Crypto, Anonymity, and Privacy • Simple Nomad • DC214 • 10 Nov 2004
Threat Models • Kiddie vs Hacker vs Mafia vs TLA vs Nation State • Known vs Unknown • Targeted vs Random
Cryptography • What to use • Why you would use it • When (and when not) to use it
Common Algorithms • Symmetric (block ciphers) • AES, DES, etc • Public/Private Key • RSA, DSA, ElGamal (the algorithms PGP is built on) • Stream Cipher • RC4 (as used by SSL/TLS) • A Note on Blocking
What To (Not) Use • Good • PGP (GnuPG) • Ncrypt • Outguess (MP3?) • Bad • Suite document passwords (MS Office, WP, etc) • Proprietary encryption schemes • Lame encryption schemes
Examples of Lame Encryption • XOR • By itself, lame • Still used heavily in a lot of algorithms, but as a part of a larger and more complex algorithm • Known Keying Material • Algorithm Too Simple
Testing for XOR • Demo
Cracking XOR • Demo
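The two demos above are not reproduced on the slides, so here is an added example (not the xor-analyze tool linked at the end, and not code from the talk) that does both jobs on a repeating-key XOR "cipher": it ranks candidate key lengths with the index of coincidence, recovers each key byte on its own from English letter frequencies, and picks the decryption that reads best. The key `DC214!`, the plaintext and the frequency table are constructed for the demo.

```python
"""Detect and crack repeating-key XOR (added example, not from the slides)."""
from collections import Counter

# Rough English single-byte frequencies for lowercase text (assumed values).
# Bytes not listed score 0; non-printable bytes are penalised in score_english.
FREQ = {
    ' ': 0.18, 'e': 0.10, 't': 0.07, 'a': 0.065, 'o': 0.06, 'i': 0.055,
    'n': 0.055, 's': 0.05, 'h': 0.05, 'r': 0.048, 'd': 0.035, 'l': 0.032,
    'u': 0.022, 'c': 0.022, 'm': 0.02, 'w': 0.019, 'f': 0.018, 'g': 0.016,
    'y': 0.016, 'p': 0.015, 'b': 0.012, 'v': 0.008, 'k': 0.006,
}


def xor_repeating(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def index_of_coincidence(column):
    """Probability that two bytes drawn from the column are equal. XOR with a
    single fixed key byte is a bijection, so a column of one key byte keeps the
    plaintext's IoC; a column mixing several key bytes is flatter (lower)."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))


def rank_key_lengths(ct, max_len=16):
    """Candidate key lengths, most likely first. The true period and its
    multiples score about the same, so crack() disambiguates afterwards."""
    def mean_ioc(length):
        return sum(index_of_coincidence(ct[i::length]) for i in range(length)) / length
    return sorted(range(1, max_len + 1), key=mean_ioc, reverse=True)


def score_english(text):
    """Higher is more English-looking; control bytes mean a wrong key byte."""
    total = 0.0
    for b in text:
        if b == 0x0A or 0x20 <= b < 0x7F:
            total += FREQ.get(chr(b), 0.0)
        else:
            total -= 1.0
    return total


def recover_key(ct, key_len):
    """Solve each key byte independently: column ct[i::key_len] is a single-byte
    XOR, so try all 256 values and keep the one that decrypts most like English."""
    key = bytearray()
    for i in range(key_len):
        column = ct[i::key_len]
        key.append(max(range(256),
                       key=lambda k: score_english(xor_repeating(column, bytes([k])))))
    return bytes(key)


def minimal_period(key):
    """Collapse b'DC214!DC214!' to b'DC214!' when a multiple of the period won."""
    for p in range(1, len(key) + 1):
        if len(key) % p == 0 and key[:p] * (len(key) // p) == key:
            return key[:p]
    return key


def crack(ct, candidates=3):
    """Try the top-ranked key lengths; keep the decryption that scores best."""
    best_key, best_score = b"", float("-inf")
    for length in rank_key_lengths(ct)[:candidates]:
        key = recover_key(ct, length)
        score = score_english(xor_repeating(ct, key))
        if score > best_score:
            best_key, best_score = minimal_period(key), score
    return best_key


# Constructed sample (not from the talk): English text under a 6-byte key.
SAMPLE_KEY = b"DC214!"
SAMPLE_PLAINTEXT = (
    b"the encryption in this product is nothing more than a short fixed string "
    b"xored over every record and a fixed string is not a key at all. anyone "
    b"with two files from the same install can recover it with a pencil and a "
    b"hex dump in an afternoon. the vendor calls it proprietary protection and "
    b"the brochure calls it military grade but the file format notes and a "
    b"little arithmetic are enough to read every database on the share. when "
    b"the keying material is known there is no attack to perform only a lookup "
    b"and when the key is short and repeats the statistics of the plaintext "
    b"leak straight through it so the column counts give the period away "
    b"without any knowledge of the key at all."
)
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("key length ranking:", rank_key_lengths(SAMPLE_CIPHERTEXT)[:4])
    print("recovered key:", crack(SAMPLE_CIPHERTEXT))
```

The IoC test is what makes the "testing for XOR" step work without knowing anything about the key: it only asks whether the ciphertext, split into columns, still has the lopsided byte distribution of a plaintext. Once the period is known the "cracking" step is 256 guesses per column, which is why a long passphrase does nothing for XOR by itself.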
Known Keying Material – Access 97 • Access 97 MDB files, starting at byte 66 • The “secret” string – 0x86fbec375d449cfac65e28e613 • Simple XOR to recover password • http://www.nmrc.org/~thegnome/acc_rec.c • Elcomsoft does current MS Office docs, and most other suite password schemes
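As an added example of the known-keying-material case (not the acc_rec.c tool linked above), the recovery the slide describes is a single XOR: the stored bytes at offset 66 against the fixed string everyone knows. The file layout beyond what the slide states (a "Standard Jet DB" signature at offset 4, NUL padding of the password field) is assumed for the demo, and the header is constructed rather than a real MDB.

```python
"""Access 97 password recovery from the file header (added example)."""
from typing import Optional

# The fixed keying material quoted on the slide (13 bytes), applied at byte 66.
ACCESS97_MASK = bytes.fromhex("86fbec375d449cfac65e28e613")
PASSWORD_OFFSET = 0x42
JET_SIGNATURE = b"Standard Jet DB"  # assumed Jet header signature at offset 4


def recover_password(mdb: bytes) -> Optional[str]:
    """Return the database password, '' if none is set, or None if the bytes do
    not carry the Jet signature. No guessing is involved: the 'key' is public."""
    if mdb[4:4 + len(JET_SIGNATURE)] != JET_SIGNATURE:
        return None
    field = mdb[PASSWORD_OFFSET:PASSWORD_OFFSET + len(ACCESS97_MASK)]
    clear = bytes(a ^ b for a, b in zip(field, ACCESS97_MASK))
    # An unprotected database stores the mask itself (an all-NUL password).
    return clear.rstrip(b"\x00").decode("latin-1")


def build_header(password: str) -> bytes:
    """Constructed 1 KB header (not a real MDB) storing the password the way the
    slide describes: NUL-padded to the mask length, then XORed with the mask."""
    if len(password) > len(ACCESS97_MASK):
        raise ValueError("only passwords up to the quoted mask length are handled")
    padded = password.encode("latin-1").ljust(len(ACCESS97_MASK), b"\x00")
    stored = bytes(a ^ b for a, b in zip(padded, ACCESS97_MASK))
    header = bytearray(1024)
    header[4:4 + len(JET_SIGNATURE)] = JET_SIGNATURE
    header[PASSWORD_OFFSET:PASSWORD_OFFSET + len(stored)] = stored
    return bytes(header)


if __name__ == "__main__":
    print(repr(recover_password(build_header("nmrc"))))
    print(repr(recover_password(build_header(""))))
```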
How Brute Force (Should) Work • Read in first block of encrypted file • Try a password • Use file-matching techniques (magic numbers, file headers) to determine if password is valid • Keep trying in case of multiple “matches” • A skilled attacker will focus on the target’s interests first
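The procedure above, as an added example that is not code from the talk. The encryption is a toy password-keyed stream (a SHAKE-256 keystream over salt and password, XORed in), chosen only so the demo runs with the standard library; it is not a recommended cipher and nothing on the slide prescribes it. The attack itself follows the four bullets: decrypt only the first block, check it against known file signatures, record every hit rather than stopping at the first, and order the wordlist by what the attacker knows about the target. The sample file, salt, passphrase and wordlist are constructed.

```python
"""Dictionary attack validated by file type (added example, toy cipher)."""
import gzip
import hashlib

BLOCK = 512     # the first block of the file is enough to identify it
SALT_LEN = 16

# Magic numbers at offset 0; the tar marker at offset 257 is checked separately.
MAGICS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"-----BEGIN": "pem",
}


def keystream(password, salt, n):
    """Toy keystream: SHAKE-256(salt || password), first n bytes. SHAKE output is
    prefix-consistent, so the keystream for the first block matches the file's."""
    return hashlib.shake_256(salt + password.encode()).digest(n)


def toy_encrypt(plaintext, password, salt):
    """Layout assumed for the demo: salt || (plaintext XOR keystream)."""
    ks = keystream(password, salt, len(plaintext))
    return salt + bytes(p ^ k for p, k in zip(plaintext, ks))


def identify(block):
    """Name of the file type the decrypted block looks like, else None."""
    for magic, name in MAGICS.items():
        if block.startswith(magic):
            return name
    if block[257:262] == b"ustar":
        return "tar"
    return None


def brute_force(encrypted, wordlist):
    """Return every (password, type) pair whose decryption of the first block
    matches a known signature. Deliberately does not stop at the first hit:
    a short magic can match by chance, so the attacker keeps going."""
    salt = encrypted[:SALT_LEN]
    body = encrypted[SALT_LEN:SALT_LEN + BLOCK]
    hits = []
    for password in wordlist:
        ks = keystream(password, salt, len(body))
        block = bytes(c ^ k for c, k in zip(body, ks))
        kind = identify(block)
        if kind is not None:
            hits.append((password, kind))
    return hits


# Constructed sample: a gzip-compressed note (compressed before encryption, as
# the next slide advises) under a passphrase built from the target's interests.
SAMPLE_SALT = bytes(range(SALT_LEN))          # fixed so the demo is reproducible
SAMPLE_PASSWORD = "defcon12lasvegas"
SAMPLE_FILE = toy_encrypt(
    gzip.compress(b"meet at the pool bar, bring the laptop\n" * 8, mtime=0),
    SAMPLE_PASSWORD, SAMPLE_SALT)
# Target-specific guesses first, generic ones last.
WORDLIST = ["nmrc", "dc214", "defcon", "defcon12", "defcon12lasvegas",
            "password", "letmein"]

if __name__ == "__main__":
    print(brute_force(SAMPLE_FILE, WORDLIST))
```

Note what the check keys on: the compressed payload starts with the gzip magic, so compression alone does not stop a brute-forcer from recognising a correct guess; that is the reason the next slide suggests putting random data in front of the real file.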
File Encryption Tips • Compress before encryption • Tar up file with random data first • Securely wipe the original • Ncrypt, Wipe, etc • Use very long and strong passphrases • The more characters used, the greater the entropy • Watch passphrase reuse in general • If your /etc/shadow password is the passphrase, a system compromise could reveal your secret files
Encryption of Streams • SSL/TLS, SSH, VPN technologies • Nothing is “solved” if the implementation is wrong, or the end points are insecure • Bad passwords • Vulnerable daemons wrapped in SSL (e.g. Metasploit is SSL-aware) • Attackers have been known to “sniff” for encrypted traffic, then attack the endpoints
Protocol Issues • Secure algorithms, yet insecure usage • Proprietary algorithms and protocols • Perfect example: Novell NetWare
Security Through Obscurity • Don’t name your secret files really-krad-0day.tgz.encrypted • Consider “bait” encryption files • Old Linux kernel source code or porn, encrypted: not-public-0day.tgz.enc • Consider such technologies as Rubberhose
Security Through Obscurity • Don’t use EFS • Don’t store your keys on a regular drive, especially on Windows • Use alternate storage devices • Pocket USB drives • Digital cameras • Cell phones
Miscellany • Watch your subject line in encrypted email • Covert channel usage • Use it a lot or not at all • Make sure your OS is as random as the covert channel • Steganography • Never send a file with a non-steg version available • A picture in email will look suspicious if you never send or receive pictures • Encrypt and compress first
Miscellany • Encrypted mailing lists are good, hybrids can lead to mistakes • When to have/not have a key-signing party
Anonymity • Use a specific “nym” • Give this nym its own PGP key, etc • Use pseudo-anonymous mail for this nym • Hushmail, Gmail (not Hotmail) • Use anonymizing proxies for checking mail and web browsing • SwitchProxy for Firefox, Thunderbird, Mozilla (slow but worth the effort) • Never use the nym except with the proxies • Anonymous hacking is another story (and another presentation)
Example of Nym Usage • Get a Gmail account • Set up a Hotmail account from a free wireless connection using Firefox/SwitchProxy • Send invite to Hotmail account • Set up Gmail account from wireless w/SwitchProxy • Repeat a couple of times • Only use Gmail Nym with wireless and SwitchProxy • Only cut and paste in encrypted text (avoids Gmail’s ad-targeting content scanner)
Privacy • Online • Use FPM or Password Safe to store passwords, and always generate safe passwords • Bear in mind that password crackers will target the data files of these programs • Backup the data files to a USB drive • See previous two slides
Privacy • How much is your privacy worth? • Never fill out warranty cards or rebates • Never use “shopping cards” • Don’t pay for phone cards with a credit card, in fact use cash whenever possible • Don’t use toll booth tags
Privacy • Credit Cards • Use the fewest credit cards possible, regardless of how many you have • Consider a low-limit card for basic online purchases, with a daily limit cap • Write “check photo ID” on the back • Notify your bank when you are using a credit card out of town • Checking • Have the branch hold your checks • Avoid direct deposit and automatic bill paying
Privacy • Travel • Use an alias (it can be done) • Most good hotels support “Non-Registered Guest” • U.S. Mail • Never mail anything from home, go to the Post Office, and go to the slot inside, not the box outside, especially when sending money or paying bills • Have the Post Office hold your mail when out of town, even for a day
Privacy • Don’t use “real” personal identifiers • Make up a “mother’s maiden name” • Shred everything • Use a cross-shredder • Shred all envelopes and extraneous junk mail material, makes nice “whitening” • Burn the shreddings, stir the ashes • Keep shredder handy and shred daily • Avoid a “shred pile”
Privacy Tips • Don’t offer extra info • Question the questioners • Does the store clerk really need your phone number or zip code? • Don’t conduct private matters on cellular or cordless phones • Don’t leave confidential info in your car • Assume all plaintext documents, email, etc is being read by co-workers, employers, The Man, etc, and act accordingly
Case Study in Paranoia #1 – Paranoid Guy Weasel and I Know • Man dedicated to privacy • Different names on all utilities • Moves every few years, changes names on all utilities every six months • No tattoos or identifying marks • Uses cash for almost everything • Average haircut, average clothes, does not stand out
Case Study in Paranoia #2 – Eric Raymond • Does not own a credit card • When travelling to speaking engagements, he manages to get all the way there and back without credit cards
Case Study in Paranoia #3 – Hacker in Vegas for BH/DC • Stay at a decent hotel (which supports the needs below) • Large casino theme hotels on the strip, not the Comfort Inn • Register as Non-Registered Guest • Register under your handle to impress your friends • Block incoming calls from everyone except hotel personnel • Impress your friends when they try to call your room and the phone system says “that room is unoccupied” • Switch room assignment before arrival as well as at the check-in desk • Note screwplate positions, and consider opening and examining all electronic devices • When reporting a security incident, only involve hotel security staff, not law enforcement • Only use credit-card style in-room safes, and don’t use a credit card (assume hidden camera)
Fin • Links • ftp://ftp.habets.pp.se/pub/synscan/xor-analyze-0.5.tar.gz • http://ncrypt.sourceforge.net/ • http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_NovellMITM.cfm • http://jgillick.nettripper.com/switchproxy/ • http://www.steganos.com/?area=updateproxylist • Questions? • Simple Nomad [thegnome@nmrc.org]