Security Overview

From Sudo Room
Revision as of 18:22, 10 December 2013 by Yar (talk | contribs) (giant brain dump)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

http://does-this-need-to-be-said.tumblr.com/

social engineering

* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
* cultivate multiple identities, emails, usernames, etc

hardware

* cameras, microphones, radios
* facial recognition
* evil chip manufacturers
* keyloggers
* monitors leak radiation
* tracking devices on cars - ride a bicycle, store it indoors

endpoint operating systems: main problems

* nonfree software (microsoft, apple, google: all evil)
* security updates: package managers are the only way
* app stores add complications: paywalls, "permission creep"
* how exploits work: backdoors, CVEs, black market, foxacid
* execution, escalation, propagation, phoning home
* privilege separation (made windows XP unusable)
  * on linux this is defeated by keyloggers - X Windows is broken, even ships with its own keylogger (xev)
* sandboxing is imperfect (that's how the NSA defeated TBB)
* hall of shame: skype, silverlight, flash are all evil
* firewalls++
* NAT is not security, ipv6 is coming
* virus scanners are an ugly hack. it's too late, wipe & restore
* rootkits, worms, botnets
* PRNGs: android fail
* developer security
  * source control (git)
  * package signing
  * opsec
  * multiple compiler ecosystems (gcc, llvm/clang)
  * deterministic builds are the future
  * secret backdoors submitted openly (selinux?)

disk encryption

* "rubber hose", "evil maid"
* risky without trusted boot, but trusted boot also broken
* deniability is very hard
* steganography
* best use case: phones (because of controlled environment)
* adds security at rest, but not while running
* your mugger probably won't dump the RAM, but cops can
* always keep backups - data loss is DoS

networks are evil

* ISPs spy on you
* assume all cables are tapped, intercepted
* routers & modems are vulnerable
* NSA suppresses openwrt to keep them that way
* closed hardware drivers are the other culprit - patents, binary blobs
  * some things need old kernels: more work for kernel devs
  * #1 reason some hardware needs dd-wrt, not openwrt
* cell phones especially, even with cyanogenmod

mesh networks

* harder to wiretap individuals
* but ideally should not be trusted either - end-to-end encryption
* can do location analysis, enable stalkers (seattle)
* mac address randomization: unsupported, not foolproof, easy to block

tor, vpns, proxies

* protect you from your own ISP/network hardware
* provider or exit node still can spy on you
* much VPN software/protocols are not audited
* local traffic analysis & timestamps could give you less deniability
* they can tell WHEN you are using tor/vpn
* tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
* flash is evil: poor sandboxing, disrespects proxies

mitm

* anyone controlling the pipes can do it
* Tor can make this WORSE, not better, so router-level Tor is also bad
* SSL
  * https://www.eff.org/https-everywhere
  * cert authorities don't solve mitm, just narrows down who can do it
  * french ISP spoofed google, so did chinese govt
  * show directory with certs your OS trusts
  * show example of site that sells SSL certs (namecheap.com)
  * one solution is ipsec + dnssec + dane, but these are not deployed. internet is broken.
* metadata
  * even with SSL, they can see who you're talking to
  * traffic analysis, packet size gives away a lot: google maps tiles, for example
* tor hidden services
  * the address is the certificate
  * solves the mitm problem
  * solves the metadata problem
  * solves the auth problem
  * are not user-friendly by today's standards
  * this is what securedrop uses
* in the future we will all memorize hashes like phone #s
  * similarly: hashed.im
  * OTR approximates this

cookies

* ad networks: google, etc
* analytics: google, etc
* CDNs: google, amazon, akamai
* social networks: facebook "like" button, twitter, etc
* session cookies partially solves
  * but how long is your session?
  * what did you do in your session?
* persistence - anything on disk: flash cookies, DOM objects, cache
* deleting flash cookies deletes security settings. flash is evil!
* disk encryption does not solve this - it is still a disk!
* private / incognito mode partially solves, makes false promises
  * bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
* TAILS solves this - defense in depth

browser fingerprinting

* https reduces attack surface but does not solve
  * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
  * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
* in active use at major sites
* worst offenders: javascript, plugins, user agents
* TBB does its best, not perfect
* TAILS mostly solves - but webrtc
* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis

other datamining vectors

* referers
* geolocation
* URL shorteners: t.co, bit.ly
* if you're not paying, you're the product