Difference between revisions of "Security Overview"
Jump to navigation
Jump to search
(giant brain dump) |
(→Fingerprinting: link to tor bug tracker) |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
http://does-this-need-to-be-said.tumblr.com/ | http://does-this-need-to-be-said.tumblr.com/ | ||
=Social Engineering & Basic Stuff= | |||
* doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/ | |||
* cultivate multiple identities, emails, usernames, etc | |||
* be very wary of facebook, g+, social networks | |||
* always avoid using your legal name, address | |||
* avoid logging in on your phone, or entering your phone # | |||
* you can look up license plates | |||
* "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt | |||
=Hardware= | |||
* cameras, microphones, radios | |||
* facial recognition | |||
* evil chip manufacturers | |||
* keyloggers | |||
* monitors leak radiation | |||
* tracking devices on cars - ride a bicycle, store it indoors | |||
* burner phones - prepaid, kept batteryless | |||
* tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html | |||
=Endpoints= | |||
early security: mainframes, protecting users from each other | |||
* how a computer works | |||
** picture a vast table of index cards - that is memory, it is addressable | |||
** CPU instructions manipulate the index cards | |||
** I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor) | |||
* how an operating system works | |||
** kernel vs userspace - enforced by CPU | |||
*** kernel runs on a CPU, has access to hardware | |||
*** CPU time is expensive, so how to multitask? | |||
*** kernel invents concept of "users", protects them from each other | |||
*** if user figures out how to mess with the kernel, that's an escalation bug | |||
*** userspace is often called a "shell" | |||
*** trusted boot | |||
**** causing kernel escalation bugs to be taken more seriously | |||
**** when combined with full-disk encryption, prevents "evil maid" | |||
**** sometimes only trusts windows | |||
**** attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/ | |||
** super users | |||
*** root on unix, admin on windows | |||
*** privilege separation made windows XP unusable | |||
*** android uses privilege separation - every app is its own user | |||
*** getting super user is also an escalation bug | |||
*** sometimes achieved by keyloggers | |||
*** Xorg / linux desktop ships with its own keylogger (xev) | |||
** userspace apps are sandboxes | |||
*** interact with images, html, javascript, emails | |||
*** buffer overflows, bad code, bad runtime, bad languages | |||
*** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous | |||
*** if remote attacker can run code directly on your CPU, that's an execution bug | |||
*** this is how the NSA defeated TBB: bug in firefox xml library | |||
*** execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd | |||
* arms race: who wants to break in? | |||
** govts, spies | |||
** vandals, trolls, syrian electronic army | |||
** botnets: send spam, mine bitcoin, steal your identity | |||
** black market for pwnd computers, amazon accounts, etc | |||
** backdoors, CVEs, foxacid | |||
** because exploits are valuable, they use sparingly to avoid discovery | |||
** updates | |||
*** always update! | |||
*** package managers are the only way | |||
*** app stores add complications: paywalls, "permission creep" | |||
** nonfree software | |||
*** microsoft, apple, google: all evil | |||
*** hall of shame: skype, silverlight, flash are all evil | |||
*** http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android | |||
* defense in depth | |||
** antivirus | |||
*** helps slow mass infections | |||
*** does not protect you personally | |||
*** it's too late, wipe & restore | |||
*** cannot remove all rootkits, kernel exploits, firmware worms | |||
** firewalls | |||
*** reduce attack surface | |||
*** prevents propagation, phoning home, so no payload for attacker | |||
*** NAT is not security, ipv6 is coming, "internet of things" *shiver* | |||
==Developer Security== | |||
* source control | |||
** http://www.git-scm.com/about/info-assurance | |||
** https://www.kernel.org/ | |||
** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg | |||
* secret backdoors submitted openly? https://www.nsa.gov/research/selinux/ | |||
* package signing, opsec | |||
* deterministic builds are the future | |||
** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise | |||
** https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details | |||
** multiple compiler ecosystems (gcc, llvm/clang) | |||
==Disk Encryption== | |||
* "rubber hose cryptanalysis" https://xkcd.com/538/ | |||
* adds security at rest, but not while running | |||
* android makes this easy | |||
* your mugger probably won't dump the RAM, but cops can | |||
* always keep backups - data loss is DoS | |||
* deniability is very hard | |||
** much easier to avoid being a suspect | |||
** having TBB on your disk is a red flag, especially with particular extensions | |||
** ideal solution is steganography: hiding in plain sight | |||
=Networks= | |||
* evil | |||
* ISPs spy on you | |||
* assume all cables are tapped, intercepted | |||
* routers & modems are vulnerable | |||
