Sex, Lies and Instant Messenger v2

this slide intentionally left blank

@alecmuffett sex, lies and instant messenger

sex, lies, & instant-messenger

@alecmuffett
www.alecmuffett.com

green lane security
www.greenlanesecurity.com

v2.0

What should come of this?


When using the Web
for private communication...


be aware
1) what can go wrong unexpectedly?


be aware
2) what risks you protecting against?


be aware
3) what must you do/not do?


Goal
“Keep control of your data.”


disclaimer (1)
All examples appearing in this work are
fictitious. Any resemblance to real events
or to real persons, living or dead,
is mostly coincidental.


disclaimer (2)
Advice given here is necessarily
incomplete; information security is a huge
discipline and a full set of risks cannot be
conveyed in 30 minutes.


1) what can go wrong unexpectedly?


passwords!


do not use secrets as passwords!


my history
• Crack
• First “smart” password cracker
• 1991..96
• http://tinyurl.com/2jnzpy
• CrackLib
• password checking library
• 1994..now


issue
passwords are secret, but...


issue
...secrets make bad passwords


passwords
guessable


000000 1 1111 11111 111111 11111111 112233 123 123123 123321 1234 12345 123456
1234567 12345678 123456789 123abc 123qwe 1q2w3e 1q2w3e4r 222222 55555 654321
666666 7777 7777777 a aaaaaa abc123 adidas admin amanda andrew angel angel1
angels anthony apple asdf asdfasdf asdfgh ashley asshole austin baby bailey
banana bandit baseball batman benjamin biteme blabla blahblah blessed blessing
blink182 bubbles buster canada cassie charlie cheese chelsea chicken chris
christ church cocacola compaq computer cookie cool corvette creative dakota
dallas daniel danielle david destiny dexter diamond digital dragon eminem
emmanuel enter faith flower foobar football football1 forever forum freedom
friend friends fuckoff fuckyou fuckyou1 gateway genesis george ginger god google
grace green guitar hahaha hallo hannah happy hardcore harley heaven hello hello1
helpme hockey hope hotdog hunter ilovegod iloveyou iloveyou! iloveyou1 iloveyou2
internet james jasmine jason jasper jennifer jessica jesus jesus1 john john316
jordan jordan23 joseph joshua junior justin killer kitten knight letmein london
looking love lovely loving lucky maggie master matrix matthew maverick maxwell
merlin michael michelle mickey microsoft mike monkey mother muffin mustang
mylove myspace1 nathan nicole nintendo none nothing onelove online orange pass
passw0rd password password1 peace peaches peanut pepper phpbb pokemon poop power
praise prayer prince princess purple qazwsx qwert qwerty qwerty1 rachel rainbow
red123 richard robert rotimi samantha sammy samuel saved scooby scooter secret
shadow shalom silver single slayer smokey snoopy soccer soccer1 sparky spirit
startrek starwars stella summer sunshine superman taylor test testing testtest
thomas thunder tigger trinity trustno1 victory viper welcome whatever william
winner wisdom zxcvbnm

250 top passwords - http://goo.gl/xPCq


“You’ll never guess my password,
it’s in Klingon!”


passwords
brute-forceable


from: AAAA


to: zzzzzzzzzzzz


via:
t5gn9LF$*RJ#


more than 1,000,000 guesses/second!


sometimes more than
2 billion guesses/second

( google: imhoff password cracking )


however...


password
a window into your mind?


password
reveals something about you?


password
reflects your tastes?


password
is known to your spouse?


also
• reuse = self-incrimination
• ...which is bad...
• ...more later...


basic password discipline
• use a password management tool
• use 12/more random characters
• use different passwords at each website
• never reuse passwords
• never share passwords
• change annually/more often
• change when someone discovers one!

next: instant messenger!


do not Skype IM with your lover!


Skype
• peer to peer architecture
• robust, replicated, flexible
• excellent security
• ...unless you’re up against the USA
• ...or China
• ...or maybe the UK


virtually impossible to expunge
a recent conversation


deletion can make things worse
messages resurrect from the dead!


(zombie data is not good)


Avoid XMPP with a lover...
• Also called Jabber Protocol
• Implementations:
• GoogleChat
• Some Facebook chat
• Other systems


XMPP
• Initial message is multicast
• sent to all logged-in instances
• eg: “hello sexy”
• ...also arrives on the home PC
• ...whilst you are at work


Other IM systems?
• Not really wise...
• AIM now multicast
• YIM likewise
• Go for something simple
• Avoid specialist IM-client software
• Use web-based systems


next: social media!


do not Twitter with your lover!


typos of doom!


D alice can i have you for dinner?


@alice can i have you for dinner?


...and, worse...


D bob Nude! http://twitpic.com/b0gu5


Twitter App Risks
• Third-party apps get access to DMs
• Twitter clients...
• Web Apps...
• Proliferation of data is unwise
• more backups
• more caches
• more access


do not Facebook your lover!


too easy to get wrong


Dropping Hints
homepage displays with whom you
communicate frequently


“Transitive trust”
friends-of-friends may not be friends


Facebook Software Ecology
Facebook is not really Facebook


Analogy
if you want to be private,
don’t throw your diary
into a pub full of gossips and journalists


next: phones!


do not smartphone with your lover!


massive comedy potential


iPhone screenlock


applications which pop-up
alerts above the screenlock


Locked?


punchline:


Don’t combine this with Skype


do not go gaming with your lover!


MMORPGs
• EQ
• SecondLife
• EVE Online
• Warhammer
• WoW
• etc...


held to lower standard than IM


heavily-integrated software
• game
• voice
• webcam
• other third party stuff


game logs
• logfiles are...
• comprehensive
• disparate
• spattered all over the hard drive
• ...and therefore hard to remove


next...


