DOCSLIB.ORG

Private Contact Discovery

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Private Contact Discovery Security Now! Transcript of Episode #631 Page 1 of 32 Transcript of Episode #631 Private Contact Discovery Description: This week we discuss some aspects of iOS v11, the emergence of browser hijack cryptocurrency mining, new information about the Equifax hack, Google security research and Gmail improvements, breaking DKIM without breaking it, concerns over many servers in small routers and aging unpatched motherboard EFI firmware, a new privacy leakage bug in IE, a bit of miscellany, some long-awaited closing-the-loop feedback from our listeners, and a close look into a beautiful piece of work by Moxie & Co. on Signal. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-631.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-631-lq.mp3 SHOW TEASE: It's time for Security Now!. I'm back. Steve Gibson's here. And we have a lot to talk about, including a little more information about how Apple's Face ID works. A judge who says, no, the FBI doesn't have to tell you anything about how it unlocked that iPhone. And Moxie Marlinspike in another discovery, this time Signals the victim. Plus the secret life of bees. It's all coming up next on Security Now!. Leo Laporte: This is Security Now! with Steve Gibson, Episode 631, recorded Tuesday, October 3rd, 2017: Private Contact Discovery. It's time for Security Now!, the show where we cover the latest news from the security front. It is a front. It's a war out there. Thank goodness General Gibson is here, Commander in Chief. Steve Gibson: Welcome back from your two-week cruise around the world, wherever it was you went? Leo: No, I just went up the river, that's all. Steve: Up the river, okay. Leo: Up the river. But it was a nice vacation. Security Now! Transcript of Episode #631 Page 2 of 32 Steve: Well, fortunately you came back down the river. Leo: Yeah, and thanks to Father Robert, who everybody agrees should be hosting the show from now on. It's okay. It's okay. It doesn't hurt my feelings much. But I am glad to be here. Steve: Well, you did announce you were loving your vacations and your travel. Leo: I'm not giving up this show. Steve: No. Leo: We've been doing this 13 years. Steve: Yes, we are in our 13th year. Leo: Unbelievable. And the good news is no security problems at all this week. Steve: Yeah, yeah. We're just going to... Leo: Did you see, there's one that just broke that is hysterical. It has nothing to say about it. But Yahoo now admits that every account was hacked. Three billion, with a "B," accounts were hacked in that 2013 exfiltration. Steve: And I liked your comment on MacBreak Weekly, that that would be the largest ever. And one reason is that there used to be much more concentration into a single provider. And now we have a much more heterogeneous environment, where not everybody is at Yahoo the way they used to be. So I think it is the case that no one outfit will be able to be as devastating. So Episode 631 today. As I was pulling things together, one interesting bit stood out that acquired the title, which is the reason this is called "Private Contact Discovery." Our friend Moxie Marlinspike and his gang working on Signal have tackled the problem of concealing contact metadata, which is an unsolved problem, really, until now. We've talked, for example, about how, even when, for example, email content is encrypted, the fact of the mail moving from person A to person B cannot really be hidden. And so it's often the case that who you're talking to is as much a useful piece of information and, unfortunately, a breach of privacy as what it is you say. And in the world of instant messaging, which Moxie's Signal protocol addresses - and we've talked about Signal's ratchet mechanism and what a perfect job they have done, so much so that other platforms have adopted the open Signal Protocol for themselves because it's so good. One of the remaining problems has been how does a new person join the Signal ecosystem, or the Signal universe, and discover who in their contacts are other Signal users without the central repository that glues all this together knowing that Security Now! Transcript of Episode #631 Page 3 of 32 they've done so, like knowing what contacts they have in common. Anyway, they figured how to do this. So we'll wrap up the podcast talking about that. But of course we do have our week's worth of news. We're going to talk about - I have to talk a little bit about my experiences with iOS v11. Won't take up much time, but I just want to kind of go on record with what I have found. Also, for a couple weeks there have been a number of stories about various instances of browser hijack cryptocurrency mining. And so I want to talk sort of generically about the emergence of this as a thing and what it means. We have some additional information about the Equifax hack, some amazing coverage thanks to Bloomberg. Google's security research is uncovering new problems. They have also, anonymously, some people at Google have announced some plans for improvements of Gmail security as a consequence essentially of this emerging awareness of how much Russia was involved in this past presidential election. There