1
00:00:00,480 --> 00:00:03,030
How you deal with security patching for Linux

2
00:00:03,080 --> 00:00:05,540
will depend on the distribution that you use.

3
00:00:05,870 --> 00:00:08,570
Now I recommend Debian as a general use

4
00:00:08,620 --> 00:00:11,059
operating system for those who care about

5
00:00:11,060 --> 00:00:13,490
security, privacy and anonymity.

6
00:00:13,770 --> 00:00:15,449
For security patching I'm going to talk

7
00:00:15,450 --> 00:00:18,090
about Debian and Debian based systems.

8
00:00:18,200 --> 00:00:19,549
If you look here, you can see

9
00:00:19,550 --> 00:00:22,250
all of the Debian derivatives here.

10
00:00:22,420 --> 00:00:25,109
A lot of these are operating systems

11
00:00:25,110 --> 00:00:26,639
that are important to security,

12
00:00:26,640 --> 00:00:30,170
such as Kali, Tails, Whonix etc.

13
00:00:31,010 --> 00:00:33,279
The Debian Project do an excellent job

14
00:00:33,280 --> 00:00:36,139
of providing security updates for Debian.

15
00:00:36,140 --> 00:00:39,599
Security is a priority for the Project

16
00:00:39,600 --> 00:00:41,050
and for the operating system.

17
00:00:41,260 --> 00:00:42,739
If you want to find the details

18
00:00:42,740 --> 00:00:45,460
of the security issues related to the patches,

19
00:00:45,540 --> 00:00:47,780
then have a look at the security update

20
00:00:47,840 --> 00:00:50,340
page that Debian provides, which is here.

21
00:00:50,580 --> 00:00:53,300
If we wander down to the bottom,

22
00:00:53,940 --> 00:00:56,120
we can see all of the updates.

23
00:00:56,240 --> 00:00:58,040
We can click on any of the updates

24
00:00:59,760 --> 00:01:02,380
and find out more information about that particular update.

25
00:01:03,030 --> 00:01:05,319
It can take us through to Mitre

26
00:01:05,320 --> 00:01:07,520
and we can find out more on the CVE.

27
00:01:11,040 --> 00:01:14,700
There's the details there, for the CVE.

28
00:01:15,490 --> 00:01:17,030
We can see more details here.

29
00:01:17,970 --> 00:01:20,699
And then we can follow the various sources

30
00:01:20,700 --> 00:01:22,640
for more information here as well,

31
00:01:23,160 --> 00:01:26,310
and potentially find even exploit code for it.

32
00:01:28,130 --> 00:01:30,359
So as they say, they handle all security problems

33
00:01:30,360 --> 00:01:31,500
brought to their attention

34
00:01:31,790 --> 00:01:33,739
and ensure that they are corrected

35
00:01:33,740 --> 00:01:35,540
within a reasonable time frame.

36
00:01:35,730 --> 00:01:36,310
They also say that

37
00:01:36,311 --> 00:01:37,999
many advisories are coordinated

38
00:01:38,000 --> 00:01:39,889
with other free software vendors,

39
00:01:39,890 --> 00:01:41,850
and are published the same day

40
00:01:41,920 --> 00:01:43,550
a vulnerability is made public.

41
00:01:43,690 --> 00:01:46,249
They also have an internal security

42
00:01:46,250 --> 00:01:48,760
audit team that reviews the archive

43
00:01:48,840 --> 00:01:52,000
looking for new or unfixed security bugs.

44
00:01:52,540 --> 00:01:54,600
They also believe in public disclosure

45
00:01:54,700 --> 00:01:56,500
and not security through obscurity,

46
00:01:56,620 --> 00:01:59,850
in order to find security vulnerabilities which is great.

47
00:01:59,980 --> 00:02:00,680
It's all good,

48
00:02:00,850 --> 00:02:03,249
which is the reason why I recommend Debian

49
00:02:03,250 --> 00:02:05,769
as the main go-to operating system

50
00:02:05,770 --> 00:02:07,880
for general use when it comes to

51
00:02:07,960 --> 00:02:10,060
security, privacy and anonymity.

52
00:02:10,800 --> 00:02:12,490
How do we update Debian?

53
00:02:14,600 --> 00:02:15,200
In Debian,

54
00:02:15,570 --> 00:02:18,940
DPKG is the main package manager.

55
00:02:19,120 --> 00:02:21,209
It's used to install, remove

56
00:02:21,210 --> 00:02:24,560
and provide information about .deb packages.

