Difference between revisions of "Security Overview"
Jump to navigation
Jump to search
(giant brain dump) |
(update, partially consolidate) |
||
| Line 1: | Line 1: | ||
http://does-this-need-to-be-said.tumblr.com/ | http://does-this-need-to-be-said.tumblr.com/ | ||
=Social Engineering & Basic Stuff= | |||
* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/ | * doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/ | ||
* cultivate multiple identities, emails, usernames, etc | * cultivate multiple identities, emails, usernames, etc | ||
* be very wary of facebook, g+, social networks | |||
* always avoid using your legal name, address | |||
* avoid logging in on your phone, or entering your phone # | |||
* you can look up license plates | |||
* "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt | |||
=Hardware= | |||
* cameras, microphones, radios | * cameras, microphones, radios | ||
* facial recognition | * facial recognition | ||
| Line 12: | Line 18: | ||
* monitors leak radiation | * monitors leak radiation | ||
* tracking devices on cars - ride a bicycle, store it indoors | * tracking devices on cars - ride a bicycle, store it indoors | ||
* burner phones - prepaid, kept batteryless | |||
* tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html | |||
=Endpoints= | |||
* nonfree software (microsoft, apple, google: all evil) | * nonfree software (microsoft, apple, google: all evil) | ||
* security updates: package managers are the only way | * security updates: package managers are the only way | ||
* app stores add complications: paywalls, "permission creep" | * app stores add complications: paywalls, "permission creep" | ||
* how exploits work: backdoors, CVEs, black market, foxacid | * how exploits work: backdoors, CVEs, black market, foxacid | ||
* hall of shame: skype, silverlight, flash are all evil | * hall of shame: skype, silverlight, flash are all evil | ||
* | * how a computer works | ||
* | * picture a vast table of index cards - that is memory, it is addressable | ||
* | * CPU instructions manipulate the index cards | ||
* I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor) | |||
* how an operating system works | |||
* kernel vs userspace - enforced by CPU | |||
* kernel runs on a CPU, has access to hardware | |||
* CPU time is expensive, so how to multitask? | |||
* kernel invents concept of "users", protects them from each other | |||
* if user figures out how to mess with the kernel, that's an escalation bug | |||
* userspace is often called a "shell" | |||
* trusted boot | |||
* causing kernel escalation bugs to be taken more seriously | |||
* when combined with full-disk encryption, prevents "evil maid" | |||
* sometimes only trusts windows | |||
* attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/ | |||
* super users | |||
* root on unix, admin on windows | |||
* privilege separation made windows XP unusable | |||
* android uses privilege separation - every app is its own user | |||
* getting super user is also an escalation bug | |||
* sometimes achieved by keyloggers | |||
* Xorg / linux desktop ships with its own keylogger (xev) | |||
* userspace apps are sandboxes | |||
* interact with images, html, javascript, emails | |||
* buffer overflows, bad code, bad runtime, bad languages | |||
* if remote attacker can run code directly on your CPU, that's an execution bug | |||
* this is how the NSA defeated TBB: bug in firefox xml library | |||
* execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd | |||
* arms race: who wants to break in? | |||
* govts, spies | |||
* vandals - gnaa, syrian electronic army | |||
* botnets: send spam, mine bitcoin, steal your identity | |||
* black market for pwnd computers, amazon accounts, etc | |||
* because exploits are valuable, they use sparingly to avoid discovery | |||
* defense in depth | |||
* antivirus | |||
* helps slow mass infections | |||
* does not protect you personally | |||
* it's too late, wipe & restore | |||
* cannot remove all rootkits, kernel exploits, firmware worms | |||
* firewalls | |||
* reduce attack surface | |||
* prevents propagation, phoning home, so no payload for attacker | |||
* NAT is not security, ipv6 is coming, "internet of things" *shiver* | |||
* developer security | * developer security | ||
* source control (git) | * source control (git) | ||
| Line 37: | Line 81: | ||
disk encryption | disk encryption | ||
* "rubber hose" | * "rubber hose cryptanalysis" https://xkcd.com/538/ | ||
* adds security at rest, but not while running | * adds security at rest, but not while running | ||
* android makes this easy | |||
* your mugger probably won't dump the RAM, but cops can | * your mugger probably won't dump the RAM, but cops can | ||
* always keep backups - data loss is DoS | * always keep backups - data loss is DoS | ||
* deniability is very hard | |||
* steganography: hiding in plain sight | |||
=Networks= | |||
networks are evil | networks are evil | ||
