Difference between revisions of "Security Overview"

From Sudo Room
Jump to navigation Jump to search
(update, partially consolidate)
(→‎Fingerprinting: link to tor bug tracker)
 
(5 intermediate revisions by the same user not shown)
Line 2: Line 2:


=Social Engineering & Basic Stuff=
=Social Engineering & Basic Stuff=
 
* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
* cultivate multiple identities, emails, usernames, etc
* cultivate multiple identities, emails, usernames, etc
* be very wary of facebook, g+, social networks
* be very wary of facebook, g+, social networks
* always avoid using your legal name, address
* always avoid using your legal name, address
* avoid logging in on your phone, or entering your phone #
* avoid logging in on your phone, or entering your phone #
* you can look up license plates
* you can look up license plates
* "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt
* "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt


=Hardware=
=Hardware=
* cameras, microphones, radios
* cameras, microphones, radios
* facial recognition
* facial recognition
* evil chip manufacturers
* evil chip manufacturers
* keyloggers
* keyloggers
* monitors leak radiation
* monitors leak radiation
* tracking devices on cars - ride a bicycle, store it indoors
* tracking devices on cars - ride a bicycle, store it indoors
* burner phones - prepaid, kept batteryless
* burner phones - prepaid, kept batteryless
* tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html
* tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html


=Endpoints=
=Endpoints=
* nonfree software (microsoft, apple, google: all evil)
early security: mainframes, protecting users from each other
* security updates: package managers are the only way
* how a computer works
* app stores add complications: paywalls, "permission creep"
** picture a vast table of index cards - that is memory, it is addressable
* how exploits work: backdoors, CVEs, black market, foxacid
** CPU instructions manipulate the index cards
* hall of shame: skype, silverlight, flash are all evil
** I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
* how a computer works
* how an operating system works
  * picture a vast table of index cards - that is memory, it is addressable
** kernel vs userspace - enforced by CPU
  * CPU instructions manipulate the index cards
*** kernel runs on a CPU, has access to hardware
  * I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
*** CPU time is expensive, so how to multitask?
* how an operating system works
*** kernel invents concept of "users", protects them from each other
  * kernel vs userspace - enforced by CPU
*** if user figures out how to mess with the kernel, that's an escalation bug
    * kernel runs on a CPU, has access to hardware
*** userspace is often called a "shell"
    * CPU time is expensive, so how to multitask?
*** trusted boot
    * kernel invents concept of "users", protects them from each other
**** causing kernel escalation bugs to be taken more seriously
    * if user figures out how to mess with the kernel, that's an escalation bug
**** when combined with full-disk encryption, prevents "evil maid"
    * userspace is often called a "shell"
**** sometimes only trusts windows
    * trusted boot
**** attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
      * causing kernel escalation bugs to be taken more seriously
** super users
      * when combined with full-disk encryption, prevents "evil maid"
*** root on unix, admin on windows
      * sometimes only trusts windows
*** privilege separation made windows XP unusable
      * attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
*** android uses privilege separation - every app is its own user
  * super users
*** getting super user is also an escalation bug
    * root on unix, admin on windows
*** sometimes achieved by keyloggers
    * privilege separation made windows XP unusable
*** Xorg / linux desktop ships with its own keylogger (xev)
    * android uses privilege separation - every app is its own user
** userspace apps are sandboxes
    * getting super user is also an escalation bug
*** interact with images, html, javascript, emails
    * sometimes achieved by keyloggers
*** buffer overflows, bad code, bad runtime, bad languages
    * Xorg / linux desktop ships with its own keylogger (xev)
*** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
  * userspace apps are sandboxes
*** if remote attacker can run code directly on your CPU, that's an execution bug
    * interact with images, html, javascript, emails
*** this is how the NSA defeated TBB: bug in firefox xml library
    * buffer overflows, bad code, bad runtime, bad languages
*** execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
    * if remote attacker can run code directly on your CPU, that's an execution bug
* arms race: who wants to break in?
    * this is how the NSA defeated TBB: bug in firefox xml library
** govts, spies
    * execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
** vandals, trolls, syrian electronic army
* arms race: who wants to break in?
** botnets: send spam, mine bitcoin, steal your identity
    * govts, spies
** black market for pwnd computers, amazon accounts, etc
    * vandals - gnaa, syrian electronic army
** backdoors, CVEs, foxacid
    * botnets: send spam, mine bitcoin, steal your identity
** because exploits are valuable, they use sparingly to avoid discovery
    * black market for pwnd computers, amazon accounts, etc
** updates
    * because exploits are valuable, they use sparingly to avoid discovery
*** always update!
* defense in depth
*** package managers are the only way
  * antivirus
*** app stores add complications: paywalls, "permission creep"
    * helps slow mass infections
** nonfree software
    * does not protect you personally
*** microsoft, apple, google: all evil
    * it's too late, wipe & restore
*** hall of shame: skype, silverlight, flash are all evil
    * cannot remove all rootkits, kernel exploits, firmware worms
*** http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
  * firewalls
* defense in depth
    * reduce attack surface
** antivirus
    * prevents propagation, phoning home, so no payload for attacker
*** helps slow mass infections
    * NAT is not security, ipv6 is coming, "internet of things" *shiver*
*** does not protect you personally
* developer security
*** it's too late, wipe & restore
  * source control (git)
*** cannot remove all rootkits, kernel exploits, firmware worms
  * package signing
** firewalls
  * opsec
*** reduce attack surface
  * multiple compiler ecosystems (gcc, llvm/clang)
*** prevents propagation, phoning home, so no payload for attacker
  * deterministic builds are the future
*** NAT is not security, ipv6 is coming, "internet of things" *shiver*
  * secret backdoors submitted openly (selinux?)
 
