How to fully secure and harden a Ubuntu 20.04 laptop?

[bhubunt]

Be careful using USB: https://www.reuters.com/article/us-c...0G00K420140731 This has been a known issue for years. USB devices can contain their own driver and self-install that driver with root privileges and no user knowledge.

Hi TheFu, Thanks for this extremely helpful article about how hackers can put code on your USB stick, which you then infect your laptop with. The article says the firmware can be infected? Here's my follow-up question: can you then subsequently get rid of the malicious code by reinstalling Ubuntu?

Another related problem: I am using a USB stick to (re)install Ubuntu, so what else should I use, if I don't want to go online? Are you suggesting one should not install Ubuntu using a stick?

And another question about potentially infected USB sticks:
suppose there's malicious code on a USB stick yet the stick also contains docs that I really need. If I copy the docs one by one on another stick using a computer that is not mine, do I then avoid transfering the code to the new stick or is the whole thing hopeless to begin with? Sorry if this sounds like an uniformed question. I am still learning...

And if there is malicious code on a stick, can you detect it by running the stick through a very basic mal-ware program or would you need something more sophisticated? And can windows computers that have, say McAfee, detect such code on a stick even if the code might be intended for a Ubuntu laptop?

[TheFu]

Yes, the laptop has microphone and speakers. Are you suggesting it's best to have those removed if you want a totally secure off-line laptop?

Thanks so much for the reply.

I think you are missing the point. There isn't any things that is "totally secure". There are just ways to make a system less hack-able, up to a point. The amount of effort involved depends completely on the attackers. It doesn't make sense to spend effort and lose convenience if the attacker is a 10 yr old.

If the attacker is a govt with unlimited resources, don't use Ubuntu. Don't use i86-64 or amd64. Use an odd OS with odd hardware. For most things that really need to be secure and off line, a computer from 2008 that never became popular would be more secure - provided it is 100% offline and portable.

You have to leave a computer alone at some point. Shower? Sleep?

If you are worried about being killed due to the content on the computer, then that's where you need to engage someone professional for all the tiny things. Us posting here leaves out all the detailed stuff you need to do. How you do something is often more important than checking the box and enabling that security feature. HDD encryption with a password of 123456 isn't very secure. Neither is using your first and last name with L33T characters. Some 2FA is required. There are lots of hardware tokens that work offline. I know that yubikey supports challenge-response passphrases. I use that.

Have you seen the movie Citizenfour? Do you know WHY he only used a computer hidden under the bed covers? There are multiple reasons. There are books written on this and reading about 5 of those will help much more than us throwing out 2 paragraph answers. The WHY and the HOW matter.

[bhubunt]

Have you seen the movie Citizenfour?

Hi TheFu, yes, I saw the movie when it came out. I am trying to learn basic technical security steps and all of the answers I have received so far have been very helpful.

[TheFu]

Hi TheFu, yes, I saw the movie when it came out. I am trying to learn basic technical security steps and all of the answers I have received so far have been very helpful.

I fear you are trying to jump to the end of the book, without reading the introduction and basics first.
Are you good at networking?
Are you good at C programming? Almost all computer OSes today are based on C.
Do you understand that bugs exist and there are probably 50K bugs in every non-trivial OS out there?
No matter how much any document says, or claims, there are bugs and they can be from nuisance to critical levels.

You haven't said who the attacker is. Who is it?

[Impavidus]

Yes, the laptop has microphone and speakers. Are you suggesting it's best to have those removed if you want a totally secure off-line laptop?

Thanks so much for the reply.

There's a reason why I wrote "slightly joking". Theoretically, an attacker can keep a link to your computer alive via the microphone and the speakers once there's some malware on your computer that supports communication via that channel. Some proof-of-concept malware for that has been written. So if you want absolute security, you have to close off that channel. But I'm not aware of any real attacks that worked like that.

The point is, you have to find a balance between security and convenience. Absolute security will make your computer unusable. You can put your computer in a sound-proofed safe, where only you have physical access, working as a Faraday cage, with no networking or even power cable going in (power it using a dumb car battery), but that will be unusable.

