DeepSec 2019 Talk: Still Secure. We Empower What We Harden Because We Can Conceal – Yury Chemerkin
The launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: “Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories… ‘Everything’ stores in iCloud service”.
Both cases are the same, designed in the same manner and driven by a similar idea to simplify the devices usage. It went even further with iOS and Android OS. Eventually, Microsoft and Apple have boldly described their OS as “the most secure OS ever.”
This research is based on three things: data leaks, hardening, and forensics.
Combining data leaks and hardening gives a data set with a goal and a vision of how to protect a system and make your use cases transparent. Forensics gives us excellent knowledge about valuable device security settings. Empowering the hardening with these anti-forensics techniques in terms of ‘anti-forensics hardening’ of a system makes it transparent what, when and why the whole device or its parts can or can not be accessed. To be entirely sure that all insecure gaps are closed and to verify how secure your system is, there is the option to rely on penetration testing additionally. Further more, we will talk about which insecure services are used to receive tracking data from your system, and which of them can be blocked without breaking the system and user use cases.
Outline
This talk will systematically review
- Pentest to fix gaps of security & privacy. What tools to use and why you should perform pentesting, how to read and use security report.
- Content Filtering. Mapping rogue sites, analytics and tracking services into granular activities to leverage privacy risks.
- Easy exploitation & post exploitation. Limits of AV solutions, risk of one vs. many browsers, add-ons & firewalls.
- Host & On-host network activities monitoring. Disassembling features of big enterprise solutions into lightweight tools and bring it to in-home/small companies.
- Data Protection. The security & privacy features hidden across different OS editions and builds, plus overlapping features & dependences.
- On the way to dedicated and centralized manageable solutions. Pentesting of dedicated solutions, automating security, whitelisting (native vs. vendor vs. third-party tools).
- Profiling and Use cases. The Future of forensically protected OS & devices
We asked Yury a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- The way how data is transferred directly strongly indicates the way how it is stored on servers
- Dedicated (self-hosted) solutions prevent a data leakage if you don’t forget to harden your security
- Forensic solutions give us excellent knowledge about valuable device security settings.
- Forensic solutions have a hidden love for leaked data sets (with credentials, travel routes, etc.)
- A real experiment with forensic solutions reveals many unexpected things, especially when it fails to break your security
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Experience in any field is like money-making in your life. At the beginning of a secure life, you have to use cheaper solutions to learn about their substantial background. Doing research gives you a knowledge of why this feature is here, why this protection technique works or doesn’t work, and if there is a correlation between them. Growing up, you tend to add one solution to another to increase your security level and reduce risk until you finish with almost all of them on your servers. Somewhere here, you continue to use cloud solutions, but you’re focused on reducing non-protected data sets and risks levels. Continuing to research you consider your risk level from a time viewpoint: each activity is bound to a time-frame when it actively and passively exists. If everything is supposed to be security, then daily use cases have a reduced risk level whatever you’re doing.
Why do you think this is an important topic?
This topic is aimed to show several things:
- how to read security bulletins (patch notes, etc.) and release notes of breaking tools
- how to shift the focus from daily software to forensic ones
- does it make sense to stay in the cloud or is it better to move on to self-hosted solutions
- a difference between On tools are bringing security and breaking security into the most real field: forensics vs. security
Is there something you want everybody to know – some good advice for our readers, maybe?
Many articles claim that forensic solutions are perfect in extracting your data and breaking into a system. Even though they are highly effective solutions, they fail when you’re ‘out of the box’ and have uncommon solutions or popular software & hardware that haven’t been supported for many years by forensic solutions.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I expect a lack of support of many applications and software solutions everyone uses daily; a little shift to several self-hosted solutions, they have become a bit popular. Also, the biggest issue in security now and in the future are services that cannot be limited by the amount data they store like good sellers, travel, and any healthy-ish and sport-ish apps; securing this data sets will be a new challenge.
Yury Chemerkin has ten years of experience in information security. He is a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance. He’s published many papers on mobile and cloud security, and speaks regularly at conferences such as CyberCrimeForum, DefCamp, HackerHalted, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, RootCon, PHDays, etc.