Monday, April 21, 2014

Privacy, Hacking, and Information Security Tools: A Primer for Legal Professionals (Part I)

I thought it might be useful to describe some commonly used tools in the Information Security sphere that should be on every attorney's radar, for myriad reasons. Perhaps you are defending a client who has used such a tool; or, you wish to uphold your obligations under the Model Rules to truly make your attorney-client communications confidential.

This may become a multi-part post, given the plethora of tools out there (and further posts will, to some extent, depend on whether people find this post to be useful - so feedback would be great).

1.   To start, a tool used by hackers, privacy enthusiasts, and others is Tails, "The Amnesic Incognito Live System." It is a LiveCD/Bootable OS that comes packed with baked-in privacy tools; the most important feature being that the network configuration forces all traffic through the Tor Network. From the Tails page, the OS allows you to:

-use the Internet anonymously and circumvent censorship;
-all connections to the Internet are forced to go through the Tor network;
-leave no trace on the computer you are using unless you ask it explicitly;
-use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
So, you can boot with the LiveCD, do all of your surfing anonymously in the Tails OS (modified Linux), and then restart back into your regular operating system without leaving forensic tidbits on the hard drive; the OS operates in running memory, so upon reboot the memory is wiped (RAM does not persist a reboot, with some caveats). The "Warning" page gives a good synopsis of various gotchas that can limit your anonymity and/or complicate the goal of covering your tracks.

Some people, like yours truly, use Tails in a bootable VM image. There are some drawbacks to that approach (it makes it easier to leave forensic artifacts). Thankfully, I'm not doing anything illegal, so I really don't care. It's a good way to get on Tor and ensure all traffic does indeed travel through onion routing.

**Side note - most people are familiar, at least superficially with Tor (given the press surrounding Silk Road). However, there are other closed/anonymous peer-to-peer networks out there, most notably, I2P. **

2. A lot of people are lulled into a false sense of security when they sign-up for offshore or self avowed "totally anonymous" VPN providers. HideMyAss, a popular VPN provider, didn't hide the ass of a LulzSec member, instead providing information to the FBI that assisted in his arrest. More nuanced yet, is that even if you use a VPN provider rgR does not keep logs (an assertion I always take with a grain of salt), VPN users often misconfigure their VPN tunnel and accidentally send DNS requests via their regular ISP. So, your traffic is going over the VPN, but if you are also sending DNS traffic to your ISP over VPN, it is possible to track, at the very least, what sites you are going to (but not, to be sure, the actually content of the traffic itself). Enter the next tool: DNSLeakTest. This tool will run a test against your configuration to show whether or not you are actually using the DNS servers you want to/need to/assumed were set up. For example - when I run the Extended Test using my home internet connection, I receive, inter alia, the following result:

What this image shows is that my DNS is being routed to Charter (my provider), in Wisconsin. To be expected when I am surfing without attempting anonymity. But, I would not want this to show up if I am trying to be anonymous. Using a common VPN provider, I receive the following results, showing my DNS queries are going through their servers:

The key here is that if you are arguing that you never visited (insert site with criminal ties here), and there is a DNS request around the time of the specific activity, you've got a credibility (and evidentiary problem) that is hard to refute. Granted, you are once again trusting the anonymity ("short memory") of the VPN provider's DNS records.

3. When it comes to chatting, many users swear by Cryptocat. The app is described as follows:
Cryptocat is a fun, accessible app for having encrypted chat with your friends, right in your browser and mobile phone. Everything is encrypted before it leaves your computer. Even the Cryptocat network itself can't read your messages.
With the following caveats:
Cryptocat is not a magic bullet. Even though Cryptocat provides useful encryption, you should never trust any piece of software with your life, and Cryptocat is no exception.
Cryptocat does not anonymize you: While your communications are encrypted, your identity can still be traced since Cryptocat does not mask your IP address. For anonymization, we highly recommend using Tor. 
Cryptocat does not protect against key loggers: Your messages are encrypted as they go through the wire, but that doesn't mean that your keyboard is necessarily safe. Cryptocat does not protect against hardware or software key loggers which might be snooping on your keyboard strokes and sending them to an undesired third party. 
Cryptocat does not protect against untrustworthy people: Parties you're conversing with may still leak your messages without your knowledge. 
Cryptocat aims to make sure that only the parties you're talking to get your messages, but that doesn't mean these parties are necessarily trustworthy.
4. With respect to mobile messaging apps, it also should be noted there are various other apps advertising the same anonymity. See the following:
  • Confide - "Your Off-the-Record Messenger" -- From the website: "Spoken words disappear after they're heard. But what you say online remains forever. With confidential messages that self-destruct, Confide takes you off the record."
5. On the hacking side of things, there are a few popular LiveCDs that bundle common hacking tools into an easy to use interface. The following distros are worth taking a look at:
  • Kali Linux - "The most advanced penetration testing distribution, ever" -- (formerly Backtrack) -- Kali is a LiveCD used by penetration testers, hackers, and information security professionals to streamline various hacking/recon/exploitation tasks. It includes Metasploit, the most used exploitation tool out there. Metasploit is the tool of choice for "script kiddies," essentially allowing exploitation of systems with no coding; a hacker normally must only provide a few parameters and choose a payload before the ownage of systems can commence.
6. Finally, much has been made of social engineering as the easiest, most-effective, and hardest to defend method of enterprise infiltration. (In security, the weakest link is often the human element). Social engineering has been used to gain ownership of Twitter accounts (too many examples to note), the RSA breach, etc. See this article from Dark Reading for more evidence: Socially Engineered Behavior To Blame For Most Security Breaches.

The toolkit of choice for script kiddies, penetration testers, and various others is TrustedSec's Social-Engineer Toolkit (SET). TrustedSec's website notes:
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. 
The Toolkit makes it trivial to create webpages that are identical to real enterprise websites that require credentials (allowing login/password harvesting), and also allowing Man-in-the-Middle attacks where the engineered website is passed off as a legitimate portal while the SSL traffic is stripped in the middle (allowing the "hacker" to obtain unencrypted credentials without alerting the user). The toolkit also automates phishing and has various tools and tips to help trick enterprise users into giving up the keys to the kingdom.


Post a Comment