HACK AND / Secure Desktops with Qubes: KYLE RANKIN Kyle Rankin is a Sr. Systems Administrator Compartments in the San Francisco Bay Area and the author Figuring out how to compartmentalize your of a number of books, desktop across VMs can be daunting, so I’ve including The Official provided an example of how I do it to help Ubuntu Server Book, Knoppix Hacks and you get started. Ubuntu Hacks. He is currently the president NEXT of the North Bay Linux PREVIOUS Users’ Group. Shawn Powers’ V V Dave Taylor’s The Open-Source Work the Shell Classroom THIS IS THE THIRD ARTICLES IN MY SERIES ABOUT QUBES. In the first two articles, I gave an overview about what Qubes is and described how to install it. One of the defining security features of Qubes is how it lets you compartmentalize your DIFFERENT DESKTOP ACTIVITIES INTO SEPARATE 6-S 4HE IDEA behind security by compartmentalization is that if one OF YOUR 6-S IS COMPROMISED THE DAMAGE IS LIMITED TO JUST THAT 6- 50 | June 2016 | http://www.linuxjournal.com LJ266-June2016.indd 50 5/18/16 12:58 PM HACK AND / 7HEN YOU FIRST START USING 1UBES YOU MAY NOT BE QUITE SURE HOW BEST TO DIVIDE UP ALL OF YOUR FILES AND ACTIVITIES INTO SEPARATE 6-S ) KNOW WHEN ) FIRST started using it, I found inspiration in Joanna Rutkowska’s (Qubes’ creator) paper on how she used Qubes (HTTPINVISIBLETHINGSLABCOMRESOURCES Software_compartmentalization_vs_physical_separation.pdf). In this article, ) DESCRIBE HOW ) ORGANIZE MY ACTIVITIES INTO 6-S ON MY PERSONAL COMPUTER Although I’m not saying my approach is perfect, and I certainly could secure things even further than I do, I at least will provide you one example you can use to get started. Summary of Qubes Concepts In my previous article, I elaborated on overall Qubes concepts like the DIFFERENT 6- TYPES TRUST LEVELS AND OTHER FEATURES BUT SINCE ) REFER TO those concepts in this article as well, here’s a brief summary. (If you want TO KNOW MORE READ MY COLUMN IN THE !PRIL AND -AY ISSUES 4HE FIRST CONCEPT TO UNDERSTAND WITH 1UBES IS THAT IT GROUPS 6-S INTO different categories based on their use. Here are the main categories of 6-S ) REFER TO IN THE REST OF THE ARTICLE Q $ISPOSABLE 6- THESE ALSO ARE REFERRED TO AS DISP6-S AND ARE DESIGNED FOR ONE TIME USE !LL DATA IN THEM IS ERASED WHEN THE application is closed. Q $OMAIN 6- THESE ALSO OFTEN ARE REFERRED TO AS APP6-S 4HEY ARE THE 6-S WHERE MOST APPLICATIONS ARE RUN AND WHERE USERS SPEND MOST of their time. Q 3ERVICE 6- SERVICE 6-S ARE SPLIT INTO SUBCATEGORIES OF NET6-S AND PROXY6-S 4HESE 6-S TYPICALLY RUN IN THE BACKGROUND AND PROVIDE YOUR APP6-S WITH SERVICES USUALLY NETWORK ACCESS Q 4EMPLATE 6- OTHER 6-S GET THEIR ROOT FILESYSTEM TEMPLATE FROM A 4EMPLATE 6- AND ONCE YOU SHUT THE APP6- OFF ANY CHANGES YOU MAY have made to that root filesystem are erased (only changes in /rw, USRLOCAL AND HOME PERSIST 'ENERALLY 4EMPLATE 6-S ARE LEFT POWERED off unless you are installing or updating software. 51 | June 2016 | http://www.linuxjournal.com LJ266-June2016.indd 51 5/18/16 12:58 PM HACK AND / 7HEN YOU CREATE NEW 6-S OF ANY TYPE YOU CAN ASSIGN THEM A COLOR based on your level of trust on a continuum from red (untrusted) to orange and yellow to green (somewhat more trusted) to blue and purple and grey (even more trusted) to black (ultimately trusted). The window BORDERS AND ICONS FOR A PARTICULAR 6- ARE COLORIZED BASED ON THEIR TRUST level, so you get visual cues that help prevent you from, for instance, PASTING TRUSTED PASSWORDS INTO AN UNTRUSTED 6- !LTHOUGH BY DEFAULT ALL NEW 1UBES 6-S YOU CREATE HAVE UNLIMITED network access, Qubes allows you to create firewall rules to restrict what A 6- CAN DO )F YOUR 6- DOESNT NEED NETWORK ACCESS SUCH AS FOR THE HIGHLY TRUSTED VAULT 6- YOU CAN USE TO STORE '0' KEYS AND PASSWORD vaults), you even can remove the network device completely. )N A DEFAULT INSTALL 1UBES PROVIDES A FEW APP6-S TO HELP YOU get started: Q UNTRUSTED APP6- RED Q PERSONAL APP6- YELLOW Q WORK APP6- GREEN Q VAULT APP6- BLACK 4HE IDEA IS FOR YOU TO PERFORM ANY GENERAL PURPOSE UNTRUSTED ACTIVITIES LIKE GENERAL 7EB BROWSING IN THE UNTRUSTED 6- AND NOT STORE ANY personal files there. Then you can perform more trusted activities LIKE CHECKING YOUR E MAIL OR ANY 7EB BROWSING THAT REQUIRES PERSONAL CREDENTIALS IN THE PERSONAL 6- 9OU CAN CHECK YOUR WORK E MAIL AND STORE YOUR WORK DOCUMENTS IN THE WORK 6- &INALLY YOU CAN STORE YOUR '0' keys and password manager files in the vault (which has no network at all). Although this is nice for getting started, as you can see, you may want to isolate your activities and files even further. 