
Upload: jan-seidl

Post on 16-Apr-2017


NSA-proof communications

(mostly)

Jan Seidl

$ whoami

Full Name: Jan Seidl
Origin: Rio de Janeiro, RJ Brazil

Work: CTO @ TI Safe

OpenSource contributor for: PEV, Logstash

Codes and snippets @ github.com/jseidl

Features: UNIX Evangelist/Addict/Freak (but no fanboy!)

Digital tools blacksmith / Python and C lover

Guitarist @ UmInE

Coffee dependent

Hates printers and social networks

Proud DC Labs Researcher

NSA-Proof Communications. SEIDL, Jan
FISL 2014 Porto Alegre, Brasil

$ agenda

0x0 Quick summary on privacy
0x1 Who, why and how can you be spied on
0x2 Cryptography primer
0x3 Insecure communications
0x4 False sense of security
0x5 E-Mail never meant to be secure
0x6 Secure communications (mostly)
0x7 Creating a mostly secure communication infrastructure
0x8 The remaining points of failure
0x9 Closing up
0xA Questions?


Quick summary on privacy

https://xkcd.com/1269/


Why does privacy matter?

- You do not hold only info about yourself
- You may hold key information about other people's lives
- Less information about your target = harder to engage
- OPSEC

http://en.wikipedia.org/wiki/Operations_security


Are we more public than before?

Most people know about physical-world threats.
Most people don't know about digital threats.

And it's not their fault (mostly)


Q: Do you stop a random stranger on the street and tell him:
- Your past locations (incl. home, work, school, shops, parties)
- Your parents' & kids' names, locations, ages and pictures
- Your favorite interests (movies, books, sports etc.)
- Confirmation that you'll be at a given event


Q: Would you easily engage in conversation with someone who shared interests or experiences such as:
- Having been at your past locations (incl. home, work, school, shops, parties)
- Having parents & kids with the same names, ages and locations
- Sharing your favorite interests (movies, books, sports etc.)
- Going to that given event


Q: Do you think agencies, criminals and spies can easily and sufficiently profile you using publicly available information?

Yes, there's also a cool term for it: OSINT

http://en.wikipedia.org/wiki/Open-source_intelligence


PLEASE STOP sharing everything on the INTERNET!


Sharing is definitely not caring.
There's a huge chance you're an oversharer.
Yes. There is. Stop your internal dialog.


The Internet is FINO: First-In-Never-Out.
Even with court orders. There's always a copy somewhere.

Eg: Google Caches, The Internet Archive, someone's hard disk

The Internet never forgets!!1!


Who/why/how can you be spied on?


Who would spy on me?

- Commercial competitors
- Haters (are you from a race/religion someone doesn't like?)
- Agencies
- Data miners
- Marketing research
- Criminals / psychos


Why would someone spy on me? I have no valuable data!

YES YOU DO!
- You might have key intelligence files / information about your company
- You might not know the value of them


Why would someone spy on me? I have no valuable data!

SOMETIMES IT'S NOT ABOUT YOU!
- You may know / be communicating with someone worth spying on
- Your identity can be stolen to gain leverage on a target


How would someone (digitally) spy on me?

- Local machine compromise
- Communications interception (local LAN, ISP, remote LAN)
- Remote server compromise


Where can your data be stolen


[Figure: diagram of the communication path, with each point where data can be stolen marked "Here"]


Do you still feel safe?

Relax, me neither.


Cryptography primer


What the heck is encryption?

Long story short: it makes plaintext unreadable unless the key is provided.

No! Perl is not ciphertext (I think...)


Sample dumbest example ever: f(text, key) = text ^ (key/3)


What does it provide?

Two out of three of the CIA triad (no, not the agency!): Confidentiality & Integrity.
Also: Identification, Authentication & Non-repudiation.



Asymmetric vs Symmetric

Asymmetric:
- Key-pair: different keys for encryption / decryption
- The private key MUST be kept private; the public key can be public
- Slower
- Easier to maintain

Symmetric:
- Single key: the same key for both
- Faster
- Harder to maintain


How HTTPS works

[Figure: HTTPS handshake diagram, showing an asymmetric phase followed by a symmetric phase]


Is cryptography gonna make me safe?

Well... that depends...


It's supposed to... but then...

http://heartbleed.com/

https://www.imperialviolet.org/2014/02/22/applebug.html


FACT: People make mistakes. People make code. Code gets bugs.


Legal issues

Encryption is not allowed everywhere.
It might be seen as a sign of illegal activity! So be advised!

http://en.wikipedia.org/wiki/Cryptography_law

http://bit.ly/RbsYgo


Insecure communications

http://xkcd.com/257/


Which services are insecure?

[Figure: logos of four popular online services]


Whaa? But don't they use HTTPS?

- HTTPS protects you from traffic eavesdropping
- Traffic gets deciphered at the company's server before going to its destination
- Agencies may request your data to be forwarded to them (court orders)
- Agencies may request the company's private keys for interception (same as above)

Booya!


Should I break up with them?

You could. But you don't really need to.
Just don't say anything there that you wouldn't say to a random stranger.
If you need to exchange sensitive information, escalate to a secure medium.


What about DNS servers?

Responsible for connecting us to the host we want.
Can be perverted to use the host THEY want.


It is not that hard at all.
DNS is a plaintext protocol.

ewww...


The case of the famous Brazilian ISP

[Screenshot: DNS lookup of Google's servers from a foreign (USA) connection (ping + dig using Google's DNS server)]

[Screenshot: DNS lookup of Google's servers from the ISP connection (ping + dig using Google's DNS server)]


Keep that motto in mind

Don't think someone may be watching. KNOW that someone IS watching!


False sense of security


HTTPs is not gonna save you

Don't feel safe only because of that padlock icon.
Certificates/keys may be stolen/taken over.
Didn't I say that already?


Private key custody = ability to read the plaintext!

ssldump is an SSL/TLS network protocol analyzer. (...) If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

http://www.rtfm.com/ssldump/Ssldump.html


Server Name Indication (SNI) is an extension to the TLS protocol that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.

http://en.wikipedia.org/wiki/Server_Name_Indication


Always keep in mind the Evil Server


- Server/network owners and admins might intercept your data
- Criminals may have a foothold on the target server
- Generally data flows unencrypted on internal infrastructure
- Data can be found unencrypted in memory and session files


User-land libraries may dump your SSL

(...) attempts to MITM these communications at the network level have been fruitless. To get at this sensitive data we will intercept calls to SSL_write, the function responsible for encrypting then sending data over a socket. Intercepting SSL_write will allow us to log the string sent to the function and pass the original parameters along, effectively bypassing the encryption protections while allowing the application to run normally.

https://www.netspi.com/DesktopModules/SunBlog/Handlers/Print.aspx?id=191


Man-in-the-App Proof-of-Concept Credential Sniffer

https://github.com/jseidl/mita

(...) will detect and log any credential communication over cookies and GET/POST requests and exfiltrate it somewhere.

(...) monitors data from inside the application context/environment, thus it can't be defeated by the use of SSL.


E-mail never meant to be secure

Truth is, email is oooooold

- First concept ~1962 (AUTODIN)
- From host-based, to LAN-based, to ARPANET-based, to INTERNET-based
- In IT, old pans don't make good food.


Second, email is also plaintext


You're starting to hate this word, aren't you?


But hey, I've heard of this PGP thingy...


It has that encryption thing you were talking about...

Yeap! And can also be used to verify the identity of the sender!


And there's also a GNU version!


Isn't that beautiful?


Fact is: PGP is quite complicated

Did I mention the lack of mail client support?


Fact is: PGP doesn't protect metadata

- Servers involved
- People's names and e-mail addresses
- Lots of other information


Fact is: E-mail can't be fixed


(in my opinion)

- Encryption breaks search.
- Indexing hurts security.
- Decrypt all your messages to search? Good luck with that.
- If perfect-forward secret, messages will be lost over time.
- Key handling would be a nightmare.

Secure communications


As Jack the Ripper would say, let's go by parts



Now that you know you can't trust the parties


- There's no way you want your data in plaintext over the circuit
- The service machine may be evil and under 3rd-party control
- Your own network may be compromised
- You definitely can't trust no ISP
- You better not trust no one ;)


Make sure your workstation is secure


https://tails.boum.org/

Prefer live-cd operating systems


Roll your own local DNS server


Configure it properly!
- Completely block outside access
- Listen on loopback only
- Etc...


Embrace the darkness


Darknets are the new black

http://en.wikipedia.org/wiki/Darknet_(file_sharing)

A darknet is a private network where connections are made only between trusted peers (...) Darknets are distinct from other distributed peer-to-peer networks as sharing is anonymous (...) and therefore users can communicate with little fear of governmental or corporate interference.


Popular darknets

https://www.torproject.org/

http://geti2p.net/en/

https://freenetproject.org/


Perfect-forward secrecy


"(...) allows today's information to be kept secret even if the private key is compromised in the future." Vincent Bernat, PhD


Without forward-secrecy (TLS-AES128-SHA)

http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html


With forward-secrecy (Ephemeral Diffie-Hellman)

http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Because the Diffie-Hellman exchange described above always uses new random values a and b, it is called Ephemeral Diffie-Hellman (EDH or DHE). Cipher suites like DHE-RSA-AES128-SHA use this protocol to achieve perfect forward secrecy

Optional forward secrecy: ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA
Forward secrecy only: ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA
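As an added example (not code from the talk or from the quoted blog), a small Python classifier that sorts OpenSSL cipher-suite names such as the two lists above by their key-exchange method, so you can tell which suites still leave recorded traffic readable to whoever later obtains the server's private key (the "private key custody = plaintext" point from the ssldump slide). The function names are my own; the optional cross-check uses the standard ssl module against whatever OpenSSL Python is linked with.

```python
"""Sort OpenSSL cipher-suite names by whether their key exchange gives
forward secrecy.  Added example, not code from the talk; the two cipher
lists below are the ones quoted on the slide."""
import ssl

# Key-exchange tokens OpenSSL puts at the front of a suite name.  Ephemeral
# (EC)DH derives a fresh secret per connection, so a later compromise of the
# server's long-term key does not unlock traffic that was captured earlier.
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH"}
# Static key exchange: the long-term (or pre-shared) key protects the session
# secret, so whoever obtains that key can decrypt every captured session.
STATIC_KEX = {"ECDH", "DH", "PSK"}
# Anonymous ephemeral DH: forward secret but unauthenticated, so an active
# man-in-the-middle is never detected; we treat it as unacceptable too.
ANON_KEX = {"ADH", "AECDH"}

OPTIONAL_FS = "ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA"
FS_ONLY = "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA"


def key_exchange(suite: str) -> str:
    """Return the key-exchange method encoded in an OpenSSL suite name.
    Suites that name none (AES128-SHA, RC4-SHA, ...) use RSA key transport:
    the client encrypts the premaster secret to the server's RSA key, which
    is exactly what a seized private key lets an eavesdropper undo."""
    if suite.startswith("TLS_"):
        return "ECDHE"  # TLS 1.3 names: key exchange is always ephemeral (EC)DH
    head = suite.split("-", 1)[0]
    if head in EPHEMERAL_KEX | STATIC_KEX | ANON_KEX:
        return head
    return "RSA"


def is_forward_secret(suite: str) -> bool:
    return key_exchange(suite) in EPHEMERAL_KEX


def split_policy(cipher_list: str):
    """Split a colon-separated OpenSSL cipher string into the suites that
    give (authenticated) forward secrecy and those that do not."""
    good, bad = [], []
    for suite in cipher_list.split(":"):
        (good if is_forward_secret(suite) else bad).append(suite)
    return good, bad


def forward_secret_only(cipher_list: str) -> str:
    """Drop every suite that would let a seized private key decrypt recorded
    traffic; the result is what you would hand to SSLCipherSuite / ssl_ciphers."""
    good, _ = split_policy(cipher_list)
    return ":".join(good)


def local_openssl_view(cipher_list: str):
    """Cross-check against the OpenSSL linked into Python: the 'kea' field of
    SSLContext.get_ciphers() is OpenSSL's own key-exchange label.  Returns
    None when the local build accepts none of the suites (old ones such as
    RC4-SHA are usually compiled out nowadays)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return None
    wanted = set(cipher_list.split(":"))
    return {c["name"]: c["kea"] for c in ctx.get_ciphers() if c["name"] in wanted}


if __name__ == "__main__":
    for label, policy in (("optional FS", OPTIONAL_FS), ("FS only", FS_ONLY)):
        good, bad = split_policy(policy)
        print(f"{label}: forward secret {good}; not forward secret {bad}")
    print("local OpenSSL says:", local_openssl_view(OPTIONAL_FS))
```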


With forward-secrecy (TextSecure's OTR ratchet)

https://whispersystems.org/blog/advanced-ratcheting/


Apache & NGINX

http://bit.ly/1hmsysR

Configuring Apache, Nginx, and OpenSSL for Forward Secrecy


Gtalk, Hangouts, Facebook Chat and any XMPP-based I.M.

https://securityinabox.org/en/pidgin_main

Pidgin with OTR - Secure Instant Messaging

http://phrozenblog.com/?p=615

Encrypt your GTalk / Hangout / Facebook chat


Mobile messaging

https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms

TextSecure Private Messenger (Android only)

https://telegram.org/

Telegram (Android & iOS)


Voice calls

http://en.wikipedia.org/wiki/ZRTP

VoIP with ZRTP


Mobile ZRTP

https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone

RedPhone (Android only)


Platform S/ZRTP

https://jitsi.org/Main/HomePage


http://bit.ly/1jvlbo7

How To Encrypt Chat And VoIP With Jitsi and XMPP

Secure communication infrastructure


Encryption makes things slower

More load to process, more time to process


First, choose your preferred Linux flavor


or BSD if you want :)


Let's start with some good full-disk encryption


- Most distros' installers offer this option nowadays
- It's not hard to implement if you are already a sysadmin

https://library.linode.com/security/full-disk-encryption


Then harden that system, baby!


- Fix your perms (least privilege principle)
- Set up your services' config properly
- Uninstall bloatware + apply security updates
- Use a host firewall (at least)
- Disable kernel module loading *
- Install PaX / grsecurity patches *

* Not for the faint of heart

http://grsecurity.net/


SSL EVERYWHERE


- In every communication between services, SSL must be enforced
- Do certificate pinning

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning


LDAP for identity management & authentication


Most software has support for LDAP as backend


Pretty default mail stack


Postfix + Dovecot + dspam + postgrey + LDAP auth. backend


We add auto PGP encryption to it


Heyyyy, but you said PGP sucks!
I never said that! It's still better than plaintext!

https://github.com/mikecardwell/gpgit
https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve


PGP supported software


- Thunderbird works well with the Enigmail plugin
- K9 Mail (Android) only handles low-quality PGP keys (due to an APG limitation)
- Other mail clients may support PGP too

https://addons.mozilla.org/en-US/thunderbird/addon/enigmail/


XMPP for chat


Will use SSL for connection but clients need to do OTR on their side


ejabberd + punjab BOSH proxy + LDAP auth. Backend + MySQL roster backend

https://github.com/twonds/punjab
http://www.ejabberd.im/


- Win / Mac OS X / Linux: Pidgin
- Android: Xabber
- iOS / Android: ChatSecure

https://pidgin.im/
http://www.xabber.org/
http://chrisballinger.info/apps/chatsecure/


https://jitsi.org/Main/HomePage


- Browsers are vulnerable to many attacks
- Open-source web-mail software code still needs maturity
- Crypto-in-the-browser is a little creepy


Roundcube + rc_openpgpjs + LDAP auth. backend
converse.js for embedded chat

http://roundcube.net/
https://github.com/qnrq/rc_openpgpjs
https://github.com/jcbrand/converse.js/
https://github.com/priyadi/roundcube-converse.js-xmpp-plugin

The final product

[Figure: architecture diagram of the final secure communication infrastructure]

The remaining points of failure


Metadata is gold and is always leaking out


Metadata is "data about data".

http://en.wikipedia.org/wiki/Metadata


- Metadata carries lots of Personally Identifiable Information (PII)
- Can be very helpful in correlating people and events
- Leaks everywhere: DNS, Web, Email, Documents, Images, Photos from cameras and cellphones etc.


Even the ones meant to secure us.
Just like OpenSSL's Heartbleed and Apple's goto fail.


http://bit.ly/18DOX71


http://cnet.co/1rVzAL0


http://bit.ly/1hO99Uo


Agencies can be very persuasive



So I'll never be completely safe?

Closing up


Well, so I don't need to do security at all



We know security is not easy

Security = Usability^-1


Sometimes it can be a pain



But you gotta take care out there!


That's all folks!

http://wroot.org

@jseidl

[email protected]

https://github.com/jseidl/

http://www.slideshare.net/jseidl