securing a client
Matsuzaki 'maz' Yoshinobu
<maz@iij.ad.jp>

hardening a host

Hardening a host

• Differs per operating system
  • Windows: users cannot be trusted to make security-related decisions in almost all cases
  • OS X: make things work magically for users; try to handle security issues in the background
  • Linux: varies by distribution:
    • Ubuntu: tries, like OS X, to make things just work
    • Red Hat: includes very useful tools, but they are turned off by default
  • BSD: users will figure it out
• Changes with time

General consideration

• Define a personal usage profile and policy:
  • What hardware do you use?
  • What software tasks do you do on your computer?
  • Do the first two change when you travel?
  • What habits from the above do you need to change to be more secure?
• Decide if you really need VPN access to your network while travelling.

General practices

• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically and actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible.
• Protect your administrative account: use a strong password, do not permit remote password-based logins, and do not log in as an administrator unless you need to do an administrative task.
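The two checks above that are easiest to forget ("no remote password-based logins" and "as few accounts as possible") can be scripted. The following is an added example, not code from the slides: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored, OpenSSH defaults applied when a keyword is absent) and lists the accounts in a passwd-format file that still have a usable login shell. The file paths are parameters so the functions can be pointed at a copy or a test fixture; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides).
# Assumptions: OpenSSH defaults (PasswordAuthentication yes, PermitRootLogin
# prohibit-password, PermitEmptyPasswords no) apply when a keyword is missing;
# Match blocks are not modelled.

# Effective value of keyword $2 in sshd_config $1: sshd takes the FIRST match.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Print every weak setting found; return 0 only if the config is clean.
audit_sshd_config() {
    cfg=$1; rc=0
    v=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '${v:-yes (default)}'; set it to no and use keys"
        rc=1
    fi
    v=$(sshd_value "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin is '$v'; set it to no or prohibit-password"; rc=1 ;;
    esac
    v=$(sshd_value "$cfg" PermitEmptyPasswords)
    if [ "${v:-no}" != "no" ]; then
        echo "WEAK: PermitEmptyPasswords is '$v'; set it to no"
        rc=1
    fi
    return $rc
}

# Accounts in a passwd-format file whose shell is not nologin/false,
# i.e. the ones that can actually log in and should be reviewed or removed.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Run against the live system when executed directly with --live.
if [ "${1:-}" = "--live" ]; then
    audit_sshd_config /etc/ssh/sshd_config
    echo "accounts with a login shell:"; interactive_accounts /etc/passwd
fi
```

Run it as `sh audit.sh --live` on the host being hardened; a non-zero exit means at least one WEAK line was printed.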

Hardware

• Rule 1: all bets are off with physical access to your devices.
• Consider removing hardware you never use, say Bluetooth.
• Disable in BIOS/EFI, or in your operating system, the hardware or features you cannot remove physically:
  • wake-on-LAN
  • Bluetooth discoverability
  • USB ports?
• BIOS passwords are not that useful.
• BIOS-level encryption/locking of hard disks may not be portable.
  • OS-level full-disk encryption (BitLocker, FileVault, LUKS) is the portable alternative.

antivirus

Malware

• The generic term for computer viruses, worms, spyware and other malicious software.
• A skilled attacker can make it; an attacker doing it for fun can just use it.
  • there are even malware build tools with a GUI

Infection

• Attackers try to infect your devices in many ways:
  • security holes, e-mail, web
  • USB memory, file servers

Causes

• vulnerabilities
  • 0-day security holes
  • old security holes are still used to infect
• auto-execution of removable media
  • USB memory, CD loading
• users carelessly opening
  • infected files
  • sometimes they happen to execute malware

Detection

• signature-based detection
  • a blacklist of known malware
  • check a file against the signatures
  • updates are needed to detect newer malware
• heuristic detection
  • behaviour, characteristic code

When?

• when write operations take place
  • creating a new file, modifying an existing file
• when new media is inserted
  • USB memory, CD
• periodically or manually
  • scan all or important files

Where?

(diagram: scanning points at the e-mail server, the file server, the web proxy and the client; the client is the final target)

Hiding

• attackers modify their malware
  • so that it is not detected by anti-virus engines
  • they can check this locally, against the same products you run
• updating your signature DB is needed

Fake security software

• does nothing, or is itself malware
• also known as 'scareware'

Compromised system

• Any file on the system is already suspicious.
• You may be able to remove a malware,
  • but there could be another one that you cannot detect.

Wipe

• Don't use files from the compromised system:
  • programs
  • documents
  • images
• Clean up the storage that was connected to the system:
  • HDD
  • SSD
  • flash memory

How can we rescue information from suspicious data files?
• convert it into another format
  • png -> jpg, jpg -> png
  • doc -> txt
  • excel -> csv
  • pdf -> png/jpg
• infected code rarely survives such a drastic modification
  • caveat: the converter itself parses the suspicious file, so do the conversion on a disposable machine, not on your clean one

Wipe to give away

• data is still there even if the disk is formatted
  • experts can read the data using special tools
  • it is claimed that an electron microscope can recover even more
  • leakage of secret data
• you need to make sure the data is erased:
  # dd if=/dev/urandom of=/dev/<disk> bs=16M
  • caveat: dd only overwrites the sectors the OS can address; SSDs and flash media remap blocks behind the controller, so for those use the drive's own erase (ATA Secure Erase, NVMe Format, blkdiscard) or destroy the key of an encrypted disk
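The dd command above, wrapped so that it writes exactly the size of the target, flushes, and then proves the old contents are gone. This is an added example, not from the slides; it runs against any regular file as a dry run, so the demo at the end never touches a real disk. The marker string is constructed; `blockdev --getsize64` is Linux-specific.

```shell
#!/bin/sh
# Added example (not from the original slides): overwrite a disk, or an image
# file for a dry run, end to end with random data and verify a plaintext marker
# is gone. Assumption: Linux `blockdev` for real block devices.

# Size in bytes of a block device or a regular file.
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"      # Linux; use `diskutil info` on macOS
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# One pass of random data over the whole target. A single pass is enough for a
# modern HDD. It is NOT enough for SSD/flash: wear levelling keeps copies that dd
# cannot address; use blkdiscard, hdparm --security-erase or nvme format there,
# or simply destroy the key of an encrypted disk.
wipe_device() {
    target=$1
    size=$(device_size "$target")
    # head -c bounds the write to the exact size (dd would otherwise run until
    # ENOSPC on a device, or grow a regular file forever). 16 MiB blocks, written
    # numerically because GNU and BSD dd spell the suffix differently.
    head -c "$size" /dev/urandom | dd of="$target" bs=16777216 conv=notrunc 2>/dev/null
    sync
}

# Return 0 if the (binary) target still contains the given text marker.
has_marker() {
    grep -a -q -- "$2" "$1"
}

# Dry run on a throwaway 1 MiB image filled with a constructed "secret".
demo_wipe() {
    img=$(mktemp)
    yes 'CONSTRUCTED-SECRET-PAYROLL-DATA' | head -c 1048576 > "$img"
    wipe_device "$img"
    if has_marker "$img" 'SECRET'; then
        echo "marker still present"; rm -f "$img"; return 1
    fi
    echo "wiped $(device_size "$img") bytes, marker gone"
    rm -f "$img"
}
```

For a real disk run `wipe_device /dev/sdX` as root with the disk unmounted, and then `has_marker /dev/sdX 'some string you know was on it'` should fail.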

Recover

• 'clean install' from scratch
  • format the disk, use a proper OS image
• apply the latest OS patches to be up to date
  • it could be vulnerable before being patched
  • do the update on a secure network
• install the applications you need
  • check for upgrades, of course

Recover (cont.)

• disable unnecessary services
  • the same as the hardening procedure
• check configurations
  • for any weakness
• change all passwords on the system
  • any password might have been stolen

Replacing might be your choice

• secure the compromised system as is
  • for further investigation
  • some malware stays in memory only, so it is lost the moment you power off
• just replace the compromised system
  • spare hardware

Backups

• Encryption
• Automation
• Generations

Encryption

• Assume theft and loss.
• Your backups must have at minimum the same level of encryption as the source data.

Automation

• We are lazy!
  • easy to forget
• automated backup will help you
  • most systems have scheduled backup

Generations

• you should have a 'good' version of the backup in there
  • if a system is compromised, the malware might also be backed up into the archive; you won't want to restore that
  • if something goes wrong by chance, you may restore the previous version
• find a 'good' version from your archives
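The three points above (encryption, automation, generations) together, as an added example that is not from the slides: every backup of a directory becomes a numbered, encrypted generation; old generations can be pruned without ever reusing a number; and any earlier generation, not just the newest, can be restored, which is how you get back to a version from before a compromise. Assumptions: tar and OpenSSL 1.1.1 or newer are available, and the passphrase is supplied in the hypothetical environment variable BACKUP_PASS (in practice read it from a root-only file or a keyring rather than the crontab line).

```shell
#!/bin/sh
# Added example (not from the original slides): encrypted generational backups.
# Assumption: BACKUP_PASS holds the passphrase; the archive directory holds
# files named gen-NNNN.tar.enc, and nothing is ever written there unencrypted.

# Next generation name: highest existing number + 1, so a pruned archive never
# reuses (and silently overwrites) a name.
next_generation() {
    last=$(ls "$1" 2>/dev/null | grep '^gen-[0-9]*\.tar\.enc$' | sort | tail -n 1 \
           | sed 's/^gen-0*\([0-9]*\)\.tar\.enc$/\1/')
    printf 'gen-%04d' $((${last:-0} + 1))
}

# Create one new generation of source dir $1 in archive dir $2.
# AES-256-CBC with PBKDF2 key derivation; tar output goes straight into openssl.
backup_generation() {
    src=$1; dst=$2
    mkdir -p "$dst"
    out="$dst/$(next_generation "$dst").tar.enc"
    tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass env:BACKUP_PASS -out "$out"
    echo "$out"
}

# Restore generation file $1 into directory $2. Pick a generation from BEFORE
# the suspected compromise rather than the newest one.
restore_generation() {
    mkdir -p "$2"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASS -in "$1" | tar -C "$2" -xf -
}

# Keep only the newest $2 generations in archive dir $1.
prune_generations() {
    dst=$1; keep=$2
    total=$(ls "$dst" | grep -c '^gen-[0-9]*\.tar\.enc$')
    drop=$((total - keep))
    [ "$drop" -gt 0 ] || return 0
    ls "$dst" | grep '^gen-[0-9]*\.tar\.enc$' | sort | head -n "$drop" \
        | while read -r f; do rm -f "$dst/$f"; done
}

# Automation: a crontab entry such as
#   0 2 * * * /usr/local/bin/backup.sh /home/maz /backup/maz
# runs the daily generation; the passphrase must come from a root-only file.
if [ $# -eq 2 ]; then
    backup_generation "$1" "$2"
    prune_generations "$2" 30
fi
```

Generations are numbered rather than timestamped so that ordering does not depend on the clock of a machine you may no longer trust.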

Off-site archives

• 2011 Tohoku earthquake and tsunami
  • washed away buildings and data centers
  • 4 local governments lost all data in their family-registration system
• They had off-site backups (good!)
  • it took about 1 month to recover, though
  • they wanted to make sure nothing was missed

e-mails

The key points

• Authenticity of servers
• Encrypted transport

It's easy

• Do not use POP, it is in the clear.
  • Use POP3S, port 995, over TLS.
• Do not use IMAP, it is in the clear.
  • Use IMAP4S, port 993, over TLS.
• And they authenticate the servers using X.509 certificates. CHECK IT!
  • caveat: plain POP3/IMAP/SMTP can also upgrade with STARTTLS on 110/143/587, but only if the client insists on it; implicit TLS on 995/993/465 leaves nothing for an attacker to strip

fetch using IMAP4S

SMTP over TLS

Authenticate servers

• Assume the wire is tapped.
• Assume someone will spoof servers.
• Know your servers' root certificates.
• Confirm certificates on configuration.
• Choose good passphrases.

Encrypt critical e-mail

• Assume the wire is tapped.
• Use a personal X.509 (PKCS#12) user certificate with S/MIME (Thunderbird etc.).
• Use a PGP key with Enigmail (Thunderbird).

I tunnel e-mail

$ ssh <ssh.server> -L 4465:<smtp.server>:465
$ ssh <ssh.server> -L 9955:<pops.server>:995

(diagram: the ssh tunnel runs from a local port on the MacBook to the ssh server (step host), which is the tunnel end point; from there the POP3S and SMTPS connections go on to pops.server and smtp.server)

example: LocalForward

.ssh/config

$ssh mail

Host mail
    HostName <step.host>
    LocalForward 4465 <smtp.server>:465
    LocalForward 9995 <pops.server>:995

(the mail client is then pointed at localhost:4465 and localhost:9995; it must still verify the certificates against <smtp.server> and <pops.server>, not against localhost)

example: step host

.ssh/config

$ssh internal

Host stephost
    HostName <step.host>

Host internal
    HostName <internal.ssh.server>
    ProxyCommand ssh -W %h:%p stephost

(OpenSSH 7.3 and later can express the same hop as `ProxyJump stephost`)
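"CHECK IT!" on the servers' certificates, and the tunnel setup just shown, both come down to the same command. The following is an added example, not from the slides: it verifies a mail server's certificate chain and name with `openssl s_client`, either directly or through a local forwarded port, and brings the tunnel up in a way that fails loudly if the local port cannot be bound. Placeholders in angle brackets are the slides' own (`<smtp.server>`, `<pops.server>`, `<step.host>`); the s_client outputs in the test are constructed. Assumption: OpenSSL 1.1.0 or newer, for `-verify_hostname`.

```shell
#!/bin/sh
# Added example (not from the original slides).
# Assumption: OpenSSL >= 1.1.0 (provides -verify_hostname) and the system CA store.

# Read `openssl s_client` output on stdin; succeed only on a clean verification.
# Self-signed, expired, unknown CA or wrong name all give a different code, and a
# client that "just works" in those cases is talking to whoever spoofed the server.
tls_verify_ok() {
    grep -q '^[[:space:]]*Verify return code: 0 (ok)$'
}

# check_mail_tls <real server name> <real port> [<connect host> <connect port>]
# When tunnelling you connect to localhost:<local port>, but the certificate is
# for the real name, so SNI (-servername) and the name check (-verify_hostname)
# must both carry <smtp.server>/<pops.server>, never localhost.
# Ports 465/993/995 are implicit TLS; for 587 add `-starttls smtp`.
check_mail_tls() {
    name=$1; port=$2; host=${3:-$1}; hport=${4:-$2}
    openssl s_client -connect "$host:$hport" -servername "$name" \
        -verify_hostname "$name" </dev/null 2>&1 | tls_verify_ok
}

# tunnel_up <local port> <remote host> <remote port> <ssh host>
# -f -N: background, no remote command. ExitOnForwardFailure makes ssh exit
# non-zero instead of silently leaving the local port unbound (a mail client
# would then time out, or fall back to something you did not intend).
tunnel_up() {
    ssh -f -N -o ExitOnForwardFailure=yes -L "$1:$2:$3" "$4"
}

# Live use (needs the network), kept out of the default path:
if [ "${1:-}" = "--live" ]; then
    tunnel_up 4465 '<smtp.server>' 465 '<step.host>' || exit 1
    check_mail_tls '<smtp.server>' 465 localhost 4465 && echo "SMTPS via tunnel: certificate OK"
    check_mail_tls '<pops.server>' 995 && echo "POP3S direct: certificate OK"
fi
```

Any "Verify return code" other than 0 is a reason to stop and look at the chain before typing a password into the mail client, which is the whole point of "CHECK IT!".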

web browsing

Microsoft Internet Explorer

• Long history of vulnerabilities
• First target because of its popularity
• Microsoft is not always concerned with your privacy
• Closed source, no one inspects it

Microsoft Edge

• brand-new web browser
• shipped with Windows 10
• does sandboxing, so reasonably safe

I use Google Chrome

• Process isolation per tab, so it scales well
• But I worry about leaking data to Google

I also use Firefox

• Free and open source (i.e. inspected)
• Standards compliant, no proprietary tricks to lock you in
• Popular, so it has a rich extension catalog
• Runs on all significant platforms

Do not let the browser remember passwords
• Lose your laptop and lose your bank account
• The password database encryption is weak: without a master password, anyone who can read the profile directory can read the stored passwords
• recommendations:
  • an encrypted text file (PGP)
  • 1Password

(screenshots: Firefox preferences, the plug-in settings, and a note that one setting applies only if you use NoScript)

1Password

• Runs on most platforms
• Plug-ins for most browsers
• Passwords, credit cards, addresses, ...
• Keep the database in Dropbox/iCloud and you have the data on phone, laptop, tablet, ...
• It does cost money, though

AdBlock Plus

(screenshots: the same page without and with AdBlock Plus)

Collusion: who tracks you

Do Not Track Plus

NoScript: JavaScript

HTTPS Everywhere

• If a site has both HTTP and HTTPS, it forces use of HTTPS
• i.e. you get authentication of the site
• your traffic is encrypted
• caveat: the EFF has since retired the HTTPS Everywhere extension; current Firefox and Chrome ship a built-in HTTPS-only mode that does the same job

Let's do it

Root CA certificates

• Your system has root CAs by default.
• Some applications use their own certificate store.
• Any certificate issued by these CAs is trusted.
• Check it out:
  • execute 'certmgr.msc' on Windows
  • open 'about:preferences#advanced' in Firefox (in current releases the certificate manager is under about:preferences#privacy, "View Certificates")
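On Linux, BSD and macOS the same "check it out" can be done from a shell. The following is an added example, not from the slides: it enumerates every root in a PEM bundle, prints subject and expiry, flags expired roots, and lets you ask whether a particular CA (one you want gone, say) is still trusted. The bundle paths listed are the usual ones and vary by distribution; the test builds its own two-root bundle from constructed self-signed certificates, so nothing depends on the machine's real store.

```shell
#!/bin/sh
# Added example (not from the original slides): enumerate trusted root CAs.
# Assumptions: openssl is installed; bundle paths are typical defaults and may
# differ on your system. macOS keeps roots in a keychain instead of a file:
#   security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain

# First readable system bundle, if any.
find_ca_bundle() {
    for f in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt \
             /etc/ssl/cert.pem /usr/local/etc/openssl/cert.pem; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# One line per CA: subject | notAfter | VALID or EXPIRED (x509 -checkend 0).
list_trusted_cas() {
    bundle=$1
    tmp=$(mktemp -d)
    # Split the bundle into one PEM file per certificate; close each file as we go.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$bundle"
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then st=VALID; else st=EXPIRED; fi
        printf '%s | %s | %s\n' "$subj" "$end" "$st"
    done
    rm -rf "$tmp"
}

# Is a CA whose subject matches the (case-insensitive) pattern trusted by this bundle?
has_ca() {
    list_trusted_cas "$1" | grep -i -q -- "$2"
}

# Executed directly: report on the system bundle.
if [ "${1:-}" = "--system" ]; then
    b=$(find_ca_bundle) || { echo "no system bundle found"; exit 1; }
    echo "$b: $(count_certs "$b") roots"
    list_trusted_cas "$b" | grep -c EXPIRED | sed 's/$/ expired/'
    list_trusted_cas "$b"
fi
```

Run `sh roots.sh --system` and read the list the way the slide asks: every subject printed is an organisation whose signature your system will accept for any web site or mail server.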

Windows 10

• Execute "compmgmt.msc" and have a look:
  • disable the Guest account
  • disable unused system services
• Verify the Local Security settings.
• Check the Windows Firewall settings.
• Disable hiding of file extensions:
  • Start -> File Explorer -> "Change folder and search options" -> "View" tab -> uncheck "Hide extensions for known file types"

Recommended