57
00:02:24,720 --> 00:02:27,540
This will be considered the lowest level tool

58
00:02:27,760 --> 00:02:31,440
that other tools rely on to install packages.

59
00:02:36,500 --> 00:02:38,579
So you'd issue a command, something like this.

60
00:02:38,580 --> 00:02:41,090
If you want to install a Debian package,

61
00:02:41,140 --> 00:02:42,890
file name .deb would need to be

62
00:02:42,960 --> 00:02:44,599
locally in your directory

63
00:02:44,600 --> 00:02:46,220
in order for you to install it there.

64
00:02:49,420 --> 00:02:51,819
There's also the advanced packaging tool

65
00:02:51,820 --> 00:02:53,300
which is APT.

66
00:02:53,360 --> 00:02:55,920
This is a command line front-end

67
00:02:56,070 --> 00:03:00,880
for DPKG, for .deb and rpm packages.

68
00:03:01,660 --> 00:03:03,519
An example of how you might use this

69
00:03:03,520 --> 00:03:05,290
in order to do an install would be:

70
00:03:10,110 --> 00:03:13,130
command here sudo apt-get install nmap.

71
00:03:13,210 --> 00:03:16,400
Sudo is so that we can run under administrative privileges.

72
00:03:16,540 --> 00:03:19,340
What this will do is this will install the nmap package

73
00:03:19,450 --> 00:03:21,560
if it exists in the repository.

74
00:03:25,070 --> 00:03:26,170
nmap's already installed

75
00:03:26,300 --> 00:03:27,860
so it's not installed the newer version.

76
00:03:28,090 --> 00:03:29,320
That was apt-get

77
00:03:29,390 --> 00:03:31,440
but there are other apt commands as well,

78
00:03:31,550 --> 00:03:33,100
which I'll be showing you in a second.

79
00:03:33,260 --> 00:03:36,400
We've shown DPKG, we've shown apt,

80
00:03:36,490 --> 00:03:38,250
and now we're going to show aptitude.

81
00:03:40,400 --> 00:03:42,860
Aptitude is a front-end

82
00:03:43,240 --> 00:03:44,829
for the advanced packaging tool.

83
00:03:44,830 --> 00:03:46,350
It's a front end for APT.

84
00:03:46,610 --> 00:03:47,780
Let me quit this.

85
00:03:52,900 --> 00:03:54,459
Very similar to apt-get,

86
00:03:54,460 --> 00:03:57,290
this will install the zenmap package

87
00:03:57,400 --> 00:03:59,790
if it's available within the repositories.

88
00:03:59,950 --> 00:04:02,310
We're going to talk about what repositories are in a second.

89
00:04:08,810 --> 00:04:10,020
That installs zenmap

90
00:04:10,100 --> 00:04:16,300
and that will then appear as an application.

91
00:04:17,900 --> 00:04:19,859
That's telling us that we can't do

92
00:04:19,860 --> 00:04:22,459
all the things that we might want to do in zenmap,

93
00:04:22,460 --> 00:04:23,859
unless we've got root privileges.

94
00:04:23,860 --> 00:04:25,399
There's the application zenmap

95
00:04:25,400 --> 00:04:27,980
that we've just downloaded and installed.

96
00:04:28,860 --> 00:04:31,040
Okay, but what about software updates,

97
00:04:31,200 --> 00:04:32,200
security updates?

98
00:04:37,140 --> 00:04:40,400
To upgrade the operating system and the applications,

99
00:04:40,480 --> 00:04:43,540
the commands that you will most often use are these:

100
00:04:43,900 --> 00:04:45,580
and it's apt-get update

101
00:04:45,700 --> 00:04:48,600
and it's apt-get dist-upgrade.

102
00:04:48,980 --> 00:04:49,980
Let's run that.

103
00:04:53,780 --> 00:04:54,980
The first thing it does

104
00:04:55,400 --> 00:04:57,540
is run the apt-get update

105
00:04:57,690 --> 00:05:00,000
and then it runs the dist-upgrade.

106
00:05:00,100 --> 00:05:02,540
In this case there's nothing for it to upgrade.

107
00:05:02,660 --> 00:05:04,129
If there was, it would simply

108
00:05:04,130 --> 00:05:05,930
download them and install them.

109
00:05:06,440 --> 00:05:08,980
Apt-get update first, let me explain that.

