
I'm needing a really good security system for my work. Any Ideas?

Discussion in 'BlackHat Lounge' started by Dajana, Jun 28, 2013.

  1. Dajana

    Dajana Newbie

    Joined:
    Jun 28, 2013
    Messages:
    0
    Likes Received:
    0
    Hi to everyone, I was recommended to come here, so I hope I'm in the right place because I really need help with this.
    I'm working on a new project with some people from an organization. We know this organization is quite spied on. That's a fact, but we really need to keep this new project hidden for security reasons.


    We have limited resources, so we need an intelligent solution for this situation rather than expensive, complex stuff.


    Anyway... I was talking with this foreigner guy that knows something about this topic and his solution (I will paste what he wrote to me) was:


    Get an encrypted VPN account for each person on the team. Rent a computer located in another country that could be used remotely by the team members (with something like LogMeIn or a safer alternative).
    One computer for each member. Get connected to the encrypted VPN and then log in remotely to one of the computers, then create Gmail or Outlook email accounts for each member (of course with fake names) and a main email account for the project (so the docs could be created in the cloud and stored there). To work, each member will have to connect to the encrypted VPN and then log in to one of the computers. Once they are hooked to a remotely controlled machine, they could begin to work generating information, sharing docs, etc. Nothing related to the project should be worked on, stored or searched for (in Google or any browser) on a local computer.


    What do you think about this? Could it work? Any idea how this could be improved or changed to a better solution? I hope you can help me, I'm quite nervous about this whole situation.
     
  2. etmcl

    etmcl Regular Member

    Joined:
    May 3, 2008
    Messages:
    345
    Likes Received:
    54
    I can help you but I charge $1000 :p
     
  3. Dajana

    Dajana Newbie

    Joined:
    Jun 28, 2013
    Messages:
    0
    Likes Received:
    0
    Thanks for your reply. Do you have experience with these issues? I mean, have you offered a secure system before for a similar situation?
     
  4. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    Security isn't an add-on. It depends on the requirements (what type of things do I want to keep safe, what roles will be allowed to share what, how many people need access, what is the sophistication of the attacker etc). And you haven't mentioned them, so...

    That said, reading the proposed solution, it's based on the assumption that the local computers are safe (won't be hacked). Well, if they are, what's the reason for using a VPN and remote computers instead of working directly with those? The VPNs and remote computers don't constitute a defence if the local computers get compromised - the attacker will simply use them as pivots and gain access there as well.
     
    • Thanks Thanks x 1
  5. Dajana

    Dajana Newbie

    Joined:
    Jun 28, 2013
    Messages:
    0
    Likes Received:
    0
    Thanks a lot for your answer jazzc. Sorry for the lack of information, I'm not a tech girl at all and just posted what I thought was enough.


    We are ten people. We mostly want to keep ourselves anonymous, I mean we don't want to be recognized as the authors of the information we will generate (investigation stuff).
    The roles are 3 to 4 writers, 2 editors, one graphic designer, one webmaster (who will publish the info) and the director, who will check everything before its publication.
    We assume the sophistication of the attackers could be medium to high. They have a lot of money, so maybe they are using their financial resources wisely or not, we really don't know.
    We are almost sure the computers of the office are not safe.
    Someone said yesterday that maybe we will have to buy some new computers just for this work, but dunno how this could help if the office is already compromised.


    So... reading your answer, I assume the solution this guy gave me is useless, right? What can we do? I will appreciate any idea...
     
  6. Dajana

    Dajana Newbie

    Joined:
    Jun 28, 2013
    Messages:
    0
    Likes Received:
    0
    Oh I forgot the video guy. We will also post the generated content in the social profiles. So we need to log in and post stuff to a FB fan page, Twitter account, Youtube Account and Flickr account.
    Those accounts will have the name of the site, and the same design of course, but we don't want any of the team to be related to them.
     
  7. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    You've got lots of points to cover. What I don't get is, if you are already targeted, don't they already know who publishes your stuff? Doesn't that tie you to the information? Or do they need hard proof? Or is the website owner anonymous so far?
     
  8. Dajana

    Dajana Newbie

    Joined:
    Jun 28, 2013
    Messages:
    0
    Likes Received:
    0
    We have not published anything yet, the project has not been launched yet. We are worried about the investigation stuff that will be published in some weeks. And for that, yes, they will need names, as you said, hard proof. I just talked to the tech guy a few minutes ago about the points you posted, and he clarified that the information on the local computers is probably being seen. He talked to me about some kind of equipment that could capture cell phone calls, SMS, wifi, cookies info(?), ahh... I'm getting lost in all this.


