2013/8/11 <linuxnutster@xxxxxxxxxxxx>
On 08/10/2013 11:55 AM, Alchemist wrote:
2013/8/10 <linuxnutster@xxxxxxxxxxxx>
I was just reading about this new malware threat. I'm not clear on
how exactly this thing can get installed on a Linux system. Would it
require 100% social engineering? I installed Fedora on my elderly
mother's last two laptops so she can do her banking without being
paranoid about keyloggers, trojans, etc... She is a news hound, so
it's only a matter of time before she comes flying at me demanding
reassurances.
--
Mini guide on how Fedora can protect you:
1. Use only official repos with strict package signing, no untrusted package
sources.
2. Update the browser-scope threat surface: IcedTea, Flash plugin (the whole
system, whuh!).
3. Better to create two browser profiles: one for everyday usage with
IcedTea disabled, the other ONLY for internet banking with IcedTea
enabled, and tell your mother about the value of such a security solution.
4. Disable autorun
http://blogs.iss.net/archive/papers/ShmooCon2011-USB_Autorun_attacks_against_Linux.pdf
5. Use SELinux shield:
# setsebool -P allow_execstack=0
# setsebool -P allow_execheap=0
# setsebool -P allow_execmod=0 (may break some buggy apps)
6. Set umask 077 in ~/.bashrc (and if needed ~/.gnomerc) locally, or
globally (/etc/profile, /etc/bashrc), to prevent newly planted executables
from being executed. Of course, only if the system is not multiuser and there
is no need for binary execution in ~/.
7. HoT runs without root, so the primary impact will be taking over control
of the user environment. Protect important config files from modification by
setting chattr +i (remove when needed):
.bashrc
.bash_profile
.bash_logout
.pam_environment
.xinitrc
.gnomerc
.config/autostart/*
and so on
8. Configure the firewall, but this is a different story; as I know from
experience, it is difficult to fit any user's browsing desires. But it's
worth a try :)
An excellent tutorial, thanks! Does HoT rely completely on social engineering or can it penetrate easily via other means? Bearing in mind that we only use official repos...
Yes, as this is still the most effective way nowadays (for Windows and Android too), but since we understand social engineering as a wide range of techniques (see SET), you may be prepared to tell your mother not to enter the root password when PackageKit asks for it, for example on a malicious unsigned RPM received via Skype or by clickjacking. Or even give her limited sudo rights if needed, and keep the root password only to yourself. Don't forget about browser exploit packs; it is only a matter of time until they put browser exploits in it, but here properly configured SELinux comes into play. Stay safe.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
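Items 6 and 7 of the guide above concern the persistence points a trojan that never gets root has to use: the login-time dotfiles and ~/.config/autostart. The script below is an added example, not code from the list thread or from any analysis of the Hand of Thief trojan. It only reads the home directory and reports what looks planted; the chattr +i step itself needs root (CAP_LINUX_IMMUTABLE) and is left to the administrator. The sample home directory it builds, the file names in it and the path heuristics (scratch directories, hidden directories under $HOME, what counts as a "system" prefix) are all constructed assumptions for illustration.

```python
#!/usr/bin/env python3
"""Read-only audit of user-level persistence points: rc files and autostart.

Added example; the sample data is constructed, not captured from an infection.
Heuristic prefixes below are assumptions and may need tuning per site.
"""
import re
import stat
import tempfile
from pathlib import Path

# Login-time files from item 7 of the thread.
RC_FILES = (".bashrc", ".bash_profile", ".bash_logout",
            ".pam_environment", ".xinitrc", ".gnomerc")
# Where a package-installed program normally lives (assumption).
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/", "/etc/")
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A command started from a scratch dir or from a hidden *directory* under
# $HOME is the classic no-root persistence pattern. Plain dotfile references
# such as ". ~/.bashrc" do not match because no "/" follows the hidden name.
SUSPICIOUS = re.compile(
    r"(?:^|[\s=;&|(])(?:/tmp/|/var/tmp/|/dev/shm/|(?:~|\$HOME|\$\{HOME\})/\.[^/\s]+/)")


def _expand(program: str, home: Path) -> str:
    """Resolve $HOME/${HOME}/~ against the audited home, not the caller's."""
    for var in ("${HOME}", "$HOME"):
        program = program.replace(var, str(home))
    return str(home) + program[1:] if program.startswith("~/") else program


def _rc_findings(home: Path):
    findings = []
    for name in RC_FILES:
        path = home / name
        if not path.is_file():
            continue
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("high", str(path), "group- or world-writable"))
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            if SUSPICIOUS.search(line):
                findings.append(("medium", f"{path}:{lineno}",
                                 "runs from scratch/hidden dir: " + line.strip()))
    return findings


def _desktop_exec(path: Path):
    """Return the Exec= value of a .desktop file, or None if it has none."""
    for line in path.read_text(errors="replace").splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def _autostart_findings(home: Path):
    findings = []
    autostart = home / ".config" / "autostart"
    if not autostart.is_dir():
        return findings
    for entry in sorted(autostart.iterdir()):   # includes dot-named entries
        if entry.suffix != ".desktop":
            continue
        exe = _desktop_exec(entry)
        if not exe:
            findings.append(("low", str(entry), "autostart entry without Exec="))
            continue
        program = _expand(exe.split()[0].strip("\"'"), home)
        if program.startswith(SCRATCH_PREFIXES) or program.startswith(str(home) + "/."):
            findings.append(("high", str(entry), "autostart runs from scratch/hidden dir: " + exe))
        elif program.startswith("/") and not program.startswith(SYSTEM_PREFIXES):
            findings.append(("medium", str(entry), "autostart outside system dirs: " + exe))
        # A bare command name ("dropbox start") resolves via PATH; not flagged here.
    return findings


def audit_home(home: Path):
    """Return (severity, location, reason) tuples for everything worth a look."""
    return _rc_findings(home) + _autostart_findings(home)


def build_sample_home(root: Path) -> Path:
    """Construct a fake $HOME: Fedora-style dotfiles plus four planted items."""
    home = root / "mother"
    autostart = home / ".config" / "autostart"
    autostart.mkdir(parents=True)
    (home / ".bashrc").write_text("# .bashrc\nalias ll='ls -l'\nexport EDITOR=nano\n")
    (home / ".bashrc").chmod(0o664)                          # planted: group-writable
    (home / ".bash_profile").write_text(
        "# .bash_profile\n"
        "if [ -f ~/.bashrc ]; then . ~/.bashrc; fi\n"        # normal Fedora line
        "nohup $HOME/.cache/.x/update >/dev/null 2>&1 &\n")  # planted
    (home / ".bash_logout").write_text("clear\n")
    (home / ".pam_environment").write_text("LANG DEFAULT=en_CA.UTF-8\n")
    (autostart / "gnome-keyring-ssh.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=SSH Key Agent\n"
        "Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh\n")
    (autostart / "dropbox.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Dropbox\nExec=dropbox start -i\n")
    (autostart / ".system-update.desktop").write_text(       # planted: hidden name
        "[Desktop Entry]\nType=Application\nName=System Update\n"
        "Exec=$HOME/.local/share/.fonts/.cache/fontd\nNoDisplay=true\n")
    (autostart / "user-sync.desktop").write_text(            # planted: scratch dir
        "[Desktop Entry]\nType=Application\nName=Sync\nExec=/tmp/.X11-unix/.sync --quiet\n")
    return home


def demo():
    """Build the sample home, audit it, print and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_home(build_sample_home(Path(tmp)))
        for sev, where, why in findings:
            print(f"[{sev:6}] {where}: {why}")
        return findings


if __name__ == "__main__":
    demo()
```

Run it as the user whose home is being checked, or point audit_home() at a real home directory as root. Anything it flags is exactly what chattr +i on the rc files and a read-only ~/.config/autostart are meant to prevent; note that the immutable bit only stops modification, it does not stop a new entry being dropped into autostart if that directory itself is still writable.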