Changes

Jump to navigation Jump to search

Security Overview

762 bytes added, 12:36, 17 December 2013
→‎Fingerprinting: link to tor bug tracker
=Social Engineering & Basic Stuff=
  * doxxing: http://thebot.net/general-tutorials/233339-how-doxing-works-protect-yourself/ * cultivate multiple identities, emails, usernames, etc * be very wary of facebook, g+, social networks * always avoid using your legal name, address * avoid logging in on your phone, or entering your phone # * you can look up license plates * "20 questions" metaphor: http://geer.tinho.net/geer.uncc.9x13.txt
=Hardware=
* cameras, microphones, radios * facial recognition * evil chip manufacturers * keyloggers * monitors leak radiation * tracking devices on cars - ride a bicycle, store it indoors * burner phones - prepaid, kept batteryless * tin foil houses: http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html
=Endpoints=
* nonfree software (microsoft, apple, google: all evil) * early security updates: package managers are the only way * app stores add complications: paywallsmainframes, "permission creep" * how exploits work: backdoors, CVEs, black market, foxacidprotecting users from each other * hall of shame: skype, silverlight, flash are all evil * how a computer works ** picture a vast table of index cards - that is memory, it is addressable ** CPU instructions manipulate the index cards ** I/O devices all have addresses you write to/from (registers, ram, disk, net, keyboard, mouse, monitor) * how an operating system works ** kernel vs userspace - enforced by CPU *** kernel runs on a CPU, has access to hardware *** CPU time is expensive, so how to multitask? *** kernel invents concept of "users", protects them from each other *** if user figures out how to mess with the kernel, that's an escalation bug *** userspace is often called a "shell" *** trusted boot **** causing kernel escalation bugs to be taken more seriously **** when combined with full-disk encryption, prevents "evil maid" **** sometimes only trusts windows **** attempts at closing this hole on linux: http://www.outflux.net/blog/archives/2013/12/10/live-patching-the-kernel/ ** super users *** root on unix, admin on windows *** privilege separation made windows XP unusable *** android uses privilege separation - every app is its own user *** getting super user is also an escalation bug *** sometimes achieved by keyloggers *** Xorg / linux desktop ships with its own keylogger (xev) ** userspace apps are sandboxes *** interact with images, html, javascript, emails *** buffer overflows, bad code, bad runtime, bad languages *** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous*** if remote attacker can run code directly on your CPU, that's an execution bug *** this is how the NSA defeated TBB: bug in firefox xml library *** execution (get shell) then escalation (get root), optionally get kernel (rootkit) == pwnd * arms race: who wants to break in? ** govts, spies ** vandals - gnaa, trolls, syrian electronic army ** botnets: send spam, mine bitcoin, steal your identity ** black market for pwnd computers, amazon accounts, etc ** backdoors, CVEs, foxacid** because exploits are valuable, they use sparingly to avoid discovery ** updates*** always update!*** package managers are the only way*** app stores add complications: paywalls, "permission creep"** nonfree software*** microsoft, apple, google: all evil*** hall of shame: skype, silverlight, flash are all evil*** http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android* defense in depth ** antivirus *** helps slow mass infections *** does not protect you personally *** it's too late, wipe & restore *** cannot remove all rootkits, kernel exploits, firmware worms ** firewalls *** reduce attack surface *** prevents propagation, phoning home, so no payload for attacker *** NAT is not security, ipv6 is coming, "internet of things" *shiver* * developer security ==Developer Security==* source control (** http://www.git)-scm.com/about/info-assurance** https://www.kernel.org/** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg* secret backdoors submitted openly? https://www.nsa.gov/research/selinux/ * package signing, opsec* deterministic builds are the future** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise * opsec* https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details ** multiple compiler ecosystems (gcc, llvm/clang) * deterministic builds are the future * secret backdoors submitted openly (selinux?)
disk encryption==Disk Encryption== * "rubber hose cryptanalysis" https://xkcd.com/538/ * adds security at rest, but not while running * android makes this easy * your mugger probably won't dump the RAM, but cops can * always keep backups - data loss is DoS * deniability is very hard * * much easier to avoid being a suspect** having TBB on your disk is a red flag, especially with particular extensions** ideal solution is steganography: hiding in plain sight
=Networks=
networks are * evil * ISPs spy on you * assume all cables are tapped, intercepted * routers & modems are vulnerable * NSA suppresses openwrt to keep them that way * closed hardware drivers are the other culprit - patents, binary blobs ** some things need old kernels: more work for kernel devs ** #1 reason some hardware needs dd-wrt, not openwrt * cell phones especially, even with cyanogenmod
mesh networks==Mesh== * harder to wiretap individuals * but ideally should not be trusted either - end-to-end encryption * can do location analysis, enable stalkers (seattle) * mac address randomization: unsupported, not foolproof, easy to block
tor==Tor, vpnsVPNs, proxiesProxies== * protect you from your own ISP/network hardware * provider or exit node still can spy on you * much VPN software/protocols are not audited * local traffic analysis & timestamps could give you less deniability * they can tell WHEN you are using tor/vpn * tor only hides/obfuscates your IP address - NOTHING ELSE (unless you use tbb) * flash is evil: poor sandboxing, disrespects proxies
mitm==MITM== * anyone controlling the pipes can do it * Tor can make this WORSE, not better, so router-level Tor is also bad
=Crypto=
* SSL
* show * example of site that sells SSL certs (: https://www.namecheap.com)/ssl-certificates.aspx * show directory with certs your * example of who an OS trusts(Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/ ** any of these orgs can impersonate any website ** cert authorities don't solve mitm, just narrows down who can do it** US & UK govt: FLYING PIG? *** french govt http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/ *** chinese govt https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle** bootstrap problem *** HSTS preloading *** https://www.eff.org/https-everywhere *** ipsec + dnssec + dane** metadata *** even with SSL, they can see who you're talking to *** traffic analysis, packet size gives away a lot: google maps tiles, for example
* tor hidden services
** the address is the certificate ** solves the mitm problem ** solves the metadata problem ** solves the auth problem ** are not user-friendly by today's standards ** this is what securedrop uses
* in the future we will all memorize hashes like phone #s
** similarly: hashed.im ** OTR approximates this ** this means that access to truly random numbers is very important *** specialized crypto hardware *** PRNGs: android fail *** freebsd no longer trusts intel http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
=Datamining=
cookies==Cookies== * ad networks: google, etc * analytics: google, etc * CDNs: google, amazon, akamai * social networks: facebook "like" button, twitter, etc * session cookies partially solves ** but how long is your session? ** what did you do in your session? * persistence - anything on disk: flash cookies, DOM objects, cache * deleting flash cookies deletes security settings. flash is evil! * disk encryption does not solve this - it is still a disk! * private / incognito mode partially solves, makes false promises ** bugs, leaks, plugins: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs * TAILS solves this - defense in depth
browser fingerprinting==Fingerprinting== * https://panopticlick.eff.org/ * http://browserspy.dk * tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting* https reduces attack surface but does not solve ** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE ** with https you are vulnerable to fingerprinting from sites you visit & 3rd party networks * in active use at major sites ** http://homes.esat.kuleuven.be/~gacar/fpdetective/ ** https://github.com/fpdetective/fpdetective/ * worst offenders: javascript, plugins, user agents * TBB does its best, not perfect * TAILS mostly solves - but webrtc * still leaves: your language, timezone (country), window size, timestamps, things you say & do, textual analysis
other datamining vectors==Other== * referers * geolocation * URL shorteners: t.co, bit.ly * if you're not paying, you're the product

Navigation menu