LCU14 BURLINGAME

John Stultz, LCU14

LCU14-115: Security Best Practices

Why is this important?

Linaro is a organization of technical excellence Members trust us with private information that should be handled

appropriately.

Within the organization we share private information that many would

not want made public (vacation schedules, telephone numbers, etc).

Distributed environment often requires HR data which can contain

very personal information to have to be digitally shared.

Why is this *very* important?

(slide stolen from GregKH)

Linaro is a major contributor to Linux

Our work is a potential target

We owe it to ourselves, our members, our community, and our users to

take reasonable precautions

Disclaimer... Nothing is going to prevent targeted action by well-resourced

opponents.

But we don’t have to out-run the bear...

Overview of steps you should take

● Basic tips everyone should know o Two factor authentication

o Password managers

o Keeping your system secure

o Unsecure communication/storage

● Advanced topics o SSH key management

o Extra steps to securing your dev system

o Secure mail

Tips for everyone

Password rules ● *Never* reuse passwords

o Trusting other parties w/ passwords

o Other parties have repeatedly been found to be untrustworthy

● Don’t use passwords, use passphrases o Every 8char password can be computed in one day w/ current labs

o 16 char min

● Do this for your 30-80 accounts on the web o (Basically impossible)

Two factor authentication Password + out-of-band time-limited number

Usually via SMS

Google authenticator

RSA token / Yubikey

Go set it up now on your Google accounts!: https://support.google.com/accounts/answer/185839?hl=en&ref_topic=1099588

Password manager ● Stores all your passwords encrypted w/ a master password.

Integrates with browsers.

● Remember one password, access all your others.

● Allows for really random passwords to be generated for each web

site.

● Browser-native managers often don’t work for all sites.

● I recommend lastpass.com, but there’s others.

Password manager gotcha ● Important: Email is how you recover accounts, reset passwords.

● If you use a free email service for your personal mail, I don’t

recommend using a pw manager to manage that password, since

if you lose your master key you’ll be stuck, and no one will help

you.

● Use a strong & memorable password + 2 factor authentication for

personal email!

Keeping your system secure ● Stay current w/ supported distro version!

● Enable disk encryption on laptops

● Make sure you have your local firewall enabled o gufw makes this easy on ubuntu

o Block everything!

● Be intentional with the applications you run o Avoid flash, java plugins, IM apps, video players, etc.

o Don’t just download and run things

● Don’t surf sites of ill repute from your work box!

Unsecure communication/storage Just a reminder, the following are not secure communication methods

●Unencrypted Email

●IRC

●Hangouts/Google Talk*

●Google Drive / Docs / Sheets*

*While in most cases protected by SSL, we have to “trust” Google and

other service providers we use.

Advanced tips

SSH Keys ● Asymmetric (public/private) keys

● Don’t have to worry about reusing keys, since public key doesn’t

reveal anything about the private key

● Much stronger than passwords/passphrases

SSH Key Security ● Use SSH keys instead of passwords

● Make sure your keys are encrypted!

● Only keep keys on your physical devices!

● Only ssh out from your physical devices (end to end secure

connections)! o Avoid ssh-agent forwarding

SSH Key Management ● I reccomend per-device keys.

o Allows you to restrict number of machines that could be accessed if you lose your

laptop.

● Keep track of what machines your keys can access!

● Rotate keys semi-regularly (requires you to know where your

public keys are).

● Tools needed here!

Securing your development system ● Stay current w/ supported distro version!

● Make sure you have your local firewall enabled

● Don’t run incoming services on your dev machine (ie where you

keep your keys)! o This includes even SSH!

● Run as few network connected apps as possible (browser,

terminal)

● Avoid flash, java plugins, IM clients (pidgin/libpurple), etc.

● Don’t copy-paste commands from web-browsers to shells

● Don’t surf sites of ill repute from your dev box!

Secure email ● GPG/PGP - Asymmetric key encryption/signing

● Generate public and private key, distribute the public key, which

users can encrypt mail to and use to validate signatures, which are

read and signed using private key

● Web of trust

● Unfortunately doing this right is annoying complicated

Secure email ● This requires non-webmail interface

o Thunderbird: Enigmail add-on

o Evolution: Integrated support

o Mutt: You figure it out, smartypants!

o GPGMail: For the MacOS users out there

● Managing keys: o Seahorse or Kgpg for GUI

o keychain is also helpful for CLI

●Cool hardware options are out there o Crypto-stick

o Yubikey neo

Secure email: How to start ● Read the docs

o https://help.ubuntu.com/community/GnuPrivacyGuardHowto

o https://fedoraproject.org/wiki/Creating_GPG_Keys

o https://wiki.debian.org/Keysigning

o https://help.riseup.net/en/security/message-security/openpgp/best-practices

● Generate a key, publish it.

● Get your key signed by other devs o Add fingerprint to your business card

o Print out fingerprint & hand out at conferences

●Start signing mail and git tags! o Consistency is more important than number of signatures

Is all this really doable? ● In the real world, we can’t follow all the rules all the time.

● Many of these suggestions are easily doable, some less so.

● The threat is real, though.

● Being conscious about the threat, and minimizing needless

exposure reduces the risks we have to take.

All of this and more on the wiki

wiki.linaro.org/Process/DevSecurityBestPractices

More about Linaro Connect: connect.linaro.org

Linaro members: www.linaro.org/members

More about Linaro: www.linaro.org/about/