were some specious rumors, well, actually stories about breaking DKIM, which is the email authentication protocol that we've actually been talking about not too long ago. Turns out it wasn't broken, but we'll explain what happened. Also there's some new concerns over many small servers in routers which are exploitable. And you also were talking on MacBreak about motherboard EFI firmware concerns, mostly focused on Apple, as you said, because the researchers were able to more easily explore various Apple Mac systems and the firmware that they had. But this - we're going to broaden it, of course, for this podcast and talk about also the impact on Windows and Linux-based hardware. There's a privacy leakage bug in IE. We'll do some miscellany. We've got a bunch of interesting, and I think pretty quick, closing-the-loop feedback from our listeners. And then we're going to take a close look at this beautiful work that Moxie and his group at Signal have done in order to protect the discovery of other people in your existing contacts who you want to converse with over Signal without disclosing the fact that you have found them, which turns out to be a much harder problem than one would expect. So I think a great podcast. Leo: Yes. Steve: Our Picture of the Week just cracked me up. It caught me by surprise. Someone tweeted it to me, and it's apropos of the data disclosures that we've been having lately. It shows some bees flying around in a hive, and the caption says, "Security Failure: EpiPen's Database of Everyone Who's Allergic to Bees Has Been Obtained by Bees." Leo: [Laughing] That's good. That's good. Steve: I just thought it was perfect. Leo: Oh, you're in trouble now, boy. The bees know who you are. Steve: Yeah, the bees know who you are. They know how to selectively sting because they only get one shot at that, I think. Security Now! Transcript of Episode #631 Page 4 of 32 Leo: That is funny. Steve: I thought that was great, yeah. Leo: Wow. Steve: So just briefly, on iOS 11, I don't know yet how 11.0.1 compares. But right out of the gate it was the buggiest release of iOS I have ever experienced. Leo: What problems did you experience? Steve: Oh, my god. Like everything I tried, every one of my devices - I have, I don't know, like seven pads and my phone - and they were all doing bizarre things. Leo: Oh, dear. Steve: Like I remember in iMessage one of the balloons got stuck so that, when I changed to a different message channel, the other ones were scrolling underneath this... Leo: Oh, I've seen, yeah, I've seen weird cosmetic things like that, yeah. Steve: Yes. And the dock got stuck on the vertical side. And as I rotated, everything else rotated around, but the dock just stuck where it was. And on one of my pads, whenever the preview, when the screen is locked where you're able to see things, every time I touch it to scroll it, it flashes white really briefly and then kind of settles down. I mean, just if Jobs were still around, heads would be rolling, or they wouldn't have shipped it. I don't know. But, I mean, I was just, you know, I love iOS. I use it as much as I use Windows. And it just completely collapsed. Leo: So what did you do? Did you roll back? Steve: No, I just kind of shook the pads more and turned - I often turn them off and back on, and then it's okay for a while. I mean, it's really - and I'm hoping that 11.0.1 that came out, what, late last week, hoping that it's going to be an improvement.
Load more

Recommended publications
  • Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives
    Self-encrypting deception: weaknesses in the encryption of solid state drives Carlo Meijer Bernard van Gastel Institute for Computing and Information Sciences School of Computer Science Radboud University Nijmegen Open University of the Netherlands [email protected] and Institute for Computing and Information Sciences Radboud University Nijmegen Bernard.vanGastel@{ou.nl,ru.nl} Abstract—We have analyzed the hardware full-disk encryption full-disk encryption. Full-disk encryption software, especially of several solid state drives (SSDs) by reverse engineering their those integrated in modern operating systems, may decide to firmware. These drives were produced by three manufacturers rely solely on hardware encryption in case it detects support between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form by the storage device. In case the decision is made to rely on factor) and external models using the USB interface. hardware encryption, typically software encryption is disabled. In theory, the security guarantees offered by hardware encryp- As a primary example, BitLocker, the full-disk encryption tion are similar to or better than software implementations. In software built into Microsoft Windows, switches off software reality, we found that many models using hardware encryption encryption and completely relies on hardware encryption by have critical security weaknesses due to specification, design, and implementation issues. For many models, these security default if the drive advertises support. weaknesses allow for complete recovery of the data without Contribution. This paper evaluates both internal and external knowledge of any secret (such as the password).
