sex, lies & instant messenger v3

sex, lies and instant messenger @alecmuffett

sex, lies, & instant-messenger

@alecmuffettwww.alecmuffett.com

green lane securitywww.greenlanesecurity.com

What should come of this?

When using the Webfor private communication...

be aware1) what can go wrong unexpectedly?

be aware2) what risks you protecting against?

be aware3) what must you do/not do?

Goal“Keep control of your data.”

disclaimer (1)Almost all examples appearing in this work

are fictitious. Any resemblance to real events or to real persons, living or dead,

is probably coincidental.

disclaimer (2)Advice given here is necessarily

incomplete; information security is a huge discipline and a full set of risks cannot be

conveyed in 30 minutes.

1) what can go wrong unexpectedly?

passwords!

do not use secrets as passwords!

my history• Crack

• First “smart” password cracker• 1991..96

• http://tinyurl.com/2jnzpy

• CrackLib• password checking library

• 1994..now

issuepasswords are secret, but...

issue...secrets make bad passwords

passwordsguessable

000000 1 1111 11111 111111 11111111 112233 123 123123 123321 1234 12345 123456 1234567 12345678 123456789 123abc 123qwe 1q2w3e 1q2w3e4r 222222 55555 654321 666666 7777 7777777 a aaaaaa abc123 adidas admin amanda andrew angel angel1 angels anthony apple asdf asdfasdf asdfgh ashley asshole austin baby bailey

banana bandit baseball batman benjamin biteme blabla blahblah blessed blessing blink182 bubbles buster canada cassie charlie cheese chelsea chicken chris christ church cocacola compaq computer cookie cool corvette creative dakota dallas daniel danielle david destiny dexter diamond digital dragon eminem

emmanuel enter faith flower foobar football football1 forever forum freedom friend friends fuckoff fuckyou fuckyou1 gateway genesis george ginger god google grace green guitar hahaha hallo hannah happy hardcore harley heaven hello hello1 helpme hockey hope hotdog hunter ilovegod iloveyou iloveyou! iloveyou1 iloveyou2 internet james jasmine jason jasper jennifer jessica jesus jesus1 john john316 jordan jordan23 joseph joshua junior justin killer kitten knight letmein london looking love lovely loving lucky maggie master matrix matthew maverick maxwell

merlin michael michelle mickey microsoft mike monkey mother muffin mustang mylove myspace1 nathan nicole nintendo none nothing onelove online orange pass passw0rd password password1 peace peaches peanut pepper phpbb pokemon poop power praise prayer prince princess purple qazwsx qwert qwerty qwerty1 rachel rainbow red123 richard robert rotimi samantha sammy samuel saved scooby scooter secret shadow shalom silver single slayer smokey snoopy soccer soccer1 sparky spirit startrek starwars stella summer sunshine superman taylor test testing testtest thomas thunder tigger trinity trustno1 victory viper welcome whatever william

winner wisdom zxcvbnm

250 top passwords - http://goo.gl/xPCq

“You’ll never guess my password,it’s in Klingon!”

passwordsbrute-forceable

from: AAAA

to: zzzzzzzzzzzz

via:t5gn9LF$*RJ#

more than 1,000,000 guesses/second!

sometimes more than9 billion guesses/second

google:

imhoff password cracking

hashcat performance

however...

passworda window into your mind?

passwordreveals something about you?

passwordreflects your tastes?

passwordis known to your spouse?

also• reuse = self-incrimination

• ...which is bad...• ...more later...

basic password discipline• use a password management tool

• use 12/more random characters• use different passwords at each website

• never reuse passwords• never share passwords• change annually/more often

• change when someone discovers one!

next: instant messenger!

do not Skype IM with your lover!

Skype• peer to peer architecture

• robust, replicated, flexible• excellent security

• ...unless you’re up against the USA• ...or China• ...or maybe the UK

virtually impossible to expungea recent conversation

deletion can make things worsemessages resurrect from the dead!