* NSA suppresses openwrt to keep them that way | |||
* closed hardware drivers are the other culprit - patents, binary blobs | |||
** some things need old kernels: more work for kernel devs | |||
** #1 reason some hardware needs dd-wrt, not openwrt | |||
* cell phones especially, even with cyanogenmod | |||
==Mesh== | |||
* harder to wiretap individuals | |||
* but ideally should not be trusted either - end-to-end encryption | |||
* can do location analysis, enable stalkers (seattle) | |||
* mac address randomization: unsupported, not foolproof, easy to block | |||
==Tor, VPNs, Proxies== | |||
* protect you from your own ISP/network hardware | |||
* provider or exit node still can spy on you | |||
* much VPN software/protocols are not audited | |||
* local traffic analysis & timestamps could give you less deniability | |||
* they can tell WHEN you are using tor/vpn | |||
* tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb) | |||
* flash is evil: poor sandboxing, disrespects proxies | |||
==MITM== | |||
* anyone controlling the pipes can do it | |||
* Tor can make this WORSE, not better, so router-level Tor is also bad | |||
=Crypto= | |||
* SSL | |||
** example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx | |||
** example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/ | |||
** any of these orgs can impersonate any website | |||
** cert authorities don't solve mitm, just narrows down who can do it | |||
** US & UK govt: FLYING PIG? | |||
*** french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/ | |||
*** chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle | |||
** bootstrap problem | |||
*** HSTS preloading | |||
*** https://www.eff.org/https-everywhere | |||
*** ipsec + dnssec + dane | |||
** metadata | |||
*** even with SSL, they can see who you're talking to | |||
*** traffic analysis, packet size gives away a lot: google maps tiles, for example | |||
* tor hidden services | |||
** the address is the certificate | |||
** solves the mitm problem | |||
** solves the metadata problem | |||
** solves the auth problem | |||
** are not user-friendly by today's standards | |||
** this is what securedrop uses | |||
* in the future we will all memorize hashes like phone #s | |||
** similarly: hashed.im | |||
** OTR approximates this | |||
** this means that access to truly random numbers is very important | |||
*** specialized crypto hardware | |||
*** PRNGs: android fail | |||
*** freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/ | |||
=Datamining= | |||
==Cookies== | |||
* ad networks: google, etc | |||
* analytics: google, etc | |||
* CDNs: google, amazon, akamai | |||
* social networks: facebook "like" button, twitter, etc | |||
* session cookies partially solves | |||
** but how long is your session? | |||
** what did you do in your session? | |||
* persistence - anything on disk: flash cookies, DOM objects, cache | |||
* deleting flash cookies deletes security settings. flash is evil! | |||
* disk encryption does not solve this - it is still a disk! | |||
* private / incognito mode partially solves, makes false promises | |||
** bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs | |||
* TAILS solves this - defense in depth | |||
==Fingerprinting== | |||
* https://panopticlick.eff.org/ | |||
* http://browserspy.dk | |||
* tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting | |||
* https reduces attack surface but does not solve | |||
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE | |||
** with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks | |||
* in active use at major sites | |||
** http://homes.esat.kuleuven.be/~gacar/fpdetective/ | |||
** https://github.com/fpdetective/fpdetective/ | |||
* worst offenders: javascript, plugins, user agents | |||
* TBB does its best, not perfect | |||
* TAILS mostly solves - but webrtc | |||
* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis | |||
==Other== | |||
* referers | |||
* geolocation | |||
* URL shorteners: t.co, bit.ly | |||
* if you're not paying, you're the product | |||
Latest revision as of 13:36, 17 December 2013
http://does-this-need-to-be-said.tumblr.com/
Social Engineering & Basic Stuff
- doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
- cultivate multiple identities, emails, usernames, etc
- be very wary of facebook, g+, social networks
- always avoid using your legal name, address
- avoid logging in on your phone, or entering your phone #
- you can look up license plates
- "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt
Hardware
- cameras, microphones, radios
- facial recognition
- evil chip manufacturers
- keyloggers
- monitors leak radiation
- tracking devices on cars - ride a bicycle, store it indoors
- burner phones - prepaid, kept batteryless
- tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html
Endpoints
early security: mainframes, protecting users from each other
- how a computer works
- picture a vast table of index cards - that is memory, it is addressable
- CPU instructions manipulate the index cards
- I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
- how an operating system works
- kernel vs userspace - enforced by CPU
- kernel runs on a CPU, has access to hardware
- CPU time is expensive, so how to multitask?
