Defcon Crypto Village - OPSEC Concerns in Using Crypto
Transcript of Defcon Crypto Village - OPSEC Concerns in Using Crypto
OPSEC CONCERNS IN USING CRYPTOGRAPHY
OR: HOW YOUR BAD TECH DECISIONS HELP ME PUT YOU IN JAIL
JOHN BAMBENEK
CRYPTO & PRIVACY VILLAGE, DEFCON 24
BIO
• Manager, Threat Systems @ Fidelis Cybersecurity
• Lecturer in CS @ University of Illinois Urbana-Champaign
• Run several takedown oriented groups on malware threats
• Crafter of Artisanal Molotov Cocktails
DEMO
• Who here has a cell phone?
TL;DR - PATTERNS AND NORMALCY
• Surveillance does not scale for large datasets:
• People, malware, packets on the internet, etc.
• There have to be multiple layers of filtering and scoring to determine the priority of tasking resources.
• Some targets are specifically and explicitly tasked; everything else is subject to some level of pattern matching and prioritization.
REMINDER
• You are not a normal.
• This is a normal:
WHAT IS OPSEC?
• Operational security: keep what you don’t want known unknown.
• Part is keeping secrets.
• Another (more important) part is not looking like you have secrets worth having.
• Basic security matters (we’re still not using passphrase-less keys, are we?)
• Compartmentalization: everyone has compartments.
• Signaling vs. Communication
RISK ASSESSMENT?
• Who are we hiding from? What are their interests and capabilities? What is “sufficiency”?
• Intelligence services, law enforcement, and their friends (like me)
• Criminals or other malicious actors
• Comcast
DON’T THINK YOU ARE A TARGET?
• How many people here have admin/root on infrastructure they don’t own?
• Our government has already said that those are exactly the kind of people they are targeting (even before those of you who have 0-days, etc.).
• You don’t think the US is the only one who does this, do you?
WHY OPSEC CONCERNS WITH CRYPTO?
• Thought process started while tracking mobile malware: Android apps need to be signed.
• As an investigator and intel analyst, I LOVE free-form text fields. (more later)
• As technologists, crypto is hard and many of us still don’t understand its limitations.
• “Encrypt all the things” may not be the best option in certain circumstances.
WHY OPSEC CONCERNS WITH CRYPTO?
• Two parts of OPSEC:
• Want to hide the secrets
• Want to hide the fact you have secrets
• Crypto is great at the first one.
• Crypto often loudly yells that you are the second guy.
• Note: Everyone I’ve helped put in jail is there because they screwed up their OPSEC.
WHAT’S WRONG WITH THIS?
OPSEC PROBLEM #1 WITH ENCRYPTION
• Not everything is encrypted.
• Above example: the DNS request, which is “good enough” to know what you’re doing.
• Even in a “perfect” crypto world, the session metadata isn’t encrypted.
• Source, Destination, Time, Inferences of size of communication…
• If I know who you are calling/texting, sometimes that’s enough to make inferences.
• The HEIST attack at RSA, while overhyped, is an example.
CAREER DECISIONS
From: Kevin Mandia [email protected]
To: John Bambenek [email protected]
Subject: Job Offer for VP role

-----BEGIN PGP MESSAGE-----
Version: GnuPG
[armored ciphertext omitted]
-----END PGP MESSAGE-----
AND THERE’S MORE
$ gpg -vvvv text.gpg
gpg: using character set `utf-8'
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v2
:pubkey enc packet: version 3, algo 1, keyid F4402E054FD02AA1
    data: [2046 bits]
gpg: public key is 4FD02AA1
:encrypted data packet:
    length: 400
    mdc_method: 2
gpg: encrypted with RSA key, ID 4FD02AA1
gpg: decryption failed: secret key not available
IF YOU HAVE THE KEY, YOU GET MORE
:secret key packet:
    version 4, algo 1, created 1442844965, expires 0
    skey[0]: [4096 bits]
    skey[1]: [17 bits]
    iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 1edfd8aa175bb427
    protect count: 65536 (96)
    protect IV: 8a d6 c0 76 0e c4 86 5c
    encrypted stuff follows
    keyid: 0F3B1D99BBB8C31E
:user ID packet: "John Bambenek <[email protected]>"
Anonymity with PGP is hard. See Tom Ritter’s Deanonymizing Alt.Anonymous.Messages talk: https://ritter.vg/p/AAM-defcon13.pdf
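As an added example (not from the talk), here is a minimal parser for the packet framing gpg dumped above: given only the ciphertext, it recovers the recipient key ID and public-key algorithm, no private key required. The message is constructed inline; the key ID is the one from the slide's gpg output, the remaining bytes are dummies.

```python
import struct

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1); gpg prints these as "algo N".
PK_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 3: "RSA sign-only", 16: "Elgamal",
            17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed sample: one PKESK packet (tag 1) followed by one SEIPD packet (tag 18).
# The key ID is from the slide's gpg output; MPI and ciphertext are dummy bytes.
SAMPLE_MSG = bytes.fromhex(
    "840e"               # old-format header: tag 1, one-octet length = 14
    "03"                 # PKESK version 3
    "f4402e054fd02aa1"   # recipient key ID (long form)
    "01"                 # public-key algorithm 1 = RSA
    "0010abcd"           # MPI: 16-bit dummy encrypted session key
    "d203"               # new-format header: tag 18, one-octet length = 3
    "01aabb"             # SEIPD version 1 + dummy ciphertext
)

def _header(buf, pos):
    """Parse one packet header (RFC 4880 section 4.2); return (tag, body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, l1 = first & 0x3F, buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    size = 1 << ltype                                  # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def list_packets(msg):
    """Walk the packets; for every PKESK report the recipient key ID and algorithm."""
    pos, packets = 0, []
    while pos < len(msg):
        tag, start, length = _header(msg, pos)
        body = msg[start:start + length]
        info = {"tag": tag, "length": length}
        if tag == 1:                                   # public-key encrypted session key
            info["version"] = body[0]
            info["keyid"] = body[1:9].hex().upper()          # gpg's "keyid"
            info["short_keyid"] = body[5:9].hex().upper()    # gpg's "public key is"
            info["algo"] = PK_ALGOS.get(body[9], f"unknown({body[9]})")
        packets.append(info)
        pos = start + length
    return packets
```

Feed it a real `.gpg` file (after de-armoring) and every recipient key ID in the message comes out, which is exactly the metadata a keyserver lookup then turns into a name.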
KEYSERVERS
• With a Key ID, you can cross-search keyservers to find the identity.
• Old keys never die.
• Many people have multiple emails tied to the same key (not usually a good idea).
• People reuse the same SSH keys for authentication across environments.
• Silk Road – Dread Pirate Roberts compartmentalization screw-ups should be required reading.
BOTTOM LINE
• The argument for shutting down “safe spaces” for terrorists to communicate is stupid. Never drive a known into an unknown without some return.
• Lots of useful data still available in metadata.
• Required reading: @thegrugq
• https://medium.com/@thegrugq/intelligence-services-are-scary-af-40f7646ea117#.o6hszwm7g
OPSEC PROBLEM #2 WITH CRYPTO
• SSL/TLS certificates and signing certs create all sorts of new metadata
• Geolocation, Identity, Serial Number, Creation/Expiration Dates
• CAs have one job: to verify the identity of the owner of the certs they sign
• Have I said I love free-form text fields?
YOU HAVE ONE JOB
# ./letsencrypt-auto certonly --standalone -d gmail.com
An unexpected error occurred:
Policy forbids issuing for name

# ./letsencrypt-auto certonly --standalone -d fireeye.com
Installation succeeded.

# ./letsencrypt-auto certonly --standalone -d illinois.gov
Installation succeeded.
IT GETS WORSE
• What happens when someone gets a wildcard certificate?
• What about when a security company gets their own CA certificate?
MORE CERTIFICATE FUN
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fa:21:6b:2c:8e:6c:35:f6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/[email protected]
        Validity
            Not Before: Jan  6 16:33:13 2015 GMT
            Not After : May 23 16:33:13 2042 GMT
        Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/[email protected]
MORE CERTIFICATE FUN
• The malware builder always used the above cert when it re-signed the trojanized app.
• Now it’s trivial to find the “many” apps in the Google Play store with that malware.
• Basic statistical analysis, hunting for geographic oddities, etc. makes hunting mobile malware easy.
HOW TO FAIL AT TLS
    Data:
        Version: 3 (0x2)
        Serial Number: 522427837 (0x1f239dbd)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, O=assylias.Inc, CN=assylias
        Validity
            Not Before: Jan 17 05:26:19 2015 GMT
            Not After : Dec 24 05:26:19 2114 GMT
        Subject: C=FR, O=assylias.Inc, CN=assylias
HOW TO FAIL AT TLS
ONE LAST POINT
• SSL/TLS certification information is searchable with Shodan and a few other tools specifically for archiving observed SSL/TLS certs.
• If you re-use certs, it makes it easy to correlate your activities and break your compartmentalization.
OPSEC PROBLEM #3 WITH ENCRYPTION
• Encryption (to some) is inherently suspicious.
• What is actually suspicious is abnormal behavior.
• All profiling (and surveillance) is based on this concept because it is impossible to monitor everyone completely. Target selection is important.
EXAMPLE #1
EXAMPLE #2
VPNS
• I may not know what you’re saying, but I know when you’re saying it.
• All the “privacy” VPN services are known and their IP space is profiled.
• You could set up your own VPN, but you immediately lose the privacy that using a common service provides.
• And don’t think all those bitcoin services will help you either. Bitcoin is anonymous but it is NOT private.
MAKING ENCRYPTION MAINSTREAM
• We’re already doing it with Let’s Encrypt and other aspects of PRISM fallout.
• Google now sends email over TLS (**if the other side supports it**)
• Tor is not “normal”
• VPNs to non-corporate endpoints are not “normal”
• Encrypted email is not “normal”, nor is WhatsApp, Signal, et al… yet.
• But they can be. We may not look like a sheep, but maybe we can make the sheep look like us.
SOMETIMES ENCRYPTION IS NOT WORTH IT
• When traveling in “less friendly” locations, it may be better not to draw attention. Border checkpoints are not your friends.
• Tor may hide what you are looking at, but it stands out on a network.
• Many criminal and intelligence professionals use electronic means for signaling and then have a conversation in a preferred secure location.
SOMETIMES ENCRYPTION IS NOT WORTH IT
• How many people here have secure wifi at home?
• Note, digital forensics is good at figuring out the bits. It can be hard to figure out what’s going on in actual meat space.
• Sometimes ambiguity is your friend.
OPSEC PROBLEM #4 WITH ENCRYPTION
• Encryption doesn’t protect you against stupid mistakes, including by others.
• It’s the stupid stuff that gets you.
• Password re-use, even when hashed and salted can taint compartmentalization.
• Passphrase-less keys publicly available on the web
STUPID MISTAKES BY OTHERS
• All security is based on trust.
• Using a hacker bulletin board? How can you be sure they are fully patched and haven’t had their database dumped?
• Are you sure your encrypted messenger isn’t just giving your data away anyway?
• Think it can’t happen? Look at Wall of Sheep upstairs. Or ask Ashley Madison.
• Important point: password hashes become identifiers.
ALL ENCRYPTION NEEDS TO BE EVENTUALLY DECRYPTED
• Cracking crypto is hard… attacking endpoints is easy. Attacking people’s stupid mistakes is trivial.
• If I already own your box, all your encrypted comms are worthless.
PASSPHRASE-LESS KEYS
• You may be in a scenario where you have to give up your files… if your keys are there, it’s game over.
• VirusTotal keeps all files that are submitted to it and makes them available via a commercial API.
• You can use Yara to find things, like all files that have “BEGIN RSA PRIVATE KEY”.
• The search “maxes” out the results at 10,000. Of those, over 85% had no passphrase.
• SSH keys don’t have targeting information in them directly.
• PGP keys do though, and you can search for those in VT too
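Added example, not part of the talk or its tooling: a checker to run over your own repositories and backups that flags private keys stored without a passphrase, the condition the VirusTotal search above found in over 85% of hits. It reads the PEM label, the Proc-Type header of traditional keys and the cipher name inside the new OpenSSH blob; PGP secret-key blocks are only flagged for manual inspection (their S2K protection sits inside the packets, as in the gpg dump earlier). All samples are constructed dummies.

```python
import base64, re, struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ", re.S)

def _ssh_string(buf, pos):
    """Read one SSH wire-format string (uint32 length + bytes); return (value, next_pos)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def classify_private_key(text):
    """Return (label, protected) for an armored private key, or None if there is none.
    protected: True = passphrase needed, False = stored in the clear, None = not checked."""
    m = PEM_RE.search(text)
    if not m or "PRIVATE KEY" not in m.group(1):
        return None
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":             # new OpenSSH format: cipher name is in the blob
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC):
            return label, None
        cipher, _ = _ssh_string(raw, len(OPENSSH_MAGIC))
        return label, cipher != b"none"
    if label == "ENCRYPTED PRIVATE KEY":           # PKCS#8, encrypted by definition
        return label, True
    if label == "PGP PRIVATE KEY BLOCK":           # needs S2K packet inspection, not done here
        return label, None
    # Traditional PEM (RSA/DSA/EC) and plain PKCS#8: encrypted only if a Proc-Type header says so
    return label, "Proc-Type: 4,ENCRYPTED" in body

def _openssh_armor(cipher, kdf):
    """Constructed fixture with only the header fields the checker reads; not a usable key."""
    raw = OPENSSH_MAGIC
    for s in (cipher, kdf):
        raw += struct.pack(">I", len(s)) + s
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples; the base64 bodies are dummies, not real key material.
SAMPLES = {
    "rsa_plain": "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n",
    "rsa_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n"),
    "openssh_plain": _openssh_armor(b"none", b"none"),
    "openssh_encrypted": _openssh_armor(b"aes256-ctr", b"bcrypt"),
}

def unprotected_keys(samples):
    """Names of the inputs that hold a private key with no passphrase at all."""
    return [name for name, text in samples.items()
            if (classify_private_key(text) or (None, None))[1] is False]
```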
WHAT TO DO ABOUT IT ALL?
• It depends on what adversary you care about.
• Free-form text fields are your worst enemy.
• Layers help.
• Compartmentalize (if you’re doing interesting things while using Tor from home, you’re doing it wrong).
• Look and smell like a normal. Sometimes waiting or not encrypting is a better option.
TOOL 1 – ANDROID-CERT-GENERATOR
• https://github.com/uiucseclab/Android-Cert-Generator from UI Security Lab students.
• I wanted to figure out how to defeat my own analytics.
• Problem: Android malware requires you to write a fully-functioning app or to trojanize an existing app, but then you have to re-sign it. Need a way to create believable but fake signed APKs because you lack the private key.
• Uses the same details as the previous signed cert.
• Checks the Google Play store and Wolfram Alpha to generate the information.
BOTTOM LINE
• #DFIU
QUESTIONS?
• For Fidelis: [email protected]
• For Univ. of Illinois: [email protected]