Security Overview
Revision as of 13:36, 17 December 2013 by Yar (talk | contribs) (→Fingerprinting: link to tor bug tracker)
Social Engineering & Basic Stuff
- doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
- cultivate multiple identities, emails, usernames, etc
- be very wary of facebook, g+, social networks
- always avoid using your legal name, address
- avoid logging in on your phone, or entering your phone #
- license plates can be looked up
- "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt
Hardware
- cameras, microphones, radios
- facial recognition
- evil chip manufacturers
- keyloggers
- monitors leak radiation
- tracking devices on cars - ride a bicycle, store it indoors
- burner phones - prepaid, kept batteryless
- tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html
Endpoints
early security: mainframes, protecting users from each other
- how a computer works
  - picture a vast table of index cards - that is memory, it is addressable
  - CPU instructions manipulate the index cards
  - I/O devices all have addresses you read from/write to (registers, ram, disk, net, keyboard, mouse, monitor)
- how an operating system works
  - kernel vs userspace - enforced by CPU
  - kernel runs on a CPU, has access to hardware
  - CPU time is expensive, so how to multitask?
  - kernel invents concept of "users", protects them from each other
  - if a user figures out how to mess with the kernel, that's an escalation bug
  - userspace is often called a "shell"
- trusted boot
  - causes kernel escalation bugs to be taken more seriously
  - when combined with full-disk encryption, prevents "evil maid"
  - sometimes only trusts windows
  - attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
- super users
  - root on unix, admin on windows
  - privilege separation made windows XP unusable
  - android uses privilege separation - every app is its own user
  - getting super user is also an escalation bug
    - sometimes achieved by keyloggers
    - Xorg / linux desktop ships with its own keylogger (xev)
- userspace apps are sandboxes
  - interact with images, html, javascript, emails
  - buffer overflows, bad code, bad runtime, bad languages
  - difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
  - if a remote attacker can run code directly on your CPU, that's an execution bug
    - this is how the NSA defeated TBB: bug in firefox xml library
  - execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
- arms race: who wants to break in?
  - govts, spies
  - vandals, trolls, syrian electronic army
  - botnets: send spam, mine bitcoin, steal your identity
  - black market for pwnd computers, amazon accounts, etc
  - backdoors, CVEs, foxacid
    - because exploits are valuable, they are used sparingly to avoid discovery
- updates
  - always update!
  - package managers are the only way
  - app stores add complications: paywalls, "permission creep"
  - nonfree software
    - microsoft, apple, google: all evil
    - hall of shame: skype, silverlight, flash are all evil
    - http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
- defense in depth
  - antivirus
    - helps slow mass infections
    - does not protect you personally
    - by the time it fires, it's already too late: wipe & restore
    - cannot remove all rootkits, kernel exploits, firmware worms
  - firewalls
    - reduce attack surface
    - prevent propagation, phoning home, so no payload for attacker
    - NAT is not security, ipv6 is coming, "internet of things" *shiver*
Developer Security
- source control
  - secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
- package signing, opsec
- deterministic builds are the future
  - https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
  - https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
- multiple compiler ecosystems (gcc, llvm/clang)
Disk Encryption
- "rubber hose cryptanalysis" https://xkcd.com/538/
- adds security at rest, but not while running
  - your mugger probably won't dump the RAM, but cops can
- android makes this easy
- always keep backups - data loss is DoS
- deniability is very hard
  - much easier to avoid being a suspect
  - having TBB on your disk is a red flag, especially with particular extensions
  - ideal solution is steganography: hiding in plain sight
Networks
- evil
- ISPs spy on you
- assume all cables are tapped, intercepted
- routers & modems are vulnerable
  - NSA suppresses openwrt to keep them that way
  - closed hardware drivers are the other culprit - patents, binary blobs
    - some things need old kernels: more work for kernel devs
    - #1 reason some hardware needs dd-wrt, not openwrt
    - cell phones especially, even with cyanogenmod
Mesh
- harder to wiretap individuals
- but ideally should not be trusted either - end-to-end encryption
- can do location analysis, enable stalkers (seattle)
- mac address randomization: unsupported, not foolproof, easy to block
Tor, VPNs, Proxies
- protect you from your own ISP/network hardware
  - provider or exit node still can spy on you
- much VPN software (and many VPN protocols) is not audited
- local traffic analysis & timestamps could give you less deniability
  - they can tell WHEN you are using tor/vpn
- tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  - flash is evil: poor sandboxing, disrespects proxies
MITM
- anyone controlling the pipes can do it
- Tor can make this WORSE, not better, so router-level Tor is also bad
Crypto
- SSL
  - example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx
  - example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/
  - any of these orgs can impersonate any website
  - cert authorities don't solve mitm, they just narrow down who can do it
    - US & UK govt: FLYING PIG?
  - bootstrap problem
    - HSTS preloading
    - https://www.eff.org/https-everywhere
    - ipsec + dnssec + dane
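The bootstrap problem in code. This is an added example for this page, not code from any browser, from Mozilla, or from the page's author: a small HSTS policy store that shows why a policy learned from a `Strict-Transport-Security` header only helps after one clean https visit, and why a preload list is the only way to protect the very first connection. Host names, header values and the "preload list" are constructed stand-ins.

```python
"""HSTS policy store: when may a browser still speak plain http?

Added example; not a browser's code.  Host names and header values are
constructed, and PRELOADED stands in for the list browsers actually ship.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the built-in preload list: host -> includeSubDomains.
# Preloaded hosts are known before the first connection, which is the only
# way around the bootstrap problem handled in note_response().
PRELOADED = {"preloaded.example": True}


class HstsStore:
    def __init__(self, preload=PRELOADED, now=time.time):
        self.now = now
        self.preload = dict(preload)   # static, never expires
        self.dynamic = {}              # host -> (expiry_epoch, include_subdomains)

    def note_response(self, host, headers, over_https):
        """Learn a Strict-Transport-Security policy from a response.

        RFC 6797 requires the header to be ignored unless it arrived over a
        secure, certificate-valid connection.  That is the bootstrap problem:
        a first visit over http teaches the browser nothing, and anyone on
        that first connection can simply strip the header.
        Returns True if a policy was stored or withdrawn.
        """
        if not over_https:
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        sts = lowered.get("strict-transport-security")
        if sts is None:
            return False
        max_age, include_sub = None, False
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False          # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self.dynamic[host] = (self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            policy = self.dynamic.get(candidate)
            if policy and policy[0] > self.now() and (exact or policy[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; everything else passes through."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

The `now` parameter is injected so expiry can be tested without waiting; a real store would also persist `dynamic` to disk, which is itself a small tracking vector (an HSTS entry is a bit of state the site chose), a point the cookies section below touches on.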
- metadata
  - even with SSL, they can see who you're talking to
  - traffic analysis, packet size gives away a lot: google maps tiles, for example
- tor hidden services
  - the address is the certificate
    - solves the mitm problem
    - solves the metadata problem
    - solves the auth problem
  - are not user-friendly by today's standards
  - this is what securedrop uses
  - in the future we will all memorize hashes like phone #s
    - similarly: hashed.im
    - OTR approximates this
- this means that access to truly random numbers is very important
  - specialized crypto hardware
  - PRNGs: android fail
  - freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
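"The address is the certificate" and "truly random numbers are very important" are two halves of one idea, so one added example covers both. This is not Tor's code, not hashed.im's, and not the page author's: the address format (ten bytes of SHA-256, base32) is a simplified illustration rather than Tor's real onion encoding, and the "public keys" are plain byte strings standing in for real key material. It shows how a client holding only the name detects a substituted key, and how a predictably seeded generator makes two "independent" services share one identity.

```python
"""Self-certifying addresses, and why they depend on good randomness.

Added example; the encoding is simplified and the keys are constructed bytes.
"""
import base64
import hashlib
import hmac
import os
import random

ADDRESS_BYTES = 10  # keep 80 bits of the digest: short enough to "memorize like a phone #"


def address_for(pubkey: bytes) -> str:
    """Derive the name from the key.  Whoever knows the name can check any key
    offered to them against it, so no certificate authority is involved."""
    digest = hashlib.sha256(pubkey).digest()[:ADDRESS_BYTES]
    return base64.b32encode(digest).decode("ascii").lower() + ".example"


def key_matches_address(address: str, presented_pubkey: bytes) -> bool:
    """The MITM check: a key swapped in transit cannot hash to the address the
    user already holds, so the substitution is detected at the client."""
    return hmac.compare_digest(address_for(presented_pubkey), address)


def weak_keygen(seed: int, nbytes: int = 32) -> bytes:
    """Stand-in for key generation from a PRNG seeded with too little entropy.
    Same seed, same 'key', same address: anyone who can reproduce the seed
    can reproduce the identity."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_keygen(nbytes: int = 32) -> bytes:
    """Key material from the operating system's CSPRNG (os.urandom)."""
    return os.urandom(nbytes)


def distinct_identities(keys) -> int:
    """Count distinct addresses among generated keys; fewer than len(keys)
    means two supposedly independent services ended up with one identity."""
    return len({address_for(k) for k in keys})
```

The shape is the whole point: with a CA-based name the client has to trust a third party to bind name to key; with a self-certifying name the binding is a hash the client recomputes itself, which is why the scheme only works if key generation is unpredictable.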
Datamining
Cookies
- ad networks: google, etc
- analytics: google, etc
- CDNs: google, amazon, akamai
- social networks: facebook "like" button, twitter, etc
- session cookies partially solve this
  - but how long is your session?
  - what did you do in your session?
- persistence - anything on disk: flash cookies, DOM objects, cache
  - deleting flash cookies deletes security settings. flash is evil!
  - disk encryption does not solve this - it is still a disk!
- private / incognito mode partially solves, makes false promises
  - bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
- TAILS solves this - defense in depth
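The session-vs-persistent and first-vs-third-party distinctions above, as an added example (not code from any browser or from the page author). It parses constructed `Set-Cookie` lines with the standard library and flags the combination that does the tracking: a cookie that outlives the session and was set by a different site than the page (ad network, analytics, CDN, like button). "Site" is approximated as the last two DNS labels, a stand-in for a real public-suffix lookup.

```python
"""Classify Set-Cookie headers: session vs persistent, first vs third party.

Added example; URLs and header lines are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def site_of(host: str) -> str:
    """Approximate the registrable domain (no public suffix list here)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify_set_cookie(page_url: str, response_url: str, set_cookie: str) -> list:
    """Return one record per cookie in the header.

    persistent: has Max-Age or Expires, so it survives the browser session and
    lives on disk (disk encryption does not change that).
    third_party: set by a response from a different site than the page.
    """
    page_site = site_of(urlsplit(page_url).hostname or "")
    resp_site = site_of(urlsplit(response_url).hostname or "")
    jar = SimpleCookie()
    jar.load(set_cookie)
    records = []
    for name, morsel in jar.items():
        max_age = morsel["max-age"]
        expires = morsel["expires"]
        records.append({
            "name": name,
            "persistent": bool(max_age) or bool(expires),
            "lifetime_seconds": int(max_age) if max_age else None,  # None: unknown or session
            "third_party": resp_site != page_site,
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return records


def tracking_cookies(records) -> list:
    """The combination worth blocking: persistent and third-party."""
    return [r["name"] for r in records if r["persistent"] and r["third_party"]]
```

A first-party session cookie for a login is the benign case; a year-long third-party cookie from an ad host is the one the page means by "you're the product". Flash cookies and DOM storage never pass through this header at all, which is the page's point about "anything on disk".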
Fingerprinting
- https://panopticlick.eff.org/
- http://browserspy.dk
- tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
- https reduces attack surface but does not solve it
  - with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
  - with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
- in active use at major sites
- worst offenders: javascript, plugins, user agents
- TBB does its best, not perfect
- TAILS mostly solves - but webrtc
  - still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis
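How Panopticlick-style measurement turns "worst offenders" and "still leaves" into numbers, as an added example (not EFF's code and not the page author's). The population of 15 previous visitors and the browser profiles are constructed; the "uniform" profile models a browser that standardises user agent, timezone, language and window size, so its users hide among each other. Surprisal is bits of identifying information, `-log2` of the share of visitors with that value, with the observed browser counted as one more visitor.

```python
"""Fingerprint surprisal: how many bits each browser attribute gives away.

Added example; the population and the profiles are constructed.
"""
import math
from collections import Counter

FIELDS = ("user_agent", "timezone", "language", "window_size")

# Constructed: 7 previous visitors sharing one standardised profile, plus 8
# ordinary browsers with their own settings (15 previous visitors in all).
UNIFORM_PROFILE = ("Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
                   "UTC", "en-US", "1000x1000")
POPULATION = [UNIFORM_PROFILE] * 7 + [
    ("Mozilla/5.0 (X11; Linux x86_64) Chrome/31.0", "Europe/Berlin", "de", "1366x658"),
    ("Mozilla/5.0 (X11; Linux x86_64) Chrome/31.0", "Europe/Berlin", "de", "1920x1057"),
    ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.71", "America/Los_Angeles", "en-US", "1440x760"),
    ("Mozilla/5.0 (Windows NT 6.3) Chrome/31.0", "America/New_York", "en-US", "1536x821"),
    ("Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0", "Asia/Tokyo", "ja", "1280x695"),
    ("Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0", "Europe/London", "en-GB", "1600x860"),
    ("Mozilla/5.0 (Linux; Android 4.4) Chrome/31.0 Mobile", "Asia/Kolkata", "en-IN", "360x567"),
    ("Mozilla/5.0 (iPad; CPU OS 7_0) Safari/9537.53", "Australia/Sydney", "en-AU", "1024x700"),
]


def _bits(matches: int, population_size: int) -> float:
    """Surprisal with the observed browser added to the population."""
    return -math.log2((matches + 1) / (population_size + 1))


def surprisal_bits(field: str, value: str, population=POPULATION) -> float:
    """Identifying bits carried by one attribute on its own."""
    idx = FIELDS.index(field)
    matches = Counter(row[idx] for row in population)[value]
    return _bits(matches, len(population))


def anonymity_set(observation, population=POPULATION) -> int:
    """How many visitors, including this one, share the whole fingerprint."""
    return 1 + sum(1 for row in population if row == observation)


def combined_bits(observation, population=POPULATION) -> float:
    """Bits from the joint fingerprint.  Attributes are far from independent,
    so this, not the sum of per-field numbers, is what identifies you."""
    return _bits(anonymity_set(observation, population) - 1, len(population))


def report(observation, population=POPULATION) -> dict:
    """Per-field bits plus the joint figure for one observed browser."""
    out = {f: round(surprisal_bits(f, v, population), 3)
           for f, v in zip(FIELDS, observation)}
    out["combined"] = round(combined_bits(observation, population), 3)
    out["anonymity_set"] = anonymity_set(observation, population)
    return out
```

Run `report()` on the uniform profile and on a copy that differs only in language: everything else being identical does not help once one attribute is rare, which is exactly the "still leaves: your language, timezone" caveat.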
Other
- referers
- geolocation
- URL shorteners: t.co, bit.ly
- if you're not paying, you're the product