
Setting up a secure laptop?


TN.Frank

I'm still a novice to Linux and having a laptop. My last computer was an iMac that I used for 11 years and it was plugged into an Ethernet cable to my modem so it was secure from anyone wanting to hack into it via WiFi. Now that I'm using a laptop with WiFi I'd like to understand a bit more about how to secure it from being hacked into via SSH, etc. so that if/when I'm out and about I can safely surf the Interweb without fear of having my system taken over.

I was watching an episode from DerbyCon 2012 and a guy was talking about how some of the more knowledgeable Security guys were hacking into the newer guys' laptops via SSH through CUPS and how he thought it would have been better if the older guys would have helped the newer guys instead of messin' with 'em like that. Anyway, what do y'all do to secure your laptops when you're on the move? I'm running Linux Mint 15 MATE and I have an HP nc6400 with Broadcom WiFi, how can I set it up to be more "hacker" proof? Thanks.


@TN.Frank That's only possible if you're running network services on your wireless network such as SSH/CUPS. SSH is a secure protocol designed to allow remote access to your network. I doubt your ISP set you up with such third party services, most don't even enable WiFi. Your best bet would be to encrypt all your traffic using AES/WPA2, use MAC filtering to allow just your PCs, hide your SSID and change your 63char hex pswd frequently. You don't have to go ape shit worrying. Check your router's manual for a list of features. RTFM as we used to say in the ol' days.

Edited by logicalconfusion
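
Whether a laptop is actually offering SSH or CUPS to the network it has joined can be checked locally. The following is an added example, not part of any post in this thread: a shell function that filters `ss -tuln` output for listeners not bound to loopback. The sample output and the small port-name table are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from the network,
# i.e. not bound to a loopback address (127.0.0.0/8 or ::1).

# Constructed sample of `ss -tuln` output so the script runs offline.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      5      [::1]:631           [::]:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
udp   UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
EOF
}

# Reads `ss -tuln` output on stdin.
# Prints "proto port address service" for every non-loopback listener.
exposed_listeners() {
    awk '
        BEGIN {
            # Illustrative labels only; extend for the services you run.
            name["22"] = "ssh"; name["631"] = "cups"; name["5353"] = "mdns"
        }
        $1 != "tcp" && $1 != "udp" { next }      # skips the header line too
        {
            pos = match($5, /:[0-9]+$/)          # port follows the last colon
            if (pos == 0) next
            port = substr($5, pos + 1)
            addr = substr($5, 1, pos - 1)
            # Loopback-only sockets are not reachable from the LAN.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            svc = (port in name) ? name[port] : "unknown"
            print $1, port, addr, svc
        }'
}

# Demo on the constructed sample. On a real machine use:
#   ss -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

Any line this prints is a service other hosts on the same WiFi network can attempt to connect to; stopping the service or binding it to 127.0.0.1 removes it from the list.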

My last computer was an iMac that I used for 11 years and it was plugged into an Ethernet cable to my modem

That's not making you secure, since if you're not behind NAT, that box most likely got scanned every day being on the external internet if directly ON the modem itself, and I would gather, it was probably compromised at one time if that's the case. Just because you're on wired != security, and also, just because it's OSX != security. Apple devices are just as exploitable as Windows and Linux, so if you aren't behind NAT and have a router locked down, you are doing yourself a disservice connecting directly to the internet (not to mention if it's IPv6 capable, will make it easier to find you even if your external IP changes, your IPv6 address will be the same if you use IPv6 networking over the internet in any fashion).

If going to a conference or traveling, 1, remove the HDD, leave it at home, 2, use TrueCrypt or other such encryption to store files on an external HDD or thumb drive, SD card, etc. and 3, use a live CD/DVD to boot from that also has tools to open what you need from the external drive to access your encrypted volume or files.

This "helps" minimize your attack surface (but is not foolproof), and has no storage on the laptop itself, so if ever seized or stolen no data of yours can be accessed, and the external drive's data, so long as it's an uber strong/long password and encryption mechanism, will most likely be intact, for which you don't have to give anyone the password, ever. Just don't ever forget the password!

Might seem extreme, but it's generally a good idea to go disk-less when traveling or hitting up hacker conferences just to safeguard your data. If paranoid, you can do the same thing at home for specific machines you use to do things of a questionable or just paranoid surfing nature, i.e. sites you believe to be hostile. Just make sure if doing so, unhook the rest of the devices from the network in case you get compromised, so they can't pivot through you to your other machines.

Just make sure the Live CD/DVD has what you need/want on it, and if you can, build your own live disc with tools you want, and after boot, run passwd to change the password after boot every time (and don't store personal data on the Live CD - be sure all browsing history, cookies, former DHCP leases are all flushed and logs are cleared before building the live disc - once found a live distro that contained former users' TORRENT history and sites they browsed - which will remain nameless). Can also configure it so no services start by default on boot, such as SSH, networking, etc., so you can set it up after booting and manually acquire your network access as needed and start the services you want/need as needed.


Thanks for the replies. Yes, I'm running AES/WPA2 Security and yes, I'm hidden. So you can only SSH into someone's laptop if they're on the same network then? I guess the guys at DerbyCon were all running off the same WiFi connection then and that's how the other guys SSH'ed into their computers. Like I said, I'm a Novice, not a Noob so I do know a little bit about Linux, WiFi, etc. Not to come off as a smarty pants but give me a little credit, LOL.

So, basically, if I go to a public WiFi Cafe and connect to their WiFi and use WPA2 I should be ok then? Long as I don't connect to a Pineapple and get a Man in the Middle attack I should be ok then. Thanks. :)


If using open WiFi, even with WPA2, I would still consider using a VPN or SSH tunnel out of their network. Others on the same LAN can possibly attack your machine on the network or poison the router's DNS, which is also why I hard code my DNS server on my box vs using DHCP's settings. Nothing is foolproof though, and while WPA2 is good to keep people from seeing plain packets over monitor mode, it won't stop attacks from people already on the same network.


@TN.Frank Well, a public WiFi hotspot is public, and usually monitored and might even be compromised by a hacker. Security experts recommend setting up a VPN on your home network so you can tunnel from the pub WiFi to your own dedicated ISP using encryption to CYA (cover your ass). There're a lot of free VPN services available that you can sign up for, some of them are actually located outside the U.S. so your IP will look like it originated from some place else. Either way, the VPN admins on the other end can monitor your traffic, unless you're connecting to private sites that implement SSL correctly, like Gmail.


I've been unemployed for almost 4 years so I really don't have the money to set up a VPN with my ISP.

If you guys get a chance and can pull up DerbyCon 2012 (I have a Roku I watch on) then check out Day 3, Chris Jenks, Intro to Linux System Hardening. Pretty interesting even if I only get about half of what he's saying, LOL.
