Just because you *could* get hacked, doesn't necessarily mean that you *will* get hacked. This guide is mostly just attack surface reduction. -- Use Wireshark to monitor the network traffic of your devices or programs. +- You can use Wireshark to audit the network traffic of your devices or programs. - Try pentesting on your own. For example, you can use Hashcat to test how secure your passwords are. - This is just scratching the surface. Do your own research. Learn about security yourself. - Recommended site: https://security.stackexchange.com/ @@ -376,6 +387,5 @@ General recommendations: # Recommended videos - Online Privacy & Security 101: How to actually protect yourself?: https://youtu.be/qZE45J-MIUg (English) - Evil Maid attack on Encrypted Boot: https://youtu.be/5HCZXWfIk5Y (English) - - How your device gets hacked: https://youtu.be/8C7ouESJyfM (Spanish) + - How your device gets hacked: https://youtu.be/8C7ouESJyfM (English) - Your iPhone is as (in)secure as your Windows: https://youtu.be/DbqkBAjId_U (Spanish, old video and very outdated, but still worth watching) -
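Review bot: In the `@@ -87,7 +87,7 @@` hunk (VPNs), the added sentence "Web browsers also support an HTTPS-only mode." names a capability but gives the reader nothing to act on. Suggest phrasing it as advice and tying it to the non-HTTPS case the next sentence discusses, for example: "Enable your browser's HTTPS-only mode so that it warns you before loading a non-HTTPS site."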
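Review bot: In the `@@ -179,7 +179,7 @@` hunk (disk encryption), the MacOS line just above the changed Pop!_OS line still spells Apple's feature "FireVault"; the name is FileVault. Since this commit is a typo pass and already touches the neighbouring line, fix the link text here as well.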
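Review bot: In the `@@ -202,17 +202,19 @@` hunk (Secure Boot), the new sentence under **Linux** says Microsoft's signing keys "are obviously not compatible with most Linux distributions", which is stronger than the rest of the paragraph supports: the very next sentence links the PreLoader section, which is about booting under the default keys. Suggest saying that firmware ships trusting only Microsoft's keys, so a distribution needs either a Microsoft-signed loader or your own enrolled keys, and dropping "obviously".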
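Review bot: In the `@@ -223,7 +225,13 @@` hunk (sandboxing), the **Windows** context line still reads "users can use can use the [Windows Sandbox]"; the duplicated "can use" should go in this typo pass. The paragraph split for the **Linux** item itself reads fine.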
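Review bot: In the `@@ -245,13 +253,13 @@` hunk (Electron), the rewritten sentence "the Web equivalent is sandboxed within the actual browser's environment, therefore, they are a bit more secure" has a comma splice and switches from singular "equivalent" to "they". Suggest "the Web equivalent runs inside the browser's sandbox and is therefore more secure than the Electron equivalent"; if the softening to "a bit" is intentional, say what limits the gain.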
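Review bot: In the `@@ -264,10 +272,15 @@` hunk (Windows specific), the new `secpol.msc` steps do not say which Windows editions they apply to; the Local Security Policy console is not included in Home editions, so a note or an alternative for those users is needed. In the same paragraph, `click on "Enter" or "OK", On the left panel` should read as two sentences ("press Enter or click OK. On the left panel, ..."), and the KMSPico line says the reason is "explained below" although the `@@ -223` hunk shows "### Pirating software" appearing earlier in the file, so "above" is the correct direction.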
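Review bot: In the `@@ -338,8 +351,7 @@` hunk (Ransomware), the joined line keeps "is not just a matter of how, but when", which does not parse as the usual contrast. If the intended meaning is that infection should be expected, "is not a matter of if, but when" says it; the line is already being edited, so this is the place to fix it.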
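Review bot: In the `@@ -376,6 +387,5 @@` hunk (Recommended videos), the label for https://youtu.be/8C7ouESJyfM changes from "(Spanish)" to "(English)", which the commit subject ("Fix more typos and add more info") does not cover. Please confirm the language and mention the correction in the commit message, since a wrong label here sends readers to a video they cannot follow.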