Actions

Computer Security Mental Model

From Whonix



Mentalcomputer4801544640.png

Threat Modeling[edit]

Definition[edit]

Various wiki chapters reference the concept of threat modeling. Statements like "Conduct a personal threat assessment before proceeding" often appear before instructions that install additional software or change specific system configurations. Despite this warning, many users are unfamiliar with the concept or unsure how to conduct a proper assessment in their circumstances. In simple terms, threat modeling refers to: [1] [2]

A threat model is a list of the most probable threats to your security/privacy endeavors. Since it’s impossible to protect yourself against every attack(er), you should focus on the most probable threats. In computer security, a threat is a potential event that could undermine your efforts to stay private and secure. By focusing on the threats that matter to you, this narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.

Threat modeling is a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment. The fundamental principle underlying threat modeling is that there are always limited resources for security and it is necessary to determine how to use those limited resources effectively.

Threat Model Examples[edit]

Devising a threat model requires a realistic assessment of probable threats (adversaries) and the available mitigations that are feasible to apply. Adversaries will have varying motivations, skill and resources at their disposal. The Electronic Frontier Foundation (EFF) has noted proper security planning necessitates answering five key questions to determine what should be protected, from whom, and the potential consequences of a breach: [3]

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How bad are the consequences if I fail?
  4. How likely is it that I will need to protect it?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

To better understand these concepts, consider these questions in further detail below.

Table: Threat Modeling Concepts [1]

Concept Description
What I want to protect In terms of computing and digital security, this refers to protecting "assets" which is a type of information like browsing history, files, messages, emails, personal contacts and so on. To determine your assets, take note of what data is stored and where, who potentially has access to it, and what protections are in place to prevent unwanted access.
Who I am protecting it from Consider who might target you or your information; this is your "adversary". Potential adversaries include: family, friends or ex-partners; employers; business competition; researchers; government entities; malicious hackers; advertisers; corporations; and the IC.
How likely protection is required A proper risk assessment is required. To determine the probability of threats being actualized, consider the capabilities of adversaries and their motivation, for example: [4]
  • Family, friends and ex-partners are likely to be unskilled and unmotivated threats.
  • Advertisers and employers are generally unskilled and motivated threats.
  • Some corporations are skilled, but unmotivated threats (such as a mobile device provider).
  • Security researchers, other corporations (like Google and Facebook), competent hackers and law enforcement are skilled and motivated threats. They also have access to limited global resources.
  • The IC are highly skilled, highly motivated and have significant global resources.
Impact of an adversary breach Skilled adversaries have multiple opportunities to access, exfiltrate, delete or corrupt data, but the motives and tactics will differ depending on the specific adversary. For example, advertisers will remain focused on highly detailed profiling, government may focus on reading private communications of journalists, the IC may seek to establish full monitoring of systems associated with political activists and so on. Consider how harmful a successful breach by an adversary would be -- what they can do with private data -- and the probability of this occurring; the likelihood obviously increases with more skilled adversaries. [5]
Effort exerted on improved security Security is a process and not an end product. Every individual has different priorities, threats, resources, and capabilities. This means the "right" strategy is a balance of personal time, convenience, privacy and cost. Threat models and mitigation strategies will be very different for:
  • A journalist willing to disclose whistleblower secrets, since this requires protection from government entities.
  • A member of the public who is simply seeking to thwart profiling by online advertisers/global technology companies.
  • Managers protecting themselves against potential hackers employed by competitors for the purpose of corporate espionage.

Threat Model Guides[edit]

To better protect yourself against surveillance by adversaries, it is recommended to consult the following EFF "Security Scenarios". Detailed advice is provided for various user groups regarding appropriate resources, tools and tips to mitigate potential threats: [6]

To learn more about the Whonix ™ threat model, see here.

