Tomas Lipensky - vedomostni koutek

Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

blog:index [2022/01/26 11:37]
127.0.0.1 external edit 		blog:index [2023/05/31 11:00]
tomas
Line 1: Line 1:
 I have decided to keep this section in English as I can see overlapping of the topics over the borders. It makes the information more useful. I have decided to keep this section in English as I can see overlapping of the topics over the borders. It makes the information more useful.
 +
 +====Secure workstation===
 +==31.05.2023==
 +There is used to be lot of sensitive data stored on the computers (laptops, desktop, servers). It may consist pictures, texts, code, data, but one very sensitive type of data is identity (access to multiple cloud services), history, filled forms, passwords, sessions. To obtain the sensitive data, it is enough to have read access over the files, so for example root/admin access to the computer. How can it happen?
 +- steal device - boot from custom boot image as superadmin and access data
 +- steal disk - put into own device with superuser and access data
 +- logging to the system as a different user - when data is not protected by user account (access rights, ownership)
 +- stealing the superuser, or target account
 +- some system vulnerability - stealing in the memory, on the way (network) etc.
 +
 +For system vulnerability, it is important to have system well maintained and configured (limited functionality just to necessary options, password policies etc.)
 +
 +Stealing account threatens by leaking the password, session, key etc. It is ususally the human error and we must trust the persons they protect their data.
 +
 +Access configuration on the server - it is partially in the scope of administrator and the user. Always think about access rights of the files and their location on the server (for example not keep it on unprotected places like temporary directories, unprotected removable devices etc.
 +
 +Steal device and steal disk - for both cases the data encryption is very important to avoid leak of sensitive data. Very important is to have encrypted user profile. In some systems it requires encrypted operating system disk. Here we need to be careful. The encrypted key can be a file on the computer and it can be stolen. Or the encryption key can be a chip on the mainboard and bios can be unprotected and allow insert another boot media or be reset to factory configuration. This is not case of manually entered key (passphrase). But it should be long and hard enough, because the compute force allows to get it bruteforce in shorten time nowadays. When the computer shared by multiple people, all need to know the passphrase and this is not comfortable.
 +
 +Another alternative is  to have encrypted just disk (filesystem, logical volume), which contains home data. But this requires oftentime to enter the passphrase during boot time, or have extra account, where we unlock the disk.
 +
 +Best thing is bind the account password with disk encryption password and enter is just once during login. There is quite new tool on linux - systemd-homed, which is a service maintaining such functionality and making security and login comfort on very nice level.
  
 ====Huion 420 tablet=== ====Huion 420 tablet===
Last modified: 2023/05/31 11:00
GNU Free Documentation License 1.3 Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3