==Developer Security==
* source control
** http://www.git-scm.com/about/info-assurance
** https://www.kernel.org/
** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg
* secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
* package signing, opsec
* deterministic builds are the future
** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
** https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
** multiple compiler ecosystems (gcc, llvm/clang)


disk encryption
==Disk Encryption==
* "rubber hose cryptanalysis" https://xkcd.com/538/
* "rubber hose cryptanalysis" https://xkcd.com/538/
* adds security at rest, but not while running
* adds security at rest, but not while running
* android makes this easy
* android makes this easy
* your mugger probably won't dump the RAM, but cops can
* your mugger probably won't dump the RAM, but cops can
* always keep backups - data loss is DoS
* always keep backups - data loss is DoS
* deniability is very hard
* deniability is very hard
* steganography: hiding in plain sight
** much easier to avoid being a suspect
** having TBB on your disk is a red flag, especially with particular extensions
** ideal solution is steganography: hiding in plain sight


=Networks=
=Networks=


networks are evil
* evil
* ISPs spy on you
* ISPs spy on you
* assume all cables are tapped, intercepted
* assume all cables are tapped, intercepted
* routers & modems are vulnerable
* routers & modems are vulnerable
* NSA suppresses openwrt to keep them that way
* NSA suppresses openwrt to keep them that way
* closed hardware drivers are the other culprit - patents, binary blobs
* closed hardware drivers are the other culprit - patents, binary blobs
  * some things need old kernels: more work for kernel devs
** some things need old kernels: more work for kernel devs
  * #1 reason some hardware needs dd-wrt, not openwrt
** #1 reason some hardware needs dd-wrt, not openwrt
* cell phones especially, even with cyanogenmod
* cell phones especially, even with cyanogenmod


mesh networks
==Mesh==
* harder to wiretap individuals
* harder to wiretap individuals
* but ideally should not be trusted either - end-to-end encryption
* but ideally should not be trusted either - end-to-end encryption
* can do location analysis, enable stalkers (seattle)
* can do location analysis, enable stalkers (seattle)
* mac address randomization: unsupported, not foolproof, easy to block
* mac address randomization: unsupported, not foolproof, easy to block


tor, vpns, proxies
==Tor, VPNs, Proxies==
* protect you from your own ISP/network hardware
* protect you from your own ISP/network hardware
* provider or exit node still can spy on you
* provider or exit node still can spy on you
* much VPN software/protocols are not audited
* much VPN software/protocols are not audited
* local traffic analysis & timestamps could give you less deniability
* local traffic analysis & timestamps could give you less deniability
* they can tell WHEN you are using tor/vpn
* they can tell WHEN you are using tor/vpn
* tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
* tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
* flash is evil: poor sandboxing, disrespects proxies
* flash is evil: poor sandboxing, disrespects proxies


mitm
==MITM==
* anyone controlling the pipes can do it
* anyone controlling the pipes can do it
* Tor can make this WORSE, not better, so router-level Tor is also bad
* Tor can make this WORSE, not better, so router-level Tor is also bad


