Hardening Qubes-Whonix

Patrick · January 14, 2017, 9:44pm

Documentation on that question has just now been added here:
Advanced Security Guide - Whonix

adw · January 14, 2017, 11:11pm

Thanks! The feeling is mutual.

Thanks again! However, I should note that @marmarek pointed out a significant limitation of doing this manually:

The downside of such “manual” approach is the repository definitions are managed by some package, so if you modify it, you’ll need to apply further updates also manually.

Thanks, Patrick!

torjunkie · January 15, 2017, 12:19pm

I’ve added onionizing Qubes packages to the wiki based on Andrew’s steps. Awaiting reviewer sign-off.

Patrick · January 15, 2017, 12:43pm

Thanks!

Done.

torjunkie · January 15, 2017, 3:27pm

I’ve decided to go for a general checklist of the most important ‘hardening’ ideas as a wiki entry instead and mark some items as ‘Qubes-Whonix or non-Qubes-Whonix only’.

This fits better with the Security wiki and it’s nice to have a quick reference for users who don’t want to trawl the documents and discover various things they could (or should) have done, but missed.

See the suggested entry further below. If you’re happy with it, I’ll post it straight away.

Ideas I’ve discarded:

Running hardened alpha Tor Browsers if adventurous due to near-term (December) sandboxing opportunities;

→ Scrapped this idea, since we now know sandboxing works with any Tor Browser series.

following Qubes guideline for MAC spoofing

→ Scrapped this idea.

Although this is now easy using a Debian-9 template and the latest Network Manager (see updated Qubes docs), MAC spoofing is NOT recommended for home PCs or laptops from my reading e.g. TAILS docs, because it hurts your anonymity. So, this can’t be recommended unless one is using a laptop from various locations. Plus, MAC addresses are largely hidden, especially with use of VMs and Whonix.

Anyhow, based upon the lengthy discussions in this thread and input from various people, I think this entry is now suitable for the Security wiki:

#General Hardening Checklist

It is possible to significantly harden your platform and improve the chances of successful anonymous activity. This depends upon a user’s skill level, motivations and available hardware. This checklist is intended to provide a quick overview of some of the most important issues, categorized by difficulty level (easy, moderate and difficult).

Note: some of these recommendations are Qubes-Whonix or non-Qubes-Whonix specific; they have been marked accordingly.

###Easy

Blogging

To blog anonymously, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometry analysis and other covert channels. Surfing Posting Blogging - Whonix

Disabling/Minimizing Hardware Risks

In Qubes-Whonix, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required);
Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices; Computer Security Education - Whonix
Preferably detach or cover webcams unless they are in use; and Computer Security Education - Whonix
Avoiding using wireless devices, since they are insecure. Computer Security Education - Whonix

Mandatory Access Control

Enable all available apparmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs; and Security Guide - Whonix
Enable seccomp on the Whonix-Gateway AppVM. Security Guide - Whonix

Passwords and Logins (Qubes-Whonix Only)

Store all login credentials and passwords in an offline vault VM (preferably with KeypassX) and securely cut and paste into the Tor Browser; and
Copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.

Tor Browser Series and Settings

Consider using the ‘hardened’ Tor Browser series for additional ALSR memory protections;
Default search settings to the DuckDuckGo .onion hidden service;
Select ‘ClearClick’ protections in NoScript;
Run the Tor Browser Security Slider in the highest position;
Disable Javascript by default and only allow sparingly for trusted sites;
Use .onion hidden services where possible to stay within the Tor network; and
Follow all other Whonix recommendations for safe use of the Tor Browser. Tor Browser Essentials

VirtualBox (non-Qubes-Whonix Only)

Remove a host of VirtualBox features to reduce the attack surface; Security Guide - Whonix
Take regular ‘clean’ VM snapshots that are not used for any activities; and Security Guide - Whonix
Spoof the Initial Virtual Hardware Clock Offset. Advanced Security Guide - Whonix

Whonix Updates

Install newer Tor versions via jessie-proposed-updates. Whonix ™ APT Repository

###Moderate

Create a USB Qube (Qubes-Whonix only)

Prepare and utilize a USB qube to protect dom0 from malicious USB devices. Redirecting…

Networking (Qubes-Whonix Only)

Use the Debian-8 Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not ‘ping home’, unlike the Fedora Template. Meta-ticket: suggest/remove default applications in official templates · Issue #1781 · QubesOS/qubes-issues · GitHub Disable sys-net pings to fedoraproject.org

Newer Kernels (Qubes-Whonix Only)

Install newer kernels to benefit from additional protections (including grsec elements) being mainlined by the kernel hardening project. Redirecting…

