
Security Guide



About this Security Guide page

  • support status: stable
  • difficulty: medium
  • maintainer: Whonix team
  • support: Support

Basics

Motivation

You may skip this Motivation chapter.

If you need motivation to secure your computer, refer to these articles.

If that is too much to read, at least have a look at the graphics.

Operating System

Updates

Important: everything must stay current.

1. Update your package lists.

Check at least daily. Keep your host operating system updated, and update the package lists on both Whonix-Gateway and Whonix-Workstation.

sudo apt-get update

The output should look similar to this.

Hit http://security.debian.org jessie/updates Release.gpg                                                                                                    
Hit http://security.debian.org jessie/updates Release                                                                                                        
Hit http://deb.torproject.org jessie Release.gpg                           
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release                                             
Hit http://security.debian.org jessie/updates/contrib i386 Packages    
Hit http://ftp.us.debian.org jessie Release                           
Hit http://security.debian.org jessie/updates/non-free i386 Packages  
Hit http://deb.torproject.org jessie/main i386 Packages               
Hit http://security.debian.org jessie/updates/contrib Translation-en  
Hit http://ftp.us.debian.org jessie/main i386 Packages                
Hit http://security.debian.org jessie/updates/main Translation-en                        
Hit http://ftp.us.debian.org jessie/contrib i386 Packages                                
Hit http://security.debian.org jessie/updates/non-free Translation-en                    
Hit http://ftp.us.debian.org jessie/non-free i386 Packages                               
Ign http://ftp.us.debian.org jessie/contrib Translation-en              
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists... Done

If you instead see something like this.

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org jessie Release.gpg
  Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg
  Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg  Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg  Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg  Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

500  Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that will fix itself. Check that your network connection works, change your Tor circuit, then try again. Running whonixcheck may also help to diagnose the problem.

If you see a message such as

Could not resolve 'security.debian.org'

it sometimes helps to run

nslookup security.debian.org

and then try again.

2. Upgrade

sudo apt-get dist-upgrade

Please note that if you disabled the Whonix APT Repository (see Disable_Whonix_APT_Repository) you will have to check for new Whonix releases manually and install them from source code yourself.

3. Never install unsigned packages!

If you see something like this.

WARNING: The following packages cannot be authenticated!
  icedove
Install these packages without verification [y/N]?

Do not proceed! Press N and <enter>. Running apt-get update again should fix it. If not, either something is broken or it is a man-in-the-middle attack, which is not that unlikely: updates are fetched over Tor exit relays and some of them are malicious. Try changing your Tor circuit.

4. Signature verification warnings

There should be none at the moment. If there were such a warning, it would look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

In that case, be careful. apt-get automatically ignores repositories with expired keys or signatures, so nothing malicious gets installed, but you will also not receive upgrades from that repository. Unless the issue is already known/documented, it should be reported so it can be investigated further.

There are two possible reasons why this could happen: either there is an issue with the repository that its maintainers have to fix, or you are the victim of a man-in-the-middle attack. [1] The latter would not be a big issue [2] and might go away after a while by itself [3]; alternatively, try changing your Tor circuit.

In the past, various apt repositories were signed with an expired key. The documentation at that time read as follows.

The Tor Project's apt repository key had expired. You saw the following warning.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

It had already been reported. There was no immediate danger; you could simply ignore it. Just make sure that you never install unsigned packages, as explained above.

See also the more recent Whonix apt repository KEYEXPIRED error.

If you see other signature verification errors, report them; they should not happen at this time.

5. Changed Configuration Files

If you see something like the following.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful. If the updated file does not come from a Whonix-specific package (these are usually called whonix-...), press N; otherwise anonymity/privacy/security settings deployed by Whonix might get lost. If you are an advanced user and know better, you can of course inspect the differences (D) and merge them manually.

How can you tell whether the file comes from a Whonix-specific package?

  • Whonix-specific packages are usually called whonix-.... In the example above the line reads "Setting up ifupdown ...", so the file does not come from a Whonix-specific package. In this case press N, as advised above.
  • If the package name does include whonix-..., it is a Whonix-specific package. In that case your safest bet is pressing Y, but you will lose your customized settings; you can re-add them afterwards. Such conflicts should rarely happen if you use Whonix's modular .d-style configuration folders.

6. Restart Services after Upgrading

After upgrading, either (easy) reboot.

sudo reboot

Or (harder), if you want to avoid rebooting, use needrestart.

Do this once: install needrestart.

sudo apt-get update
sudo apt-get install needrestart

Run needrestart.

sudo needrestart

It will provide some advice.

Run it again after applying the advice.

sudo needrestart

If nothing else needs to be restarted, it should show.

No services need to be restarted.

This might become more usable and automated in future. (T324)

7. Restart after Kernel Upgrades

When linux-image-... was upgraded, a reboot is required: the old kernel keeps running until then, so you do not benefit from the security fixes before rebooting.
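As an added example (not Whonix project code), the following POSIX shell script wraps steps 1 to 7 above conservatively: it classifies the output of apt-get update using the messages quoted in this section, refuses to continue on any signature problem, tells apt to abort rather than install unauthenticated packages, keeps the currently installed version of modified configuration files (the N answer from step 5; conffiles of whonix-* packages still need a manual look) and reports whether the running kernel is older than the newest installed one. The sample apt outputs inside the script are constructed from the messages quoted above; the kernel check is a heuristic on /boot/vmlinuz-* file names, not something apt reports.

```shell
#!/bin/sh
# Added example, not Whonix project code. Functions are pure where possible so
# they can be exercised on the constructed samples below without any network.

# Classify `apt-get update` output read from stdin. Prints one word:
#   ok         every index was fetched ("Ign" lines for translations are normal)
#   dns        name resolution failed: check the network / Tor circuit, nslookup
#   fetch      transport failure (404, 500, unable to connect): retry later
#   signature  GPG error, KEYEXPIRED or unauthenticated packages: never bypass
# Return codes: ok=0 dns=1 fetch=2 signature=3.
classify_apt_output() {
    out=$(cat)
    # Signature trouble is checked first: it usually also produces
    # "Failed to fetch" lines and must win over the transient categories.
    if printf '%s\n' "$out" | grep -Eq 'GPG error|KEYEXPIRED|NO_PUBKEY|cannot be authenticated|signature verification'; then
        echo signature; return 3
    fi
    if printf '%s\n' "$out" | grep -q 'Could not resolve'; then
        echo dns; return 1
    fi
    if printf '%s\n' "$out" | grep -Eq '^(W|E): Failed to fetch|^Err(:[0-9]+)? |Unable to connect|index files failed'; then
        echo fetch; return 2
    fi
    echo ok; return 0
}

# Decide whether a reboot is needed after a kernel upgrade (step 7).
# $1 = running kernel release (uname -r); stdin = installed image paths such
# as /boot/vmlinuz-3.16.0-4-amd64. Heuristic: newest installed != running.
kernel_reboot_needed() {
    newest=$(sed 's|.*/vmlinuz-||' | sort -V | tail -n 1)
    [ -n "$newest" ] && [ "$newest" != "$1" ]
}

# The real procedure. Only runs when invoked as: sh update.sh run
run_update() {
    log=$(sudo apt-get update 2>&1); printf '%s\n' "$log"
    state=$(printf '%s\n' "$log" | classify_apt_output) || true
    case "$state" in
        ok) ;;
        signature) echo "Refusing to upgrade: signature problem. Report it unless already known." >&2; return 3 ;;
        dns)       echo "DNS failed: check connectivity, change Tor circuit, try nslookup, retry." >&2; return 1 ;;
        fetch)     echo "Fetch failed: probably a bad exit relay or server; change circuit, retry." >&2; return 2 ;;
    esac
    # With AllowUnauthenticated=false, -y makes apt abort instead of asking
    # whether to install unverified packages (step 3). --force-confold keeps
    # modified conffiles, i.e. the N answer from step 5.
    sudo apt-get -y \
        -o APT::Get::AllowUnauthenticated=false \
        -o Dpkg::Options::=--force-confold \
        dist-upgrade || return 4
    if ls /boot/vmlinuz-* 2>/dev/null | kernel_reboot_needed "$(uname -r)"; then
        echo "Kernel upgraded: reboot required (step 7)." >&2
    elif command -v needrestart >/dev/null 2>&1; then
        sudo needrestart   # step 6; otherwise simply reboot
    fi
}

# Constructed samples, modelled on the messages quoted in this guide.
SAMPLE_OK=$(cat <<'EOF'
Hit http://security.debian.org jessie/updates Release.gpg
Ign http://ftp.us.debian.org jessie/contrib Translation-en
Reading package lists... Done
EOF
)
SAMPLE_DNS=$(cat <<'EOF'
Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
)
SAMPLE_FETCH=$(cat <<'EOF'
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
)
SAMPLE_SIG=$(cat <<'EOF'
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release
EOF
)

if [ "${1:-}" = run ]; then
    run_update
fi
```

The classifier deliberately treats a signature problem as fatal even though apt itself only warns: apt keeps using the old index files, so nothing malicious is installed, but continuing silently would hide the fact that you are no longer receiving updates from that repository.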

Whonix-Gateway Security

General

Never use Whonix-Gateway for anything other than running Tor on it!

If Whonix-Gateway is compromised, the attacker obtains your identity (public IP), all destinations, and all clear-text communication over Tor (including hidden service communication, since Tor on the gateway is the endpoint that decrypts it).

If you feel you need to install any extra packages on the Gateway, please consult the developers first to ask whether that is really necessary/wise.

Warning: Bridged Networking

Do not change Whonix-Gateway's first or second network interface to bridged networking. This is untested and should not be necessary. If you feel it is necessary, please get in contact.

If you are interested, here is a discussion thread, and another one, with arguments about whether NAT or bridged networking is more secure.

Host Security

Basics

Please read the Computer Security Education page about Host Security.

Power Saving Considerations

On system suspend/standby the Full Disk Encryption keys remain in RAM; avoid leaving the machine in this state in a high-risk situation or on the go. Hibernating powers the machine off, so the keys are no longer in memory and all encrypted system partitions are locked again (provided the swap holding the hibernation image is itself encrypted); it is the recommended power mode even if there is a small trade-off in startup time.

On GNU/Linux hosts, it is not a given that standby means keeping the LUKS keys in memory. Some experimental projects [4] and custom setups with systemd plus scripting are able to erase the keys before suspend to avoid this mistake.

The network fingerprint of Tor on Whonix-Gateway is no different from a standard Tor instance on a host that has gone through standby. Some old connections go stale and need renewal, but nothing is seen by a network adversary, because time-leaking identifiers have been stripped out of Tor's protocol/OpenSSL and TCP timestamps are gone. The clock does have to be adjusted manually to be able to reconnect. Alternatively, an easy method is to power the VM off and on again. This will no longer be necessary once hypervisor-specific post-resume hooks are used, because guest clocks will then be updated seamlessly upon power state changes of the host.

Risks through hardware components

Assumption: an adversary managed to break out of Whonix-Workstation's virtual machine using an exploit.

Hardware components, whether built in or attached, such as CPU or HDD temperature sensors, microphones and cameras, introduce risks.

Whonix with Physical Isolation is affected:

  • The user's IP address is still safe, but the temperature sensors can be used for anonymity set reduction: different CPU or HDD models report different sensor data, which additionally varies with climate and weather. If you can, remove the sensors or obfuscate their readings.
  • Cameras and microphones can be covertly activated by the adversary. At least remove them (if external) or disable them in the BIOS if possible; better, cover them, or ideally remove them.

The default Whonix version is affected too, although it does not matter:

  • The same as above applies, but if the assumption holds, the adversary can already find out the user's real IP address.

Thanks to Robert Ransom for pointing out this issue.

Anonymous 3G modem

Normally your dial-up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad: suppose Tor or Whonix is compromised; an adversary just has to pressure your provider and can very easily find out your identity. With an anonymously acquired 3G modem this is not the case.

  • Non-physical-isolation users: either 1) plug it into or integrate it into the host as a replacement for the host's internet connection (easier), or 2) plug it into Whonix-Gateway and route only Whonix-Gateway's traffic through it, not the host's (undocumented, therefore harder).
  • Physical Isolation: same as 2) above (there is no host in that sense).
  • Buy the 3G modem anonymously (in a store, second hand, on the street, no personal data).
  • Be sure never to have used it for non-anonymous purposes before.
    • Because in many countries the telecommunication company logs the modem's serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Also be sure to buy the SIM card anonymously.
  • Prepaid is better.
  • Buy top-up codes in different stores, anonymously and in cash.
  • Be sure never to have used this anonymous SIM card with a non-anonymous phone or 3G modem.
    • For the same reason as above: the IMEI, SIM serial number and phone number are logged together at each network login.
    • Optionally, always connect from a fresh, distant, random spot that does not form a pattern (security vs. comfort).
    • Check for cameras and witnesses.
  • 3G users often get only a shared IP. Due to the scarcity of IPv4 addresses, thousands of users share the same external IPv4 address. Some providers do not yet log the users' (NAT) ports and consequently cannot identify a user given only an IP address and a timestamp. Nice to have, but do not rely on it! (Some providers additionally assign unique IPv6 addresses to their users. Tor does not use IPv6 yet.)

Anonymous WiFi adapter

Normally your dial-up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad: suppose Tor or Whonix is compromised; an adversary just has to pressure your provider and can very easily find out your identity. With an anonymously acquired WiFi adapter used on public hotspots this is not the case.

  • Plugged into or integrated into Whonix-Gateway.
  • Buy the WiFi adapter anonymously (in a store, second hand, on the street, no personal data).
  • Be sure never to have used it for non-anonymous purposes before.
    • Because a few providers or hotspot operators log the MAC address and the username (for paid hotspots) for each login.
  • Use only free hotspots, or pay for them anonymously (if that is possible; otherwise abstain from paid hotspots).
    • Optionally, always connect from a fresh, distant, random spot that does not form a pattern (security vs. comfort).
    • Check for cameras and witnesses.

Hardening

Whonix does not yet improve host security. You are advised to use a secure host operating system.

Mandatory Access Control

AppArmor

Check out Whonix's AppArmor profiles. They are not that difficult to use and a considerable security enhancement.

Seccomp

Consider enabling Tor's seccomp sandbox (Linux only).

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add the following line.

Sandbox 1

Save the file.
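Editing torrc by hand is easy to get wrong twice (a forgotten earlier Sandbox 0 line, or a duplicated option). As an added example that is not part of the Whonix documentation or tooling, this shell snippet sets the option idempotently in whatever torrc file you pass in, reads back the effective value, and, when the tor binary is available, asks tor itself to validate the file with tor --verify-config. The torrc content used in the demonstration is constructed, not a real Whonix-Gateway configuration.

```shell
#!/bin/sh
# Added example, not Whonix project code: idempotently set a torrc option.

# set_torrc_option FILE KEY VALUE
# Replaces an existing uncommented "KEY ..." line in place, or appends one,
# so running it twice never yields two Sandbox lines. Commented-out lines
# (#Sandbox 1) are left untouched.
set_torrc_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# torrc_option FILE KEY -> prints the value of the last uncommented KEY line
torrc_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# count_torrc_option FILE KEY -> number of uncommented KEY lines
count_torrc_option() {
    grep -Ec "^[[:space:]]*$2[[:space:]]" "$1"
}

# verify_torrc FILE: ask tor whether the file parses. Sandbox 1 is Linux-only,
# so an unsupported platform also shows up here. Skipped (returns 0) when tor
# is not installed, e.g. when preparing the file on another machine.
verify_torrc() {
    command -v tor >/dev/null 2>&1 || return 0
    tor --verify-config -f "$1" >/dev/null 2>&1
}

# Demonstration on a constructed torrc copy; prints the resulting Sandbox value.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample torrc (not a real Whonix-Gateway config)
SocksPort 9050
#Sandbox 1
Sandbox 0
EOF
    set_torrc_option "$tmp" Sandbox 1
    set_torrc_option "$tmp" Sandbox 1   # second run must be a no-op
    verify_torrc "$tmp" || echo "tor rejected the configuration" >&2
    torrc_option "$tmp" Sandbox
    rm -f "$tmp"
}
```

Usage on a gateway: set_torrc_option /etc/tor/torrc Sandbox 1, then verify_torrc /etc/tor/torrc before restarting Tor, so a typo does not leave the gateway without a working Tor.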

Firejail

https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment

Virtualization Platform

VirtualBox Hardening

For an overview of the security risks of VMs in general, see: How secure are Virtual Machines really?

The fewer features, the smaller the attack surface. Here are some suggestions for features you can remove without impacting core functionality:

  • Disable audio
  • Do not enable shared folders
  • Do not enable video acceleration
  • Do not enable 3D acceleration [5] [6]
  • Do not enable a serial port
  • Remove the floppy drive
  • Remove the CD/DVD drive
  • Do not attach USB devices
    • Disable the USB controller (enabled by default). This requires setting the Pointing Device to "PS/2 Mouse", otherwise the change reverts.
  • Do not enable the Remote Display server
  • Do not enable IO APIC, EFI? (questionable)
  • Enable PAE/NX? (NX is a security feature)
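The checklist above can be applied and audited from the command line instead of clicking through the GUI for every VM. The following is an added example, not Whonix project code; it assumes the VirtualBox 5.x/6.x VBoxManage modifyvm flags and the key="value" lines that VBoxManage showvminfo <vm> --machinereadable prints (the key names audio, accelerate3d, accelerate2dvideo, usb, vrde, uart1, SharedFolderNameMachineMapping<N> and the "emptydrive" storage value are taken from that output; other VirtualBox versions may name them differently). The audit is a pure function over that text, exercised below on constructed samples rather than a live VM.

```shell
#!/bin/sh
# Added example, not Whonix project code. Assumes VirtualBox 5.x/6.x syntax.

# audit_vm_settings: read `VBoxManage showvminfo VM --machinereadable` text on
# stdin and print one "FAIL ..." line per checklist item that is still enabled.
# Returns 1 if anything failed, 0 if the VM matches the checklist.
audit_vm_settings() {
    info=$(cat)
    rc=0
    # key=wanted-value pairs from the checklist above
    for want in audio=none accelerate3d=off accelerate2dvideo=off usb=off vrde=off uart1=off; do
        key=${want%%=*}; exp=${want#*=}
        got=$(printf '%s\n' "$info" | sed -n "s/^$key=\"\(.*\)\"$/\1/p" | head -n 1)
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key is '${got:-unset}', want '$exp'"; rc=1
        fi
    done
    # Shared folders are listed as SharedFolderNameMachineMapping<N>="name".
    if printf '%s\n' "$info" | grep -q '^SharedFolderNameMachineMapping'; then
        echo "FAIL shared folder(s) configured"; rc=1
    fi
    # A drive slot shows up as "<controller>-<port>-<device>"="emptydrive" when
    # an empty optical/floppy drive is attached, or with an .iso image path.
    if printf '%s\n' "$info" | grep -Eq '="emptydrive"$|\.iso"$'; then
        echo "FAIL CD/DVD or floppy drive still attached"; rc=1
    fi
    return $rc
}

# apply_hardening VMNAME: switch the features off for real (VM must be powered off).
apply_hardening() {
    VBoxManage modifyvm "$1" \
        --audio none --accelerate3d off --accelerate2dvideo off \
        --usb off --mouse ps2 --vrde off --uart1 off \
        --clipboard disabled --draganddrop disabled
    # Detaching a drive needs its controller/port/device from showvminfo, e.g.:
    # VBoxManage storageattach "$1" --storagectl IDE --port 1 --device 0 --medium none
}

# audit_vm VMNAME: run the audit against a live VM.
audit_vm() { VBoxManage showvminfo "$1" --machinereadable | audit_vm_settings; }

# Constructed samples (abbreviated showvminfo output, not from a real VM).
SAMPLE_DEFAULT_VM=$(cat <<'EOF'
name="Whonix-Workstation"
audio="pulse"
accelerate3d="on"
accelerate2dvideo="off"
usb="on"
vrde="off"
uart1="off"
"IDE-1-0"="emptydrive"
SharedFolderNameMachineMapping1="shared"
SharedFolderPathMachineMapping1="/home/user/shared"
EOF
)
SAMPLE_HARDENED_VM=$(cat <<'EOF'
name="Whonix-Workstation"
audio="none"
accelerate3d="off"
accelerate2dvideo="off"
usb="off"
vrde="off"
uart1="off"
"SATA-0-0"="/home/user/VirtualBox VMs/Whonix-Workstation/Whonix-Workstation-disk1.vmdk"
EOF
)
```

Running audit_vm against every Whonix VM after each VirtualBox upgrade catches settings that an upgrade or the GUI quietly re-enabled; the audit and the apply step are kept separate on purpose, since the latter changes a powered-off VM.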

Whonix-Workstation Security

Introduction

If this VM is compromised, all data it has access to, all credentials, browser data and passwords the user has entered can be compromised. The IP address is never leaked, but this information can still result in identity disclosure.

The best practice is to back up the VM and "roll back" after risky activity and whenever the user suspects the integrity of the system could have been compromised; see the recommendation to use multiple VM snapshots below.

The Whonix example implementation is currently based on Debian.

For Technical Design notes, see Dev/Operating System. For information on how to use other operating systems, see Other Operating Systems.

VM Snapshots

Apart from offering protection against hardware serial leaks, VMs have another great advantage: the ability to quickly discard and restore a system.

It is recommended that you keep a master copy of Whonix-Workstation, keep it updated and make regular "clean" snapshots, but do not edit any settings, install additional software or use it directly for any activity. Instead, make a clone or use snapshotting (but never mix up clean and unclean states!) for activities that require anonymity.

After importing the VMs, do a first run of the Whonix-Gateway and Whonix-Workstation virtual machines. Securely update them. After that, stop: do not browse anywhere or open any unauthenticated communication channel to the internet. Shut down the virtual machines and create snapshots of their clean state before browsing or initiating any connections with the outside world. Note: the only exception is running apt, which has a guaranteed way to securely download and verify packages.

Important information for VirtualBox users follows.

Warning to VirtualBox users: VirtualBox's VM snapshot feature is recommended against, because we experienced data loss with it. You are better off using clones, or see "Reliable Alternative To VirtualBox VM Snapshots" below.

Warning: VirtualBox's snapshot feature is not (highly) recommended as a reliable method for backing up virtual machines because of possible data loss, primarily in the form of corrupted virtual hard drives (VHD). Alternative methods are copy/paste, cloning and exporting/importing. While all these methods provide virtual machine (VM) backups, they make inefficient use of disk space and inherently require manual versioning. VirtualBox's snapshot feature is very useful when it works properly, particularly for interim snapshots of live running systems prior to installing new applications, but reverting can be very painful, and sometimes impossible, if a virtual hard drive file is corrupted.

Reliable Alternative To VirtualBox VM Snapshots: as an alternative to the methods mentioned above, Subversion (SVN) in particular is a very reliable tool with which to make backups of VM operating environments. It is akin to VirtualBox's snapshot feature in many respects but much more reliable and efficient. Those who have never used SVN should familiarize themselves with the tool's documentation (what it is and is not, and how it works) before making use of it. Numerous SVN clients are available for various platforms.

What is SVN? In a nutshell, SVN is a tool typically used by software developers for collaborative configuration management, version control and backup/restore of file sets developed by many people over an extended period of time.

Why SVN as opposed to CVS, Git, etc.? While most configuration management tools, including SVN, offer the same basic functionality of versioning, backing up and restoring changes to sets of files, SVN by design has no file size limitations. This means that when it is used to back up virtual hard drives, for example, SVN handles them reliably and efficiently regardless of how big or small the files are. See the section "Be patient with large files" (link). When versioning file sets, SVN employs atomic commits; by comparison, Concurrent Versions System (CVS) does not, and manual backup procedures are inherently not atomic. Additionally, SVN also handles sparse (dynamically allocated) virtual hard disk files (an option VirtualBox offers when creating new virtual disks).

From version to version, like VirtualBox's snapshot capability, SVN stores only the differences between files, both textual and binary. This means, for example, that if a 50 GB virtual hard drive was saved last week and has grown to 60 GB this week, SVN's repository will not necessarily grow by an additional 60 GB when a new backup is made this week; it depends on how much of the original file changed since the previous backup. SVN compares the newer file against the older one in its repository and only saves the differences, so the repository may grow by as little as 10 GB or so, making more efficient use of disk space.

VirtualBox's snapshot feature provides branching: one can revert to an earlier version of a VM and start a new branch/version from where one left off earlier. SVN provides similar branching capability.

NOTE: When using configuration management tools like SVN for backups and restores, a 50 GB file typically requires approximately 150 GB of disk space to manage that instance of the VM: 50 GB for the original source file, 50 GB in SVN's database repository, and another 50 GB for SVN's local working copy ['./.svn']. How is this more efficient? In that sense, it is not. However, when you consider SVN's functionality and reliability compared to the manual backup methods mentioned above, this overhead might be considered an investment.

In addition to backing up the Whonix-Gateway and Whonix-Workstation virtual hard drive files, it is also possible to back up the whole VirtualBox application together with Whonix for a completely restorable environment. Cloning is also possible, albeit that requires more advanced technical skills.

Typically, VirtualBox is an installable application as provided by VirtualBox.org. A portable version of VirtualBox is possible via a tool provided by VBox.me, which converts the VirtualBox installer into a portable application, thereby providing the option to move VMs to other computers via external USB hard drives and/or sticks. By creating virtual machines under the portable VirtualBox's '~/data/.VirtualBox/Machines' folder, it is possible to back up and restore via SVN not only Whonix but the specific VirtualBox instance as well, for complete portability. This encapsulates the entire Whonix operating environment under one parent folder rather than distributing it across various user and system folders.

Adding NAT adapter to Whonix-Workstation / Updates without Tor

Obviously, anonymity is compromised if you add another NAT network adapter to Whonix-Workstation, so clearly do not do that. If the workstation were infected, it could then leak. Therefore it is recommended to do updates over Tor: it is slow, but there are no leaks.

Adding Host-Only Networking adapter to Whonix-Workstation / SSH into Whonix-Workstation

One might wish to access Whonix-Workstation through SSH and therefore consider something dangerous: adding a second network adapter with Host-Only Networking. Dangerous! Do not add another network adapter! It is also potentially dangerous if any other VMs are running besides Whonix-Workstation. This would expose the MAC address of your host to Whonix-Workstation.

The warning about VMware's Host-Only networking may also apply to Whonix:

"If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network.

On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing."

  1. If you want to SSH or VNC into your Whonix-Workstation, your safest bet is to do it from another Whonix-Workstation. When using virtual machines, if they are within the same virtual LAN, they can see each other. When using Physical Isolation, if they are within the same LAN, they can see each other.
  2. Or you could run those services as Hidden Services and access them through another Whonix-Workstation...
  3. ...or from the host using the ordinary torification methods.
  4. Alternatively, you could SSH from the host into Whonix-Gateway (see File Transfer for instructions) and SSH from there into Whonix-Workstation.

In cases 3 and 4, you weaken the isolation between the host and Whonix-Workstation.

Installing additional software

See Install Software.

Updating with extra care

See How to install or update with most caution?.

Other Anonymizing Networks over Tor UDP Tunnel

If you are tunneling UDP over Tor to connect to other anonymizing networks, you must read this chapter; otherwise you can skip it.

Read first: Tor Plus VPN or Proxy and Whonix VPN disclaimer.

Be aware that because you need to install additional tunnel software (OpenVPN, etc.), an attacker could target it once exploits are found.

However, when you use secure tunnel software (for example OpenVPN, not PPTP), the Tor exit relay cannot read your communication with the VPN provider. It can only recognize an encrypted VPN connection to the VPN provider.

The VPN provider can find out, depending on the design of the other anonymizing network, that you are connecting to that network. The VPN provider will not know who you are, but can find out that someone is connecting over Tor.

The encryption of the tunnel software is not decisive, because the other anonymizing network most likely uses encryption itself. Consequently, neither the Tor exit relay nor the VPN provider will know the content of your other anonymizing network connection. The usefulness of the information the Tor exit relay and the VPN provider can gather is minimal.

As mentioned, the following applies: "Normally Tor switches frequently its path through the network. When you choose a permanent destination X, you give away this advantage, which may have serious repercussions for your anonymity."

It is recommended to use a dedicated virtual machine for this activity; see Multiple Whonix-Workstations.

Time Attacks

See Time Attacks.

Advanced Security Guide

For even more security, see the Advanced Security Guide.

Footnotes

  1. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF), Threat Model, Attacks and Weaknesses: https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md (archived copy: http://www.webcitation.org/6F7Io2ncN).
  2. No malicious packages get installed.
  3. Because you got a different, non-malicious Tor exit relay.
  4. https://github.com/jonasmalacofilho/ubuntu-luks-suspend
  5. Quote http://www.virtualbox.org/manual/ch04.html#guestadd-3d

    Untrusted guest systems should not be allowed to use VirtualBox's 3D acceleration features, just as untrusted host software should not be allowed to use 3D acceleration. Drivers for 3D hardware are generally too complex to be made properly secure and any software which is allowed to access them may be able to compromise the operating system running them. In addition, enabling 3D acceleration gives the guest direct access to a large body of additional program code in the VirtualBox host process which it might conceivably be able to use to crash the virtual machine.

  6. Quote https://hsmr.cc/palinopsia/

    If the "3D-Acceleration" feature of VirtualBox is activated, running the proof-of-concept code from inside the VM provides the ability to read framebuffers from the host system.