=Crypto=
=Crypto=


* SSL
* SSL
  * show example of site that sells SSL certs (namecheap.com)
** example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx
  * show directory with certs your OS trusts
** example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/
  * any of these orgs can impersonate any website
** any of these orgs can impersonate any website
  * cert authorities don't solve mitm, just narrows down who can do it
** cert authorities don't solve mitm, just narrows down who can do it
* US & UK govt: FLYING PIG?
** US & UK govt: FLYING PIG?
  * french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/
*** french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/
  * chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
*** chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
* bootstrap problem
** bootstrap problem
  * HSTS preloading
*** HSTS preloading
  * https://www.eff.org/https-everywhere
*** https://www.eff.org/https-everywhere
  * ipsec + dnssec + dane
*** ipsec + dnssec + dane
* metadata
** metadata
  * even with SSL, they can see who you're talking to
*** even with SSL, they can see who you're talking to
  * traffic analysis, packet size gives away a lot: google maps tiles, for example
*** traffic analysis, packet size gives away a lot: google maps tiles, for example
* tor hidden services
* tor hidden services
  * the address is the certificate
** the address is the certificate
  * solves the mitm problem
** solves the mitm problem
  * solves the metadata problem
** solves the metadata problem
  * solves the auth problem
** solves the auth problem
  * are not user-friendly by today's standards
** are not user-friendly by today's standards
  * this is what securedrop uses
** this is what securedrop uses
* in the future we will all memorize hashes like phone #s
* in the future we will all memorize hashes like phone #s
  * similarly: hashed.im
** similarly: hashed.im
  * OTR approximates this
** OTR approximates this
  * this means that access to truly random numbers is very important
** this means that access to truly random numbers is very important
    * specialized crypto hardware
*** specialized crypto hardware
    * PRNGs: android fail
*** PRNGs: android fail
    * freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
*** freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/


=Datamining=
=Datamining=


cookies
==Cookies==
* ad networks: google, etc
* ad networks: google, etc
* analytics: google, etc
* analytics: google, etc
* CDNs: google, amazon, akamai
* CDNs: google, amazon, akamai
* social networks: facebook "like" button, twitter, etc
* social networks: facebook "like" button, twitter, etc
* session cookies partially solves
* session cookies partially solves
  * but how long is your session?
** but how long is your session?
  * what did you do in your session?
** what did you do in your session?
* persistence - anything on disk: flash cookies, DOM objects, cache
* persistence - anything on disk: flash cookies, DOM objects, cache
* deleting flash cookies deletes security settings. flash is evil!
* deleting flash cookies deletes security settings. flash is evil!
* disk encryption does not solve this - it is still a disk!
* disk encryption does not solve this - it is still a disk!
* private / incognito mode partially solves, makes false promises
* private / incognito mode partially solves, makes false promises
  * bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
** bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
* TAILS solves this - defense in depth
* TAILS solves this - defense in depth


browser fingerprinting
==Fingerprinting==
* https://panopticlick.eff.org/
* https://panopticlick.eff.org/
* http://browserspy.dk
* http://browserspy.dk
* https reduces attack surface but does not solve
* tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
  * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
* https reduces attack surface but does not solve
  * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
* in active use at major sites
** with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
  * http://homes.esat.kuleuven.be/~gacar/fpdetective/
* in active use at major sites
  * https://github.com/fpdetective/fpdetective/
** http://homes.esat.kuleuven.be/~gacar/fpdetective/
* worst offenders: javascript, plugins, user agents
** https://github.com/fpdetective/fpdetective/
* TBB does its best, not perfect
* worst offenders: javascript, plugins, user agents
* TAILS mostly solves - but webrtc
* TBB does its best, not perfect
* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis
* TAILS mostly solves - but webrtc
* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis


other datamining vectors
==Other==
* referers
* referers
* geolocation
* geolocation
* URL shorteners: t.co, bit.ly
* URL shorteners: t.co, bit.ly
* if you're not paying, you're the product
* if you're not paying, you're the product

