Difference between revisions of "Security Overview"

2,970 bytes added ,  11:42, 15 December 2013
update, partially consolidate
(giant brain dump)
 
(update, partially consolidate)
Line 1: Line 1:
http://does-this-need-to-be-said.tumblr.com/
http://does-this-need-to-be-said.tumblr.com/


social engineering
=Social Engineering & Basic Stuff=
 
  * doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
  * doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
  * cultivate multiple identities, emails, usernames, etc
  * cultivate multiple identities, emails, usernames, etc
* be very wary of facebook, g+, social networks
* always avoid using your legal name, address
* avoid logging in on your phone, or entering your phone #
* you can look up license plates
* "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt


hardware
=Hardware=
  * cameras, microphones, radios
  * cameras, microphones, radios
  * facial recognition
  * facial recognition
Line 12: Line 18:
  * monitors leak radiation
  * monitors leak radiation
  * tracking devices on cars - ride a bicycle, store it indoors
  * tracking devices on cars - ride a bicycle, store it indoors
* burner phones - prepaid, kept batteryless
* tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html


endpoint operating systems: main problems
=Endpoints=
  * nonfree software (microsoft, apple, google: all evil)
  * nonfree software (microsoft, apple, google: all evil)
  * security updates: package managers are the only way
  * security updates: package managers are the only way
  * app stores add complications: paywalls, "permission creep"
  * app stores add complications: paywalls, "permission creep"
  * how exploits work: backdoors, CVEs, black market, foxacid
  * how exploits work: backdoors, CVEs, black market, foxacid
* execution, escalation, propagation, phoning home
* privilege separation (made windows XP unusable)
  * on linux this is defeated by keyloggers - X Windows is broken, even ships with its own keylogger (xev)
* sandboxing is imperfect (that's how the NSA defeated TBB)
  * hall of shame: skype, silverlight, flash are all evil
  * hall of shame: skype, silverlight, flash are all evil
  * firewalls++
  * how a computer works
  * NAT is not security, ipv6 is coming
  * picture a vast table of index cards - that is memory, it is addressable
  * virus scanners are an ugly hack. it's too late, wipe & restore
  * CPU instructions manipulate the index cards
* rootkits, worms, botnets
  * I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
* PRNGs: android fail
  * how an operating system works
  * kernel vs userspace - enforced by CPU
    * kernel runs on a CPU, has access to hardware
    * CPU time is expensive, so how to multitask?
    * kernel invents concept of "users", protects them from each other
    * if user figures out how to mess with the kernel, that's an escalation bug
    * userspace is often called a "shell"
    * trusted boot
      * causing kernel escalation bugs to be taken more seriously
      * when combined with full-disk encryption, prevents "evil maid"
      * sometimes only trusts windows
      * attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
  * super users
    * root on unix, admin on windows
    * privilege separation made windows XP unusable
    * android uses privilege separation - every app is its own user
    * getting super user is also an escalation bug
    * sometimes achieved by keyloggers
    * Xorg / linux desktop ships with its own keylogger (xev)
  * userspace apps are sandboxes
    * interact with images, html, javascript, emails
    * buffer overflows, bad code, bad runtime, bad languages
    * if remote attacker can run code directly on your CPU, that's an execution bug
    * this is how the NSA defeated TBB: bug in firefox xml library
    * execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  * arms race: who wants to break in?
    * govts, spies
    * vandals - gnaa, syrian electronic army
    * botnets: send spam, mine bitcoin, steal your identity
    * black market for pwnd computers, amazon accounts, etc
    * because exploits are valuable, they use sparingly to avoid discovery
* defense in depth
  * antivirus
    * helps slow mass infections
    * does not protect you personally
    * it's too late, wipe & restore
    * cannot remove all rootkits, kernel exploits, firmware worms
  * firewalls
    * reduce attack surface
    * prevents propagation, phoning home, so no payload for attacker
    * NAT is not security, ipv6 is coming, "internet of things" *shiver*
  * developer security
  * developer security
   * source control (git)
   * source control (git)
Line 37: Line 81:


disk encryption
disk encryption
  * "rubber hose", "evil maid"
  * "rubber hose cryptanalysis" https://xkcd.com/538/
* risky without trusted boot, but trusted boot also broken
* deniability is very hard
* steganography
* best use case: phones (because of controlled environment)
  * adds security at rest, but not while running
  * adds security at rest, but not while running
* android makes this easy
  * your mugger probably won't dump the RAM, but cops can
  * your mugger probably won't dump the RAM, but cops can
  * always keep backups - data loss is DoS
  * always keep backups - data loss is DoS
* deniability is very hard
* steganography: hiding in plain sight
=Networks=


networks are evil
networks are evil
Line 74: Line 119:
  * anyone controlling the pipes can do it
  * anyone controlling the pipes can do it
  * Tor can make this WORSE, not better, so router-level Tor is also bad
  * Tor can make this WORSE, not better, so router-level Tor is also bad
* SSL
 
  * https://www.eff.org/https-everywhere
=Crypto=
  * cert authorities don't solve mitm, just narrows down who can do it
 
  * french ISP spoofed google, so did chinese govt
* SSL
  * show directory with certs your OS trusts
  * show example of site that sells SSL certs (namecheap.com)
  * show example of site that sells SSL certs (namecheap.com)
  * show directory with certs your OS trusts
  * one solution is ipsec + dnssec + dane, but these are not deployed. internet is broken.
  * any of these orgs can impersonate any website
* metadata
  * cert authorities don't solve mitm, just narrows down who can do it
  * even with SSL, they can see who you're talking to
* US & UK govt: FLYING PIG?
  * traffic analysis, packet size gives away a lot: google maps tiles, for example
  * french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/
* tor hidden services
  * chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
  * the address is the certificate
* bootstrap problem
  * solves the mitm problem
  * HSTS preloading
  * solves the metadata problem
  * https://www.eff.org/https-everywhere
  * solves the auth problem
  * ipsec + dnssec + dane
  * are not user-friendly by today's standards
* metadata
  * this is what securedrop uses
  * even with SSL, they can see who you're talking to
* in the future we will all memorize hashes like phone #s
  * traffic analysis, packet size gives away a lot: google maps tiles, for example
  * similarly: hashed.im
* tor hidden services
  * OTR approximates this
  * the address is the certificate
  * solves the mitm problem
  * solves the metadata problem
  * solves the auth problem
  * are not user-friendly by today's standards
  * this is what securedrop uses
* in the future we will all memorize hashes like phone #s
  * similarly: hashed.im
  * OTR approximates this
  * this means that access to truly random numbers is very important
    * specialized crypto hardware
    * PRNGs: android fail
    * freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
 
=Datamining=


cookies
cookies
Line 111: Line 170:


browser fingerprinting
browser fingerprinting
* https://panopticlick.eff.org/
* http://browserspy.dk
  * https reduces attack surface but does not solve
  * https reduces attack surface but does not solve
   * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
   * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
   * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
   * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
  * in active use at major sites
  * in active use at major sites
  * http://homes.esat.kuleuven.be/~gacar/fpdetective/
  * https://github.com/fpdetective/fpdetective/
  * worst offenders: javascript, plugins, user agents
  * worst offenders: javascript, plugins, user agents
  * TBB does its best, not perfect
  * TBB does its best, not perfect