Onionizing Repositories

Default the Debian, Whonix and Qubes package updates to Tor hidden service repositories. Security Guide - Whonix

Sandboxing

Use the alpha sandbox to restrict the Tor Browser; and Tor Browser Essentials
Use Firejail to restrict Firefox-ESR, VLC and other applications. Security Guide - Whonix

Secure Back-ups (Qubes-Whonix Only)

Store encrypted back-ups on a separate back-up disk that is already encrypted with LUKS. Improve qvm-backup key derivation/management · Issue #971 · QubesOS/qubes-issues · GitHub

Time Stamps (non-Qubes-Whonix only)

Disable ICMP and TCP timestamps on your host operating system. Computer Security Education - Whonix Computer Security Education - Whonix

###Difficult

Anti-Evil Maid (Qubes-Whonix only)

If you have a Trusted Platform Module, use AEM protection to attest that only desired (trusted) components have been loaded and executed during the system boot. Anti evil maid (AEM) | Qubes OS https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README

Chaining Anonymizing Tunnels

Avoid this course of action; the anonymity benefits are unproven and it may actually hurt your anonymity and security. Combining Tunnels with Tor

Disposable VMs (Qubes-Whonix Only)

Run all instances of the Tor Browser in a DispVM - preferably uncustomized to resist fingerprinting. Qubes Disposables

Email (Qubes-Whonix Only)

Use split-GPG for email to reduce the risk of key theft used for encryption/decryption and signing. Split GPG | Qubes OS

Grsec Templates

In Qubes-Whonix, use dom0, Debian, Fedora and Whonix grsec templates to provide significant kernel exploit protections; and Deprecated/grsecurity - Whonix
In non-Qubes-Whonix, install the latest Grsecurity kernel on your host or KVM Whonix guest. Deprecated/grsecurity - Whonix

Host Security (non-Qubes-Whonix Only)

Follow all Whonix recommendations to harden your host OS e.g. minimize the attack surface, utilize full-disk encryption, torify apt-get traffic, scan your firewall, and other measures. Advanced Security Guide - Whonix Advanced Security Guide - Whonix

anonymous1 · January 15, 2017, 5:59pm

new addresses are here deb.qubesos4rrrrz6n4.onion yum.qubesos4rrrrz6n4.onion ftp.qubesos4rrrrz6n4.onion

torjunkie · January 16, 2017, 4:32am

We could probably add an ‘expert’ category to this list… any others you’d care to add?

###Expert

Disable Intel ME Blobs

It is possible to partially deblob Intel’s (despicable) ME firmware image by removing unnecessary partitions from it (warning: high risk of bricking of your computer!). me_cleaner/me_cleaner.py at master · corna/me_cleaner · GitHub Neutralize ME firmware on SandyBridge and IvyBridge platforms

Flash the Router with Opensource Firmware

Flash the insecure, limited-utility, proprietary firmware on your router with a powerful open-source Linux alternative (warning: risk of bricking your router!). https://www.flashrouters.com/ddwrt-router-information https://www.flashrouters.com/ddwrt-router-information

Install Libreboot

Libreboot is a free, opensource BIOS or UEFI replacement (firmware) that initializes the hardware and starts the bootloader for your OS (warning: incompatible with newer architecture; risk of bricking your computer!). https://libreboot.org/

Patrick · January 16, 2017, 12:32pm

Looks fine overall! Please add!

A few nitpicks…

On home PCs MAC spoofing is without positive effect. But also without negative effect. (=“not useful”) Doing it for a home PC / notebook is most useful if spontaneous travel may happen. If that is excluded, indeed then it’s not useful.

It’s actually not so much about blogging. Any posting in any forum post anywhere applies as well. Also any chat / file send. So Surfing_Posting_Blogging really is an a name for that page that leaves room for improvement. The content is important, but page name, titles and presentation is leaves room for improvement.

As for subjects… If you are going to add Disposable VMs (Qubes-Whonix Only)… Perhaps make that just

Disposable VMs (as subject)
’’‘Qubes-Whonix Only’’’

Only reason for that: It’s because anchored links become ugly when using certain special characters such as ( ).

torjunkie · January 16, 2017, 4:10pm

The General Hardening checklist is awaiting reviewer sign-off.

OK, I think this thread is done

Time to revisit sandboxing Tor Browser in Qubes-Whonix and see if it now works with the Qubes kernel based on feedback you got recently. Then, that sandboxing wiki entry can be finalized.

Also, once coldhak releases the Fedora grsec kernel for Qubes in the next few weeks, the grsec wiki entries can be added to. I’ll probably have time to test if grsec works also in the Whonix templates using the default Debian template instructions, because I’m impatient and willing to smash a template or two.

