The number one thing you can do to keep that computer secure is to ensure that the packages are updated regularly. I would enable fully automatic updates (https://help.ubuntu.com/community/AutomaticSecurityUpdates), as long as the potential for a burst of network use while connected to dodgy hotel WiFi isn't a severe problem.
After that, I think the only big problem is VNC. If VNC server is running constantly, it is probably the biggest potential security issue on the system (SSH is similar in scope but is considered to be more secure by default). If you need VNC installed and need it to be running all of the time, then there's probably nothing you can do about it -- it's either running or it's not, and there's not much you can do to secure a process that has control over input/output like VNC does. But if you don't need it to be on all the time, then just disable it. You can start it up manually via SSH if you need to.
As long as your packages are up to date, I wouldn't worry about web browsing, USB sticks, malware or SSH vulnerabilities. Linux desktops/notebooks are not a common target for them and Ubuntu is fairly well hardened by design. Even if you don't do anything special to secure against those vulnerabilities, an Ubuntu system will be less likely to be compromised than a Windows machine running even fairly good security software.
Skype is not necessarily secure, but it doesn't run with elevated privileges and there's not very much you can do to secure it given the state of the Skype linux version. Just be aware that Skype for Linux is not very stable or featureful and hasn't been worked on for a long time. That having been said, I use it for business purposes all the time and after I got used to its quirks it was adequate.
- Security of Deb and Other Files
You can find a .deb file for a package somewhere on the Internet. Then you can use dpkg -i package.deb
and install it. That's no better than picking up an install for Windows somewhere on the Internet. Don't do it unless you are absolutely sure of the source, and even then make sure you have all of the prerequisite packages already installed.
Deb files, safe or not, do follow a format with hashes, etc. so that they have to be rebuilt if they are changed.
Package (.deb files) in the Ubuntu repositores are generally built from source on Launchpad build computers so the contents of the .deb file matches the source, and the source can be viewed by anyone. Many packages have teams maintaining them who follow them and are on the lookout for security problems. New source package versions have to be signed properly by gpg keys using public key cryptography before they can be built.
There are now binary only packages available in the Ubuntu Software Center, so the public can't view the source of those. I don't know about these for sure, but I believe they are reviewed before they are made available.
You generally shouldn't install a package with dpkg -i package.deb
, but use apt-get or the software center instead, downloading from an Ubuntu repository. You should also avoid picking up any other kind of script that you can't look at and understand completely before you run it.
The multi-user system Unix-like systems do mean that if you make a mistake you can mess up your account and its files, but not the accounts and settings of other users that have been established on the same system, nor the operating system itself.
The exception is when you run a command with sudo
or have to enter a password to install a package or do other maintenance. These are the times to be very careful about the source of what you are doing. This is very similar to using UAC.
- Executable Files on Removable Media
As long as you are using due care, I don't think you need to maintain programs on removable media. Like Windows, most programs are installed as packages and therefore aren't runnable from removable media (although you could put an entire Ubuntu on a flash drive if you want).
As I mentioned above, .deb files use hashes for the files they include to see that they aren't altered by an attacker. Ubuntu repositories also have gpg keys stored on your system when you install Ubuntu, and there is a signature and chain of hashes followed down to the .deb files to keep things secure. Ubuntu is derived from Debian and that project created this approach.
There are things like autorun in Linux and other Unix-like systems. When you install packages those packages can cause programs to start at boot time, or when a user logs in to a terminal, or when a user logs into a GUI session. Most users have a (hidden by default) .bashrc file in their home directories that execute when a user logs in to a terminal.
The Ubuntu download web site not only has the .iso files for CD's and DVD's but also message digests (hashes) you can check to make sure the file you retrieved is authentic down to the bit.
Despite everything else, developers make mistakes and potential security problems can creep into software. Running supported versions of Ubuntu means that you will be offered security fixes for items in the main Ubuntu repositories, and often for items in the universe and other repositories. You should apply those fixes. Long-term-support releases like 12.04 (Precise) offer this service for a longer term than other releases of Ubuntu.
I can't personally guarantee that the precautions are perfect, but I think they are pretty good for the current state of the art.
Best Answer
‘ActiveX’ can be considered in two parts, the object model and the installation method. Firefox has something similar—and cross-platform compatible, Ubuntu or other—for both.
The object model of ActiveX is Microsoft COM; Firefox's equivalent is XPCOM. Many other Windows features and applications that are nothing to do with web browsing use MS COM, and there have traditionally been endless problems where COM controls that were not written for secure web usage were nonetheless available to web pages. This caused many compromises. Firefox is better off here as XPCOM is not shared with the rest of the system. Newer versions of IE have better controls for mitigating what sites are allowed to use what controls.
(As a side-issue, because many add-ons for Firefox are themselves written in JavaScript, a high-level scripting language, they are often more secure from buffer overflow and string handling errors than extensions for IE which are commonly written in C[++].)
The control-downloader part of ActiveX has also been cleaned up a bit since the bad old days when anything in the My Computer zone could install any software it liked, and aggressive loader scripts could trap you in an
alert
loop until you agreed to approve the ActiveX prompt. Firefox's equivalent, XPInstall, behaves largely similarly, with the ‘information bar’ on all but Mozilla's sites by default and a suitable warning/prompt before installation.There is another built-in way you can compromise yourself in Mozilla: signed scripts. I have never seen this actually used, and certainly there'll be another warning window appear before a script gains extra rights, but it kind of worries me that this is available to web pages at all.
Yes, the majority of web exploits today occur in plugins. Adobe Reader, Java(*) and QuickTime are the most popular/vulnerable. IMO: get rid of those, and use FlashBlock to only show Flash when you want it.
(*: and Java's dialogues before it lets you give up all security to some untrusted applet is a bit bare too.)
Ubuntu gives you some questionable plugins by default, in particular a media player plugin that will make every vulnerability in any of your media codecs exploitable through the web (similar to the Windows Media Player plugin, only potentially with many more formats). Whilst I have yet to meet an exploit targeting Linux like this, that's really only security through obscurity.
Note that ActiveX itself is no different. A web browser compromise based on ActiveX still only gives user-level access; it's only because prior to Vista everyone habitually ran everything as Administrator that this escalated to a full-on rooting.
Maybe, maybe not. But I think you'll find the damage some malware can do from even a normal user account is quite bad enough. Copy all your personal data, observe your keypresses, delete all your documents...