Crypto, Anonymity, and Privacy

Simple Nomad DC214 10Nov2004

Page 1: Crypto, Anonymity, and Privacy

Crypto, Anonymity, and Privacy

Simple Nomad DC214 10Nov2004

Page 2: Crypto, Anonymity, and Privacy

Hello

Page 3: Crypto, Anonymity, and Privacy

Threat Models

• Kiddie vs Hacker vs Mafia vs TLA vs Nation State

• Known vs Unknown

• Targeted vs Random

Page 4: Crypto, Anonymity, and Privacy

Cryptography

• What to use

• Why you would use it

• When (and when not) to use it

Page 5: Crypto, Anonymity, and Privacy

Common Algorithms

• Symmetrical
– AES, DES, etc

• Public/Private Key
– RSA, PGP, etc

• Stream Cipher
– SSL, TLS

• A Note on Blocking

Page 6: Crypto, Anonymity, and Privacy

What To (Not) Use

• Good
– PGP (GnuPG)
– Ncrypt
– Outguess
– (MP3?)

• Bad
– Suite document passwords (MS Office, WP, etc)
– Proprietary encryption schemes
– Lame encryption schemes

Page 7: Crypto, Anonymity, and Privacy

Examples of Lame Encryption

• XOR
– By itself, lame
– Still used heavily in a lot of algorithms, but as a part of a larger and more complex algorithm

• Known Keying Material

• Algorithm Too Simple

Page 8: Crypto, Anonymity, and Privacy

Testing for XOR

• Demo

Page 9: Crypto, Anonymity, and Privacy

Cracking XOR

• Demo
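Slides 7 to 9 stop at a live demo. Here is a small version of that demo as an added example, not the speaker's code and not the xor-analyze tool linked at the end: it XOR-encrypts constructed English text under a short repeating key and recovers key length, key and plaintext from the ciphertext alone, which is the sense in which XOR on its own is lame. The scoring table, the key-length cap of 8 and the sample text are assumptions of this example.

```python
from itertools import cycle

# Letters ranked by English frequency, space first. A byte scores by rank
# weight (1.0 for space, down to about 0.04 for 'z'), half for uppercase,
# zero for other printable bytes and -1 for control bytes, which text lacks.
RANKED = b" etaoinshrdlcumwfgypbvkjxqz"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def score_byte(b: int) -> float:
    if b in RANKED:
        return (len(RANKED) - RANKED.index(b)) / len(RANKED)
    if 65 <= b <= 90:
        return score_byte(b + 32) / 2
    return 0.0 if 32 <= b < 127 else -1.0

def best_single_byte(column: bytes) -> tuple:
    """Try all 256 key bytes on one column, return (score, key byte)."""
    return max((sum(score_byte(c ^ k) for c in column), k) for k in range(256))

def crack_repeating_xor(ct: bytes, max_len: int = 8) -> tuple:
    """Periodicity test plus per-column solve: for each candidate key length,
    split the ciphertext into columns that share one key byte, solve each
    column on its own, and keep the length whose output looks most like text.
    Returns (per-byte score, key, plaintext)."""
    best = (float("-inf"), b"", b"")
    for n in range(1, max_len + 1):
        solved = [best_single_byte(ct[i::n]) for i in range(n)]
        per_byte = sum(s for s, _ in solved) / len(ct)
        if per_byte > best[0]:
            key = bytes(k for _, k in solved)
            best = (per_byte, key, xor_bytes(ct, key))
    return best

# Constructed sample: a few lowercase sentences and a 5-byte key.
SAMPLE_PLAINTEXT = (
    b"xor by itself is lame. it still shows up inside real ciphers as one "
    b"step of a larger design, but a short key repeated over a long message "
    b"leaves the key length and every key byte sitting in the statistics of "
    b"the ciphertext. known keying material, a secret string that is the same "
    b"in every file, is no better than no key at all."
)
SAMPLE_KEY = b"DC214"
SAMPLE_CT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```

The per-byte score doubles as the "testing for XOR" step: a blob that is not simple XOR of readable text yields no key length with a text-like score.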

Page 10: Crypto, Anonymity, and Privacy

Known Keying Material – Access 97

• Access 97 MDB files, starting at byte 66

• The “secret” string – 0x86fbec375d449cfac65e28e613

• Simple XOR to recover password

• http://www.nmrc.org/~thegnome/acc_rec.c

• Elcomsoft does current MS Office docs, and most other suite password schemes

Page 11: Crypto, Anonymity, and Privacy

How Brute Force (Should) Work

• Read in first block of encrypted file

• Try a password

• Use file-matching techniques to determine if password is valid

• Keep trying in case of multiple “matches”

• A skilled attacker will focus on the target’s interests first

Page 12: Crypto, Anonymity, and Privacy

File Encryption Tips

• Compress before encryption
– Tar up file with random data first

• Securely wipe the original
– Ncrypt, Wipe, etc

• Use very long and strong passphrases
– The more characters used, the greater the entropy

• Watch passphrase reuse in general
– If your /etc/shadow password is the passphrase, a system compromise could reveal your secret files
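Slides 11 and 12 together, as an added example that is not the speaker's code: the guess-validation step of the brute-force loop (decrypt one block, look for a file signature, keep collecting matches rather than stopping at the first) and the compress-then-random-prefix tip that denies that step a signature to match on. The toy counter-mode keystream, the salt, the word list and the payload are assumptions of this example, not any real tool's file format.

```python
import gzip
import hashlib

BLOCK = 32                      # bytes per keystream block
GZIP_MAGIC = b"\x1f\x8b"        # what a "file-matching" check looks for

def keystream_block(key: bytes, index: int) -> bytes:
    # Demo-only keystream (SHA-256 in counter mode); it stands in for a real
    # cipher so the example runs on the standard library alone.
    return hashlib.sha256(key + index.to_bytes(8, "big")).digest()

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def encrypt(password: str, salt: bytes, data: bytes) -> bytes:
    """XOR each block with its keystream block; calling it twice decrypts."""
    key = derive_key(password, salt)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, i // BLOCK)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def first_block(password: str, salt: bytes, ct: bytes) -> bytes:
    """The loop on slide 11 decrypts only the first block per guess."""
    ks = keystream_block(derive_key(password, salt), 0)
    return bytes(a ^ b for a, b in zip(ct[:BLOCK], ks))

def signature_matches(candidates, salt: bytes, ct: bytes) -> list:
    """Every candidate whose first block starts with the signature. The list
    keeps growing after a hit, because one match is not proof."""
    return [p for p in candidates
            if first_block(p, salt, ct).startswith(GZIP_MAGIC)]

# Constructed sample: a gzip'd payload (starts with 1f 8b), a fixed salt and
# a short word list that contains the real password on purpose.
SALT = b"constructed-salt"
CANDIDATES = ["password", "letmein", "hunter2", "dc214"]
PAYLOAD = gzip.compress(b"nothing to see here")
CT_BARE = encrypt("dc214", SALT, PAYLOAD)
# Slide 12's tip: lead with random data so the first block carries no
# signature. A fixed digest stands in for os.urandom(BLOCK) here only so
# that the example is repeatable.
RANDOM_PREFIX = hashlib.sha256(b"constructed prefix").digest()
CT_PREFIXED = encrypt("dc214", SALT, RANDOM_PREFIX + PAYLOAD)
```

Against CT_BARE the signature check singles out the right guess from one block; against CT_PREFIXED every guess looks equally wrong until the whole file is decrypted and inspected.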

Page 13: Crypto, Anonymity, and Privacy

Encryption of Streams

• SSL/TLS, SSH, VPN technologies

• Nothing is “solved” if the implementation is wrong, or the end points are insecure
– Bad passwords
– Vulnerable daemons wrapped in SSL (e.g. Metasploit is SSL-aware)

• Attackers have been known to “sniff” for encrypted traffic, then attack the endpoints

Page 14: Crypto, Anonymity, and Privacy

Protocol Issues

• Secure algorithms, yet insecure usage

• Proprietary algorithms and protocols

• Perfect example: Novell NetWare

Page 15: Crypto, Anonymity, and Privacy

Security Through Obscurity

• Don’t name your secret files really-krad-0day.tgz.encrypted

• Consider “bait” encryption files
– Old Linux kernel source code or porn, encrypted: not-public-0day.tgz.enc

• Consider such technologies as Rubberhose

Page 16: Crypto, Anonymity, and Privacy

Security Through Obscurity

• Don’t use EFS

• Don’t store your keys on a regular drive, especially on Windows

• Use alternate storage devices
– Pocket USB drives
– Digital cameras
– Cell phones

Page 17: Crypto, Anonymity, and Privacy

Miscellany

• Watch your subject line in encrypted email

• Covert channel usage
– Use it a lot or not at all
– Make sure your OS is as random as the covert channel

• Steganography
– Never send a file with a non-steg version available
– A picture in email will look suspicious if you never send or receive pictures
– Encrypt and compress first

Page 18: Crypto, Anonymity, and Privacy

Miscellany

• Encrypted mailing lists are good, hybrids can lead to mistakes

• When to have/not have a key-signing party

Page 19: Crypto, Anonymity, and Privacy

Anonymity

• Use a specific “nym”
– Give this nym its own PGP key, etc

• Use pseudo anonymous mail for this nym
– Hushmail, Gmail (not Hotmail)

• Use anonymizing proxies for checking mail and web browsing
– SwitchProxy for Firefox, Thunderbird, Mozilla (slow but worth the effort)

• Never use the nym except with the proxies

• Anonymous hacking is another story (and another presentation)

Page 20: Crypto, Anonymity, and Privacy

Example of Nym Usage

• Get a Gmail account

• Set up a Hotmail account from a free wireless connection using Firefox/SwitchProxy

• Send invite to Hotmail account

• Set up Gmail account from wireless w/SwitchProxy

• Repeat a couple of times

• Only use Gmail Nym with wireless and SwitchProxy

• Only cut and paste in encrypted text (avoids Gmail’s market scanner)

Page 21: Crypto, Anonymity, and Privacy

Privacy

• Online
– Use FPM or Password Safe to store passwords, and always generate safe passwords

• Bear in mind that password crackers will target the data files of these programs
– Backup the data files to a USB drive
– See previous two slides

Page 22: Crypto, Anonymity, and Privacy

Privacy

• How much is your privacy worth?

• Never fill out warranty cards or rebates

• Never use “shopping cards”

• Don’t pay for phone cards with a credit card, in fact use cash whenever possible

• Don’t use toll booth tags

Page 23: Crypto, Anonymity, and Privacy

Privacy

• Credit Cards
– Use the fewest credit cards possible, regardless of how many you have
– Consider a low-limit card for basic online purchases, with a daily limit cap
– Write “check photo ID” on the back
– Notify your bank when you are using a credit card out of town

• Checking
– Have the branch hold your checks
– Avoid direct deposit and automatic bill paying

Page 24: Crypto, Anonymity, and Privacy

Privacy

• Travel
– Use an alias (it can be done)
– Most good hotels support “Non-Registered Guest”

• U.S. Mail
– Never mail anything from home, go to the Post Office, and go to the slot inside, not the box outside, especially when sending money or paying bills
– Have the Post Office hold your mail when out of town, even for a day

Page 25: Crypto, Anonymity, and Privacy

Privacy

• Don’t use “real” personal identifiers
– Make up a “mother’s maiden name”

• Shred everything
– Use a cross-shredder
– Shred all envelopes and extraneous junk mail material, makes nice “whitening”
– Burn the shreddings, stir the ashes

• Keep shredder handy and shred daily
– Avoid a “shred pile”

Page 26: Crypto, Anonymity, and Privacy

Privacy Tips

• Don’t offer extra info

• Question the questioners
– Does the store clerk really need your phone number or zip code?

• Don’t conduct private matters on cellular or cordless phones

• Don’t leave confidential info in your car

• Assume all plaintext documents, email, etc is being read by co-workers, employers, The Man, etc, and act accordingly

Page 27: Crypto, Anonymity, and Privacy

Case Study in Paranoia #1 – Paranoid Guy Weasel and I Know

• Man dedicated to privacy

• Different names on all utilities

• Moves every few years, changes names on all utilities every six months

• No tattoos or identifying marks

• Uses cash for almost everything

• Average haircut, average clothes, does not stand out

Page 28: Crypto, Anonymity, and Privacy

Case Study in Paranoia #2 – Eric Raymond

• Does not own a credit card

• When travelling to speaking engagements, he manages to get all the way there and back without credit cards

Page 29: Crypto, Anonymity, and Privacy

Case Study in Paranoia #3 – Hacker in Vegas for BH/DC

• Stay at a decent hotel (which supports the following needs below)
– Large casino theme hotels on the strip, not the Comfort Inn

• Register as Non-Registered Guest
– Register under your handle to impress your friends

• Block incoming phones from everyone except hotel personnel
– Impress your friends when they try to call your room and the phone system says “that room is unoccupied”

• Switch room assignment before arrival as well as at the check-in desk

• Note screwplate positions, and consider opening and examining all electronic devices

• When reporting a security incident, only involve hotel security staff, not law enforcement

• Only use credit-card style in-room safes, and don’t use a credit card (assume hidden camera)

Page 30: Crypto, Anonymity, and Privacy

• Fin

• Links

– ftp://ftp.habets.pp.se/pub/synscan/xor-analyze-0.5.tar.gz

– http://ncrypt.sourceforge.net/

– http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_NovellMITM.cfm

– http://jgillick.nettripper.com/switchproxy/

– http://www.steganos.com/?area=updateproxylist

• Questions?

• Simple Nomad [[email protected]]