    [Show full text]
  • Computer and Information Security Pointer​ to Homework 2
    Computer and Information Security (ECE560, Fall 2020, Duke Univ., Prof. Tyler Bletsch) Pointer to Homework 2 Updated 2020-09-07:​ Clarified SSH key format Question 0: Accessing the Homework (0 points, but necessary) Homework 2 is encrypted with three stages of encryption. You’ll need to use both your Windows VM and a new Kali Linux VM. The stages are: 1. The inner layer is a VeraCrypt encrypted disk image to be opened in Windows that ​ ​ contains a link to Homework 2; I explain how to find the key for this later in this document. You get to the inner layer by decrypting the outer layer. 2. The outer layer is encrypted with AES and is available for each student on the course ​ ​ site; the secret key is randomly generated per each student and is distributed by the Encrypted Thing Giver web app. ​ 3. The Encrypted Thing Giver accepts an RSA public key, encrypts the random secret ​ ​ key using this public key. As owner of the corresponding private key, you’ll be able to decrypt it in order to obtain the AES key for the outer layer. The steps below will walk you through this crypto journey. You will need to show your work later, so keep notes! Make an SSH key pair You will need an SSH key pair. If you already created one, you can use it as-is (provided it is RSA-based, but most are). If you don’t have an SSH key pair, research how to create one with ssh-keygen. You may wish to do this on your local system, as you can set it up to let you SSH into Duke machines without a password (optional -- see Appendix A at the end of this document).
    [Show full text]
  • Encryption Disk Full Disk and Hidden OS in EFI V1.2 Revisions N Date Name Comment
    Encryption disk Full disk and hidden OS in EFI v1.2 Revisions N Date Name Comment 1.2 28-mar-17 kavsrf Hidden OS. Simplified 1.1 28-feb-17 kavsrf Hidden OS. Developer way. 1.0 28-jan-17 kavsrf Started. Encryption disk..............................................................................................................................1 Full disk and hidden OS in EFI..................................................................................................1 v1.1.............................................................................................................................................1 1 Full disk encryption....................................................................................................................1 1.1 Boot from local hard disk....................................................................................................1 1.1.1 Final disk structure........................................................................................................1 1.1.2 Installation scenario (It is proposal)..............................................................................1 1.1.3 Developer way. To test PoC..........................................................................................2 2 Hidden OS installation................................................................................................................2 2.1 Installation in addition to already encrypted OS..................................................................2 2.1.1 Prepare disk state..........................................................................................................2
    [Show full text]
  • Draft Version
    Zurich of University the at Security IT on lecture the for reading complementary as ISBN: 978-1-63081-846-3 used be can This text is extracted from the book “Cryptography 101: From Theory to Practice” that was writtentext by Rolf Oppliger and published by Artech House in June 2021 (in its Information Security and Privacy book series). This Zurich of Chapter 1 University the at Introduction Security In this chapter, we pitch the field and introduce the topicIT of the book, namely cryp- tography, at a high operating altitude and level ofon abstraction. More specifically, we elaborate on cryptology (including cryptography) in Section 1.1, address crypto- graphic systems (or cryptosystems for short) in Section 1.2, provide some historical background information in Section 1.3, andlecture outline the rest of the book in Section 1.4. The aim is to lay the basics to understand and put into proper perspective the the contents of the book. for 1.1 CRYPTOLOGY reading The term cryptology is derived from the Greek words “krypt´os,” meaning “hidden,” and “l´ogos,” meaning “word.” Consequently, the term cryptology can be paraphrased as “hidden word.” This refers to the original intent of cryptology, namely to hide the meaning of words and to protect the confidentiality and secrecy of the respective data accordingly. As will (hopefully) become clear throughout the book, this viewpoint is too narrow,complementary and the term cryptology is currently used for many other security- related purposesas and applications in addition to the protection of the confidentiality and secrecy of data. More specifically, cryptology refers to the mathematical science and field of used study that comprises cryptography and cryptanalysis.