| Line 74: | Line 119: | ||
* anyone controlling the pipes can do it | * anyone controlling the pipes can do it | ||
* Tor can make this WORSE, not better, so router-level Tor is also bad | * Tor can make this WORSE, not better, so router-level Tor is also bad | ||
=Crypto= | |||
* SSL | |||
* show example of site that sells SSL certs (namecheap.com) | |||
* show directory with certs your OS trusts | |||
* any of these orgs can impersonate any website | |||
* cert authorities don't solve mitm, just narrows down who can do it | |||
* US & UK govt: FLYING PIG? | |||
* french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/ | |||
* chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle | |||
* bootstrap problem | |||
* HSTS preloading | |||
* https://www.eff.org/https-everywhere | |||
* ipsec + dnssec + dane | |||
* metadata | |||
* even with SSL, they can see who you're talking to | |||
* traffic analysis, packet size gives away a lot: google maps tiles, for example | |||
* tor hidden services | |||
* the address is the certificate | |||
* solves the mitm problem | |||
* solves the metadata problem | |||
* solves the auth problem | |||
* are not user-friendly by today's standards | |||
* this is what securedrop uses | |||
* in the future we will all memorize hashes like phone #s | |||
* similarly: hashed.im | |||
* OTR approximates this | |||
* this means that access to truly random numbers is very important | |||
* specialized crypto hardware | |||
* PRNGs: android fail | |||
* freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/ | |||
=Datamining= | |||
cookies | cookies | ||
| Line 111: | Line 170: | ||
browser fingerprinting | browser fingerprinting | ||
* https://panopticlick.eff.org/ | |||
* http://browserspy.dk | |||
* https reduces attack surface but does not solve | * https reduces attack surface but does not solve | ||
* with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE | * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE | ||
* with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks | * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks | ||
* in active use at major sites | * in active use at major sites | ||
* http://homes.esat.kuleuven.be/~gacar/fpdetective/ | |||
* https://github.com/fpdetective/fpdetective/ | |||
* worst offenders: javascript, plugins, user agents | * worst offenders: javascript, plugins, user agents | ||
* TBB does its best, not perfect | * TBB does its best, not perfect | ||
Revision as of 11:42, 15 December 2013
http://does-this-need-to-be-said.tumblr.com/
Social Engineering & Basic Stuff
* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/ * cultivate multiple identities, emails, usernames, etc * be very wary of facebook, g+, social networks * always avoid using your legal name, address * avoid logging in on your phone, or entering your phone # * you can look up license plates * "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt
Hardware
* cameras, microphones, radios * facial recognition * evil chip manufacturers * keyloggers * monitors leak radiation * tracking devices on cars - ride a bicycle, store it indoors * burner phones - prepaid, kept batteryless * tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html
Endpoints
* nonfree software (microsoft, apple, google: all evil)
* security updates: package managers are the only way
* app stores add complications: paywalls, "permission creep"
* how exploits work: backdoors, CVEs, black market, foxacid
* hall of shame: skype, silverlight, flash are all evil
* how a computer works
* picture a vast table of index cards - that is memory, it is addressable
* CPU instructions manipulate the index cards
* I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
* how an operating system works
* kernel vs userspace - enforced by CPU
* kernel runs on a CPU, has access to hardware
* CPU time is expensive, so how to multitask?
* kernel invents concept of "users", protects them from each other
* if user figures out how to mess with the kernel, that's an escalation bug
* userspace is often called a "shell"
* trusted boot
* causing kernel escalation bugs to be taken more seriously
* when combined with full-disk encryption, prevents "evil maid"
* sometimes only trusts windows
* attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
* super users
* root on unix, admin on windows
* privilege separation made windows XP unusable
* android uses privilege separation - every app is its own user
* getting super user is also an escalation bug
* sometimes achieved by keyloggers
* Xorg / linux desktop ships with its own keylogger (xev)
* userspace apps are sandboxes
* interact with images, html, javascript, emails
* buffer overflows, bad code, bad runtime, bad languages
* if remote attacker can run code directly on your CPU, that's an execution bug
* this is how the NSA defeated TBB: bug in firefox xml library
* execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
* arms race: who wants to break in?
