lp0 on fire

My personal blog

OS: Hardening my devices

After a friend of mine had isar flagged as infected when he used it in his flutter application, I realized it was high time for me to look into what I can do to secure myself from potential security hazards.

1. Review all source code used in the project

This takes a whole lot of time, but it's better to be safe than sorry. This is especially true for ecosystems where a package pulls in many others. Just because a package is used everywhere doesn't mean it's safe!

2. Very strict firewall rules

Did you know that Ubuntu 22.04 doesn't come with any rules enabled? Yeah that's right, no filters by default! This can luckily easily be fixed by adding some strict default rules:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

Did you also know that Steam (game platform) enabled all ports for inbound connections for every game it installs? Enjoy those remote-execution exploits on your system while playing games online. So make sure these firewall rules once the games are installed.

While Windows 10 Enterprise LTSC 21H2 was at the right track by disabling most inbound connections, it doesn't disable Wi-Fi Direct (WFD) by default. If you don't use it, turn it off.

3. Take special care with browsers

The most vunerable part of your system are you. Most time people spend on the computer is on an internet browser, whenever its through webview or the actual application. That's why its a very good idea to reinforce it as much as possible to protect oneself. That way you don't compromise yourself when you click on a bad link by accident.

Like with swf and java ads in the past, malicious advertisements are using js to facilitate attacks through the browser. So disable and filter whatever you don't use in the browser. UBlock Origin makes it easy by making difficult configurations more easily toggable.

I only allow images, fonts and js on websites that I trust, and have as strict as possible filtering of advertisements and malicious elements. I clear cookies and everything else I don't need when I close the browser, and never safe passwords.

Personally I use Edge on windows because I get to control a whole lot of it through domain policies and run it hardware sandbox through the windows security plugin. On linux I use Gnome Web, installed as a flatpak with strict rules.

4. Don't have sensitive information

...on your computer. Keep that on an external hard drive, with encryption. Cold storage with encryption that's only connected when you really need it is the best way to prevent data theft.

Conclusion

Just be careful, make sure to keep the device clean and safe, and everything should be fine! It is always worth the effort to go the extra mile, because you wish you did when something happens to ya.