110
00:05:09,010 --> 00:05:10,810
This is used to synchronize

111
00:05:10,930 --> 00:05:14,410
the package index files from their source.

112
00:05:14,620 --> 00:05:17,059
The indexes of available packages

113
00:05:17,060 --> 00:05:25,480
are fetched from a location specified in this file here.

114
00:05:26,300 --> 00:05:29,760
These are the sources here and here.

115
00:05:32,130 --> 00:05:33,130
Here and here.

116
00:05:36,320 --> 00:05:37,320
Here and here.

117
00:05:39,050 --> 00:05:41,650
And these are not sources because they've been hashed out.

118
00:05:41,820 --> 00:05:43,270
That's actually the CD-ROM.

119
00:05:44,220 --> 00:05:45,550
If you had the CD-ROM,

120
00:05:45,700 --> 00:05:48,170
it could actually get the files from there as well.

121
00:05:48,300 --> 00:05:51,120
Apt-get update tells apt-get

122
00:05:51,220 --> 00:05:53,740
if there had been any package changes.

123
00:05:53,840 --> 00:05:56,120
An update must be performed first

124
00:05:56,480 --> 00:05:58,519
so that apt-get knows that

125
00:05:58,520 --> 00:06:01,120
new versions of packages are available

126
00:06:01,240 --> 00:06:04,600
before you run the apt-get dist-upgrade.

127
00:06:05,000 --> 00:06:07,060
Dist stands for distribution.

128
00:06:13,440 --> 00:06:15,719
It's also possible to run this command as well.

129
00:06:15,720 --> 00:06:17,640
We always need to run apt-get update,

130
00:06:17,990 --> 00:06:20,160
but we can run apt-get upgrade

131
00:06:20,540 --> 00:06:23,600
instead of apt-get dist-upgrade.

132
00:06:23,930 --> 00:06:25,056
Let's go through the difference

133
00:06:25,080 --> 00:06:27,480
between upgrade and dist-upgrade.

134
00:06:28,090 --> 00:06:30,840
Upgrade is used to actually install

135
00:06:31,170 --> 00:06:33,900
the newest versions of all packages

136
00:06:33,980 --> 00:06:35,920
currently installed on the system

137
00:06:36,190 --> 00:06:41,160
from the sources enumerated in here.

138
00:06:41,760 --> 00:06:43,330
Packages currently installed

139
00:06:43,580 --> 00:06:45,370
with new versions available

140
00:06:45,560 --> 00:06:47,740
are retrieved and upgraded.

141
00:06:47,900 --> 00:06:49,209
Under no circumstances

142
00:06:49,210 --> 00:06:51,450
are currently installed packages removed

143
00:06:51,650 --> 00:06:55,040
or packages not already installed, retrieved and installed.

144
00:06:55,240 --> 00:06:57,719
New versions of currently installed packages

145
00:06:57,720 --> 00:07:00,079
that cannot be upgraded without changing

146
00:07:00,080 --> 00:07:02,370
the install status of another package

147
00:07:02,500 --> 00:07:04,940
will be left at their current version.

148
00:07:05,690 --> 00:07:08,920
Now, dist-upgrade is slightly different.

149
00:07:09,000 --> 00:07:12,050
In addition to performing the function of upgrade,

150
00:07:12,180 --> 00:07:14,680
it also intelligently handles

151
00:07:14,800 --> 00:07:17,770
changing dependencies with new versions of packages.

152
00:07:17,940 --> 00:07:21,180
Apt-get has a small conflict resolution system

153
00:07:21,340 --> 00:07:24,900
and it will attempt to upgrade the most important packages

154
00:07:25,000 --> 00:07:28,290
at the expense of less important ones if necessary.

155
00:07:28,460 --> 00:07:32,220
Dist-upgrade command may remove some packages.

156
00:07:32,460 --> 00:07:34,779
And the sources.list file contains

157
00:07:34,780 --> 00:07:37,820
the list of locations from which to retrieve

158
00:07:37,960 --> 00:07:39,680
desired package files.

159
00:07:40,370 --> 00:07:41,879
Therefore, this is a good option

160
00:07:41,880 --> 00:07:45,740
for updating and upgrading your distribution

161
00:07:45,900 --> 00:07:47,649
and would be the command that I recommend

162
00:07:47,650 --> 00:07:49,130
for Debian and Kali.

163
00:07:50,370 --> 00:07:52,890
If you remember, we also mentioned aptitude.

