Lavabit and End-point Security

coderman coderman at gmail.com
Sun Aug 11 05:45:02 PDT 2013


some questions, some answers, ...

On Sun, Aug 11, 2013 at 2:27 AM, coderman <coderman at gmail.com> wrote:
> ...
> 1. use a common distro, but rebuild critical components - bootloader,
> initramfs, openssl, openssh, the kernel, gnutls, libgmp, use 64bit,
> etc.

this means rebuilding hardened versions of these libraries from source;
excluding insecure cipher suites in an OpenSSL build, for example, or
altering architecture optimizations and supported features in others,

the goal being that an exploit targeted to a vanilla distribution will
more likely fail with observable error or crash, rather than succeed
silently.

many exploits are very brittle in this respect, with any change in
symbol offsets or capabilities rendering them completely ineffective.



> 2. use isolation and RBAC, Qubes, VirtualBox, VMWare, Parallels,
> remember that VM escapes are available and expected. defense in depth
> can never be too deep.

virtualization implies chained exploits for full compromise. combined
with the above you've drastically increased the cost of a successful
attack with modest effort. the likelihood of detection (by appearing
vulnerable yet not being so) is also increased.

remember that VMMs and hypervisors are themselves potentially
vulnerable software systems suitable for hardening and customization.



> 3. use constrained network access - identify anomalies, control
> bandwidth, firewall ingress and egress aggressively. this implies
> constant monitoring to detect such events. (another exercise left to
> the reader)

data exfiltration can be very visible via network behavior if you're
paying attention.  cross referencing connection state in your upstream
router vs. local OS view of sockets can identify discrepancies where
compromise has concealed covert connections. malware communicating
directly on an ethernet or wireless adapter outside of the OS is also
visible at this junction.



> 4. rootkit and backdoor your own systems - use the dirty tricks to
> observe and constrain your system before someone else uses dirty
> tricks to compromise your system.

this is mostly a variant of #1 at a kernel / system level.  like
notepad.exe connecting to the internet, there are some syscall, file
access, and network requests which are clearly anomalous and
indicators of compromise.



> 5. don't forget physical security - this is the universal oversight
> and most effective end run around all other operational and technical
> security measures. there is a reason physical access so often implies
> "game over" and why black bag jobs are still and will continue to be
> effective against all targets.

this is a storied tangent unto itself...


last but not least: you must develop a routine of continuous hardening
and improvement. these steps are not done once and finished; they are
elements within a larger strategy of operational rigor defending
against motivated and capable attackers. asking for my "hardened linux
build" is missing the point entirely!
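The cross-referencing described under point 3, as an added example that is not part of coderman's post: compare the flows an upstream Linux router records (a constructed sample resembling `conntrack -L` output) against the host's own socket table (a constructed sample resembling `ss -Htn`), and report the TCP flows the router saw but the host does not admit to. Addresses in the samples are private and documentation ranges, chosen for illustration only.

```python
from __future__ import annotations
import re
from typing import NamedTuple


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample resembling `conntrack -L` on the upstream router, showing
# the flows it has seen from the monitored host 10.0.0.5.
ROUTER_CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=40001 dport=8443 src=198.51.100.7 dst=10.0.0.5 sport=8443 dport=40001 [ASSURED] use=1
udp 17 29 src=10.0.0.5 dst=10.0.0.1 sport=53311 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=53311 use=1
"""

# Constructed sample resembling `ss -Htn` on the host: only one of the two TCP
# flows the router saw is visible to the local OS.
HOST_SOCKETS = """\
ESTAB 0 0 10.0.0.5:51234 93.184.216.34:443
"""

# Original-direction tuple only; the reply tuple that follows is ignored.
CT_RE = re.compile(r"^(tcp|udp)\b.*?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
SS_RE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")


def parse_conntrack(text: str) -> set[Flow]:
    """Flows as the router's connection tracker reports them."""
    flows: set[Flow] = set()
    for line in text.splitlines():
        m = CT_RE.match(line)
        if m:
            proto, src, dst, sport, dport = m.groups()
            flows.add(Flow(proto, src, int(sport), dst, int(dport)))
    return flows


def parse_ss(text: str) -> set[Flow]:
    """Established TCP sockets as the host kernel reports them."""
    flows: set[Flow] = set()
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            lip, lport, rip, rport = m.groups()
            flows.add(Flow("tcp", lip, int(lport), rip, int(rport)))
    return flows


def hidden_flows(router: set[Flow], host: set[Flow]) -> set[Flow]:
    """TCP flows seen upstream but absent from the host's socket table.
    UDP is skipped: conntrack entries outlive the short-lived sockets that
    created them, so a missing UDP socket is expected, not a discrepancy."""
    return {f for f in router if f.proto == "tcp"} - host
```

A non-empty result means either a timing artefact (a connection that closed between the two snapshots) or exactly the concealment the post warns about, so re-sample before concluding.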


