Difference between revisions of "Security Overview"

From Sudo Room
Jump to navigation Jump to search
(→‎Endpoints: clean up & consolidate more)
(→‎Crypto: add some ssl links)
Line 134: Line 134:
** show example of site that sells SSL certs (namecheap.com)
** example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx
** show directory with certs your OS trusts
** example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/
** any of these orgs can impersonate any website
** any of these orgs can impersonate any website
** cert authorities don't solve mitm, just narrows down who can do it
** cert authorities don't solve mitm, just narrows down who can do it

Revision as of 13:52, 15 December 2013


Social Engineering & Basic Stuff



early security: mainframes, protecting users from each other

  • how a computer works
    • picture a vast table of index cards - that is memory, it is addressable
    • CPU instructions manipulate the index cards
    • I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
  • how an operating system works
    • kernel vs userspace - enforced by CPU
      • kernel runs on a CPU, has access to hardware
      • CPU time is expensive, so how to multitask?
      • kernel invents concept of "users", protects them from each other
      • if user figures out how to mess with the kernel, that's an escalation bug
      • userspace is often called a "shell"
      • trusted boot
    • super users
      • root on unix, admin on windows
      • privilege separation made windows XP unusable
      • android uses privilege separation - every app is its own user
      • getting super user is also an escalation bug
      • sometimes achieved by keyloggers
      • Xorg / linux desktop ships with its own keylogger (xev)
    • userspace apps are sandboxes
      • interact with images, html, javascript, emails
      • buffer overflows, bad code, bad runtime, bad languages
      • difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
      • if remote attacker can run code directly on your CPU, that's an execution bug
      • this is how the NSA defeated TBB: bug in firefox xml library
      • execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  • arms race: who wants to break in?
    • govts, spies
    • vandals, trolls, syrian electronic army
    • botnets: send spam, mine bitcoin, steal your identity
    • black market for pwnd computers, amazon accounts, etc
    • backdoors, CVEs, foxacid
    • because exploits are valuable, they use sparingly to avoid discovery
    • updates
      • always update!
      • package managers are the only way
      • app stores add complications: paywalls, "permission creep"
    • nonfree software
      • microsoft, apple, google: all evil
      • hall of shame: skype, silverlight, flash are all evil
  • defense in depth
    • antivirus
      • helps slow mass infections
      • does not protect you personally
      • it's too late, wipe & restore
      • cannot remove all rootkits, kernel exploits, firmware worms
    • firewalls
      • reduce attack surface
      • prevents propagation, phoning home, so no payload for attacker
      • NAT is not security, ipv6 is coming, "internet of things" *shiver*

Developer Security

Disk Encryption

  • "rubber hose cryptanalysis" https://xkcd.com/538/
  • adds security at rest, but not while running
  • android makes this easy
  • your mugger probably won't dump the RAM, but cops can
  • always keep backups - data loss is DoS
  • deniability is very hard
    • much easier to avoid being a suspect
    • having TBB on your disk is a red flag, especially with particular extensions
    • ideal solution is steganography: hiding in plain sight


  • evil
  • ISPs spy on you
  • assume all cables are tapped, intercepted
  • routers & modems are vulnerable
  • NSA suppresses openwrt to keep them that way
  • closed hardware drivers are the other culprit - patents, binary blobs
    • some things need old kernels: more work for kernel devs
    • #1 reason some hardware needs dd-wrt, not openwrt
  • cell phones especially, even with cyanogenmod


  • harder to wiretap individuals
  • but ideally should not be trusted either - end-to-end encryption
  • can do location analysis, enable stalkers (seattle)
  • mac address randomization: unsupported, not foolproof, easy to block

Tor, VPNs, Proxies

  • protect you from your own ISP/network hardware
  • provider or exit node still can spy on you
  • much VPN software/protocols are not audited
  • local traffic analysis & timestamps could give you less deniability
  • they can tell WHEN you are using tor/vpn
  • tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  • flash is evil: poor sandboxing, disrespects proxies


  • anyone controlling the pipes can do it
  • Tor can make this WORSE, not better, so router-level Tor is also bad




  • ad networks: google, etc
  • analytics: google, etc
  • CDNs: google, amazon, akamai
  • social networks: facebook "like" button, twitter, etc
  • session cookies partially solves
    • but how long is your session?
    • what did you do in your session?
  • persistence - anything on disk: flash cookies, DOM objects, cache
  • deleting flash cookies deletes security settings. flash is evil!
  • disk encryption does not solve this - it is still a disk!
  • private / incognito mode partially solves, makes false promises
  • TAILS solves this - defense in depth



  • referers
  • geolocation
  • URL shorteners: t.co, bit.ly
  • if you're not paying, you're the product