Posted on 13-Jun-2015
LCU14 BURLINGAME
John Stultz, LCU14
LCU14-115: Security Best Practices
Why is this important?
● Linaro is an organization of technical excellence. Members trust us with private information that should be handled appropriately.
● Within the organization we share private information that many would not want made public (vacation schedules, telephone numbers, etc.).
● A distributed environment often requires HR data, which can contain very personal information, to be shared digitally.
Why is this *very* important?
(slide stolen from GregKH)
● Linaro is a major contributor to Linux
● Our work is a potential target
● We owe it to ourselves, our members, our community, and our users to take reasonable precautions
Disclaimer: nothing is going to prevent targeted action by well-resourced opponents.
But we don’t have to out-run the bear...
Overview of steps you should take
● Basic tips everyone should know
  o Two factor authentication
  o Password managers
  o Keeping your system secure
  o Insecure communication/storage
● Advanced topics
  o SSH key management
  o Extra steps to securing your dev system
  o Secure mail
Tips for everyone

Password rules
● *Never* reuse passwords
  o Reusing a password means trusting every other party that holds it
  o Those other parties have repeatedly been found to be untrustworthy
● Don’t use passwords, use passphrases
  o Every 8-character password can be brute-forced in about a day with current lab hardware
  o 16 characters minimum
● Do this for your 30-80 accounts on the web
  o (Basically impossible on your own)
Two factor authentication
● Password + an out-of-band, time-limited number
  o Usually via SMS (the weakest of these: the code travels over the phone network)
  o Google Authenticator
  o RSA token / Yubikey
● Go set it up now on your Google accounts!: https://support.google.com/accounts/answer/185839?hl=en&ref_topic=1099588
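The time-limited number that Google Authenticator and similar apps produce is RFC 6238 TOTP: an HMAC of a shared secret over the current 30-second interval, truncated to six digits. The following is an added example, not code from the talk, implementing the generator and the server-side check in Python. It covers the two details that matter in practice: tolerating a little clock drift between phone and server, and refusing to accept the same code twice inside its lifetime. The secret is the published RFC 6238 test-vector secret, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890"). Not a real credential.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch.
    Google Authenticator uses step=30, digits=6 and SHA-1, which are the defaults here."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1, last_used=None):
    """Server-side check. Returns the interval counter the code matched, or None.

    - `window` tolerates +/- that many intervals of clock drift between phone and server.
    - `last_used` is the counter of the last accepted code; anything at or below it is refused,
      so a code captured in transit cannot be replayed while it is still "valid".
    - the comparison is constant-time so response timing does not reveal which digits were right."""
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used is not None and candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits).encode(), code.encode()):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps take the shared secret as base32 (the 'manual entry' string under the QR code)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_SECRET, now))
    print("seconds until it rotates:", 30 - now % 30)
```

`verify_totp` returns the matched counter rather than a plain boolean so the caller can store it as `last_used` for the next attempt; without that, a six-digit code is reusable for up to 30 seconds (90 with a one-interval window), which is exactly the replay a sniffed SMS or shoulder-surfed screen gives an attacker.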
Password manager
● Stores all your passwords encrypted with a master password. Integrates with browsers.
● Remember one password, access all your others.
● Allows a really random password to be generated for each web site.
● Browser-native managers often don’t work for all sites.
● I recommend lastpass.com, but there are others.
Password manager gotcha
● Important: email is how you recover accounts and reset passwords.
● If you use a free email service for your personal mail, I don’t recommend using a password manager to manage that password, since if you lose your master key you’ll be stuck, and no one will help you.
● Use a strong & memorable password + two factor authentication for personal email!
Keeping your system secure
● Stay current with a supported distro version!
● Enable disk encryption on laptops
● Make sure you have your local firewall enabled
  o gufw makes this easy on Ubuntu
  o Block everything inbound!
● Be intentional with the applications you run
  o Avoid Flash, Java plugins, IM apps, video players, etc.
  o Don’t just download and run things
● Don’t surf sites of ill repute from your work box!
Insecure communication/storage
Just a reminder, the following are not secure communication methods:
● Unencrypted email
● IRC
● Hangouts/Google Talk*
● Google Drive / Docs / Sheets*
* While in most cases protected by SSL, we have to “trust” Google and the other service providers we use.
Advanced tips
SSH Keys
● Asymmetric (public/private) keys
● Installing one key on many hosts doesn’t weaken it, since the public key reveals nothing about the private key (unlike a password, which every server you give it to can read and leak)
● Much stronger than passwords/passphrases
SSH Key Security
● Use SSH keys instead of passwords
● Make sure your private keys are encrypted with a passphrase on disk!
● Only keep keys on your physical devices!
● Only ssh out from your physical devices (end to end secure connections)!
  o Avoid ssh-agent forwarding: anyone with root on the intermediate host can use your forwarded agent to authenticate as you for as long as you stay connected
SSH Key Management
● I recommend per-device keys.
  o Allows you to restrict the number of machines that could be accessed if you lose your laptop.
● Keep track of what machines your keys can access!
● Rotate keys semi-regularly (requires you to know where your public keys are).
● Tools needed here!
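Knowing which machines each key can reach, and spotting keys that should have been rotated out, is exactly the gap the slide above flags. The following is an added example, not part of the talk or any Linaro tooling: a small Python auditor that takes the public key generated on each of your devices plus the authorized_keys files pulled from your hosts, computes SHA256 fingerprints the way `ssh-keygen -lf` does (SHA256 over the wire-format key blob, base64 without padding), and reports which device reaches which host, which entries belong to no device you still own, and which entries have no `from=` source restriction. The key material and authorized_keys contents are constructed inline (hash output standing in for key bytes, laid out in the ssh-ed25519 wire format, not real keys) so it runs offline; swap in your own inventory to use it.

```python
import base64
import hashlib
import re
import struct

# Key type token followed by its base64 blob; anything before is the options field, anything after the comment.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh-|ecdsa-sha2-|sk-)\S+)\s+([A-Za-z0-9+/=]+)")


def parse_authorized_key(line):
    """Split one authorized_keys line into (options, key_type, blob_bytes, comment), or None."""
    m = KEY_RE.search(line)
    if not m:
        return None
    options = line[:m.start()].strip()
    comment = line[m.end():].strip()
    return options, m.group(1), base64.b64decode(m.group(2)), comment


def fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the wire-format blob, base64 with padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def make_demo_ed25519_pubkey(label: str, comment: str) -> str:
    """CONSTRUCTED sample key: 32 hash bytes stand in for the public key so the example runs offline.
    The layout (length-prefixed type string, length-prefixed key bytes) matches a real ssh-ed25519 blob."""
    raw = hashlib.sha256(label.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def audit(inventory, hosts):
    """inventory: device name -> the public key generated on that device (one key per device).
    hosts: hostname -> contents of that host's authorized_keys.
    Returns {"access": device -> sorted hosts, "unknown": [(host, fp, comment)], "unrestricted": [(host, device)]}."""
    known = {}
    for device, line in inventory.items():
        known[fingerprint(parse_authorized_key(line)[2])] = device
    access = {device: [] for device in inventory}
    unknown, unrestricted = [], []
    for host, text in hosts.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parsed = parse_authorized_key(line)
            if parsed is None:
                continue
            options, _, blob, comment = parsed
            device = known.get(fingerprint(blob))
            if device is None:                      # key that no device in the inventory owns: rotate it out
                unknown.append((host, fingerprint(blob), comment))
                continue
            access[device].append(host)
            if "from=" not in options:              # no source restriction: key works from anywhere
                unrestricted.append((host, device))
    return {"access": {d: sorted(h) for d, h in access.items()}, "unknown": unknown, "unrestricted": unrestricted}


# Constructed inventory and authorized_keys contents for the example (not real hosts or keys).
INVENTORY = {
    "laptop": make_demo_ed25519_pubkey("laptop-2014", "john@laptop"),
    "desktop": make_demo_ed25519_pubkey("desktop-2014", "john@desktop"),
}
HOSTS = {
    "build-box": "\n".join([
        "# constructed authorized_keys",
        'from="10.0.0.0/8" ' + INVENTORY["laptop"],
        INVENTORY["desktop"],
    ]),
    "git-server": "\n".join([
        'from="10.0.0.0/8",restrict ' + INVENTORY["laptop"],
        make_demo_ed25519_pubkey("old-laptop-2012", "john@old-laptop"),   # device you no longer have
    ]),
}

if __name__ == "__main__":
    report = audit(INVENTORY, HOSTS)
    for device, reached in report["access"].items():
        print(f"{device}: {', '.join(reached) or '(no hosts)'}")
    for host, fp, comment in report["unknown"]:
        print(f"ROTATE OUT  {host}: {fp} {comment}")
    for host, device in report["unrestricted"]:
        print(f"NO from=    {host}: key for {device}")
```

Run it against your own material by replacing `INVENTORY` with the `.pub` files from each device and `HOSTS` with `ssh host cat ~/.ssh/authorized_keys` output; the `unknown` list is the rotation to-do list, and `unrestricted` entries are candidates for a `from=` clause so that a lost laptop's key is only usable from the networks you expect.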
Securing your development system
● Stay current with a supported distro version!
● Make sure you have your local firewall enabled
● Don’t run incoming services on your dev machine (i.e. where you keep your keys)!
  o This includes even SSH!
● Run as few network connected apps as possible (browser, terminal)
● Avoid Flash, Java plugins, IM clients (pidgin/libpurple), etc.
● Don’t copy-paste commands from web browsers to shells (a page can put text on the clipboard that differs from what it displays)
● Don’t surf sites of ill repute from your dev box!
Secure email
● GPG/PGP: asymmetric key encryption/signing
● Generate a public/private key pair and distribute the public key. Others use it to encrypt mail to you and to verify your signatures; you use the private key to read that mail and to sign.
● Web of trust
● Unfortunately doing this right is annoyingly complicated
Secure email
● This requires a non-webmail interface
  o Thunderbird: Enigmail add-on
  o Evolution: Integrated support
  o Mutt: You figure it out, smartypants!
  o GPGMail: For the MacOS users out there
● Managing keys:
  o Seahorse or Kgpg for GUI
  o keychain is also helpful for CLI
● Cool hardware options are out there
  o Crypto-stick
  o Yubikey Neo
Secure email: How to start
● Read the docs
  o https://help.ubuntu.com/community/GnuPrivacyGuardHowto
  o https://fedoraproject.org/wiki/Creating_GPG_Keys
  o https://wiki.debian.org/Keysigning
  o https://help.riseup.net/en/security/message-security/openpgp/best-practices
● Generate a key, publish it.
● Get your key signed by other devs
  o Add the fingerprint to your business card
  o Print out the fingerprint & hand it out at conferences
● Start signing mail and git tags!
  o Consistency is more important than number of signatures
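Before you sign a key you were handed at a conference (or ask someone to sign yours), the check that matters is that the full 40-hex fingerprint on the card equals the primary-key fingerprint gpg shows for the key you actually fetched. A matching short key ID is not enough: key IDs are just the last 8 or 16 hex digits of the fingerprint and can be deliberately collided. The following is an added example, not from the talk: Python that parses the machine-readable `gpg --with-colons --fingerprint` output (the `fpr` record carries the fingerprint in its tenth field; the first `fpr` after a `pub` record is the primary key's) and compares it against whatever was printed on the card, tolerating the usual spacing and case differences. The gpg output is a constructed sample with made-up fingerprints and key IDs, not a real key.

```python
import hmac
import re

HEX40 = re.compile(r"[0-9A-F]{40}")

# CONSTRUCTED sample of `gpg --with-colons --fingerprint` output (made-up key, fingerprints and IDs).
GPG_OUTPUT_SAMPLE = """\
pub:u:4096:1:1111222233334444:1401000000::::::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:u::::1401000000::0000000000000000000000000000000000000000::Example Dev <dev@example.com>::::::::::0:
sub:u:4096:1:5555666677778888:1401000000::::::e::::::23:
fpr:::::::::0000111122223333444499995555666677778888:
"""


def normalize_fingerprint(text: str) -> str:
    """Keep only hex digits, upper-cased: cards, slides and gpg all space/case fingerprints differently."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def primary_fingerprint(gpg_colons_output: str):
    """Return the primary key's 40-hex fingerprint: the first fpr record following a pub record.
    Subkey fingerprints (fpr after sub) are deliberately ignored; you certify the primary key."""
    expecting = False
    for line in gpg_colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expecting = True
        elif fields[0] == "fpr" and expecting and len(fields) > 9 and HEX40.fullmatch(fields[9]):
            return fields[9]
        elif fields[0] in ("sub", "uid"):
            expecting = False
    return None


def verify_card_against_gpg(card_text: str, gpg_colons_output: str):
    """Return (ok, reason). ok only when the full fingerprint on the card equals the primary-key
    fingerprint gpg reports. A card that carries only a key ID is refused even if the ID matches."""
    card = normalize_fingerprint(card_text)
    primary = primary_fingerprint(gpg_colons_output)
    if primary is None:
        return False, "no primary-key fingerprint found in gpg output"
    if len(card) != 40:
        if len(card) in (8, 16) and primary.endswith(card):
            return False, "card carries only a %d-hex key ID, which can be collided; get the full fingerprint" % len(card)
        return False, "card text is not a 40-hex fingerprint"
    if hmac.compare_digest(card.encode(), primary.encode()):
        return True, "fingerprint matches the primary key; check government ID, then sign"
    return False, "fingerprint mismatch: do not sign this key"


if __name__ == "__main__":
    for card in ("AAAA BBBB CCCC DDDD EEEE  FFFF 1111 2222 3333 4444", "1111 2222 3333 4444"):
        print(card, "->", verify_card_against_gpg(card, GPG_OUTPUT_SAMPLE))
```

In practice you would feed `subprocess.run(["gpg", "--with-colons", "--fingerprint", key_id], capture_output=True, text=True).stdout` to `verify_card_against_gpg` after fetching the key; the sample output above stands in for that so the example runs without gpg installed.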
Is all this really doable?
● In the real world, we can’t follow all the rules all the time.
● Many of these suggestions are easily doable, some less so.
● The threat is real, though.
● Being conscious of the threat, and minimizing needless exposure, reduces the risks we have to take.
All of this and more on the wiki
wiki.linaro.org/Process/DevSecurityBestPractices
More about Linaro Connect: connect.linaro.org
Linaro members: www.linaro.org/members
More about Linaro: www.linaro.org/about/