Ubuntu Privacy Remix

from Wikipedia, the free encyclopedia

Ubuntu Privacy Remix
Developer: UPR team
License(s): various
Current version: 04/10 r3 of February 21, 2013
Current preliminary version: 04/12 r1 (August 11, 2013)
Ancestry: GNU/Linux ↳ Debian ↳ Ubuntu ↳ UPR
Language(s): multilingual
www.privacy-cd.org

Ubuntu Privacy Remix (UPR) is a modified live CD based on the Linux distribution Ubuntu. UPR is not intended to be permanently installed on the hard drive. Ubuntu Privacy Remix is intended to provide an isolated work environment in which confidential data can be safely processed; the system installed on the hard drive of the computer used for this purpose remains unaffected. Development and updates stopped in 2016, so UPR is no longer considered secure today. Discreete Linux is considered its successor.

History

The first stable version of UPR was released on December 4th, 2008; it was based on Ubuntu 8.04. Even before the first stable version of UPR, TrueCrypt was an essential part of the system. Development and updating of TrueCrypt was stopped in 2014; VeraCrypt is regarded as its successor. The last stable 7-series TrueCrypt versions are still recommended today, but security researchers keep finding new vulnerabilities in TrueCrypt.

Aims

The UPR developers believe that the risk of theft of confidential data no longer comes only from common internet criminals and their Trojan horses, rootkits and keyloggers. Rather, in many countries around the world, the state is also taking measures to spy on and monitor citizens' computers with such means. Ubuntu Privacy Remix is designed as a tool to protect one's own data against unauthorized access.

Encryption

Ubuntu Privacy Remix contains the two well-known encryption programs TrueCrypt and GnuPG. The authors note, however, that the security of encryption cannot be judged from the encryption program in isolation. Operating systems, application programs, personal behavior and of course malicious software such as Trojan horses, rootkits and keyloggers can undermine or even completely defeat the security of a good encryption program. That is why UPR relies on providing a complete, unchangeable and isolated working environment for the processing, encryption and decryption of sensitive documents.

Functions

Read-only operating system

Storage media, downloads, e-mails, manipulated websites and harmless-looking manipulated documents that exploit buffer overflow vulnerabilities in programs, along with other attack methods, offer many ways to get infected with malware, which then endangers the confidentiality of one's own data. Break-ins carried out specifically for this purpose are also part of the plans of the Federal Ministry of the Interior. UPR protects against this by leaving the system in a clean, unchanged state every time it starts up.

UPR runs from a read-only CD, i.e. it cannot be changed afterwards. Use only as a live CD is part of the concept, and an installation of UPR on the hard disk is deliberately not intended. Spyware and other malware cannot be installed permanently. Of course, it must be ensured that the UPR CD comes from a trustworthy source and was not later replaced.

Software

TrueCrypt is a free, open source program for encrypting hard disks, partitions or removable media, and is installed in UPR. The full range of functions of the Linux version of TrueCrypt is available in UPR. As a special adaptation for working on a temporary live system, the "extended TrueCrypt volumes" functionality was developed in UPR.

In contrast, GnuPG is more suitable for encrypting individual files, and especially for exchanging files with other people, because of its asymmetric procedure. GnuPG is also included in UPR.

The following are included for the actual editing:

No network

The UPR developers attach importance to the prevention of all network connections for two security reasons:

  • on the one hand, malware can penetrate via such network connections,
  • on the other hand, malware that has already penetrated or is active can use network connections to transport "captured" data and to pass it on to the respective attacker.

Many malware types use network connections, especially those to the Internet, to download additional components. They then try, for example, to adapt to the specific configuration of the computer or to modify themselves in order to evade virus scanners.

In order to achieve the goal of a sealed-off island system, Ubuntu Privacy Remix prevents the activation of existing network hardware. For this purpose, support for LAN, WLAN, Bluetooth and infrared hardware and, above all, the remote data transmission (dial-up and network) protocols were removed from the adapted Linux kernel.

No hard drives

The UPR developers also attach importance to preventing access to local (and possibly already contaminated) hard drives, again for two security reasons:

  • on the one hand, malware could penetrate via such hard drives, for example by mounting them and starting the malware from there,
  • on the other hand, malware that has already penetrated and is active can use the hard disks to store “captured” data.

The next time the locally installed system is used with an Internet connection, such data could then be exfiltrated by a locally installed Trojan.

The fact that the operating system is not able to activate the hard disks at all also prevents unencrypted swap partitions on the local hard disks from being mounted automatically, as would happen with a normal Ubuntu live CD. Otherwise there would be a risk of sensitive information being written to the hard drive in plain text in this way.

In order to achieve the goal of an isolated island system, Ubuntu Privacy Remix prevents the activation of local hard drives by changing the handling of ATA devices in the source code of the adapted Linux kernel. As a result, the system completely ignores the (possibly compromised) local S-ATA/ATA hard drives, but still recognizes ATA/ATAPI devices such as DVD drives normally, so that the system can boot from CD at all.

"Noexec"-mounted removable media

As of release 8.04_r2, all removable media are mounted in the system by default with the mount option "noexec". This means that files on these media can be read and written, but no longer executed as code. As a result, malware can no longer be executed directly from a removable medium within the running system. This applies to removable media with the file systems (v)fat, ntfs, ext2/ext3 or reiserfs.
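The following script is an added example and not part of UPR. It audits a running system for the isolation properties described in the "No network" and "Noexec" sections: every mount point under /media must carry the noexec option, and no network interface other than the loopback should exist. Each check takes its input as text, so the script runs against the constructed sample mount table and interface list embedded below as well as against the live /proc/self/mounts and /sys/class/net; the sample device names and mount points are invented.

```shell
#!/bin/sh
# Added example, not part of UPR: audit a running system for the isolation
# properties described above. Each check takes its input as text, so it can be
# run against the constructed samples here as well as against the live system.
set -eu

# Constructed sample of /proc/self/mounts: a USB stick mounted the UPR way
# (noexec), the boot CD, and a USB disk mounted without noexec (the weak case).
SAMPLE_MOUNTS='/dev/sdb1 /media/usb-stick vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/sdc1 /media/usb-disk ext3 rw,relatime 0 0'

# Constructed sample of "ls /sys/class/net" output on an ordinary system.
SAMPLE_IFACES='eth0
lo
wlan0'

# has_noexec MOUNTPOINT [MOUNTS]: exit 0 if MOUNTPOINT carries the noexec
# option (the way UPR mounts removable media: mount -o noexec,nosuid,nodev ...).
has_noexec() {
  mp=$1
  table=${2:-$(cat /proc/self/mounts)}
  printf '%s\n' "$table" | awk -v mp="$mp" '
    $2 == mp {
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# exec_removable [MOUNTS]: print every mount point under /media that lacks
# noexec, i.e. media from which a file could still be executed directly.
exec_removable() {
  table=${1:-$(cat /proc/self/mounts)}
  printf '%s\n' "$table" | awk '
    $2 ~ /^\/media\// && $4 !~ /(^|,)noexec(,|$)/ { print $2 }'
}

# active_net_ifaces [IFACES]: print network interfaces other than the loopback.
# On a kernel with LAN/WLAN/Bluetooth support removed this prints nothing.
active_net_ifaces() {
  list=${1:-$(ls /sys/class/net)}
  printf '%s\n' "$list" | grep -v '^lo$' || true
}

# audit [MOUNTS] [IFACES]: combined report; returns 0 only if both checks pass.
audit() {
  table=${1:-$(cat /proc/self/mounts)}
  ifaces=${2:-$(ls /sys/class/net)}
  bad=0
  for mp in $(exec_removable "$table"); do
    echo "WARN: $mp is mounted without noexec"; bad=1
  done
  for i in $(active_net_ifaces "$ifaces"); do
    echo "WARN: network interface $i is present"; bad=1
  done
  [ "$bad" -eq 0 ] && echo "OK: no executable removable media, no network interfaces"
  return "$bad"
}
```

Run `audit` with no arguments on a live system; `audit "$SAMPLE_MOUNTS" "$SAMPLE_IFACES"` reports the usb-disk mount and the two network interfaces from the constructed samples as findings. Note that noexec only blocks direct execution of binaries on the medium; interpreters run from the read-only system can still read scripts from it, which is why UPR combines this with the restricted user rights described later.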

Extended TrueCrypt volumes

Working with a live CD brings the security advantages mentioned, but also productivity disadvantages, because certain configuration and user data cannot be saved permanently. This means, for example:

  • the spell checker in OpenOffice.org cannot learn new words,
  • OpenOffice.org templates would have to be imported by hand every time,
  • GnuPG would keep neither its keys nor its configuration,
  • Evolution could not be used as an appointment and task planner.

Extended TrueCrypt volumes are a feature of Ubuntu Privacy Remix that solves these problems and is intended to make working with the system more convenient and efficient. Their main functions are:

  • Storage of the configurations and data directories of OpenOffice, Evolution and GnuPG within the container. With Evolution, the values of the GConf database are also stored in the container. In this way, a major disadvantage of an immutable system on CD, the volatility of program configurations, is avoided. For Evolution this also covers the user data (tasks, appointments, notes, contacts), for GnuPG the keys themselves.
  • If desired, the container can be indexed with beagle so that filenames, content and tags can be searched for quickly and easily. This makes it possible, among other things, to work with a tag-based filing system instead of hierarchical folders. Trackerd's configuration and databases are also located inside the container, so that, in contrast to conventional desktop indexing programs, this is not a security problem. During work, all changes in the container are indexed automatically without any major loss of performance.
  • Intelligent backup system: if the system finds a file backup.tc on a removable storage medium when an extended container is closed, it can automatically perform an incremental backup into that container with rsync. Since unchanged files are stored as hard links to the previous backup, much less space is required than with full backups. The last 4 backups are always kept in separate folders.

"Extended TrueCrypt volumes" do not change the function or the container format of TrueCrypt. Only a few additional commands are executed when opening and closing, such as setting symbolic links from the (volatile) home directory to the opened TrueCrypt volume.
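The script below is an added example and not UPR's own code; it models the open/close hooks just described. It assumes the TrueCrypt volume is already mounted at VOL and that the backup container on the removable medium is already mounted at MEDIA/backup (UPR itself handles mounting; only the backup.tc marker file is taken from the page). The directory names in PERSIST_DIRS are assumptions, and the incremental backup uses cp -al and cmp instead of rsync so that it runs without an rsync dependency; the rsync equivalent is given in a comment.

```shell
#!/bin/sh
# Added example, not UPR's own code: a minimal model of the "extended TrueCrypt
# volume" hooks. Assumptions: the TrueCrypt volume is already mounted at VOL and
# the backup container on the removable medium is already mounted at MEDIA/backup
# (UPR itself mounts these; only the marker file backup.tc is taken from the page).
set -eu

# Configuration/data directories kept inside the volume; the names are assumed.
PERSIST_DIRS=".gnupg .openoffice.org .evolution"

# open_volume HOME VOL: seed the volume from the volatile home on first use,
# then replace each directory in HOME with a symlink into the volume.
open_volume() {
  home=$1; vol=$2
  for d in $PERSIST_DIRS; do
    if [ ! -d "$vol/$d" ]; then
      mkdir -p "$vol/$d"
      if [ -d "$home/$d" ] && [ ! -L "$home/$d" ]; then
        cp -a "$home/$d/." "$vol/$d/"
      fi
    fi
    rm -rf "$home/$d"
    ln -s "$vol/$d" "$home/$d"
  done
}

# link_backup SRC DEST: incremental snapshot of SRC into DEST/backup-NNN.
# Unchanged files are hard links into the previous snapshot, so each snapshot
# costs only the changed data; the 4 newest snapshots are kept. UPR does this
# with rsync (rsync -a --delete --link-dest=DEST/<previous> SRC/ DEST/new/);
# the cp -al/cmp version below does the same without an rsync dependency.
link_backup() {
  src=$1; dest=$2
  mkdir -p "$dest"
  latest=$(ls -1d "$dest"/backup-* 2>/dev/null | sort | tail -n 1)
  if [ -n "$latest" ]; then
    last=$(printf '%s' "${latest##*-}" | sed 's/^0*//')   # strip leading zeros
    last=${last:-0}
    new=$(printf '%s/backup-%03d' "$dest" $((last + 1)))
    cp -al "$latest" "$new"            # hard-link copy of the previous snapshot
  else
    new=$(printf '%s/backup-%03d' "$dest" 1)
    mkdir -p "$new"
  fi
  # Break the hard link and copy every file that is new or has changed.
  (cd "$src" && find . -type f) | while IFS= read -r f; do
    if ! cmp -s "$src/$f" "$new/$f"; then
      mkdir -p "$(dirname "$new/$f")"
      rm -f "$new/$f"
      cp -p "$src/$f" "$new/$f"
    fi
  done
  # Drop files that were deleted from the source since the previous snapshot.
  (cd "$new" && find . -type f) | while IFS= read -r f; do
    [ -e "$src/$f" ] || rm -f "$new/$f"
  done
  # Rotate: keep only the 4 newest snapshots.
  ls -1d "$dest"/backup-* | sort -r | tail -n +5 | while IFS= read -r old; do
    rm -rf "$old"
  done
  printf '%s\n' "$new"
}

# close_volume HOME VOL MEDIA: back up the volume if the medium carries the
# backup.tc marker, then remove the symlinks from the volatile home.
close_volume() {
  home=$1; vol=$2; media=$3
  if [ -f "$media/backup.tc" ]; then
    link_backup "$vol" "$media/backup" >/dev/null
  fi
  for d in $PERSIST_DIRS; do
    if [ -L "$home/$d" ]; then rm -f "$home/$d"; fi
  done
}
```

Because a snapshot shares inodes with its predecessor for every unchanged file, deleting an old snapshot never damages a newer one: the data stays on disk as long as any snapshot still links to it. The symlinks are removed on close so that nothing in the volatile home points at a path that no longer exists after the volume is unmounted.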

Restricted user rights

As of version 9.04r1, the rights of the user under whom the live CD runs are severely restricted, unlike in other live CD systems. This is meant to make it more difficult to smuggle malware into the running system or, e.g., to load additional kernel modules. It is not primarily directed against deliberate actions by the user, but against automated attacks.

Restrictions

The UPR developers expressly point out on the website that there is no such thing as absolute security and that the system cannot protect against a number of attacks, which are, however, usually very complex for the attacker.

Attacks below the operating system level

This includes, for example, the insertion of a virtualization layer between the hardware and the UPR operating system, which could be achieved by installing specially manipulated hardware in the computer. Special devices such as hardware keyloggers also belong in this class. Attacks of this type usually require repeated physical access to the computer. Attacks based on hardware virtualization (virtual machine based rootkits) could be an exception under certain conditions.

Reading out the main memory

The so-called cold boot attack refers to an attack in which a computer is cold restarted (power off and on again without a proper shutdown) into a minimal operating system. Because this mini-system uses very little memory, the rest of the memory still contains exactly what it held before the restart. This could include the keys of TrueCrypt containers or GPG keys. Depending on the computer, such residues can still be found after several seconds to minutes without power.

A special attack against systems on which UPR is used can be derived from this method. The security of UPR is based on the fact that the system installed locally on the PC, all hard drives and the network hardware are completely ignored, so that malware that may be present there cannot harm UPR itself.

In a UPR-specific attack, a Trojan horse that searches memory for information such as keys and passphrases must first succeed in implanting itself in the locally installed system. If UPR is then used on this system to process private data, which should actually be safe even on an otherwise insecure PC, and the machine is immediately rebooted into the local system, this Trojan could still find remnants such as keys from the UPR session in memory after the restart. This could undermine the security of UPR. The chance of success is somewhat lower than with "real" cold boot attacks, because the local system has probably already overwritten a large part of the memory that UPR had previously used.

This attack requires that the attacker at least suspects that UPR is being used on this computer. A countermeasure present in UPR 8.04r3 was removed in the current version because it proved to be unstable.

Non-IT attacks

This includes, for example, a camera secretly installed in the apartment, aimed at the keyboard and screen and filming all content, or a weak encryption password that can be found out through social engineering. In many cases, the attacker must also be able to gain physical access to the premises.

Reading out compromising emanations

All electrical devices, especially computer screens, emit electromagnetic waves. These so-called compromising emanations can be intercepted with suitable receiving equipment over long distances (up to 100 meters) in order to eavesdrop on the processed data. In particular, an attacker can reconstruct the video signal and display it on a second screen. The video signal lends itself to quick visualization, but other components and signal lines also radiate and thus unintentionally leak the processed information. In a recent study, Vuagnoux and Pasini of the École polytechnique fédérale de Lausanne even demonstrated that wired keyboards can be eavesdropped to a limited extent. Easily intercepted wireless keyboards with primitive XOR encryption schemes are in any case unsuitable for processing sensitive data.
