securingaclientMatsuzaki ‘maz’Yoshinobu

<maz@iij.ad.jp>

hardeningahost

Hardeningahost

• Differsperoperatingsystem• Windows:userscannotbetrustedtomakesecurityrelateddecisionsinalmostallcases• OSX:makethingsworkmagicallyforusers.Trytohandlesecurityissuesinthebackground• Linux:variesbydistribution:

• Ubuntu:trylikeOSXtomakethingsjustwork.• RedHat:includeveryusefultoolsbutturnedoffbydefault

• BSD:userswillfigureitout• Changeswithtime

Generalconsideration

• Defineapersonalusageprofileandpolicy.• Whathardwaredoyouuse?• Whatsoftwaretasksdoyoudoonyourcomputer?• Dothefirsttwochangewhenyoutravel?• Whathabitsfromtheabovetwodoyouneedtochangetobemoresecure?• Decideifyoureally needVPNaccesstoyournetworkwhiletravelling.

Generalpractices

• Installonlytheservicesandsoftwareyouactuallyneed.• Uninstallordisableallsoftwareandservicesyoudonotuseorneed.• Periodicallyactivelyscanyourmachineforvulnerabilities.• Haveasfewuseraccountsonyoursystemsaspossible

• Protectyouradministrativeaccount.Haveastrongpassword,donotpermitremotepasswordbasedloginsanddonotloginasanadministratorunlessyouneedtodoanadministrativetask.

Hardware

• Rule1:allbetsareoffwithphysicalaccesstoyourdevices.• Considerremovinghardwareyouneveruse– saybluetooth.• DisableinBIOSorEFIoryouroperatingsystemthehardwareorfeaturesyoucannotremovephysically.• wakeonlan• Bluetoothdiscoverability• USBports?

• BIOSpasswordsnotthatuseful• BIOSlevelencryp8on/lockingofharddisksmaynotbeportable

antivirus

Malware

• Thegenerictermforcomputervirus,worms,spywareandothermalicioussoftware• Skilledattackercanmakeit,funattackercanuseit.• eventherearemalwarebuildtoolswithGUIL

Infection

• attackerstrytomakeyourdevicesinfectedinmanyways• securityholes,e-mail,web• USBmemory,fileservers

Causes

• vulnerability• 0-daysecurityholes• oldsecurityholesarestillusedtoinfect

• auto-executionforremovalmedia• USBmemory,CDloading

• users’carelessopen• infectedfiles• sometimeshappentoexecutemalwares

Detection

• signature-baseddetection• blacklistofmalwares• checkafilewiththesignatures• updateneededtodetectnewermalware

• heuristicsdetection• behavior,characteristiccode

When?

• writeoperationstakeplace• creatinganewfile,modifyinganexistingfile

• newmediaisinserted• USBmemory,CD

• periodicormanually• scanallorimportantfiles

Where?

e-mailserverfileserver

webproxyclient

finaltargethere

Hiding

• attackersmodifymalwares• nottobedetectedbyanti-virusdetectors• theycancheckthislocally

• updatingyoursignatureDBisneeded

Fakesecuritysoftware

• Donothing,orisjustamalware• alsoknownas‘scareware’

Compromisedsystem

• Anyfileonthesystemisalreadysuspicious• Youmaybeabletoremoveamalware• therecouldbeanotheronethatyoucannotdetect

Wipe

• Don’tusefilesinthecompromisedsystem• programs• documents• images

• Cleanupthestoragesthatwasconnectedtothesystem• HDD• SSD• flashmemory

Howcanwerescueinformationfromsuspiciousdatafiles•convertitintoanotherformat• png ->jpg,jpg ->png• doc->txt• excel->csv• pdf->png/jpg

• infectedcodecannotsurvivesuchadrasticmodification

Wipetogiveaway

• dataisstillthereevenifit’sformatted• expertscanreadthedatabyusingspecialtools• anelectricmicroscopecanreadmore• leakageofsecretdata

• youneedtomakesurethedataiserased• #dd if=/dev/urandom of=/dev/<disk>bs=16M

Recover

• ‘cleaninstall’fromascratch• formatthedisk,useaproperOSimage

• applylatestOSpatchestobeup-to-date• itcouldbevulnerablebeforepatched• doupdateinasecurenetwork

• installneededapplications• checkupgrades,ofcourse

Recover(cont.)

