Sex, Lies and Instant Messenger

sex, lies and instant messenger @alecmuffett

this slide intentionally left blank

1


sex, lies, & instant-messenger@alecmuffett

www.alecmuffett.com

green lane securitywww.greenlanesecurity.com

2


disclaimer

3


by following these rules you mayor may not get away with an affair...

4


...but there are amusing mistakeswhich you can/should avoid

5


DON’T

6


do not use secrets as passwords

7


my history• Crack

• First “smart” password cracker• 1991..96• http://tinyurl.com/2jnzpy

•CrackLib• password checking library

• 1994..now

8


issuepasswords are secret, but...

9


issuesecrets make bad passwords

10


passwordsguessable

11


passwordsbrute-forceable

12


passwordsreveal stuff you don't want revealed

13


your passwordreveals something about you?

14


your passwordreflects your tastes?

15


your passwordis known to your spouse?

16


password reuse=self-incrimination(which is bad)

17


do not Skype

18


Skype• “peer to peer” architecture

• robust, replicated, flexible• excellent security

• ...unless you’re up against the USA• ...or China• ...and maybe the UK

19


virtually impossible to expungea recent conversation

20


brute-force Skype deletionmakes things worse

messages resurrect from the dead

21


losing control of information is not good

22


do not XMPP/Jabber• Google chat,

• some Facebook chat• other systems

23


do not XMPP/Jabber• Initial message is “multicast”

• to all logged-in instances• eg: “hello sexy”

• ...arrives on the Home PC• ...when you are at work

24


-

25


do not Twitter

26


do not Twittertoo many risks

27


D alice can i have you for dinner?

28


@alice can i have you for dinner?

29


...and, worse...

30


D bob Nude! http://twitpic.com/b0gu5

31


Twitter App Risks• Apps can get access to DMs

• Twitpic? Flickr? Yfrog?• Is that really wise?

32


do not Facebook

33


too easy to get wrong

34


friends-of-friends != friends

35


Homepage displays whom you communicate with frequently

36


Your own Facebook account istoo rich a software ecosystemto viably trust it with secrets

37


beware Google

38


do not use Google services / your normal Google account

• Mail = heavily stored / indexed• Chat = Mail• Chrome Bookmarks = Docs• Toolbar = Docs• Android = Google Everything

39


do not smartphone

40


massive comedy potential

41


iPhone screenlock

42


applications which pop-upalerts above the screenlock

43


Locked?

44


...and the punchline is...

45


don’t combine this with Skype

46


iPhone• All backed up by iTunes:

• SMS• call logs• geolocation (see recent press)

• ...possibly with password

47


Android• basically ditto

• ...but backed up on Google

48


Smartphone Apps• backed up on network

• or on iTunes• same story as elsewhere

49


the problem is with data getting out of your control

50


Geolocation

51


avoid sharing geolocation• Foursquare, Twitter, etc

• “...but your Twitter messages said that you were in Essex?”

• Do you have an in-car GPS?• Learn to wipe that, too

• Does your spouse expect GPS?• Oops.

52


do not MMORPG

53


MMORPG• WoW• SecondLife• EQ• EVE Online

54


held to lower standard than IM

55


heavily-integrated software• game• voice• webcam• other third party stuff

56


game logs• comprehensive• intricate• messy

• ...therefore hard to clean up

57


Most important...

58


do not send porny pictures to each other

59


do not use the shared family computer

60


do not use work-related hardware

61


work hardware• not your machine

• not your data?• automated backups• network access logged• may be taken from you

• eg: bankruptcy, fired, updated• old hardware auctioned

62


and...

63


do not post an accurate description of yourself

• including grammatical quirks• to a swingers/fetish website

• in the public members index• where Google can cache it

• bookmarking it• on the family computer

• with photos

64


Why?

65


Things Geeks Do• Enumerate all possible URLs:

• tinyurl.com• bit.ly• is.gd• t.co

• ...and save the good ones

66


Things Geeks Do• Trawl...