(zombie data is not good)

Avoid XMPP with a lover...• Also called Jabber Protocol• Implementations:

• GoogleChat• Some Facebook chat• Other systems

XMPP• Initial message is multicast

• sent to all logged-in instances• eg: “hello sexy”

• ...also arrives on the home PC• ...whilst you are at work

Other IM systems?• Not really wise...

• AIM now multicast• YIM likewise

• Go for something simple• Avoid specialist IM-client software• Use web-based systems

next: social media!

do not Twitter with your lover!

typos of doom!

D alice can i have you for dinner?

@alice can i have you for dinner?

...and, worse...

D bob Nude! http://twitpic.com/b0gu5

Twitter App Risks• Third-party apps get access to DMs

• Twitter clients...• Web Apps...

• Proliferation of data is unwise• more backups• more caches• more access

do not Facebook your lover!

too easy to get wrong

Dropping Hints

homepage displays with whom you communicate frequently

“Transitive trust”friends-of-friends may not be friends

Tommy Jordan!

YouTube Video:Facebook Parenting: For the troubled teen

Facebook Software EcologyFacebook is not really Facebook

Analogyif you want to be private,

don’t throw your diaryinto a pub full of gossips and journalists

next: phones!

do not smartphone with your lover!

massive comedy potential

iPhone screenlock

applications which pop-upalerts above the screenlock

Locked?

punchline:

Don’t combine this with Skype

do not go gaming with your lover!

MMORPGs• EQ• SecondLife• EVE Online• Warhammer• WoW

• etc...

held to lower standard than IM

heavily-integrated software• game• webcam• voice

• third party stuff• Ventrillo• Mumble• ...

game logs• logfiles are...

• comprehensive• disparate• spattered all over the hard drive

• ...and therefore hard to remove

next...

Geolocation can hurt you!

avoid sharing geolocation• Foursquare, Twitter, etc

• “...but your Twitter messages saidthat you were in Essex?”

Do you have an in-car GPS?...and do you know how to wipe it?

next, an obvious thing that’s often missed:

do not send porny naked picturesof yourselves, to each other

homebrew porn• webcam temporary copy

• potentially restorable

homebrew porn• desktop copy

• backup/time machine copy• image-management tool copy

homebrew porn• IM server copy

• or: duplicate Skype transfers• plus: transfer logs

homebrew porn• remote copies

• remote backup/time machine• remote image-management tool

homebrew porn• Took it with iPhone?

• backed up to iTunes• backed up to iCloud?

homebrew porn• boyfriend’s archive copies

• ...for sharing when you break up

do not use the family computer

there’s a reason it’s calleda family computer

do not use work-related hardware

work hardware• not your machine

• thus: “not your data”• may be taken from you

• eg: bankruptcy, fired, updated• old hardware auctioned

• automated backups?• network access logged?

summary

If you are going to live a double lifethen please do it right.

2) what risks are you protecting against?

(apart from spouses and lawyers)

recreational computer forensics!

for teh lulz!

Things Geeks Do• Enumerate all possible URLs:•tinyurl•bit.ly•is.gd•t.co

• ...and save the good ones

Things Geeks Do• Trawl...

• Picasa• Twitpic• Yfrog

• ...to much the same ends

Things Geeks Do• buy hardware from Ebay

• undelete data files • desktops• laptops• printers (!)• storage

• hard disks• thumb drives• SD cards

Things Geeks Do• buy phones from Ebay

• restore deleted SMS• retrieve e-mail passwords

Find hardware in the street...

...investigate it...

...discover secrets.

Your challenge is to make that hard

3) what must you do/not do?

do use separate identities,do not link identities!

create a disposable identity,start with an e-mail address

use a fake, boring, common pseudonym

• good• edward wilson• carole smith

• bad• sexxxy4UinBasingstoke• anything else that’s unique

is this legal?• probably breaking terms of service

• is it criminal to lie?• maybe...

idea:Use a disposable Gmail accountto set up a fake Yahoo account

or vice-versa.

do not bookmark your secret identity

do use a random password• never used before• never use anywhere else• keep the password in your brain

do not store the secret identity passwordin your normal password manager!

do minimise data proliferation,do not leave footprints!

do not access your secret identityfrom your normal phone

iPhone• All backed up by iTunes:

• SMS• call logs• geolocation (see recent press)

• ...possibly password protected• You’re using a different password, yes?

