<div dir="ltr">..2013/8/10 <span dir="ltr"><<a href="mailto:linuxnutster@videotron.ca" target="_blank">linuxnutster@videotron.ca</a>></span><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I was just reading about this new malware threat. I'm not clear on how exactly this thing can get installed on a Linux system. Would it require 100% social engineering? I installed Fedora on my elderly mother's last two laptops so she can do her banking without being paranoid about keyloggers, trojans, etc... She is a news hound, so it's only a matter of time before she comes flying at me demanding reassurances.<span><font color="#888888"><br>
-- <br></font></span></blockquote><div> </div><div>Mini gude how Fedora can protect You:<br></div><div><br></div><div>1. Use only official repos/strict package signing, no untrusted package sources.<br></div><div>
2. Update browser scope threats, Iced-Tea, Flash-plugin. (whole system, whuh!)<br>
</div><div>3. Better create two browser profiles, one for everyday usage with Iced-Tea disabled, other one ONLY for internet-banking with Iced-Tea enabled, and tell your mother about the <span lang="en"><span>value of such security solution.<br>
</span></span></div><div>4. Disable autorun <a href="http://blogs.iss.net/archive/papers/ShmooCon2011-USB_Autorun_attacks_against_Linux.pdf" target="_blank">http://blogs.iss.net/archive/papers/ShmooCon2011-USB_Autorun_attacks_against_Linux.pdf</a><br>
</div><div>5. Use SELinux shield:<br># setsebool -P allow_execstack=0<br># setsebool -P allow_execheap=0<br># setsebool -P allow_execmod=0 (may break some buggy apps)<br></div><div>6. Set umask 077 in ~/.bashrc (and if needed ~/.gnomerc) to locally or globally(/etc/profile,/etc/bashrc) prevent new planted executables of being execuded. Of course if only system is not for multiuser, <span lang="en"><span>and</span> <span>there is no need for binary execution ~/<br>
</span></span></div><div><span lang="en"><span>7. </span></span><span lang="en"><span><span lang="en"><span>HoT runs without root, so primary impact will be taking over control of user evironment. </span></span>Protect important config files from modification, by setting chattr +i.(remove when needed)<br>
.bashrc<br>.bash_profile<br>.bash_logout<br>.pam_environment<br>.xinitrc<br>.gnomerc<br>
.config/autostart/*<br></span></span></div><div><span lang="en"><span>and so on<br>
</span></span></div><div>8. Configure firewall, but this is different story, as I know from experience, this is difficult to fit any user browsing desires. <span lang="en"><span>But it's</span> <span>worth a try :)<br>
</span></span></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span><font color="#888888">
users mailing list<br>
<a href="mailto:users@lists.fedoraproject.org" target="_blank">users@lists.fedoraproject.org</a><br>
To unsubscribe or change subscription options:<br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/users" target="_blank">https://admin.fedoraproject.<u></u>org/mailman/listinfo/users</a><br>
Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct" target="_blank">http://fedoraproject.org/code-<u></u>of-conduct</a><br>
Guidelines: <a href="http://fedoraproject.org/wiki/Mailing_list_guidelines" target="_blank">http://fedoraproject.org/wiki/<u></u>Mailing_list_guidelines</a><br>
Have a question? Ask away: <a href="http://ask.fedoraproject.org" target="_blank">http://ask.fedoraproject.org</a><br>
</font></span></blockquote></div><br></div></div>