Linux Security Good Practice

Some people say that hackers prefer to attack Windows and Mac systems because those have the most users. Is that true? I do not think so.
Every computer becomes a potential target the moment you start using it. So if you run Linux, you still need to follow good practice to protect your machine.

These are some good practices to keep your Linux system safe:
a. Keep your system up-to-date
b. Only install software from trusted sources
c. Use strong passwords and change them regularly
d. Disable all services that you are not using
e. Back up your data and system regularly
f. Do not log in to your machine as root. Use the sudo utility to act as root temporarily


[Book Review] Don’t Get Pwned! How to protect your child online


Where does real online safety begin? Do you have an answer?

If we look back ten years and compare with what we have today, we see a big leap in how we get information. Every day we step into a digital world that we could not have imagined ten years ago.
You start and end your day using smart devices that help you work and enjoy your day. You are (almost) connected to the digital world 24 hours a day. Age does not matter: pre-school kids, teenagers, adults and seniors are all connected to the online environment.
The question now is how you know the real identity of the person you access or talk to. They are hidden behind a profile. You may not know exactly who he or she is. It could be a ‘predator’ who wants to prey on someone, especially children.

So the question at the top becomes important to answer if you want to protect yourself and your family. It starts with the parents. Yeah.. you.. Mom and Dad. Why?
It is simple: Mom and Dad are the role models for a family. You teach your children what real love, respect, honesty and trust are, so they will not be misled by false versions of those.
It is your responsibility to build confidence, trust and respect, because a confident child is naturally less of a target for predators.

I can say that this book is a guideline for parents to protect their family. I agree with the authors that building a relationship is important: how to make your children trust you and be able to talk to you about the issues they run into online.
This book teaches parents how to teach their children to use the internet safely. The authors also give a good explanation of chat rooms, instant messaging and social networking, plus some tips to avoid sexual predators.

I recommend that you read this book so that you can benefit from the authors’ experiences.


How do Big Names want to control and track you?

When smartphones were booming 5 or 6 years ago, two big names became more and more popular. The choice was iOS or Android. Even now, those are still the major players in this industry. They are controlled by Apple and Google respectively, and you might not know that they (secretly) have the ‘power’ to monitor your activities.

At that time, I still chose a Nokia phone that ran on 2G. I only needed to call and send SMS. Now I have been using an Android phone for about 7 months because my job requires it. However, I still miss my old Nokia phone, which stored far fewer secrets.

Recently, I read some news that made me feel my old phone was the best choice. First, Google introduced My Activity (https://myactivity.google.com/). This product reveals that Google knows everything about you. Your activities on the internet are tracked: it shows a searchable history of pretty much everything you do online, including previously visited websites, voice searches, things and places you searched for, Netflix programs you watched, places you looked up on Google Maps and all activities on each of its products. Those activities are tracked not only when you browse on a desktop; they also include what you do on your Android phone. The purpose of storing all these activities is to target relevant ads to Google users and to improve its services. You would be surprised that you can see what you did two or (even) three years ago. My Activity covers almost all Google products, such as Ads, Search, Android, Play, Chrome, YouTube, Video Search, Image Search, Maps, News, Now, Books, Developers, Finance, Help, and Shopping. The good thing is that Google allows you to remove your history records. You can even suspend web and application activity tracking for My Activity, but that could impact features like auto-complete suggestions.

The second is news about a patent that would allow Apple to disable iPhone cameras (https://www.theguardian.com/technology/2016/jun/30/apple-iphone-camera-disable-remote-sensors-patent). The patent shows that Apple may allow iPhone cameras to be disabled through special infrared sensors, giving a concert venue as the example. On one side, it is very good because smartphones (sometimes) are a nuisance at concerts or places of worship, for example. On the other side, it means Apple (and third parties) have the power to reach into the ‘secrets’ in your smartphone.

Now, what we have to think about is how safe our personal data is. Let’s say Google and Apple make their systems always send something to a central server or accept any command… are you OK with this? If not… is there any other OS available on the market that you can use?

For me… my personal view.. I still need them. However, I ‘manage’ what I do (search, watch and listen) and do not open or store confidential files. I am also not interested in doing mobile banking and payments using a smartphone. At least, this is what I can do now.

What about you?  The choice is yours…


Hackers are attacking SWIFT

Hackers are attacking the backbone of the world financial system, SWIFT. Three cases have been reported so far, and a total of around $100 million has been transferred. How did it work?

First, the hackers got past the bank’s security system to install malware. Once installed and running, it started to gain access to the SWIFT messaging network. Using the valid SWIFT credentials of a bank employee, the hackers modified transaction details to transfer money to their destination accounts around the world.

Reference : http://thehackernews.com/2016/05/swift-banking-hack.html


Protecting Against Privilege Escalation

When we talk about system security, we are talking about the main components of our environment. Our data and files reside on some systems, so the security of those systems has to be maintained. Threats and vulnerabilities are inherent to all systems; they are everywhere. One of them is privilege escalation.

Privilege escalation is the exploitation of a vulnerability through which someone gains privileges other than those originally intended for him. This means he is able to access the system under other accounts for his own benefit. There are two types: vertical and horizontal.

Vertical Privilege Escalation
This happens when an attacker uses a vulnerability in the system to gain privileges above what is intended for him. The result can be damage to the system or stolen information.

Horizontal Privilege Escalation
This happens when an attacker uses a vulnerability in the system to gain the privileges of another user who has the same level of privilege as him. For example, John and Liz are both users in the finance department and both have access to payment data. John may attempt to gain Liz’s access so that he can amend some payment data while the system logs Liz as the one who did it.

How to protect our system from Privilege Escalation
The most common vulnerabilities that lead to this are Cross-site Scripting (XSS), improper cookie handling and weak passwords. These are the protections we have to put in place:

  • Validate inputs
  • Make sure the system creates, maintains and destroys cookies properly
  • Avoid weak passwords
  • Implement a rule that forces users to use complex or strong passwords, and set password age limits
  • Implement the separation of privilege principle: divide a system into smaller parts, each with specific duties to perform
  • Implement the least privilege principle: software modules or processes only have the rights needed to perform the actions that module or process is intended to do

Design Authorization or Access Control System

Authorization and authentication mostly come as a pair. Layered upon authentication, authorization is the process of confirming that an authenticated entity has the rights and privileges needed to access resources and perform actions on them. It is the job of access control to carry out the authorization policy. There are three main access control models in use today:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Role-Based Access Control (RBAC)

Each has its own advantages and disadvantages. Some organizations may choose and use multiple access control models that fit their particular systems or environment.

Before we discuss those in more detail, we need to identify the Subject and the Object. The Subject is the entity requesting access and the Object is the resource the Subject will act upon. A Subject can be a human user or a system process.

Discretionary Access Control (DAC)
DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the owner of the resource: he or she has the right to decide who can access it and what level of privileges or rights is given. It is usually implemented using Access Control Lists (ACLs). The relationship between the individuals (subjects) and the resources (objects) is direct, and the mapping of individuals to resources by the owner is what constitutes the ACLs. This method can be integrated with Role-Based Access Control, in which case we map between users’ roles (as Subject) and resources.

(Figure: an example of an Access Control List from Windows.)


Mandatory Access Control (MAC)
MAC is based on a hierarchical model. Access to objects is restricted for subjects based on the sensitivity of the information contained in the objects. The sensitivity is represented by a level and a label. All users are assigned a clearance level and all objects are assigned a security label, and access is determined by matching a subject’s clearance level against the object’s sensitivity level.

For example, we have data in the categories top secret, secret, confidential, internal and public. We also have the clearance levels chief of department, manager, supervisor and ordinary user. A manager has the right to access all data in the secret category and below. The chief of department has the right to access all available data. Ordinary users can only access internal and public data.

In this model, access is controlled by the administrator, and it can be quite cumbersome to manage. An administrator can quickly become overwhelmed as the systems grow more complex. That is the disadvantage of the MAC model.

Role-Based Access Control (RBAC)
So far, this is the model I commonly use in my systems. Access is given based on roles instead of individual users, and those roles are managed by the administrator. The administrator determines all available roles within the organization and then maps them to job functions and tasks.

(Figure: role-based access model.)

What this mainly provides is that the resource is not directly mapped to the Subject but only to the role. Since individuals change over time while roles generally do not, Subjects can easily be assigned to or revoked from roles.
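To make the three models and the John-and-Liz scenario from the privilege escalation section concrete, here is an added example in Python (not code from the original post): a MAC clearance check over the data categories above, a DAC resource whose owner maintains its ACL, an RBAC role map, and an amend_payment function that ties both the decision and the audit record to the authenticated session user. The users john, liz and maria, the role names, the permission strings and the supervisor clearance level are constructed assumptions; the text defines none of them beyond John and Liz.

```python
from dataclasses import dataclass, field
from enum import IntEnum

AUDIT_LOG = []   # in-memory stand-in for an append-only audit trail


# ---- Mandatory Access Control: the data categories from the text as an ordered lattice ----
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Clearances as described in the text; the supervisor level is an assumption, the text does not state it.
CLEARANCE = {"chief": Level.TOP_SECRET, "manager": Level.SECRET,
             "supervisor": Level.CONFIDENTIAL, "ordinary": Level.INTERNAL}


def mac_allows(clearance: Level, label: Level) -> bool:
    """A subject may read an object whose sensitivity label is at or below its clearance."""
    return clearance >= label


# ---- Discretionary Access Control: the owner of a resource maintains its ACL ----
@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights, decided by the owner

    def grant(self, granter: str, subject: str, rights: set) -> None:
        if granter != self.owner:              # DAC: only the owner may change the ACL
            raise PermissionError(f"{granter} does not own {self.name}")
        self.acl.setdefault(subject, set()).update(rights)


def dac_allows(resource: Resource, subject: str, right: str) -> bool:
    return subject == resource.owner or right in resource.acl.get(subject, set())


# ---- Role-Based Access Control: users map to roles, roles map to permissions ----
ROLE_PERMISSIONS = {"finance_clerk": {"payment:read"},
                    "finance_manager": {"payment:read", "payment:amend"}}
USER_ROLES = {"john": {"finance_clerk"}, "liz": {"finance_clerk"},
              "maria": {"finance_manager"}}   # maria is a constructed extra user


def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- The John-and-Liz scenario from the privilege escalation section ----
def amend_payment(session_user: str, record: Resource, request: dict) -> bool:
    """Amend a payment record on behalf of the authenticated session user.

    Whatever 'actor' the request body claims is ignored for the decision, and the
    audit entry names the session user, so John cannot have Liz logged as the one
    who changed the record. The action needs both a role permission (RBAC) and a
    right on this particular record (DAC).
    """
    allowed = (rbac_allows(session_user, "payment:amend")
               and dac_allows(record, session_user, "amend"))
    AUDIT_LOG.append({"actor": session_user, "claimed_actor": request.get("actor"),
                      "record": record.name, "action": "amend", "allowed": allowed})
    return allowed


def scenario() -> list:
    """Constructed walk-through; returns the audit entries it produced."""
    AUDIT_LOG.clear()
    liz_payment = Resource("payment-0042", owner="liz")
    liz_payment.grant("liz", "maria", {"amend"})           # Liz, as owner, lets her manager amend it
    amend_payment("john", liz_payment, {"actor": "liz"})   # denied: no role permission, no ACL entry
    amend_payment("maria", liz_payment, {})                # allowed: role permission and ACL right
    amend_payment("liz", liz_payment, {})                  # denied: owner, but a clerk role cannot amend
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for entry in scenario():
        print(entry)
    print("manager reads SECRET:", mac_allows(CLEARANCE["manager"], Level.SECRET))
    print("ordinary reads CONFIDENTIAL:", mac_allows(CLEARANCE["ordinary"], Level.CONFIDENTIAL))
```

The horizontal escalation case is closed by two choices in amend_payment: the only identity that matters is the one established by authentication, never a name carried in the request, and the DAC check is on the specific record, so being a fellow clerk with the same role as Liz is not enough to touch her data. The same pattern (role gate plus object-level gate plus an audit entry naming the real actor) is what the "least privilege" and "separation of privilege" bullets above amount to in code.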


[Book Review] Windows Security Essentials


Every asset in an organization carries risk. That was my first mindset when I started reading this book. The challenge is to minimize the risk and keep it at a level we can handle. One way to minimize risk is to implement security controls, applied as holistic security. Holistic security covers the people, process and technology elements around our systems and applications. It also includes the physical place where our hardware sits.

If you have system(s) running on Windows, you can read this book, Windows Security Essentials. It covers the basics of security in a Microsoft environment. Some interesting topics in this book are:

  • Understanding how risk and threat impact security principles
  • Recognizing malware in all its forms
  • Defending against social engineering attacks
  • Identifying the three aspects of user authentication
  • Securing access using NTFS permissions
  • Protecting clients, servers, and networks
  • Understanding encryption, certificates and PKIs

The one thing I like about this book is its treatment of understanding risk and hardening our systems. It explains from the basics with explanations that are easy to understand. I learned more about NTFS and how to secure it with permissions.


[Book Review] Visual Quickstart Guide – Unix and Linux


I needed to refresh my knowledge of basic Linux commands. I browsed some reference books but did not want to read detailed information, so I tried to find some Linux pocket books. I got ‘Visual Quickstart Guide – Unix and Linux (Fifth Edition)‘ by Deborah S. Ray and Eric J. Ray.

Overall, yeah.. it is not for advanced users or anyone looking for detailed information. It lists only the common commands we can use in daily administration tasks. Those are:

  • How to work with directories and files (e.g. ls, mkdir, find, touch, tar, gzip, etc.)
  • How to manipulate files and control their ownership and permissions
  • How to write basic scripts
  • How to edit files using vim and nano
  • How to send and read email
  • How to access the internet (e.g. using ssh, telnet, ftp, etc.)
  • How to get information about the system

Beyond that, this book also provides references for commands, flags and arguments. Those can serve as handy utilities when you do your tasks.


Common Unix/Linux directories

Common Unix/Linux directories and their contents.


Directory        Contents
/bin             Essential programs and commands for use by all users
/boot            Files used in booting the operating system
/dev             Device files, such as alarm, cdrom, cpu, cdrw, etc.
/etc             System configuration files and global settings
/etc/sysconfig   Files that control the system configuration
/etc/X11         Configuration files for the X Window System
/lib             Shared libraries
/home            Home directories for users
/lost+found      Recovered files that were not properly closed, for reasons such as a power failure
/misc            Used for automatically mounting directories on removable devices and remote directories
/mnt             Mount points for file systems mounted after the system is booted
/opt             Optional application software packages
/proc            Location of the virtual file system
/root            Home directory for the root user
/sbin            Essential system binaries
/tmp             Temporary files
/usr/bin         Commands and programs that are less central to basic Unix functionality than those in /bin but still useful and often important
/usr/include     Standard include files and header files for C programs
/usr/lib         Libraries for installed packages
/usr/local       Most files and data that were developed or customized on the system
/usr/share       Shared data files
/var             Variable data, including system logs, temporary data from programs, and user mail storage

Is your password strong enough?

I have trouble memorizing things, especially passwords. I have to memorize many passwords for applications on the Internet. However, I believe I am not the only one with this problem 🙂

How to memorize passwords?

I see the comic above and understand that the most important thing is a password that is hard to crack and easy to remember. That combination is our goal. Let’s open this site, https://howsecureismypassword.net/. If you compare both passwords you will find that the second one takes more time to crack. I do not know how that site calculates the strength of a password, but we can use it to compare each password we enter.

Rule #1 : Length is important. Some advice suggests at least 12 characters. If you can go up to the full length of the password field, even better 🙂

Rule #2 : Use a mixture of upper-case and lower-case letters, numbers and symbols.

Rule #3 : Not a single word, and not a common word in any language. Not sure about it? Go to the OWASP SecLists project. That project has millions of single common words that can be used to crack your password.

Rule #4 : Change it regularly (e.g. every 6 months).

Rule #5 : Do not use a password that you have used recently.

Rule #6 : Not your telephone number, username, your spouse’s or kid’s name and their birthdate, mother’s maiden name or anything that someone might associate with you.

Rule #7 : Do not use common substitutions (e.g. 4 for a or 5 for s).

Rule #8 : Do not use one password for all accounts, even if it is quite strong.
Once it has been cracked, all your accounts are compromised.. sad..

Rule #9 : You may include the name of the application or service in your password (read my example below).

Let’s try to apply those rules. I want to create a strong password for my Facebook account. I like listening to songs, especially from the 70’s, 80’s and 90’s… I take the song ‘If’ by Bread, and this is my password:

Facebook If A Picture Paints A Thousand Words

Rule #1 : Yeah.. there are 45 characters (including spaces).
Rule #2 : Done. I have spaces and a combination of upper-case and lower-case.
Rule #3 : Of course it is not a single word.
Rule #7 : Done. No common substitutions (e.g. 4 for a or 5 for s).
Rule #9 : I put Facebook in it 🙂 It makes my password strong as well.

When I try it on https://howsecureismypassword.net, I get 603 unvigintillion years to crack it using a desktop PC.
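To see the rules as something a system can enforce rather than only advice, here is an added example in Python (not code from the post or from the site mentioned above): a small policy checker that implements Rules #1, #2, #3, #5, #6 and #7, plus a rough brute-force estimate of the kind that site reports. The common-word list, the personal details and the recent-password history are constructed stand-ins (a real check would load the SecLists file from disk), and the three-character-class threshold for Rule #2, with a space counted as a symbol, is an assumption chosen so that the post’s passphrase passes the same way the post says it does.

```python
import hashlib
import re

MIN_LENGTH = 12   # Rule #1

# Constructed stand-in for a wordlist such as the OWASP SecLists common passwords;
# a real check would load the full file from disk.
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "facebook", "football"}

# Constructed personal details for a hypothetical user (Rule #6).
PERSONAL_INFO = {"john", "liz", "19800101", "0812345678"}

# Common substitutions the post warns about (Rule #7), mapped back to the letter they imitate.
SUBSTITUTIONS = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "5": "s", "$": "s", "7": "t"})


def password_hash(password: str) -> str:
    """SHA-256 of the password, used only to keep a history of recent passwords (Rule #5)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count which of upper, lower, digit and symbol appear; a space counts as a symbol."""
    return sum(bool(re.search(pattern, password))
               for pattern in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(password: str, recent_hashes=frozenset(), personal_info=PERSONAL_INFO) -> list:
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("rule1_too_short")
    if character_classes(password) < 3:          # assumption: three of the four classes
        problems.append("rule2_too_few_character_classes")
    words = lowered.split()
    if len(words) == 1 and words[0] in COMMON_WORDS:
        problems.append("rule3_single_common_word")
    if password_hash(password) in recent_hashes:
        problems.append("rule5_reused_recently")
    if any(item in lowered for item in personal_info):
        problems.append("rule6_contains_personal_info")
    desubstituted = lowered.translate(SUBSTITUTIONS)   # 'p4ssw0rd' -> 'password'
    if desubstituted != lowered and desubstituted in COMMON_WORDS:
        problems.append("rule7_common_word_with_substitutions")
    return problems


def brute_force_years(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case years to exhaust pool_size ** length at the given guess rate.
    This is the kind of figure the site in the post reports, not its formula, and it
    assumes the attacker must try every combination rather than a wordlist."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33                               # printable ASCII symbols, space included
    combinations = pool ** len(password)
    return combinations / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["password", "P4ssw0rd", "Facebook If A Picture Paints A Thousand Words"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}, "
              f"~{brute_force_years(candidate):.3g} years to brute-force")
```

Two caveats that the checker makes visible. The brute-force figure assumes an attacker walks the whole keyspace, so for a passphrase made of ordinary words (song lyrics included) it is an upper bound: a wordlist or phrase list guesses those far faster than pool_size ** length suggests. And the service name from Rule #9 adds length but is also the most predictable part of the string, so the strength really comes from the words that follow it.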

Now… after reading this.. how strong is your password? The choice is yours…..
