Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security at Borders

Security at Borders

Presentation for DieLinke LAG Netzpolitik

E80bb03522c1606b401d0a87266e8910?s=128

Hasan Tayyar BEŞİK

June 21, 2018
Tweet

Transcript

  1. Digital Security Anonymity at borders Securing your data Hasan Tayyar

    Besik hasantayyar.net
  2. This presentation focuses anonymity and security at borders by general

    and specific security advices.
  3. Contents ▪ Borders ▪ Digital Security ▪ Anonymity ▪ Tools

    ▪ Principles ▪ #EFAIL 3
  4. BORDERS “Borders are geographical boundaries of political entities or legal

    jurisdictions 4
  5. BORDERS Borders are sensitive temporal zones that security has its

    own definitions by government and political pressure. 5
  6. BORDERS “Mr. Elsharkawi, an American citizen, said in an interview

    that officers from the United States Customs and Border Protection repeatedly pressured him to unlock his phone so that they could scroll through his contacts, photos, apps and social media accounts. https://www.nytimes.com/2017/02/14/business/border-enforcement-airport-phones.html 6
  7. BORDERS “I opened the doors of hell when I asked

    for a lawyer,” he said. “They just started attacking me verbally. ‘Why do you need a lawyer? Are you a criminal? What are you hiding?’ ” After allowing the Homeland Security officer to examine his phone, he said, he was immediately released. 7
  8. “American border agents have the legal authority to conduct searches

    at the United States border that a police officer on the street wouldn’t. Laws that allow agents to search bags without a judge’s approval, for the purposes of immigration or security compliance, have been extended to digital devices. 8 BORDERS
  9. 9

  10. Not a solution 1. Power off your computer 2. Delete

    your entire hard drive before the trip 3. Encrypt entire data on hard drive 4. Change your login password and give the password to a friend. 5. Use a disposable computer for every trip? (like ChromeBook) 10
  11. What to do? 1. Hide your online traces in your

    digital daily life 2. Change your internet usage habits 3. Follow security best practices for communication and data transfer 4. No personal social media accounts and applications 5. No browser plugins (Except maybe EFF plugins) 6. Use internet like you are always being recorded. 7. Do not trust online services. 11
  12. Digital Security 1.

  13. Secure ▪ Data ▪ Connection ▪ Services ▪ Device(s) ▪

    Tools ▪ Environment Keep updated and ask https://security.stackexchange.com/ 13
  14. Strong data encryption According to a CIA documents leaked by

    wikileaks AES-256-gcm, AES-256-ctr or AES-256-cbc algorithms are strong enough to trust. It is one of the strongest algorithms. https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20 v1.1%20TOP%20SECRET.pdf 14
  15. Avoid unnecessary encryption tools Otherwise those tools will become a

    weight for your system or extend the attack surface of your system. 15
  16. Secure services Use 2FA in all of your services with

    a strong and randomly generated passphrase. Do not use personal email if not necessary. 1password.com haveibeenpwned.com 16
  17. HTTPS ▪ To avoid local network “wiretaps” ▪ Not a

    final solution but a “must” 17
  18. Secure your devices ▪ No unknown/untrusted/experimental applications ▪ No social

    media applications ▪ Important keys and 2FA apps on a backup phone. ▪ Encrypted disk/card ▪ Auto lock ▪ Disable auto connect to unknown public Wifis ▪ Hide your screen 18
  19. Secure your environment ▪ Do not trust public WiFis ▪

    Do not connect them if possible ▪ Watch your back ▪ Do not use mechanical keyboards, I love them but easy to extract from sound. ▪ Not too bright screen 19
  20. Anonymity 2.

  21. Anonymity “No identifying value that can link the information to

    the participant” 21
  22. Being Anonymous is getting hard Zimmermann's Law “The natural flow

    of technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months 22
  23. Security vs Anonymity ▪ You can be secure but not

    anonymous ▪ You can be anonymous but not secure 23
  24. Principles for Security 1. Auto update, follow updates, patch timely

    basis 2. Do not install or open unknown/suspicious files, websites (virustotal.com) 3. Do not plug in unknown physical devices. 4. Do not connect unknown WiFis 5. Do not believe everything in your inbox. 24
  25. Principles for Anonymity 1. Use different devices for different purposes

    2. No public WiFi, No Third-party plugins 3. No personal data through social media, reduce social media usage 4. Disable JS by default (also CSS if possible) 5. HTTPS & End to end encryption communications 6. Do not share your data 25
  26. Principles for Anonymity at Borders You should be prepared with

    your mobile device before the trip by 1. Using an encrypted cloud storage, store and use your files directly on the cloud. 2. Using online mail clients (E2E supported) 3. Creating disposable virtual environments in your OS 26
  27. Tools ▪ Wrong security tools can be more dangerous ▪

