Difference between revisions of "Security Overview"

Jump to navigation Jump to search
698 bytes added ,  13:20, 15 December 2013
→‎Endpoints: clean up, expand a little bit
(reformat with bullet points)
(→‎Endpoints: clean up, expand a little bit)
Line 26: Line 26:
* how exploits work: backdoors, CVEs, black market, foxacid
* how exploits work: backdoors, CVEs, black market, foxacid
* hall of shame: skype, silverlight, flash are all evil
* hall of shame: skype, silverlight, flash are all evil
* early security: mainframes, protecting users from each other
* how a computer works
* how a computer works
** picture a vast table of index cards - that is memory, it is addressable
** picture a vast table of index cards - that is memory, it is addressable
Line 52: Line 53:
*** interact with images, html, javascript, emails
*** interact with images, html, javascript, emails
*** buffer overflows, bad code, bad runtime, bad languages
*** buffer overflows, bad code, bad runtime, bad languages
*** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous
*** if remote attacker can run code directly on your CPU, that's an execution bug
*** if remote attacker can run code directly on your CPU, that's an execution bug
*** this is how the NSA defeated TBB: bug in firefox xml library
*** this is how the NSA defeated TBB: bug in firefox xml library
Line 57: Line 59:
* arms race: who wants to break in?
* arms race: who wants to break in?
** govts, spies
** govts, spies
** vandals - gnaa, syrian electronic army
** vandals, trolls, syrian electronic army
** botnets: send spam, mine bitcoin, steal your identity
** botnets: send spam, mine bitcoin, steal your identity
** black market for pwnd computers, amazon accounts, etc
** black market for pwnd computers, amazon accounts, etc
Line 71: Line 73:
*** prevents propagation, phoning home, so no payload for attacker
*** prevents propagation, phoning home, so no payload for attacker
*** NAT is not security, ipv6 is coming, "internet of things" *shiver*
*** NAT is not security, ipv6 is coming, "internet of things" *shiver*
* developer security
 
** source control (git)
==Developer Security==
** package signing
* source control
** opsec
** http://www.git-scm.com/about/info-assurance
** https://www.kernel.org/
** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg
* secret backdoors submitted openly? https://www.nsa.gov/research/selinux/
* package signing, opsec
* deterministic builds are the future
** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
** https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
** multiple compiler ecosystems (gcc, llvm/clang)
** multiple compiler ecosystems (gcc, llvm/clang)
** deterministic builds are the future
** secret backdoors submitted openly (selinux?)


==Disk Encryption==
==Disk Encryption==
* "rubber hose cryptanalysis" https://xkcd.com/538/
* "rubber hose cryptanalysis" https://xkcd.com/538/
* adds security at rest, but not while running
* adds security at rest, but not while running
Line 87: Line 93:
* always keep backups - data loss is DoS
* always keep backups - data loss is DoS
* deniability is very hard
* deniability is very hard
* steganography: hiding in plain sight
** much easier to avoid being a suspect
** having TBB on your disk is a red flag, especially with particular extensions
** ideal solution is steganography: hiding in plain sight


=Networks=
=Networks=

Navigation menu