Advanced Browser Security with Firejail – A Hands On Guide

Advanced Browser Security

Many people believe that browser security is difficult. I created this guide as an overview of Firejail sandboxing technology. The goal is to show you that security can be simple and fun.

The video guide is structured as a hacking session. The victim is running a sandboxed browser. An imaginary zero-day exploit gives the attacker control of the sandbox in the form of a remote shell. Let’s see what damage we can do. And maybe, reconfigure the sandbox so the victim can survive the aftermath of such an attack.

Enjoy!

Advertisement

Securing Bind 9 with AppArmor and Firejail

Securing Bind 9 with AppArmor and Firejail

This is a small excerpt from a ISC Security Series webinar titled “Securing Bind 9 with AppArmor and Firejail”. ISC is a non-profit organization that develops several widely used open source software packages such as BIND 9, ISC DHCP, and Kea DHCP.

Firejail profile used in the video:

Continue reading →

Jolla/Sailfish OS 4.0.1 Koli is now available

There are many reasons to choose Sailfish OS over other mobile operating systems, but at Jolla we never forget that privacy and control are things our customers care deeply about. That’s because we care deeply about them too, and that’s why we’ve introduced Firejail app sandboxing into Sailfish OS 4 Koli.

When you first run an application, the Firejail app sandbox will make clear which permissions an application needs in order to run. A Firejailed app is prevented from accessing any of the functionality not granted on the list. Why is that important? We know Jolla developers are trustworthy, but there’s always the possibility someone will release an app containing rogue code, or with an accidental vulnerability for an attacker to exploit. If this happens, it’s reassuring to know the app is confined to minimise any harm it can do.

Some users may be concerned that this increasing security and privacy may impact the control you have over your own device. Rest assured this is not the case. With developer mode activated you’re still free to execute apps outside the sandbox if you prefer. In contrast to other mobile operating systems we want all Sailfish OS users to have full control of their devices, while ensuring malicious hackers don’t.

In the latest release many of the Jolla apps are sandboxed by default, but we’re not yet applying this to third party apps. Sandboxing prevents the use of boosters and QML pre-compilation, with a performance penalty we’re working to avoid. Restricting its use initially to a selected set of apps will give us the chance to iron out some of these kinks before we activate it for third party apps in a future release.

more

SafetyDetectives: 5 Best Antivirus Protection for Linux

After years of using Linux on my main computer, I got really tired of seeing how many low-quality Linux antivirus programs were floating around the internet. While Linux is much more secure than other operating systems, I kept finding vulnerabilities that I was struggling to patch.

One of the reasons for this is that there simply aren’t very many antivirus scanners for Linux. While malware is still an issue, Linux users don’t face the same risks as PC and Mac users, so we need to utilize other cybersecurity tools to harden our devices.

I spent a long time finding the best free Linux cybersecurity tools on the internet. After testing 29 different programs, I’ve come up with some rock-solid programs to help bulk up security on my Linux machine.

• ClamAV: Open-source freeware antivirus scanner with a GUI.
• Sophos: Free for one user, scan and remove malware, command line only.
• Firetools: Sandboxing software prevents malicious web scripts with a GUI.
• Rootkit Hunter: Behavior-based rootkit scanning, command line only.
• Qubes: A distro designed to keep your computer as secure as possible.

more… Also in French and Romanian

Parrot OS 4.9 Released!

Parrot is a worldwide community of developers and security specialists that work together to build a shared framework of tools to make their job easier, standardized and more reliable and secure.

Parrot OS, the flagship product of Parrot Security is a GNU/Linux distribution based on Debian and designed with Security and Privacy in mind. It includes a full portable laboratory for all kinds of cyber security operations, from pentesting to digital forensics and reverse engineering, but it also includes everything needed to develop your own software or keep your data secure.

more

Aaron Jones: Introduction To Firejail, AppArmor, and SELinux

FossMint: 15 Best Security Tools You Should Have on Linux

When talking about security many terms come to mind. Hacking, viruses, malware, data loss, etc. Here is our list of the 15 security tools you should be using on your Linux system.

1. Firejail

Firejail is a c-based community SUID project that minimizes security breaches by managing the access that applications using Linux namespaces and seccomp-bpf run.

Firejail can easily sandbox server, GUI apps, and login session processes and because it ships with several security profiles for different Linux programs including Mozilla Firefox, VLC, and transmission, it is simple to set up.

more

Parrot 3.10 is out

We are proud to announce the release of Parrot 3.10, the latest version of our security oriented GNU/Linux distribution.

The first big news is the introduction of a full firejail+apparmor sandboxing system to proactively protect the OS by isolating its components with the combination of different techniques. The first experiments were already introduced in Parrot 3.9 with the inclusion of firejail, but we took almost a month of hard work to make it even better with the improvement of many profiles, the introduction of the apparmor support and enough time to make all the tests.

more

OWN YOUR BITS: Sandbox your applications with Firejail

One thing I that like about the Android App security model is that for a given app, it presents the permissions to the user and the user has to accept them. This is good because the user has control over the software it runs, and is an invaluable tool to be able to use an App without granting it too much access without having to renounce to use it altogether.

Fortunately, the Linux world is a much more friendly environment in terms of malicious software. A big reason for this, is the fact that software is audited and curated by distro package maintainers. I recommend this interesting post on the subject.

Even the best written software can contain vulnerabilities that can be exploited. With the advent of container technologies, such as docker, flatpak or LXC, many have suggested to use them to isolate software from the rest of the system and in doing so mitigate the harm of possible breaches.

By sandboxing software this way, you get some more control over what it is capable of doing, effectively getting closer to the Android security model.

more

Beebom – How to Sandbox Non-trusted Apps in Linux Systems

Restricted home directory in Google Chrome

Sometimes we have to run an application that we do not trust, but we are afraid that it might look at or delete our personal data, since even though Linux systems are less prone to malware, they are not completely immune. Maybe you want to access a shady-sounding website. Or perhaps you need to access your bank account, or any other site dealing with sensitive private information. You might trust the website, but do not trust the add-ons or extensions installed in your browser.

In each of the above cases, sandboxing is useful. The idea is to restrict the non-trusted application in an isolated container -a sandbox– so that it does not have access to our personal data, or the other applications on our system. While there is a software called Sandboxie that does what we need, it is only available for Microsoft Windows. But Linux users need not worry, since we have Firejail for the job. more…