    The best tool may not be the most used one ▪ Believe in math and science, not in ‘comments’ and ‘reviews’ 27
  28. Tools Qubes OS Tails Live OS TOR NextCloud DuckDuckGo Maillists

    28
  29. Qube OS Offers a complete isolations between the environments that

    you created. You can also create completely disposable environments. 29
  30. Qube OS 30

  31. TAILS Offers live and anonymity focused operating system. Better to

    have a Tails flash disk when you need to use a device that does not belong to you. 31
  32. TOR/ORBOT An open network that protects you from network analysis.

    32
  33. TOR not a privacy solution! Anonymizes only your network data!

    Anonymity ≠ Privacy 33
  34. TOR Network “A Tor client picks a random path through

    the network, using a directory server to get a list of active nodes. For each hop along that path, it negotiates a separate session key. It encrypts the packet data, along with a destination address, once per node in the path, building up a packet with multiple layers of encrypted information. https://lwn.net/Articles/249388 34
  35. TOR Be aware: “Tor will encrypt your traffic to and

    within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. ” More on https://www.eff.org/pages/tor-and-https 35
  36. TOR https://www.hacker9.com/can-hide-online-using-tor-network.html 36

  37. TOR Be aware: Tor nodes can be compromised, they can

    not protect all the nodes. Tor is just an extra layer for anonymity. 37
  38. TOR Better with Privoxy + Tor A complicated but strong

    solution. End users might do some configurations wrong and they might end up with no anonymization over network. 38
  39. DuckDuckGo is an anonymity first company. They provide a search

    engine and a mobile browser. 39 DuckDuckGo
  40. On Google, Search for ‘toilet brush’ and all the ads

    across all your devices and applications acts like you are a toilet brush fetish. You will see all kinds of toilet brushes and even maybe candies shaped like toilet brushes. Google does this with and agreement of the users. But we do not read. 40 DuckDuckGo
  41. Nextcloud, with newest release, security oriented, End-to-end Encryption supported private

    cloud storage management solution. 41 NextCloud
  42. Exceptional Browser Plugins HTTPS Everywhere Privacy Badger ? uBlock Origin

    ? Js Switcher 42
  43. #EFAIL In other words: OpenPGP and S/MIME Mail Client Vulnerability

    43
  44. #EFAIL Public disclosure 14.05.2018 The PGP or GPG encryption or

    S/Mime is not broken by design. It’s how the messages are processed by the user’s email client that introduces the vulnerability. The many of the implementations are wrong. 44
  45. #EFAIL 1. “Direct Exfiltration” Attack 2. Ciphertext Modification Attack Both

    two type of these attacks are about integrations of the encryption software. 45
  46. #EFAIL - timeline Thomas H.Ptacek prepared a long timeline to

    combine public sources regarding when various PGP vendors were notified about Efail. Starting from 2017.10.25 with Thunderbird contact by Efail team. http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html 46
  47. S/Mime vs PGP A flame war started EFAIL team was

    like trying to blame GPG (but it was not like that). So the developers started to defend S/Mime or (G)PGP ▪ S/Mime by IEFT uses AES for encryption (symmetric encryption) ▪ PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography. PGP also supports asymmetric 47
  48. GPG Defending 48 Koch from GnuPG defended GPG very well

    in the maillist. https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060320.html
  49. S/Mime - PGP As summary: Both methods has strong encryptions

    but different approach while creating trust. ▪ PGP has high complexity in implementation ▪ S/Mime is relatively easy to implement and configure 49
  50. Complexity = Bugs To avoid EFAIL attacks, it was suggested

    to decrypt and encrypt messages using a separate application and disabling automatic decryption process in mail clients. Because of the complexity of integrating encryption softwares into mail clients, developers may follow some non-standard ways. 50
  51. EFAIL - current situation Including Thunderbird many of the clients

    updated their softwares. But it is always good to disable HTML. It is still suggested not to use PGP just to create a clean ecosystem. “Sending PGP messages to others also increases the risk that your recipients will turn to a vulnerable client to decrypt these messages. Until enough clients are reliably patched, sending PGP-encrypted messages can create adverse ecosystem incentives for others to decrypt them.” https://www.eff.org/ 51
  52. Conclusion I believe in absolute digital security in an environment

    with no electricity. 52
  53. Questions and Discussion 53

  54. Thanks 54