Latest revision as of 12:36, 17 December 2013

http://does-this-need-to-be-said.tumblr.com/

Social Engineering & Basic Stuff

Hardware

Endpoints

early security: mainframes, protecting users from each other

  • how a computer works
    • picture a vast table of index cards - that is memory, it is addressable
    • CPU instructions manipulate the index cards
    • I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
  • how an operating system works
    • kernel vs userspace - enforced by CPU
      • kernel runs on a CPU, has access to hardware
      • CPU time is expensive, so how to multitask?
      • kernel invents concept of "users", protects them from each other
      • if user figures out how to mess with the kernel, that's an escalation bug
      • userspace is often called a "shell"
      • trusted boot
    • super users
      • root on unix, admin on windows
      • privilege separation made windows XP unusable
      • android uses privilege separation - every app is its own user
      • getting super user is also an escalation bug
      • sometimes achieved by keyloggers
      • Xorg / linux desktop ships with its own keylogger (xev)
    • userspace apps are sandboxes
      • interact with images, html, javascript, emails
      • buffer overflows, bad code, bad runtime, bad languages
      • difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
      • if remote attacker can run code directly on your CPU, that's an execution bug
      • this is how the NSA defeated TBB: bug in firefox xml library
      • execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  • arms race: who wants to break in?
    • govts, spies
    • vandals, trolls, syrian electronic army
    • botnets: send spam, mine bitcoin, steal your identity
    • black market for pwnd computers, amazon accounts, etc
    • backdoors, CVEs, foxacid
    • because exploits are valuable, they use sparingly to avoid discovery
    • updates
      • always update!
      • package managers are the only way
      • app stores add complications: paywalls, "permission creep"
    • nonfree software
  • defense in depth
    • antivirus
      • helps slow mass infections
      • does not protect you personally
      • it's too late, wipe & restore
      • cannot remove all rootkits, kernel exploits, firmware worms
    • firewalls
      • reduce attack surface
      • prevents propagation, phoning home, so no payload for attacker
      • NAT is not security, ipv6 is coming, "internet of things" *shiver*

Developer Security

Disk Encryption

  • "rubber hose cryptanalysis" https://xkcd.com/538/
  • adds security at rest, but not while running
  • android makes this easy
  • your mugger probably won't dump the RAM, but cops can
  • always keep backups - data loss is DoS
  • deniability is very hard
    • much easier to avoid being a suspect
    • having TBB on your disk is a red flag, especially with particular extensions
    • ideal solution is steganography: hiding in plain sight

Networks

  • evil
  • ISPs spy on you
  • assume all cables are tapped, intercepted
  • routers & modems are vulnerable
  • NSA suppresses openwrt to keep them that way
  • closed hardware drivers are the other culprit - patents, binary blobs
    • some things need old kernels: more work for kernel devs
    • #1 reason some hardware needs dd-wrt, not openwrt
  • cell phones especially, even with cyanogenmod

Mesh

  • harder to wiretap individuals
  • but ideally should not be trusted either - end-to-end encryption
  • can do location analysis, enable stalkers (seattle)
  • mac address randomization: unsupported, not foolproof, easy to block

Tor, VPNs, Proxies

  • protect you from your own ISP/network hardware
  • provider or exit node still can spy on you
  • much VPN software/protocols are not audited
  • local traffic analysis & timestamps could give you less deniability
  • they can tell WHEN you are using tor/vpn
  • tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  • flash is evil: poor sandboxing, disrespects proxies

MITM

  • anyone controlling the pipes can do it
  • Tor can make this WORSE, not better, so router-level Tor is also bad

Crypto

Datamining

Cookies

  • ad networks: google, etc
  • analytics: google, etc
  • CDNs: google, amazon, akamai
  • social networks: facebook "like" button, twitter, etc
  • session cookies partially solves
    • but how long is your session?
    • what did you do in your session?
  • persistence - anything on disk: flash cookies, DOM objects, cache
  • deleting flash cookies deletes security settings. flash is evil!
  • disk encryption does not solve this - it is still a disk!
  • private / incognito mode partially solves, makes false promises
  • TAILS solves this - defense in depth

Fingerprinting

Other

  • referers
  • geolocation
  • URL shorteners: t.co, bit.ly
  • if you're not paying, you're the product