Personal Digital Security (JavaZone Academy 2017)


Personal Digital Security

Copyright © 2016-2017 Michael Johansen. Do not distribute without my written consent.

Michael Johansen mjo@knowit.no

JavaZone Academy

An example from the real world

How badly you can get hacked

Wired: How Apple and Amazon Security Flaws Led to My Epic Hacking

wired.com/2012/08/apple-amazon-mat-honan-hacking/

Mat Honan

Image source: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired

1. Find target’s email addresses using the Interwebz


2. Find target’s billing address by doing a whois on target’s personal domain


3. Generate fake credit card number


4. Call Amazon, use info you have to add fake credit card


5. Call Amazon again, use fake credit card to prove identity, get access


6. Find last 4 digits of real credit card in Amazon account


7. Call Apple, use info you have to get access to iCloud account


8. iCloud email was backup email for Gmail


9. Rain hell


“I still can’t get into Gmail. My phone and iPads are down. MacBook is likely irrecoverable. I’ve lost at more than a year’s worth of photos, emails, documents, …

It’s been a shitty night.”

Quote source: http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

Apple and Amazon tech support provided access

“If I had (…) used two-factor authentication for Gmail, everything would have stopped here.”

“I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together.”

“…And I should have had a recovery [email] address that’s only used for recovery without being tied to core services.”


clapping game 👏👏


I have a few passwords I use just about everywhere.


But I only use the good password on the important things!


I haven’t had time to fix all of the password stuff yet, but I will definitely do it one day.


If I’m being honest with myself, I have lost track of how many user accounts I have out there.


Bad security

The psychology

“Security Fatigue Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests”

Image source: http://www.imedicalapps.com/wp-content/uploads/2015/07/NIST-Logo.jpg

Material source: https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly

“Security seems to be cumbersome, just something else to keep up with.”

“…first it gives me a login, then it gives me a site key I have to recognize. Then it gives me a password. So that is enough, don't ask me anything else.”

“I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”


So how do we solve this for all of you?


Simple!


First we’ll spoon-feed you the basics, and give you good habits that are dead simple to do.


A love/hate relationship

Passwords and you

Rules
• Use uncrackable passwords
• Do not ever reuse a password
• Do not trust your own memory
• Store passwords securely encrypted
• Store passwords safely backed up
• Consider your own demise
• Use 2-factor authentication on all key accounts
  • Your email (because of the password reset function)
  • Cloud sync accounts (Dropbox++)
  • Social media accounts (Facebook++)

Conclusion: Use a password manager.

Michael’s password rules

Something you know: A password

Something you have: A key generator

Something you are: A fingerprint

What is 2/3 factor authentication?

Authenticator


Download LastPass’ or Google’s Authenticator on your phone.

Set up for Google, Dropbox, GitHub.

Apple uses your other devices (and more) for 2-factor.

Facebook uses its own in-app 2-factor system.

LinkedIn sends SMS with 2-factor codes.

Get 2-factor authentication now

Caveat for Apple users:
• 2-step verification
• 2-factor authentication

If you lose your authenticator and access to your backup codes, you will be locked out of your accounts even though you have the password. This can be remedied by using a backup email address that nobody knows about, without 2-factor.

Warning: losing your authenticator

Image source: Yubico AB

YubiKey

Using a YubiKey means an attacker must steal a physical key to gain access.

Sign up for this service: https://haveibeenpwned.com/

U pwnd?
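Added example, not part of the deck: besides breach notifications, haveibeenpwned.com runs a Pwned Passwords range API (api.pwnedpasswords.com/range/{prefix}, an endpoint I know exists but which the slide does not mention) that lets you check whether a password has appeared in a breach while sending the server only the first five hex characters of its SHA-1. The Python below implements the client side of that k-anonymity scheme. The range response it parses is a constructed sample with made-up counts; fetch_range does the live lookup and is only called if you run the file yourself.

```python
import hashlib
from typing import Tuple


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach count
    for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_pwned(password: str, range_body: str) -> int:
    """Breach count for `password`, given the range response for its prefix."""
    _prefix, suffix = split_sha1(password)
    return count_in_range(range_body, suffix)


def fetch_range(prefix: str) -> str:
    """Live lookup. Only the 5-character hash prefix goes over the wire."""
    from urllib.request import Request, urlopen
    req = Request("https://api.pwnedpasswords.com/range/" + prefix,
                  headers={"User-Agent": "personal-security-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts are made up; a real response lists several hundred suffixes.
SAMPLE_RANGE = """\
0000A5A2A0A0D58E2F7F1D4E1A3D8A5C6B7:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
ABCDEF0123456789ABCDEF0123456789ABC:1
"""


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("prefix sent to server:", prefix)
    print("offline check against sample:", is_pwned("password", SAMPLE_RANGE))
    # Uncomment for a real lookup of the same prefix:
    # print(is_pwned("password", fetch_range(prefix)))
```

The point to take from the code is in split_sha1: the server learns a prefix shared by hundreds of other passwords, never the password or its full hash, so running this against your password-manager vault does not hand anyone your secrets.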

Diving into the password manager

Exploring LastPass

Google this: “The Best Password Managers for 2016”: pcmag.com/article2/0,2817,2407168,00.asp

Avoid deterministic password managers
1. Can’t use varying password policies (without keeping state)
2. Can’t revoke passwords (without keeping state)
3. Can’t store existing secrets
4. Exposing master password exposes all passwords

Source: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers

LastPass
• Super cross platform
• Shared folders
• Secure notes with backup codes, pin codes, last will
• Security challenge
• Emergency access
• Binary component (extension → about → install binary component)
• Settings → Lock / logout after idle / screensaver / whatever
• Use only your own devices to log in, this is your life now. (☉_☉)

Copy password: Cmd + C
Launch site: Enter

Diving into the OS

Exploring macOS

macOS
• Sleep (Cmd + Alt + Power)
• Lock (Ctrl + Shift + Power) ← learn it, use it
• Keychain Access and XProtect
• System settings → Security and Privacy
  • General → Require password immediately, use lock message
  • FileVault → Full disk encryption
  • Firewall → Enable, consider stealth mode
  • Privacy → Location services → Show icon when active

macOS
• System settings
  • iCloud → Keychain; Find My Mac (Mat Honan doesn’t like this!)
  • Network → Advanced → Remove old wifi networks; Advanced → Require admin access to change anything
  • Sharing → Disable all unnecessary services; consider using a non-descript computer name
  • App Store → Auto-install security updates

OS defense / offense

macOS defense
• https://github.com/drduh/macOS-Security-and-Privacy-Guide
• “Mac OS X Maximum Security” (John Ray, William Ray)

Linux defense / offense
• Defense: https://selinuxproject.org/
• Offense: https://www.kali.org/

Windows defense
• At least disable privacy invasion features!

Kali image source: https://www.offensive-security.com/wp-content/uploads/2015/06/home-kali-slider-1.png

SELinux image source: https://www.drupalwatchdog.com/sites/default/files/images/web/selinux-penguin-new_medium.png

Diving into the browser

Exploring Chrome

Google Chrome is evergreen

Image source: https://evolution-of-apps.firebaseapp.com/images/chrome-evergreen.png

Marking HTTP as insecure
The transition of the entire web to HTTPS has begun.

T0: Insecure origins unmarked
T1 (now): Insecure origins marked as dubious
T2: Insecure origins marked as insecure
T3: Secure origins unmarked

chromium.org/Home/chromium-security/marking-http-as-non-secure

Marking HTTP as insecure (Aug. 2016)

Image source: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html?m=1

Chrome extensions & plugins

chrome://extensions
• uBlock Origin
• Privacy Badger / Disconnect / Ghostery
• HTTPS Everywhere
• Uninstall “Hola!” immediately
• Uninstall the ones you don’t recognize

chrome://plugins
• Disable unnecessary/unknown plugins

chrome://help
• Check for update failure

Chrome settings

Search engines
• Manage search engines → https://encrypted.google.com/search?q=%s

Privacy
• Content settings → Cookies → Block 3rd party cookies
• Content settings → Flash → Block sites from running Flash
• Do not track

Passwords and forms
• Don’t save passwords, delete the saved ones
• Disable autofill

Google this: “robinlinus fingerprint”

Privacy focused browsers have unfortunate trade-offs

Hidden Reflex
• 2010 - Epic Browser (Firefox → 2013 → Chrome)

Comodo
• 2011 - Comodo Dragon (Chrome)
• 2012 - Comodo IceDragon (Firefox)
• 2015 - Chromodo (Chrome) - Called out by Google for being really insecure

However:
• New and unknown zero days
• Browser core lagging behind the “parent”

Diving into the phone

Exploring iOS

iOS

Notifications
• Messages → Show Previews (PINs sent by SMS)

Touch ID & Passcode
• Change passcode → Custom alphanumeric
• Require passcode → Immediately
• Consider disabling Siri (it’s a personal assistant)
• Erase data after 10 failed attempts (unless you have kids)
• Note that a fingerprint is a username, but Touch ID is still a good trade-off

iOS
• Control Centre → Access on Lock Screen
• Privacy → Advertising → Limit Ad Tracking
• Safari → Content Blockers (get one of these)
• App Transport Security - HTTPS enforced in apps

iOS
Consider what a thief can do with your phone when it’s locked. What would you do? Put it in airplane mode?

Required to unlock your device at the airport?

Diving into the shell

Exploring SSH

SSH config
• DSA: Nopes, nopes all around
• RSA 1024 bits: Red flag
• RSA 2048 bits: Yellow flag
• RSA 4096 bits: Well OK
• ECDSA: Now we’re talking
• Ed25519: Aww yes, sweet sweet encryption

Credits: https://blog.g3rt.nl/upgrade-your-ssh-keys.html

mkdir -p ~/.ssh   # Create SSH folder (no error if it already exists)
cd ~/.ssh         # Go into your SSH folder

# Choose one:
ssh-keygen -t rsa -b 4096 -f id_rsa         # Always works
ssh-keygen -t ecdsa -b 521 -f id_ecdsa      # Better
ssh-keygen -t ed25519 -a 100 -f id_ed25519  # Best

SSH config
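Added example, not from the deck: a small Python audit that takes id_*.pub or authorized_keys lines and applies the flag table above. Rather than trusting the comment at the end of the line, it decodes the OpenSSH wire format (a length-prefixed type string, then the key fields, RSA's modulus as an mpint) so the reported RSA size is the real modulus length. Key material is constructed by make_demo_key, so nothing on disk is needed; the cut-offs between the slide's three RSA sizes (below 2048 red, below 4096 yellow) are my reading of the table, not the author's wording.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, pos: int):
    """Read one length-prefixed field; returns (bytes, new position)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def classify_pubkey(line: str) -> str:
    """Return the slide's verdict for one OpenSSH public-key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    key_type_bytes, pos = _read_string(blob, 0)
    key_type = key_type_bytes.decode()
    if key_type != parts[0]:               # the prefix is untrusted text; the blob decides
        raise ValueError(f"prefix {parts[0]} does not match blob type {key_type}")
    if key_type == "ssh-dss":
        return "DSA: Nopes, nopes all around"
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)          # public exponent, not needed here
        n_bytes, _ = _read_string(blob, pos)       # modulus; its bit length is the key size
        bits = int.from_bytes(n_bytes, "big").bit_length()
        if bits < 2048:
            return f"RSA {bits} bits: Red flag"
        if bits < 4096:
            return f"RSA {bits} bits: Yellow flag"
        return f"RSA {bits} bits: Well OK"
    if key_type.startswith("ecdsa-sha2-"):
        return "ECDSA: Now we’re talking"
    if key_type == "ssh-ed25519":
        return "Ed25519: Aww yes"
    return f"{key_type}: unknown type, review manually"


def make_demo_key(key_type: str, rsa_bits: int = 2048) -> str:
    """Build a syntactically valid public-key line from constructed (not real) key
    material, so the classifier can be exercised without generating a keypair."""
    if key_type == "ssh-rsa":
        n = (1 << (rsa_bits - 1)) | 1                    # exactly rsa_bits long, odd
        blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    elif key_type == "ssh-ed25519":
        blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)
    elif key_type == "ssh-dss":
        blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (3, 5, 7, 11))
    elif key_type == "ecdsa-sha2-nistp521":
        blob = (_ssh_string(b"ecdsa-sha2-nistp521") + _ssh_string(b"nistp521")
                + _ssh_string(b"\x04" + b"\x01" * 132))
    else:
        raise ValueError(key_type)
    return f"{key_type} {base64.b64encode(blob).decode()} demo@example"


if __name__ == "__main__":
    import glob
    import os
    for path in glob.glob(os.path.expanduser("~/.ssh/*.pub")):
        with open(path) as fh:
            print(path, "->", classify_pubkey(fh.readline()))
```

Run it as-is to grade every .pub file in ~/.ssh, or feed it lines from a server's authorized_keys to find the 1024-bit RSA keys that should have been retired.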

Here and there

Nuggets of insight

Your terminal
Prevent a keylogger from recording your keystrokes by enabling “secure keyboard entry” in your terminal.

Your connection
ExpressVPN has a pretty UI and fast connectivity. PrivateInternetAccess (PIA) has a nice kill switch.

Image source: Apple Inc.

Your router
Set up Google’s great DNS and avoid your ISP. Addresses: 8.8.8.8 / 2001:4860:4860::8888 and 8.8.4.4 / 2001:4860:4860::8844

Your history: what’s tracked where and when?

Dropbox shared links https://dropbox.com/links/

Facebook ad settings https://facebook.com/settings?tab=ads

Facebook activity log https://fb.com/your_username/allactivity?log_filter=all

Facebook location history https://fb.com/your_username/allactivity?log_filter=cluster_222

Facebook search history https://fb.com/your_username/allactivity?log_filter=search

Google ad settings http://www.google.com/settings/ads/

Google dashboard https://www.google.com/settings/dashboard

Google search history https://myactivity.google.com/

Google location history https://www.google.com/maps/timeline

Google passwords https://passwords.google.com/

Google permissions https://security.google.com/settings/security/permissions

Google takeout https://www.google.com/takeout/

YouTube search history https://www.youtube.com/feed/history/

Image source: Apple Inc.

Use only your own devices.
Plug a malicious memory stick into your unlocked laptop or a malicious charger into your unlocked phone: ~# pwnd

Think preparation

Scenarios

Someone has changed your postal address, and is ordering credit cards in your name.

Identity theft can get really bad. Especially if someone pretends to be you at a hospital.

The worst part is not knowing what’s next. Years of struggles may lie ahead.

The only proper way to thwart identity theft in Norway is to prevent credit checks of yourself.

Google this: “datatilsynet sperre kredittvurdering”

Your backpack gets stolen tonight. It had your laptop, tablet and phone in it.

1. Not losing data: Continuous full backups of everything to a cloud service like Dropbox. Include dotfiles++

2. Protecting data: Make it impossible to log in. Have at least two emergency contacts in LastPass.

3. Getting the devices back: Have a secure note in your vault with the serial number of your laptop, phone, pad, watch, etc. The police care deeply about serial numbers.

Your laptop is infected with ransomware. Your entire cloud backup is encrypted.

1. Disconnect the patient: Turn off wifi on the infected machine. Then unlink it from Dropbox through the web interface (use another machine for this).

2. Get rid of the malware: Duh.

3. Getting your files back: Roll back files individually or contact Dropbox staff to roll back your entire account to an earlier event. You have 30 days of file version history.

4. Getting your files back #2: For shared folders you need to provide links to the Dropbox staff for each shared folder.

5. Still paranoid? Get a business account with unlimited version history.

Caveat #1: Files are irrecoverable if they have been manually permanently deleted through the web interface.
Caveat #2: You may not notice a slow virus.

Want to get serious? Pay attention to…

Common Vulnerabilities and Exposures

CVE-2016-1740 is an example of a vulnerability

“Common Vulnerabilities and Exposures”. The standard for information security vulnerability naming. https://cve.mitre.org/


“APPLE-SA-2016-09-01-2 (…) El Capitan” is another example

Apple is one of several CVE Numbering Authorities. https://cve.mitre.org/cve/cna.html

Image source: Apple Inc.

Image source: USA Network

Unfortunately…
…all of today’s information will be visible one day, but proper encryption delays that date.

Unfortunately…
…quantum computers are breaking RSA in the lab.

Source: http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment

Fortunately…
…most stuff stops being sensitive over time.

…that your carrier can remotely and silently install Java applets on the SIM-card in your phone and run arbitrary commands.

And if you ever feel too safe, just remember…

Stay safe. Reach me at michael@informatikk.org

Academy
