Security Overview

From Sudo Room
Revision as of 11:42, 15 December 2013 by Yar (talk | contribs) (update, partially consolidate)
Jump to navigation Jump to search

Social Engineering & Basic Stuff

* doxxing:
* cultivate multiple identities, emails, usernames, etc
* be very wary of facebook, g+, social networks
* always avoid using your legal name, address
* avoid logging in on your phone, or entering your phone #
* you can look up license plates
* "20 questions" metaphor:


* cameras, microphones, radios
* facial recognition
* evil chip manufacturers
* keyloggers
* monitors leak radiation
* tracking devices on cars - ride a bicycle, store it indoors
* burner phones - prepaid, kept batteryless
* tin foil houses:


* nonfree software (microsoft, apple, google: all evil)
* security updates: package managers are the only way
* app stores add complications: paywalls, "permission creep"
* how exploits work: backdoors, CVEs, black market, foxacid
* hall of shame: skype, silverlight, flash are all evil
* how a computer works
  * picture a vast table of index cards - that is memory, it is addressable
  * CPU instructions manipulate the index cards
  * I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor)
* how an operating system works
  * kernel vs userspace - enforced by CPU
    * kernel runs on a CPU, has access to hardware
    * CPU time is expensive, so how to multitask?
    * kernel invents concept of "users", protects them from each other
    * if user figures out how to mess with the kernel, that's an escalation bug
    * userspace is often called a "shell"
    * trusted boot
      * causing kernel escalation bugs to be taken more seriously
      * when combined with full-disk encryption, prevents "evil maid"
      * sometimes only trusts windows
      * attempts at closing this hole on linux:
  * super users
    * root on unix, admin on windows
    * privilege separation made windows XP unusable
    * android uses privilege separation - every app is its own user
    * getting super user is also an escalation bug
    * sometimes achieved by keyloggers
    * Xorg / linux desktop ships with its own keylogger (xev)
  * userspace apps are sandboxes
    * interact with images, html, javascript, emails
    * buffer overflows, bad code, bad runtime, bad languages
    * if remote attacker can run code directly on your CPU, that's an execution bug
    * this is how the NSA defeated TBB: bug in firefox xml library
    * execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
* arms race: who wants to break in?
    * govts, spies
    * vandals - gnaa, syrian electronic army
    * botnets: send spam, mine bitcoin, steal your identity
    * black market for pwnd computers, amazon accounts, etc
    * because exploits are valuable, they use sparingly to avoid discovery
* defense in depth
  * antivirus
    * helps slow mass infections
    * does not protect you personally
    * it's too late, wipe & restore
    * cannot remove all rootkits, kernel exploits, firmware worms
  * firewalls
    * reduce attack surface
    * prevents propagation, phoning home, so no payload for attacker
    * NAT is not security, ipv6 is coming, "internet of things" *shiver*
* developer security
  * source control (git)
  * package signing
  * opsec
  * multiple compiler ecosystems (gcc, llvm/clang)
  * deterministic builds are the future
  * secret backdoors submitted openly (selinux?)

disk encryption

* "rubber hose cryptanalysis"
* adds security at rest, but not while running
* android makes this easy
* your mugger probably won't dump the RAM, but cops can
* always keep backups - data loss is DoS
* deniability is very hard
* steganography: hiding in plain sight


networks are evil

* ISPs spy on you
* assume all cables are tapped, intercepted
* routers & modems are vulnerable
* NSA suppresses openwrt to keep them that way
* closed hardware drivers are the other culprit - patents, binary blobs
  * some things need old kernels: more work for kernel devs
  * #1 reason some hardware needs dd-wrt, not openwrt
* cell phones especially, even with cyanogenmod

mesh networks

* harder to wiretap individuals
* but ideally should not be trusted either - end-to-end encryption
* can do location analysis, enable stalkers (seattle)
* mac address randomization: unsupported, not foolproof, easy to block

tor, vpns, proxies

* protect you from your own ISP/network hardware
* provider or exit node still can spy on you
* much VPN software/protocols are not audited
* local traffic analysis & timestamps could give you less deniability
* they can tell WHEN you are using tor/vpn
* tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb)
* flash is evil: poor sandboxing, disrespects proxies


* anyone controlling the pipes can do it
* Tor can make this WORSE, not better, so router-level Tor is also bad


  • SSL
 * show example of site that sells SSL certs (
 * show directory with certs your OS trusts
 * any of these orgs can impersonate any website
 * cert authorities don't solve mitm, just narrows down who can do it
  • US & UK govt: FLYING PIG?
 * french govt
 * chinese govt
  • bootstrap problem
 * HSTS preloading
 * ipsec + dnssec + dane
  • metadata
 * even with SSL, they can see who you're talking to
 * traffic analysis, packet size gives away a lot: google maps tiles, for example
  • tor hidden services
 * the address is the certificate
 * solves the mitm problem
 * solves the metadata problem
 * solves the auth problem
 * are not user-friendly by today's standards
 * this is what securedrop uses
  • in the future we will all memorize hashes like phone #s
 * similarly:
 * OTR approximates this
 * this means that access to truly random numbers is very important
   * specialized crypto hardware
   * PRNGs: android fail
   * freebsd no longer trusts intel



* ad networks: google, etc
* analytics: google, etc
* CDNs: google, amazon, akamai
* social networks: facebook "like" button, twitter, etc
* session cookies partially solves
  * but how long is your session?
  * what did you do in your session?
* persistence - anything on disk: flash cookies, DOM objects, cache
* deleting flash cookies deletes security settings. flash is evil!
* disk encryption does not solve this - it is still a disk!
* private / incognito mode partially solves, makes false promises
  * bugs, leaks, plugins:
* TAILS solves this - defense in depth

browser fingerprinting

* https reduces attack surface but does not solve
  * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
  * with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks
* in active use at major sites
* worst offenders: javascript, plugins, user agents
* TBB does its best, not perfect
* TAILS mostly solves - but webrtc
* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis

other datamining vectors

* referers
* geolocation
* URL shorteners:,
* if you're not paying, you're the product