    Maybe we are already fucked, maybe we are not yet but we will be soon even with our best effort to avoid this... but we want to try, we really want to do our best to protect ourselves.
     
  9. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    That kind of equipment isn't available to just anyone with enough money. If you're going to become a serious target of some 3-letter agency, there's no real defence in terms of anonymity. You can try, but don't bet your lives on it.
     
    • Thanks Thanks x 1
  10. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,249
    Likes Received:
    3,498
    Occupation:
    Full time IM
    @OP

    1. You cannot afford to make mistakes. One mistake is enough to get exposed.
    2. It is a matter of how good your enemy is. It is one thing to hide from a hacker, another to hide from organized crime, yet another to hide from police, yet another to hide from FBI and another to hide from NSA.
    3. Complete/perfect anonymity is possible but imposes extreme limitations and also may require you to break the law or find a way around paper trails and money trails.

    This forum is far from the best resource on this topic. I recommend you look over the stuff at Electronic Frontier Foundation, hackforums.net, SANS, etc. I'm quite a noob in this area but I know enough to realize that getting this right 100% is an extremely demanding job. Especially since you're a team of people, one mistake from one of you can screw you up.

    VPNs hide you only from civilians, they will give up your data if they get a subpoena/court order.
    Proxies are EXTREMELY dangerous and you risk a lot using them. That is, unless you run your own proxy servers.
    Most techniques and software advertised as increasing security/anonymity are actually a bigger security/anonymity hole if you don't understand their dangers and how to correctly use them and, most importantly, your enemy.

    Frankly, lacking even the most basic knowledge, as seems to be the case, you're an easy target for somebody skilled. I know that's not reassuring but it is what I think. It is like expecting that somebody can teach you in 1 hour how to survive in the jungle during the Vietnam War, against people that have been there fighting for years.
     
    • Thanks Thanks x 3
  11. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,249
    Likes Received:
    3,498
    Occupation:
    Full time IM
    GSM can be intercepted and spoofed easily if they are in proximity to you - they impersonate the carrier cell antenna by broadcasting a stronger signal and requesting a disconnect from the phone. Also, the GSM encryption algorithm has been cracked, so it is vulnerable.
    3G encryption afaik hasn't been cracked, but I don't know anything about the possibility to spoof the carrier cell tower.
    WiFi triangulation is also possible without much effort.
    Credit cards, passports with chip, etc. - the data on them can be stolen.
    Skype and many other software and services have governmental backdoors. Best bet is with Linux and 100% open source software and encryption at every level (FDE/LUKS or TrueCrypt if you need plausible deniability).

    3-letter agencies can hack anything because they "own" the networks. They can even do voice recognition on cell phone or VoIP intercepts. They can even pick up radiation from your laptop's LCD from a block away and replicate the image you see on another computer.

    However, considering your lack of knowledge about even the most basic stuff, I think your greatest weakness is the human factor. With all the technology/encryption/anonymity in the world, if you the user don't know what is a hazard and what is safe then you're pretty much fucked and likely to make mistakes.

    If you want to do any disclosure of sensitive material, your best bet is to get help from somebody like WikiLeaks. That being said, do you truly trust WikiLeaks to be what it is advertised as being? Also, keep in mind they're targeted and watched all the time, so by affiliation you become a target.
     
    • Thanks Thanks x 6
  12. Dajana

    Dajana Newbie

    Joined:
    Jun 28, 2013
    Messages:
    0
    Likes Received:
    0
    Wow, thanks for your reply madoctopus. Yeah, you are right, my main worry is the human factor too (I'm very aware of my lack of knowledge). Something that I have not clarified is that they are not a 3 letter agency. This situation is in my country, and it is a local issue that worries only these people. Yeah, they have good resources but I bet they are not the top guys at this stuff. So maaaybe we have a chance. I will check the stuff you posted. Thanks a lot!
     
  13. Roparadise

    Roparadise BANNED BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417
    You should really just drop the idea, no need to get involved with your country's government over some bs that isn't going to make you any money and can land you in jail.
     
    • Thanks Thanks x 1
  14. ShadeDream

    ShadeDream Elite Member

    Joined:
    Nov 27, 2008
    Messages:
    2,209
    Likes Received:
    5,230
    Location:
    He who laughs last, laughs longest.
    Is this for real? That's crazy!
     
  15. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    That's so old tech I remember reading about it when we still used CRT screens :) A faraday cage should stop it though. Some manufacturers make screens that radiate less, for gov use mostly.
     