- kernel invents concept of "users", protects them from each other
- if user figures out how to mess with the kernel, that's an escalation bug
- userspace is often called a "shell"
- trusted boot
- causing kernel escalation bugs to be taken more seriously
- when combined with full-disk encryption, prevents "evil maid"
- sometimes only trusts windows
- attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
- super users
- root on unix, admin on windows
- privilege separation made windows XP unusable
- android uses privilege separation - every app is its own user
- getting super user is also an escalation bug
- sometimes achieved by keyloggers
- Xorg / linux desktop ships with its own keylogger (xev)
- userspace apps are sandboxes
- interact with images, html, javascript, emails
- buffer overflows, bad code, bad runtime, bad languages
- difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
- if remote attacker can run code directly on your CPU, that's an execution bug
- this is how the NSA defeated TBB: bug in firefox xml library
- execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
- kernel vs userspace - enforced by CPU
- arms race: who wants to break in?
- govts, spies
- vandals, trolls, syrian electronic army
- botnets: send spam, mine bitcoin, steal your identity
- black market for pwnd computers, amazon accounts, etc
- backdoors, CVEs, foxacid
- because exploits are valuable, they use sparingly to avoid discovery
- updates
- always update!
- package managers are the only way
- app stores add complications: paywalls, "permission creep"
- nonfree software
- microsoft, apple, google: all evil
- hall of shame: skype, silverlight, flash are all evil
- http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
- defense in depth
- antivirus
- helps slow mass infections
- does not protect you personally
- it's too late, wipe & restore
- cannot remove all rootkits, kernel exploits, firmware worms
- firewalls
- reduce attack surface
- prevents propagation, phoning home, so no payload for attacker
- NAT is not security, ipv6 is coming, "internet of things" *shiver*
- antivirus
Developer Security
- source control
- secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
- package signing, opsec
- deterministic builds are the future
- https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
- https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
- multiple compiler ecosystems (gcc, llvm/clang)
Disk Encryption
- "rubber hose cryptanalysis" https://xkcd.com/538/
- adds security at rest, but not while running
- android makes this easy
- your mugger probably won't dump the RAM, but cops can
- always keep backups - data loss is DoS
- deniability is very hard
- much easier to avoid being a suspect
- having TBB on your disk is a red flag, especially with particular extensions
- ideal solution is steganography: hiding in plain sight
Networks
- evil
- ISPs spy on you
- assume all cables are tapped, intercepted
- routers & modems are vulnerable
- NSA suppresses openwrt to keep them that way
- closed hardware drivers are the other culprit - patents, binary blobs
- some things need old kernels: more work for kernel devs
- #1 reason some hardware needs dd-wrt, not openwrt
- cell phones especially, even with cyanogenmod
Mesh
- harder to wiretap individuals
- but ideally should not be trusted either - end-to-end encryption
- can do location analysis, enable stalkers (seattle)
- mac address randomization: unsupported, not foolproof, easy to block
Tor, VPNs, Proxies
- protect you from your own ISP/network hardware
- provider or exit node still can spy on you
- much VPN software/protocols are not audited
- local traffic analysis & timestamps could give you less deniability
- they can tell WHEN you are using tor/vpn
- tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
- flash is evil: poor sandboxing, disrespects proxies
MITM
- anyone controlling the pipes can do it
- Tor can make this WORSE, not better, so router-level Tor is also bad
Crypto
- SSL
- example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx
- example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/
- any of these orgs can impersonate any website
- cert authorities don't solve mitm, just narrows down who can do it
- US & UK govt: FLYING PIG?
- bootstrap problem
- HSTS preloading
- https://www.eff.org/https-everywhere
- ipsec + dnssec + dane
- metadata
- even with SSL, they can see who you're talking to
- traffic analysis, packet size gives away a lot: google maps tiles, for example
- tor hidden services
- the address is the certificate
- solves the mitm problem
- solves the metadata problem
- solves the auth problem
- are not user-friendly by today's standards
- this is what securedrop uses
- in the future we will all memorize hashes like phone #s
- similarly: hashed.im
- OTR approximates this
- this means that access to truly random numbers is very important
- specialized crypto hardware
- PRNGs: android fail
- freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
Datamining
Cookies
- ad networks: google, etc
- analytics: google, etc
- CDNs: google, amazon, akamai
- social networks: facebook "like" button, twitter, etc
- session cookies partially solves
- but how long is your session?
- what did you do in your session?
- persistence - anything on disk: flash cookies, DOM objects, cache
- deleting flash cookies deletes security settings. flash is evil!
- disk encryption does not solve this - it is still a disk!
- private / incognito mode partially solves, makes false promises
- bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
- TAILS solves this - defense in depth
Fingerprinting
- https://panopticlick.eff.org/
- http://browserspy.dk
- tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
- https reduces attack surface but does not solve
- with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
- with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
- in active use at major sites
- worst offenders: javascript, plugins, user agents
- TBB does its best, not perfect
- TAILS mostly solves - but webrtc
- still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis
Other
- referers
- geolocation
- URL shorteners: t.co, bit.ly
- if you're not paying, you're the product