Defcon Crypto Village - OPSEC Concerns in Using Crypto

  • View

  • Download

Embed Size (px)


OPSEC Concerns IN USING CRYPTOGRAPHY Crypto & Privacy Village, Defcon 24

OPSEC Concerns IN USING CRYPTOGRAPHYor:how your bad tech decisions help me put you in jailJohn BambenekCrypto & Privacy Village, Defcon 24

BioManager, Threat Systems @ Fidelis CybersecurityLecturer in CS @ University of Illinois Urbana-ChampaignRun several takedown oriented groups on malware threatsCrafter of Artisanal Molotov Cocktails

DEMOWho here has a cell phone?

TL;DR - Patterns and NORMALCYSurveillance does not scale for large datasets:People, malware, packets on the internet, etc.There has to be multiple layers of filtering and scoring to determine priority of tasking resources.Some targets are specifically and explicitly tasked, everything else is all subject to some level of pattern matching and prioritization.

reminderYou are not a normal.This is a normal:

What is opSEC?Operational security: keep what you dont want known unknown.Part is keeping secrets.Another (more important part) is not looking like you have secrets worth having.Basic security matters (were still not using passphrase-less keys are we?)Compartmentalization: everyone has compartments.Signaling vs. Communication

RISK ASSESSMENT?Who are we hiding from? What are their interests and capabilities? What is sufficiency?

Intelligence services, law enforcement, and their friends (like me)Criminals or other malicious actorsComcast

Dont think you are a target?How many people here have admin/root on infrastructure they dont own?

Our government has already said that is the exact kind of people they are targeted (even before those of you how have 0-days, etc).

You dont think the US is the only one who does this, do you?

Why OPSEC CONCERNS with Crypto?Thought process starting in tracking mobile malware, Android Apps need to be signed.As an investigator and intel analyst, I LOVE free-form text fields. (more later)As technologists, crypto is hard and many of us still dont understand its limitations.Encrypt all the things may not be the best option in certain circumstances.

Why OPSEC CONCERNS with Crypto?Two parts of OPSEC:Want to hide the secretsWant to hide the fact you have secretsCrypto is great at the first one.Crypto often loudly yells that you are the second guy.Note- Everyone Ive helped put in jail is there because they screwed up their OPSEC.

Whats wrong with this?

OPSEC Problem #1 with EncryptionNot everything is encrypted.Above example, the DNS request which is good enough to know what youre doing.Even in a perfect crypto world, the session metadata isnt encrypted.Source, Destination, Time, Inferences of size of communicationIf I know who you are calling/texting, sometimes thats enough to make inferences.The HEIST attack at RSA, while overhyped, is an example.

Career DecisionsFrom: Kevin Mandia kevin.mandia@fireeye.comTo: John Bambenek john.bambenek@fidelissecurity.comSubject: Job Offer for VP role

-----BEGIN PGP MESSAGE-----Version: GnuPG v2hQEMA/RALgVP0CqhAQf+K6nsUfJ2JZKEJQIqcuywV3xwtpRR4bQhZblCPQcSJwbPzgh/q4zoIZi/yy5XLTGQ6p2WrQH+0UfmQmyu44v1VPBF+3JFReG1IJvJNXPQPcH13gGiyLRj4A1r32EgieHIxbfN+TWvrrl4M1BOQ0dQ2UXkrInj2/5xLFl2HunrDZiqSQcpZrqwTCJf+CJXlZJJKmQRNz76ohQzVbJFyqV/zIKD26DBMGKRB0v2gYjhTRWV9cuHLf9JSNA5ZdmyskcEM0PFCzSnv9Mx6VprsbWGeb6dbkwW1kM+xgdbcSnyEuRyVFUoOPTb1E0q5rDNwVZknUZAq1pjYnn+D+zoVRyz99LA0AFLgF8T3gQaQqIQErW3OlVxQKb58DKv6lM4x5oxlI4sv1je6HT7+PKnCvmbhRRWFpWVkyot5Fam0xILWR2UbE+/1a3nSDySnGnzNNq2e2EDrKA+CNVFGXd3HfFZgzAp2foEP/Z+kbU9O/2QvwS/jBbclti9SPK0PNuPa321TpD/Qoz0yuPWhpOrYp/kxN7nJ9FW5OWI+r5dEB29yasAeeCoMsxJzyzo7TnKQEOP5Ty/Sae+K0yY4Do7oakGQVKyEkQUzQlOc0bwAwINavXJsov2nlGmV7eRJgr8xzDc6DCHuZm3URfqKvt37Vbr1kpPs6mjtHSw0iJJ1tvk9tbiElfAQvXr3KyQlGhqNjtPC8TEYnWeIlq27OfQ6iLarTtkYX3oJLW5NlIlvSVLICzB+yejDP+8HMVKF1s8Nc6D9V78dyHBPdx8wafPUYf4XeImux1m1SFdRJjvYhaU5famV0hPR22Tui+eEPSvzKWDa4VDT/jIENl9TSPH3LqpXEQVYoL2Cw/+0lBpWE90+Hlw2w8==Iidd-----END PGP MESSAGE-----