164
00:07:53,290 --> 00:07:55,610
Aptitude can be used as well

165
00:07:55,810 --> 00:07:57,320
to upgrade and update,

166
00:07:57,440 --> 00:07:58,539
and you would just substitute

167
00:07:58,540 --> 00:08:01,120
the command aptitude with apt-get.

168
00:08:01,200 --> 00:08:04,220
This is the recommended way of doing it by Debian.

169
00:08:04,370 --> 00:08:06,090
I just prefer the apt-get

170
00:08:06,200 --> 00:08:08,499
way of doing it because I prefer the output,

171
00:08:08,500 --> 00:08:10,500
but this can also be used.

172
00:08:15,060 --> 00:08:17,010
There're also some GUI tools that you can use.

173
00:08:22,680 --> 00:08:26,879
Synaptic, which will need to be run

174
00:08:26,880 --> 00:08:29,070
as an administrator or root,

175
00:08:29,520 --> 00:08:31,980
has a GUI front-end for the package manager,

176
00:08:32,560 --> 00:08:33,759
you can see here for example

177
00:08:33,760 --> 00:08:37,230
the repositories that we mentioned before.

178
00:08:45,680 --> 00:08:48,320
Also Package Updater and Packages.

179
00:08:49,820 --> 00:08:51,240
You can see that's packages.

180
00:08:51,920 --> 00:08:55,160
You can look for things that are installed

181
00:08:55,550 --> 00:08:56,780
and things that are available.

182
00:09:04,440 --> 00:09:07,149
Package Updater will, as the name suggests,

183
00:09:07,150 --> 00:09:10,240
look for updates and enable you to install them.

184
00:09:12,010 --> 00:09:14,999
It is possible to set up automatic updates

185
00:09:15,000 --> 00:09:17,609
for Debian and automatic updates

186
00:09:17,610 --> 00:09:20,010
for security updates, specifically.

187
00:09:20,160 --> 00:09:22,719
There are a number of different methods you can use

188
00:09:22,720 --> 00:09:24,990
so it's really down to you, what you want to do.

189
00:09:25,310 --> 00:09:27,629
Check out this page if you want some more details

190
00:09:27,630 --> 00:09:30,510
on the various options on what it is you want to do.

191
00:09:31,020 --> 00:09:33,289
There's four main options:

192
00:09:33,290 --> 00:09:35,739
you can use the GNOME update manager,

193
00:09:35,740 --> 00:09:39,160
you can use the unattended upgrades package,

194
00:09:39,660 --> 00:09:41,850
you can write your own cron script

195
00:09:41,950 --> 00:09:44,350
that calls aptitude or apt-get,

196
00:09:45,040 --> 00:09:46,960
and you can use cron apt.

197
00:09:47,560 --> 00:09:50,920
You can see here this details the various methods.

198
00:09:51,400 --> 00:09:53,260
This is a method I tend to use

199
00:09:53,900 --> 00:09:55,770
and I can show you simply how I do that.

200
00:09:57,050 --> 00:10:00,650
First thing is, we need to install unattended upgrades.

201
00:10:07,960 --> 00:10:12,060
Then we want to edit the 10 periodic file.

202
00:10:12,140 --> 00:10:14,359
You can do that with your favorite text editor.

203
00:10:14,360 --> 00:10:15,690
I'm using gedit here.

204
00:10:17,280 --> 00:10:19,559
This is what you need to be in this file

205
00:10:19,560 --> 00:10:20,810
and then you need to save it.

206
00:10:21,050 --> 00:10:22,690
Let me show you these a little bit bigger.

207
00:10:26,570 --> 00:10:28,860
There you go, so that's what you need in that file.

208
00:10:30,620 --> 00:10:32,589
You also need to edit this file here,

209
00:10:32,590 --> 00:10:34,730
50 unattended upgrades.

210
00:10:38,190 --> 00:10:39,530
If I remove these here,

211
00:10:40,170 --> 00:10:43,710
this will automatically update the security updates.

212
00:10:43,900 --> 00:10:45,879
You can change some of these to update,

213
00:10:45,880 --> 00:10:48,279
some of the other options, but for here,

214
00:10:48,280 --> 00:10:50,520
I'm just showing you the security updates.

215
00:10:50,560 --> 00:10:53,550
You can make your own decision on the other updates.

216
00:10:53,660 --> 00:10:54,540
And if you save that,

217
00:10:54,541 --> 00:10:56,800
you should be good to go for automatic updates.