    [Show full text]
  • Veracryptcrypt F R E E O P E N - S O U R C E O N - T H E - F L Y E N C R Y P T I O N User’S Guide
    VERAVERACRYPTCRYPT F R E E O P E N - S O U R C E O N - T H E - F L Y E N C R Y P T I O N USER’S GUIDE veracrypt.codeplex.com Version Information VeraCrypt User’s Guide, version 1.19 Released by IDRIX on October 17th, 2016 Legal Notices THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY. THE ENTIRE RISK AS TO THE QUALITY, CORRECTNESS, ACCURACY, OR COMPLETENESS OF THE CONTENT OF THIS DOCUMENT IS WITH YOU. THE CONTENT OF THIS DOCUMENT MAY BE INACCURATE, INCORRECT, INVALID, INCOMPLETE AND/OR MISLEADING. IN NO EVENT WILL ANY AUTHOR OF THE SOFTWARE OR DOCUMENTATION, OR ANY APPLICABLE COPYRIGHT OWNER, OR ANY OTHER PARTY WHO MAY COPY AND/OR (RE)DISTRIBUTE THIS SOFTWARE OR DOCUMENTATION, BE LIABLE TO YOU OR TO ANY OTHER PARTY FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, ANY DIRECT, INDIRECT, GENERAL, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, CORRUPTION OR LOSS OF DATA, ANY LOSSES SUSTAINED BY YOU OR THIRD PARTIES, A FAILURE OF THIS SOFTWARE TO OPERATE WITH ANY OTHER PRODUCT, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR BUSINESS INTERRUPTION), WHETHER IN CONTRACT, STRICT LIABILITY, TORT (INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE) OR OTHERWISE, ARISING OUT OF THE USE, COPYING, MODIFICATION, OR (RE)DISTRIBUTION OF THIS SOFTWARE OR DOCUMENTATION (OR A PORTION THEREOF), OR INABILITY TO USE THIS SOFTWARE OR DOCUMENTATION, EVEN IF SUCH DAMAGES (OR THE POSSIBILITY OF SUCH DAMAGES) ARE/WERE PREDICTABLE OR KNOWN TO ANY (CO)AUTHOR, INTELLECTUAL-PROPERTY OWNER, OR ANY OTHER PARTY.
    [Show full text]
  • Sicheres Coworking in Zeiten Von Corona
    Sicheres Coworking in Zeiten von Corona Ein Leitfaden von PwC Cyber Security & Privacy 20. März 2020 Herausforderungen Pandemie Sicherheit Viele Unternehmen stehen auf Grund der aktuellen Ad-hoc aufgebaute Strukturen sind anders als die etablierten Strukturen Bedrohungslage von Covid-19 vor der Herausforderung, nicht auf Sicherheitslücken getestet und bergen damit nicht zu ihre Mitarbeiter remote anzubinden. unterschätzende Risiken in Bezug auf Datenschutz und Datensicherheit. Infrastruktur Lösung Üblicherweise sind die Infrastrukturen von Firmen nicht auf die Dieser Leitfaden soll Sie Anbindung aller Mitarbeiter an das Firmennetz ausgelegt. unterstützen, die richtige Eine Möglichkeit zur Fortführung der Tätigkeiten der Mitarbeiter Coworking Lösung für Ihr muss schnellstmöglich zur Verfügung gestellt werden. Unternehmen zu finden. Sicheres Coworking in Zeiten von Corona 20. März 2020 PwC Cyber Security & Privacy 2 Risiken, Prioritäten und Compliance Risiken bei der Bereitstellung von Ad-hoc Lösungen Auslastung Monitoring Nachvollziehbarkeit Evtl. sehr hohe Auslastung Verlagerung der Prioritäten Fehlende Koordination und von IT-Services, IT-Infrastruktur, innerhalb der IT-Organisation mangelhafte Kommunikationswege. Bandbreiten durch vermehrte und dadurch fehlendes oder Fehlender Fokus auf die Remote-Zugriffe auf das unzureichendes Monitoring von Dokumentation der Implementierung Unternehmensnetzwerk. Sicherheitsvorfällen. von Ad-hoc Lösungen. Fokus auf der Bereitstellung von Services, nicht auf Funktions- und Sicherheitstests vor Inbetriebnahme.