Android• basically ditto

• ...but backed up on Google instead

Do not access your secret identityusing your normal laptop “login”

avoid intermingled filestore

put no pseudonym filesamongst personal files

set up different “users”• keep sensitive files in one place

• ...hopefully• ...mostly• ...except for logs

set up encrypted hard disks

resistant to post-Ebay forensics;do this prior to any usage

use browsers which supportprivate browsing modes, and

which delete cookies/history on exit

Example workflow:

Chrome

“day-to-day”

Safari• Guests and visitors• Logging into a website without

logging-out of Facebook first

Firefox• Ideal for...

• porn• shagging• dubious e-mail links• security malware research

technical reference

browser settings (1)• clear cookies on exit• clear history on exit• don't accept 3rd-party cookies• block popups

browser settings (2)• don't save form input• don't save history• switch off autosuggest• set to private browser mode

• ...permanently, if possible• else auto/delete cookies on exit

plugins / similar• Flash Player

• Visit the security settings panel• purge Flash cookies and sites• set Flash db size to zero

• HTML5 settings• set HTML5 db size to zero• watch for other/new issues

Firefox extensions• Tor

• better: Tor Browser Bundle

•SSL Everywhere•NoScript•RequestPolicy•AdBlock Plus•Ghostery

Adium / Pidgin for IM• use OTR encryption

• not the same as OTR in GoogleChat!• solves the point-to-point chat issue

• beware local logfiles

remember:

all this also applies to your phone

speaking of phones...

use a PAYG dumbphone• pay cash (where possible)• top-up with cash• enable PIN lock• avoid ...

• paper billing• web integration

use voice calls

do not leave voicemails

wipe your SMS messages regularly

dumbphone SMS• lowest common denominator

• messages still logged on backend• but overall exposure is less

if you must use smartphone• do not link this phone to your usual

Google Account

if you must use smartphone• check out:

• WhatsApp• TigerText• ...other SMS replacements

• take time to understand how they work

finally...

decommission old hardware• computers

• DBAN - Darik’s Boot & Nuke• Free suicide pill / CDROM for PCs

• phones• Remove SIM

• SMS may be on SIM as well as phone!• Check whether factory reset actually works

• if not, smash it & drive a car over it repeatedly

bottom lines• the more copies of data exist

• the harder it is to remove them• when data escapes your control

• it's available forever

when mistakes happen...• clean up calmly• do not amplify the mistake

remember• your lover has the same data

• but may not be taking care of it• educate them gently

• his/her systems will also one day be sold on eBay

So why must you actually know all this?

Well...

- shagging

- journalists and sources

- employees and whistleblowers

- activists in repressive regimes

- good data hygiene

- separating work and home data/life

Future

bonne chance

sex, lies & instant messenger v3

Technology

inc - internal network communication instant messenger für...

web-based instant messengeracharles/documentation4.pdf ·...

sex, lies and instant messenger mk ii

factsheet - singtel secure enterprise messenger 4pp ·...

instant messenger in higher education

worldclient instant messenger · worldclient instant...

aol instant messenger screen name - chester f. carlson...

security analysis of instant messenger torchat

planetary scale v iews on an instant messenger ...

instant messenger and messaging integration - case study

elevator advertising and lead generation with instant...

smart instant hku context-aware instant messenger for mobile...

energy efficient group messaging for mobile instant...

vipole secure instant messenger

24im messenger - inbitinbit.com/imc.pdfwelcome to 24im...

by boobox - spectralcoding · 3306 mysql 4000 icq 5010...

web-based instant messenger by charles atuchukwu a

icewarp unified communications instant messaging service ·...

the advantages and disadvantages of aol instant messenger...

worldclient instant messenger - setup instructions