
PaulyD

Active Members
  • Posts

    20
  • Joined

  • Last visited

Posts posted by PaulyD

  1. Can someone walk me through this? I have tried for the past two days to get both Mint 15 and Ubuntu 13.04 to install /boot to an SD Card. I keep getting "grub-install failed" errors. I've done this before with Ubuntu 11.04 when I had Windows on the first partition, but on this fresh disk I get the error. The SD is fine; GParted can work on it, no problem. I'm stuck.

    As an alternate, can I just copy /sda1 (DD?) to the MicroSD and then delete sda1? I think I'd need to edit fstab, correct?

    Also, anyone know how to change the encryption from AES to Twofish? No alternate .isos for the latest builds, and 12.04 LTS uses CBC instead of XTS. (lvm2?)

    Thanks guys.

  2. Ok, we've all seen Darren and Kos go after Android. My question is, how do you tech users protect your phone while out and about...while keeping high tech usability? I'm going to list my setup and I'd like to see where you guys see vulnerability. I know it will be worse than a stock phone, but how bad?

    Galaxy Nexus running a custom AOSP based ROM (Rasbean Jelly 4.2.1). Franco kernel. Rooted, with SuperSU and Busybox installed. TWRP Custom Recovery. Bootloader locked, but unlockable within OS with BootUnlocker App. JB encryption enabled with a 16 character, full ASCII, non-dictionary password using every character type. Pre-boot password changed with EncPassChanger App, to 35 characters, same as above. Debug off. All Developer Options off. All permissions removed from adb in system/bin on the phone.

    I wish Darren would go over protection as well as exploitation, more.

    Thanks!

  3. I haven't done much Windows anti-forensics research, in fact, you've given me some things to look up. One option you could consider is porting my scripts over and running them via cygwin or gnuwin32. If you've got FDE and you're running these wipes in cycles, you should be pretty well set. I haven't seen any Windows stuff that attacks inserted USB devices, but it would be a surprise if such software didn't already exist. Sorry to not be of much help on this one.

    Awesome, thanks for weighing in on this. Looking forward to what you come up with when you find the time.

    Pauly

  4. Thanks for the reply. The server has USB access for a number of things. DumpIt (among other things) could be run, unfortunately. I'd love to JB Weld all the USB ports, but can't :)


    That's why int0x80's USB Attack Code was interesting.

  5. To me it does sound like, you are doing something illegal and you are trying to cover up your tracks.

    As most mentioned, encryption should be enough, just remember to set a complex password.

    Nope, nothing illegal, just a privacy advocate. CISPA passed the US House, and it will only get worse. Full disk crypto is useless on an always-on server. I've seen int0x80 post here occasionally, so maybe he'll see this.

    Thanks.

  6. I have to run Windows on a few boxes (one of them an always-on server) and am looking for some anti-forensics ideas similar to what int0x80 discussed in his talk at the Louise and his bash scripts on Github. Right now I've got CCleaner, Bleachbit, Clean After Me, and USB Oblivion kicking off as scheduled tasks. Each one runs 6 hours after the other. I've also got BCWipe v5 running Transparent Wiping (any user or system delete calls go through its driver, and receive a one-pass pseudo-random wipe) and an encrypted Swap. I'd love to get a few more ideas from any Windows users...especially for attacking unknown USB devices and generating thousands of dummy files of varying sizes (encrypted).

    Thanks.

  7. That is, people whose computers you're going through can see plenty of your data even if you try to encrypt.

    I disagree with this part. If I tunnel a VPN over Tor, all the exit node sees is the encrypted tunnel...much the same as what an ISP would see from a regular VPN connection. How are you thinking the exit node is breaking OpenVPN?

    PD

  8. The guys that don't make mistakes...haven't been caught. There are a lot more members of these groups than the 5-10-15 that have been caught recently. If you do it right, your chances are good. Unfortunately, doing it 'right', every time, all the time, is hard. It's exactly the opposite of physical security. Normally the good guys have to be right 100% of the time...whereas the bad guys have to only get lucky once. In this case, you are in the good guy role and have to be perfect...LE just has to get lucky. If you tunnel a paid-for-in-cash-or-Bitcoin VPN through Tor, the VPN doesn't know you, and the exit node can't sniff you. If you pick the right VPN, in a privacy friendly country, there is nothing to 'give' to the friendly detective. Heck, Riseup, based out of Seattle, has fought, and won, in the courts, over protecting their users...and that's in the land of the National Security Letter. Never from home...never. You're going to have to put miles on your car. And never from the same place twice. The full weight of the USA still took 10 years to find OBL...so I'm not fully convinced of their omnipotence. The Sabu thing is a perfect example. He screwed up and they got his address. He screwed up again and they sniffed his true MAC. Big boy rules...you can never screw up...ever...and that's a hard thing not to do.

    PD

  9. If you have a lot of private/confidential information, I'd use a combination of the IronKey with TrueCrypt; don't forget to set a very complex and long password, so it's hard for the bad guys to crack it.

    If you're going to stick to a removable drive, TrueCrypt is the most popular solution. If you want to do your Linux install, a dm-crypt/LUKS LVM install, with /boot on a USB or SD Card is what I do. If you want two factor authentication, get a Yubikey and set one of the slots to 'Static Password' mode (slot 1 is easiest to use). Memorize a 32 character pass phrase and put a 32 character random string (generated with KeePass, for example) into the Yubikey. Right now in the US, the courts are 50/50 with compelling a user to reveal a pass phrase, so splitting it up between your brain and the Yubikey is a good practice...the Yubikey Nano is easily 'lost' :D

    PD

  10. If an adversary has access to a (dismounted) TrueCrypt volume at several points over time, he may be able to determine which sectors of the volume are changing. If you change the contents of a hidden volume (e.g., create/copy new files to the hidden volume or modify/delete/rename/move files stored on the hidden volume, etc.), the contents of sectors (ciphertext) in the hidden volume area will change. After being given the password to the outer volume, the adversary might demand an explanation why these sectors changed. Your failure to provide a plausible explanation might indicate the existence of a hidden volume within the outer volume.

    This from TrueCrypt itself, though I assume none of us would give the feds access to our TC volume multiple times, so I guess this isn't a worrying factor overall :rolleyes:

    Yeah, physical access is a killer to almost everything. The container containing the hidden container is "out there" to grab, true...but in the case of the Hidden OS, getting that container (2nd partition) from a powered down laptop, is a little tougher. I'm thinking some sort of malware for the former...but the latter requires you to 'not know where your laptop is', multiple times. You can security tape the laptop shell, and grind out the phillips head slots and fill with JB Weld if you want...no more upgrades though :)

    PD
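The TrueCrypt warning quoted above describes a key-free attack: compare two images of the dismounted container and list the sectors whose ciphertext moved. The following is an added example, not code from the original posts or from TrueCrypt, that models that comparison on a constructed 64-sector container. The layout (hidden region at sectors 48-63), the seeded "ciphertext", and sector-granularity writes are all assumptions made for the demonstration; a real XTS write changes the affected cipher blocks, and the adversary learns where the outer filesystem's free space lies only after the outer password has been surrendered.

```python
import random

SECTOR = 512            # sector size in bytes
N_SECTORS = 64          # constructed container: 64 sectors = 32 KiB
HIDDEN_START = 48       # assumed layout: the hidden volume occupies the tail of the outer volume
HIDDEN_END = N_SECTORS


def _rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_snapshot(seed, n_sectors=N_SECTORS):
    """Constructed stand-in for an adversary's image of a dismounted container.
    Ciphertext is modelled as seeded random bytes so the example is reproducible."""
    return _rand_bytes(random.Random(seed), n_sectors * SECTOR)


def write_sectors(image, sector_indices, seed):
    """Model an encrypted write: each touched sector's ciphertext is replaced wholesale.
    (Assumption: sector granularity; a real XTS write changes the affected cipher blocks.)"""
    rng = random.Random(seed)
    buf = bytearray(image)
    for i in sector_indices:
        buf[i * SECTOR:(i + 1) * SECTOR] = _rand_bytes(rng, SECTOR)
    return bytes(buf)


def changed_sectors(snap_a, snap_b, sector=SECTOR):
    """Indices of sectors whose ciphertext differs between two snapshots.
    No key is needed for this step: it is a plain byte comparison."""
    if len(snap_a) != len(snap_b):
        raise ValueError("snapshots differ in size")
    n = (len(snap_a) + sector - 1) // sector
    return [i for i in range(n)
            if snap_a[i * sector:(i + 1) * sector] != snap_b[i * sector:(i + 1) * sector]]


def classify(changed, hidden_start=HIDDEN_START, hidden_end=HIDDEN_END):
    """Split changed sectors into those inside the outer filesystem's used area and
    those in the region the outer filesystem reports as free (where a hidden volume
    would live). In practice the adversary learns that boundary by decrypting the
    outer volume once the outer password has been handed over."""
    outer = [i for i in changed if i < hidden_start]
    suspicious = [i for i in changed if hidden_start <= i < hidden_end]
    return outer, suspicious


def demo():
    """Two images taken over time: between them the user wrote to the hidden volume
    (sectors 50 and 51) and also did an innocent write in the outer volume (sector 3)."""
    before = make_snapshot(seed=1)
    after = write_sectors(before, [3, 50, 51], seed=2)
    changed = changed_sectors(before, after)
    outer, suspicious = classify(changed)
    return changed, outer, suspicious


if __name__ == "__main__":
    changed, outer, suspicious = demo()
    print("changed sectors:", changed)
    print("explainable by outer-volume activity:", outer)
    print("changes in 'free space' that need an explanation:", suspicious)
```

The point the thread goes back and forth on is visible in the output: writing to the hidden volume does not corrupt anything and is invisible from a single image, but across two images the changed sectors land in what the outer filesystem calls free space, and that is what the adversary asks you to explain.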

  11. Exactly, hence the need for plausible deniability, aka a hidden volume within a volume ;). Problem is, as far as I've heard, that if you add or subtract anything from your hidden volume it will show and thus destroy your plausible deniability :(

    The CO case will hopefully be overturned on appeal. Another fact in that case was that the lady was given complete immunity. Now, that judge was still a freedom hating moron, but who knows if he would have ruled the same had she not been given immunity.

    You don't need to remember 3 good pass phrases....just one, for the Hidden OS. The other two are expendable and don't have to be massive.

    You can add or delete from the Hidden Volume with no worries, where did you see that? Writing to an unprotected Outer Volume can damage the Hidden, but that's it.

    A variation I'm working on now is to boot only off of external media...if not, it boots into an unencrypted Windows install...why advertise at the checkpoint, if you don't have to.

    PD

  12. Tormail would be first, you can even set up Thunderbird. http://www.tormail.net

    Privat DE Mail would be next. http://privatdemail.net/en/

    Riseup.net, but they require an application and a long wait.

    Running your own server can be free with hMail Server http://www.hmailserver.com/ or Axigen Mail Server http://www.axigen.com/mail-server/free/

    Or you can pay about $100 once and get something like Ability Mail Server http://www.code-crafters.com/abilitymailserver/

    No-IP.com offers free MX records.

    Countermail seems great too, but is it $60 a year, or once?

    There is COTSE.net, again for pay.

    All but the first 3 are about privacy, not anonymity, so combine the two: Tormail for anonymous messages, and the rest to keep BigGov out of your mailboxes...cuz they're in there, no doubt...Hotmail/Live Mail don't even charge LE to snoop.

    PD

  13. Windows: TrueCrypt with Hidden OS option, various containers for different stuff. DefenseWall, Sandboxie, KeePass, LastPass.

    Alternate on other boxes, Comodo in Proactive Security mode, or Online Armor with Avast! 6.

    Linux: Sacrificial Windows OS that logs on automatically. Behind that, Ubuntu 11.10 on encrypted LVM. /boot on an SD Card (anti Evil Maid). SD Card in wallet when not in use. Hardened with some tutorials from essayboard.com (Installment 2). GUFW for the firewall. ClamAV, rkhunter, and chkrootkit. Thinking about trying out Avast! for Linux.

    I'm new to Linux.

    PD

  14. Yes, this is only for WPS Pins. I had a vulnerable Buffalo running DD-WRT. After disabling all WPS related options (also called AOSS on Buffalo), the only way in was the 256bit WPA2 key.

    Note:I did not run the tool, just changed the settings so that WPS wasn't an option that was offered when connecting.

    PD

  15. Thanks guys. Yes, I'm putting in a 'normal' MAC and filtering isn't active on the router. I haven't tried another distro, but I can try BackTrack on a Live CD. I haven't sniffed the packets (brand new to Linux, coming from Win7); can I do this from the terminal or do I need to install Wireshark? I also got an Intel 6200 series card at the same time. I'm going to swap that in and try...and maybe drive down to Starbucks to test...could be my router (DD-WRT based Buffalo). I'll keep you posted.

    PD

  16. There are obvious things about cellphone use. If I don't want to ping a tower, I can remove the battery. *I* choose if I want to reveal something. If I don't want somebody reading my texts, *I* choose to use TextSecure. If I don't want my conversation interceptable,*I* choose to use RedPhone. If I don't want my ISP seeing where I surf, *I* choose to use OrBot and OrWeb. Or I use my VPN provider. Notice all those I's? If CarrierIQ can in any way mitigate the technology I choose to use to protect my privacy, then I want to see jail time or at least have them as my check out clerks at WalMart.

    Jokes are fine, but it is a known fact that Bush was flat out busted conducting illegal wiretapping. It is a known fact that the Telcos were granted retroactive immunity from lawsuits arising from said illegal wiretapping. Room 641A exists and I tend to believe a nobody engineer with nothing to gain (and a whole lot to lose) over the beloved Das Fatherland.

    Jason and Darren both said you have to trust someone. Yup, but I sure as heck trust my foreign VPN provider a heck of a lot more than the land of Gitmo and the Patriot Act...and the NDAA 2012 featuring the new and improved 'indefinite detention for Americans'.

    I think you guys are waaaaay off.

    PD

  17. Copy and paste from UbuntuForums...no action over there:

    __________________________________________________________________

    MAC Changing Trouble

    Ubuntu 11.10 on an Acer TimelineX 11.6" I swapped out the OEM Broadcom card with an Intel 633 Centrino-N 450mbs card. The swap went well, even adding the third antenna, and I have the card working fine. I connect to a Buffalo 450mbs router.

    My problem is with changing the MAC. This is about privacy and not anything malicious. I'd just like to decrease my footprint when connecting to AP's that aren't my own, that's all.

    Using the Terminal I can do:

    ifconfig wlan0 down

    ifconfig wlan0 hw ether ad:dr:es:sh:er:ex

    ifconfig wlan0 up

    ...and receive no errors. If I then ifconfig, it shows the new address; so far, so good. I'm very familiar with when it doesn't work, having tried the Broadcom card and getting SIOCSIFFLAGS errors about too many files open.

    I can also use macchanger -r or the macchanger-gtk GUI and also change the address with no errors.

    The problem comes when I try to re-acquire my Buffalo AP. It will sit there scanning for a long while, eventually pop up the password screen (which I assume means it sees the new MAC) but then never connect. It just keeps popping up the password box again, and again.

    Should this just 'work', or do I need to do something in the Network Manager GUI where it lists the wireless networks? Right now there is just my original AP, Auto Connect, DHCP Automatic, and it lists the wlan0 card and the burned in MAC. I've also tried 'Cloning' from here, but again, no connection.

    Thanks in advance,

    P

    Edit: P.S. There is no MAC filtering on the router, and I've even tried clearing out the DHCP reservation for the old MAC/IP.

    _______________________________________________________________________________________________________________________________

    Thanks, glad to be here. Been watching for years.

    PD
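The ifconfig down / hw ether / up sequence in the post above is the manual version of a MAC change; what it leaves out is choosing an address that can actually associate, and the fact that on a NetworkManager-managed interface the address NM puts in the connection profile is the one that wins when it reactivates the connection, so a change made only with ifconfig may not survive a reconnect. The following is an added example and is not code from the poster or from macchanger: it generates a random unicast, locally administered MAC (bit 0 of the first octet clear, bit 1 set), refuses malformed or multicast addresses such as the `ad:dr:es:sh:er:ex` placeholder, and builds the iproute2 or nmcli command sequence to apply it. The nmcli form assumes a NetworkManager 1.x `nmcli`; on the 2011-era GUI the same setting is the "Cloned MAC address" field. The interface name `wlan0` and the profile name `Buffalo-AP` are placeholders, and nothing is executed unless `dry_run=False` is passed.

```python
import os
import re
import subprocess

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_local_mac(rand=os.urandom):
    """Random 48-bit address that is unicast and locally administered:
    bit 0 of the first octet cleared (not multicast), bit 1 set (not a vendor OUI)."""
    b = bytearray(rand(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join("%02x" % x for x in b)


def is_unicast(mac):
    """Hard requirement: a station address must be well-formed and unicast.
    A multicast address (odd first octet) is never usable as a source address."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    return int(mac[:2], 16) & 0x01 == 0


def is_locally_administered(mac):
    """Recommended for privacy spoofing: don't borrow a real vendor's OUI by accident."""
    return is_unicast(mac) and int(mac[:2], 16) & 0x02 != 0


def plan_commands(iface, mac, connection=None):
    """Return the argv lists that would apply `mac` to `iface`.

    With `connection` (a NetworkManager profile name) the address is stored in the
    profile and the connection is re-activated, so NM does not reapply the permanent
    address on reconnect (assumes nmcli from NetworkManager 1.x).
    Without it the interface is changed directly with iproute2, which only sticks
    while nothing else manages the interface."""
    if not is_unicast(mac):
        raise ValueError("refusing to use a malformed or multicast MAC: %r" % mac)
    if connection is not None:
        return [
            ["nmcli", "connection", "modify", connection,
             "802-11-wireless.cloned-mac-address", mac],
            ["nmcli", "connection", "down", connection],
            ["nmcli", "connection", "up", connection],
        ]
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def apply_plan(plan, dry_run=True):
    """Print the commands; run them only when dry_run is False (needs root)."""
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # "wlan0" and "Buffalo-AP" are placeholder names for this example.
    new_mac = random_local_mac()
    apply_plan(plan_commands("wlan0", new_mac, connection="Buffalo-AP"))
```

Run as root with `dry_run=False` to apply. After the change, `ip link show wlan0` should report the new address; if NetworkManager later shows the burned-in address again, the profile, not the interface, is where the address needs to live.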