    [Show full text]
  • Encryption of Data - Questionnaire
    Council of the European Union Brussels, 20 September 2016 (OR. en) 12368/16 LIMITE CYBER 102 JAI 764 ENFOPOL 295 GENVAL 95 COSI 138 COPEN 269 NOTE From: Presidency To: Delegations Subject: Encryption of data - Questionnaire Over lunch during the informal meeting of the Justice Ministers (Bratislava, 8 July 2016) the issue of encryption was discussed in the context of the fight against crime. Apart from an exchange on the national approaches, and the possible benefits of an EU or even global approach, the challenges which encryption poses to criminal proceedings were also debated. The Member States' positions varied mostly between those which have recently suffered terrorist attacks and those which have not. In general, the existence of problems stemming from data/device encryption was recognised as well as the need for further discussion. To prepare the follow-up in line with the Justice Ministers' discussion, the Presidency has prepared a questionnaire to map the situation and identify the obstacles faced by law enforcement authorities when gathering or securing encrypted e-evidence for the purposes of criminal proceedings. 12368/16 MK/ec 1 DGD2B LIMITE EN On the basis of the information be gathered from Member States' replies, the Presidency will prepare the discussion that will take place in the Friends of the Presidency Group on Cyber Issues and consequently in CATS in preparation for the JHA Council in December 2016. Delegations are kindly invited to fill in the questionnaire as set out in the Annex and return it by October 3, 2016 to the following e-mail address: [email protected].
    [Show full text]
  • Co-Ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols Harry Halpin, Ksenia Ermoshina, Francesca Musiani
    Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols Harry Halpin, Ksenia Ermoshina, Francesca Musiani To cite this version: Harry Halpin, Ksenia Ermoshina, Francesca Musiani. Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols. SSR 2018 - Security Standardisation Research Conference, Nov 2018, Darmstadt, Germany. hal-01966560 HAL Id: hal-01966560 https://hal.inria.fr/hal-01966560 Submitted on 28 Dec 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols Harry Halpin1, Ksenia Ermoshina2, and Francesca Musiani2 1 Inria 2 Rue Simone Iff [email protected] 2 Institute for Communication Sciences, CNRS 20 rue Berbier-du-Mets 75013 Paris, France Abstract. Due to the increased deployment of secure messaging pro- tocols, differences between what developers \believe" are the needs of their users and their actual needs can have real consequences. Based on 90 interviews with both high and low-risk users, as well as the developers of popular secure messaging applications, we mapped the design choices of the protocols made by developers to the relevance of these features to threat models of both high-risk and low-risk users.
    [Show full text]
  • ZERO TRACE DARKNET CARDER's GUIDE Table of Contents Introduction 2 Security 2 Spoofing
    ZERO TRACE DARKNET CARDER'S GUIDE Table of Contents Introduction 2 Security 2 Spoofing Spoofing Software 11 Other Factors 23 A brief overview about carding 35 How to organize your Illegal data 36 Checking Cards like a Pro AVS and BINs 38 39 Sourcing Fullz@ JayFountains 41 Personal Bank Drops Business Bank account 42 52 3Dsecure Phone carding 52 Mobile carding 63 Physical items carding 64 66 Digital items carding Self-carding: Stripe 66 PayPal 68 How to process carded PayPal transfers 70 Venmo 77 86 Final words 98 100 1 Introduction Thanks for putting you trust on me I’m 100% confident this guide will be a HUGE time saver, especially for a newbie rand above all,, if you actually put the effort, will make you a ton of money THIS GUIDE IS FOR EDUCATIONAL PURPOSES ONLY. Security ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE@ JayFountains TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ ★ PURCHASE TO UNLOCK ★ 2 Hardware: you will require a burner laptop, avoid at cost desktop pcs, as you can` t bring them with you, plus if there is a raid going on from LE, you will find it harder to get rid of it/hide it. Here are the general specs that you will need to work proficiently: a minimum of a 6GB laptop will be enough to handle all the apps and processes running into the VM. I personally have a refunded Alienware 17, that`s kind of expensive though in general, you can find the same specs for a much lower price.
    [Show full text]
  • Extracting Ransomware's Keys by Utilizing Memory
    EXTRACTING RANSOMWARE’S KEYS BY UTILIZING MEMORY FORENSICS By Pranshu Bajpai A DISSERTATION Submitted to Michigan State University in partial fulfillment of the requirements for the degree of Computer Science – Doctor of Philosophy 2020 ABSTRACT EXTRACTING RANSOMWARE’S KEYS BY UTILIZING MEMORY FORENSICS By Pranshu Bajpai Ransomware continues to evolve and has established itself as the cyber weapon-of-choice for the financially motivated cybercriminals. The current state of ransomware threats necessi- tates the deployment of defense-in-depth strategies. Particularly, more response and recovery solutions are required to thwart ransomware in the late stages of the attack. To that end, we introduce pickpocket which exploits a side-channel vulnerability in ransomware: in- memory key exposure during encryption. Perpetrators do not control the host performing the encryption and thus this “white box” system affords access to the decryption keys by facilitating an in-memory attack on ransomware. Since it is these keys that are ransomed, the user’s ability to extract the keys cripples the attack. Such key extraction is the only recourse in the frequent scenario where both intrusion prevention and backups have failed. The novelty of pickpocket is the extraction of cryptographic material from system memory during the process of malicious encryption. The primary insight of this work is that con- ventional implementations of cryptographic algorithms deployed by ransomware are highly vulnerable when a hostile entity controls the execution environment. Our work differs from existing solutions in that we provide response and recovery when all existing solutions have failed, that is, we provide the last line of defense.
