2013/8/12 Daniel J Walsh <dwa...@redhat.com>

> On 08/11/2013 02:28 PM, Alchemist wrote:
> >
> > 2013/8/11 <linuxnuts...@videotron.ca>
> >
> > On 08/10/2013 11:55 AM, Alchemist wrote:
> >
> > ..2013/8/10 <linuxnuts...@videotron.ca>
> >
> > I was just reading about this new malware threat. I'm not clear on how
> > exactly this thing can get installed on a Linux system. Would it require
> > 100% social engineering? I installed Fedora on my elderly mother's last two
> > laptops so she can do her banking without being paranoid about keyloggers,
> > trojans, etc... She is a news hound, so it's only a matter of time before
> > she comes flying at me demanding reassurances.
> >
> > Mini guide how Fedora can protect You:
> >
> > 1. Use only official repos/strict package signing, no untrusted package
> >    sources.
> > 2. Update browser scope threats, Iced-Tea, Flash-plugin. (whole
> >    system, whuh!)
> > 3. Better create two browser profiles, one for everyday
> >    usage with Iced-Tea disabled, other one ONLY for internet-banking with
> >    Iced-Tea enabled, and tell your mother about the value of such security
> >    solution.
> > 4. Disable autorun
> >    <http://blogs.iss.net/archive/papers/ShmooCon2011-USB_Autorun_attacks_against_Linux.pdf>
> > 5. Use SELinux shield:
> >      # setsebool -P allow_execstack=0
> >      # setsebool -P allow_execheap=0
> >      # setsebool -P allow_execmod=0   (may break some buggy apps)
> > 6. Set umask 077 in ~/.bashrc (and if needed ~/.gnomerc) to locally
> >    or globally (/etc/profile, /etc/bashrc) prevent new planted executables
> >    from being executed. Of course if only system is not for multiuser, and
> >    there is no need for binary execution ~/
> > 7. HoT runs without root, so primary impact
> >    will be taking over control of user environment. Protect important config
> >    files from modification, by setting chattr +i (remove when needed):
> >    .bashrc .bash_profile .bash_logout .pam_environment .xinitrc .gnomerc
> >    .config/autostart/* and so on
> > 8. Configure firewall, but this is different
> >    story, as I know from experience, this is difficult to fit any user
> >    browsing desires. But it's worth a try :)
> >
> > An excellent tutorial, thanks! Does HOT rely completely on social
> > engineering or can it penetrate easily via other means? Bearing in mind
> > that we only use official repos...
> >
> > Yes, as this is still the most effective way nowadays (for Windows,
> > Android too), but as we understand social engineering as a wide range of
> > techniques (see SET), you may be ready to tell your mother not to enter
> > root password when PackageKit will ask for it, on malicious unsigned RPM
> > received with Skype or by clickjacking for example. Or even give her
> > limited sudo rights if needed, and keep root password only to yourself.
> > Don't forget about browser exploit packs, it is only a matter of time until
> > they will put in browser exploits, but here properly configured SELinux
> > comes into play. Stay safe.
>
> You could also setup a confined user to run user_u for example.
>
Sure, I forgot about user_u. Btw, for all those who are afraid or lazy, here is a nice SELinux intro: https://www.youtube.com/watch?v=MxjenQ31b70

-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
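
The checks behind steps 5 to 7 of the quoted list, as an added example that is not part of the thread: small shell helpers that report which of the listed SELinux booleans are still on, whether the umask is 077, and which of the listed startup files lack the immutable flag. The function names are hypothetical, and it assumes `getsebool` prints the boolean names exactly as the message gives them (adjust `SEBOOLS` if your policy names them differently).

```shell
#!/bin/sh
# Added example, not from the thread. Names and file list come from steps 5-7;
# the helper function names are hypothetical. Helpers read command output on
# stdin so they can be exercised offline with constructed samples.

SEBOOLS="allow_execstack allow_execheap allow_execmod"   # step 5
STARTUP_FILES=".bashrc .bash_profile .bash_logout .pam_environment .xinitrc .gnomerc .config/autostart/*"   # step 7

# Print each step-5 boolean that is still "on".
# Expects getsebool-style lines: "name --> on|off".
sebools_still_on() {
    awk -v want="$SEBOOLS" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        $2 == "-->" && $3 == "on" && ($1 in w) { print $1 }'
}

# Succeed only if the umask string (e.g. "0077" or "077") strips every
# group and other permission bit, as step 6 asks.
umask_is_private() {
    case "$1" in
        *77) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print paths whose lsattr flag field lacks the immutable "i" flag.
# Expects lsattr-style lines: "<flags> <path>" (paths without spaces).
not_immutable() {
    awk 'NF >= 2 && $1 !~ /i/ { print $2 }'
}

# Run all three checks against the live system and current user.
audit_live() {
    getsebool -a | sebools_still_on | sed 's/^/boolean still on: /'
    umask_is_private "$(umask)" || echo "umask is $(umask), expected 077"
    # Unquoted on purpose: split the list and expand the autostart glob.
    (cd "$HOME" && lsattr -d $STARTUP_FILES 2>/dev/null) |
        not_immutable | sed 's/^/not immutable: /'
}
```

Source the file in the user's own session and call `audit_live`; no output means all three checks passed.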