
Thread: How does my security model sound?

  1. #1
    Join Date
    Nov 2012
    Beans
    10

    How does my security model sound?

    Hi, I was just wondering if you all could give me some feedback about my security model on my laptop.

    I work for a company where I handle clients' personal information, and I travel a lot. I need Windows to run some software that I need on the job, and it does not run in Wine. I also have to connect to public Wi-Fi networks a lot, so I like to use Ubuntu for that.

    Here is how my laptop is set up:

    1) On the Hard Drive I have dual booted Windows Vista and Ubuntu 12.04

    2) I use Lubuntu on a flash drive to handle clients' data, email others, and handle some online banking

    I was wondering if that sounds secure to you?

    I am not really worried about someone stealing the flash drive because I always unplug it and keep it in my pocket when I am not using it.

    I also had some questions. I never boot into Windows or Ubuntu with the flash drive plugged in, but I do insert the flash drive when the computer is turned off. Is there a possibility that a Windows virus could somehow steal data off of it while the laptop is turned off or booting?

    And I have heard about AppArmor and firewalls for Linux. I don't have any of that installed (unless it comes by default). Should I worry about it?

    Thank you for your feedback!

    P.S. I am not very good with computers so keep it simple!

  2. #2
    Join Date
    Sep 2006
    Beans
    7,227
    Distro
    Lubuntu Development Release

    Use a VM with snapshots

    Better to run the legacy system from a virtual machine such as VirtualBox. That way every time you start it up, you can begin from a known clean snapshot.

  3. #3
    Join Date
    Nov 2012
    Beans
    10

    Re: Use a VM with snapshots

    Quote (originally posted by Lars Noodén):
    Better to run the legacy system from a virtual machine such as VirtualBox. That way every time you start it up, you can begin from a known clean snapshot.
    I don't use VirtualBox.

  4. #4
    Join Date
    Sep 2006
    Beans
    7,227
    Distro
    Lubuntu Development Release

    snapshots

    Right. But it would be time to start using a VM. There are other options besides VirtualBox. One is qemu, but VB is better. Your dual boot system will gather cruft and suffer from the infamous "bitrot" that goes along with that brand of OS. If you make a clean install with all the patches, then you can take a snapshot which will permanently save that fresh state. Then every time you start up from that snapshot, you are starting from that clean image. It's an arrangement that's hard to beat.

  5. #5
    Join Date
    Nov 2012
    Beans
    10

    Re: snapshots

    Quote (originally posted by Lars Noodén):
    Right. But it would be time to start using a VM. There are other options besides VirtualBox. One is qemu, but VB is better. Your dual boot system will gather cruft and suffer from the infamous "bitrot" that goes along with that brand of OS. If you make a clean install with all the patches, then you can take a snapshot which will permanently save that fresh state. Then every time you start up from that snapshot, you are starting from that clean image. It's an arrangement that's hard to beat.
    I tried VirtualBox before and I didn't like it. It was pretty slow and jerky, so I like dual boot better. My whole setup works fine to be honest, and I don't really want to change it. But I was just wondering if it was secure. Mainly I wanted to have an answer to this question:

    I never boot into Windows or Ubuntu with the flash drive plugged in, but I do insert the flash drive when the computer is turned off. Is there a possibility that a Windows virus could somehow steal data off of it while the laptop is turned off or booting?

  6. #6
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How does my security model sound?

    Windows malware won't run if Windows isn't running. If the system is powered off then nothing will be running at all, including the USB drivers that would tell the system that a USB device is plugged in.

    If there is personal/sensitive info on the USB stick you may want to consider encrypting it.

  7. #7
    Join Date
    Jan 2008
    Beans
    7,749

    Re: How does my security model sound?

    Is Lubuntu installed to the USB with all security upgrades up-to-date, or is it a "Live" USB?

  8. #8
    Join Date
    Sep 2011
    Beans
    1,531

    Re: How does my security model sound?

    Read the Basic Security Wiki. IMO it has reasonable security measures for someone such as yourself that apply specifically to Ubuntu, but a lot of it can also apply to Windows.

    I would expand on OpSecShellshock's advice and say encrypting the entire drive would be a good idea if you're handling clients' sensitive data.

  9. #9
    Join Date
    Jan 2008
    Beans
    7,749

    Re: How does my security model sound?

    +1; dropped/lost/stolen/found/planted USB flash drives are an actual real-world major vector of cybershenanigans.

  10. #10
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    1,273
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: How does my security model sound?

    You are asking a complex question where the answer is not definitive but spans a continuum of possibilities depending on how sensitive your data is and how paranoid you are.

    My own security setup (for my travelling laptop) is as follows:

    1. I encrypt a Private directory within my /home partition using a strong 128-bit random passphrase. All of my sensitive stuff is then placed there with only links pointing back to the locations where various apps expect to find them. This includes all of my keys, mail, browser history, etc., including the mail program itself after I discovered that it stashes mail backup files within its own directory structure rather than the mail database where you might expect them to reside. Many people choose to encrypt their entire /home partition, but I refrain from doing this because I want certain nonsensitive scripts to be able to run on a virgin system install prior to the system even being configured for decryption.
    2. I encrypt my swap partition.
    3. I connect in public Wi-Fi hotspots, hotels, etc. only through a certificate-based VPN (I use OpenVPN) back to my home VPN server. IPsec has holes and PPTP is worse than no security at all because it gives the illusion of security while delivering none.
    4. I have a firewall with strong rules: all incoming ports denied and only specifically needed outgoing ports allowed.
    5. I have AppArmor configured for my most at-risk apps. I have found that it's just too much work to configure it for every app I have, but I configure it for two of my three browsers, my mail client, cloud clients, etc. In short, for all apps that communicate or access resources outside of my computer.
    6. Cloud data is all totally non-sensitive stuff that I wouldn't give two hoots for the whole world to see.
    7. I use links2 for 90% of my surfing. It's missing practically all of the eye-candy, bells and whistles and other bloat that are now a given in mainstream browsers, but it can't accept cookies, and isn't capable of running any sort of script, whether Java, Flash or anything else. Its upside is that it's lightning-fast and super secure.
    8. My other two browsers are locked tight with Adblock, NoScript, cookies disabled by default and privacy guard. I surf through OpenDNS which blocks the worst sites and I use Web of Trust. Notwithstanding all this, I am mindful of the fact that my biggest security exposure remains the browser.
    9. I will not install any program that does not come from the Ubuntu repository, and I don't attach any PPAs.
    10. Most of all, I refuse to use Windows on my travel laptop. It is installed only at home where I have the time and resources to deal with its inherent security flaws, bloat and crud.
    11. I understand and use very strong passwords for my most important sites/accounts that are impervious to a straight dictionary attack.
    12. I disable password login for all services such as ssh and only use preshared keys.
    13. Despite all these precautions, I harbour no illusions about the fact that a truly dedicated cracker could access all of my data with only moderate effort. Therefore, I refrain from doing or storing truly critical tasks/data on my travelling laptop.

    My spouse, children and friends think I am absurdly paranoid. For my part, I think them absurdly naive. It remains a matter of good-natured ribbing, but the consequences can be quite serious especially if you are dealing with client data. For what it's worth, your practice of storing your personal and client records on a USB drive gives me the willies. Don't DO things like that. But, hey, I'm absurdly paranoid, I'm told.

    BTW, all flavours of Ubuntu come with a firewall and AppArmor already installed. However, they are disabled by default--you have to turn them on and/or configure them. Most users don't, which also gives me the willies.

    It's your choice how far you want to go with security. That's the nice thing about Linux: you have choices and the tools are already there and don't cost anything, except perhaps, some time and a sometimes steep learning curve. I'm a big proponent of tight security, but even I must admit that Linux is awfully secure right out of the box. Insanely better than Windows anyway.
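
An added example, not part of any post in this thread: a way to verify items 4 and 12 of the list in post #10 (default-deny firewall policy, SSH password login disabled) instead of assuming they are in effect. It assumes the firewall is ufw and the SSH server is OpenSSH; the function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed, not taken from a real host.
# Succeeds only if PasswordAuthentication resolves to "no" in the global
# section of an sshd_config-style file. sshd keeps the first value it reads
# for a keyword, keywords are case-insensitive, and the default is "yes".
ssh_password_login_disabled() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1) } # accept Key=value as well
        key == "match" { exit }              # stop at the first Match block
        key == "passwordauthentication" && !seen { seen = 1; val = tolower($2) }
        END { exit (seen && val == "no") ? 0 : 1 }
    ' "$1"
}
# Prints "<incoming> <outgoing>" default policy from saved
# `ufw status verbose` output, or "inactive" if the firewall is off.
ufw_default_policy() {
    awk '
        $1 == "Status:"  { status = $2 }
        $1 == "Default:" { inc = $2; out = $4 }
        END { if (status == "active") print inc, out; else print "inactive" }
    ' "$1"
}
work=$(mktemp -d)
cat > "$work/sshd_ok" <<'EOF'
# constructed sample: the first occurrence wins, so the later "yes" is ignored
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
EOF
cat > "$work/sshd_default" <<'EOF'
# constructed sample: keyword only commented out, so the default applies
#PasswordAuthentication no
Port 22
EOF
cat > "$work/ufw_strict" <<'EOF'
Status: active
Default: deny (incoming), deny (outgoing), disabled (routed)
EOF
cat > "$work/ufw_off" <<'EOF'
Status: inactive
EOF
for f in sshd_ok sshd_default; do
    ssh_password_login_disabled "$work/$f" && echo "$f: password login off" || echo "$f: password login possible"
done
for f in ufw_strict ufw_off; do echo "$f: $(ufw_default_policy "$work/$f")"; done
```

On a real machine the same functions can be pointed at /etc/ssh/sshd_config and at a file holding the output of `sudo ufw status verbose`.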
