It is important to highlight user account security

[Just17]

Tony,
          what started this thread was to highlight what I see as a problem for Linux users.

The message being sent out is that once you do not run as root and are careful then all is OK.

My message is that 'all is ok' only applies to the operating system itself, and not to the user account and the data attached to it.

Sure an unprivileged breach can 'only' damage the user and not the operating system or other user accounts etc.

That is VERY important on a multiuser system; particularly in commercial installations etc.

As there are no other users of my system; it takes 15 mins to reinstall from my remaster the only thing of value is my data ......  and this is at risk if there is a 'low level' breach ......  as in the user account (not the root account) being compromised.

The problem, as I saw it when starting this thread, was (and is) that this danger is being overshadowed by the 'Linux is secure, just don't run as root' type of mantra.

Most of the security is around the operating system and the separation of privileges between users etc ......  which is not applicable if my own single user account is compromised.

Yes, there are extra dangers from 'running as root' ......  but none of them are any more dangerous to my user data (that I can determine) than a low level breach of my account.

I do not hear this, or a similar, message being broadcast in relation to Linux. Certainly not anywhere near as much as 'Linux is secure'.

I believe it is a disservice to all single account Linux users ......  the majority of home users, I am led to believe.

[menotu]

Tony,
          what started this thread was to highlight what I see as a problem for Linux users.

The message being sent out is that once you do not run as root and are careful then all is OK.

My message is that 'all is ok' only applies to the operating system itself, and not to the user account and the data attached to it.

Sure an unprivileged breach can 'only' damage the user and not the operating system or other user accounts etc.

That is VERY important on a multiuser system; particularly in commercial installations etc.

As there are no other users of my system; it takes 15 mins to reinstall from my remaster the only thing of value is my data ......  and this is at risk if there is a 'low level' breach ......  as in the user account (not the root account) being compromised.

The problem, as I saw it when starting this thread, was (and is) that this danger is being overshadowed by the 'Linux is secure, just don't run as root' type of mantra.

Most of the security is around the operating system and the separation of privileges between users etc ......  which is not applicable if my own single user account is compromised.

Yes, there are extra dangers from 'running as root' ......  but none of them are any more dangerous to my user data (that I can determine) than a low level breach of my account.

I do not hear this, or a similar, message being broadcast in relation to Linux. Certainly not anywhere near as much as 'Linux is secure'.

I believe it is a disservice to all single account Linux users ......  the majority of home users, I am led to believe.

+1

[menotu]

On the topic of scams/malware et al I spotted the following on Planet KDE
==================================================

laurent KDE, planetkde   2013-04-21

News in kdepim 4.11: Scam detection

A bug report signaled me that KMail didn’t have Scam detection.
So I decided to implement it.
The phishing used several method that KMail try to detect:

    some HTML email uses a title in href different from url ( for example : <a href=”http://phishing-website.fr/foo.html title=”http://mybank.com/”>hello it’s your bank [/url]
    url has a redirect url <a href=”http://mybank.com/?q=http://phishing-website.fr/foo.html>
    html mail has a form
    url uses directly IP

So when KMail detects it it shows a warning:



You can:

    Show details (what KMail detected)
    Move mail directly to trash (=> avoid to click on)
    Confirm that it’s not a scam, we don’t want that warning is show all the time because  Scan detection shows false positive
    Disable Scam detection for all.

You have details dialogbox too:



http://www.aegiap.eu/kdeblog/2013/04/news-in-kdepim-4-11-scam-detection/

[Tony]

I understand your concerns about a "single User account".
I read your thread; http://www.pclinuxos.com/forum/index.php/topic,73799.0.html
which is great as you are trying to get some feedback as to plugging Browser exploits, as a part of securing your 'User Account'. Personally, I find Firefox is a good and hugely supported Browser, security wise. How far you go is up to you. I use Adblock, with a subscription, I could use NoScript, but to get where I wanna go I generally have to turn it off, ... 

Oddly, if we were using Windows I could secure my User Account in a snap.

Linux, having a confidence that there are no threats out there, and you've (Just17) been pushing the envelope pretty hard to get some answers, spread the word about vulnerability of user data in the 'user account' have had generic replies of clear your cache, and cookies, don't visit sites that are known to be a risk, which are good advice, but maybe not enough, ...
Went looking online, ... just a start.
http://winhelp2002.mvps.org/hosts.htm

Although I do not use either Linux or a Mac, I often get requests for "How To" on that system, so here are a few resources:

*Block unwanted advertisements with /etc/hosts file on Linux
http://www.putorius.net/2012/01/block-unwanted-advertisements-on.html

Basically to secure your User Account you're gonna have to Drop the Rights of Files, Directories, so they can't be Read, or Written to, whilst online is my only suggestion, plus a good HOSTS file, play around with DNS, Set up a Firewall. We don't have 'Resident Protectection' as is provided by AntiVirus software in Linux, as far as I know.
Have you played with NMap ? See who might be peeping at you ? I dunno, ... I'm out of my league this being a Linux OS. Plus I'm done, but will watch with interest, Tinfoil hat firmly placed on my head.