• disableunnecessaryservices• thesameashardeningprocedure

• checkconfigurations• ifanyweakness

• changeallpasswordonthesystem• anypasswordmightbestolen

Replacingmightbeyourchoice

• securingthecompromisedsystemasis• forfurtherinvestigation• malwarethatstaysinthememoryonly

• justreplacethecompromisedsystem• sparehardware

Backups

• Encryption• Automation• Generations

Encryption

• Assumetheftandlost• Yourbackupsmusthaveatminimumthesameencryptionlevelasthesourcedata

Automation

• Wearelazy!• easytoforget

• automatedbackupwillhelpyou• mostsystemshavescheduledbackup

Generations

• youshoud havea‘good’versionofbackupthere• ifasystemiscompromised,malwaremightbealsobackupinthearchive,youwon’twanttorestorethatthough• ifsomethinggoeswrongbychange,youmayrestorethepreviousversion

• finda‘good’versionfromyourarchives

Off-sitearchives

• 2011Tohokuearthquakeandtsunami• flushedbuildings,datacenters• 4localgovernmentslostwholedataonthefamilyregistrationsystem

• Theyhaveoff-sitebackupsJ• tookabout1monthtorecoverthough• wantedtomakesurenothingismissed

e-mails

Thekeypoints

• AuthenticityofServers• EncryptedTransport

It’seasy

• Donotusepop,itisintheclear• Usepop3s,port995overTLS

• Donotuseimap,itisintheclear• Useimap4s,port993overTLS

• AndtheyAuthenticatetheServersusingX.509Certificates.CHECKIT!

fetchusingIMAP4S

SMTPoverTLS

AuthenticateServers

• AssumetheWireisTapped• AssumeSomeonewillSpoofServers• KnowYourServers’RootCertificates• ConfirmCertificatesonConfiguration• ChooseGoodPassphrases

EncryptCriticalE-Mail

• AssumetheWireisTapped• UseaPersonalX.509PKCS#12UserCertificatewithSMIME– T’Bird etc.• UseaPGPkeywithEnigma– T’Bird

Itunnel&email

$ ssh <ssh.server> -L 4465:<smtp.server>:465

ssh.serverMacBook

POP3S/SMTPS

StepHost

PortonMacBook

TunnelEndPoint

sshtunnel

$ ssh <ssh.server> -L 9955:<pops.server>:995

smtp.server pops.server

example:LocalForward

.ssh/config

$ssh mail

HostmailHostName <step.host>LocalForward 4465<smtp.server>:465LocalForward 9995<pops.server>:995

example:stephost

.ssh/config

$ssh internal

HoststephostHostName <step.host>

HostinternalHostName <internal.ssh.server>ProxyCommand ssh -W%h:%pstephost

webbrowsing

MicrosoftInternetExplore

• LongHistoryofVulnerabilities• FirstTargetbecauseofPopularity• MicrosoftisNotAlwaysConcernedwithYourPrivacy• ClosedSource,NoOneInspectsit

MicrosoftEdge

• brand-newwebbrowser• shippedwithWindows10• doesSandBoxing,soreasonablysafe

IuseGoogleChrome

• ProcessIsolationperTab,soscaleswell

• ButIworryaboutLeakingDatatoGoogle

IalsouseFireFox

• FreeandOpenSource(i.e.inspected)• StandardsCompliant,noProprietaryTrickstoLockYouIn• Popular,sohasRichExtensionCatalog• RunsonAllSignificantPlatforms

DoNotLetBrowserRememberPasswords• LoseLaptopandLoseyourBankAccount• PasswordDatabaseEncryptionisWeak

• recommendations• encryptedtextfile(pgp)• 1Password

Prefs

OnlyifyouuseNoScript!

NewFeature

Plug-Ins

1Password

• RunsonMostPlatforms• Plug-InsforMostBrowsers• Passwords,CreditCards,Addresses,…• KeepDataBase inDropBox/iCloudandyouhaveDataonPhone,Laptop,Tablet,…

• ItDoesCostMoneyL

AddBlock Plus

WithoutAddBlock

WithAddBlock

Collusion– WhoTracks

DoNotTrackPlus

NoScript – JavaScript

HTTPSEverywhere

• IfaSitehasHTTPandHTTPS,itForcesUseofHTTPS

• I.e.YougetAuthenticationofSite

• YourTrafficisEncrypted

Let’sdoit

RootCAcertificates

• YoursystemhasrootCAsbydefault• SomeapplicationsuseownCertificateStore• AnycertificatesissuedbytheseCAsaretrusted

• Checkitout• Execute‘certmgr.msc’onwindows• open’about:preferences#advanced’onFireFox

Windows10

• Execute“compmgmt.msc”andhavealook• disableGuestaccount• disableunusedsystemservices

• VerifytheLocalSecuritySetting• ChecktheWindowsFirewallSetting• Disablehidingoffileextensions• Start->FileExplorer->“Changefolderandsearchoptions”of“Viewtab”->uncheckthe“Hideextensionsforknownfiletypes”