Difference between revisions of "Security Overview"

From Sudo Room
(reformat with bullet points)
(→‎Fingerprinting: link to tor bug tracker)
 
(4 intermediate revisions by the same user not shown)
Line 21 (old) / Line 21 (new):
=Endpoints=
− * nonfree software (microsoft, apple, google: all evil)
+ early security: mainframes, protecting users from each other
− * security updates: package managers are the only way
− * app stores add complications: paywalls, "permission creep"
− * how exploits work: backdoors, CVEs, black market, foxacid
− * hall of shame: skype, silverlight, flash are all evil
* how a computer works
** picture a vast table of index cards - that is memory, it is addressable

Line 52 (old) / Line 48 (new):
*** interact with images, html, javascript, emails
*** buffer overflows, bad code, bad runtime, bad languages
+ *** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
*** if remote attacker can run code directly on your CPU, that's an execution bug
*** this is how the NSA defeated TBB: bug in firefox xml library

Line 57 (old) / Line 54 (new):
* arms race: who wants to break in?
** govts, spies
− ** vandals - gnaa, syrian electronic army
+ ** vandals, trolls, syrian electronic army
** botnets: send spam, mine bitcoin, steal your identity
** black market for pwnd computers, amazon accounts, etc
+ ** backdoors, CVEs, foxacid
** because exploits are valuable, they use sparingly to avoid discovery
+ ** updates
+ *** always update!
+ *** package managers are the only way
+ *** app stores add complications: paywalls, "permission creep"
+ ** nonfree software
+ *** microsoft, apple, google: all evil
+ *** hall of shame: skype, silverlight, flash are all evil
+ *** http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
* defense in depth
** antivirus

Line 71 (old) / Line 77 (new):
*** prevents propagation, phoning home, so no payload for attacker
*** NAT is not security, ipv6 is coming, "internet of things" *shiver*
− * developer security
− ** source control (git)
− ** package signing
− ** opsec
+ 
+ ==Developer Security==
+ * source control
+ ** http://www.git-scm.com/about/info-assurance
+ ** https://www.kernel.org/
+ ** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg
+ * secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
+ * package signing, opsec
+ * deterministic builds are the future
+ ** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
+ ** https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
** multiple compiler ecosystems (gcc, llvm/clang)
− ** deterministic builds are the future
− ** secret backdoors submitted openly (selinux?)

==Disk Encryption==
* "rubber hose cryptanalysis" https://xkcd.com/538/
* adds security at rest, but not while running

Line 87 (old) / Line 97 (new):
* always keep backups - data loss is DoS
* deniability is very hard
− * steganography: hiding in plain sight
+ ** much easier to avoid being a suspect
+ ** having TBB on your disk is a red flag, especially with particular extensions
+ ** ideal solution is steganography: hiding in plain sight

=Networks=

Line 123 (old) / Line 135 (new):
* SSL
− ** show example of site that sells SSL certs (namecheap.com)
+ ** example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx
− ** show directory with certs your OS trusts
+ ** example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/
** any of these orgs can impersonate any website
** cert authorities don't solve mitm, just narrows down who can do it

Line 172 (old) / Line 184 (new):
* https://panopticlick.eff.org/
* http://browserspy.dk
+ * tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
* https reduces attack surface but does not solve
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE

Latest revision as of 13:36, 17 December 2013

http://does-this-need-to-be-said.tumblr.com/

Social Engineering & Basic Stuff

Hardware

Endpoints

early security: mainframes, protecting users from each other

  • how a computer works
    • picture a vast table of index cards - that is memory, it is addressable
    • CPU instructions manipulate the index cards
    • I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
  • how an operating system works
    • kernel vs userspace - enforced by CPU
      • kernel runs on a CPU, has access to hardware
      • CPU time is expensive, so how to multitask?
      • kernel invents concept of "users", protects them from each other
      • if user figures out how to mess with the kernel, that's an escalation bug
      • the program a user talks to in userspace is often called a "shell"
      • trusted boot
    • super users
      • root on unix, admin on windows
      • privilege separation made windows XP unusable
      • android uses privilege separation - every app is its own user
      • getting super user is also an escalation bug
      • sometimes achieved by keyloggers
      • Xorg / linux desktop ships with its own keylogger (xev)
    • userspace apps are sandboxes
      • interact with images, html, javascript, emails
      • buffer overflows, bad code, bad runtime, bad languages
      • difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
      • if remote attacker can run code directly on your CPU, that's an execution bug
      • this is how TBB users were unmasked in the 2013 Freedom Hosting attack: a use-after-free in Firefox 17's XMLHttpRequest (onreadystatechange) handling, CVE-2013-1690; later reporting attributed the attack to the FBI rather than the NSA
      • execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  • arms race: who wants to break in?
    • govts, spies
    • vandals, trolls, syrian electronic army
    • botnets: send spam, mine bitcoin, steal your identity
    • black market for pwnd computers, amazon accounts, etc
    • backdoors, CVEs, foxacid
    • because exploits are valuable, they are used sparingly to avoid discovery (burning a 0-day on a low-value target risks losing it)
    • updates
      • always update!
      • package managers are the only way
      • app stores add complications: paywalls, "permission creep"
    • nonfree software
      • microsoft, apple, google: all evil
      • hall of shame: skype, silverlight, flash are all evil
      • http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
  • defense in depth
    • antivirus
      • helps slow mass infections
      • does not protect you personally
      • if it finds something, it's already too late: wipe & restore
      • cannot remove all rootkits, kernel exploits, firmware worms
    • firewalls
      • reduce attack surface
      • prevents propagation, phoning home, so no payload for attacker
      • NAT is not security, ipv6 is coming, "internet of things" *shiver*
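
Added example (not from the Sudo Room outline): the overflow-into-a-flag bug the bullets above describe, in C, with the unchecked copy beside the bounds-checked one. The `struct session`, its `is_admin` field and the `evil` input are constructed for this demo; the point it shows is the outline's own, that the line between "data" and "privilege" is enforced only by software, so one unchecked copy is an escalation bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A login record laid out the way a naive program might do it: the name
 * buffer sits immediately before the privilege flag.  (Constructed for this
 * demo; on every mainstream ABI these 8 + 4 bytes are contiguous.) */
struct session {
    char name[8];
    volatile uint32_t is_admin;   /* volatile: force a real memory read below */
};

/* VULNERABLE: copies a caller-controlled name with no length check.  Bytes
 * past name[8] land in is_admin: data written by the attacker silently
 * becomes a privilege decision, which is exactly an escalation bug. */
void set_name_unchecked(struct session *s, const char *name, size_t len)
{
    s->is_admin = 0;
    memcpy(s->name, name, len);   /* len may exceed sizeof s->name */
}

/* HARDENED: reject anything that does not fit (with room for the NUL)
 * instead of truncating silently, and always terminate. */
int set_name_checked(struct session *s, const char *name, size_t len)
{
    s->is_admin = 0;
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, name, len);
    s->name[len] = '\0';
    return 0;
}

/* Attacker-supplied input (constructed): 11 'A's plus the terminator.
 * The first 8 bytes fill name[]; the last 4 ("AAA\0") overwrite is_admin,
 * giving 0x00414141 on a little-endian machine (nonzero either way). */
static const char evil[12] = "AAAAAAAAAAA";

/* Privilege flag after the unchecked copy: nonzero means escalated. */
uint32_t demo_unchecked(void)
{
    struct session s;
    set_name_unchecked(&s, evil, sizeof evil);
    return s.is_admin;
}

/* 0 if the hardened path rejected the input and left the flag at 0. */
int demo_checked(void)
{
    struct session s;
    int rc = set_name_checked(&s, evil, sizeof evil);
    return (rc == -1 && s.is_admin == 0) ? 0 : 1;
}

int main(void)
{
    printf("unchecked copy: is_admin = 0x%08x\n", (unsigned)demo_unchecked());
    printf("checked copy:   %s\n",
           demo_checked() == 0 ? "input rejected, is_admin = 0" : "FAILED");
    return 0;
}
```

Build with `cc -O2 -Wall overflow.c` (file name assumed); the compiler may warn about the oversized `memcpy`, which is the bug on display. The same pattern with a return address or a function pointer instead of `is_admin` is how "execution" (get shell) happens rather than escalation.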

Developer Security

  • source control
    • http://www.git-scm.com/about/info-assurance
    • https://www.kernel.org/
    • http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg
  • secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
  • package signing, opsec
  • deterministic builds are the future
    • https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
    • https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
    • multiple compiler ecosystems (gcc, llvm/clang)

Disk Encryption

  • "rubber hose cryptanalysis" https://xkcd.com/538/
  • adds security at rest, but not while running
  • android makes this easy
  • your mugger probably won't dump the RAM, but cops can
  • always keep backups - data loss is DoS
  • deniability is very hard
    • much easier to avoid being a suspect
    • having TBB on your disk is a red flag, especially with particular extensions
    • ideal solution is steganography: hiding in plain sight
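
Added example (not from the Sudo Room outline): why "at rest, but not while running" is literally true for AES-based disk encryption. While a volume is mounted the kernel keeps the expanded AES key schedule in RAM, and a memory image can be searched for that structure; this is the key-schedule search from the cold-boot attack (Halderman et al., 2008), written here in C. The 4 KiB "dump", its LCG filler, the offset 1337 and the use of the FIPS-197 sample key as the volume key are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL8(x, n) ((uint8_t)(((x) << (n)) | ((x) >> (8 - (n)))))

static uint8_t sbox[256];
static int sbox_ready;

/* Build the AES S-box at run time (GF(2^8) inverse via generator 3, then the
 * affine map) rather than pasting a 256-entry table. */
static void init_sbox(void)
{
    uint8_t p = 1, q = 1;
    do {
        p = p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0);   /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;          /* q /= 3 */
        q ^= (q & 0x80) ? 0x09 : 0;
        uint8_t t = q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4);
        sbox[p] = t ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;
    sbox_ready = 1;
}

/* AES-128 key expansion (FIPS-197 5.2): 16-byte key -> 176 bytes of round keys.
 * An encrypting kernel keeps exactly this structure in RAM for a mounted volume. */
void aes128_expand(const uint8_t key[16], uint8_t out[176])
{
    if (!sbox_ready)
        init_sbox();
    memcpy(out, key, 16);
    uint8_t rcon = 0x01;
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, out + i - 4, 4);
        if (i % 16 == 0) {                 /* every 4th word: RotWord, SubWord, Rcon */
            uint8_t first = t[0];
            t[0] = sbox[t[1]] ^ rcon;
            t[1] = sbox[t[2]];
            t[2] = sbox[t[3]];
            t[3] = sbox[first];
            rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
        }
        for (int j = 0; j < 4; j++)
            out[i + j] = out[i - 16 + j] ^ t[j];
    }
}

/* Scan a memory image for an AES-128 key schedule: at every offset, expand the
 * 16 bytes found there and check whether the next 160 bytes are the round keys
 * that key would produce.  Random memory essentially never matches; a live
 * volume key does.  Returns the offset of the key, or -1. */
long find_aes128_schedule(const uint8_t *dump, size_t len)
{
    uint8_t sched[176];
    for (size_t off = 0; off + 176 <= len; off++) {
        aes128_expand(dump + off, sched);
        if (memcmp(sched + 16, dump + off + 16, 160) == 0)
            return (long)off;
    }
    return -1;
}

/* FIPS-197 Appendix A.1 sample key, used here as the "volume key". */
static const uint8_t sample_key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                       0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};

/* 1 if the expansion reproduces the published FIPS-197 words w[4] and w[43]. */
int check_fips197_vector(void)
{
    static const uint8_t w4[4]  = {0xa0, 0xfa, 0xfe, 0x17};
    static const uint8_t w43[4] = {0xb6, 0x63, 0x0c, 0xa6};
    uint8_t s[176];
    aes128_expand(sample_key, s);
    return memcmp(s + 16, w4, 4) == 0 && memcmp(s + 172, w43, 4) == 0;
}

#define DUMP_LEN 4096
#define PLANT_AT 1337

/* Constructed 4 KiB "RAM dump": deterministic junk with the sample key's
 * schedule planted at PLANT_AT, as a mounted volume would leave it.  Returns
 * the offset the scanner recovers (expected: PLANT_AT) and, if key_out is
 * non-NULL, copies the recovered key into it. */
long demo_recover_key(uint8_t key_out[16])
{
    uint8_t dump[DUMP_LEN];
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < DUMP_LEN; i++) {
        x = x * 1103515245u + 12345u;      /* LCG filler: unrelated memory */
        dump[i] = (uint8_t)(x >> 16);
    }
    aes128_expand(sample_key, dump + PLANT_AT);
    long off = find_aes128_schedule(dump, DUMP_LEN);
    if (off >= 0 && key_out)
        memcpy(key_out, dump + off, 16);
    return off;
}

int main(void)
{
    uint8_t key[16];
    long off = demo_recover_key(key);
    printf("key schedule at offset %ld, key = ", off);
    for (int i = 0; i < 16; i++) printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

Build with `cc -O2 coldboot.c` (file name assumed). A real dump is gigabytes rather than 4 KiB and the scan is linear in its size, but nothing else changes; AES-256 volumes are found the same way with the 240-byte schedule. This is the attack the "cops can dump the RAM" bullet refers to, and it is why suspending to RAM with a mounted volume is weaker than powering off.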

Networks

  • evil
  • ISPs spy on you
  • assume all cables are tapped, intercepted
  • routers & modems are vulnerable
  • NSA suppresses openwrt to keep them that way
  • closed hardware drivers are the other culprit - patents, binary blobs
    • some things need old kernels: more work for kernel devs
    • #1 reason some hardware needs dd-wrt, not openwrt
  • cell phones especially, even with cyanogenmod

Mesh

  • harder to wiretap individuals
  • but ideally should not be trusted either - end-to-end encryption
  • can do location analysis, enable stalkers (seattle)
  • mac address randomization: unsupported, not foolproof, easy to block

Tor, VPNs, Proxies

  • protect you from your own ISP/network hardware
  • provider or exit node still can spy on you
  • much VPN software, and many VPN protocols, are unaudited
  • local traffic analysis & timestamps could give you less deniability
  • they can tell WHEN you are using tor/vpn
  • tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  • flash is evil: poor sandboxing, disrespects proxies

MITM

  • anyone controlling the pipes can do it
  • Tor can make this WORSE, not better: the exit node is in the pipe too, so transparent router-level Tor is also bad

Crypto

Datamining

Cookies

  • ad networks: google, etc
  • analytics: google, etc
  • CDNs: google, amazon, akamai
  • social networks: facebook "like" button, twitter, etc
  • session cookies partially solve this
    • but how long is your session?
    • what did you do in your session?
  • persistence - anything on disk: flash cookies, DOM objects, cache
  • deleting flash cookies deletes security settings. flash is evil!
  • disk encryption does not solve this - it is still a disk!
  • private / incognito mode partially solves, makes false promises
  • TAILS solves this - defense in depth

Fingerprinting

  • https://panopticlick.eff.org/
  • http://browserspy.dk
  • tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
  • https reduces the attack surface but does not solve fingerprinting
    • with plain http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE on the path, not just the site

Other

  • referers
  • geolocation
  • URL shorteners: t.co, bit.ly
  • if you're not paying, you're the product