Difference between revisions of "Security Overview"

From Sudo Room
Jump to: navigation, search
(reformat with bullet points)
(Endpoints: clean up, expand a little bit)
Line 26: Line 26:
 
* how exploits work: backdoors, CVEs, black market, foxacid
 
* how exploits work: backdoors, CVEs, black market, foxacid
 
* hall of shame: skype, silverlight, flash are all evil
 
* hall of shame: skype, silverlight, flash are all evil
 +
* early security: mainframes, protecting users from each other
 
* how a computer works
 
* how a computer works
 
** picture a vast table of index cards - that is memory, it is addressable
 
** picture a vast table of index cards - that is memory, it is addressable
Line 52: Line 53:
 
*** interact with images, html, javascript, emails
 
*** interact with images, html, javascript, emails
 
*** buffer overflows, bad code, bad runtime, bad languages
 
*** buffer overflows, bad code, bad runtime, bad languages
 +
*** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
 
*** if remote attacker can run code directly on your CPU, that's an execution bug
 
*** if remote attacker can run code directly on your CPU, that's an execution bug
 
*** this is how the NSA defeated TBB: bug in firefox xml library
 
*** this is how the NSA defeated TBB: bug in firefox xml library
Line 57: Line 59:
 
* arms race: who wants to break in?
 
* arms race: who wants to break in?
 
** govts, spies
 
** govts, spies
** vandals - gnaa, syrian electronic army
+
** vandals, trolls, syrian electronic army
 
** botnets: send spam, mine bitcoin, steal your identity
 
** botnets: send spam, mine bitcoin, steal your identity
 
** black market for pwnd computers, amazon accounts, etc
 
** black market for pwnd computers, amazon accounts, etc
Line 71: Line 73:
 
*** prevents propagation, phoning home, so no payload for attacker
 
*** prevents propagation, phoning home, so no payload for attacker
 
*** NAT is not security, ipv6 is coming, "internet of things" *shiver*
 
*** NAT is not security, ipv6 is coming, "internet of things" *shiver*
* developer security
+
 
** source control (git)
+
==Developer Security==
** package signing
+
* source control
** opsec
+
** http://www.git-scm.com/about/info-assurance
 +
** https://www.kernel.org/
 +
** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg
 +
* secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
 +
* package signing, opsec
 +
* deterministic builds are the future
 +
** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
 +
** https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
 
** multiple compiler ecosystems (gcc, llvm/clang)
 
** multiple compiler ecosystems (gcc, llvm/clang)
** deterministic builds are the future
 
** secret backdoors submitted openly (selinux?)
 
  
 
==Disk Encryption==
 
==Disk Encryption==
 
 
* "rubber hose cryptanalysis" https://xkcd.com/538/
 
* "rubber hose cryptanalysis" https://xkcd.com/538/
 
* adds security at rest, but not while running
 
* adds security at rest, but not while running
Line 87: Line 93:
 
* always keep backups - data loss is DoS
 
* always keep backups - data loss is DoS
 
* deniability is very hard
 
* deniability is very hard
* steganography: hiding in plain sight
+
** much easier to avoid being a suspect
 +
** having TBB on your disk is a red flag, especially with particular extensions
 +
** ideal solution is steganography: hiding in plain sight
  
 
=Networks=
 
=Networks=

Revision as of 13:20, 15 December 2013

http://does-this-need-to-be-said.tumblr.com/

Social Engineering & Basic Stuff

Hardware

Endpoints

  • nonfree software (microsoft, apple, google: all evil)
  • security updates: package managers are the only way
  • app stores add complications: paywalls, "permission creep"
  • how exploits work: backdoors, CVEs, black market, foxacid
  • hall of shame: skype, silverlight, flash are all evil
  • early security: mainframes, protecting users from each other
  • how a computer works
    • picture a vast table of index cards - that is memory, it is addressable
    • CPU instructions manipulate the index cards
    • I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
  • how an operating system works
    • kernel vs userspace - enforced by CPU
      • kernel runs on a CPU, has access to hardware
      • CPU time is expensive, so how to multitask?
      • kernel invents concept of "users", protects them from each other
      • if user figures out how to mess with the kernel, that's an escalation bug
      • userspace is often called a "shell"
      • trusted boot
    • super users
      • root on unix, admin on windows
      • privilege separation made windows XP unusable
      • android uses privilege separation - every app is its own user
      • getting super user is also an escalation bug
      • sometimes achieved by keyloggers
      • Xorg / linux desktop ships with its own keylogger (xev)
    • userspace apps are sandboxes
      • interact with images, html, javascript, emails
      • buffer overflows, bad code, bad runtime, bad languages
      • difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
      • if remote attacker can run code directly on your CPU, that's an execution bug
      • this is how the NSA defeated TBB: bug in firefox xml library
      • execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  • arms race: who wants to break in?
    • govts, spies
    • vandals, trolls, syrian electronic army
    • botnets: send spam, mine bitcoin, steal your identity
    • black market for pwnd computers, amazon accounts, etc
    • because exploits are valuable, they use sparingly to avoid discovery
  • defense in depth
    • antivirus
      • helps slow mass infections
      • does not protect you personally
      • it's too late, wipe & restore
      • cannot remove all rootkits, kernel exploits, firmware worms
    • firewalls
      • reduce attack surface
      • prevents propagation, phoning home, so no payload for attacker
      • NAT is not security, ipv6 is coming, "internet of things" *shiver*

Developer Security

Disk Encryption

  • "rubber hose cryptanalysis" https://xkcd.com/538/
  • adds security at rest, but not while running
  • android makes this easy
  • your mugger probably won't dump the RAM, but cops can
  • always keep backups - data loss is DoS
  • deniability is very hard
    • much easier to avoid being a suspect
    • having TBB on your disk is a red flag, especially with particular extensions
    • ideal solution is steganography: hiding in plain sight

Networks

  • evil
  • ISPs spy on you
  • assume all cables are tapped, intercepted
  • routers & modems are vulnerable
  • NSA suppresses openwrt to keep them that way
  • closed hardware drivers are the other culprit - patents, binary blobs
    • some things need old kernels: more work for kernel devs
    • #1 reason some hardware needs dd-wrt, not openwrt
  • cell phones especially, even with cyanogenmod

Mesh

  • harder to wiretap individuals
  • but ideally should not be trusted either - end-to-end encryption
  • can do location analysis, enable stalkers (seattle)
  • mac address randomization: unsupported, not foolproof, easy to block

Tor, VPNs, Proxies

  • protect you from your own ISP/network hardware
  • provider or exit node still can spy on you
  • much VPN software/protocols are not audited
  • local traffic analysis & timestamps could give you less deniability
  • they can tell WHEN you are using tor/vpn
  • tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  • flash is evil: poor sandboxing, disrespects proxies

MITM

  • anyone controlling the pipes can do it
  • Tor can make this WORSE, not better, so router-level Tor is also bad

Crypto

Datamining

Cookies

  • ad networks: google, etc
  • analytics: google, etc
  • CDNs: google, amazon, akamai
  • social networks: facebook "like" button, twitter, etc
  • session cookies partially solves
    • but how long is your session?
    • what did you do in your session?
  • persistence - anything on disk: flash cookies, DOM objects, cache
  • deleting flash cookies deletes security settings. flash is evil!
  • disk encryption does not solve this - it is still a disk!
  • private / incognito mode partially solves, makes false promises
  • TAILS solves this - defense in depth

Fingerprinting

Other

  • referers
  • geolocation
  • URL shorteners: t.co, bit.ly
  • if you're not paying, you're the product