As operating systems go, Linux has preferences worth reviewing and security features worth noting. Many of my readers use Linux for the same reasons I do, and one of those reasons is security.
How secure is Linux?
Compared to the BSDs it is not particularly more or less secure. It has clear advantages for most users over Windows, and is arguably more secure in practice than a Mac, due in part to the way most attackers actually compromise an operating system: commodity malware is written for the platform with the most victims. That does not mean Linux goes untargeted, only that its small desktop share makes it a poor target for mass attacks (Linux servers are another matter).
When we talk about Linux being more secure, it generally has something to do with how little malware actually works against Linux. It isn't true that none does, but the overwhelming majority of traditional viruses are Windows executables that simply will not run on a Unix or Linux system. The unprivileged-user model helps too: malware you run as a normal user cannot touch the system itself without a privilege escalation, although it can still read, encrypt or exfiltrate everything in your home directory, which is usually what you actually care about.
But does that mean it’s really more secure?
During the installation of most Linux distributions you are offered the option of encrypting certain folders or even whole partitions, i.e. the home folder, the root partition and so on (typically LUKS for partitions). This might seem like a sure-fire way to prevent anyone from compromising a system, but it isn't: once you have logged in, the data is decrypted for every process running as you, so malware you execute reads your files as easily as you do. What disk encryption buys you is protection for data at rest, against someone who boots your machine from a USB stick or pulls the drive, at the cost of an extra passphrase at boot or login. It is also a different thing from how your password is stored. /etc/shadow does not hold an AES-encrypted copy of your password but a salted one-way hash (SHA-512 or yescrypt on current distributions), so there is nothing in it to decrypt.
What does increase the security of a Linux system is the option to make certain files unchangeable, using the immutable file attribute.
I’m copying a bit from the link above here for quicker implementation’s sake.
Protecting important files

You can protect important files such as /etc/shadow, /etc/group and /etc/passwd by setting the immutable attribute on them:

- sudo su (followed by your password at the prompt)
- chattr +i /etc/shadow
- chattr +i /etc/group
- chattr +i /etc/passwd (optional)

With the flag set, /etc/shadow can no longer be modified, renamed or deleted, so nobody can change or remove your password until the flag is cleared again with chattr -i /etc/shadow. Two caveats: root (or an attacker who has become root) can clear the flag just as easily, since all it takes is CAP_LINUX_IMMUTABLE; and passwd, useradd and usermod will fail for everyone while the files are locked, so this protects against accidents and low-privilege tampering rather than against a determined attacker.
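As an added example (not from the original post, and not from the guide it quotes): a small POSIX shell script that puts the chattr procedure above into reusable form. It locks the account files, verifies the flag actually took by parsing lsattr output, and wraps passwd, useradd and friends so the lock is lifted only while they run. The file list and the command verbs are my choices, not anything the post prescribes; the script needs root and a filesystem with attribute support (ext4, xfs, btrfs, not tmpfs) to do anything.

```shell
#!/bin/sh
# Added example, not from the original post: lock the account database with
# the immutable attribute, verify it took, and wrap the maintenance commands
# that must write those files. Needs root (CAP_LINUX_IMMUTABLE) and a
# filesystem that supports attributes.
set -u

# Assumption: these are the files you care about. Files that do not exist
# on your system (e.g. /etc/gshadow) are skipped automatically.
AUTH_FILES="/etc/passwd /etc/group /etc/shadow /etc/gshadow"

# Given one line of lsattr output ("----i---------e------- /etc/shadow"),
# report whether the 'i' flag is set. Only the attribute field is inspected,
# so an 'i' in the file name does not count.
lsattr_line_is_immutable() {
    li_attrs=${1%% *}
    case "$li_attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Is the file currently immutable? Missing file or no lsattr support -> no.
is_immutable() {
    ii_line=$(lsattr -d "$1" 2>/dev/null) || return 1
    lsattr_line_is_immutable "$ii_line"
}

# Set +i on each existing auth file and verify the flag really took.
lock_auth_files() {
    for la_f in $AUTH_FILES; do
        [ -e "$la_f" ] || continue
        chattr +i "$la_f" 2>/dev/null || {
            echo "chattr +i failed on $la_f: run as root on a filesystem with attribute support" >&2
            return 1
        }
        is_immutable "$la_f" || { echo "$la_f is still mutable" >&2; return 1; }
    done
}

# Clear the flag again. Anyone with root can do this too, which is why +i
# stops accidents and unprivileged tampering, not an attacker who is root.
unlock_auth_files() {
    for ua_f in $AUTH_FILES; do
        if [ -e "$ua_f" ]; then chattr -i "$ua_f"; fi
    done
}

# passwd, useradd, usermod and chage replace these files by writing a temp
# file and renaming it over the original; +i forbids both. Drop the lock only
# for the duration of such a command, e.g.:  with_auth_files_unlocked passwd alice
with_auth_files_unlocked() {
    unlock_auth_files
    "$@"
    wu_rc=$?
    lock_auth_files
    return "$wu_rc"
}

# Minimal CLI: lock | unlock | status | run <command...>
case "${1:-}" in
    lock)   lock_auth_files ;;
    unlock) unlock_auth_files ;;
    status) for st_f in $AUTH_FILES; do
                [ -e "$st_f" ] || continue
                if is_immutable "$st_f"; then echo "locked   $st_f"; else echo "mutable  $st_f"; fi
            done ;;
    run)    shift; with_auth_files_unlocked "$@" ;;
    *)      ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run it as root with `lock` once, check with `status`, and from then on change passwords or add users through `run`, e.g. `./authlock.sh run passwd alice`; otherwise passwd will fail with a permission error for every user, root included.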
The link of course gets far more involved with chattr, but you get the general idea. Optionally you can install AES Crypt to encrypt individual files.
Or, if you are handy with Python, you can use PyCrypto; note that PyCrypto is no longer maintained, so its drop-in successor PyCryptodome (or the cryptography package) is the better choice today.
By itself Linux has advantages regarding firewall simplicity and integrity checking, and even experienced admins will admit that a reverse shell or an SSH session on a Linux machine is no guarantee of anything, provided the user has even a passing familiarity with their system: a shell as an unprivileged user is a foothold, not control. Setting up an authorised SSH key and then getting a graphical remote desktop out of it often requires specialised X session configuration, which is not easy to do remotely.
That means that, aside from seeing that the machine is there, even within one's own network connecting to it and affecting it are two different things. While telnet, SSH, RDP and VNC connections are almost as easy to open as uploading a file over FTP, "taking control of someone's computer" is a bit trickier. (Telnet and FTP send credentials in clear text, so avoid them where you can; and classic VNC authentication only uses the first eight characters of the password, so a VNC password should certainly not be the same as the root password.)
The most common attacks are still browser based and rely on social engineering, which means someone is more likely to defraud you out of your website passwords than to break the OS, and that doesn't change with your choice of operating system. Google's Chrome OS has done a great job of trying to idiot-proof the browser.
Linux can be zipped up tighter than anyone would guess, and depending on one's browser configuration one can be relatively safe. The same can be done to some degree on any OS, and the more obscure the platform, the less likely it is to be targeted directly.
It eventually boils down to things like encryption. RSA works the other way round from how it is often described: you first pick two very large primes, p and q, and multiply them; the product n = p·q (a semiprime) goes into the public key, while the private key depends on knowing p and q themselves. Anyone can see n, but recovering p and q from it, i.e. factoring it, is what takes infeasibly long for numbers of the right size, and that is what keeps the private key private.
With small numbers the factoring is trivial: given 91, you quickly see it is 7 × 13.
On the other hand, the number below is the kind of thing an attacker is stuck with when they want the key protecting someone's credit card details. What two primes was it made of?
RSA-100 = 1522605027922533360535618378132637429718068114961380688657908494580122963258952897654000350692006139
Even this 100-digit (about 330-bit) number is tiny by today's standards: it was factored in 1991 by a distributed effort, which is why real RSA keys now use moduli of 2048 bits (617 digits) or more. That gap between "easy to multiply" and "infeasible to factor" isn't just a deterrent, it is what makes your information secure. Linux key generation (with ssh-keygen or openssl) can be done manually, of course, as indicated here.
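As an added example that is not part of the original article: a toy RSA round-trip in plain POSIX shell arithmetic, using the textbook values p = 61, q = 53, e = 17 (my choice, not numbers from the article). It shows that the public key carries n = p·q, that the private exponent d is derived from p and q, and that the same trial-division loop which "sees" that 91 is 7 × 13 recovers the private key from a tiny n instantly. The numbers are kept small because shell integers are 64-bit; against a 100-digit modulus like RSA-100 that loop would never finish, which is the whole point.

```shell
#!/bin/sh
# Added example, not from the original article: textbook RSA in POSIX shell
# arithmetic. Tiny numbers on purpose (shell integers are 64-bit), so that the
# attacker's factoring step is instant here and hopeless for a real modulus.

# Modular exponentiation by square-and-multiply: prints base^exp mod m.
# Intermediate products are < m^2, so keep m below about 2^31.
modpow() {
    mp_b=$(( $1 % $3 )) mp_e=$2 mp_m=$3 mp_r=1
    while [ "$mp_e" -gt 0 ]; do
        if [ $(( mp_e % 2 )) -eq 1 ]; then mp_r=$(( (mp_r * mp_b) % mp_m )); fi
        mp_e=$(( mp_e / 2 ))
        mp_b=$(( (mp_b * mp_b) % mp_m ))
    done
    echo "$mp_r"
}

# Extended Euclid: prints a^-1 mod m, or fails if gcd(a, m) != 1.
mod_inverse() {
    mi_m=$2 mi_t=0 mi_newt=1 mi_r=$2 mi_newr=$(( $1 % $2 ))
    while [ "$mi_newr" -ne 0 ]; do
        mi_q=$(( mi_r / mi_newr ))
        mi_tmp=$(( mi_t - mi_q * mi_newt )); mi_t=$mi_newt; mi_newt=$mi_tmp
        mi_tmp=$(( mi_r - mi_q * mi_newr )); mi_r=$mi_newr; mi_newr=$mi_tmp
    done
    [ "$mi_r" -eq 1 ] || return 1
    if [ "$mi_t" -lt 0 ]; then mi_t=$(( mi_t + mi_m )); fi
    echo "$mi_t"
}

# Key generation from two primes and a public exponent: prints "n d".
# n = p*q is public; d = e^-1 mod (p-1)(q-1) is private and needs p and q.
rsa_keygen() {
    kg_n=$(( $1 * $2 ))
    kg_phi=$(( ($1 - 1) * ($2 - 1) ))
    kg_d=$(mod_inverse "$3" "$kg_phi") || { echo "e=$3 has no inverse mod $kg_phi" >&2; return 1; }
    echo "$kg_n $kg_d"
}

# The attacker's job: trial division up to sqrt(n). Prints "p q" (p <= q).
# Cost grows with sqrt(n): trivial for 4 digits, impossible for 100.
factor_semiprime() {
    fs_n=$1 fs_d=2
    while [ $(( fs_d * fs_d )) -le "$fs_n" ]; do
        if [ $(( fs_n % fs_d )) -eq 0 ]; then echo "$fs_d $(( fs_n / fs_d ))"; return 0; fi
        fs_d=$(( fs_d + 1 ))
    done
    return 1
}

# Walk through one round-trip and the attack against it.
rsa_demo() {
    rd_p=61 rd_q=53 rd_e=17 rd_m=65        # textbook primes; 65 is the byte 'A'
    set -- $(rsa_keygen "$rd_p" "$rd_q" "$rd_e"); rd_n=$1 rd_d=$2
    echo "public key:  n=$rd_n e=$rd_e"
    echo "private key: d=$rd_d (from p=$rd_p q=$rd_q, which must stay secret)"
    rd_c=$(modpow "$rd_m" "$rd_e" "$rd_n")
    echo "encrypt m=$rd_m -> c=$rd_c"
    echo "decrypt c=$rd_c -> m=$(modpow "$rd_c" "$rd_d" "$rd_n")"
    # Knowing only n and e, the attacker factors n and rebuilds d.
    set -- $(factor_semiprime "$rd_n"); rd_fp=$1 rd_fq=$2
    echo "attacker factors n=$rd_n -> $rd_fp x $rd_fq, recomputes d=$(mod_inverse "$rd_e" $(( (rd_fp - 1) * (rd_fq - 1) )))"
}

rsa_demo
```

The lesson is in the last line: the private key is nothing more than the factorisation of n, so "how hard is it to factor n" is exactly "how safe is the key". With n = 3233 the loop finishes in 52 steps; with a 100-digit n it would need about 10^50, and with a 2048-bit n the universe ends first.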
That can be coupled with literally dozens of other methods to make a connection between two Linux machines very secure. An article from DigitalOcean talks about that in greater detail here.
Out of the box even Samba is only as secure as your configuration allows. But if you just keep a picture of a trollface in your shares folder and it gets hacked, who really won?
The truth is that when someone is properly motivated nothing is bulletproof. A BIOS password is thwarted by popping out the CMOS battery; changing the boot order to allow booting from USB lets someone peruse your unencrypted system from a live environment, or even email themselves copies of your files. So keeping the sensitive stuff in online storage might be an almost healthy level of paranoia if you think someone is motivated enough to snoop on your system.
Worse yet, taking someone's hard drive out and popping it into another machine isn't even necessary, provided the attacker has a USB drive adapter to hand. That is the real reason to encrypt those home folders or the whole disk: against an attacker with physical access, the encryption is what stands between them and your files. (Just don't leave the passphrase on the same machine.)
Does the standard "hacker" know how to do all of this stuff? Probably, but most attacks really do start with lower-tech approaches: shoulder surfing, going through the garbage, social engineering. At the end of the day you just have to make it harder than it's worth to get anything you value out of your digital world. Save things on external storage and hide it, or just don't have anything more valuable than your links to my website.
Cheers, and I'll do more articles like this in the near future.