Cheers

Patrick · January 17, 2017, 5:57am

Thank you!

One nitpick. What I find non-ideal is using external links (https...) rather than [internal links]. As well as using references for major points.

* Disable ICMP and TCP timestamps on your host operating system.<ref>https://www.whonix.org/wiki/Computer_Security_Education#Disable_TCP_Timestamps</ref> <ref>https://www.whonix.org/wiki/Computer_Security_Education#Disable_ICMP_Timestamps</ref>

Proposal.

* [[Computer_Security_Education#Disable_TCP_Timestamps|Disable ICMP timestamps]] and [[Computer_Security_Education#Disable_ICMP_Timestamps|disable TCP timestamps]] on your host operating system.

I envisioned to use footnotes for stuff that is less important for users.

To hide complexity from someone who just wants to absorb the information. To present the complexity in smaller steps.
More detailed technical reasoning why one or another thing is stated. This gives people who want to question/audit this information on why it was done. So they and we are spared from a lot questions. Also because it’s a lot stuff which is easily forgotten in a year from now.
To back up controversial / unpopular claims. For example under Windows Hosts we say:
This feature includes a kill switch that can allow Microsoft (or any one with an exploit for this mechanism) to delete programs on your machine without your consent.
For someone not into that topic it sounds outrageous and unbelievable this easily triggers a “conspiracy theorist bullshit” thought. Therefore we back it up with a reference to a PC magazine saying the same and going into details. The Windows 8 Kill Switch: A Hacker's Dream Come True | PCMag

What do you think?

torjunkie · January 17, 2017, 10:28am

No problem.

I was only using external links, because my knowledge of the wiki platform and editing is almost non-existent So, I can change all those to internal links easy enough.

Re: major points, do you want that stuff fleshed out in summary detail for each bullet point that is an external reference e.g. a paragraph or two or more? Is that the idea?

That fleshing out might make less sense for internal links, since we’d just be repeating ourselves with information already available in the wiki. But, if you think it improves readability, then I can paraphrase existing material in the wiki if you’d like.

I think almost all the points were footnoted/referenced, so not sure which claims are controversial there and not backed up. Which ones do you think - maybe the VPN hurts your anonymity claim? Others?

PS We have advice throughout the wiki to use strong and unique passwords, to change passwords and so on, but I don’t think any actual recommendation on how this is done properly. I think it belongs in the Security Guide somewhere.

My thinking is showing people how quickly password hashes under 12 characters can now be brute-forced, and people should be defaulting to Diceware passphrases of 6 or 7 random words in length, particularly for encryption/decryption, accounts and email signing.

This puts their passwords beyond bruteforce cracking by 3 letter agencies, until quantum computers are utilized in the future.

Patrick · January 17, 2017, 12:04pm

I didn’t mean to suggest that.

I also vary of duplication. Then we may be better of moving it rather than duplicating.

I haven’t made my mind up about that. If I hear an argument on what improves usability, by all means, I am listening.

Sorry, I was just speaking generally on how I envisioned footnotes to be used. Perhaps I should have made that a separate post. (Nothing controversial / not backed up in your edits.)

torjunkie · January 18, 2017, 6:35pm

OK - I understand you now.

I fixed up the General Hardening Checklist with internal references etc. I agree, it looks a lot nicer now.

Awaiting signoff.

I also added Diceware passphrases under the Passwords and Logins category to prevent the feasibility of successful brute-force attacks without quantum computers.

You know that research shows that 123456 is still one of the most popular passwords out there? LOL

torjunkie · January 18, 2017, 6:38pm

Thanks. Has already been added to the wiki entry.

Patrick · January 19, 2017, 7:37am

Tor onion instructions may require some changes.

should use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";:
https://phabricator.whonix.org/T6101

torjunkie · January 19, 2017, 10:33am

Fixed. changed to -> tor+http in various places in the security wiki.

I also added email provider suggestions to the relevant section under the hardening wiki entry, and noted that sandboxing Tor Browser in non-Qubes-Whonix is blocked due to Whonix 14 developer repository issues.

Patrick · January 21, 2017, 9:25pm

A post was split to a new topic: Should we recommend to avoid WiFi?

Patrick · January 24, 2017, 6:28pm

A post was merged into an existing topic: firejail / seccomp / More Options for Program Containment

bane_humeston · February 20, 2022, 5:46pm

I was wondering this as well. Any updates on this?

If I would make this change away from the standard would this mean my ‘fingerprint’ would become more unique, or a change list this wouldn’t matter?

Patrick · February 20, 2022, 6:34pm

I doubt there will be ever any updates unless contributed.

This is a Tor Browser issue and unspecific to Whonix. So nothing from Whonix required for contacting The Tor Project.