Your Privacy Online by Alex McGeorge

Version 4.0 - Presented at Black Rose October 27th 2015


Class handout

License

Who am I?

My name is Alex McGeorge and I break into things for a living with Immunity, Inc.

What kinds of things?

  • Websites and applications
  • Networks
  • Other people's software
  • Other people (social engineering)
  • Physical places

I also teach some of these things to others and occasionally I put on a suit and talk into a camera

Why am I here?

  • I'm here to be a resource, to give you straight answers in plain English and to dispel bullshit
  • We have a ton of content to cover

There are some limitations...

  • Unfortunately I am not here to fix your computer
  • I'm not here to recommend specific products or services
  • I'd really prefer not to get into a technical dick showing competition

Why should you care?

You may value your privacy or be worried that someone is actively trying to snoop on you

Some of the topics we cover in this talk will help you make their job more difficult

A disclaimer

I am not an employee of: Facebook, Google, FetLife, Recon, DropBox, Microsoft, etc.

I cannot comment on what they actually do with your data, only on what is possible

Who is this class for?

  1. Non IT professionals
  2. We will also cover only personal privacy and security
  3. This is not a tutorial on breaking the law

A note on choosing your enemies

Nothing I say here will prepare you for a nation state level adversary

Allow me to save you some time: if the NSA is your enemy, you're fucked

As promised there will be porn

A brief note on why I include porn

What does a site know about you?

Let's use FetLife as an example:

  • Your IP address
  • The ISP that owns the IP address
  • The approximate geographic location of that IP
  • All the browsers you've used to access FL
  • The operating systems those have been accessed from
  • Your username, password and one email address
  • Who you're friends with, who you've conversed with, what you've said
  • What profiles you've visited
  • Do you support FL? Name, address, CC
  • Cell phone pictures? Geographic location
  • Your kinks

Does this make FetLife evil?

Not really, any social networking site or forum will have similar information

About Face Recognition and Comparison

Does that actually work?

FetLife profile photo

Talking head photo

It took me about 15m to write up a program to do fairly accurate face detection with freely available libraries

Problems

Q: How do I hide my username/password/email address?

  • Make your username and password unique to each site you're on
    • This is also useful in that if your password on one site is compromised it can't be used against you on others
  • Having a separate email for each site can become impractical but you can have kinky and vanilla addresses

Problems

Q: Can I hide who I'm friends with and who I've conversed with?

  • Not really as this is a core functionality of the site
  • You could have multiple profiles if you wanted but again that would be hard to manage
  • You would have to disguise everything else (IP, browser, etc.) to keep the illusion

Problems

Q: Can I hide what I've said?

  • Yes! You could use PGP to encrypt your messages
  • In our example of FetLife the messaging portion would be cumbersome for this, so instead switch communications channels then encrypt!

Problems

Q: Can I hide my browser and OS?

Problems

Q: What about sanitizing my photos?

  • If your face is in it, completely remove your face. Don't get cute with a blur, it's possible to undo.
  • Reverse image searching is totally viable. Which means, if you have an unsanitized picture on your flickr but use the same picture only sanitized on FetLife, someone can use the sanitized image itself to find the original.
  • Most image files contain space for so-called EXIF metadata, which your phone can use to helpfully include GPS coordinates and other interesting information

File name : dsc_0790.jpg
File size : 4654488 bytes
File date : 2008:07:16 09:45:20
Camera make : NIKON CORPORATION
Camera model : NIKON D200
Date/Time : 2007:06:23 22:00:14
Resolution : 3880 x 2608
Exposure bias: 1.00
Whitebalance : Auto
Exposure : aperture priority (semi-auto)
GPS Latitude : 41.40338
GPS Longitude: 2.17403
DateCreated : 20070623
Time Created : 220014
Record vers. : 4

EXIF continued

Q: Ok so how do I remove it?

Here are some: Windows Options, Mac Options, and Linux Instructions.

Note: I have only tried the Linux methods
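If you would rather see what the "remove it" step actually does to the file, here is an added example (my own illustration, not a tool from the talk) that walks a JPEG's marker segments and drops the APP1 (Exif/XMP) and COM blocks, which is where the GPS tags above live. The sample JPEG is a constructed skeleton with a fake Exif payload, not a real photo, so the whole thing runs offline.

```python
import struct

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG with APP1 (Exif/XMP) and COM segments removed.

    Walks the segments between SOI and SOS; everything from SOS onward
    (the compressed image data) is copied through unchanged.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: scan data follows, nothing left to strip
            out += data[pos:]
            return bytes(out)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        segment = data[pos:pos + 2 + length]
        if marker not in (0xE1, 0xFE):  # keep all but APP1 (Exif/XMP) and COM
            out += segment
        pos += 2 + length
    return bytes(out)

def has_exif(data: bytes) -> bool:
    """True if the file carries an APP1 segment whose payload starts with 'Exif'."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if data[pos + 1] == 0xE1 and data[pos + 4:pos + 8] == b"Exif":
            return True
        pos += 2 + length
    return False

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker, big-endian length (incl. itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG skeleton with a fake Exif block carrying the
# coordinates from the dump above. It is not a decodable picture.
EXIF_PAYLOAD = b"Exif\x00\x00II*\x00\x08\x00\x00\x00GPS 41.40338 2.17403"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0, kept
    + _segment(0xE1, EXIF_PAYLOAD)                                      # APP1, stripped
    + _segment(0xFE, b"shot on my phone")                               # COM, stripped
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\x56" + b"\xff\xd9"                                     # scan data + EOI
)
```

Real photos also hide thumbnails and maker notes inside that same APP1 block, so dropping the whole segment (rather than zeroing individual GPS tags) is the safer habit.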

Problems

Q: What about my IP?

  • This is an example of an IP: 149.101.1.3
  • When someone knows your IP
    • They can determine which organization owns that IP (via whois)
    • If there is a host name associated with the IP (via reverse DNS)
    • What the approximate geographic location of the IP is (via GeoIP)
  • The legal system is starting to accept that an IP is not an identity
  • Which brings us to...

Virtual Private Networks!

  • Virtual Private Networks (VPNs) allow for two computers to have a private conversation via encryption
  • This may sound a lot like SSL (the s in https) and it is!
  • The difference is that with a VPN you send all your traffic through the connection

Problems

Q: This sounds great but are there downsides?

  • If your traffic is unencrypted going into the VPN, it'll be unencrypted going out of it which means the provider can snoop
  • The solution is to encrypt all your traffic (web, mail, etc)

But which VPN?

Find the latest recommendations from Torrent Freak

What about Tor?

  • Tor is a great technology
  • How it works is complicated. But the Reader's Digest version is this:
    • Your traffic enters a network at point A and it bounces around points B-K in a path you choose so that no part of B-K knows where you came from
    • Your traffic leaves at point R and even if you snoop at point R (or any other point) you can't get back to who connected at point A

Problems

There are a few problems

  • Some unsavory types use Tor
  • We know Tor users are actively targeted by governments
  • Did I also mention that Tor is an invention of the US Navy?

Home Wireless Routers

Let's talk about stopping people from snooping on you via your router

Basic Security Settings

Things that work:

  • Only use WPA2 with a pre-shared key
  • Disable WEP and WPS completely

Things that don't:

  • Using a "hidden" SSID
    • If clients are actively connected to the wireless network we can see the AP they are connected to
  • Filtering based on MAC address
    • If clients are actively connected to the AP, we can switch our MAC to theirs and de-auth them

Other good habits

  • Change the default admin password for the router's management interface
  • Check for firmware updates to the router
  • Realize that if the connection that feeds your router is only rated at X, having a wireless router capable of X*10 throughput will actually not speed up your internet experience.
    • It will allow you to share files/media between hosts on your home network quicker

What files? Maybe high quality videos of your.. unique desires

For example:

Can I use my friend's wireless?

Sure! But a few things to realize

  • Any time you give someone a key to your WiFi they can see all the traffic until you change it (if they are within range of the router's wireless signal)
  • Sending your traffic through a malicious router gives the router operator an incredible opportunity for villainy

Allow me to tell you about a WiFi network I used to run...

VPNs are a good way to mitigate this risk, get in the habit of using them away from home

What about phones?

Not surprisingly there's a lot to say

Common Questions

Q: Can someone other than law enforcement intercept my cell phone calls?

Yes, the gear to do this has gotten cheaper, but it is still an investment of a few thousand dollars

A safe assumption is: it can be done and will only become cheaper to do

Q: What is the most secure phone?

Well..

Level of Concern -> Potential Solution

  • I'm just concerned about malware -> Pick whatever phone works for you, keep it up to date, don't download a bunch of apps
  • I have a nosy spouse/partner/parent -> Buy a prepaid phone with cash that is 'lockable'
  • I saw The Wire and that looks cool -> Have someone else buy a prepaid phone and dispose of it weekly, leave it off when not in direct use
  • I want to join ISIS -> Good luck with that

Jail breaking?

Common Questions

Q: If my spouse/partner/parent has physical access to my phone..

Yes, many more things become possible such as

  • Retrieving "deleted" texts, emails, photos
  • Installing software to covertly send and copy all of the above
  • Installing software that tracks your location via GPS etc
  • Remotely turning on the phone's microphone/camera

Common Questions

Q: What about Skype and other alternatives?

  • Disclaimer: I only know a little bit about Skype
  • Intercepting Skype traffic of someone using the same network as you is easy
  • Extracting anything meaningful out of the data is very hard (though there is interesting research)
  • Verdict: Probably ok unless you are a priority intelligence target

Current Events

Ashley Madison

FetLife Hacked!

FetLife phonies!

Ashley Madison got screwed

  • Serious compromise, all user records / conversation / profiles / payment history stolen
  • The CTO decided to play chicken with the attackers and lost! Everything published
  • Bonus: Most of the accounts professing to be women were bots run by Ashley Madison!

But Alex, how would I have protected myself?

  • Disposable credit/debit card (buy this at your local grocery store)
  • An email account you only use for this purpose and isn't myinterest.mybirthday@gmail.com
  • Use a VPN, pick a city of residence NEAR your own when registering
  • Don't visit the site from your home or work networks

FetLife Hacked!!

Not really, someone just scraped a bunch of public account information and made a searchable relational database out of it

FetLife Phonies

While I was thinking about updating this class I had a spammy FetLife friend request

I figured I would take you through my brief "legitness" workflow

This account looks pretty new

Let's take a look at one of the profile pictures

Hmm, ok that's a neutral sign

Let's get a second opinion

Yup, that's definitely used for other spam stuff

What about the second profile picture?

That has made the rounds on tumblr

What else?

Only a few friends, none in common with me and only the default group? Yup, spam.


Miscellaneous

Various bits and bobs that I think are relevant to online privacy

Password Managers

  • Don't let your browsers save passwords on your behalf to autofill them for convenience
  • Don't subscribe to an online service which will "save all your passwords for you"
  • For a reasonable discussion of good password managers: see this paper
  • I use Password Safe

Full Disk Encryption

FDE encrypts the entire contents of a disk drive, so that if anyone steals it they will not be able to retrieve any of the data on it unless they have the password

E-Mail and file based encryption

I want to donate/dispose of an old computer

  • Simple solution: remove the hard drive before you donate it, they will always accept it
  • To completely wipe a drive use: DBAN
  • If you are really paranoid, wipe it then take a hammer to it

Someone leaked my personal info!

  • Usernames? Passwords? Change any and all
  • Real name, DOB, address? Alert your bank for fraud
  • SSN? Account numbers? Alert your bank and the police
  • Realize that once information is on the internet and has been seen by many, it is very difficult to get it off

I'll get a lawyer!

Do get a lawyer! There are situations they can help you resolve

They can also (hopefully) help you avoid looking like a giant idiot if you have no case

I caught the malware!

  • Most malware seeks to turn your computer into a commodity
  • Banking details, online accounts to things like Amazon or Steam..
  • Your sexy pictures and emails are typically not a commodity
  • If someone targets you specifically (which is uncommon) then worry about sexy picture leaks.

Questions?

This presentation has been made with Flowtime.js