And theres more$ gpg -vvvv text.gpg gpg: using character set `utf-8gpg: armor: BEGIN PGP MESSAGEgpg: armor header: Version: GnuPG v2:pubkey enc packet: version 3, algo 1, keyid F4402E054FD02AA1data: [2046 bits]gpg: public key is 4FD02AA1:encrypted data packet:length: 400mdc_method: 2gpg: encrypted with RSA key, ID 4FD02AA1gpg: decryption failed: secret key not available

If you have the key, you get more:secret key packet:version 4, algo 1, created 1442844965, expires 0skey[0]: [4096 bits]skey[1]: [17 bits]iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 1edfd8aa175bb427protect count: 65536 (96)protect IV: 8a d6 c0 76 0e c4 86 5cencrypted stuff followskeyid: 0F3B1D99BBB8C31E:user ID packet: "John Bambenek

Anonymity with PGP is hard. See Tom Ritters Deanonymizing Alt.Anonymous.Messages talk:

KEYSERVERSWith a Key ID, you can cross-search keyservers to find the identity.Old keys never die.Many people have multiple emails tied to the same key (not usually a good idea).People reuse same SSH keys for authentication across environments.Silk Road Dread Pirate Roberts compartmentalization screw-ups should be required reading.

Bottom lineThe argument for shutting down safe spaces for terrorists to communicate is stupid. Never drive a known into an unknown without some return.Lots of useful data still available in metadata.Required reading: @thegrugq

OPSEC PROBLEM #2 WITH CRYPTOSSL/TLS Certificates, Signing Certs create all sorts of new metadataGeolocation, Identity, Serial Number, Creation/Expiration Dates

CAs have one job: to verify identify of the owner of certs they sign

Have I said I love free-form text fields?

YOU HAVE ONE JOB# ./letsencrypt-auto certonly --standalone -d An unexpected error occurred:Policy forbids issuing for name

# ./letsencrypt-auto certonly --standalone -d fireeye.comInstallation succeeded.

# ./letsencrypt-auto certonly --standalone -d illinois.govInstallation succeeded.

It gets worseWhat happens when someone gets a wildcard certificate?

What about when a security company gets their own CA certificate?

More certificate funCertificate: Data: Version: 1 (0x0) Serial Number: fa:21:6b:2c:8e:6c:35:f6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/ Validity Not Before: Jan 6 16:33:13 2015 GMT Not After : May 23 16:33:13 2042 GMT Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/

More certificate FUNMalware builder always used the above cert when it resigned trojanized app.Now its trivial to find the many apps in the Google Play store with that malware.Basic statistically analysis, hunting for geographic oddities, etc makes hunting mobile malware easy.

How to fail at TLS Data: Version: 3 (0x2) Serial Number: 522427837 (0x1f239dbd) Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, O=assylias.Inc, CN=assylias Validity Not Before: Jan 17 05:26:19 2015 GMT Not After : Dec 24 05:26:19 2114 GMT Subject: C=FR, O=assylias.Inc, CN=assylias

How to fail at TLS

One last pointSSL/TLS certification information is searchable with Shodan and a few other tools specifically for archiving observed SSL/TLS certs.

If you re-use certs, it makes it easy to correlate your activities and break your compartmentalization.

OPSEC Problem #3 With encryptionEncryption (to some) is inherently suspicious.

What is actually suspicious is abnormal behavior.

All profiling (and surveillance) is based on this concept because it is impossible to monitor everyone completely. Target selection is important.

Example #1

Example #2

VPNSI may not know what youre saying, but I know when youre saying it.All the privacy VPN services are known and their IP space is profiled.You could set up your own VPN, but you immediately lose the privacy using a common service provides.And dont think all those bitcoin services will help you either. Bitcoin is anonymous but it is NOT private.

Making Encryption MainstreamWere already doing it with Lets Encrypt and other aspects of PRISM fallout.Google now sends email over TLS (**if other side supports it**)Tor is not normalVPNs to non-corporate endpoints are not normalEncrypted email is not normal, nor is WhatsApp, Signal, et al yet.But they can be. We may not look like a sheep, but maybe we can make the sheep look like us.

Sometimes ENCRYPTION IS NOT WORTH ITWhen traveling in less friendly locations, it may be better not to draw attention. Border checkpoints are not your friends.Tor may hide what you are looking at but it stands out on a network.Many criminal and intelligence professionals use electronic means for signaling and then have a conversation in a preferred secure location.

Sometimes encryption is not worth itHow many people here have secure wifi at home?

Note, digital forensics is good at figuring out the bits. It can be hard to figure out whats going on in actual meat space.

Sometimes ambiguity is your friend.

OPSEC Problem #4 with encryptionEncryption doesnt protect you against stupid mistakes. Including by others.Its the stupid stuff that gets you.

Password re-use, even when hashed and salted can taint compartmentalization.

Passphrase-less keys publicly available on the web

STUPID MISTAKES BY OTHERSAll security is based on trust.Using a hacker bulletin board? How can you be sure they are fully patched and havent had their dat