Getting Hit by an 18-wheeler: Privacy & Anonymity in the Modern Age By: Cody Hofstetter. Disclaimer. This presentation is for educational purposes only. I am not a lawyer even if I sound like one. Seek legal advice from someone who is. CC-BY-SA.
Getting Hit by an 18-wheeler: Privacy & Anonymity in the Modern Age • By: Cody Hofstetter
Disclaimer • This presentation is for educational purposes only. • I am not a lawyer even if I sound like one. Seek legal advice from someone who is.
CC-BY-SA • Explicitly NOT covered by the CC-BY-SA in this presentation • All logos, trademarks, taglines, et al. associated with any company.
Overview • Introduction • Privacy & Anonymity Differences • Top Level Ideas • Tracking • Privacy/Anonymity Enhancement Tools • Closing Points to Remember
About Cody Hofstetter • From Software Pirate to Freedom Advocate
Privacy & Anonymity • Privacy concerns content. E.g. the contents of an email or text message. • Anonymity concerns your identity. E.g. the sender and recipient of an exchange.
Privacy & Anonymity • When you’re communicating with your lover/girlfriend/wife (or vice versa), you may not care who knows you are talking (anonymity), but you may want to keep the content of the messages between yourselves (privacy). • A whistle-blower may want their identity (anonymity) to remain hidden for fear of reprisal, but they want the content (privacy) of their message to be known.
Top Level 1 - Know Your Adversary • Individual • Corporation • Nation-state
Getting hit by two 18-wheelers, dropped out of a plane & set on fire: Your friendly Government & You
Top Level 2 - If you aren’t paying for the product... YOU ARE THE PRODUCT
Top Level 3 - Logs • If you don’t have logs, you can’t be compelled to produce them • If a company doesn’t have logs, they can’t be compelled to produce them • Know what you absolutely need to keep to comply with the law, and protect yourself and your customers as much as possible
Tracking • MAC Address • Unique Browser Fingerprint • Email Collection • GPS (trilateration – distances) • Cellular (triangulation - angles) • Content Delivery Network (CDN)
Media Access Control (MAC) Address • Used as a unique identifier for network interfaces in IEEE 802 technologies (e.g. Ethernet/Wifi/Bluetooth) • The first three octets (of 6 total) identify the manufacturer, aka the Organizationally Unique Identifier (OUI) • 00-03-93 | Apple • 88-12-4E | Qualcomm Atheros • Apple randomizes MAC addresses in iOS devices when scanning for networks
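An added example (not from the presentation) that pulls the OUI out of a MAC address in any common notation and checks the "locally administered" bit, which randomized addresses such as the iOS scanning ones set so that the prefix does not point at a real manufacturer. The two-entry vendor table is constructed from the slide; a real lookup would use the IEEE OUI registry.

```python
import re

# Constructed stand-in for the IEEE OUI registry, using only the two prefixes on the slide.
OUI_TABLE = {
    "00:03:93": "Apple",
    "88:12:4E": "Qualcomm Atheros",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:03:93:..., 00-03-93-..., 0003.93..., or bare hex; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_locally_administered(mac: str) -> bool:
    """The 0x02 bit of the first octet marks a locally administered address.
    Vendor-assigned (universal) addresses have it clear; software-randomized
    addresses set it, so the OUI of such an address names no manufacturer."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """The 0x01 bit of the first octet marks a group (multicast/broadcast) address."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x01)


def describe(mac: str) -> dict:
    """Return the normalized address, its OUI, the vendor (if universal and known),
    and whether it looks randomized."""
    norm = normalize_mac(mac)
    randomized = is_locally_administered(norm)
    oui = norm[:8]
    return {
        "mac": norm,
        "oui": oui,
        "randomized": randomized,
        "multicast": is_multicast(norm),
        # A locally administered OUI is not a manufacturer code, so do not look it up.
        "vendor": None if randomized else OUI_TABLE.get(oui),
    }
```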
Browsers • Internet Explorer/Edge (Just no) • Google Chrome • Firefox • Safari
Unique Browser Fingerprint • Number of add-ons and extensions • Types of add-ons and extensions • Screen resolution • Timezone • Language • Platform • Fonts installed on the system • Touch support
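An added example (not from the presentation) showing why the attributes listed above identify a browser: it measures how many bits of identifying information each attribute carries across a population and what fraction of browsers become unique once attributes are combined. The population of eight fingerprints is constructed for illustration.

```python
import math
from collections import Counter

# Constructed population of browser fingerprints using attributes from the slide.
POPULATION = [
    {"platform": "Win32", "timezone": "UTC-8", "screen": "1920x1080", "fonts": 56, "touch": False},
    {"platform": "Win32", "timezone": "UTC-8", "screen": "1920x1080", "fonts": 56, "touch": False},
    {"platform": "Win32", "timezone": "UTC-8", "screen": "1366x768", "fonts": 41, "touch": True},
    {"platform": "MacIntel", "timezone": "UTC-8", "screen": "2560x1600", "fonts": 212, "touch": False},
    {"platform": "MacIntel", "timezone": "UTC-8", "screen": "2560x1600", "fonts": 214, "touch": False},
    {"platform": "Linux x86_64", "timezone": "UTC+1", "screen": "1920x1080", "fonts": 97, "touch": False},
    {"platform": "Linux x86_64", "timezone": "UTC+1", "screen": "1920x1080", "fonts": 97, "touch": False},
    {"platform": "Win32", "timezone": "UTC-8", "screen": "1920x1080", "fonts": 56, "touch": False},
]


def entropy_bits(population, attr):
    """Shannon entropy of one attribute: how many bits it reveals on average."""
    n = len(population)
    counts = Counter(fp[attr] for fp in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def surprisal_bits(population, fingerprint, attrs):
    """Bits of identifying information in one browser's combination of attributes."""
    key = tuple(fingerprint[a] for a in attrs)
    matching = sum(1 for fp in population if tuple(fp[a] for fp in [fp] for a in attrs) == key)
    return -math.log2(matching / len(population))


def unique_fraction(population, attrs):
    """Share of the population whose combination of the given attributes is unique."""
    keys = [tuple(fp[a] for a in attrs) for fp in population]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def rank_attributes(population):
    """Attributes ordered from most to least identifying."""
    attrs = list(population[0].keys())
    return sorted(attrs, key=lambda a: entropy_bits(population, a), reverse=True)
```

Fewer installed fonts and a common platform/screen combination lower the surprisal; the combination of all attributes, not any one of them, is what makes a browser unique.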
Surveillance Methodology • 1) You have an IP address • 2) Match IP address to location • 3) Traditional surveillance is brought in to monitor location • 4) Match access logs with presence of individual(s) • The US Government indicted 5 Chinese military officials using this technique
Email Collection • Gmail • AOL - (yes some people still use it?) • Yahoo • If it’s unencrypted it’s being collected, parsed, and used to build your ad profile
GPS • GPS requires three (3) satellites to determine a 2-dimensional position and four (4) satellites to determine a 3-dimensional position
Google Maps https://maps.google.com/locationhistory
IMSI-catchers • International Mobile Subscriber Identity-catchers • AKA Stingrays • Some models also pull content (call details, text messages, email, and more) • No discrimination. A stingray can gather information on anyone connecting to the tower, not just the target
Baseband Processors • The device in your pocket is always talking and we don’t know what it’s saying • Proprietary codebase • No independent audits, no problem! We’ll just put our security holes and backdoors in there.
Content Delivery Network (CDN) • You make a request to the website • A CDN geographically closer responds to the request • The webpages and other content load faster for the user • A referer HTTP header reveals to the CDN what page you are looking for • Your IP address and browser fingerprinting can be used to determine your identity
Damn Extremists • Leaked 2014 XKeyscore configuration shows you were suspected as an "extremist" for searching: • Linux • IRC • TAILS • Tor • Truecrypt
Start Simple 1) Evaluate your needs 2) Evaluate the needs of your family 3) Make a solution that fits within each person’s needs
Panopticlick • Test your browser against: • Ad-blocking • Trackers • Fingerprinting • https://panopticlick.eff.org/tracker
Browser Extensions • HTTPS Everywhere • Privacy Badger • Ublock Origin • NoScript (Firefox) • Self Destructing Cookies (legacy – replacement is Cookie Autodelete)
CDN Redirection • Redirects requests for CDN providers to local resources • Decentraleyes • Bundled with commonly used files and serves them locally whenever a site tries to retrieve them from a CDN. Saves bandwidth and protects your anonymity/privacy. • Supported Networks: Google Hosted Libraries, Microsoft Ajax, Yandex, Baidu CDN, CDNJS (Cloudflare), etc
Signal • Wickr/Telegram/WhatsApp • Secure Messaging App • Encrypted communications (end to end and perfect forward secrecy) • Disappearing messages
KeePass • A password manager stores all the passwords • KeePassDroid - Android • MiniKeePass – iOS • Difference between LastPass and KeePass
F-Droid • F-Droid repo is like the Google Play Store • OpenCamera (FANTASTIC job) • Document Viewer/LibreOffice Viewer • NextCloud
Recommended Email Providers • Protonmail • Riseup
Recommended Email Providers – Continued • Darkmail - (Ladar Levison) • Ladar’s company (Lavabit) was the email provider for Edward Snowden and rather than give access to the Feds, he shut down his company. • DIME (Dark Internet Mail Environment) • Magma, DIME capable free and open source mail server - https://github.com/lavabit/magma
Live USB / DD Command • TAILS • Rufus • UnetBootin • DD command (be extremely careful with this command)
Proxy • User → Proxy → Website • The website will see the IP address of the proxy not the user • The proxy operator will be able to see all unencrypted traffic passing through • If the website/service uses encryption, the proxy operator can see where you are going but not what you are looking at
Proxy • Most proxies use the HTTP/HTTPS and SOCKS (Socket Secure) protocols • SOCKS 4 vs 5 – SOCKS4 only supports TCP applications, while SOCKS5 also supports UDP, DNS, and various authentication methods
Proxy Chains • No Proxy • User → Webpage • Proxy • User → Proxy → Webpage • Proxy Chain • User → Proxy → Proxy → Proxy → Webpage
Virtual Private Network (VPN) • User creates an encrypted tunnel to the VPN server • All internet traffic goes through this tunnel • Unless you have a DNS leak
VPN vs Proxy • Proxies are designed to protect browser traffic, whereas VPNs are designed to protect all traffic • Proxies must be configured for each application (browser, email, third-party apps, etc) • If a single proxy in the chain is broken, the entire chain fails
Free Proxies/VPNs • DO NOT USE THEM • YOU ARE THE PRODUCT • IT IS HIGHLY LIKELY THEY ARE: 1) Collecting browsing data to sell 2) Injecting HTML or Javascript to monetize by showing you ads.
Recommended VPNs • Private Internet Access • TorGuard • ProtonVPN • RiseupVPN
Access through the TorBrowser (a modified version of Firefox) or TAILS • Works by encrypting each hop in the network and randomly choosing the servers connected to • The final connection point at the last relay in the chain can be compromised if the requested site does not use SSL.
VPNs and TOR • VPNs and TOR may be used together • The main drawback is the connection will be slowed significantly
Domain Name Service (DNS) • Translates IP addresses into human readable addresses • What is 8.8.4.4 and 8.8.8.8? • Google Public DNS
Domain Name System Security Extensions (DNSSEC) • Provides origin authentication • Authenticated denial of existence (to prevent zone enumeration) • Data integrity • Does not provide • Encryption • Availability • Confidentiality
DNSCrypt • Designed by OpenDNS to provide encrypted DNS queries • DNSCrypt is the wrapper providing encryption, and DNSSEC sits inside providing authentication • List of DNSCrypt resolvers • https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
DNS Caching Server • Dnsmasq • Provides small network infrastructure (DNS, DHCP, router advertisement and network boot) • apt-get install (distribution specific) dnsmasq • Edit /etc/resolv.conf with wanted nameservers (2) • /etc/init.d/dnsmasq start • Test with “dig (website name)” twice. If the second returns a query time of 0 msec it works!
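An added example (not from the presentation) that automates the "dig twice" check above: it parses dig's status trailer and confirms the second answer both took 0 msec and came from the local resolver, since a fast answer from an upstream server would mean resolv.conf still bypasses dnsmasq. The dig outputs are constructed samples; 192.0.2.1 is a documentation address.

```python
import re

# dig prints these lines in its status trailer after every query.
QUERY_TIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([0-9A-Fa-f.:]+)#(\d+)", re.M)

# Constructed dig output: first lookup goes to the upstream via dnsmasq.
FIRST_RUN = """; <<>> DiG 9.16.1 <<>> example.com
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.1
;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
# Constructed: second lookup served from the dnsmasq cache.
SECOND_RUN = FIRST_RUN.replace("Query time: 31 msec", "Query time: 0 msec")
# Constructed: fast answer, but from Google Public DNS, so the cache was bypassed.
UPSTREAM_RUN = SECOND_RUN.replace("127.0.0.1#53(127.0.0.1)", "8.8.8.8#53(8.8.8.8)")


def parse_dig(output: str) -> dict:
    """Extract query time and the answering server from dig's trailer."""
    time_match = QUERY_TIME_RE.search(output)
    server_match = SERVER_RE.search(output)
    if not time_match or not server_match:
        raise ValueError("dig status trailer not found in output")
    return {
        "query_time_ms": int(time_match.group(1)),
        "server": server_match.group(1),
        "port": int(server_match.group(2)),
    }


def cache_check(first: str, second: str, local: str = "127.0.0.1") -> tuple:
    """Return (ok, reason) for a first/second dig pair run against dnsmasq."""
    before, after = parse_dig(first), parse_dig(second)
    if after["server"] != local:
        return False, f"second answer came from {after['server']}, not the local dnsmasq"
    if after["query_time_ms"] != 0:
        return False, f"second query still took {after['query_time_ms']} msec; not cached"
    return True, f"cached: {before['query_time_ms']} msec -> 0 msec from {local}"
```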