    [Show full text]
  • Privacy, Security & Anonimity
    Privacy, security & anonimity Foo-Manroot Foo-Manroot https://foo-manroot.github.io/ Foo_Manroot The need of security on Information Systems ● CIA: – Confidentiality – Integrity Defined on ISO 27000 – Availability ● Surveillance programs: – PRISM (U.S.A): revealed by E. Snowden in 2013. – Data Retention Directive (E.U.): The telecommunications data has to be stored for 6 to 24 months to be accessed by the police and security agencies (declared invalid on 2014) – Facebook, Google, Microsoft, Apple… all follow the U.S.A. laws (at least, when it suits them → PRISM vs San Bernardino). ● Enterprises sell and buy personal information: – On ToS there are usually clauses where the enterpirse is granted permission to share data with third parties to “provide an optimal experience” ● Common criminals: – Phising, malware… – Easy attacks. Greater threat than state agents ToS de Facebook There’s no perfect security, but the risk can be minimized. Security policies can’t be applied with retroactive effect → After a breah, there’s little than can be done Some previous definitions ● Software – Free Software (as in ‘freedom’) ● VPN ● Privacy ≠ anonimity ● Encryption – OpenPGP standard Personal security Good practices ● The objective is to minimize the exposition surface. ● Keep software up to date. ● Use HTTPS: – Available on ~41% of web pages – Guarantees confidentiality (even though the ISP can still see the traffic’s destination), integrity and authenticity – It’s important to check the certificate (very easy) ● Full disk encryption: – Easy and transparent
    [Show full text]
  • Intro Some General Sources/Big Thanks
    Guide: Anonymity and Privacy for Advanced Linux Users Created by: beac0n brought to you by DeepDotWeb.com Intro The goal is to bring together enough information in one document for a beginner to get started. Visiting countless sites, and combing the internet for information can make it obvious your desire to obtain anonymity, and lead to errors, due to conflicting information. Every effort has been made to make this document accurate. This guide is image heavy so it may take some time to load via Tor. Some general sources/Big Thanks For more general guides checkout: EFF Surveillance Self-Defense project Riseup.net Security Guide Security in a box TAILS Documentation – for those looking for a solid starting place TAILS OS is a great choice. Thanks! securityinabox.org Deepdotweb.com EFF and EPIC riseup.net For educational purposes. Not legal advice or call to action. Table of Contents 1 Intro 2 Some general sources/Big Thanks 3 Technical Information 3.1 Strong Passwords 3.2 Internet Connectivity 3.2.1 Firewall 3.2.2 Changing MAC Address 3.2.3 Intrustion Detection 3.2.4 Disk Encryption 3.2.5 Browsers 3.2.6 Router Configuration 3.2.7 Anonymity Networking 3.2.8 VPN 3.2.9 Proxy Chains 3.3 Operating Systems 3.3.1 Flash Firmware 3.3.2 Enabling a BIOS boot password 3.3.3 USB Bootable Operating Systems: 3.3.4 Linux (image files can be found at http://distrowatch.org) 3.4 Secure Data-Wiping Linux 3.5 Physical Destruction 3.6 Cold-Boot Attack 3.7 Basic Communications 3.7.1 Images 3.7.2 Email Providers 3.7.3 Jabber_XMPP/OTR 3.7.4 Alternative Messaging Options 3.8 GNUPG/PGP Basics 3.8.1 TAILS PGP 3.8.2 Additional reading on PGP 3.8.3 PGP Versions 3.9 Validating Files with MD5 or SHA1: 3.9.1 SHA1 Sum 3.9.2 MD5 Sum Technical Information Strong Passwords It’s difficult to remember many passwords.
    [Show full text]