Cyber Security for Perverts
By: Alex McGeorge
Presented at: Black Rose Tuesday Education, 10/22/13
Version: 3.0
Warnings and such
- I can not answer questions about corporate computer security due to an agreement with my employer
- This presentation is not aimed at IT professionals, though they may enjoy it
- There will be pornography
- There will be gifs!
- A link to this presentation and the handout will appear at the end
- Tested Browsers: Firefox, Google Chrome, YMMV
Notes for the online version
Unfortunately I can't include every single thing I might think of saying when giving this presentation in person, in the online version. I'm
making it available as a reference for those who've seen it in person. If you're viewing this online without having seen the presentation some
information will be disjointed, such is life. If possible I may try to get a recording of the presentation put somewhere online for reference.
An Important Note: Don't be Evil
Courtesy of Shmorky: butthug.com
Who am I?
The First Law Of Security
If someone wants to fuck you bad enough, they will find a way to make it happen
So what now?
You can improve your security posture such that only the most motivated and most skilled can affect you.
But you can't beat everyone
By in large FetLife takes your privacy seriously*
- Both on-site and off-site resources are served over an encrypted channel
- They clearly care about security and privacy from the code we can see
- Hooray!
* I have not done an exhaustive security audit, these are my general impressions
This is my account's picture page as seen in Google Chrome
Let's take a closer look at one of the pictures using the 'Inspect Element' function
What's the URL for one of my pictures?
Here's the whole URL:
https://flpics1.a.ssl.fastly.net/95/95644/0004eb6b-db7f-57da-eac2-a30f8f213f36_110.jpg
- https:// - Schema, tells your browser how to connect
- flpics1.a.ssl.fastly.net - Site*, tells your browser WHERE to connect
- /95/95644/ - Path, where to find the file on the site, note 95644 is my FetLife user number
- 0004eb6b-db7f-57da-eac2-a30f8f213f36_110.jpg - File we want to access, this is (probably) random
* URL parsing is actually very complex so I've simplified it. For more check out
The Tangled Web by Zalewski.
Ok great, so what?
We know how to connect, the site where FetLife pictures live and how to find where on the site all the user's pictures live
Shit, that sounds bad
Not really so bad
- There's not a straight forward way to list the pictures in a given directory
- And we don't have a good way to predict those (probably) random file names
Ok so what's the catch?
The catch
Miss it?
- I'm accessing this picture directly from a different browser that is not logged in
- That means if I know the address of the picture I can see it whenever I want without authentication
- These addresses never (to my knowledge) change
Result: Whenever you friend anyone on FL, they will always be able to see the pictures you had up until you unfriended them. Provided
they wrote down the address to save for later. Or of course they could just download the pictures.
Security Updates
(Sections: 1.1, 2.1, 3.1, 4.3, 5.1)
Definitions
- Bugs - Errors in software
- Vulnerability - A bug with some type of security consequence
- Exploit - A program written to take advantage of a vulnerability in another piece of software
- 0day - A vulnerability (and sometimes exploit) that is known privately but not disclosed publicly
- Malware - Any type of software that intends to maliciously
and persistently alter the normal operations of your computer
How to Think of Software
It can take many kinds of input and preform many kinds of actions
Image courtesy of GitaaOnline: here
Basic Binary Entomology
Unexpected input =>
Software Bug =>
Basic Binary Entomology Pt. II
Sometimes these bugs allow for control of execution which can avoid a crash but make the software behave in a way the attacker chooses
Image courtesy of Squ11head: Deviant Art
Summary
Do I need to apply this security update?
Erotic photo break!
Realistic Expectations
- Anti-Virus will be less effective at preventing attacks
- Anti-Virus will be more effective at cleaning up
- Do I need anti-virus for my Mac? Probably
I'm compromised!
(General guidelines)
- Take the computer off your network
- When you need to update or install AV or anti-malware, take other computers off the network
- Using a separate uninfected computer change all your passwords
- If you have done online shopping from the infected computer, notify your bank/credit for suspicious charges
- Keep rescanning with AV and anti-malware until you receive a clean bill of health, reboot between scans
- Always maintain good backups! Sometimes you have to start from scratch
Summary
- Pick an AV product that annoys you the least and is well reviewed
- Set up weekly scans
- Set it to auto-update itself
Firewalls
Sections: 1.3, 2.2
Summary
- Think of a port as an extension on a switch board
- Programs listen on a specific port
- Firewalls are like operators, they allow or disallow connections based on a set of rules
- While important, they are becoming less of a complete solution with the advent of 'clientside' exploits
- All modern operating systems have good builtin firewalls
The unfriendly network
Section 3.2
Man-in-the-Middle
Someone is getting fucked
Wireless, how does it work?
An attacker enters!
An attack!
6 Degrees of Kevin Beacon
Image courtesy of Google TV
Summary
- By design phones will attempt to connect to networks they've seen before
- This can provide information about where you hang out
- Attackers can choose to impersonate these networks to trick your phone into connecting
- Onces you're connected to an attacker controlled network they can see, intercept and modify your traffic
- Encryption is the solution to this problem
Wireless Networks
Sections: 4.X
Wireless, how does it work?
Attacks against the router itself
From Office Space
Manufacturer Default Passwords
Summary
- WPA2 based authentication is the current secure standard
- WEP and WPS are both broken, disable them
- Your router needs updating too
- Change the default passwords on the router
- Change your wireless keys once every 6 months
The Browser
- The browser parses many types of data
- It's relatively easy to trick or force someone to view something you control
- Unexpected input => software bug => :(
Browser Extensions
- Additional software to render specific content
- Java
- Flash
- Acrobat
- Office Suites
So the sky is falling, now what?
- No browser is perfect but I like Chrome
- Disable as many browser extensions as possible
- Uninstall Java
Browser extensions that can help
What does private browsing actually do?
Make it slightly harder for your S/O to look at your porn history
The Road to El Dorado
Erotic photo break!
Iggy Pop via Dior
Privacy
An enormously deep rabbit hole
Caveats
Good news!
If you are reading this or attending this lecture, you are almost definitely not a priority intelligence target. The NSA does not care what you jerk off to.
Bad news
Even if we spent the entire 90 minutes of this talk discussing privacy, I would be unable to impart enough knowledge for you to avoid being spied upon
by a state sponsored adversary.
Choices
If you're chosing adversaries, choose someone other than the NSA
Realistic choices
Desire | Difficulty |
I don't want other people using this network knowing what I'm doing | Easy |
I don't want my ISP knowing what I'm doing | Easy |
I don't want local law enforcement knowing what I'm doing | Difficult |
I don't want federal law enforcement knowing what I'm doing | Very difficult |
I don't want NSA or allied intelligence agencies knowing what I'm doing | Incredibly difficult |
Tor
Brought to you by =>
Privacy Links
These can get pretty technical but the information is solid