    • Thanks Thanks x 1
  16. sirgold

    sirgold Supreme Member

    Joined:
    Jun 25, 2010
    Messages:
    1,260
    Likes Received:
    645
    Occupation:
    Busy proving the Pareto principle right
    Location:
    A hot one
    There was a PoC project on freshmeat some years ago that used to intercept AM frequencies from CRT, that was fun! :D

    A few pointers. PGP for encrypting your email is safe and in a team of 10 is more than acceptable. Put all on an offshore, disk encrypted VPS. It can still be accessed while on but there are workarounds for that too and that's why you need it offshore. Set a VPN from your offshore VPS: you decide the cipher and encryption, no matter who's listening they'll end up with a bunch of garbage that needs to be decrypted and it's not as trivial as some ppl might love to think. Here the red flag might be raised from your provider for the very reason you're tunneling right from the get go, but -again- there's not much they can do. Or any MITM entity, for that matter...

    If you're worried about the human error or laptop loss, you might want to implement a mechanism similar to those banking devices that generate a random number that's time-dependent. I'm not aware of anything ready, but the algos are in the wild so it's not too complicated if security is your absolute priority.

    There are many more things to take into account, but this should be a good start ;)
     
    Last edited: Jun 28, 2013
  17. Roparadise

    Roparadise BANNED BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417
    Does it only apply to CRT, or would LCD, LED and OLED also emit enough to detect a block away?
     
  18. RedStain

    RedStain Regular Member

    Joined:
    Oct 19, 2012
    Messages:
    201
    Likes Received:
    67
    Location:
    US
    I suggest that, to learn about top security protocols, you download the TOR engine: www.torproject.com. Check out some forums there where all of the members are experienced criminals who hide from the government. They will help you learn or guide you in the right direction to resources where you can learn about this stuff. Even if you aren't hiding from the government, obviously if you can hide from the government you can hide from just about anyone.
     
  19. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,249
    Likes Received:
    3,498
    Occupation:
    Full time IM
    @ShadeDream & jazzc & Roparadise - yes, it is possible with LCD. Initially it was for CRTs, which radiated a lot, and there are papers and studies on that. Then people thought it doesn't work for LCDs, but I found a paper from a university that did a DOD sponsored project which included finding a solution to do this on LCD, and they were "partially successful", which tells me by now the method works pretty well. The same concept can be used on a variety of EM radiation systems - from data cables to complex devices.

    While I'd suspect it is harder to do and more environment-dependent (signal vs noise), I am pretty sure it can be done for LCDs and other flat panels too. They don't necessarily pick up the EM of the panel but the EM of the signal cable or VGA/HDMI/DVI port and/or internal circuitry of the monitor. I think this is how the university did it IIRC.

    @sirgold: You cannot do VPS full disk encryption (FDE) because the underlying virtual machine manager can be hooked into and the encryption keys extracted. You can only do FDE on a dedicated server, but it is useless because FDE only protects when the computer is turned off. If the computer is on, they can do a Firewire attack and access the RAM data, or even if you shut it down, within a window of several minutes to an hour (if RAM is frozen/cooled) an attacker can do a cold boot attack.

    @RedStain TOR is not really that secure. If you control enough nodes (and there aren't many) you can access the information. For certain purposes and for a certain usage is secure enough but not for everything.

    @OP For more info on what private security companies can do, google "WikiLeaks Spy Files" and read through the huge amount of data. I recommend at least the proposal for Libya.

    There are a huge number of attacks that can be done - from social engineering, hands-on hardware/physical access (if it happens and they have skills this is the most dangerous), network intercepts, drive-by data gathering, etc.

    Keep in mind that governments, law enforcement agencies and intelligence agencies of most if not all countries save traffic logs for ALL users. These are being extracted from the wire at the country-level internet connectivity nodes and sent through VPN wherever the agencies have their data center(s). Most keep these logs 1 year. Some more, some less. Stuff they save - all email traffic, all URLs visited, all IRC/chat, all established P2P connections (SSH connects, etc), etc.

    Even if you're not going against a government but against a private entity if they have money, knowledge and influence they have access to tech and skilled people.

    It is very very hard to give you any usable advice because I have no info (and don't think I care to know) on who is your enemy, what kind of money they have, what kind of influence, etc. and what you're trying to do and how.

    Good luck, but think hard and think long before you fuck up your life by going and poking the bear with a stick. Maybe you found amazing things that would expose politicians or whatever, maybe you found they like to rape little girls, maybe you found they do money laundering, whatever. Nothing new under the sun - happens now, happened 1000 years ago, will happen for the next 1000 years. Get over it and live your life and enjoy the nice things. The bear doesn't attack you if you don't go in his den to poke him with a stick.
     
    • Thanks Thanks x 4
  20. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    I don't agree with this, sometimes it's worth fighting for what you deem important regardless of the price.
     
    • Thanks Thanks x 2