Difference between revisions of "Security Overview"

From Sudo Room
Jump to navigation Jump to search
(→‎Crypto: add some ssl links)
(→‎Fingerprinting: link to tor bug tracker)
 
(One intermediate revision by the same user not shown)
Line 66: Line 66:
*** microsoft, apple, google: all evil
*** microsoft, apple, google: all evil
*** hall of shame: skype, silverlight, flash are all evil
*** hall of shame: skype, silverlight, flash are all evil
*** http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
* defense in depth
* defense in depth
** antivirus
** antivirus
Line 183: Line 184:
* https://panopticlick.eff.org/
* https://panopticlick.eff.org/
* http://browserspy.dk
* http://browserspy.dk
* tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
* https reduces attack surface but does not solve
* https reduces attack surface but does not solve
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE

Latest revision as of 12:36, 17 December 2013

http://does-this-need-to-be-said.tumblr.com/

Social Engineering & Basic Stuff

Hardware

Endpoints

early security: mainframes, protecting users from each other

  • how a computer works
    • picture a vast table of index cards - that is memory, it is addressable
    • CPU instructions manipulate the index cards
    • I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
  • how an operating system works
    • kernel vs userspace - enforced by CPU
      • kernel runs on a CPU, has access to hardware
      • CPU time is expensive, so how to multitask?
      • kernel invents concept of "users", protects them from each other
      • if user figures out how to mess with the kernel, that's an escalation bug
      • userspace is often called a "shell"
      • trusted boot
    • super users
      • root on unix, admin on windows
      • privilege separation made windows XP unusable
      • android uses privilege separation - every app is its own user
      • getting super user is also an escalation bug
      • sometimes achieved by keyloggers
      • Xorg / linux desktop ships with its own keylogger (xev)
    • userspace apps are sandboxes
      • interact with images, html, javascript, emails
      • buffer overflows, bad code, bad runtime, bad languages
      • difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
      • if remote attacker can run code directly on your CPU, that's an execution bug
      • this is how the NSA defeated TBB: bug in firefox xml library
      • execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  • arms race: who wants to break in?
    • govts, spies
    • vandals, trolls, syrian electronic army
    • botnets: send spam, mine bitcoin, steal your identity
    • black market for pwnd computers, amazon accounts, etc
    • backdoors, CVEs, foxacid
    • because exploits are valuable, they use sparingly to avoid discovery
    • updates
      • always update!
      • package managers are the only way
      • app stores add complications: paywalls, "permission creep"
    • nonfree software
  • defense in depth
    • antivirus
      • helps slow mass infections
      • does not protect you personally
      • it's too late, wipe & restore
      • cannot remove all rootkits, kernel exploits, firmware worms
    • firewalls
      • reduce attack surface
      • prevents propagation, phoning home, so no payload for attacker
      • NAT is not security, ipv6 is coming, "internet of things" *shiver*

Developer Security

Disk Encryption

  • "rubber hose cryptanalysis" https://xkcd.com/538/
  • adds security at rest, but not while running
  • android makes this easy
  • your mugger probably won't dump the RAM, but cops can
  • always keep backups - data loss is DoS
  • deniability is very hard
    • much easier to avoid being a suspect
    • having TBB on your disk is a red flag, especially with particular extensions
    • ideal solution is steganography: hiding in plain sight

Networks

  • evil
  • ISPs spy on you
  • assume all cables are tapped, intercepted
  • routers & modems are vulnerable
  • NSA suppresses openwrt to keep them that way
  • closed hardware drivers are the other culprit - patents, binary blobs
    • some things need old kernels: more work for kernel devs
    • #1 reason some hardware needs dd-wrt, not openwrt
  • cell phones especially, even with cyanogenmod

Mesh

  • harder to wiretap individuals
  • but ideally should not be trusted either - end-to-end encryption
  • can do location analysis, enable stalkers (seattle)
  • mac address randomization: unsupported, not foolproof, easy to block

Tor, VPNs, Proxies

  • protect you from your own ISP/network hardware
  • provider or exit node still can spy on you
  • much VPN software/protocols are not audited
  • local traffic analysis & timestamps could give you less deniability
  • they can tell WHEN you are using tor/vpn
  • tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  • flash is evil: poor sandboxing, disrespects proxies

MITM

  • anyone controlling the pipes can do it
  • Tor can make this WORSE, not better, so router-level Tor is also bad

Crypto

Datamining

Cookies

  • ad networks: google, etc
  • analytics: google, etc
  • CDNs: google, amazon, akamai
  • social networks: facebook "like" button, twitter, etc
  • session cookies partially solves
    • but how long is your session?
    • what did you do in your session?
  • persistence - anything on disk: flash cookies, DOM objects, cache
  • deleting flash cookies deletes security settings. flash is evil!
  • disk encryption does not solve this - it is still a disk!
  • private / incognito mode partially solves, makes false promises
  • TAILS solves this - defense in depth

Fingerprinting

Other

  • referers
  • geolocation
  • URL shorteners: t.co, bit.ly
  • if you're not paying, you're the product