* govts, spies
* vandals - gnaa, syrian electronic army
* botnets: send spam, mine bitcoin, steal your identity
* black market for pwnd computers, amazon accounts, etc
* because exploits are valuable, they use sparingly to avoid discovery
* defense in depth
* antivirus
* helps slow mass infections
* does not protect you personally
* it's too late, wipe & restore
* cannot remove all rootkits, kernel exploits, firmware worms
* firewalls
* reduce attack surface
* prevents propagation, phoning home, so no payload for attacker
* NAT is not security, ipv6 is coming, "internet of things" *shiver*
* developer security
* source control (git)
* package signing
* opsec
* multiple compiler ecosystems (gcc, llvm/clang)
* deterministic builds are the future
* secret backdoors submitted openly (selinux?)
disk encryption
* "rubber hose cryptanalysis" https://xkcd.com/538/ * adds security at rest, but not while running * android makes this easy * your mugger probably won't dump the RAM, but cops can * always keep backups - data loss is DoS * deniability is very hard * steganography: hiding in plain sight
Networks
networks are evil
* ISPs spy on you * assume all cables are tapped, intercepted * routers & modems are vulnerable * NSA suppresses openwrt to keep them that way * closed hardware drivers are the other culprit - patents, binary blobs * some things need old kernels: more work for kernel devs * #1 reason some hardware needs dd-wrt, not openwrt * cell phones especially, even with cyanogenmod
mesh networks
* harder to wiretap individuals * but ideally should not be trusted either - end-to-end encryption * can do location analysis, enable stalkers (seattle) * mac address randomization: unsupported, not foolproof, easy to block
tor, vpns, proxies
* protect you from your own ISP/network hardware * provider or exit node still can spy on you * much VPN software/protocols are not audited * local traffic analysis & timestamps could give you less deniability * they can tell WHEN you are using tor/vpn * tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb) * flash is evil: poor sandboxing, disrespects proxies
mitm
* anyone controlling the pipes can do it * Tor can make this WORSE, not better, so router-level Tor is also bad
Crypto
- SSL
* show example of site that sells SSL certs (namecheap.com) * show directory with certs your OS trusts * any of these orgs can impersonate any website * cert authorities don't solve mitm, just narrows down who can do it
- US & UK govt: FLYING PIG?
* french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/ * chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
- bootstrap problem
* HSTS preloading * https://www.eff.org/https-everywhere * ipsec + dnssec + dane
- metadata
* even with SSL, they can see who you're talking to * traffic analysis, packet size gives away a lot: google maps tiles, for example
- tor hidden services
* the address is the certificate * solves the mitm problem * solves the metadata problem * solves the auth problem * are not user-friendly by today's standards * this is what securedrop uses
- in the future we will all memorize hashes like phone #s
* similarly: hashed.im * OTR approximates this * this means that access to truly random numbers is very important * specialized crypto hardware * PRNGs: android fail * freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
Datamining
cookies
* ad networks: google, etc * analytics: google, etc * CDNs: google, amazon, akamai * social networks: facebook "like" button, twitter, etc * session cookies partially solves * but how long is your session? * what did you do in your session? * persistence - anything on disk: flash cookies, DOM objects, cache * deleting flash cookies deletes security settings. flash is evil! * disk encryption does not solve this - it is still a disk! * private / incognito mode partially solves, makes false promises * bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs * TAILS solves this - defense in depth
browser fingerprinting
* https://panopticlick.eff.org/ * http://browserspy.dk * https reduces attack surface but does not solve * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks * in active use at major sites * http://homes.esat.kuleuven.be/~gacar/fpdetective/ * https://github.com/fpdetective/fpdetective/ * worst offenders: javascript, plugins, user agents * TBB does its best, not perfect * TAILS mostly solves - but webrtc * still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis
other datamining vectors
* referers * geolocation * URL shorteners: t.co, bit.ly * if you're not paying, you're the product