Security Overview

From Sudo Room
Revision as of 12:42, 15 December 2013 by Yar (talk | contribs) (update, partially consolidate)

http://does-this-need-to-be-said.tumblr.com/

Social Engineering & Basic Stuff

* doxxing: how people get unmasked from scattered public data: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/
* cultivate multiple identities: separate emails, usernames, etc, never linked to each other
* be very wary of facebook, g+, social networks: their whole business is correlating identities
* always avoid using your legal name or address
* avoid logging into services from your phone, or giving services your phone number: the number ties all your accounts together
* license plates can be looked up, so your car identifies you
* "20 questions" metaphor: each small fact narrows down who you are: http://geer.tinho.net/geer.uncc.9x13.txt

Hardware

* cameras, microphones, radios: every modern device has them
* facial recognition
* untrusted chip manufacturers: a backdoor built into the silicon sits below anything software can check
* keyloggers: a hardware one sits between keyboard and machine and no software can see it
* monitors leak electromagnetic emanations that can be read at a distance (TEMPEST)
* tracking devices on cars - ride a bicycle, store it indoors
* burner phones - prepaid, bought with cash, kept with the battery out when not in use
* tin foil houses (portable SCIFs): http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html

Endpoints

* nonfree software: you can't audit it or fix it yourself (microsoft, apple, google: all evil)
* security updates: a package manager that updates everything from signed repositories is the only way that works; apps that update themselves one by one get missed
* app stores add complications: paywalls, "permission creep" (each update asks for a little more)
* how exploits reach you: backdoors, public CVEs, the black market, NSA's FOXACID exploit servers
* hall of shame: skype, silverlight, flash are all evil (closed, network-facing, long histories of holes)
* how a computer works
  * picture a vast table of index cards - that is memory, and every card has an address
  * CPU instructions read and write the index cards
  * I/O devices (disk, net, keyboard, mouse, monitor) are reached the same way: they have addresses/registers you read from and write to
* how an operating system works
  * kernel vs userspace - enforced by the CPU's privilege modes
    * the kernel runs in privileged mode and has direct access to the hardware
    * CPU time is expensive, so the kernel time-slices it between programs - that is multitasking
    * kernel invents the concept of "users" and protects them from each other
    * if a user program figures out how to mess with the kernel, that's a privilege escalation bug
    * userspace is where your programs run; the "shell" is just one userspace program among them
    * trusted boot: firmware checks the signatures on the bootloader and kernel before running them
      * causes kernel escalation bugs to be taken more seriously: they become the remaining way to persist
      * when combined with full-disk encryption, defends against the "evil maid" (brief physical access used to tamper with the boot path)
      * UEFI secure boot as shipped often only trusts microsoft's signing keys
      * attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/
  * super users
    * root on unix, Administrator on windows
    * on windows XP, running as a limited user broke so much software that everyone just ran as admin
    * android uses privilege separation - every app runs as its own unix user
    * getting super user is also an escalation bug
    * sometimes achieved by keyloggers (the root password is just another keystroke)
    * X11 has no isolation between clients: any X program can read every keystroke (try xev or xinput test), so the linux desktop effectively ships with its own keylogger
  * userspace apps are supposed to be sandboxes for untrusted input
    * they interact with images, html, javascript, emails - all attacker-controlled
    * buffer overflows, bad code, bad runtimes, bad (memory-unsafe) languages
    * if a remote attacker can run code directly on your CPU, that's a (remote code) execution bug
    * this is how the NSA defeated TBB (Tor Browser Bundle) in 2013: a bug in firefox's xml library
    * execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd
* arms race: who wants to break in?
  * govts, spies
  * vandals - gnaa, syrian electronic army
  * botnets: send spam, mine bitcoin, steal your identity
  * black market for pwnd computers, amazon accounts, etc
  * because exploits are valuable, attackers use them sparingly to avoid discovery (a detected exploit gets patched and becomes worthless)
* defense in depth
  * antivirus
    * helps slow mass infections
    * does not protect you personally against a targeted attack
    * if it fires, it's already too late: wipe & restore from backups
    * cannot reliably remove rootkits, kernel exploits, firmware worms - it runs above them, not below
  * firewalls
    * reduce attack surface: nothing listening means nothing to exploit
    * block propagation and phoning home, so an attacker who gets a foothold can't fetch a payload or exfiltrate
    * NAT is not security, ipv6 is coming (every device publicly addressable), "internet of things" *shiver*
* developer security
  * source control (git): every change is attributable and reviewable
  * package signing: so what users install is what the developer actually built
  * opsec: protect the signing keys and the build machines
  * multiple compiler ecosystems (gcc, llvm/clang): harder to hide a trojaned compiler when builds can be cross-checked
  * deterministic builds are the future: anyone can rebuild from source and verify the binary matches
  * secret backdoors can be submitted openly as ordinary patches (selinux came from the NSA, hence the suspicion?)

disk encryption

* "rubber hose cryptanalysis": they don't break the crypto, they break you https://xkcd.com/538/
* adds security at rest, but not while the machine is running: the key is sitting in RAM
* android makes this easy
* your mugger probably won't dump the RAM to recover the key, but cops can (cold boot attacks)
* always keep backups - data loss is DoS, and a forgotten passphrase is data loss
* deniability (hidden volumes nobody can prove exist) is very hard to do convincingly
* steganography: hiding in plain sight

Networks

networks are evil

* ISPs spy on you
* assume all cables are tapped, intercepted
* routers & modems are vulnerable and rarely updated
* NSA suppresses openwrt to keep them that way
* closed hardware drivers are the other culprit - patents, binary blobs
  * some blobs only work with old kernels: more work for kernel devs, or no updates at all
  * #1 reason some hardware needs dd-wrt, not openwrt
* cell phones especially, even with cyanogenmod: the baseband radio is a closed computer running its own firmware

mesh networks

* harder to wiretap individuals: no single chokepoint to tap
* but ideally should not be trusted either - use end-to-end encryption over them
* a mesh can do location analysis on its own members and enable stalkers (seattle)
* mac address randomization: unsupported by most drivers, not foolproof, easy for a network to block

tor, vpns, proxies

* protect you from your own ISP/network hardware
* the provider (vpn) or exit node (tor) can still spy on you
* much VPN software and many VPN protocols are not audited
* local traffic analysis & timestamps could give you less deniability
* they can tell WHEN you are using tor/vpn, even if not what for
* tor itself only hides/obfuscates your IP address - NOTHING ELSE; cookies, user agent, plugins and DNS leaks are still on you, which is why the Tor Browser Bundle (tbb) exists
* flash is evil: poor sandboxing, disrespects proxies (connects directly and leaks your real IP)

mitm

* anyone controlling the pipes can do it: your ISP, the coffee shop wifi, a backbone tap
* tor can make this WORSE, not better: every exit node is a stranger in the middle of your unencrypted traffic, so transparent router-level tor (which pushes every app through an exit whether it expects that or not) is also bad

Crypto

* SSL
  * show example of site that sells SSL certs (namecheap.com)
  * show the directory of certs your OS trusts
  * any of these orgs can impersonate any website
  * cert authorities don't solve mitm, they just narrow down who can do it (to every CA on that list)
  * US & UK govt: FLYING PIG?
  * french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/
  * chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
* bootstrap problem: the first connection is plaintext, so how does the browser learn a site wants https?
  * HSTS preloading
  * https://www.eff.org/https-everywhere
  * ipsec + dnssec + dane
* metadata
  * even with SSL, they can see who you're talking to (IP address, hostname in SNI) and when
  * traffic analysis: packet sizes and timing give away a lot - google maps tiles, for example
* tor hidden services
  * the address is the certificate: a .onion name is derived from the service's own key
  * solves the mitm problem: nobody but the key holder can answer for that address
  * solves the metadata problem: the network sees that you use tor, not which service you're talking to
  * solves the auth problem: no certificate authority needed
  * are not user-friendly by today's standards
  * this is what securedrop uses
* in the future we will all memorize hashes like phone #s
  * similarly: hashed.im
  * OTR approximates this (verify your contact's key fingerprint out of band)
  * this means that access to truly random numbers is very important: a key is only as good as the randomness it came from
    * specialized crypto hardware
    * PRNG failures: android's SecureRandom bug (2013, bitcoin wallets emptied)
    * freebsd no longer trusts intel's hardware RNG as the sole entropy source http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
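Added example (not from the original notes or Sudo Room): "show the directory with certs your OS trusts", done from Python against the same default trust store Python's own HTTPS client uses. It counts the trusted root certs and groups them by issuing organisation; every organisation on that list can mint a certificate for any hostname. Caveat: on systems whose store is a directory of hashed files (capath) rather than one bundle file, get_ca_certs() may return nothing until certs have actually been used, so an empty result means "look elsewhere", not "nothing is trusted".

```python
import ssl
from collections import Counter


def trusted_ca_issuers():
    """Return (number of trusted CA certs, Counter of issuing organisations).

    Loads the OS default trust store exactly as Python's HTTPS client does.
    Each organisation counted here can issue a certificate for any hostname.
    """
    ctx = ssl.create_default_context()   # loads the OS default CA store
    certs = ctx.get_ca_certs()           # one dict per CA cert, getpeercert() format
    orgs = Counter()
    for cert in certs:
        # 'subject' is a tuple of RDNs; each RDN is a tuple of (name, value) pairs
        subject = {k: v for rdn in cert["subject"] for k, v in rdn}
        orgs[subject.get("organizationName", subject.get("commonName", "?"))] += 1
    return len(certs), orgs


def certificate_authority_report(top=10):
    """Human-readable summary: total roots, distinct orgs, and the biggest issuers."""
    n, orgs = trusted_ca_issuers()
    lines = [f"{n} trusted root certificates from {len(orgs)} organisations"]
    for org, count in orgs.most_common(top):
        lines.append(f"  {count:3d}  {org}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(certificate_authority_report())
```

Run it on a laptop and a bare server and compare the counts: the list is whatever the OS vendor (or the distro's ca-certificates package) decided, not anything you chose.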
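Added example (not the page's or anyone's real tooling): what "packet size gives away a lot" looks like in practice. An eavesdropper who cannot read TLS can still record the sizes of the encrypted responses a page load produces. The table of page signatures below is constructed sample data standing in for a real capture of a made-up site; the matcher buckets sizes so a few bytes of padding or header jitter don't break the match. It assumes a page's size profile is stable across visits, which holds for static content such as map tiles and breaks for pages that differ per user.

```python
from collections import Counter

# Constructed sample data, NOT a real capture: response sizes (bytes) an
# eavesdropper recorded while a known browser loaded each page once.
PAGE_SIGNATURES = {
    "/home":        [1523, 2210, 45012, 45012, 613],
    "/login":       [1523, 1801, 613],
    "/settings":    [1523, 2210, 9045, 613, 613],
    "/map/tile/x7": [1523, 38177, 38177, 40012, 39990],
}


def size_histogram(sizes, bucket=64):
    """Count responses per size bucket; bucketing absorbs small TLS/header jitter."""
    return Counter(s // bucket for s in sizes)


def match_page(observed_sizes, signatures=PAGE_SIGNATURES, bucket=64):
    """Guess which page produced the observed (still encrypted) response sizes.

    Returns (page, score); score is the fraction of the page's signature
    buckets that appear in the observation, so 1.0 is a perfect match and
    (None, 0.0) means nothing matched at all.
    """
    observed = size_histogram(observed_sizes, bucket)
    best_page, best_score = None, 0.0
    for page, sig_sizes in signatures.items():
        sig = size_histogram(sig_sizes, bucket)
        overlap = sum(min(observed[b], count) for b, count in sig.items())
        score = overlap / sum(sig.values())
        if score > best_score:
            best_page, best_score = page, score
    return best_page, best_score


if __name__ == "__main__":
    # A later visit by the target: same page, sizes differ by a few bytes of padding.
    capture = [1530, 2205, 45000, 45020, 600]
    print(match_page(capture))  # ('/home', 1.0)
```

The defence is to make sizes uninformative (padding, fixed-size tiles, batching), not stronger encryption; the ciphertext was never read.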

Datamining

cookies

* ad networks: google, etc
* analytics: google, etc
* CDNs: google, amazon, akamai
* social networks: facebook "like" button, twitter, etc - every page embedding the button reports your visit
* each of these sees you across every site that embeds them
* session cookies (no expiry, kept in memory, gone when the browser closes) partially solve this
  * but how long is your session?
  * what did you do in your session?
* persistence - anything on disk survives: flash cookies (LSOs), DOM storage, cache
* deleting flash cookies deletes flash's own security settings, because those are stored as flash cookies too. flash is evil!
* disk encryption does not solve this - it is still a disk, readable whenever the machine is unlocked
* private / incognito mode partially solves this, but makes false promises
  * bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
* TAILS solves this - nothing persists across reboots, defense in depth
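Added example (not from the original notes): sorting the Set-Cookie headers from one page load into first- vs third-party and session vs persistent, which is the distinction the bullets above draw. The responses are a constructed sample for an invented news site and invented third parties, standing in for what a browser's network log would show. Only a cookie with Expires or Max-Age goes to disk; a third-party cookie that persists is the cross-site tracking case.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample (invented hosts): the Set-Cookie headers a browser got back
# while rendering one article page, including the embedded third parties.
PAGE_URL = "https://news.example/article/42"
SAMPLE_RESPONSES = [
    ("https://news.example/article/42",
     "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=77e1; Max-Age=63072000; Path=/; Domain=.tracker.example"),
    ("https://analytics.example/collect",
     "_ga=GA1.2.5555; Expires=Tue, 15 Dec 2015 12:42:00 GMT; Path=/"),
    ("https://cdn.example/app.js", ""),  # response that set no cookie
]


def classify_cookies(page_url, responses):
    """Return (name, host, party, lifetime) for every cookie the page load set."""
    page_host = urlsplit(page_url).hostname
    out = []
    for url, header in responses:
        if not header:
            continue
        host = urlsplit(url).hostname
        jar = SimpleCookie()
        jar.load(header)               # parses name=value plus its attributes
        for name, morsel in jar.items():
            # Expires or Max-Age turns a memory-only session cookie into a
            # file on disk that survives closing the browser.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            party = "first-party" if host == page_host else "third-party"
            lifetime = "persistent" if persistent else "session"
            out.append((name, host, party, lifetime))
    return out


def tracking_cookies(page_url, responses):
    """Names of third-party cookies that persist on disk: the tracking case."""
    return [name for name, _host, party, lifetime in classify_cookies(page_url, responses)
            if party == "third-party" and lifetime == "persistent"]


if __name__ == "__main__":
    for row in classify_cookies(PAGE_URL, SAMPLE_RESPONSES):
        print(row)
    print("tracking:", tracking_cookies(PAGE_URL, SAMPLE_RESPONSES))
```

Note that the tracker's cookie in the sample is set for two years and for the whole .tracker.example domain: one identifier shared by every site that embeds that pixel.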

browser fingerprinting

* https://panopticlick.eff.org/
* http://browserspy.dk
* https reduces the attack surface but does not solve it
  * with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE on the path
  * with https you are vulnerable to fingerprinting only from the sites you visit & the 3rd party networks they embed
* in active use at major sites
  * http://homes.esat.kuleuven.be/~gacar/fpdetective/
  * https://github.com/fpdetective/fpdetective/
* worst offenders: javascript, plugins, user agents
* TBB does its best (make every user look alike), not perfect
* TAILS mostly solves this - but webrtc
* still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis
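Added example (not panopticlick's code): the arithmetic behind panopticlick's "bits of identifying information". The population of eight visitors is constructed sample data; a real site has millions. For one visitor it reports how many bits each attribute leaks on its own, how many the whole fingerprint leaks, and whether that fingerprint is unique in the population. Two things to notice: the per-attribute bits add up to more than the whole, because the attributes are correlated; and the two Tor Browser visitors are indistinguishable, which is the TBB strategy of making everyone look the same.

```python
import hashlib
import math

# Constructed sample population (not real measurements): what a fingerprinting
# site saw from eight visitors, one tuple per visitor. A visitor you query must
# be in the population (add them first); otherwise share is 0 and log2 fails.
ATTRIBUTES = ("user_agent", "plugins", "timezone", "screen")
POPULATION = [
    ("Firefox/25 Linux", "none", "UTC-8", "1366x768"),
    ("Firefox/25 Linux", "none", "UTC-8", "1920x1080"),
    ("Firefox/25 Linux", "Flash 11.9", "UTC-8", "1366x768"),
    ("Chrome/31 Windows", "Flash 11.9,Silverlight 5", "UTC-5", "1366x768"),
    ("Chrome/31 Windows", "Flash 11.9", "UTC-5", "1920x1080"),
    ("Chrome/31 Windows", "Flash 11.9", "UTC-8", "1366x768"),
    ("Tor Browser", "none", "UTC", "1000x700"),
    ("Tor Browser", "none", "UTC", "1000x700"),
]


def fingerprint(visitor):
    """What a tracker stores: a hash of all attributes, stable across visits."""
    return hashlib.sha256("|".join(visitor).encode()).hexdigest()[:16]


def surprisal_bits(value, column):
    """-log2(share of the population with this value): rarer means more bits."""
    share = column.count(value) / len(column)
    return -math.log2(share)


def identifying_bits(visitor, population=POPULATION):
    """Bits leaked by each attribute alone, and by the full fingerprint."""
    per_attribute = {}
    for i, name in enumerate(ATTRIBUTES):
        column = [p[i] for p in population]
        per_attribute[name] = surprisal_bits(visitor[i], column)
    whole = surprisal_bits(visitor, population)
    return per_attribute, whole


def is_unique(visitor, population=POPULATION):
    """True if nobody else in the population has this exact fingerprint."""
    return population.count(visitor) == 1


if __name__ == "__main__":
    for v in (POPULATION[2], POPULATION[6]):
        per_attr, whole = identifying_bits(v)
        print(fingerprint(v), f"{whole:.1f} bits, unique={is_unique(v)}", per_attr)
```

With a population of 8 the most any fingerprint can leak is 3 bits; against a real population the same arithmetic routinely gives 18+ bits, enough to single one browser out of hundreds of thousands.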

other datamining vectors

* referers: every link you click tells the destination which page you came from
* geolocation
* URL shorteners: t.co, bit.ly - every click passes through them first, and they log it
* if you're not paying, you're the product