Defcon Crypto Village - OPSEC Concerns in Using Crypto
OPSEC CONCERNS IN USING
HOW YOUR BAD TECH DECISIONS
HELP ME PUT YOU IN JAIL
CRYPTO & PRIVACY VILLAGE, DEFCON 24
• Manager, Threat Systems @ Fidelis Cybersecurity
• Lecturer in CS @ University of Illinois Urbana-Champaign
• Run several takedown-oriented groups on malware threats
• Crafter of Artisanal Molotov Cocktails
TL;DR - PATTERNS AND NORMALCY
• Surveillance does not scale for large datasets:
• People, malware, packets on the internet, etc.
• There have to be multiple layers of filtering and scoring to
determine priority of tasking resources.
• Some targets are specifically and explicitly tasked, everything
else is all subject to some level of pattern matching and
• You are not a normal.
• This is a normal:
WHAT IS OPSEC?
• Operational security: keep what you don’t want known
• Part is keeping secrets.
• Another (more important) part is not looking like you have secrets worth
• Basic security matters (we’re still not using passphrase-less
keys are we?)
• Compartmentalization: everyone has compartments.
• Signaling vs. Communication
• Who are we hiding from? What are their interests and
capabilities? What is “sufficiency”?
• Intelligence services, law enforcement, and their friends (like
• Criminals or other malicious actors
DON’T THINK YOU ARE A TARGET?
• How many people here have admin/root on infrastructure they
• Our government has already said that is the exact kind of
people they are targeting (even before those of you who have 0-
• You don’t think the US is the only one who does this, do you?
WHY OPSEC CONCERNS WITH CRYPTO?
• Thought process starting in tracking mobile malware, Android
Apps need to be signed.
• As an investigator and intel analyst, I LOVE free-form text
fields. (more later)
• As technologists, crypto is hard and many of us still don’t
understand its limitations.
• Encrypt all the things may not be the best option in certain
WHY OPSEC CONCERNS WITH CRYPTO?
• Two parts of OPSEC:
• Want to hide the secrets
• Want to hide the fact you have secrets
• Crypto is great at the first one.
• Crypto often loudly yells that you are the second guy.
• Note: Everyone I’ve helped put in jail is there because they
screwed up their OPSEC.
OPSEC PROBLEM #1 WITH ENCRYPTION
• Not everything is encrypted.
• In the above example, the DNS request, which is “good enough” to know what
• Even in a “perfect” crypto world, the session metadata isn’t
• Source, Destination, Time, Inferences of size of communication…
• If I know who you are calling/texting, sometimes that’s enough to make
• The HEIST attack at RSA, while overhyped, is an example.
From: Kevin Mandia email@example.com
To: John Bambenek firstname.lastname@example.org
Subject: Job Offer for VP role
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
AND THERE’S MORE
$ gpg -vvvv text.gpg
gpg: using character set `utf-8’
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v2
:pubkey enc packet: version 3, algo 1, keyid F4402E054FD02AA1
data: [2046 bits]
gpg: public key is 4FD02AA1
:encrypted data packet: length: 400 mdc_method: 2
gpg: encrypted with RSA key, ID 4FD02AA1
gpg: decryption failed: secret key not available
IF YOU HAVE THE KEY, YOU GET MORE
:secret key packet: version 4, algo 1, created 1442844965,
expires 0 skey: [4096 bits] skey: [17 bits] iter+salt
S2K, algo: 3, SHA1 protection, hash: 2, salt: 1edfd8aa175bb427
protect count: 65536 (96) protect IV: 8a d6 c0 76 0e
c4 86 5c encrypted stuff follows keyid:
0F3B1D99BBB8C31E:user ID packet: "John Bambenek
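The packet walk that `gpg -vvvv` performs above can be reproduced in a few lines, which makes the point concrete: the recipient key ID sits in cleartext in the very first packet, before any decryption is attempted. This is an added example, not code from the talk. It builds a constructed message (reusing the key ID from the dump above purely as sample data; the encrypted session key and data packets are stubs) and parses both old- and new-format packet headers.

```python
# OpenPGP packet walk: shows what an observer learns from a PGP message without
# holding any key. Added example; the constructed sample reuses the key ID from
# the packet dump above, everything else is a stub.

PK_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 3: "RSA sign-only", 16: "Elgamal",
            17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
SAMPLE_KEY_ID = "F4402E054FD02AA1"   # from the dump above; used as sample data only


def build_pkesk(key_id_hex, algo=1, old_format=False):
    """Build a Public-Key Encrypted Session Key packet (tag 1).
    Body: version 3, 8-byte key ID, algorithm id, then the encrypted session
    key MPI. The MPI here is a constructed 8-bit stub, not real ciphertext."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + bytes([algo]) + b"\x00\x08\x2a"
    if old_format:                      # 10tt tt00: tag in bits 2-5, 1-octet length
        return bytes([0x80 | (1 << 2), len(body)]) + body
    return bytes([0xC0 | 1, len(body)]) + body


def build_user_id(uid):
    """User ID packet (tag 13): the body is the bare UTF-8 string."""
    body = uid.encode()
    return bytes([0xC0 | 13, len(body)]) + body


def parse_packets(data):
    """Return a list of (tag, body), handling old- and new-format headers
    (RFC 4880 section 4.2). Partial-body and indeterminate lengths are rejected."""
    i, packets = 0, []
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if ctb & 0x40:                              # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                       # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        packets.append((tag, data[i + hdr:i + hdr + length]))
        i += hdr + length
    return packets


def describe(data):
    """Report the metadata a passive observer learns from the packet stream."""
    findings = []
    for tag, body in parse_packets(data):
        if tag == 1:
            key_id = body[1:9].hex().upper()
            findings.append({
                "packet": "pubkey enc", "version": body[0], "key_id": key_id,
                "algo": PK_ALGOS.get(body[9], f"unknown({body[9]})"),
                # gpg --hidden-recipient / --throw-keyids writes an all-zero key ID
                "hidden": key_id == "0" * 16,
            })
        elif tag == 13:
            findings.append({"packet": "user id", "user_id": body.decode("utf-8", "replace")})
        else:
            findings.append({"packet": f"tag {tag}", "length": len(body)})
    return findings


if __name__ == "__main__":
    # A tag 18 (symmetrically encrypted integrity-protected data) stub follows the PKESK.
    msg = build_pkesk(SAMPLE_KEY_ID) + bytes([0xC0 | 18, 3]) + b"\x01\x02\x03"
    for f in describe(msg):
        print(f)
    print(describe(build_pkesk("0" * 16))[0]["hidden"])   # recipient key ID thrown away
```

The `hidden` field is the one knob GnuPG gives you here: `--hidden-recipient` (`-R`) or `--throw-keyids` zeroes the key ID, at the cost of every holder of a private key having to try each one on decryption. It hides only the key ID; the packet sizes, the fact that it is a PGP message at all, and the transport metadata (sender, recipient, time) are untouched, which is exactly the problem the slides describe.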
Anonymity with PGP is hard. See Tom Ritter’s Deanonymizing
Alt.Anonymous.Messages talk: https://ritter.vg/p/AAM-
• With a Key ID, you can cross-search keyservers to find the
• Old keys never die.
• Many people have multiple emails tied to the same key (not
usually a good idea).
• People reuse same SSH keys for authentication across
• Silk Road – Dread Pirate Roberts compartmentalization screw-
ups should be required reading.
• The argument for shutting down “safe spaces” for terrorists to
communicate is stupid. Never drive a known into an unknown
without some return.
• Lots of useful data still available in metadata.
• Required reading: @thegrugq
OPSEC PROBLEM #2 WITH CRYPTO
• SSL/TLS Certificates, Signing Certs create all sorts of new
• Geolocation, Identity, Serial Number, Creation/Expiration Dates
• CAs have one job: to verify the identity of the owner of certs they
• Have I said I love free-form text fields?
YOU HAVE ONE JOB
# ./letsencrypt-auto certonly --standalone -d gmail.com
An unexpected error occurred:
Policy forbids issuing for name
# ./letsencrypt-auto certonly --standalone -d fireeye.com
# ./letsencrypt-auto certonly --standalone -d illinois.gov
IT GETS WORSE
• What happens when someone gets a wildcard certificate?
• What about when a security company gets their own CA
MORE CERTIFICATE FUN
Version: 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle
Not Before: Jan 6 16:33:13 2015 GMT
Not After : May 23 16:33:13 2042 GMT
Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle
MORE CERTIFICATE FUN
• Malware builder always used the above cert when it resigned
• Now it’s trivial to find the “many” apps in the Google Play store
with that malware.
• Basic statistical analysis, hunting for geographic oddities, etc.
makes hunting mobile malware easy.
HOW TO FAIL AT TLS
Version: 3 (0x2)
Serial Number: 522427837 (0x1f239dbd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, O=assylias.Inc, CN=assylias
Not Before: Jan 17 05:26:19 2015 GMT
Not After : Dec 24 05:26:19 2114 GMT
Subject: C=FR, O=assylias.Inc, CN=assylias
ONE LAST POINT
• SSL/TLS certification information is searchable with Shodan and
a few other tools specifically for archiving observed SSL/TLS
• If you re-use certs, it makes it easy to correlate your activities
and break your compartmentalization.
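The two certificate dumps above and the reuse point are worth turning into running code. Below is an added example, not a tool from the talk, that triages `openssl x509 -text` style output for the oddities the slides hunt on (self-signed, SHA-1 signatures, decades-long validity, a US state under a non-US country) and then correlates certificates across hosts the way a Shodan-style archive would. The certificate fields are the ones shown on the slides; the observing hosts, the ten-year threshold and the small state table are constructed.

```python
# Certificate triage and reuse correlation over `openssl x509 -text` style dumps.
# Added example. The two certificate field sets are the ones shown on the slides
# above; the hosts they are "observed on", the thresholds and the state table are constructed.
import hashlib
from datetime import datetime

CERT_ORACLE = """\
Version: 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle
Not Before: Jan 6 16:33:13 2015 GMT
Not After : May 23 16:33:13 2042 GMT
Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle
"""

CERT_ASSYLIAS = """\
Version: 3 (0x2)
Serial Number: 522427837 (0x1f239dbd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, O=assylias.Inc, CN=assylias
Not Before: Jan 17 05:26:19 2015 GMT
Not After : Dec 24 05:26:19 2114 GMT
Subject: C=FR, O=assylias.Inc, CN=assylias
"""

# Constructed partial lookup for the geographic-oddity check: a US state name
# under a non-US country attribute is the kind of mismatch worth a second look.
US_STATES = {"Oregon", "Ohio", "California", "Texas", "New York", "Virginia"}


def parse_dn(dn):
    """'C=EU, ST=Oregon, ...' -> {'C': 'EU', 'ST': 'Oregon', ...} (no escaped commas)."""
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)


def parse_cert_text(text):
    """Collect 'Field: value' lines into a dict and parse the two DNs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    for dn in ("Issuer", "Subject"):
        fields[dn] = parse_dn(fields.get(dn, ""))
    return fields


def parse_time(value):
    """openssl prints validity as e.g. 'Jan 6 16:33:13 2015 GMT'."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def triage(text, max_years=10):
    """Return sorted flags describing why this certificate looks odd."""
    c = parse_cert_text(text)
    flags = []
    if c["Issuer"] == c["Subject"]:
        flags.append("self-signed")
    if c.get("Signature Algorithm", "").lower().startswith("sha1"):
        flags.append("sha1-signature")
    if (parse_time(c["Not After"]) - parse_time(c["Not Before"])).days > max_years * 365:
        flags.append("long-validity")
    if c["Subject"].get("ST") in US_STATES and c["Subject"].get("C") != "US":
        flags.append("geo-mismatch")
    return sorted(flags)


def cert_fingerprint(text):
    """Stable id for 'the same certificate seen elsewhere': serial, DNs and validity."""
    c = parse_cert_text(text)
    canon = "|".join([
        c.get("Serial Number", ""),
        ",".join(f"{k}={v}" for k, v in c["Issuer"].items()),
        ",".join(f"{k}={v}" for k, v in c["Subject"].items()),
        c["Not Before"], c["Not After"],
    ])
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def cluster_by_cert(observations):
    """observations: iterable of (host, cert_text). Hosts presenting the same
    certificate land in one cluster, which is what breaks compartmentalization."""
    clusters = {}
    for host, text in observations:
        clusters.setdefault(cert_fingerprint(text), []).append(host)
    return clusters


# Constructed observations: two unrelated-looking hosts share one certificate.
OBSERVED = [
    ("203.0.113.10", CERT_ORACLE),
    ("198.51.100.7", CERT_ORACLE),
    ("192.0.2.44", CERT_ASSYLIAS),
]

if __name__ == "__main__":
    for name, text in (("oracle-lookalike", CERT_ORACLE), ("assylias", CERT_ASSYLIAS)):
        print(name, triage(text))
    for fp, hosts in cluster_by_cert(OBSERVED).items():
        print(fp, hosts)
```

The fingerprint deliberately ignores the host it was seen on: if you present one certificate from two compartments, the clustering step joins them, no matter how carefully the rest of the infrastructure was separated. In practice you would key on the certificate's SHA-256 hash from the archive rather than a text canonicalisation; the text form is used here only so the example runs on the slide material.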
OPSEC PROBLEM #3 WITH ENCRYPTION
• Encryption (to some) is inherently suspicious.
• What is actually suspicious is abnormal behavior.
• All profiling (and surveillance) is based on this concept because
it is impossible to monitor everyone completely. Target
selection is important.
• I may not know what you’re saying, but I know when you’re
• All the “privacy” VPN services are known and their IP space is
• You could set up your own VPN, but you immediately lose the
privacy using a common service provides.
• And don’t think all those bitcoin services will help you either.
Bitcoin is anonymous but it is NOT private.
MAKING ENCRYPTION MAINSTREAM
• We’re already doing it with Let’s Encrypt and other aspects of
• Google now sends email over TLS (**if other side supports it**)
• Tor is not “normal”
• VPNs to non-corporate endpoints are not “normal”
• Encrypted email is not “normal”, nor is WhatsApp, Signal, et al…
• But they can be. We may not look like a sheep, but maybe we
can make the sheep look like us.
SOMETIMES ENCRYPTION IS NOT WORTH IT
• When traveling in “less friendly” locations, it may be better not
to draw attention. Border checkpoints are not your friends.
• Tor may hide what you are looking at but it stands out on a
• Many criminal and intelligence professionals use electronic
means for signaling and then have a conversation in a preferred
SOMETIMES ENCRYPTION IS NOT WORTH IT
• How many people here have secure wifi at home?
• Note, digital forensics is good at figuring out the bits. It can be
hard to figure out what’s going on in actual meat space.
• Sometimes ambiguity is your friend.
OPSEC PROBLEM #4 WITH ENCRYPTION
• Encryption doesn’t protect you against stupid mistakes.
Including by others.
• It’s the stupid stuff that gets you.
• Password re-use, even when hashed and salted, can taint
• Passphrase-less keys publicly available on the web
STUPID MISTAKES BY OTHERS
• All security is based on trust.
• Using a hacker bulletin board? How can you be sure they are
fully patched and haven’t had their database dumped?
• Are you sure your encrypted messenger isn’t just giving your
data away anyway?
• Think it can’t happen? Look at Wall of Sheep upstairs. Or ask
• Important point, password hashes become identifiers.
ALL ENCRYPTION NEEDS TO BE
• Cracking crypto is hard… attacking endpoints is easy. Attacking
people’s stupid mistakes is trivial.
• If I already own your box, all your encrypted comms are
• You may be in a scenario to have to give up your files… if your
keys are there it’s game over.
• Virustotal keeps all files that are submitted to it and makes
them available via commercial API.
• You can use Yara to find things, like all files that have “BEGIN
RSA PRIVATE KEY”.
• The search “maxes” out the results at 10,000. Of those, over 85% had no
• SSH keys don’t have targeting information in them directly.
• PGP keys do though, and you can search for those in VT too
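The Yara search described above is something you should run over your own material before it leaves your control, whether that is a repository, a backup or a sample about to be uploaded to a scanning service. Below is an added example, not a tool from the talk, that does the equivalent in Python and goes one step further than the string match: it recognises every common PEM label that can carry a private key and reports whether each block is passphrase-protected (the "over 85% had no" point from the slides). All key blocks in it are constructed stubs with no real key material.

```python
# Private-key audit for your own artifacts before they leave your control
# (repositories, backups, samples about to be uploaded to a scanning service).
# Added example, not a tool from the talk; every key block below is a constructed
# stub with no real key material.
import base64
import re

# Same idea as the Yara string search mentioned above, generalised to every PEM
# label that can carry a private key; the \1 backreference forces END to match BEGIN.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _openssh_is_encrypted(content):
    """openssh-key-v1 layout: magic, string ciphername, string kdfname, ... ; 'none' = cleartext."""
    b64 = b"".join(line.strip() for line in content.splitlines() if b":" not in line)
    raw = base64.b64decode(b64)
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    pos = len(OPENSSH_MAGIC)
    n = int.from_bytes(raw[pos:pos + 4], "big")
    return raw[pos + 4:pos + 4 + n] != b"none"


def classify(label, content):
    """True = passphrase-protected, False = cleartext, None = not determined here."""
    if label == "ENCRYPTED PRIVATE KEY":           # PKCS#8, encrypted
        return True
    if label == "PRIVATE KEY":                     # PKCS#8, cleartext
        return False
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        # Traditional OpenSSL format signals encryption with PEM headers.
        return b"Proc-Type: 4,ENCRYPTED" in content and b"DEK-Info:" in content
    if label == "OPENSSH PRIVATE KEY":
        return _openssh_is_encrypted(content)
    return None   # e.g. PGP PRIVATE KEY BLOCK: protection lives inside the secret-key packet


def audit(blob):
    """Find every private-key block in a byte string and classify its protection."""
    return [{"type": m.group(1).decode(), "offset": m.start(),
             "encrypted": classify(m.group(1).decode(), m.group(2))}
            for m in PEM_RE.finditer(blob)]


def unprotected(blob):
    """The findings that matter most: keys anyone who obtains the file can use as-is."""
    return [f for f in audit(blob) if f["encrypted"] is False]


# --- constructed samples ---------------------------------------------------
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def _fake_openssh_key(cipher, kdf):
    """Only the header prefix matters for the check; the rest is zero padding."""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
           + (1).to_bytes(4, "big") + b"\x00" * 16)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_BLOB = b"".join([
    b"-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n",
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJDRA==\n"
    b"-----END RSA PRIVATE KEY-----\n",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJDRA==\n-----END ENCRYPTED PRIVATE KEY-----\n",
    _fake_openssh_key(b"none", b"none"),
    _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nQUJDRA==\n-----END PGP PRIVATE KEY BLOCK-----\n",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_BLOB):
        print(f)
    print(len(unprotected(SAMPLE_BLOB)), "cleartext key(s)")
```

Point `audit()` at the bytes of any file you are about to commit, archive or upload. A `None` result for a PGP block is deliberate: as the slides note, a PGP key carries user IDs and therefore targeting information regardless of how well the secret material is protected, so it should never leave your control, passphrase or not.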
WHAT TO DO ABOUT IT ALL?
• It depends on what adversary you care about.
• Free-form text fields are your worst enemy.
• Layers help.
• Compartmentalize (if you’re doing interesting things while
using tor from home, you’re doing it wrong).
• Look and smell like a normal. Sometimes waiting or not
encrypting is a better option.
TOOL 1 – ANDROID-CERT-GENERATOR
• https://github.com/uiucseclab/Android-Cert-Generator from UI
Security Lab students.
• I wanted to figure out how to defeat my own analytics.
• Problem: Android malware requires you to write a fully-functioning
app or to trojanize an existing app, but then you have to re-sign it. Need a way
to create believable but fake signed APKs because you lack the
• Uses the same details as the previously signed cert.
• Checks the Google Play Store and Wolfram Alpha to generate the information.