Professionals: How do you make sure your computer hasn't been hacked? - dtnomad
======
heiseb
TL;DR Security done this way is expensive, using four physical devices: a
gaming desktop, a secure workstation, a NAS, an ESXi server. The hardest part
at first was the discipline to use each workstation for its intended purpose
and breaking bad habits, i.e. not browsing the web from the gaming machine etc.

As a pentester, here are some of the things that I use and do to reduce my
personal attack surface. I separate out functions by device. Note that, other
than the Windows 10 section, this isn't cheap and isn't for most people. I've
invested a large number of hours into this setup to get it to a place where I
feel it's "trustworthy enough."

If I were a regular user and had to use Windows 10, most of the following
guide would be helpful
(https://hackernoon.com/the-2017-pentester-guide-to-windows-10-privacy-security-cf734c510b8d).
I went with a hybrid approach and incorporated elements from Sean Metcalf's
(Trimarc Security) guide on developing a secure baseline
(https://adsecurity.org/?p=3299). I've done
most of this to my gaming computer. I only play games and use VOIP programs on
this machine. Other programs I use on this system (not in the guides) are:
glasswire, herdprotect, immunet. I set up win10 to take a full system backup
once a week, and this gets auto backed up to a NAS.

I use QubesOS for all non-gaming functions. This can be a painful OS to learn,
but I like its "containerization" of information and the workflows for using
it. Encrypted, password protected copies of my various VMs are backed up to
the NAS.

I log some specific event types from every device on my network, and send them
to a SIEM in a VM on an ESXi system. I have custom Splunk dashboards to sort
through this data and only show me what I think is important.

~~~
rogersb
It must be nice to feel at home.

There is still the cheaper alternative of packing light and moving often.
Although it also requires exercising some level of good practice, everyone
feels a bit better using a freshly installed OS.

Build your own live-CD distro, use file-system snapshots, segregate data
susceptible to containing malware, or buy new stuff in random shops you deem
trustworthy, use it and throw it away.

On a side note, as we've seen recently, using untrustworthy sources of
software like npm will without a doubt affect your level of security.

There is no complete and simple solution, AFAIK.

------
rl3
The first step you should take is conducting a complex threat assessment.

Question 1: "Am I someone a sophisticated actor (e.g. nation states) would
target?"

If the answer is yes, then congratulations—you're probably already compromised
and will never know it.

If the answer is no, then you've very little to worry about as long as you
practice good security habits.

~~~
ganeshkrishnan
>If the answer is no, then you've very little to worry about as long as you
practice good security habits.

This is very hard to define. I have all my servers on cloud locked down and
can only ssh with keys (no passwords), and every time I look at the access
log, it just makes me sweat seeing all the "drive by" ssh access attempts
using standard usernames (which I don't use) and even non-standard user names
(like "mother", "suser" etc).

Almost like returning home and seeing unknown footprints outside your home
door. You know the door is secure, the window is bolted and you have an alarm.
But still it's unnerving.

Basic practices I follow:

- Don't run services with a user that has root access.
- SSH only with keys.
- Open up ports on the Azure portal only for required services.
- Check "last", "uptime", "htop" every time I log in.

~~~
andrewSC
Have you tried/are you interested in setting a different port number on the
server? Setting a different port number and using ssh_config on your clients
(so you don't have to keep specifying the different port) helps a ton. I've
done this with a Google 2FA solution[1] and honestly haven't seen a single
rogue attempt.

[1] https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

~~~
techcode
While most guides/books on initially setting up sshd explain the usual stuff
(e.g. allow only key auth, no root, etc.), changing the ssh port from the
standard one (I literally forgot, is it 22?) to something else is one of those
things you pick up in the field.

Usually only once you actually had to maintain production servers. And
hopefully before some of the fancy things (e.g. port-knockers) failed and
locked you out :)

Changing the port is super simple to configure and yet it cuts out 99.9% of
the noise (if not 100%) from brute-force attempts that otherwise might make
you ignore alarms ...
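
The sshd settings discussed in the two posts above (keys only, no root login,
a non-default port remembered on the client side) as an added example; this
is not code from any poster. It parses a constructed sshd_config the way sshd
does (first value of a keyword wins, anything under a Match line is
conditional), reports what differs from that baseline, and renders the
matching client-side ssh_config stanza. The sample configs, the OpenSSH 7.x
era defaults, and the host, alias and key names are all assumptions.

```python
"""Audit an sshd_config against the hardening discussed in the thread and
emit the client-side stanza so the non-default port is never forgotten."""
import re

# Constructed sample with stock-looking weak settings (not a real server's file).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no      # ignored: sshd keeps the first value it sees
Match User deploy
    PasswordAuthentication no  # conditional, not part of the global baseline
"""

# Constructed sample with the settings the posters recommend.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

# Values OpenSSH (7.x era) uses when the keyword is absent from the file.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# keyword -> (acceptable values, severity, why it matters)
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password"}, "high",
                        "root must never be reachable with a password"),
    "passwordauthentication": ({"no"}, "high",
                               "keys only; passwords are what the noise targets"),
    "pubkeyauthentication": ({"yes"}, "high",
                             "keep key auth on before turning passwords off"),
    "challengeresponseauthentication": ({"no"}, "medium",
                                        "PAM prompts can re-enable password login"),
}


def parse_sshd_config(text):
    """Return the effective global directives as {keyword_lower: value}.

    sshd applies the first value it sees for each keyword, so duplicates are
    ignored, and everything from the first Match line onward is conditional.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            break  # Match blocks run to end of file; no global lines follow
        effective.setdefault(key, value.strip())
    return effective


def audit_sshd_config(text):
    """Return [(severity, keyword, observed, note)] for settings that differ
    from the baseline; absent keywords are judged by their default."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (ok_values, severity, note) in CHECKS.items():
        observed = cfg.get(key, DEFAULTS[key]).lower()
        if observed not in ok_values:
            findings.append((severity, key, observed, note))
    port = cfg.get("port", DEFAULTS["port"])
    if port == "22":
        # Not a security boundary, but it removes most scanner noise so the
        # log entries that remain are worth reading.
        findings.append(("low", "port", port,
                         "non-default port cuts drive-by noise, not risk"))
    return findings


def client_stanza(alias, hostname, user, port, identity_file):
    """Render a ~/.ssh/config entry (hypothetical names) for the server."""
    return (f"Host {alias}\n"
            f"    HostName {hostname}\n"
            f"    Port {port}\n"
            f"    User {user}\n"
            f"    IdentityFile {identity_file}\n"
            f"    IdentitiesOnly yes\n")


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG),
                        ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {label} ==")
        for f in audit_sshd_config(text) or [("ok", "-", "-", "no findings")]:
            print("  %-6s %-32s %-18s %s" % f)
    print(client_stanza("prod-web", "203.0.113.10", "admin", 2222,
                        "~/.ssh/id_ed25519"))
```

Only the global section is audited on purpose: a Match block can loosen a
setting for one user or source, so a real review reads those separately.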

------
zlynx
On a Fedora Linux laptop, I occasionally boot from USB and verify the RPM
package database.

On servers, try to have secure remote logs. Use a different administration SSH
key for the log server so that even if your user account and ssh-agent were
compromised the attacker can't use it to edit the logs.

Have your firewall log new connections that aren't part of normal, regular
service. Especially outgoing connections from servers. If a web server
suddenly starts sending email on port 25 to France, it's probably hacked.

Audit the logs for anomalies such as SSH connections from new remote IPs, etc.
Or known user accounts at weird times. Why is your sysadmin coworker suddenly
logging in at 4 am? Etc.
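
The log review described in this post and in ganeshkrishnan's post above
(summarising the drive-by SSH noise, flagging successful logins from new
source IPs or at odd hours, and catching a web server that suddenly talks to
port 25) as an added example; it is not code from either poster. The sshd
lines are constructed in OpenSSH syslog format, the firewall lines assume an
iptables LOG rule on new outbound connections with the prefix EGRESS-NEW, and
the user, IP and hour values are all made up.

```python
"""Review sshd and firewall log lines for the anomalies the thread describes."""
import re
from collections import Counter

# Constructed sample lines in OpenSSH/syslog style (not from a real host).
AUTH_LOG = """\
Mar  3 09:02:11 web1 sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:c0nstructed
Mar  3 02:15:44 web1 sshd[1250]: Failed password for invalid user mother from 203.0.113.55 port 41222 ssh2
Mar  3 02:15:50 web1 sshd[1251]: Failed password for invalid user suser from 203.0.113.55 port 41230 ssh2
Mar  3 02:16:01 web1 sshd[1252]: Failed password for root from 203.0.113.55 port 41240 ssh2
Mar  3 04:07:33 web1 sshd[1310]: Accepted publickey for bob from 192.0.2.99 port 53311 ssh2: ED25519 SHA256:c0nstructed
"""

# Constructed iptables-style LOG lines for new *outbound* connections.
FW_LOG = """\
Mar  3 09:05:00 web1 kernel: EGRESS-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=44012 DPT=443
Mar  3 03:01:02 web1 kernel: EGRESS-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.200 PROTO=TCP SPT=45012 DPT=25
"""

SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
FW_RE = re.compile(
    r"EGRESS-NEW .*?DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")


def parse_sshd(text):
    """Yield one dict per sshd Accepted/Failed line; other lines are skipped."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["hour"] = int(entry["hour"])
            yield entry


def failed_attempt_summary(text, known_users):
    """Count failed logins per username and single out names nobody on the
    box uses (the 'mother'/'suser' noise). Returns (all_counts, unknown)."""
    counts = Counter(e["user"] for e in parse_sshd(text)
                     if e["outcome"] == "Failed")
    unknown = {u: n for u, n in counts.items() if u not in known_users}
    return counts, unknown


def suspicious_logins(text, known_ips, work_hours=(7, 20)):
    """Return (user, ip, hour, reasons) for *successful* logins from a source
    IP not seen before or outside the hours people normally work."""
    start, end = work_hours
    flagged = []
    for e in parse_sshd(text):
        if e["outcome"] != "Accepted":
            continue
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("new source ip")
        if not start <= e["hour"] < end:
            reasons.append("outside work hours")
        if reasons:
            flagged.append((e["user"], e["ip"], e["hour"], reasons))
    return flagged


def unexpected_egress(text, allowed_ports):
    """Return (dst, proto, dport) for new outbound connections to ports this
    server has no business using, e.g. a web server opening 25/tcp."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m and int(m["dport"]) not in allowed_ports:
            hits.append((m["dst"], m["proto"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    counts, unknown = failed_attempt_summary(AUTH_LOG, {"alice", "bob", "root"})
    print("failed attempts:", dict(counts), "unknown names:", unknown)
    for user, ip, hour, why in suspicious_logins(AUTH_LOG, {"198.51.100.7"}):
        print(f"REVIEW login {user}@{ip} at {hour:02d}:xx -> {', '.join(why)}")
    for dst, proto, port in unexpected_egress(FW_LOG, {53, 80, 443}):
        print(f"REVIEW outbound {proto} to {dst}:{port}")
```

The known-IP set is meant to be built from earlier accepted logins, so the
check bootstraps itself; run it against the copy of the logs on the remote log
host, not the one the possibly compromised server can edit.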

------
nandesu
I'm not going to answer how I go about detecting infestations, because I don't
want my techniques to become useless. However, I'll impart some knowledge on
how to better protect yourself.

1. Get familiar with your router.
- Find its logs and look for anything weird incoming or outgoing that you
know isn't you.
- Keep your firmware updated.
- Learn how to configure the firewall.

2. Get the most powerful machine you can afford and run a from-the-metal
hypervisor. Make all your everyday OS installs be virtual machines or
containers and be vigilant about keeping an eye on what's running on them.

3. On Linux.
- Learn the "top", "ps", and "netstat" commands.
- After initial install of the OS, set up Tripwire.
- Pay attention to CERT alerts and try not to be one of the suckers that
installs the various honeypot malware.
- Be concerned more with patches than uptime (if the OS tells you it needs to
be rebooted when you log in, reboot the damn thing ASAP with respect to your
maintenance windows).

4. OS X.
- Same as Linux, except OS X doesn't really virtualize so great. Apple really
hasn't taken the time to streamline their code base when it's being run
virtualized. Maybe performance will be okay on the new iMac Pro just as an
effect of the hardware overkill. Your mileage may vary.

5. On Windows. Windows is an entirely different level of complexity. However,
it does virtualize very well and Microsoft has made many optimizations for it,
especially if you use Hyper-V. The key here is backups. Seriously. You need to
create snapshots after the initial install, and if you really need to run some
kind of shady freeware application, or scammy application to get your music
onto your iPhone without iTunes, spin up a completely new Windows VM, install
all that crap in there, and when you are finished, trash that VM.
- Keep Windows Defender updated and run a full scan weekly.
- Learn Task Manager.
- Install SysInternals and learn what is going on in your system.
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
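
The "set up Tripwire after install" advice above, reduced to its core idea as
an added example (not code from the poster, nor from Tripwire, AIDE or
Samhain): hash every file once, store the baseline somewhere the host cannot
rewrite, and later diff the live tree against it. The file names, contents and
permission values in the demo are constructed.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire/AIDE/Samhain:
baseline a tree after install, keep the baseline off the host, diff later."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: attributes} for every file under root.

    Regular files get content hash, permission bits and size; symlinks are
    recorded by target rather than followed, so a repointed link shows up.
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                entries[rel] = {"symlink": os.readlink(full)}
            elif stat.S_ISREG(st.st_mode):
                entries[rel] = {"sha256": sha256_file(full),
                                "mode": stat.S_IMODE(st.st_mode),
                                "size": st.st_size}
    return entries


def compare(baseline, current):
    """Classify differences. 'modified' covers content changes and
    permission-only changes (e.g. a newly set setuid bit) alike."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def save_baseline(entries, path):
    with open(path, "w") as f:
        json.dump(entries, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a throwaway tree, baseline it into a separate store, change
    three things, and return the report. Everything here is constructed."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in (("bin/ls", b"original binary\n"),
                          ("passwd", b"root:x:0:0\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "passwd"), 0o640)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Changes an integrity check must catch: a replaced binary, a new
        # file, and a permission change with identical content.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced binary\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new file\n")
        os.chmod(os.path.join(root, "passwd"), 0o600)

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline belongs on the NAS or read-only media rather than on the host,
and the comparison is most trustworthy when run from a separate boot (as
zlynx does with the RPM database from USB), because a compromised kernel can
feed the scanner whatever it likes.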

~~~
everdayimhustln
Samhain is less well-known but superior to TW, AIDE and OSSEC. (I've deployed
both FOSS and commercial TW.)

http://www.la-samhna.de/library/scanners.html

http://www.la-samhna.de/samhain/s_faq.html

------
calafrax
I just assume my system is hacked at all times and act accordingly.

That is the only truly secure practice.

~~~
digitalsushi
You're being downvoted - maybe because it sounds like a snarky answer? I've
thought about your response and after some thinking, I feel that it's a
legitimate answer. I reflected for a moment and have decided that I am
starting to do the same - using the computer with the expectation that I am
not the only user. It's paranoid, but it also helps me sleep at night.

Maybe working at a large insurance company, where every keystroke could be
replayed by a perfect stranger, has rubbed off on my home usage. But I come
from a networking field and know perfectly well that our little home routers
are not things we should rely on to be on our side. Maybe they are, but I
think there's a bit of luck. A lot of planning and a bit of luck.

~~~
calafrax
I was being serious even if it came off flippant.

There is no way to be 100% certain of your security with a system as complex
as a computer so if you need 100% certainty then you have to assume you are
compromised, even if that is a very low probability.

~~~
Shorel
Now that I think about it, that's the same reasoning Batman used to justify
attacking Superman in the movie.

~~~
calafrax
"preemptive self-defense" ftw

------
1ba9115454
You can't.

You can only make sure you limit any potential damage and reduce your attack
surface as much as possible.

Limiting damage...

- Regular backups.
- Be careful what you store on your hard drive.

Reducing attack surface...

- Latest version of operating system.
- Try not to install anything.

------
mattbgates
I use a Chromebook which prevents me from getting 99.9% of viruses or malware.
I love the fact that I load it and it loads quick and I know what's running.
The thing that probably slows it down the most is that I tend to open a dozen
or more tabs, so it does experience crashing when it runs out of memory.
That's about it.

------
saganus
Somewhat related, does anyone use Moxie's knocknock [0] or a similar procedure
to secure ports?

Since I learned about it I thought it was a very interesting idea. Even tried
it out a couple of times but not sure if anyone else is using it. It doesn't
seem maintained and I'm not aware of more recent implementations of this.

Does anyone else use it for their setups? is it worth/not worth it?

[0] https://moxie.org/software/knockknock/

------
hluska
Are you asking about my personal machine (i.e. the laptop that I'm writing
this on) or about a server? The answers are slightly different.

------
BorisMelnik
For Windows, I follow this:

https://decentsecurity.com/#/holiday-tasks/

It pretty much keeps me out of any and all infestations. Also a great site in
general.

------
_RPM
Define hacked, what does that mean to you?

~~~
mattbgates
Just as important, define "professional".

~~~
brad0
It's obvious he means a hit man :)

------
cypherg
reinstall.

------
throwawaymanbot
God(s) love(s) a try-er!

