|Noisebridge | About | Visit | 272 | Manual | Contact | Guilds | Resources | Events | Projects | 5MoF | Meetings | Donate | (Edit)
|Guilds | Meta | Code | Electronics | Fabrication | Games | Sewing | Music | AI | Neuro | Philosophy | Funding | Art | Security | Ham | Brew | (Edit)
|Security | Bay Area Hackers' Association | OHSNAP | Crypto | SecureDrop | Locksport | Password manager | Aaron Swartz | Security Camera | Edit
|Security is a major area of interest to hackers of all stripes, be they creative hackers making stuff that they want to keep secure, or security hacker hackers specializing in securing by learning how to exploit security.
- INFOSEC: Information security. Countermeasures against compromise of computer systems.
- OPSEC: Operational security. Keeping one's visibility mouth shut and visibility minimal while limiting the leaking or inferring of sensitive information.
- SIGSEC: Signal security. Countermeasures against eavesdropping or failure of radio communications equipment such as encryption and disaster radio.
Recommended INFOSEC Security Measures
There are a bunch of free things you can do to improve your computer security.
- Password manager: Keep passwords secure, updated and remembered by using a password manager app you trust. Although coming up with a good password is nice, you're far more secure if you use a password manager like LastPass, KeyPass or 1Password. The best password is one you don't remember.
- Vigilance: Never open links in unsolicited messages without checking the URL for likely phishing attack. Phising relies on looking official and making an appeal to your sense of urgency or excitement to motivate you to click. Not all phishing attacks require you to download and run or install a compromising executable. A messaging or browser exploit zero day could own you just by clicking a link. Be careful!
- Beware USB Drives: Never pick up strange USB drives, smart cards or other storage devices and plug them into a secure system. This is a common pentesting technique to implant rootkits through compromised devices left around for a target to pick up.
- Encrypted Messaging: Apps like Signal are good alternatives to regular text messaging as they offer stronger cryptography and privacy.
- VPN: A VPN helps mask your IP address by bouncing your traffic through their relay.
- ProtonVPN: Proton is known for very secure Swiss-hosted encryptede email and ProtonMail accounts also work for ProtonVPN, with both offering good free service tiers.
- Proxied Browsers: Many censorship and spying threats make browsing securely difficult or impossible for some activists and in some countries that block sites. Proxied browsers employ different strategies to get your traffic to you so research their security implications to make sure they work for your needs.
- Tor: Tor is an onion network that bounces traffic through multiple relays till it reaches the destination, creating additional layers of anonymization beyond a regular one-bounce VPN. It can be slower and is not immune to unmasking by state-level agencies that may control enough Tor nodes to find people, but it is better than using no VPN or a VPN alone.
- Anti-Censorship Browsers: Anti-censorship browsers don't provide anonymity but they can make sites accessible in places that block them.
- CENO: Censorship.no browser proxies blocked sites so people in censored regions can access it. Using it in uncensored places helps proxy it for the others who need it!
- GPG Keys: GPG / PGP is a free public key cryptography system for encrypting and certifying communications like emails.
Recommended General Security:
- If you use Google, two factor authentication is vastly more secure than just a password.
- Using more secure search engines that don't track you (DuckDuckGo is a great option) you won't have google tracking you everywhere you go.
- If someone gets their hands on the physical machine, all bets are off. Try to avoid strange USB sticks and CDs, even if they look shiny. Also, encrypting your drive protects you from these attacks pretty well(as long as you don't leave your machine laying around unencrypted, see links below)
Recommended OPSEC Measures
OPSEC means keeping your mouth shut.
- Need to know means nobody needs to know.
- Pseudonyms: Limit how much personally identifying information is available to minimize doxxing risks. Keep things separate to protect the leakage of one nym with another.
- Do not put yourself in a position to be blackmailed.
- Don't get leave incriminating stuff on devices.
- Don't carry illegal stuff that could get you searched.
- Don't do sketchy things that could get you searched.
- Don't use weird codes that make no sense.
- Do use code names for nouns so if someone intercepts they have a hard time figuring out what you're talking about.
OPSEC For Freedom Fighters
- VIDEO: #HITB2012KUL D1T3 - The Grugq - OPSEC for Freedom Fighters: Because Jail is for wuftpd
- SLIDES: OPSEC slides
Recommended SIGSEC Measures
Remember that unencrypted calls can be eavesdropped on and telcos and ISPs are not guaranteed to work in emergencies.
- Hambridge: Encrypted disaster resilient radio such as LoRa and HAM radios can work off batteries and solar in emergencies even when power, ISPs and telcos fail.
- Burner Phones: Cheap disposable smartphones or dumb phones to communicate with less risk of being tracked.
- Security: When well defined objectives are met through the appropriate use of controls and defenses to deter and prevent vulnerabilities to assets. PDF of Introductory presentation by Stan Osborne at Omni Ballroom, 2015: File:Intro-20150127up.pdf
The network at Noisebridge - like any public network - should be regarded as potentially hostile. This means that you should assume that any unencrypted communications over the network could be (and most likely are) monitored by others. Examples of vulnerable communications include POP3/IMAP email clients, most web browsing, IRC/AIM and similar chat protocols that are often not encrypted. While no issues have come up to date, and our code of conduct opposes malicious monitoring of others, it is wise to be aware of the potential. Stick to using SSL or secure tunnels or VPNs for anything that uses a password or that you otherwise wouldn't want other people to read. If you don't know how to protect your communications with encryption, many people at Noisebridge would be glad to help you out!
Attempt at a Semi Decent Network Security Guide
The most secure option you have is to set up an SSH tunnel to a remote server, and then use a proxy server like Polipo to forward all your HTTP through that server. Done properly, this will encrypt all your traffic without any further worries. If you do not have SSH access to a remote server, then you can use Tor or similar to encrypt your traffic without exposing it to the Noisebridge network.
The fallback position is to ensure that as many services as possible use HTTPS by default (especially webmail) and at least have browser based solution to protect against CRSF/XSS attacks for everything else. This may happen even if the website itself is solid -- if you're on a compromised internal network, the attacker can inject content into any HTML page that you're reading.
Recommended Firefox Addons:
- Certificate Patrol: https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
- Perspectives: https://www.networknotary.org/firefox.html
- HTTPS Everywhere: https://www.eff.org/https-everywhere
- Noscript (even with "all access" it still catches many CSRF/XSS attacks): https://addons.mozilla.org/en-US/firefox/addon/noscript/
- UBlock Origin (this one does block adds if that is a concern): https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- DuckDuckGo Privacy Essentials: https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-for-firefox/
- Privacy Possum: https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/
Recommended Chrome Extensions:
- KB SSL Enforcer: https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof
- NotScripts: https://chrome.google.com/extensions/detail/odjhifogjcknibkahlpidmdajjpkkcfn
- UBlock Origin (this one does block adds if that is a concern): https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
- DuckDuckGo Privacy Essentials:
- Privacy Possum: https://chrome.google.com/webstore/detail/privacy-possum/ommfjecdpepadiafbnidoiggfpbnkfbj