Security at Borders

Presentation for DieLinke LAG Netzpolitik

Hasan Tayyar BEŞİK

June 21, 2018

Transcript

  1. BORDERS: Borders are sensitive temporal zones where security has its own definitions, set by government and political pressure.
  2. BORDERS: “Mr. Elsharkawi, an American citizen, said in an interview that officers from the United States Customs and Border Protection repeatedly pressured him to unlock his phone so that they could scroll through his contacts, photos, apps and social media accounts.” https://www.nytimes.com/2017/02/14/business/border-enforcement-airport-phones.html
  3. BORDERS: “I opened the doors of hell when I asked for a lawyer,” he said. “They just started attacking me verbally. ‘Why do you need a lawyer? Are you a criminal? What are you hiding?’ ” After allowing the Homeland Security officer to examine his phone, he said, he was immediately released.
  4. BORDERS: “American border agents have the legal authority to conduct searches at the United States border that a police officer on the street wouldn’t. Laws that allow agents to search bags without a judge’s approval, for the purposes of immigration or security compliance, have been extended to digital devices.”
  5. (no text on this slide)
  6. Not a solution
     1. Power off your computer
     2. Delete your entire hard drive before the trip
     3. Encrypt all data on the hard drive
     4. Change your login password and give the password to a friend.
     5. Use a disposable computer for every trip? (like a Chromebook)
  7. What to do?
     1. Hide your online traces in your digital daily life
     2. Change your internet usage habits
     3. Follow security best practices for communication and data transfer
     4. No personal social media accounts and applications
     5. No browser plugins (except maybe EFF plugins)
     6. Use the internet as if you are always being recorded.
     7. Do not trust online services.
  8. Secure
     ▪ Data
     ▪ Connection
     ▪ Services
     ▪ Device(s)
     ▪ Tools
     ▪ Environment
     Keep updated and ask https://security.stackexchange.com/
  9. Strong data encryption: According to a CIA document leaked by WikiLeaks, the AES-256-GCM, AES-256-CTR or AES-256-CBC algorithms are strong enough to trust. AES is one of the strongest algorithms. https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
  10. Avoid unnecessary encryption tools: Otherwise those tools become dead weight on your system or extend its attack surface.
  11. Secure services: Use 2FA in all of your services, together with a strong and randomly generated passphrase. Do not use your personal email if it is not necessary. 1password.com, haveibeenpwned.com
  12. Secure your devices
     ▪ No unknown/untrusted/experimental applications
     ▪ No social media applications
     ▪ Important keys and 2FA apps on a backup phone.
     ▪ Encrypted disk/card
     ▪ Auto lock
     ▪ Disable auto-connect to unknown public WiFi networks
     ▪ Hide your screen
  13. Secure your environment
     ▪ Do not trust public WiFi networks
     ▪ Do not connect to them if possible
     ▪ Watch your back
     ▪ Do not use mechanical keyboards; I love them, but keystrokes are easy to extract from their sound.
     ▪ Do not set your screen too bright
  14. Being Anonymous is getting hard. Zimmermann's Law: “The natural flow of technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months.”
  15. Security vs Anonymity
     ▪ You can be secure but not anonymous
     ▪ You can be anonymous but not secure
  16. Principles for Security
     1. Auto-update, follow updates, patch on a timely basis
     2. Do not install or open unknown/suspicious files or websites (virustotal.com)
     3. Do not plug in unknown physical devices.
     4. Do not connect to unknown WiFi networks
     5. Do not believe everything in your inbox.
  17. Principles for Anonymity
     1. Use different devices for different purposes
     2. No public WiFi, no third-party plugins
     3. No personal data through social media; reduce social media usage
     4. Disable JS by default (also CSS if possible)
     5. HTTPS and end-to-end encrypted communications
     6. Do not share your data
  18. Principles for Anonymity at Borders: Prepare your mobile device before the trip by
     1. Using encrypted cloud storage; store and use your files directly in the cloud.
     2. Using online mail clients (with E2E support)
     3. Creating disposable virtual environments in your OS
  19. Tools
     ▪ The wrong security tools can be more dangerous
     ▪ The best tool may not be the most used one
     ▪ Believe in math and science, not in ‘comments’ and ‘reviews’
  20. Qubes OS: Offers complete isolation between the environments that you create. You can also create completely disposable environments.
  21. TAILS: Offers a live, anonymity-focused operating system. It is better to have a Tails flash disk for when you need to use a device that does not belong to you.
  22. TOR Network: “A Tor client picks a random path through the network, using a directory server to get a list of active nodes. For each hop along that path, it negotiates a separate session key. It encrypts the packet data, along with a destination address, once per node in the path, building up a packet with multiple layers of encrypted information.” https://lwn.net/Articles/249388
  23. TOR: Be aware: “Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon that website.” More on https://www.eff.org/pages/tor-and-https
  24. TOR: Be aware: Tor nodes can be compromised; they cannot protect all the nodes. Tor is just an extra layer for anonymity.
  25. TOR: Better with Privoxy + Tor. A complicated but strong solution. End users might get some of the configuration wrong and end up with no anonymization over the network.
  26. DuckDuckGo: DuckDuckGo is an anonymity-first company. They provide a search engine and a mobile browser.
  27. DuckDuckGo: On Google, search for ‘toilet brush’ and all the ads across all your devices and applications act as if you have a toilet brush fetish. You will see all kinds of toilet brushes and maybe even candies shaped like toilet brushes. Google does this with the agreement of the users. But we do not read.
  28. #EFAIL: Public disclosure 14.05.2018. PGP or GPG encryption or S/MIME is not broken by design. It’s how the messages are processed by the user’s email client that introduces the vulnerability. Many of the implementations are wrong.
  29. #EFAIL
     1. “Direct Exfiltration” Attack
     2. Ciphertext Modification Attack
     Both types of attack are about how the encryption software is integrated.
  30. #EFAIL - timeline: Thomas H. Ptacek prepared a long timeline combining public sources on when various PGP vendors were notified about Efail, starting from 2017.10.25 with the Efail team contacting Thunderbird. http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html
  31. S/MIME vs PGP: A flame war started. It looked as if the EFAIL team was trying to blame GPG (but it was not like that), so the developers started to defend S/MIME or (G)PGP.
     ▪ S/MIME by the IETF uses AES for encryption (symmetric encryption)
     ▪ PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography. PGP also supports asymmetric
  32. GPG Defending: Koch from GnuPG defended GPG very well on the mailing list. https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060320.html
  33. S/MIME - PGP: In summary, both methods have strong encryption but take a different approach to creating trust.
     ▪ PGP has high complexity in implementation
     ▪ S/MIME is relatively easy to implement and configure
  34. Complexity = Bugs: To avoid EFAIL attacks, it was suggested to decrypt and encrypt messages using a separate application and to disable the automatic decryption process in mail clients. Because of the complexity of integrating encryption software into mail clients, developers may follow some non-standard ways.
  35. EFAIL - current situation: Many of the clients, including Thunderbird, have updated their software. But it is always good to disable HTML. It is still suggested not to use PGP, just to create a clean ecosystem. “Sending PGP messages to others also increases the risk that your recipients will turn to a vulnerable client to decrypt these messages. Until enough clients are reliably patched, sending PGP-encrypted messages can create adverse ecosystem incentives for others to decrypt them.” https://www.eff.org/
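
Slide 9 lists three AES-256 modes and slide 29 names a ciphertext modification attack; of those three modes, only GCM authenticates the ciphertext. The Node.js sketch below is an added example, not part of the presentation: it flips one ciphertext bit and reports whether decryption notices. The sample message and all function names are constructed for illustration.

```javascript
// Added example: which AES-256 modes notice a modified ciphertext?
const nodeCrypto = require("node:crypto");

function encrypt(mode, key, plaintext) {
  // GCM takes a 12-byte nonce; CTR and CBC take a 16-byte IV.
  const iv = nodeCrypto.randomBytes(mode === "aes-256-gcm" ? 12 : 16);
  const cipher = nodeCrypto.createCipheriv(mode, key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Only GCM produces an authentication tag over the ciphertext.
  const tag = mode === "aes-256-gcm" ? cipher.getAuthTag() : null;
  return { mode, iv, ct, tag };
}

function decrypt(key, msg) {
  const decipher = nodeCrypto.createDecipheriv(msg.mode, key, msg.iv);
  if (msg.tag) decipher.setAuthTag(msg.tag);
  // For GCM, final() throws when the tag does not match the ciphertext.
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]).toString("utf8");
}

// Simulate modification in transit: flip one bit of the first ciphertext byte.
function withFlippedBit(msg) {
  const ct = Buffer.from(msg.ct);
  ct[0] ^= 0x01;
  return { ...msg, ct };
}

function checkTamperDetection(mode) {
  const key = nodeCrypto.randomBytes(32);
  // Constructed sample message (longer than two AES blocks).
  const original = "Boarding pass and hotel booking are attached.";
  const tampered = withFlippedBit(encrypt(mode, key, original));
  try {
    const out = decrypt(key, tampered);
    return { mode, detected: false, plaintextIntact: out === original };
  } catch (err) {
    return { mode, detected: true, plaintextIntact: null };
  }
}

function report() {
  return ["aes-256-gcm", "aes-256-ctr", "aes-256-cbc"].map(checkTamperDetection);
}

console.log(report());
```

CTR and CBC return an altered plaintext without any error, so a client using them needs a separate integrity check before it processes the decrypted message.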
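
The layered encryption described in the LWN quote on slide 22, as an added Node.js sketch that is not part of the presentation and is not Tor's actual cell format or key negotiation: the relay names, the random per-hop keys and the use of AES-256-GCM for each layer are assumptions. It also shows the caveat from slide 23, because the last relay recovers the payload exactly as the client sent it.

```javascript
// Added illustration of per-hop layered encryption; not Tor's real protocol.
const nodeCrypto = require("node:crypto");

// Encrypt one layer: it hides the next address and the inner packet from everyone
// except the relay that holds `key`.
function sealLayer(key, nextHop, payload) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = JSON.stringify({ nextHop, payload: payload.toString("base64") });
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// A relay removes exactly one layer with its own session key.
function peelLayer(key, packet) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, packet.subarray(0, 12));
  decipher.setAuthTag(packet.subarray(12, 28));
  const body = Buffer.concat([decipher.update(packet.subarray(28)), decipher.final()]);
  const { nextHop, payload } = JSON.parse(body.toString("utf8"));
  return { nextHop, payload: Buffer.from(payload, "base64") };
}

// Client side: wrap from the last hop inward, once per node in the path.
function buildOnion(path, destination, data) {
  let packet = Buffer.from(data, "utf8");
  let next = destination;
  for (let i = path.length - 1; i >= 0; i--) {
    packet = sealLayer(path[i].key, next, packet);
    next = path[i].name;
  }
  return packet;
}

// Walk the path and record what each relay learns: only the next address.
function routeOnion(path, packet) {
  const seen = [];
  for (const relay of path) {
    const { nextHop, payload } = peelLayer(relay.key, packet);
    seen.push({ relay: relay.name, nextHop });
    packet = payload;
  }
  // What is left after the last layer is what the final relay forwards.
  return { seen, delivered: packet.toString("utf8") };
}

// Constructed three-hop path with random session keys (hypothetical relay names).
const samplePath = ["guard", "middle", "exit"].map((name) => ({
  name,
  key: nodeCrypto.randomBytes(32),
}));
const sampleOnion = buildOnion(samplePath, "example.org:80", "GET / HTTP/1.1");
console.log(routeOnion(samplePath, sampleOnion));
```

The `delivered` value is readable at the last hop, which is why the destination site still needs HTTPS.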