defcon crypto village - opsec concerns in using crypto

Post on 13-Jan-2017


OPSEC CONCERNS IN USING CRYPTOGRAPHY
OR: HOW YOUR BAD TECH DECISIONS HELP ME PUT YOU IN JAIL

JOHN BAMBENEK
CRYPTO & PRIVACY VILLAGE, DEFCON 24

BIO

• Manager, Threat Systems @ Fidelis Cybersecurity
• Lecturer in CS @ University of Illinois Urbana-Champaign
• Run several takedown oriented groups on malware threats
• Crafter of Artisanal Molotov Cocktails

DEMO

• Who here has a cell phone?

TL;DR - PATTERNS AND NORMALCY

• Surveillance does not scale for large datasets:
  • People, malware, packets on the internet, etc.

• There has to be multiple layers of filtering and scoring to determine priority of tasking resources.
• Some targets are specifically and explicitly tasked, everything else is all subject to some level of pattern matching and prioritization.

REMINDER

• You are not a normal.
• This is a normal:

WHAT IS OPSEC?

• Operational security: keep what you don’t want known unknown.
  • Part is keeping secrets.
  • Another (more important part) is not looking like you have secrets worth having.

• Basic security matters (we’re still not using passphrase-less keys are we?)
• Compartmentalization: everyone has compartments.
• Signaling vs. Communication

RISK ASSESSMENT?

• Who are we hiding from? What are their interests and capabilities? What is “sufficiency”?

• Intelligence services, law enforcement, and their friends (like me)
• Criminals or other malicious actors
• Comcast

DON’T THINK YOU ARE A TARGET?

• How many people here have admin/root on infrastructure they don’t own?

• Our government has already said that is the exact kind of people they are targeting (even before those of you who have 0-days, etc).

• You don’t think the US is the only one who does this, do you?

WHY OPSEC CONCERNS WITH CRYPTO?

• Thought process starting in tracking mobile malware, Android Apps need to be signed.
• As an investigator and intel analyst, I LOVE free-form text fields. (more later)
• As technologists, crypto is hard and many of us still don’t understand its limitations.
• Encrypt all the things may not be the best option in certain circumstances.

WHY OPSEC CONCERNS WITH CRYPTO?

• Two parts of OPSEC:
  • Want to hide the secrets
  • Want to hide the fact you have secrets
• Crypto is great at the first one.
• Crypto often loudly yells that you are the second guy.
• Note- Everyone I’ve helped put in jail is there because they screwed up their OPSEC.

WHAT’S WRONG WITH THIS?

OPSEC PROBLEM #1 WITH ENCRYPTION

• Not everything is encrypted.
• Above example, the DNS request which is “good enough” to know what you’re doing.
• Even in a “perfect” crypto world, the session metadata isn’t encrypted.
  • Source, Destination, Time, Inferences of size of communication…
• If I know who you are calling/texting, sometimes that’s enough to make inferences.
• The HEIST attack at RSA, while overhyped, is an example.

CAREER DECISIONS

From: Kevin Mandia kevin.mandia@fireeye.com
To: John Bambenek john.bambenek@fidelissecurity.com
Subject: Job Offer for VP role

-----BEGIN PGP MESSAGE-----
Version: GnuPG

…
-----END PGP MESSAGE-----

AND THERE’S MORE

$ gpg -vvvv text.gpg
gpg: using character set `utf-8'
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v2
:pubkey enc packet: version 3, algo 1, keyid F4402E054FD02AA1
        data: [2046 bits]
gpg: public key is 4FD02AA1
:encrypted data packet:
        length: 400
        mdc_method: 2
gpg: encrypted with RSA key, ID 4FD02AA1
gpg: decryption failed: secret key not available

IF YOU HAVE THE KEY, YOU GET MORE

:secret key packet:
        version 4, algo 1, created 1442844965, expires 0
        skey[0]: [4096 bits]
        skey[1]: [17 bits]
        iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: 1edfd8aa175bb427
        protect count: 65536 (96)
        protect IV:  8a d6 c0 76 0e c4 86 5c
        encrypted stuff follows
        keyid: 0F3B1D99BBB8C31E
:user ID packet: "John Bambenek <john.bambenek@fidelissecurity.com>"

Anonymity with PGP is hard. See Tom Ritter’s Deanonymizing Alt.Anonymous.Messages talk: https://ritter.vg/p/AAM-defcon13.pdf
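The gpg output above shows why "decryption failed" still tells an investigator who a message was for: the recipient key ID sits in the cleartext packet header, ahead of any ciphertext, and the short ID is what one then looks up on a keyserver. The script below is an added example, not material from the talk. It constructs a synthetic Public-Key Encrypted Session Key packet carrying the key ID from the slide (the MPI payload is a placeholder, not real ciphertext), armors it the way GnuPG does, and parses it back without any secret key.

```python
"""Recover recipient key IDs from the cleartext header of an OpenPGP message.
Added example, not from the talk: builds a synthetic PKESK packet carrying the
key ID from the slide's gpg output, armors it, then parses it back with no key.
"""
import base64
import struct

SLIDE_KEYID = "F4402E054FD02AA1"       # from the gpg -vvvv output on the slide
FAKE_MPI = b"\x3f" + b"\x00" * 255      # constructed 2046-bit placeholder, not real ciphertext


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1) used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def build_pkesk(keyid_hex: str, algo: int, mpi: bytes) -> bytes:
    """Old-format header (tag 1, two-byte length) plus a PKESK body (RFC 4880 section 5.1)."""
    bits = int.from_bytes(mpi, "big").bit_length()
    body = bytes([3]) + bytes.fromhex(keyid_hex) + bytes([algo]) + struct.pack(">H", bits) + mpi
    return bytes([0x80 | (1 << 2) | 1]) + struct.pack(">H", len(body)) + body


def armor(packets: bytes) -> str:
    """Radix-64 armor with the Version header GnuPG emits and a CRC-24 trailer."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: GnuPG v2", ""]
                     + lines + [crc_line, "-----END PGP MESSAGE-----"])


def dearmor(text: str) -> bytes:
    """Strip armor lines, decode base64 and verify the CRC-24 trailer."""
    body, expected, in_body = [], None, False
    for line in text.strip().splitlines()[1:-1]:
        if not in_body:
            in_body = line.strip() == ""          # blank line ends the armor headers
        elif line.startswith("="):
            expected = int.from_bytes(base64.b64decode(line[1:]), "big")
            break
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if expected is not None and crc24(data) != expected:
        raise ValueError("armor checksum mismatch")
    return data


def parse_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (no partial lengths)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:                                    # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if size is None:
                length = len(data) - pos                  # indeterminate length
            else:
                length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length


def recipients(armored: str) -> list:
    """Each PKESK packet (tag 1) names its recipient key ID in the clear."""
    found = []
    for tag, body in parse_packets(dearmor(armored)):
        if tag == 1:
            keyid = body[1:9].hex().upper()
            found.append({"version": body[0], "keyid": keyid, "short_keyid": keyid[-8:],
                          "algo": body[9], "mpi_bits": int.from_bytes(body[10:12], "big")})
    return found


if __name__ == "__main__":
    for r in recipients(armor(build_pkesk(SLIDE_KEYID, 1, FAKE_MPI))):
        print(f"encrypted to key {r['keyid']} ({r['short_keyid']}), algo {r['algo']}, {r['mpi_bits']}-bit MPI")
```

The only thing the parser needs is the armored text; the session key stays unreadable, but every recipient key ID is recovered, which is the metadata the talk is warning about. Encrypting to a throwaway key, or using a client that emits a wildcard (all-zero) recipient key ID, is the mitigation the packet format itself allows.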

KEYSERVERS

• With a Key ID, you can cross-search keyservers to find the identity.
• Old keys never die.
• Many people have multiple emails tied to the same key (not usually a good idea).
• People reuse same SSH keys for authentication across environments.
• Silk Road – Dread Pirate Roberts compartmentalization screw-ups should be required reading.

BOTTOM LINE

• The argument for shutting down “safe spaces” for terrorists to communicate is stupid. Never drive a known into an unknown without some return.
• Lots of useful data still available in metadata.
• Required reading: @thegrugq
  • https://medium.com/@thegrugq/intelligence-services-are-scary-af-40f7646ea117#.o6hszwm7g

OPSEC PROBLEM #2 WITH CRYPTO

• SSL/TLS Certificates, Signing Certs create all sorts of new metadata
  • Geolocation, Identity, Serial Number, Creation/Expiration Dates

• CAs have one job: to verify the identity of the owner of certs they sign

• Have I said I love free-form text fields?

YOU HAVE ONE JOB

# ./letsencrypt-auto certonly --standalone -d gmail.com
An unexpected error occurred:
Policy forbids issuing for name

# ./letsencrypt-auto certonly --standalone -d fireeye.com
Installation succeeded.

# ./letsencrypt-auto certonly --standalone -d illinois.gov
Installation succeeded.

IT GETS WORSE

• What happens when someone gets a wildcard certificate?

• What about when a security company gets their own CA certificate?

MORE CERTIFICATE FUN

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fa:21:6b:2c:8e:6c:35:f6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/emailAddress=admin@oracle.com
        Validity
            Not Before: Jan  6 16:33:13 2015 GMT
            Not After : May 23 16:33:13 2042 GMT
        Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/emailAddress=admin@oracle.com

MORE CERTIFICATE FUN

• Malware builder always used the above cert when it resigned trojanized app.
• Now it’s trivial to find the “many” apps in the Google Play store with that malware.
• Basic statistical analysis, hunting for geographic oddities, etc makes hunting mobile malware easy.

HOW TO FAIL AT TLS

    Data:
        Version: 3 (0x2)
        Serial Number: 522427837 (0x1f239dbd)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, O=assylias.Inc, CN=assylias
        Validity
            Not Before: Jan 17 05:26:19 2015 GMT
            Not After : Dec 24 05:26:19 2114 GMT
        Subject: C=FR, O=assylias.Inc, CN=assylias

HOW TO FAIL AT TLS

ONE LAST POINT

• SSL/TLS certification information is searchable with Shodan and a few other tools specifically for archiving observed SSL/TLS certs.

• If you re-use certs, it makes it easy to correlate your activities and break your compartmentalization.
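Both certificates above (the Oracle lookalike the malware builder reused on every trojanized app, and the 99-year self-signed assylias cert) can be scored on metadata alone, and the issuer plus serial of a reused cert is the pivot that breaks compartmentalization the way the last bullet describes. The Python below is an added example, not tooling from the talk: it parses openssl-style certificate text reproduced from the slides, flags self-signing, version 1, SHA-1 signatures, multi-decade validity and geographic inconsistencies, and clusters a constructed app inventory by signing cert. The US-state and non-country-code tables are small constructed lookups, not complete references.

```python
"""Flag certificate oddities and pivot on reused signing certificates.
Added example, not from the talk. The two certificate texts reproduce the
slides (openssl x509 -text layout); the app records and the small geography
tables are constructed for illustration.
"""
import re
from datetime import datetime

ORACLE_CERT = """Certificate: Data: Version: 1 (0x0) Serial Number: fa:21:6b:2c:8e:6c:35:f6
Signature Algorithm: sha1WithRSAEncryption Issuer: C=EU, ST=Oregon, L=Cincinati,
O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/emailAddress=admin@oracle.com
Validity Not Before: Jan 6 16:33:13 2015 GMT Not After : May 23 16:33:13 2042 GMT
Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle,
CN=Oracle Developer/emailAddress=admin@oracle.com"""

ASSYLIAS_CERT = """Data: Version: 3 (0x2) Serial Number: 522427837 (0x1f239dbd)
Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, O=assylias.Inc, CN=assylias
Validity Not Before: Jan 17 05:26:19 2015 GMT Not After : Dec 24 05:26:19 2114 GMT
Subject: C=FR, O=assylias.Inc, CN=assylias"""

US_STATES = {"Oregon", "Ohio", "California", "Texas"}   # partial lookup, constructed
NOT_COUNTRY_CODES = {"EU", "XX", "ZZ"}   # reserved/user-assigned, not ISO 3166 countries


def parse_dn(dn: str) -> dict:
    """Split an openssl one-line DN ('C=EU, ST=Oregon, ... CN=x/emailAddress=y') into attributes."""
    return dict(p.split("=", 1) for p in re.split(r",\s*|/", dn) if "=" in p)


def parse_cert_text(text: str) -> dict:
    """Pull the fields the talk cares about out of openssl-style certificate text."""
    t = " ".join(text.split())                       # flatten whitespace, as the slides did

    def grab(pattern):
        return re.search(pattern, t).group(1)

    fmt = "%b %d %H:%M:%S %Y"
    return {
        "version": int(grab(r"Version:\s*(\d+)")),
        "serial": grab(r"Serial Number:\s*(\S+)"),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "issuer": parse_dn(grab(r"Issuer:\s*(.+?)\s+Validity")),
        "not_before": datetime.strptime(grab(r"Not Before\s*:\s*(.+?)\s+GMT"), fmt),
        "not_after": datetime.strptime(grab(r"Not After\s*:\s*(.+?)\s+GMT"), fmt),
        "subject": parse_dn(grab(r"Subject:\s*(.+)$")),
    }


def oddities(cert: dict) -> set:
    """Cheap metadata heuristics a hunter scores on; nothing here needs the private key."""
    flags = set()
    subj = cert["subject"]
    if cert["issuer"] == cert["subject"]:
        flags.add("self_signed")
    if cert["version"] == 1:
        flags.add("legacy_v1")                      # no extensions at all, unusual for a real CA
    if cert["sig_alg"].lower().startswith(("md5", "sha1")):
        flags.add("weak_signature")
    if (cert["not_after"] - cert["not_before"]).days > 10 * 366:
        flags.add("long_validity")                  # 27 and 99 years on the slides
    if subj.get("C") in NOT_COUNTRY_CODES:
        flags.add("unassigned_country")
    if subj.get("ST") in US_STATES and subj.get("C") != "US":
        flags.add("geo_inconsistent")               # a US state under a non-US country code
    return flags


def signer_key(cert: dict) -> str:
    """Issuer CN plus serial: the pivot for finding every app signed with one cert."""
    return f'{cert["issuer"].get("CN", "?")}|{cert["serial"]}'


# Constructed app inventory: (package name, signing certificate text)
APP_RECORDS = [
    ("com.example.flashlight", ORACLE_CERT),
    ("com.example.wallpaper", ORACLE_CERT),
    ("com.example.weather", ORACLE_CERT),
    ("com.example.notes", ASSYLIAS_CERT),
]


def cluster_by_signer(records) -> dict:
    """Group packages by signing cert so one odd cert exposes every app that reused it."""
    clusters = {}
    for package, cert_text in records:
        clusters.setdefault(signer_key(parse_cert_text(cert_text)), []).append(package)
    return clusters


if __name__ == "__main__":
    for name, text in (("oracle", ORACLE_CERT), ("assylias", ASSYLIAS_CERT)):
        print(name, sorted(oddities(parse_cert_text(text))))
    for key, packages in cluster_by_signer(APP_RECORDS).items():
        print(key, "->", packages)
```

The same clustering runs in reverse for the defender: if your own signing certs appear in more than one compartment, the output shows exactly which activities a certificate-archive search like Shodan's would tie together.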

OPSEC PROBLEM #3 WITH ENCRYPTION

• Encryption (to some) is inherently suspicious.

• What is actually suspicious is abnormal behavior.

• All profiling (and surveillance) is based on this concept because it is impossible to monitor everyone completely. Target selection is important.

EXAMPLE #1

EXAMPLE #2

VPNS

• I may not know what you’re saying, but I know when you’re saying it.
• All the “privacy” VPN services are known and their IP space is profiled.
• You could set up your own VPN, but you immediately lose the privacy using a common service provides.
• And don’t think all those bitcoin services will help you either. Bitcoin is anonymous but it is NOT private.

MAKING ENCRYPTION MAINSTREAM

• We’re already doing it with Let’s Encrypt and other aspects of PRISM fallout.
• Google now sends email over TLS (**if other side supports it**)
• Tor is not “normal”
• VPNs to non-corporate endpoints are not “normal”
• Encrypted email is not “normal”, nor is WhatsApp, Signal, et al… yet.

• But they can be. We may not look like a sheep, but maybe we can make the sheep look like us.

SOMETIMES ENCRYPTION IS NOT WORTH IT

• When traveling in “less friendly” locations, it may be better not to draw attention. Border checkpoints are not your friends.
• Tor may hide what you are looking at but it stands out on a network.
• Many criminal and intelligence professionals use electronic means for signaling and then have a conversation in a preferred secure location.

SOMETIMES ENCRYPTION IS NOT WORTH IT

• How many people here have secure wifi at home?

• Note, digital forensics is good at figuring out the bits. It can be hard to figure out what’s going on in actual meat space.

• Sometimes ambiguity is your friend.

OPSEC PROBLEM #4 WITH ENCRYPTION

• Encryption doesn’t protect you against stupid mistakes. Including by others.
• It’s the stupid stuff that gets you.

• Password re-use, even when hashed and salted can taint compartmentalization.

• Passphrase-less keys publicly available on the web

STUPID MISTAKES BY OTHERS

• All security is based on trust.
• Using a hacker bulletin board? How can you be sure they are fully patched and haven’t had their database dumped?
• Are you sure your encrypted messenger isn’t just giving your data away anyway?
• Think it can’t happen? Look at Wall of Sheep upstairs. Or ask Ashley Madison.
• Important point, password hashes become identifiers.

ALL ENCRYPTION NEEDS TO BE EVENTUALLY DECRYPTED

• Cracking crypto is hard… attacking endpoints is easy. Attacking people’s stupid mistakes is trivial.

• If I already own your box, all your encrypted comms are worthless.

PASSPHRASE-LESS KEYS

• You may be in a scenario to have to give up your files… if your keys are there it’s game over.
• Virustotal keeps all files that are submitted to it and makes them available via commercial API.
• You can use Yara to find things, like all files that have “BEGIN RSA PRIVATE KEY”.
• The search “maxes” out the results at 10,000. Of those, over 85% had no passphrase.
• SSH keys don’t have targeting information in them directly.
• PGP keys do though, and you can search for those in VT too
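Auditing your own repositories, backups and home directories for unprotected keys is the defensive counterpart to the VirusTotal search described above. The script below is an added example, not from the talk. It recognises the legacy PEM headers the talk hunted for ("BEGIN RSA PRIVATE KEY"), PKCS#8, and OpenSSH's openssh-key-v1 container, whose cipher name ("none" for a passphrase-less key) is stored in the clear ahead of any key material, so the verdict never requires the key itself. All sample files are constructed headers with placeholder bodies, not real keys.

```python
"""Audit files for private keys and report whether each is passphrase-protected.
Added example, not from the talk. Covers legacy PEM, PKCS#8 and OpenSSH's
openssh-key-v1 container. All fixtures are constructed headers, not real keys.
"""
import base64
import re
import struct

# Same string the talk's Yara search keyed on, generalised to every PEM private-key header
PEM_PRIVATE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")
SSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf: bytes, pos: int):
    """Read one length-prefixed SSH string; returns (value, next_position)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def classify_key(blob: bytes):
    """None if no private key is present, else a report with an 'encrypted' verdict."""
    m = PEM_PRIVATE.search(blob)
    if not m:
        return None
    kind = m.group(1).decode()
    if kind == "OPENSSH PRIVATE KEY":
        b64 = b"".join(line.strip() for line in blob.splitlines()
                       if line and not line.startswith(b"-----"))
        raw = base64.b64decode(b64)
        if not raw.startswith(SSH_MAGIC):
            return {"kind": kind, "encrypted": None}           # malformed container
        cipher, pos = _ssh_string(raw, len(SSH_MAGIC))        # cipher name precedes the keys
        kdf, _ = _ssh_string(raw, pos)
        return {"kind": kind, "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}
    if kind == "ENCRYPTED PRIVATE KEY":                          # PKCS#8 with password-based encryption
        return {"kind": kind, "encrypted": True}
    # Legacy PEM (RSA/EC/DSA) and plain PKCS#8: encrypted only when these headers are present
    return {"kind": kind,
            "encrypted": b"Proc-Type: 4,ENCRYPTED" in blob and b"DEK-Info:" in blob}


def make_openssh_blob(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed header-only openssh-key-v1 file: magic, cipher, kdf, empty kdf options, 0 keys."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    raw = SSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


SAMPLES = {   # constructed fixtures; bodies are placeholders, not key material
    "id_rsa_plain": b"-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   b"UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519_plain": make_openssh_blob(b"none", b"none"),
    "id_ed25519_enc": make_openssh_blob(b"aes256-ctr", b"bcrypt"),
    "key.p8": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "notes.txt": b"nothing to see here\n",
}


def audit(files: dict) -> dict:
    """name -> report for every file that contains a private key."""
    reports = {}
    for name, blob in files.items():
        report = classify_key(blob)
        if report:
            reports[name] = report
    return reports


def unprotected(files: dict) -> list:
    """Names of key files with no passphrase: the 85% case from the talk's search."""
    return sorted(name for name, r in audit(files).items() if r["encrypted"] is False)


if __name__ == "__main__":
    for name, report in audit(SAMPLES).items():
        print(f"{name}: {report}")
    print("unprotected:", unprotected(SAMPLES))
```

Pointing `audit` at a directory walk instead of the `SAMPLES` dict is the only change needed to run it over a real tree; anything it lists under `unprotected` is a file that, if it ever leaves your machine, hands over the key with no further work.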

WHAT TO DO ABOUT IT ALL?

• It depends on what adversary you care about.
• Free-form text fields are your worst enemy.
• Layers help.
• Compartmentalize (if you’re doing interesting things while using tor from home, you’re doing it wrong).
• Look and smell like a normal. Sometimes waiting or not encrypting is a better option.

TOOL 1 – ANDROID-CERT-GENERATOR

• https://github.com/uiucseclab/Android-Cert-Generator from UI Security Lab students.
• I wanted to figure out how to defeat my own analytics.
• Problem: Android malware requires you to write a fully-functioning app or to trojanize an existing app but have to resign it. Need a way to create believable but fake signed APKs because you lack the private key.
• Uses same details as previous signed cert.
• Checks google play store and wolfram alpha to generate the information.

BOTTOM LINE

• #DFIU

QUESTIONS?

• For Fidelis: john.bambenek@fidelissecurity.com
• For Univ. of Illinois: bambenek@illinois.edu
