
Crypto, Anonymity, and Privacy

Simple Nomad, DC214, 10 Nov 2004. Crypto, Anonymity, and Privacy. Hello. Threat Models: Kiddie vs Hacker vs Mafia vs TLA vs Nation State; Known vs Unknown; Targeted vs Random. Cryptography: What to use; Why you would use it; When (and when not) to use it. Common Algorithms: Symmetrical



Presentation Transcript


  1. Crypto, Anonymity, and Privacy
  Simple Nomad, DC214, 10 Nov 2004

  2. Hello

  3. Threat Models
  • Kiddie vs Hacker vs Mafia vs TLA vs Nation State
  • Known vs Unknown
  • Targeted vs Random

  4. Cryptography
  • What to use
  • Why you would use it
  • When (and when not) to use it

  5. Common Algorithms
  • Symmetrical
    • AES, DES, etc
  • Public/Private Key
    • RSA, PGP, etc
  • Stream Cipher
    • SSL, TLS
  • A Note on Blocking

  6. What To (Not) Use
  • Good
    • PGP (GnuPG)
    • Ncrypt
    • Outguess (MP3?)
  • Bad
    • Suite document passwords (MS Office, WP, etc)
    • Proprietary encryption schemes
    • Lame encryption schemes

  7. Examples of Lame Encryption
  • XOR
    • By itself, lame
    • Still used heavily in a lot of algorithms, but as a part of a larger and more complex algorithm
  • Known Keying Material
  • Algorithm Too Simple

  8. Testing for XOR
  • Demo

  9. Cracking XOR
  • Demo
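Both demos in one script, as an added example that is not part of the talk: given only a ciphertext produced with a short repeating XOR key, it detects the key length from the index of coincidence (the "Testing for XOR" step) and then recovers each key byte by scoring candidate plaintexts for English (the "Cracking XOR" step). The plaintext, the three-byte key and the scoring heuristic are constructed for this demo.

```python
# Added example (not from the talk): why XOR on its own is lame. From the
# ciphertext alone, find the key length, then recover the key byte by byte.
from collections import Counter

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

PLAINTEXT = (b"Encrypting a file by XORing it with a short repeating key looks like "
             b"encryption, but every key byte is reused over and over, so an attacker "
             b"only has to solve a handful of single byte substitutions. Plain English "
             b"has so much statistical structure that the period of the key shows up in "
             b"the ciphertext, which is why the talk says to compress before you encrypt.")
SECRET_KEY = b"\x1f\x5a\x91"  # constructed; unknown to the attacker, only builds CIPHERTEXT
CIPHERTEXT = xor_bytes(PLAINTEXT, SECRET_KEY)

def index_of_coincidence(column: bytes) -> float:
    """P(two bytes of the column are equal). XOR with one constant byte keeps
    the high value of English (~0.07); a misaligned column mixes alphabets."""
    n, counts = len(column), Counter(column)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

def guess_key_length(ct: bytes, max_len: int = 16) -> int:
    """Testing for XOR: the shortest period whose key-aligned columns score
    close to the best average IoC is the key length."""
    scores = {L: sum(index_of_coincidence(ct[p::L]) for p in range(L)) / L
              for L in range(1, max_len + 1)}
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * best)

def english_score(candidate: bytes) -> int:
    """Letters and spaces +2, other printable ASCII +1, anything else -5."""
    score = 0
    for c in candidate:
        if c == 0x20 or 0x41 <= c <= 0x5A or 0x61 <= c <= 0x7A:
            score += 2
        else:
            score += 1 if 0x20 < c < 0x7F else -5
    return score

def crack_repeating_xor(ct: bytes) -> bytes:
    """Cracking XOR: each column is a single-byte XOR, solved independently by
    taking the key byte whose output looks most like English."""
    length = guess_key_length(ct)
    return bytes(max(range(256), key=lambda k: english_score(xor_bytes(ct[p::length], bytes([k]))))
                 for p in range(length))

def demo():
    """Returns (recovered key, recovered plaintext) for the constructed ciphertext."""
    key = crack_repeating_xor(CIPHERTEXT)
    return key, xor_bytes(CIPHERTEXT, key)
```

Compressing first removes most of the English statistics that the key-length test and the scoring rely on, which is the defensive point behind the "compress before encryption" tip later in the talk.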

  10. Known Keying Material – Access 97
  • Access 97 MDB files, starting at byte 66
  • The “secret” string – 0x86fbec375d449cfac65e28e613
  • Simple XOR to recover password
  • http://www.nmrc.org/~thegnome/acc_rec.c
  • Elcomsoft does current MS Office docs, and most other suite password schemes

  11. How Brute Force (Should) Work
  • Read in first block of encrypted file
  • Try a password
  • Use file-matching techniques to determine if password is valid
  • Keep trying in case of multiple “matches”
  • A skilled attacker will focus on the target’s interests first

  12. File Encryption Tips
  • Compress before encryption
  • Tar up file with random data first
  • Securely wipe the original
    • Ncrypt, Wipe, etc
  • Use very long and strong passphrases
    • The more characters used, the greater the entropy
  • Watch passphrase reuse in general
    • If your /etc/shadow password is the passphrase, a system compromise could reveal your secret files
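The brute-force loop of slide 11 and the random-data tip of slide 12, as an added example that is not from the talk: a toy cipher (its keystream is simply SHA-256 of the password, a constructed stand-in, not any real tool's scheme) encrypts a constructed gzip file; the loop decrypts only the first block per candidate password, checks it against known file signatures, and keeps going after a hit, and the same wordlist finds nothing once random data precedes the file.

```python
# Added example (not from the talk): the brute-force loop of slide 11 run against
# a constructed toy cipher, and why slide 12 says to tar the file up with random
# data first. Keystream = SHA-256(password); nothing here is a real tool's format.
import hashlib
import os

BLOCK = 32  # the attacker only needs the first block of the file

# File signatures ("file-matching techniques"): a correct password reveals one.
MAGICS = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"%PDF-": "pdf",
          b"\xd0\xcf\x11\xe0": "ole2 (Office 97)", b"\x89PNG": "png"}

def keystream(password: str, n: int) -> bytes:
    """Toy key derivation for the demo only: first n bytes of SHA-256(password)."""
    return hashlib.sha256(password.encode()).digest()[:n]

def xor_first_block(data: bytes, password: str) -> bytes:
    """Encrypt (or decrypt) just the first block; the rest is irrelevant here."""
    block = data[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, keystream(password, len(block))))

def recognise(block: bytes):
    """Return the file type whose magic bytes the block starts with, else None."""
    return next((name for magic, name in MAGICS.items() if block.startswith(magic)), None)

def brute_force(first_block: bytes, wordlist):
    """Slide 11: try each password, test the decrypted block against known file
    headers, and keep going after a hit because a short magic can match by chance."""
    hits = []
    for password in wordlist:
        kind = recognise(xor_first_block(first_block, password))
        if kind:
            hits.append((password, kind))
    return hits

# Constructed "victim" file: a gzip stream header followed by filler bytes.
GZIP_FILE = b"\x1f\x8b\x08\x00" + bytes(60)
PASSWORD = "hunter2"                                    # constructed; in the wordlist
WORDLIST = ["password", "letmein", "hunter2", "dc214"]  # constructed, tiny

def demo_plain():
    """Encrypting the file as-is: its header acts as a password oracle."""
    return brute_force(xor_first_block(GZIP_FILE, PASSWORD), WORDLIST)

def demo_random_prefix():
    """Slide 12: prepend random data so the first block carries no signature;
    the same wordlist (with the right password in it) now finds nothing."""
    padded = os.urandom(BLOCK) + GZIP_FILE
    return brute_force(xor_first_block(padded, PASSWORD), WORDLIST)
```

Compression alone would not help against this particular check, since a gzip or zip header is exactly what the loop matches; it is the random-data prefix that removes the oracle, and a long passphrase that makes the loop itself infeasible.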

  13. Encryption of Streams
  • SSL/TLS, SSH, VPN technologies
  • Nothing is “solved” if the implementation is wrong, or the end points are insecure
    • Bad passwords
    • Vulnerable daemons wrapped in SSL (e.g. Metasploit is SSL-aware)
  • Attackers have been known to “sniff” for encrypted traffic, then attack the endpoints

  14. Protocol Issues
  • Secure algorithms, yet insecure usage
  • Proprietary algorithms and protocols
  • Perfect example: Novell NetWare

  15. Security Through Obscurity
  • Don’t name your secret files really-krad-0day.tgz.encrypted
  • Consider “bait” encryption files
    • Old Linux kernel source code or porn, encrypted: not-public-0day.tgz.enc
  • Consider such technologies as Rubberhose

  16. Security Through Obscurity
  • Don’t use EFS
  • Don’t store your keys on a regular drive, especially on Windows
  • Use alternate storage devices
    • Pocket USB drives
    • Digital cameras
    • Cell phones

  17. Miscellany
  • Watch your subject line in encrypted email
  • Covert channel usage
    • Use it a lot or not at all
    • Make sure your OS is as random as the covert channel
  • Steganography
    • Never send a file with a non-steg version available
    • A picture in email will look suspicious if you never send or receive pictures
    • Encrypt and compress first

  18. Miscellany
  • Encrypted mailing lists are good; hybrids can lead to mistakes
  • When to have/not have a key-signing party

  19. Anonymity
  • Use a specific “nym”
    • Give this nym its own PGP key, etc
  • Use pseudo-anonymous mail for this nym
    • Hushmail, Gmail (not Hotmail)
  • Use anonymizing proxies for checking mail and web browsing
    • SwitchProxy for Firefox, Thunderbird, Mozilla (slow but worth the effort)
  • Never use the nym except with the proxies
  • Anonymous hacking is another story (and another presentation)

  20. Example of Nym Usage
  • Get a Gmail account
    • Set up a Hotmail account from a free wireless connection using Firefox/SwitchProxy
    • Send invite to Hotmail account
    • Set up Gmail account from wireless w/SwitchProxy
    • Repeat a couple of times
  • Only use Gmail Nym with wireless and SwitchProxy
  • Only cut and paste in encrypted text (avoids Gmail’s market scanner)

  21. Privacy
  • Online
    • Use FPM or Password Safe to store passwords, and always generate safe passwords
    • Bear in mind that password crackers will target the data files of these programs
    • Back up the data files to a USB drive
    • See previous two slides

  22. Privacy
  • How much is your privacy worth?
  • Never fill out warranty cards or rebates
  • Never use “shopping cards”
  • Don’t pay for phone cards with a credit card; in fact, use cash whenever possible
  • Don’t use toll booth tags

  23. Privacy
  • Credit Cards
    • Use the fewest credit cards possible, regardless of how many you have
    • Consider a low-limit card for basic online purchases, with a daily limit cap
    • Write “check photo ID” on the back
    • Notify your bank when you are using a credit card out of town
  • Checking
    • Have the branch hold your checks
    • Avoid direct deposit and automatic bill paying

  24. Privacy
  • Travel
    • Use an alias (it can be done)
    • Most good hotels support “Non-Registered Guest”
  • U.S. Mail
    • Never mail anything from home; go to the Post Office, and use the slot inside, not the box outside, especially when sending money or paying bills
    • Have the Post Office hold your mail when out of town, even for a day

  25. Privacy
  • Don’t use “real” personal identifiers
    • Make up a “mother’s maiden name”
  • Shred everything
    • Use a cross-shredder
    • Shred all envelopes and extraneous junk mail material; it makes nice “whitening”
    • Burn the shreddings, stir the ashes
    • Keep the shredder handy and shred daily
    • Avoid a “shred pile”

  26. Privacy Tips
  • Don’t offer extra info
  • Question the questioners
    • Does the store clerk really need your phone number or zip code?
  • Don’t conduct private matters on cellular or cordless phones
  • Don’t leave confidential info in your car
  • Assume all plaintext documents, email, etc. are being read by co-workers, employers, The Man, etc., and act accordingly

  27. Case Study in Paranoia #1 – Paranoid Guy Weasel and I Know
  • Man dedicated to privacy
  • Different names on all utilities
  • Moves every few years, changes names on all utilities every six months
  • No tattoos or identifying marks
  • Uses cash for almost everything
  • Average haircut, average clothes, does not stand out

  28. Case Study in Paranoia #2 – Eric Raymond
  • Does not own a credit card
  • When travelling to speaking engagements, he manages to get all the way there and back without credit cards

  29. Case Study in Paranoia #3 – Hacker in Vegas for BH/DC
  • Stay at a decent hotel (one that supports the needs below)
    • Large casino theme hotels on the strip, not the Comfort Inn
  • Register as Non-Registered Guest
    • Register under your handle to impress your friends
  • Block incoming phone calls from everyone except hotel personnel
    • Impress your friends when they try to call your room and the phone system says “that room is unoccupied”
  • Switch room assignment before arrival as well as at the check-in desk
  • Note screwplate positions, and consider opening and examining all electronic devices
  • When reporting a security incident, only involve hotel security staff, not law enforcement
  • Only use credit-card style in-room safes, and don’t use a credit card (assume hidden camera)

  30. Fin
  • Links
    • ftp://ftp.habets.pp.se/pub/synscan/xor-analyze-0.5.tar.gz
    • http://ncrypt.sourceforge.net/
    • http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_NovellMITM.cfm
    • http://jgillick.nettripper.com/switchproxy/
    • http://www.steganos.com/?area=updateproxylist
  • Questions?
  • Simple Nomad [thegnome@nmrc.org]
