Bitcoin Forum
December 04, 2016, 06:44:16 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Security Audit recommendations for Win7/XP, OSX and Linux  (Read 792 times)
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
August 10, 2011, 05:18:51 AM
 #1

After browsing the subreddit and seeing a dude recommending security audits having been downvoted by everyone there. I decided to start running security audits on my toyboxen since here lately I've pissed several people off, who I'm sure as hell are the scumbag types. XD haha and I realized Hey! this shit is exactly what everyone else should be doing that isn't already.

You can recommend using linux or truecrypt or whatever else, but that shit is completely meaningless unless you know how to audit your security. Just because "insert random shit here" doesn't find anything it doesn't mean someone has access to your system. For instance microshafters have a hole just for them (and probably mil) in win7. So even if it seems* you are alone, it could just be a configuration allowing some fat dude neckbeard eating doritos watching you watch your pornz, and if you watch the really good shit, of course he is, and probably even telling his crew cut comrades! xD

So after this post, I hope that you guys can begin providing outlets, methods & software usage for security auditing.

Things like using netstat and what all that gibberish means, you don't have to make it easy, just usable enough with a concise description and some copy / pasting into consoles/terminals/prompts.

lot's of people require this info, to the point they don't even know it.
1480877056
Hero Member
*
Offline Offline

Posts: 1480877056

View Profile Personal Message (Offline)

Ignore
1480877056
Reply with quote  #2

1480877056
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480877056
Hero Member
*
Offline Offline

Posts: 1480877056

View Profile Personal Message (Offline)

Ignore
1480877056
Reply with quote  #2

1480877056
Report to moderator
1480877056
Hero Member
*
Offline Offline

Posts: 1480877056

View Profile Personal Message (Offline)

Ignore
1480877056
Reply with quote  #2

1480877056
Report to moderator
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
August 10, 2011, 05:33:03 PM
 #2

HAHAHAH, not one reply! xD
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
August 10, 2011, 06:05:12 PM
 #3

You can't do a security audit of the type you ask for on with modern computers. They are simply too complex. If your attacker has enough resources, they may be able to embed secret code in you network adapter that phones home for instructions upon seeing a specific 128 bit number. A second number immediately following can encode the address of the server to contact. Black-box testing is useless in this case because the search space is too large.

Some software, such as the L4 Microkernel has been formally proven to be correct (assuming the machine checker and compiler are correct).

For usable software, you may want to investigate OpenBSD. While not formally proven correct, they regularly audit the code for known security vulnerabilities. Be sure to read their Security Page for more information.

If you insist on using Windows/Linux/MacOS, be sure to use your computer as a limited user. I would avoid logging in as the administrative user even to install software. In windows, most software refuses to install under a limited user. The only time the administrative user should install software is if you want all users on the machine to use the same software.

For some software like Adobe Flash I have found the easiest way to install it is install it as the Administrative user, then manually disable the browser extensions as the administrative user. This is an error-prone process. For untrusted software that you don't know what it does, you should definitely install it as a limited user. If the software requires administrative access, you can install it on a test machine; virtual or not. At the risk of multiple personality disorder, you may want to create separate user accounts for different high-risk activities. One for playing flash videos/games, one for bitcoin, one for business, and one for personal use. This only improves security if all of those accounts are limited users. This implies that your "gaming" machine should be separate from your bitcoin machine: most games have DRM that requires administrative access to install (and sometimes even play).

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
August 10, 2011, 08:28:38 PM
 #4

You can't do a security audit of the type you ask for on with modern computers. They are simply too complex. If your attacker has enough resources, they may be able to embed secret code in you network adapter that phones home for instructions upon seeing a specific 128 bit number. A second number immediately following can encode the address of the server to contact. Black-box testing is useless in this case because the search space is too large.

Some software, such as the L4 Microkernel has been formally proven to be correct (assuming the machine checker and compiler are correct).

For usable software, you may want to investigate OpenBSD. While not formally proven correct, they regularly audit the code for known security vulnerabilities. Be sure to read their Security Page for more information.

If you insist on using Windows/Linux/MacOS, be sure to use your computer as a limited user. I would avoid logging in as the administrative user even to install software. In windows, most software refuses to install under a limited user. The only time the administrative user should install software is if you want all users on the machine to use the same software.

For some software like Adobe Flash I have found the easiest way to install it is install it as the Administrative user, then manually disable the browser extensions as the administrative user. This is an error-prone process. For untrusted software that you don't know what it does, you should definitely install it as a limited user. If the software requires administrative access, you can install it on a test machine; virtual or not. At the risk of multiple personality disorder, you may want to create separate user accounts for different high-risk activities. One for playing flash videos/games, one for bitcoin, one for business, and one for personal use. This only improves security if all of those accounts are limited users. This implies that your "gaming" machine should be separate from your bitcoin machine: most games have DRM that requires administrative access to install (and sometimes even play).


You Sir are a good man. Smiley

I enjoy the method you provide to disable and/or sanction certain software to different user accounts.
how do feel about disabling java? From my wanderings I have noticed very slight mention of it, however the slightest of mentioning were indeed ways of compromising systems through JVM.

What of scripts people can run on systems can anyone recommend anything?
Similar to OSX, how a user can fix system software problems through running AppleJack, or on several Linux systems where a person with limited knowledge can actually run a security audit with rootkit hunter?

I haven't seen anything beyond pocket protector talk on technet about security audits. Basically says security audits on windows is useless from what I can glean.
rotrott
Jr. Member
*
Offline Offline

Activity: 47



View Profile
August 11, 2011, 02:41:48 AM
 #5

Security is hard and never ending.  Be prepared to spend a lot of time securing a PC.  I've have spent weeks securing my linux servers.

I think other people have recommended booting from a thumb drive and _only_ doing bitcoin stuff on that instance.  Sounds valid to me.

I think checking out some of the BSDes isn't a bad idea.  Not many people use them, so some security through obscurity isn't always a bad thing.  Don't use what the majority of people are using.  Smiley

Otherwise here are some project to check out for the possible future of secure computing (at least from my research).  It's not for the faint of heart.

http://qubes-os.org/Home.html

http://genode.org/
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!