
I'm learning that much of the security advice I come across under the "hardening" heading simply does not apply to a single-user home desktop box sitting in a private wireless IPv4 LAN behind a Comcast cable modem. Furthermore, FWIW, this system is Unix-based, and sudo is used whenever superuser privileges are needed.

My understanding (please correct me if I'm wrong) is that such a machine is basically "invisible to the outside", and thus cannot be specifically targeted, out-of-the-blue, by some random attacker. (See https://security.stackexchange.com/a/7831/49340.)

Therefore, AFAICT, the only significant vulnerabilities for such a machine would fall into one of four broad categories:

  1. "physical access" (e.g. a break-in);
  2. insecure passwords and/or weak password management;
  3. vectors inadvertently downloaded by the user while browsing the web;
  4. remote (third-party) site vulnerabilities.

The last category above, 4, refers to the exposure to home computer A that may suddenly arise when a third-party site B, holding confidential information about A, suffers a security breach, thereby rendering A more vulnerable than it was before. There's not much that the owner of A can do to prevent this, other than avoiding giving sensitive information to insecure third-party sites (which is, of course, easier said than done).

Regarding category 1, one thing that the owner of home desktop A could do to reduce this vulnerability would be to encrypt the machine's storage media using a strong password.

As for category 2, a decent keyring-type program should offer adequate protection. And for category 3, which is probably the most significant of all four, adopting "safe browsing habits" (including always browsing the web as a non-privileged user) is just about the only thing one can do.

I see very little "machine/OS hardening" in any of the above. (Or, to put it differently, I don't recall seeing any of the measures described above in the many articles, posts, etc. that I've read in the general category of "hardening".) The one possible exception is the business of encrypting the machine's storage.

So my question is: how applicable is "hardening" to a home setup like the one described above? Have I missed some major security areas for which "hardening", as typically understood, would be of significant benefit to such a system?

(EDIT: clarified that the system is Unix-based, and that the browsing is done always by a non-privileged user.)

kjo

2 Answers


There is one major category of home hardening that you missed, at least in part. 'Vectors downloaded by the user' is a huge category. It is the most used attack vector today.

A lot of attacks don't require any user interaction to run. See drive-by downloads for an example.

While you are correct that safe browsing habits are a good way to address this category, it simply is not enough. Perfectly normal sites are used to spread malware all the time. I have seen Facebook and yellowpages.com both spread malware.

Hardening (in the form of patches, service isolation, even wiping out changes to the system at reboot) is definitely applicable in a home setting. While you can't eliminate the threat 100 percent, you can reduce it greatly.

Edit: What I am trying to get across is this.

  1. A good policy on safe browsing habits is a great place to start.
  2. A good browsing policy is still ineffective with today's threat landscape.
  3. Antivirus / antimalware isn't enough.
  4. Updating software isn't enough.
  5. Even with all of the above it still may not be enough.
Damian T.
Tim Brigham
  • Thanks for your comments. I would indeed put most of the vulnerabilities you refer to under 3, and deal with them with a *very strict* browsing policy that confined itself to the safest websites... Perhaps I should have made it clearer that I'm working with a Unix-based system, and that all the browsing is done by a non-privileged user. It's hard for me to imagine a situation in which malware could do much damage *entirely* behind this non-privileged user's back. BTW, what does "service isolation" mean in the context of a single-user home computer system? – kjo Jun 22 '14 at 22:15
  • 1
    @kjo service isolation means only certain services can only use certain services. keeps rogue programs from doing bad things they're not supposed to http://windowsitpro.com/security/q-how-can-security-windows-service-benefit-service-isolation-feature-how-can-i-set-service- – Eric Lagergren Jun 22 '14 at 22:38
  • 1
    Browser+friends (flash, java...) are so commonly attacked by drive-by malware on the internet, that safe browsing habits do not really help (waterhole-attacks, ad-networks serving malware). The only remedy (in my opinion) is to create a safe browsing environment where anything is allowed to happen - all malware is isolated, and removed at the next browsing session. Either a sandboxed browser, or a dedicated terminal server for internet use. – Dog eat cat world Jun 23 '14 at 07:20

The point is about escalation. Regardless of the habits described, even the use of Unix, none of those prevent malware from exploiting a vulnerability to escalate its privileges.

I would also like to point out that rootkits originated on Unix.

As far as out of the blue attacks go, how many port scans have occurred on your system? I've been to perfectly safe seeming websites that none of my browsers detected as threats, only to have IPs connected to those sites attempt to scan my computer and be blocked by my security.

tk1974
  • Regarding port scanning, the basic premise of my post is: *My understanding (please correct me if I'm wrong) is that such a machine [in a private IPv4 LAN behind a Comcast cable modem] is basically "invisible to the outside"*. If this premise is correct, then I don't see how the ports of such a machine can be scanned. If, on the other hand, the premise is *not* correct, could you explain in more detail where/how it goes wrong? – kjo Jun 23 '14 at 13:24
  • 1
    @kjo The computer is only invisible in the respect that Comcast assigns non-static IP addresses to private users that periodically change. Beneath that is your router which transforms the traffic from your LAN to travel over the internet and assigns subnet IP addresses in the NAT (Network Address Table) to the computers on that LAN. None of this especially makes you invisible to any of the systems on the internet, particularly any of the servers or intermediate systems that your computer has communicated with, because they all have to know where to direct the traffic. – tk1974 Jun 23 '14 at 13:48
  • Here's what I mean: http://security.stackexchange.com/a/7831/49340 (and why the IPv4 detail is important). – kjo Jun 23 '14 at 13:55
  • 1
    @kjo Also, if the system is compromised through some other route such as downloads or compromised websites, and becomes subverted as part of a botnet without your knowledge, that anonymity is meaningless because your computer will constantly connect to the controller and broadcast its new IP addresses to that system. – tk1974 Jun 23 '14 at 13:55
  • Regarding your last comment: note that my initial comment to you was "regarding port scanning". If the machine has been compromised already, that's another matter. – kjo Jun 23 '14 at 13:58
  • @kjo IP addresses from Comcast to your modem and router, and from your router to your computer are subscription based. Meaning there is a pool of them and they are allocated out on a time basis. So your IP subscription could last a day, a week, or a month based on how long the lease is set to last; and within that window anyone who knows that you have that current address can connect to your computer. – tk1974 Jun 23 '14 at 14:02
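One concrete way to answer the question tk1974 raises above ("how many port scans have occurred on your system?") is to look at what the firewall actually logs. The script below is an added example and not code from this thread or from any of its participants. It assumes the router or host firewall logs dropped inbound packets in the standard netfilter LOG format (the `kernel: ... SRC=... PROTO=TCP ... DPT=...` lines that `iptables -j LOG` produces via syslog), that a "scan" means one source probing several distinct destination ports within a short time window, and, since syslog timestamps carry no year, that the log is from 2014. The log lines embedded in it are constructed for the example using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Netfilter LOG lines as rsyslog writes them. Only the fields the detector
# needs are captured; ICMP lines carry no DPT and are therefore skipped.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r".*?PROTO=(?P<proto>[A-Z]+) .*?DPT=(?P<dpt>\d+)"
)

# Syslog timestamps have no year; assumed for the constructed sample below.
LOG_YEAR = 2014

# Constructed sample log (documentation ranges, not real traffic):
#   198.51.100.7    hits six ports in twenty seconds   -> a scan
#   198.51.100.200  hits five ports, one per hour       -> only a scan with a long window
#   192.0.2.44      hits port 23 three times            -> repeated single-port probe, not flagged
#   203.0.113.90    sends an ICMP echo request          -> no DPT, skipped by the parser
#   one unrelated kernel line                           -> not a firewall line, skipped
SAMPLE_LOG = """\
Jun 23 10:00:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 11:00:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 12:00:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:00:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=143 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:20:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:20:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=51002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:20:05 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=51003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:20:08 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=51004 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:20:12 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=51005 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:20:20 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=51006 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 13:21:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=44 ID=0 DF PROTO=TCP SPT=6000 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 23 13:22:00 gw kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jun 23 13:25:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=44 ID=0 DF PROTO=TCP SPT=6001 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 23 13:30:00 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.90 DST=203.0.113.5 LEN=84 TTL=55 ID=12345 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun 23 13:40:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=44 ID=0 DF PROTO=TCP SPT=6002 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 23 14:00:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40005 DPT=993 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return (timestamp, src, proto, dport) for a netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def probe_counts(lines):
    """Dropped-packet count per source, scan or not (the raw 'how many' number)."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return dict(counts)


def find_scanners(lines, window_seconds=60, min_ports=5):
    """Map each source that probed at least `min_ports` distinct destination
    ports within any span of `window_seconds` to the sorted list of every
    port it touched anywhere in the log."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, _proto, dport = parsed
            events[src].append((ts, dport))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # Window anchored at each probe; evs is time-sorted, so look forward only.
            in_window = {port for ts, port in evs[i:]
                         if (ts - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_ports:
                scanners[src] = sorted({port for _, port in evs})
                break
    return scanners


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in sorted(probe_counts(lines).items()):
        print(f"{src:16} {n} dropped packets")
    for src, ports in find_scanners(lines).items():
        print(f"scan from {src}: ports {ports}")
```

Two things the sample is built to show: the window matters (198.51.100.200 only registers as a scan when `window_seconds` is stretched to hours, which is how slow scans hide from naive thresholds), and a source hammering a single port is not a port scan under this rule even though it shows up in the raw counts. Note also that on the setup described in the question these lines would be written by the router for its public address; the desktop behind NAT sees only what the router forwards or what originates inside the LAN, so the router's log, not the desktop's, is where this question is answered.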