1	Crypto, Anonymity, and Privacy Simple Nomad DC214 10Nov2004
2	Hello
3	Threat Models Kiddie vs Hacker vs Mafia vs TLA vs Nation State Known vs Unknown Targeted vs Random
4	Cryptography What to use Why you would use it When (and when not) to use it
5	Common Algorithms Symmetrical AES, DES, etc Public/Private Key RSA, PGP, etc Stream Cipher SSL, TLS A Note on Blocking
6	What To (Not) Use Good PGP (GnuPG) Ncrypt Outguess (MP3?) Bad Suite document passwords (MS Office, WP, etc) Proprietary encryption schemes Lame encryption schemes
7	Examples of Lame Encryption XOR By itself, lame Still used heavily in a lot of algorithms, but as a part of a larger and more complex algorithm Known Keying Material Algorithm Too Simple
8	Testing for XOR Demo
9	Cracking XOR Demo
10	Known Keying Material – Access 97 Access 97 MDB files, starting at byte 66 The “secret” string – 0x86fbec375d449cfac65e28e613 Simple XOR to recover password http://www.nmrc.org/~thegnome/acc_rec.c Elcomsoft does current MS Office docs, and most other suite password schemes
11	How Brute Force (Should) Work Read in first block of encrypted file Try a password Use file-matching techniques to determine if password is valid Keep trying in case of multiple “matches” A skilled attacker will focus on the target’s interests first
12	File Encryption Tips Compress before encryption Tar up file with random data first Securely wipe the original Ncrypt, Wipe, etc Use very long and strong passphrases The more characters used, the greater the entropy Watch passphrase reuse in general If your /etc/shadow password is the passphrase, a system compromise could reveal your secret files
13	Encryption of Streams SSL/TLS, SSH, VPN technologies Nothing is “solved” if the implementation is wrong, or the end points are insecure Bad passwords Vulnerable daemons wrapped in SSL (e.g. Metasploit is SSL-aware) Attackers have been known to “sniff” for encrypted traffic, then attack the endpoints
14	Protocol Issues Secure algorithms, yet insecure usage Proprietary algorithms and protocols Perfect example: Novell NetWare
15	Security Through Obscurity Don’t name your secret files really-krad-0day.tgz.encrypted Consider “bait” encryption files Old Linux kernel source code or porn, encrypted: not-public-0day.tgz.enc Consider such technologies as Rubberhose
16	Security Through Obscurity Don’t use EFS Don’t store your keys on a regular drive, especially on Windows Use alternate storage devices Pocket USB drives Digital cameras Cell phones
17	Miscellany Watch your subject line in encrypted email Covert channel usage Use it a lot or not at all Make sure your OS is as random as the covert channel Steganography Never send a file with a non-steg version available A picture in email will look suspicious if you never send or receive pictures Encrypt and compress first
18	Miscellany Encrypted mailing lists are good, hybrids can lead to mistakes When to have/not have a key-signing party
19	Anonymity Use a specific “nym” Give this nym its own PGP key, etc Use pseudo anonymous mail for this nym Hushmail, Gmail (not Hotmail) Use anonymizing proxies for checking mail and web browsing SwitchProxy for Firefox, Thunderbird, Mozilla (slow but worth the effort) Never use the nym except with the proxies Anonymous hacking is another story (and another presentation)
20	Example of Nym Usage Get a Gmail account Set up a Hotmail account from a free wireless connection using Firefox/SwitchProxy Send invite to Hotmail account Set up Gmail account from wireless w/SwitchProxy Repeat a couple of times Only use Gmail Nym with wireless and SwitchProxy Only cut and paste in encrypted text (avoids Gmail’s market scanner)
21	Privacy Online Use FPM or Password Safe to store passwords, and always generate safe passwords Bear in mind that password crackers will target the data files of these programs Backup the data files to a USB drive See previous two slides
22	Privacy How much is your privacy worth? Never fill out warranty cards or rebates Never use “shopping cards” Don’t pay for phone cards with a credit card, in fact use cash whenever possible Don’t use toll booth tags
23	Privacy Credit Cards Use the fewest credit cards possible, regardless of how many you have Consider a low-limit card for basic online purchases, with a daily limit cap Write “check photo ID” on the back Notify your bank when you are using a credit card out of town Checking Have the branch hold your checks Avoid direct deposit and automatic bill paying
24	Privacy Travel Use an alias (it can be done) Most good hotels support “Non-Registered Guest” U.S. Mail Never mail anything from home, go to the Post Office, and go to the slot inside, not the box outside, especially when sending money or paying bills Have the Post Office hold your mail when out of town, even for a day
25	Privacy Don’t use “real” personal identifiers Make up a “mother’s maiden name” Shred everything Use a cross-shredder Shred all envelopes and extraneous junk mail material, makes nice “whitening” Burn the shreddings, stir the ashes Keep shredder handy and shred daily Avoid a “shred pile”
26	Privacy Tips Don’t offer extra info Question the questioners Does the store clerk really need your phone number or zip code? Don’t conduct private matters on cellular or cordless phones Don’t leave confidential info in your car Assume all plaintext documents, email, etc is being read by co-workers, employers, The Man, etc, and act accordingly
27	Case Study in Paranoia #1 – Paranoid Guy Weasel and I Know Man dedicated to privacy Different names on all utilities Moves every few years, changes names on all utilities every six months No tattoos or identifying marks Uses cash for almost everything Average haircut, average clothes, does not stand out
28	Case Study in Paranoia #2 – Eric Raymond Does not own a credit card When travelling to speaking engagements, he manages to get all the way there are back without credit cards
29	Case Study in Paranoia #3 – Hacker in Vegas for BH/DC Stay at a decent hotel (which supports the following needs below) Large casino theme hotels on the strip, not the Comfort Inn Register as Non-Registered Guest Register under your handle to impress your friends Block incoming phones from everyone except hotel personnel Impress your friends when they try to call your room and the phone system says “that room is unoccupied” Switch room assignment before arrival as well as at the check-in desk Note screwplate positions, and consider opening and examining all electronic devices When reporting a security incident, only involve hotel security staff, not law enforcement Only use credit-card style in-room safes, and don’t use a credit card (assume hidden camera)
30	Fin Links ftp://ftp.habets.pp.se/pub/synscan/xor-analyze-0.5.tar.gz http://ncrypt.sourceforge.net/ http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_NovellMITM.cfm http://jgillick.nettripper.com/switchproxy/ http://www.steganos.com/?area=updateproxylist Questions? Simple Nomad [[email protected]]