Essential Security Guide Introduction


Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation, including a System Hardening Checklist. The more you know, the safer you can be.

This page is an introduction to computer security and to the motivation for caring about it.

Essentials

"Security is a process, not a product." -- Bruce Schneier, encryption and security expert. [1] [2]

It is important to understand that neither Whonix ™ nor software in general can guarantee absolute anonymity or security; 'perfect security' is a mirage. The reason is that flaws in hardware and software are ever-present, as continual upgrades and patches inevitably introduce further coding [3] or design errors which attackers of varying skill can profit from. As a consequence, the best approach is to mitigate risk exposure and provide defense in depth. [1] [4]

With this understanding, a material improvement in security and anonymity requires 'raising the bar' against potential attackers and eavesdroppers: [5]

Security is a process, not a product. It is also about economics. Briefly explained, each attacker has a set of capabilities, privileges, and a certain amount of budget, time and motivation. Given enough of these resources, security of any process will fail; the goal when securing a system is to add layers of security that make attacks too expensive. Nation-state actors have massive budgets, and no single system can be made secure enough against targeted attacks. However, if widely deployed, systems that cannot be compromised with automated attacks increase the attacker's cost linearly and thus force the attacker to pick targets. Such systems are the only way to make mass surveillance infeasibly expensive.

In the case of Whonix ™, relative security and anonymity can be improved by utilizing the Whonix ™ split-VM design (particularly Qubes-Whonix ™), hardening the platform as much as possible, and adopting online behaviors which minimize the threat of deanonymization. If you are unfamiliar with Whonix ™ / Linux or have limited knowledge of computer security and anonymity topics, then it is recommended to first read these resources:

If you have more time available, then it is recommended to read the Documentation widely.

Motivation

If motivation is needed to secure your computer, refer to these articles:

If the reader is time-poor, then just review the Hacked PC or Hacked Email figures, or briefly scan the summary tables below.

Hacked PC

US journalist and investigative reporter Brian Krebs notes there are a large number of malicious uses for hacked PCs, including ransomware, bot activity, stolen account credentials, webmail spam and much more.

Table: Value of a Hacked PC [6]

| Category | Attacker Activity |
|---|---|
| Account Credentials | eBay/Paypal fake auctions; Online gaming, website FTP, Skype/VOIP credentials; Client-side encryption certificates |
| Bot Activity | Zombies: spam, DDoS extortion, click fraud and CAPTCHA-solving; Anonymization proxy |
| Email Attacks | Webmail spam; Stranded abroad advance scams; Harvesting email contacts and associated accounts; Access to corporate email |
| Financial Credentials | Bank account and credit card data; Stock trading account; Mutual fund / 401k account |
| Hostage Attacks | Fake anti-virus; Ransomware and email account ransom; Webcam image extortion |
| Reputation Hijacking | Facebook, Twitter, LinkedIn, Google |
| Virtual Goods | Online gaming characters, goods/currency; OS and PC game license keys |
| Web Server | Phishing, malware download site; Warez/piracy, child pornography server; Spam site |

Hacked Email Account

Krebs also notes the significant value of a hacked email account. Just one breach of an online email service permits the theft of valuable personal data, account/contact harvesting, re-sale of retail accounts, spam and much more. An email account is a particularly weak link, since an attacker who controls it can reset its password, along with the passwords of many linked services and accounts.

Table: Value of a Hacked Email Account [7]

| Category | Attacker Activity |
|---|---|
| Employment | Forwarded work documents and work email; Fedex, UPS, Pitney Bowes account; Salesforce, ADP accounts |
| Financial | Bank accounts; Email account ransom; Change of billing; Cyberheist lure |
| Harvesting | Email, chat contacts; File hosting accounts; Google Docs, MS Drive, Dropbox, Box.com; Software license keys |
| Privacy | Your messages, calendar, photos, Google/Skype chats; Call records (+ mobile account); Your location (+ mobile/iTunes) |
| Retail Resale | Facebook, Twitter, Tumblr, Macys, Amazon, Walmart; iTunes, Skype, Bestbuy, Spotify, Hulu+, Netflix; Origin, Steam, Crossfire |
| Spam | Commercial email; Phishing, malware; Stranded abroad, email signature and Facebook/Twitter scams |

Advanced Security Guide

After reading this chapter, it is recommended to refer to the Advanced Security Guide section for even more security advice.

Stay Tuned

It is recommended to read the latest Whonix ™ news to stay in touch with ongoing developments, such as notifications about important security vulnerabilities, improved Whonix ™ releases, other software updates and additional advice.

Footnotes

  1. https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html
  2. Similarly, anonymity is a continual process -- not an end destination -- that is informed by new knowledge that is constantly gathered.
  3. Security bugs generally fall into two categories: those which pose a passive threat due to eventual erroneous behavior, and accidental vulnerabilities that are exploitable with malicious inputs.
  4. Schneier also notes several other security principles: limit privilege, secure the weakest link, use choke points, fail securely, leverage unpredictability, enlist the users, embrace simplicity, detect attackers, respond to attackers, be vigilant, and watch the watchers.
  5. https://github.com/maqp/tfc/wiki/Threat-model
  6. https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ Figure 1.
  7. https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ Figure 1.

