Difference between revisions of "Security Overview"

 

* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/

* cultivate multiple identities, emails, usernames, etc

* be very wary of facebook, g+, social networks

* always avoid using your legal name, address

* avoid logging in on your phone, or entering your phone #

* you can look up license plates

* "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt

* cameras, microphones, radios

* facial recognition

* evil chip manufacturers

* keyloggers

* monitors leak radiation

* tracking devices on cars - ride a bicycle, store it indoors

* burner phones - prepaid, kept batteryless

* tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html

* nonfree software (microsoft, apple, google: all evil)

* security updates: package managers are the only way

* app stores add complications: paywalls, "permission creep"

* how exploits work: backdoors, CVEs, black market, foxacid

* hall of shame: skype, silverlight, flash are all evil

* how a computer works

  * picture a vast table of index cards - that is memory, it is addressable

  * CPU instructions manipulate the index cards

  * I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)

* how an operating system works

  * kernel vs userspace - enforced by CPU

    * kernel runs on a CPU, has access to hardware

    * CPU time is expensive, so how to multitask?

    * kernel invents concept of "users", protects them from each other

    * if user figures out how to mess with the kernel, that's an escalation bug

    * userspace is often called a "shell"

    * trusted boot

      * causing kernel escalation bugs to be taken more seriously

      * when combined with full-disk encryption, prevents "evil maid"

      * sometimes only trusts windows

      * attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/

  * super users

    * root on unix, admin on windows

    * privilege separation made windows XP unusable

    * android uses privilege separation - every app is its own user

    * getting super user is also an escalation bug

    * sometimes achieved by keyloggers

    * Xorg / linux desktop ships with its own keylogger (xev)

  * userspace apps are sandboxes

    * interact with images, html, javascript, emails

    * buffer overflows, bad code, bad runtime, bad languages

    * if remote attacker can run code directly on your CPU, that's an execution bug

    * this is how the NSA defeated TBB: bug in firefox xml library

    * execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd

* arms race: who wants to break in?

    * govts, spies

    * vandals - gnaa, syrian electronic army

    * botnets: send spam, mine bitcoin, steal your identity

    * black market for pwnd computers, amazon accounts, etc

    * because exploits are valuable, they use sparingly to avoid discovery

* defense in depth

  * antivirus

    * helps slow mass infections

    * does not protect you personally

    * it's too late, wipe & restore

    * cannot remove all rootkits, kernel exploits, firmware worms

  * firewalls

    * reduce attack surface

    * prevents propagation, phoning home, so no payload for attacker

    * NAT is not security, ipv6 is coming, "internet of things" *shiver*

* developer security

  * source control (git)

  * package signing

  * opsec

  * multiple compiler ecosystems (gcc, llvm/clang)

  * deterministic builds are the future

  * secret backdoors submitted openly (selinux?)

* "rubber hose cryptanalysis" https://xkcd.com/538/

* adds security at rest, but not while running

* android makes this easy

* your mugger probably won't dump the RAM, but cops can

* always keep backups - data loss is DoS

* deniability is very hard

* steganography: hiding in plain sight

networks are evil

* ISPs spy on you

* assume all cables are tapped, intercepted

* routers & modems are vulnerable

* NSA suppresses openwrt to keep them that way

* closed hardware drivers are the other culprit - patents, binary blobs

  * some things need old kernels: more work for kernel devs

  * #1 reason some hardware needs dd-wrt, not openwrt

* cell phones especially, even with cyanogenmod

* harder to wiretap individuals

* but ideally should not be trusted either - end-to-end encryption

* can do location analysis, enable stalkers (seattle)

* mac address randomization: unsupported, not foolproof, easy to block

tor, vpns, proxies

* protect you from your own ISP/network hardware

* provider or exit node still can spy on you

* much VPN software/protocols are not audited

* local traffic analysis & timestamps could give you less deniability

* they can tell WHEN you are using tor/vpn

* tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)

* flash is evil: poor sandboxing, disrespects proxies

* anyone controlling the pipes can do it

* Tor can make this WORSE, not better, so router-level Tor is also bad

  * show example of site that sells SSL certs (namecheap.com)

  * show directory with certs your OS trusts

  * any of these orgs can impersonate any website

  * cert authorities don't solve mitm, just narrows down who can do it

* US & UK govt: FLYING PIG?

  * french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/

  * chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle

* bootstrap problem

  * HSTS preloading

  * https://www.eff.org/https-everywhere

  * ipsec + dnssec + dane

* metadata

  * even with SSL, they can see who you're talking to

  * traffic analysis, packet size gives away a lot: google maps tiles, for example

  * the address is the certificate

  * solves the mitm problem

  * solves the metadata problem

  * solves the auth problem

  * are not user-friendly by today's standards

  * this is what securedrop uses

  * similarly: hashed.im

  * OTR approximates this

  * this means that access to truly random numbers is very important

    * specialized crypto hardware

    * PRNGs: android fail

    * freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/

* ad networks: google, etc

* analytics: google, etc

* CDNs: google, amazon, akamai

* social networks: facebook "like" button, twitter, etc

* session cookies partially solves

  * but how long is your session?

  * what did you do in your session?

* persistence - anything on disk: flash cookies, DOM objects, cache

* deleting flash cookies deletes security settings. flash is evil!

* disk encryption does not solve this - it is still a disk!

* private / incognito mode partially solves, makes false promises

  * bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs

* TAILS solves this - defense in depth

* https://panopticlick.eff.org/

* http://browserspy.dk

* https reduces attack surface but does not solve

  * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE

  * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks

* in active use at major sites

  * http://homes.esat.kuleuven.be/~gacar/fpdetective/

  * https://github.com/fpdetective/fpdetective/

* worst offenders: javascript, plugins, user agents

* TBB does its best, not perfect

* TAILS mostly solves - but webrtc

* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis

* referers

* geolocation

* URL shorteners: t.co, bit.ly

* if you're not paying, you're the product