4HE INSTALLER ALSO CREATES A SYS NET SYS FIREWALL AND SYS WHONIX SERVICE 6- TO PROVIDE YOU WITH NETWORK ACCESS A FIREWALL FOR APP6-S AND A 4OR GATEWAY RESPECTIVELY 9OU ALSO OPTIONALLY CAN ENABLE A SYS USB SERVICE 6- THAT IS ASSIGNED ALL OF YOUR 53" CONTROLLERS TO PROTECT THE REST OF THE 52 | June 2016 | http://www.linuxjournal.com LJ266-June2016.indd 52 5/18/16 12:58 PM HACK AND / SYSTEM FROM 53" BASED ATTACKS My Personal Computer -Y PERSONAL COMPUTER IS A 0URISM ,IBREM AND MY GENERAL DESKTOP USE is pretty basic. Here’s my normal list of activities in order of risk: Q Web browsing. Q #HECKING E MAIL Q Chatting on IRC. Q 5SING MY $ PRINTER Q Writing articles. 'ENERALLY SPEAKING 7EB BROWSING AND E MAIL ARE THE RISKIEST ACTIVITIES I perform on my computer each day, as they can expose me to malicious file attachments and other compromises. On the other end, all I need to write articles is a text editor with no network access, so that’s a pretty SAFE ACTIVITY "ELOW ) LIST THE DIFFERENT APP6-S )VE CREATED BASED ON THIS TYPE OF USE ORDERED FROM LEAST TRUSTED TO MOST TRUSTED ) ALSO SHOW WHAT COLOR ) ASSIGNED THE 6- AND DESCRIBE HOW ) USE EACH APP6- dispVM—red: ) USE DISPOSABLE 6-S WHENEVER )M DOING SOMETHING PARTICULARLY RISKY SUCH AS WHEN ) WANT TO VIEW A SKETCHY LOOKING 52, For instance, my mail client is configured to open all attachments AUTOMATICALLY IN A DISPOSABLE 6- BASED ON THE OFFICIAL 1UBES MUTT guide: HTTPSWWWQUBES OSORGDOCMUTT). That way, even if someone were to send me a malicious Word document or PDF, I can read it in the DISPOSABLE 6- AND THE ATTACK IS ISOLATED INSIDE THAT 6- 7HEN ) CLOSE the document, any malicious program it is running goes away and in the meantime, the attacker had no access to any of my personal files. untrusted—red: -Y UNTRUSTED APP6- IS WHERE ) PERFORM ALL OF MY GENERAL PURPOSE 7EB BROWSING BUT NOT ANY 7EB SITES THAT REQUIRE A USER name and password. It has unrestricted access to the Internet. I’ve set UP SOME OTHER MORE TRUSTED 6-S SUCH AS THE ONE WHERE ) CHAT IN )2# 53 | June 2016 | http://www.linuxjournal.com LJ266-June2016.indd 53 5/18/16 12:58 PM HACK AND / In this way, any tracking cookies are limited to the Web browser inside this appVM; Tor prevents any other servers apart from Facebook from knowing I’m using Facebook, and even Facebook itself doesn’t know my IP. TO OPEN UP 52,S IN THIS 6- AUTOMATICALLY BY SETTING THE DEFAULT 7EB BROWSER IN THAT APP6- TO BE THE QVM OPEN IN VM COMMAND LINE TOOL ) DONT STORE ANY PERSONAL FILES IN MY UNTRUSTED 6- SO IF ) FEEL LIKE A 52, ) OPENED LOOKS PARTICULARLY SKETCHY ) CAN JUST DELETE THE 6- AND RE CREATE IT AND IN LESS THAN A MINUTE )M BACK WITH A CLEAN UNTRUSTED 6- 3INCE ) BROWSE RANDOM 7EB SITES WITH THIS 6- AND MIGHT OPEN OBSCURED 52, SHORTENED 52,S IN IT ITS ONE OF THE 6-S MOST LIKELY TO BE compromised. That said, because I don’t store any personal files in the 6- AND ) DONT BROWSE TO ANY 7EB SITES THAT REQUIRE A USER NAME AND PASSWORD THE MOST AN ATTACKER COULD DO BESIDES JUST USE THAT 6- FOR ITS network and CPU resources is view my general browsing habits. fb—orange: It may surprise some readers to know that I have a Facebook account. I personally don’t post to my account all that much (and when I do, I post only things I’m fine with the whole world seeing), but like many of you, I have friends that I don’t see often who post about what’s going on with their lives only on Facebook. I’m concerned about the privacy issues surrounding Facebook tracking my every move on the Web, but I still want to be able to view my friends’ posts, which I can’t do without logging in. -Y COMPROMISE HAS BEEN TO CREATE A SPECIAL APP6- JUST FOR &ACEBOOK AND NOTHING ELSE 4HIS APP6- IS CONFIGURED TO USE THE SYS WHONIX PROXY6- FOR NETWORK ACCESS SO ALL OF ITS TRAFFIC GOES OVER 4OR AND ) USE Facebook’s Tor hidden service at https://facebookcorewwwi.onion to access the site. In this way, any tracking cookies are limited to the Web BROWSER INSIDE THIS APP6- 4OR PREVENTS ANY OTHER SERVERS APART FROM Facebook from knowing I’m using Facebook, and even Facebook itself doesn’t know my IP.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-