Revision comparison. Old revision edit summary: (reformat with bullet points). New revision edit summary: (→Endpoints: clean up, expand a little bit).
Line 26: | Line 26: | ||
* how exploits work: backdoors, CVEs, black market, foxacid | * how exploits work: backdoors, CVEs, black market, foxacid | ||
* hall of shame: skype, silverlight, flash are all evil | * hall of shame: skype, silverlight, flash are all evil | ||
* early security: mainframes, protecting users from each other | |||
* how a computer works | * how a computer works | ||
** picture a vast table of index cards - that is memory, it is addressable | ** picture a vast table of index cards - that is memory, it is addressable | ||
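Review bot: the added "early security: mainframes, protecting users from each other" bullet lands between "hall of shame" and "how a computer works" with nothing connecting it to either; a short sub-bullet saying why it is here (that the threat model has since moved from co-located users to remote attackers delivering content, which is what the "how a computer works" section that follows builds up to) would make the ordering read as intentional rather than as a stray note.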
Line 52: | Line 53: | ||
*** interact with images, html, javascript, emails | *** interact with images, html, javascript, emails | ||
*** buffer overflows, bad code, bad runtime, bad languages | *** buffer overflows, bad code, bad runtime, bad languages | ||
*** difference between code & data is arbitrary, enforced by software! this is what makes computers powerful, but is also very dangerous | |||
*** if remote attacker can run code directly on your CPU, that's an execution bug | *** if remote attacker can run code directly on your CPU, that's an execution bug | ||
*** this is how the NSA defeated TBB: bug in firefox xml library | *** this is how the NSA defeated TBB: bug in firefox xml library | ||
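Review bot: the new "difference between code & data is arbitrary, enforced by software!" bullet is the key idea behind the "buffer overflows, bad code, bad runtime, bad languages" line above it, but as written it stops at the observation; spelling out the consequence, that attacker-supplied data (the images, html, javascript, emails listed two lines up) getting treated as code is exactly the "execution bug" the next bullet defines, would turn the aside into the missing link between those two lines.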
Line 57: | Line 59: | ||
* arms race: who wants to break in? | * arms race: who wants to break in? | ||
** govts, spies | ** govts, spies | ||
** vandals | ** vandals, trolls, syrian electronic army | ||
** botnets: send spam, mine bitcoin, steal your identity | ** botnets: send spam, mine bitcoin, steal your identity | ||
** black market for pwnd computers, amazon accounts, etc | ** black market for pwnd computers, amazon accounts, etc | ||
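Review bot: the expanded "vandals, trolls, syrian electronic army" bullet now mixes a generic motivation with a named group under a heading framed as "who wants to break in?", while the neighbouring "botnets" and "black market" lines each say what the attacker gains; keeping the list parallel, either one bullet per motivation or a short parenthetical on what the group is after, would make the list consistent (the lowercase proper noun also stands out, though the list is lowercase throughout).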
Line 71: | Line 73: | ||
*** prevents propagation, phoning home, so no payload for attacker | *** prevents propagation, phoning home, so no payload for attacker | ||
*** NAT is not security, ipv6 is coming, "internet of things" *shiver* | *** NAT is not security, ipv6 is coming, "internet of things" *shiver* | ||
* | |||
** | ==Developer Security== | ||
** package signing | * source control | ||
** | ** http://www.git-scm.com/about/info-assurance | ||
** https://www.kernel.org/ | |||
** http://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernelorg | |||
* secret backdoors submitted openly? https://www.nsa.gov/research/selinux/ | |||
* package signing, opsec | |||
* deterministic builds are the future | |||
** https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise | |||
** https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details | |||
** multiple compiler ecosystems (gcc, llvm/clang) | ** multiple compiler ecosystems (gcc, llvm/clang) | ||
==Disk Encryption== | ==Disk Encryption== | ||
* "rubber hose cryptanalysis" https://xkcd.com/538/ | * "rubber hose cryptanalysis" https://xkcd.com/538/ | ||
* adds security at rest, but not while running | * adds security at rest, but not while running | ||
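Review bot: "secret backdoors submitted openly? https://www.nsa.gov/research/selinux/" states an insinuation with no argument beside it, whereas the kernel.org and "cracking-kernelorg" links just above make a concrete point about repository compromise; either say what the concern is and what the open review process does about it, or drop the line. In the same section, "package signing, opsec" duplicates the old "package signing" bullet without saying what signing protects (the distribution path), and "deterministic builds are the future" would be stronger with one line on the threat the two Tor posts describe (a compromised build machine), so the three defences read as answers to distinct risks rather than as a list of slogans.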
Line 87: | Line 93: | ||
* always keep backups - data loss is DoS | * always keep backups - data loss is DoS | ||
* deniability is very hard | * deniability is very hard | ||
* steganography: hiding in plain sight | ** much easier to avoid being a suspect | ||
** having TBB on your disk is a red flag, especially with particular extensions | |||
** ideal solution is steganography: hiding in plain sight | |||
=Networks= | =Networks= |
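Review bot: "having TBB on your disk is a red flag, especially with particular extensions" names no extensions, so the qualifier adds nothing a reader can act on; either name the artifact meant or cut "especially with particular extensions". Also, "ideal solution is steganography" overstates what the preceding lines support: "deniability is very hard" and "much easier to avoid being a suspect" argue for reducing suspicion, and steganography is one approach to that, not an ideal, so "one option" or similar would keep the sub-bullets consistent with their parent.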