Computer Security Introduction

From Kicksecure


Kicksecure ™ comes with many security features. Kicksecure ™ is Security Hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

This page is an introduction to computer security.

Introduction

Before reviewing chapters in the Computer Security section, be sure to also read the Warning page.

Info: Wiki entries in this section purposefully focus on:

  • General computing security information.
  • Host operating system security advice.
  • Preparatory steps before installing Kicksecure ™ using a Type I hypervisor (Kicksecure ™ for Qubes) or a Type II hypervisor like VirtualBox or KVM.

General Advice

Achieving greater security depends on how much time the user is willing to invest in Kicksecure ™ configuration. Security also rests upon the daily practices and procedures that have been adopted by the user; see Documentation.

Backups

Info: It is important to store multiple, encrypted backups of sensitive data.

If the user does not possess at least two copies of the original data, then it should be considered lost. The reason is that data on one medium might become inaccessible and beyond repair at any minute. In this case, the computer would not even detect the risk, so data recovery tools would not be of help either. [1]

Best practice recommendations:

  • Store the original, encrypted file on a medium like the internal hard drive.
  • Create a first encrypted backup: for example, on an external hard drive from manufacturer A.
  • Create a second encrypted backup: for example, on an external hard drive from manufacturer B.

For greater security and to protect against incidents like fire or theft, backups in separate physical locations are recommended. Additionally, backups can be stored on remote servers, but the user must be sure they are encrypted properly. [2]

Safer Upgrades

  • Kicksecure ™: If running VM instances are not shut down, there is a cross-contamination risk for new machines being imported into the virtualizer. For example, this is possible if a powerful adversary has taken control over those VMs currently in use. Shutting them down is not required if the user intends to create a new virtual network for the machines being imported.
  • Kicksecure ™ for Qubes: Before upgrading Kicksecure ™ Templates, close as many open VMs as possible. Do not run VMs from different domains at the same time as upgrading.

File Storage Location

It is unsafe to store files directly in the root section of the home folder (like /home/user). [3] It is far better to use a sub-folder and store the file there, for example:

  • Non-ideal storage location: /home/user/some-document
  • Safer storage location: /home/user/my-documents/some-document

The following sub-folders in the home directory should also be avoided: [4]

  • ~/tmp
  • ~/Download
  • ~/Downloads
  • ~/download
  • ~/downloads
  • ~/Desktop

If files are downloaded to the ~/Downloads folder -- the only folder available if the Tor Browser AppArmor profile is enforced -- then move them elsewhere. A folder of your own choosing will keep its contents private from any confined application that is later (hypothetically) compromised.

Other folders that should also be avoided include: [5]

  • /media
  • /srv
  • /net

It is easy to choose folder names which are better than the default naming convention. As soon as a user prepends or appends a random number or string to a folder (such as my-), this makes it unlikely that AppArmor profiles or possibly other mandatory access control frameworks will allow access to these folders by default.

Another reason is that some commands such as sudo rm -rf /var/lib/apt/lists/* (sometimes useful in case of APT issues) are unsafe if a typo is made. If a space is added before the asterisk symbol ("*") by mistake, then this would by default delete all files (except hidden files) in the user's current folder (often the home folder), but not folders in that folder. [6]
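A way to check an existing home folder against the storage advice in this section, as an added example that is not part of the Kicksecure wiki or its tooling. The function names audit_home and count_findings are hypothetical, and skipping dotfiles in the home root is an assumption (they are configuration files that have to live there).

```shell
#!/bin/sh
# Added example (not part of the Kicksecure wiki): list files stored in the
# home-folder locations this page advises against.
# Assumption: dotfiles in the home root are configuration and are skipped.

# Sub-folders of the home directory named on this page as ones to avoid.
AVOID_DIRS="tmp Download Downloads download downloads Desktop"

# audit_home [DIR]: print "<reason>: <path>" for every finding under DIR
# (default: $HOME). File names containing newlines are not supported.
audit_home() {
    home=${1:-$HOME}

    # Files placed directly in the root of the home folder.
    find "$home" -maxdepth 1 -type f ! -name '.*' 2>/dev/null |
        sort | sed 's/^/home-root: /'

    # Files left in folders that confined applications are commonly
    # allowed to read.
    for d in $AVOID_DIRS; do
        [ -d "$home/$d" ] || continue
        find "$home/$d" -type f 2>/dev/null | sort | sed 's/^/shared-folder: /'
    done
}

# count_findings [DIR]: number of findings, usable as a check in scripts.
count_findings() {
    audit_home "$1" | wc -l | tr -d ' '
}

# Run the audit when a directory is given on the command line, e.g.
#   sh audit-home.sh /home/user
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```

Files reported as shared-folder are candidates to move into a sub-folder of your own choosing, such as /home/user/my-documents.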

Known Bugs

To learn about known bugs affecting all platforms, see here. Refer to the issue tracker for a list of all open issues affecting Kicksecure ™.

Greater Security and Next Steps

After reading and applying relevant steps outlined in this section:

In all cases, users should follow the Post-installation Security Advice.

For greater security pre- and post-Kicksecure ™ installation, users should read the Documentation pages widely to learn more about potential threats and mitigations. For instance, users might like to consult the Design pages, and consider the recommendations outlined in the Basic Security Guide and Advanced Security Guide sections. Users with limited time can refer to the System Hardening Checklist.

Footnotes

  1. In such cases the user might get lucky with professional data recovery companies, but the usual cost is a few thousand dollars.
  2. That is, with a recommended encryption method and a suitably long passphrase.
  3. This is because AppArmor profiles (and possibly other mandatory access control frameworks) are often required to grant read access to the root home folder due to technical limitations.
  4. /etc/apparmor.d/abstractions/user-download
  5. /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
  6. Because deleting folders requires rm -r.

