Security Overview

From Sudo Room
Revision as of 12:53, 15 December 2013 by Yar (talk | contribs) (reformat with bullet points)
Jump to navigation Jump to search

Social Engineering & Basic Stuff



  • nonfree software (microsoft, apple, google: all evil)
  • security updates: package managers are the only way
  • app stores add complications: paywalls, "permission creep"
  • how exploits work: backdoors, CVEs, black market, foxacid
  • hall of shame: skype, silverlight, flash are all evil
  • how a computer works
    • picture a vast table of index cards - that is memory, it is addressable
    • CPU instructions manipulate the index cards
    • I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
  • how an operating system works
    • kernel vs userspace - enforced by CPU
      • kernel runs on a CPU, has access to hardware
      • CPU time is expensive, so how to multitask?
      • kernel invents concept of "users", protects them from each other
      • if user figures out how to mess with the kernel, that's an escalation bug
      • userspace is often called a "shell"
      • trusted boot
    • super users
      • root on unix, admin on windows
      • privilege separation made windows XP unusable
      • android uses privilege separation - every app is its own user
      • getting super user is also an escalation bug
      • sometimes achieved by keyloggers
      • Xorg / linux desktop ships with its own keylogger (xev)
    • userspace apps are sandboxes
      • interact with images, html, javascript, emails
      • buffer overflows, bad code, bad runtime, bad languages
      • if remote attacker can run code directly on your CPU, that's an execution bug
      • this is how the NSA defeated TBB: bug in firefox xml library
      • execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
  • arms race: who wants to break in?
    • govts, spies
    • vandals - gnaa, syrian electronic army
    • botnets: send spam, mine bitcoin, steal your identity
    • black market for pwnd computers, amazon accounts, etc
    • because exploits are valuable, they use sparingly to avoid discovery
  • defense in depth
    • antivirus
      • helps slow mass infections
      • does not protect you personally
      • it's too late, wipe & restore
      • cannot remove all rootkits, kernel exploits, firmware worms
    • firewalls
      • reduce attack surface
      • prevents propagation, phoning home, so no payload for attacker
      • NAT is not security, ipv6 is coming, "internet of things" *shiver*
  • developer security
    • source control (git)
    • package signing
    • opsec
    • multiple compiler ecosystems (gcc, llvm/clang)
    • deterministic builds are the future
    • secret backdoors submitted openly (selinux?)

Disk Encryption

  • "rubber hose cryptanalysis"
  • adds security at rest, but not while running
  • android makes this easy
  • your mugger probably won't dump the RAM, but cops can
  • always keep backups - data loss is DoS
  • deniability is very hard
  • steganography: hiding in plain sight


  • evil
  • ISPs spy on you
  • assume all cables are tapped, intercepted
  • routers & modems are vulnerable
  • NSA suppresses openwrt to keep them that way
  • closed hardware drivers are the other culprit - patents, binary blobs
    • some things need old kernels: more work for kernel devs
    • #1 reason some hardware needs dd-wrt, not openwrt
  • cell phones especially, even with cyanogenmod


  • harder to wiretap individuals
  • but ideally should not be trusted either - end-to-end encryption
  • can do location analysis, enable stalkers (seattle)
  • mac address randomization: unsupported, not foolproof, easy to block

Tor, VPNs, Proxies

  • protect you from your own ISP/network hardware
  • provider or exit node still can spy on you
  • much VPN software/protocols are not audited
  • local traffic analysis & timestamps could give you less deniability
  • they can tell WHEN you are using tor/vpn
  • tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
  • flash is evil: poor sandboxing, disrespects proxies


  • anyone controlling the pipes can do it
  • Tor can make this WORSE, not better, so router-level Tor is also bad




  • ad networks: google, etc
  • analytics: google, etc
  • CDNs: google, amazon, akamai
  • social networks: facebook "like" button, twitter, etc
  • session cookies partially solves
    • but how long is your session?
    • what did you do in your session?
  • persistence - anything on disk: flash cookies, DOM objects, cache
  • deleting flash cookies deletes security settings. flash is evil!
  • disk encryption does not solve this - it is still a disk!
  • private / incognito mode partially solves, makes false promises
  • TAILS solves this - defense in depth



  • referers
  • geolocation
  • URL shorteners:,
  • if you're not paying, you're the product