
Personal Digital Security (JavaZone Academy 2017)


Page 1: Personal Digital Security (JavaZone Academy 2017)

Personal Digital Security

Copyright © 2016-2017 Michael Johansen. Do not distribute without my written consent.

Michael Johansen [email protected]

JavaZone Academy

Page 2: Personal Digital Security (JavaZone Academy 2017)

How badly you can get hacked

An example from the real world

Page 3: Personal Digital Security (JavaZone Academy 2017)

Wired: How Apple and Amazon Security Flaws Led to My Epic Hacking

wired.com/2012/08/apple-amazon-mat-honan-hacking/

Mat Honan

Image source: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired

Page 4: Personal Digital Security (JavaZone Academy 2017)

1. Find target’s email addresses using the Interwebz


Page 5: Personal Digital Security (JavaZone Academy 2017)

2. Find target’s billing address by doing a whois on target’s personal domain


Page 6: Personal Digital Security (JavaZone Academy 2017)

3. Generate fake credit card number


Page 7: Personal Digital Security (JavaZone Academy 2017)

4. Call Amazon, use info you have to add fake credit card


Page 8: Personal Digital Security (JavaZone Academy 2017)

5. Call Amazon again, use fake credit card to prove identity, get access


Page 9: Personal Digital Security (JavaZone Academy 2017)

6. Find last 4 digits of real credit card in Amazon account


Page 10: Personal Digital Security (JavaZone Academy 2017)

7. Call Apple, use info you have to get access to iCloud account


Page 11: Personal Digital Security (JavaZone Academy 2017)

8. iCloud email was backup email for Gmail


Page 12: Personal Digital Security (JavaZone Academy 2017)

9. Rain hell


Page 13: Personal Digital Security (JavaZone Academy 2017)

“I still can’t get into Gmail. My phone and iPads are down. MacBook is likely irrecoverable. I’ve lost at more than a year’s worth of photos, emails, documents, …

It’s been a shitty night.”

Quote source: http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

Page 14: Personal Digital Security (JavaZone Academy 2017)

Apple and Amazon tech support provided access

“If I had (…) used two-factor authentication for Gmail, everything would have stopped here.”

“I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together.”

“…And I should have had a recovery [email] address that’s only used for recovery without being tied to core services.”


Page 15: Personal Digital Security (JavaZone Academy 2017)

clapping game 👏👏


Page 16: Personal Digital Security (JavaZone Academy 2017)

I have a few passwords I use just about everywhere.


Page 17: Personal Digital Security (JavaZone Academy 2017)

But I only use the good password on the important things!


Page 18: Personal Digital Security (JavaZone Academy 2017)

I haven’t had time to fix all of the password stuff yet, but I will definitely do it one day.


Page 19: Personal Digital Security (JavaZone Academy 2017)

If I’m being honest with myself, I have lost track of how many user accounts I have out there.


Page 20: Personal Digital Security (JavaZone Academy 2017)

The psychology

Bad security

Page 21: Personal Digital Security (JavaZone Academy 2017)

“Security Fatigue Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests”

Image source: http://www.imedicalapps.com/wp-content/uploads/2015/07/NIST-Logo.jpg

Material source: https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly

Page 22: Personal Digital Security (JavaZone Academy 2017)

“Security seems to be cumbersome, just something else to keep up with.”

“…first it gives me a login, then it gives me a site key I have to recognize. Then it gives me a password. So that is enough, don't ask me anything else.”

“I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”


Page 23: Personal Digital Security (JavaZone Academy 2017)

So how do we solve this for all of you?


Page 24: Personal Digital Security (JavaZone Academy 2017)

Simple!


Page 25: Personal Digital Security (JavaZone Academy 2017)

First we’ll spoon-feed you the basics, and give you good habits that are dead simple to do.


Page 26: Personal Digital Security (JavaZone Academy 2017)

Passwords and you

A love/hate relationship

Page 27: Personal Digital Security (JavaZone Academy 2017)

Michael’s password rules

Rules
• Use uncrackable passwords
• Do not ever reuse a password
• Do not trust your own memory
• Store passwords securely encrypted
• Store passwords safely backed up
• Consider your own demise
• Use 2-factor authentication on all key accounts
  • Your email (because of the password reset function)
  • Cloud sync accounts (Dropbox++)
  • Social media accounts (Facebook++)

Conclusion: Use a password manager.

Page 28: Personal Digital Security (JavaZone Academy 2017)

What is 2/3 factor authentication?

Something you know: A password

Something you have: A key generator

Something you are: A fingerprint

Page 29: Personal Digital Security (JavaZone Academy 2017)

Authenticator


Page 30: Personal Digital Security (JavaZone Academy 2017)


Page 31: Personal Digital Security (JavaZone Academy 2017)

Get 2-factor authentication now

Download LastPass’ or Google’s Authenticator on your phone.

Set up for Google, Dropbox, GitHub.

Apple uses your other devices (and more) for 2-factor.

Facebook uses its own in-app 2-factor system.

LinkedIn sends SMS with 2-factor codes.

Page 32: Personal Digital Security (JavaZone Academy 2017)

Caveat for Apple users: 2-step verification vs. 2-factor authentication

Page 33: Personal Digital Security (JavaZone Academy 2017)

Warning: losing your authenticator

If you lose your authenticator and access to your backup codes, you will be locked out of your accounts even though you have the password. This can be remedied by using a backup email address that nobody knows about, without 2-factor.

Page 34: Personal Digital Security (JavaZone Academy 2017)

YubiKey

Image source: Yubico AB

Page 35: Personal Digital Security (JavaZone Academy 2017)

YubiKey

Using a YubiKey means an attacker must steal a physical key to gain access.

Page 36: Personal Digital Security (JavaZone Academy 2017)

U pwnd?

Sign up for this service: https://haveibeenpwned.com/

Page 37: Personal Digital Security (JavaZone Academy 2017)

Exploring LastPass

Diving into the password manager

Page 38: Personal Digital Security (JavaZone Academy 2017)


Page 39: Personal Digital Security (JavaZone Academy 2017)


Page 40: Personal Digital Security (JavaZone Academy 2017)


Page 41: Personal Digital Security (JavaZone Academy 2017)


Page 42: Personal Digital Security (JavaZone Academy 2017)


Page 43: Personal Digital Security (JavaZone Academy 2017)

Google this: “The Best Password Managers for 2016”: pcmag.com/article2/0,2817,2407168,00.asp


Page 44: Personal Digital Security (JavaZone Academy 2017)

Avoid deterministic password managers
1. Can’t use varying password policies (without keeping state)
2. Can’t revoke passwords (without keeping state)
3. Can’t store existing secrets
4. Exposing master password exposes all passwords

Source: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers

Page 45: Personal Digital Security (JavaZone Academy 2017)

LastPass
• Super cross platform
• Shared folders
• Secure notes with backup codes, pin codes, last will
• Security challenge
• Emergency access
• Binary component (extension → about → install binary component)
• Settings → Lock / logout after idle / screensaver / whatever
• Use only your own devices to log in, this is your life now. (☉_☉)

Page 46: Personal Digital Security (JavaZone Academy 2017)

Copy password: Cmd + C

Launch site: Enter

Page 47: Personal Digital Security (JavaZone Academy 2017)


Page 48: Personal Digital Security (JavaZone Academy 2017)

Exploring macOS

Diving into the OS

Page 49: Personal Digital Security (JavaZone Academy 2017)


Page 50: Personal Digital Security (JavaZone Academy 2017)

macOS
• Sleep (Cmd + Alt + Power)
• Lock (Ctrl + Shift + Power) ← learn it, use it
• Keychain Access and XProtect
• System settings → Security and Privacy
  • General → Require password immediately, use lock message
  • FileVault → Full disk encryption
  • Firewall → Enable, consider stealth mode
  • Privacy → Location services → Show icon when active

Page 51: Personal Digital Security (JavaZone Academy 2017)

macOS
• System settings
  • iCloud
    • Keychain
    • Find My Mac (Mat Honan doesn’t like this!)
  • Network
    • Advanced → Remove old wifi networks
    • Advanced → Require admin access to change anything
  • Sharing
    • Disable all unnecessary services
    • Consider using a nondescript computer name
  • App Store
    • Auto-install security updates

Page 52: Personal Digital Security (JavaZone Academy 2017)

OS defense / offense

macOS defense
• https://github.com/drduh/macOS-Security-and-Privacy-Guide
• “Mac OS X Maximum Security” (John Ray, William Ray)

Linux defense / offense
• Defense: https://selinuxproject.org/
• Offense: https://www.kali.org/

Windows defense
• At least disable privacy invasion features!

Kali image source: https://www.offensive-security.com/wp-content/uploads/2015/06/home-kali-slider-1.png

SELinux image source: https://www.drupalwatchdog.com/sites/default/files/images/web/selinux-penguin-new_medium.png

Page 53: Personal Digital Security (JavaZone Academy 2017)

Exploring Chrome

Diving into the browser

Page 54: Personal Digital Security (JavaZone Academy 2017)

Google Chrome is evergreen

Image source: https://evolution-of-apps.firebaseapp.com/images/chrome-evergreen.png

Page 55: Personal Digital Security (JavaZone Academy 2017)


Page 56: Personal Digital Security (JavaZone Academy 2017)


Page 57: Personal Digital Security (JavaZone Academy 2017)

Marking HTTP as insecure

The transition of the entire web to HTTPS has begun.

T0: Insecure origins unmarked
T1 (now): Insecure origins marked as dubious
T2: Insecure origins marked as insecure
T3: Secure origins unmarked

chromium.org/Home/chromium-security/marking-http-as-non-secure

Page 58: Personal Digital Security (JavaZone Academy 2017)

Marking HTTP as insecure

Aug. 2016

Image source: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html?m=1

Page 59: Personal Digital Security (JavaZone Academy 2017)

Marking HTTP as insecure

Image source: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html?m=1

Page 60: Personal Digital Security (JavaZone Academy 2017)

Chrome extensions & plugins

chrome://extensions
• uBlock Origin
• Privacy Badger / Disconnect / Ghostery
• HTTPS Everywhere
• Uninstall “Hola!” immediately
• Uninstall the ones you don’t recognize

chrome://plugins
• Disable unnecessary/unknown plugins

Page 61: Personal Digital Security (JavaZone Academy 2017)

chrome://help
• Check for update failure

Page 62: Personal Digital Security (JavaZone Academy 2017)

Chrome settings

Search engines
• Manage search engines → https://encrypted.google.com/search?q=%s

Privacy
• Content settings → Cookies → Block 3rd party cookies
• Content settings → Flash → Block sites from running Flash
• Do not track

Passwords and forms
• Don’t save passwords, delete the saved ones
• Disable autofill

Page 63: Personal Digital Security (JavaZone Academy 2017)

Google this: “robinlinus fingerprint”

Page 64: Personal Digital Security (JavaZone Academy 2017)

Privacy-focused browsers have unfortunate trade-offs

Hidden Reflex
• 2010 - Epic Browser (Firefox → 2013 → Chrome)

Comodo
• 2011 - Comodo Dragon (Chrome)
• 2012 - Comodo IceDragon (Firefox)
• 2015 - Chromodo (Chrome) - Called out by Google for being really insecure

However:
• New and unknown zero days
• Browser core lagging behind its “parent”

Page 65: Personal Digital Security (JavaZone Academy 2017)

Exploring iOS

Diving into the phone

Page 66: Personal Digital Security (JavaZone Academy 2017)

iOS

Notifications
• Messages → Show Previews (PINs sent by SMS)

Touch ID & Passcode
• Change passcode → Custom alphanumeric
• Require passcode → Immediately
• Consider disabling Siri (it’s a personal assistant)
• Erase data after 10 failed attempts (unless you have kids)
• Note that a fingerprint is a username, but Touch ID is still a good trade-off

Page 67: Personal Digital Security (JavaZone Academy 2017)


Page 68: Personal Digital Security (JavaZone Academy 2017)

iOS
• Control Centre → Access on Lock Screen
• Privacy → Advertising → Limit Ad Tracking
• Safari → Content Blockers (get one of these)
• App Transport Security - HTTPS enforced in apps

Page 69: Personal Digital Security (JavaZone Academy 2017)


Page 70: Personal Digital Security (JavaZone Academy 2017)

iOS

Consider what a thief can do with your phone when it’s locked. What would you do? Put it in airplane mode?

Required to unlock your device at the airport?

Page 71: Personal Digital Security (JavaZone Academy 2017)

Exploring SSH

Diving into the shell

Page 72: Personal Digital Security (JavaZone Academy 2017)

SSH config
• DSA: Nopes, nopes all around
• RSA 1024 bits: Red flag
• RSA 2048 bits: Yellow flag
• RSA 4096 bits: Well OK
• ECDSA: Now we’re talking
• Ed25519: Aww yes, sweet sweet encryption

Page 73: Personal Digital Security (JavaZone Academy 2017)

SSH config

    mkdir -p ~/.ssh                              # Create SSH folder (no error if it already exists)
    cd ~/.ssh                                    # Go into your SSH folder

    # Choose one:
    ssh-keygen -t rsa -b 4096 -f id_rsa          # Always works
    ssh-keygen -t ecdsa -b 521 -f id_ecdsa       # Better
    ssh-keygen -t ed25519 -a 100 -f id_ed25519   # Best

Credits: https://blog.g3rt.nl/upgrade-your-ssh-keys.html
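Added here as an example, not from the talk or the credited blog post: a small audit that decodes the public-key blob on each line of an id_*.pub or authorized_keys file, reads the key type and size straight from the SSH wire format (so it also catches a weak key somebody else added to your authorized_keys), and rates it on the scale of the previous slide. parse_public_key, rate_key, audit and sample_key_line are my own names; the sample lines are constructed, with correct wire format but dummy numbers instead of real keys.

```python
import base64
import binascii
import struct

def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length

def parse_public_key(line: str):
    """Return (key_type, bits) for one id_*.pub / authorized_keys line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    raw_type, off = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("type prefix does not match blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)        # e comes first, then n
        modulus, _ = _read_string(blob, off)
        return key_type, int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)                  # key size is the size of p
        return key_type, int.from_bytes(p, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)              # e.g. b"nistp521"
        return key_type, int(curve.decode("ascii")[len("nistp"):])
    if key_type == "ssh-ed25519":
        return key_type, 256
    raise ValueError(f"unsupported key type {key_type}")

def rate_key(key_type: str, bits: int) -> str:
    """Map a key onto the slide's scale: nope / red / yellow / ok / good / best."""
    if key_type == "ssh-dss":
        return "nope"
    if key_type == "ssh-rsa":
        return "red" if bits < 2048 else "yellow" if bits < 4096 else "ok"
    if key_type.startswith("ecdsa-sha2-"):
        return "good"
    if key_type == "ssh-ed25519":
        return "best"
    return "unknown"

def audit(lines):
    """Rate every key in authorized_keys-style text; unparsable lines are reported, not dropped."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key_type, bits = parse_public_key(line)
            report.append((key_type, bits, rate_key(key_type, bits)))
        except (ValueError, struct.error, binascii.Error) as exc:
            report.append(("invalid", 0, str(exc)))
    return report

# Constructed sample input (test data only): the wire format is right, the numbers are dummies.
def _string(raw: bytes) -> bytes:
    return struct.pack(">I", len(raw)) + raw

def _mpint(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return _string(b"\x00" + raw if raw[0] & 0x80 else raw)   # sign byte keeps it positive

def sample_key_line(key_type: str, bits: int = 0) -> str:
    """Build a syntactically valid public-key line of the given type and size."""
    dummy = (1 << (bits - 1)) | 1 if bits else 0    # exact bit length, not a real key
    if key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(dummy)
    elif key_type == "ssh-dss":
        blob = _string(b"ssh-dss") + _mpint(dummy)  # only p is needed for the size check
    elif key_type == "ssh-ed25519":
        blob = _string(b"ssh-ed25519") + _string(bytes(32))
    else:  # ecdsa-sha2-nistpNNN
        curve = key_type[len("ecdsa-sha2-"):].encode("ascii")
        blob = _string(key_type.encode("ascii")) + _string(curve) + _string(bytes(65))
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} user@example"
```

Run it over the real files with `audit(open("~/.ssh/authorized_keys").readlines())` (path expanded) to see which entries the slide would flag.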

Page 74: Personal Digital Security (JavaZone Academy 2017)

Nuggets of insight

Here and there

Page 75: Personal Digital Security (JavaZone Academy 2017)

Your terminal

Prevent a keylogger from recording your keystrokes by enabling “secure keyboard entry” in your terminal.

Page 76: Personal Digital Security (JavaZone Academy 2017)

Your connection

ExpressVPN has a pretty UI and fast connectivity. PrivateInternetAccess (PIA) has a nice kill switch.

Page 77: Personal Digital Security (JavaZone Academy 2017)


Page 78: Personal Digital Security (JavaZone Academy 2017)

Your router

Set up Google’s great DNS and avoid your ISP.
Addresses: 8.8.8.8 / 2001:4860:4860::8888 and 8.8.4.4 / 2001:4860:4860::8844

Image source: Apple Inc.

Page 79: Personal Digital Security (JavaZone Academy 2017)

Your history: what’s tracked where and when?

Dropbox shared links https://dropbox.com/links/

Facebook ad settings https://facebook.com/settings?tab=ads

Facebook activity log https://fb.com/your_username/allactivity?log_filter=all

Facebook location history https://fb.com/your_username/allactivity?log_filter=cluster_222

Facebook search history https://fb.com/your_username/allactivity?log_filter=search

Google ad settings http://www.google.com/settings/ads/

Google dashboard https://www.google.com/settings/dashboard

Google search history https://myactivity.google.com/

Google location history https://www.google.com/maps/timeline

Google passwords https://passwords.google.com/

Google permissions https://security.google.com/settings/security/permissions

Google takeout https://www.google.com/takeout/

YouTube search history https://www.youtube.com/feed/history/

Page 80: Personal Digital Security (JavaZone Academy 2017)

Use only your own devices.

Plug a malicious memory stick into your unlocked laptop or a malicious charger into your unlocked phone: ~# pwnd

Image source: Apple Inc.

Page 81: Personal Digital Security (JavaZone Academy 2017)

Scenarios

Think preparation

Page 82: Personal Digital Security (JavaZone Academy 2017)

Someone has changed your postal address, and is ordering credit cards in your name.

Page 83: Personal Digital Security (JavaZone Academy 2017)

Someone has changed your postal address, and is ordering credit cards in your name.

Identity theft can get really bad. Especially if someone pretends to be you at a hospital.

The worst part is not knowing what’s next. Years of struggles may lie ahead.

The only proper way to thwart identity theft in Norway is to prevent credit checks of yourself.

Google this: “datatilsynet sperre kredittvurdering”


Page 84: Personal Digital Security (JavaZone Academy 2017)

Your backpack gets stolen tonight. It had your laptop, tablet and phone in it.

Page 85: Personal Digital Security (JavaZone Academy 2017)

Your backpack gets stolen tonight. It had your laptop, tablet and phone in it.

1. Not losing data: Continuous full backups of everything to a cloud service like Dropbox. Include dotfiles++

2. Protecting data: Make it impossible to log in. Have at least two emergency contacts in LastPass.

3. Getting the devices back: Have a secure note in your vault with the serial number of your laptop, phone, pad, watch, etc. The police care deeply about serial numbers.

Page 86: Personal Digital Security (JavaZone Academy 2017)

Your laptop is infected with ransomware. Your entire cloud backup is encrypted.

Page 87: Personal Digital Security (JavaZone Academy 2017)

Your laptop is infected with ransomware. Your entire cloud backup is encrypted.

1. Disconnect the patient: Turn off wifi on the infected machine. Then disconnect it from Dropbox through the web interface (use another machine for this).

2. Get rid of the malware: Duh.

3. Getting your files back: Roll back files individually or contact Dropbox staff to roll back your entire account to an earlier event. You have 30 days of file version history.

Page 88: Personal Digital Security (JavaZone Academy 2017)

Your laptop is infected with ransomware. Your entire cloud backup is encrypted.

4. Getting your files back #2: For shared folders you need to provide links to the Dropbox staff for each shared folder.

5. Still paranoid? Get a business account with unlimited version history.

Caveat #1: Files are irrecoverable if they have been manually permanently deleted through the web interface.
Caveat #2: You may not notice a slow virus.

Page 89: Personal Digital Security (JavaZone Academy 2017)


Page 90: Personal Digital Security (JavaZone Academy 2017)

Common Vulnerabilities and Exposures

Want to get serious? Pay attention to…

Page 91: Personal Digital Security (JavaZone Academy 2017)

CVE-2016-1740 is an example of a vulnerability

“Common Vulnerabilities and Exposures”. The standard for information security vulnerability naming. https://cve.mitre.org/


Page 92: Personal Digital Security (JavaZone Academy 2017)

“APPLE-SA-2016-09-01-2 (…) El Capitan” is another example

Apple is one of several CVE Numbering Authorities. https://cve.mitre.org/cve/cna.html


Page 93: Personal Digital Security (JavaZone Academy 2017)


Page 94: Personal Digital Security (JavaZone Academy 2017)

Image source: Apple Inc.

Page 95: Personal Digital Security (JavaZone Academy 2017)


Page 96: Personal Digital Security (JavaZone Academy 2017)


Page 97: Personal Digital Security (JavaZone Academy 2017)


Page 98: Personal Digital Security (JavaZone Academy 2017)

Image source: USA Network

Page 99: Personal Digital Security (JavaZone Academy 2017)

Unfortunately… all of today’s information will be visible one day, but proper encryption delays that date.

Page 100: Personal Digital Security (JavaZone Academy 2017)

Unfortunately… quantum computers are breaking RSA in the lab.

Source: http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment

Page 101: Personal Digital Security (JavaZone Academy 2017)

Fortunately… most stuff stops being sensitive over time.

Page 102: Personal Digital Security (JavaZone Academy 2017)

And if you ever feel too safe, just remember…

…that your carrier can remotely and silently install Java applets on the SIM card in your phone and run arbitrary commands.

Page 103: Personal Digital Security (JavaZone Academy 2017)

Stay safe. Reach me at [email protected]

JavaZone Academy