Personal Digital Security
Copyright © 2016-2017 Michael Johansen. Do not distribute without my written consent.
Michael Johansen [email protected]
JavaZone Academy
An example from the real world: How badly you can get hacked
Wired: How Apple and Amazon Security Flaws Led to My Epic Hacking
wired.com/2012/08/apple-amazon-mat-honan-hacking/
Mat Honan
Image source: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired
1. Find the target’s email addresses using the Interwebz.
2. Find the target’s billing address by doing a whois on the target’s personal domain.
3. Generate a fake credit card number.
4. Call Amazon; use the info you have to add the fake credit card to the account.
5. Call Amazon again; use the fake credit card to “prove” your identity and get access.
6. Find the last 4 digits of the real credit card in the Amazon account.
7. Call Apple; use the info you now have (billing address, last 4 digits of the real card) to get access to the iCloud account.
8. The iCloud email was the backup email for Gmail.
9. Rain hell.
“I still can’t get into Gmail. My phone and iPads are down. MacBook is likely irrecoverable. I’ve lost more than a year’s worth of photos, emails, documents, …
It’s been a shitty night.”
Quote source: http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
Apple and Amazon tech support provided access
“If I had (…) used two-factor authentication for Gmail, everything would have stopped here.”
“I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together.”
“…And I should have had a recovery [email] address that’s only used for recovery without being tied to core services.”
Clapping game 👏👏 (clap if this is you)
• I have a few passwords I use just about everywhere.
• But I only use the good password on the important things!
• I haven’t had time to fix all of the password stuff yet, but I will definitely do it one day.
• If I’m being honest with myself, I have lost track of how many user accounts I have out there.
Bad security: The psychology
“Security Fatigue Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests”
Image source: http://www.imedicalapps.com/wp-content/uploads/2015/07/NIST-Logo.jpg
Material source: https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
“Security seems to be cumbersome, just something else to keep up with.”
“…first it gives me a login, then it gives me a site key I have to recognize. Then it gives me a password. So that is enough, don't ask me anything else.”
“I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”
So how do we solve this for all of you? Simple! First we’ll spoon-feed you the basics, and give you good habits that are dead simple to do.
A love/hate relationship: Passwords and you
Michael’s password rules
• Use uncrackable passwords (long and random, not memorable)
• Do not ever reuse a password
• Do not trust your own memory
• Store passwords securely encrypted
• Store passwords safely backed up
• Consider your own demise (who gets access when you are gone?)
• Use 2-factor authentication on all key accounts:
  • Your email (because of the password reset function)
  • Cloud sync accounts (Dropbox++)
  • Social media accounts (Facebook++)
Conclusion: Use a password manager.
What is 2/3-factor authentication?
Something you know: A password
Something you have: A key generator
Something you are: A fingerprint
Get 2-factor authentication now
• Download LastPass’ or Google’s Authenticator on your phone.
• Set up for Google, Dropbox, GitHub.
• Apple uses your other devices (and more) for 2-factor.
• Facebook uses its own in-app 2-factor system.
• LinkedIn sends SMS with 2-factor codes. (SMS is the weakest of these options; prefer an authenticator app wherever one is offered.)
Caveat for Apple users: Apple has two different systems, the older “2-step verification” and the newer “2-factor authentication”. Make sure it is the latter you have enabled.
Warning: losing your authenticator
If you lose your authenticator and access to your backup codes, you will be locked out of your accounts even though you have the password. This can be remedied by using a backup email address that nobody knows about (and that is used for nothing else), without 2-factor.
YubiKey
Using a YubiKey means an attacker must steal the physical key (on top of knowing the password) to gain access.
Image source: Yubico AB
U pwnd?
Sign up for breach notifications at https://haveibeenpwned.com/
Diving into the password manager: Exploring LastPass
Google this: “The Best Password Managers for 2016”: pcmag.com/article2/0,2817,2407168,00.asp
Avoid deterministic password managers
1. Can’t use varying password policies (without keeping state)
2. Can’t revoke passwords (without keeping state)
3. Can’t store existing secrets
4. Exposing the master password exposes all passwords
Source: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers
LastPass
• Super cross platform
• Shared folders
• Secure notes with backup codes, PIN codes, last will
• Security challenge
• Emergency access
• Binary component (extension → about → install binary component)
• Settings → Lock / logout after idle / screensaver / whatever
• Use only your own devices to log in. This is your life now. (☉_☉)
Copy password: Cmd + C
Launch site: Enter
Diving into the OS: Exploring macOS
macOS
• Sleep (Cmd + Alt + Power)
• Lock (Ctrl + Shift + Power) ← learn it, use it
• Keychain Access and XProtect
• System settings
  • Security and Privacy
    • General → Require password immediately, use lock message
    • FileVault → Full disk encryption
    • Firewall → Enable, consider stealth mode
    • Privacy → Location services → Show icon when active
  • iCloud
    • Keychain
    • Find My Mac (Mat Honan doesn’t like this!)
  • Network
    • Advanced → Remove old wifi networks
    • Advanced → Require admin access to change anything
  • Sharing
    • Disable all unnecessary services
    • Consider using a non-descript computer name
  • App Store
    • Auto-install security updates
OS defense / offense
macOS defense
• https://github.com/drduh/macOS-Security-and-Privacy-Guide
• “Mac OS X Maximum Security” (John Ray, William Ray)
Linux defense / offense
• Defense: https://selinuxproject.org/
• Offense: https://www.kali.org/
Windows defense
• At least disable the privacy-invading features!
Kali image source: https://www.offensive-security.com/wp-content/uploads/2015/06/home-kali-slider-1.png
SELinux image source: https://www.drupalwatchdog.com/sites/default/files/images/web/selinux-penguin-new_medium.png
Diving into the browser: Exploring Chrome
Google Chrome is evergreen (it updates itself automatically).
Image source: https://evolution-of-apps.firebaseapp.com/images/chrome-evergreen.png
Marking HTTP as insecure
The transition of the entire web to HTTPS has begun.
T0: Insecure origins unmarked
T1 (now): Insecure origins marked as dubious
T2: Insecure origins marked as insecure
T3: Secure origins unmarked
chromium.org/Home/chromium-security/marking-http-as-non-secure
Aug. 2016
Image source: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html?m=1
Chrome extensions & plugins
chrome://extensions
• uBlock Origin
• Privacy Badger / Disconnect / Ghostery
• HTTPS Everywhere
• Uninstall “Hola!” immediately
• Uninstall the ones you don’t recognize
chrome://plugins
• Disable unnecessary/unknown plugins
chrome://help
• Check for update failure
Chrome settings
Search engines
• Manage search engines
• https://encrypted.google.com/search?q=%s
Privacy
• Content settings → Cookies → Block 3rd party cookies
• Content settings → Flash → Block sites from running Flash
• Do not track
Passwords and forms
• Don’t save passwords, delete the saved ones (the password manager does this job)
• Disable autofill
Google this: “robinlinus fingerprint"
Privacy-focused browsers have unfortunate trade-offs
Hidden Reflex
• 2010 - Epic Browser (Firefox → 2013 → Chrome)
Comodo
• 2011 - Comodo Dragon (Chrome)
• 2012 - Comodo IceDragon (Firefox)
• 2015 - Chromodo (Chrome) - Called out by Google for being really insecure
However:
• New and unknown zero days (the fork’s own added code brings its own bugs)
• Browser core lagging behind the parent browser (upstream security fixes arrive late)
Diving into the phone: Exploring iOS
iOS
Notifications
• Messages → Show Previews (PINs sent by SMS are otherwise readable on the lock screen)
Touch ID & Passcode
• Change passcode → Custom alphanumeric
• Require passcode → Immediately
• Consider disabling Siri on the lock screen (it’s a personal assistant)
• Erase data after 10 failed attempts (unless you have kids)
• Note that a fingerprint is a username, not a password, but Touch ID is still a good trade-off
iOS
• Control Centre → Access on Lock Screen (turn it off: otherwise anyone holding the locked phone can switch on airplane mode)
• Privacy → Advertising → Limit Ad Tracking
• Safari → Content Blockers (get one of these)
• App Transport Security - HTTPS enforced in apps
iOS
Consider what a thief can do with your phone when it’s locked. What would you do? Put it in airplane mode?
Required to unlock your device at the airport?
Diving into the shell: Exploring SSH
SSH config
DSA: Nopes, nopes all around
RSA 1024 bits: Red flag
RSA 2048 bits: Yellow flag
RSA 4096 bits: Well OK
ECDSA: Now we’re talking
Ed25519: Aww yes, sweet sweet signatures
Credits: https://blog.g3rt.nl/upgrade-your-ssh-keys.html

mkdir -p ~/.ssh && chmod 700 ~/.ssh   # Create SSH folder (if it does not exist), owner-only
cd ~/.ssh                             # Go into your SSH folder
# Choose one (-a 100: 100 KDF rounds on the passphrase; -o: new, slower-to-crack key format):
ssh-keygen -t rsa -b 4096 -o -a 100 -f id_rsa      # Always works
ssh-keygen -t ecdsa -b 521 -o -a 100 -f id_ecdsa   # Better
ssh-keygen -t ed25519 -a 100 -f id_ed25519         # Best (always uses the new format)
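To see where the keys you already have sit on the scale above, you do not need ssh-keygen: every line in ~/.ssh/*.pub and ~/.ssh/authorized_keys carries the key as a base64 blob in the RFC 4253 wire encoding (length-prefixed strings and mpints), so the type and the RSA modulus size can be read straight out of it. The Python below is an added example, not code from the slides or from the linked post; the authorized_keys text it audits is constructed, with filler bytes in place of real key material, so the ratings are the only thing to trust in it.

```python
import base64
import struct

# --- RFC 4251 wire types: "string" = 4-byte big-endian length + bytes, "mpint" = string of a big-endian integer ---

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    # Positive mpint: big-endian with a leading 0x00 byte when the high bit would be set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, pos: int):
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

# --- parsing ---

def parse_pubkey(line: str) -> dict:
    """Decode one id_*.pub / authorized_keys line into key type, size in bits and comment."""
    parts = line.split()
    # authorized_keys lines may start with options (no-pty,from="10.0.0.5"); find the type token.
    # (Quoted option values containing spaces are not handled by this simple split.)
    idx = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-sha2-")))
    keytype, blob = parts[idx], base64.b64decode(parts[idx + 1])
    wire_type, pos = _read_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError(f"type token {keytype} does not match blob type {wire_type!r}")
    info = {"type": keytype, "comment": " ".join(parts[idx + 2:])}
    if keytype == "ssh-rsa":                       # RFC 4253: mpint e, mpint n
        _e, pos = _read_string(blob, pos)
        n, pos = _read_string(blob, pos)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-dss":                     # RFC 4253: mpint p, q, g, y; p gives the size
        p, pos = _read_string(blob, pos)
        info["bits"] = int.from_bytes(p, "big").bit_length()
    elif keytype.startswith("ecdsa-sha2-"):        # RFC 5656: string curve, string Q
        curve, pos = _read_string(blob, pos)
        info["bits"] = {"nistp256": 256, "nistp384": 384, "nistp521": 521}[curve.decode()]
    elif keytype == "ssh-ed25519":                 # string 32-byte public key
        info["bits"] = 256
    return info

def rate(info: dict) -> str:
    """Map a parsed key onto the slide's flags."""
    t, bits = info["type"], info.get("bits", 0)
    if t == "ssh-dss":
        return "RED: DSA, replace"
    if t == "ssh-rsa":
        if bits < 2048:
            return "RED: RSA < 2048"
        return "YELLOW: RSA 2048" if bits < 4096 else "OK: RSA 4096"
    if t.startswith("ecdsa-sha2-"):
        return "GOOD: ECDSA"
    if t == "ssh-ed25519":
        return "BEST: Ed25519"
    return "UNKNOWN"

def audit(text: str) -> list:
    """Return (comment, rating) for every key line in an authorized_keys-style text."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = parse_pubkey(line)
        out.append((info["comment"], rate(info)))
    return out

# --- constructed sample: valid wire format, NOT real keys (fixed filler bytes, toy moduli) ---

def _line(keytype: bytes, body: bytes, comment: str) -> str:
    blob = _ssh_string(keytype) + body
    return f"{keytype.decode()} {base64.b64encode(blob).decode()} {comment}"

def rsa_line(bits: int, comment: str) -> str:
    n = (1 << (bits - 1)) | 1                      # a number of exactly `bits` bits, stands in for a modulus
    return _line(b"ssh-rsa", _mpint(65537) + _mpint(n), comment)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    _line(b"ssh-dss", _mpint((1 << 1023) | 1) + _mpint(1) + _mpint(2) + _mpint(3), "old-dsa@laptop"),
    rsa_line(1024, "legacy@nas"),
    rsa_line(2048, "work@desktop"),
    rsa_line(4096, "backup@vault"),
    'from="10.0.0.5",no-pty ' + _line(b"ecdsa-sha2-nistp521",
                                      _ssh_string(b"nistp521") + _ssh_string(b"\x04" + bytes(132)), "ci@runner"),
    _line(b"ssh-ed25519", _ssh_string(bytes(32)), "me@2017"),
])

if __name__ == "__main__":
    for comment, verdict in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{verdict:20} {comment}")
```

To run it over your own keys, feed `audit()` the contents of ~/.ssh/authorized_keys on every server you can log in to: the entries you no longer recognise are as important as the weak ones, because each of them is a standing login.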
Here and there: Nuggets of insight
Your terminal
Prevent a keylogger from recording your keystrokes by enabling “secure keyboard entry” in your terminal (it stops other applications from intercepting what you type into the terminal window).
Your connection
ExpressVPN has a pretty UI and fast connectivity. PrivateInternetAccess (PIA) has a nice kill switch.
Image source: Apple Inc.
Your router
Set up Google’s public DNS and avoid your ISP’s resolver. Addresses: 8.8.8.8 / 2001:4860:4860::8888 and 8.8.4.4 / 2001:4860:4860::8844. (This moves the trust from your ISP to Google; the queries themselves still travel unencrypted.)
Your history: what’s tracked where and when?
Dropbox shared links https://dropbox.com/links/
Facebook ad settings https://facebook.com/settings?tab=ads
Facebook activity log https://fb.com/your_username/allactivity?log_filter=all
Facebook location history https://fb.com/your_username/allactivity?log_filter=cluster_222
Facebook search history https://fb.com/your_username/allactivity?log_filter=search
Google ad settings http://www.google.com/settings/ads/
Google dashboard https://www.google.com/settings/dashboard
Google search history https://myactivity.google.com/
Google location history https://www.google.com/maps/timeline
Google passwords https://passwords.google.com/
Google permissions https://security.google.com/settings/security/permissions
Google takeout https://www.google.com/takeout/
YouTube search history https://www.youtube.com/feed/history/
Image source: Apple Inc.
Use only your own devices.
Plug a malicious memory stick into your unlocked laptop or a malicious charger into your unlocked phone: ~# pwnd
Think preparation: Scenarios
Someone has changed your postal address, and is ordering credit cards in your name.
Identity theft can get really bad. Especially if someone pretends to be you at a hospital.
The worst part is not knowing what’s next. Years of struggles may lie ahead.
The only proper way to thwart identity theft in Norway is to block credit checks on yourself.
Google this: “datatilsynet sperre kredittvurdering”
Your backpack gets stolen tonight. It had your laptop, tablet and phone in it.
1. Not losing data: Continuous full backups of everything to a cloud service like Dropbox. Include dotfiles++
2. Protecting data: Make it impossible to log in (full disk encryption, strong passcodes, locked screens). Have at least two emergency contacts in LastPass.
3. Getting the devices back: Have a secure note in your vault with the serial number of your laptop, phone, pad, watch, etc. The police care deeply about serial numbers.
Your laptop is infected with ransomware. Your entire cloud backup is encrypted.
1. Disconnect the patient: Turn off wifi on the infected machine. Then unlink it from Dropbox through the web interface (use another machine for this).
2. Get rid of the malware: Duh.
3. Getting your files back: Roll back files individually or contact Dropbox staff to roll back your entire account to an earlier event. You have 30 days of file version history.
4. Getting your files back #2: For shared folders you need to provide links to the Dropbox staff for each shared folder.
5. Still paranoid? Get a business account with unlimited version history.
Caveat #1: Files are irrecoverable if they have been manually permanently deleted through the web interface.
Caveat #2: You may not notice a slow virus (one that encrypts files gradually, so the clean versions have aged out of the 30-day history by the time you notice).
Want to get serious? Pay attention to… Common Vulnerabilities and Exposures
CVE-2016-1740 is an example of a vulnerability identifier.
“Common Vulnerabilities and Exposures”: the standard for information security vulnerability naming. https://cve.mitre.org/
“APPLE-SA-2016-09-01-2 (…) El Capitan” is another example: a vendor security advisory, which lists the CVE IDs it fixes.
Apple is one of several CVE Numbering Authorities. https://cve.mitre.org/cve/cna.html
Image source: Apple Inc.
Image source: USA Network
Unfortunately… all of today’s information will be visible one day, but proper encryption delays that date.
Unfortunately… quantum computers are breaking RSA in the lab (so far only at toy sizes: the linked experiment factors the number 15 with five atoms).
Source: http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment
Fortunately… most stuff stops being sensitive over time.
And if you ever feel too safe, just remember… that your carrier can remotely and silently install Java applets on the SIM card in your phone and run arbitrary commands.
Stay safe. Reach me at [email protected]