So think about it. Who might want to attack you? Someone with vast resources, like the US/Chinese/Russian government, or the boy next door? Is this attacker targeting you specifically, or is he just looking for any random person with a poorly secured computer? In the latter case, if you make sure your computer is better secured than that of most people, the attacker will give up and look for easier targets.

[bhubunt]

Are you good at networking?
Are you good at C programming? Almost all computer OSes today are based on C.

No, I am a newbie, have no knowledge of coding or programming but am trying to learn how to best protect my Ubuntu laptop. It's my hope to learn coding at a later point. But I definitely appreciate all the tips I have received so far.

[bhubunt]

There's a reason why I wrote "slightly joking".

Got it. It was more of a theoretical question on my part as I don't plan to have the speakers and such removed. I'm actually looking for more hands-on technical tips and command lines, like the ones I got at the beginning of this thread.

As I indicated, some of the manuals on Ubuntu I have tried to read are a bit too technical for my level, which is why I appreciate the tailored answers you guys provide on this platform pitched at my level and that of other newbies reading this thread...

[T6&sfpER35%]

How to fully secure and harden a Ubuntu 20.04 laptop?

or any pc...
unplug at the mains and leave it at that

[bhubunt]

or any laptop ...
unplug at the mains and leave it at that

I know this is supposed to be a joke but, unless I am mistaken, unplugging a computer to secure it is not enough, as it can still be activated remotely if the battery is still operative.

A good laptop to have is one from which you can remove the battery.

This based on my reading...

[TheFu]

No, I am a newbie, have no knowledge of coding or programming but am trying to learn how to best protect my Ubuntu laptop. It's my hope to learn coding at a later point. But I definitely appreciate all the tips I have received so far.

For almost all normal people, running Ubuntu, staying patched, not being stupid online and having automatic, periodic (daily/weekly), off-line backups is sufficient security. It is extremely unlikely you'd ever hacked doing those things.

Now, because it is a laptop, there are other risks. Every time it connects to a foreign wifi network, that's a risk.
Every USB device (mouse, keyboard, storage, penlight, whatever) is connected, there is a chance of having "bad stuff" placed/installed on the system.
For example, I was running an InstallFest at a local University - it was the first one and about 20 people came. I'd brought a USB flash drive with 5-10 different, popular, flavors of Linux and we passed that flash drive around the huge conference table so everyone could copy the .ISO files they wanted to their system. About 15 people used the flash drive ... and when I got it back, it had 3 viruses on it. My flash drive had never been connected to Windows - ever. That's the risk of a student environment. Passing things around is just like COVID and can lead to becoming infected.

Don't connect USB stuff that you don't know where it came from or who could have altered it. There is always a risk, so we can only mitigate the risks by ... not sharing USB devices with random people. Knowing how security conscious the other person actually is. And we getting a new flash drive, I prefer going to a real store where they sell real hardware and randomly pulling the flash device from the stock myself. That makes it nearly impossible for someone trying to use USB storage as an attack vector from gaining access. Too many random aspects for them to know my plans and plant modified storage.

AV software is only 50% effective. It can never replace a smart user. As said before, there isn't a checkbox. There is a security process and the attacker matters for what is actually needed for defense. There are lots and lots of different attacks on computers and against Linux. There are common things routinely done which address 99% of those, so we don't really need to worry too much, unless our computer is actually a target by a specific attacker. Then it becomes about specifics of everything involved in your use of technology. Brand and model of smart phone, OS being run, which router and router software, wifi, bluetooth uses. Do you live alone? Does **anyone** else have access to the location that they can modify the router or other network equipment? Is there a maid? Look up "evil maid attack".

Being completely paranoid isn't effective use of our time. Knowing and properly assessing the risks is useful. That takes years of experience and understanding what happens below the GUI. How networks really work, how routing works. How poor security is for all RF connectivity compared to wired security. (about 100-10000x worse).

There is an entire attack method around CPU and RAM issues that has only been know the last 5-10 yrs. "Row hammer" and the AMD/Intel CPU bugs. These take a more sophisticated attacker ... not your 8 yr old. Honestly, I don't worry about any of these attack methods. They seem to be less about accessing information than corrupting data.

There's always something to know and learn. I can promise that will be the situation 50 years from now too.

For basic security, there are sticky threads at the top of the Ubuntu Security sub-formum. Read those. Start there.