Geolocation can hurt you!


avoid sharing geolocation
• Foursquare, Twitter, etc
• “...but your Twitter messages said
that you were in Essex?”


Do you have an in-car GPS?
...and do you know how to wipe it?


next, an obvious thing that’s often missed:


do not send porny naked pictures
of yourselves, to each other


homebrew porn
• webcam temporary copy
• potentially restorable


homebrew porn
• desktop copy
• backup/time machine copy
• image-management tool copy


homebrew porn
• IM server copy
• or: duplicate Skype transfers
• plus: transfer logs


homebrew porn
• remote copies
• remote backup/time machine
• remote image-management tool


homebrew porn
• Took it with iPhone?
• backed up to iTunes
• backed up to iCloud?


homebrew porn
• boyfriend’s archive copies
• ...for sharing when you break up


do not use the family computer


there’s a reason it’s called
a family computer


do not use work-related hardware


work hardware
• not your machine
• thus: “not your data”
• may be taken from you
• eg: bankruptcy, fired, updated
• old hardware auctioned
• automated backups?
• network access logged?


summary


IF YOU ARE GOING TO LIVE
A DOUBLE LIFE,
THEN PLEASE DO IT RIGHT.


2) what risks are you protecting against?


(apart from spouses and lawyers)


recreational computer forensics!


for teh lulz!


Things Geeks Do
• Enumerate all possible URLs:
• tinyurl
• bit.ly
• is.gd
• t.co
• ...and save the good ones


Things Geeks Do
• Trawl...
• Picasa
• Twitpic
• Yfrog
• ...to much the same ends


Things Geeks Do
• buy hardware from Ebay
• undelete data files
• desktops
• laptops
• printers (!)
• storage
• hard disks
• thumb drives
• SD cards

Things Geeks Do
• buy phones from Ebay
• restore deleted SMS
• retrieve e-mail passwords


Find hardware in the street...


...investigate it...


...discover secrets.


Your challenge is to make that hard


3) what must you do/not do?


do use separate identities,
do not link identities!


create a disposable identity,
start with an e-mail address


use a fake, boring,
common pseudonym
• good
• edward wilson
• carole smith
• bad
• sexxxy4UinBasingstoke
• anything else that’s unique


is this legal?
• probably breaking terms of service
• is it criminal to lie?
• maybe...


idea:
Use a disposable Gmail account
to set up a fake Yahoo account
or vice-versa.


do not bookmark your secret identity


do use a random password
• never used before
• never use anywhere else
• keep the password in your brain


do not store the secret identity password
in your normal password manager!


do minimise data proliferation,
do not leave footprints!


do not access your secret identity
from your normal phone


iPhone
• All backed up by iTunes:
• SMS
• call logs
• geolocation (see recent press)
• ...possibly password protected
• You’re using a different password, yes?


Android
• basically ditto
• ...but backed up on Google instead


Do not access your secret identity
using your normal laptop “login”


avoid intermingled filestore


set up different “users”
• keep sensitive files in one place
• ...hopefully
• ...mostly
• ...except for logs


set up encrypted hard disks
resistant to post-Ebay forensics


use browsers which support
private browsing modes,
which delete cookies & history on exit


example workflow


Chrome
“day-to-day”


Safari
• Guests and visitors
• Logging into a website without
logging-out of Facebook first


Firefox
• Ideal for...
• porn
• shagging
• dubious e-mail links
• security malware research


technical reference


browser settings (1)
• clear cookies on exit
• clear history on exit
• don't accept 3rd-party cookies
• block popups


browser settings (2)
• don't save form input
• don't save history
• switch off autosuggest
• set to private browser mode
• ...permanently, if possible
• else auto/delete cookies on exit


plugins / similar
• Flash Player
• Visit the security settings panel
• purge Flash cookies and sites
• set Flash db size to zero
• HTML5 settings
• set HTML5 db size to zero
• watch for other/new issues


Firefox extensions
• Tor
• better: Tor Browser Bundle
•SSL Everywhere
•NoScript
•RequestPolicy
•AdBlock Plus
•Ghostery

Adium / Pidgin for IM
• use OTR encryption
• not the same as “OTR” in GoogleChat!
• can solve the point-to-point chat issue


remember:


all this also applies to your phone


speaking of phones...


use a PAYG dumbphone
• pay cash (where possible)
• top-up with cash
• enable PIN lock
• avoid ...
• paper billing
• web integration


use voice calls


do not leave voicemails


wipe your SMS messages regularly


dumbphone SMS
• lowest common denominator
• messages still logged on backend
• but overall exposure is less


if you must use smartphone
• don’t link to your normal Google
Account


if you must use smartphone
• check out:
• WhatsApp
• TigerText
• other SMS replacements


finally...


decommission old hardware!
• computers
• DBAN - Darik’s Boot & Nuke
• Free suicide pill / CDROM for PCs
• phones
• Remove SIM
• SMS may be on SIM as well as phone!
• Check whether factory reset actually works
• if not, smash it and drive a car over it repeatedly


bottom line
• the more copies of data exist
• the harder it is to remove them
• when data escapes your control
• it's available forever


when mistakes happen...
• clean up calmly
• do not amplify the mistake


remember
• your lover has the same data
• but may not be taking care of it
• educate them gently
• his/her systems will also
one day be sold on eBay


so why must you actually know all this?


answer...


1) shagging


2) journalists and sources


3) employees and whistleblowers


4) activists in repressive regimes


5) separating work and home data/life


6) good data hygiene


bonne chance


Sex, Lies and Instant Messenger v2

Recomendados

Recomendados

Más contenido relacionado

Más de Alec Muffett

Más de Alec Muffett (6)

Último

Último (20)

Sex, Lies and Instant Messenger v2