• Picasa• Twitpic• Yfrog

• etc...

• ...to much the same ends

67


Things Geeks Do• buy hardware from Ebay

• “undelete” files • desktops• laptops• printers• storage

• hard disks• thumb drives

68


Things Geeks Do• buy phones from Ebay

• restore deleted SMS• retrieve e-mail passwords

69


recreational computer forensics for teh lulz

70


What to do!

71


create a disposable identity

72


use a fake, boring, common pseudonym• good

• edward wilson• carole smith

• bad• sexxxy4uinwokingham• anything that’s unique

73


legal?• You’re probably breaking

contractual “terms of service”• Is it criminal to lie?

• maybe?

74


avoid linkingreal/fake identities

• use a random password• never used before• never use anywhere else

75


avoid intermingled filestore• set up different “users”

• keep sensitive files in one place• ...hopefully• ...mostly• ...except for logs

76


cryptography• try to get encrypted swap

• avoid sleep/hibernation• try to get full disk encryption

• at least encrypted home directory• bundled with OSX• avoid “master keys”

77


use a secure browser• do not use your daily browser

78


example workflow

79


Chrome“day-to-day”

80


Safari• Guests and visitors• Logging into a website without

logging-out of Facebook first

81


Firefox• Ideal for...

• dubious e-mail links• porn• shagging• security malware research

82


browser configuration

83


browser settings• clear cookies• clear history• don't accept 3rd-party cookies• block popups

84


more browser settings• don't save form input• don't save history• switch off autosuggest• set to private browser mode

• ...permanently, if possible• else auto/delete cookies on exit

85


major surgery• SSL Everywhere

• if available for the browser• will cause hassle

• Disable Java• might cause hassle• nb: not JavaScript (see NoScript)

86


Firefox extensions• NoScript• AdBlock Plus• Ghostery

• “block all web-bugs” mode• Tor / Torbutton

• or: Tor browser bundle• advanced, but worth it

87


Safari plugins• ClickToFlash• ...others?

88


Flash• Flash Player

• global security settings panel• purge flash cookies / sites• set flash db size to zero

89


HTML5• set HTML5 db size to zero• watch for other/new issues

90


this also applies to your phone browser

91


do use webmailfrom the secure browser

• use HTTPS/SSL at minimum• use Tor if/when possible

92


do not bookmarknor save the password of your secret webmail

93


where not to save passwords• not in Keychain.app• not in “1password”• not in browser• not in phone browser• not in phone mail app

94


keep it in your brain

95


why?• rubber-hose cryptanalysts

• or divorce lawyers• prettymuch the same thing

96


Suggestions

97


Use a Gmail accountto set up a Yahoo account

98


Yahoo for webmail• Less obvious than Google• Less temptingly integrated with

phone

99


AIM for IM• can enforce 1 session at a time• remote session disconnect• use “OTR”

100


übergeeks• “truecrypt”• “live-cd”• “virtualisation”

101


use a PAYG dumbphone• pay cash (where possible)• top-up with cash• enable PIN lock• avoid ...

• paper billing• web integration

102


use voice calls

103


do not leave voicemails

104


dumbphone SMS• lowest common denominator

• phone-to-phone is good• messages still logged on backend

• but overall exposure is less

105


wipe your SMS messages regularly

106


if you must use smartphone• dont’ link to your real GoogleID• check out....

• WhatsApp• TigerText

107


decommission old hardware• computers

• DBAN - Darik’s Boot & Nuke• phones

• Remove SIM• SMS may be on SIM as well as phone• check if “factory reset” works

• if not, drive a car over it repeatedly

108


bottom linethe more copies of data existthe harder it is to remove them

& when data escapes from your controlit's available forever

109


remember• your lover has the same data

• but may not be taking care of it• educate them gently

• his/her systems will also one day be sold on eBay

110


when mistakes happen...clean up calmly, and

do not amplify the mistake

111


bonne chance

112

Education

Sex, Lies and Instant Messenger