• 1 Malware considered superharmful
• 1.1 Why?
• 1.1.1 wiretapping is more and more defated by network encryption
• 1.1.2 Wiretapping is not enough
• 1.1.3 seizure makes investigations over
• 1.1.4 disk encryption defeats seizure
• 1.1.5 seizure is hard on embedded devices
• 1.1.6 seizure is (sometimes) not enough

Più sotto c’è un indice dei contenuti (in Italiano) che possiamo utilizzare come traccia per lo sviluppo dei contenuti. Vai in fondo alla pagina.

Malware considered superharmful¶

Viri, trojans, worms and other kinds of malwares are nothing new: they are here
since decades and everyone knows basically what they are.

What we aim to say is that their importance is greatly increasing and that they
can be considered the number one security menace.

Why?¶

That’s a complex question. We’ll analyze what the other kind of interception
were missing. Let’s remember what they are:

• Internet connection wiretapping (both passive and active)
• Asking data from companies that run commercial services that Alice (the
  victim) uses. That’s tipically email, social networks and so on.
• Physically getting the computer to check what’s in

We argue that malware have considerable advantages over each one of these
techniques

wiretapping is more and more defated by network encryption¶

While the CA system is rotten and certainly exploitable by a powerful attacker, wiretapping is harder than before; the most important enemy of network wiretapping is certificate pinning.
Certificate pinning is certainly nothing new, but mobile devices make heavy use of it, and that’s certainly a big advantage of the app-centric model.

Wiretapping is not enough¶

You cannot intercept what is not on the wire; and a wise internet user will not send sensitive data over the wire. Also, wiretapping only collects data handled after the investigations; for some crimes, this is non-sense.

This problems ask for a more powerful technique of evidence collection; a typical solution is disk seizure.

seizure makes investigations over¶

Seizure is powerful, because it is relatively easy to do, and lot of data can be gathered which have never been on the wire, or from years ago.
But when a computer is seized, the person under investigation know about the investigation, and this can make it more careful about his movements.

Seizure must be the very last attempt.

disk encryption defeats seizure¶

Disk encryption is very easy to use and, while it’s worth nothing against wiretapping, it seems to be really effective against disk seizure: for the major disk encryption tools, there is just no way to break it without forcing the owner to reveal the passphrase.

seizure is hard on embedded devices¶

seizure is (sometimes) not enough¶

---

Indice dei contenuti da sviluppare:

• Intro: i malware sono il nemico pubblico numero uno
• Il movente
  • I problemi con le altre tecniche di controllo
    • Crittografia sempre meglio supportata
    • Il MITM è limitato (non puoi intercettare ciò che i computer non mandano)
      • Il sequestro vanifica l’effetto sorpresa
      • Il sequestro non trova ciò che non è mai stato memorizzato
      • Il sequestro è soggetto alla cifratura del disco
      • Il sequestro è complicato su dispositivi strani (furbofoni)
  • I vantaggi del malware
    • Non si tolgono (facilmente)
    • Controllano a monte del processo di comunicazione cifrata
      • Seguono dovunque ci si sposti: un mitm si può fare solo sapendo le connessioni da intercettare
      • Si prestano a un utilizzo di massa
  • I difetti dei malware
    • Pochi protocolli, tanti sistemi: servono backdoor differenti!
  • Perché prima no e ora si?
• Le evidenze
  • Di interesse
    • SpyFiles
• I vettori d’attacco
  • java/flash/update vari