Mental Model Overview[edit]

Introduction[edit]

For effective computer security it is crucial to construct a rough mental model of how the computer broadly functions on a technical level. The majority of program code that is run on a computer is from diverse sources. Some software is sourced from "trusted" [7] vendors (out of necessity), while others stem from less-trusted or untrusted sources. The spectrum of trust arises because it is required for useful functionality in general computing. [8]

When a computer boots, there are four basic steps:

  1. If a computer is fully powered off and it previously did not have a battery or power cord connected, when it is powered on the first thing that occurs is the hardware initialization (which is invisible to the user).
  2. During the boot process, the first visible sign to the user is the BIOS. It is an essential skill to visually recognize the BIOS. [9]
  3. The next visible sign is the bootloader, such as grub on Linux.
  4. Disregarding intermediary steps, [10] the next visible sign most users will see is the operating system desktop environment.

By booting any computer with an operating system and associated software:

  1. The hardware, BIOS is ultimately trusted. [7]
  2. The operating system is highly trusted. [7] [11]
  3. Less trusted are applications like web browsers, for example Firefox, Chrome or Tor Browser.
  4. Least trusted are the contents shows by applications such as a website in a web browser.

Based on the simplified model above, it is therefore important to know which program code (application or program) usually [12] has associated permissions to draw windows in certain places.

Threat Assessment[edit]

When an appropriate mental model has been adopted, it becomes easier for users to detect legitimate threats or those which are most likely false alarms. As an example, consider the following image which is genuine.

Figure: Tor Browser DuckDuckGo Website in VirtualBox VM Utilizing Whonix ™ Xfce

Tor browser duckduckgo2.png

In contrast, the following image is an example of a scam which "alerts" the user with a false alarm.

Figure: Internet Explorer systembrowsing.com Scam Popup in Windows [13]

Systembrowsing-com-popup.jpg

More experienced users with the proper mental model will quickly categorize the systembrowsing.com alert as a scam. The reason is systembrowsing.com is just a website inside the browser window, without broader access to the user's operating system (in order to possibly detect local viruses). [14]

It is important to mentally compartmentalize the different parts of a computer system:

  • operating system: Windows
  • application: Internet Explorer
  • website: systembrowsing.com (scam)

By adopting a skeptical mindset and the mental model above, experienced users quickly realize the image's warning cannot be trusted, solely because it states a virus has been detected; it is just text on a website. This means the website is also the source of the message, while the browser is just the messenger. Finally, the operating system and computer display the final message destination, but the message is not actually generated by a virus scanner.

Website messages stating your computer is infected with viruses or other malware are almost always false. This does not mean your computer is not actually infected, it could be for completely unrelated reasons. But even in this case the website would be unaware of it -- websites only have permission to show text, images or audio in the web browser. [15] Simply put, web browsers are neither designed, nor supposed to scan for viruses; if that was the case, it would be well documented.

Similar to bulk phishing attempts, scam websites that resort to these tactics do not usually possess the skill to exploit vulnerabilities in web browsers or operating systems. If they did, they would just compromise the victim's computer instead of relying on a ruse. [16] A highly skeptical user will disregard such messages, or possibly seek advice or conduct appropriate research before taking any action, thereby staying safe from such attacks. Always remember that various psychological techniques are relied upon by attackers (including urgent instructions), leading to security compromises.

The take-home messages is while users must trust their operating system and less so their applications, utmost skepticism should be the default position concerning claims made by websites. Users who are unaware of this concept remain a highly vulnerable target.

Best Practices[edit]

When any information, text, audio or image is displayed by the computer, consider the following questions:

  • Which program code is likely generating this message?
  • Which program code is likely drawing this window or part of it?
  • Does this application have access to this information?
  • How does this application have access to this information? [17]

This mental model is useful to avoid potential threats, and also helps to diagnose and fix issues. The concepts documented in the following, related wiki chapters can also deepen understanding of this topic: Social Engineering and (Spear) Phishing, Cryptocurrency Hardware Wallet: Threat Model and Login Spoofing.

As an example, the following ClamTK Virus Scanner screenshot is legitimate.

Figure: ClamTK Virus Scanner [18]

ClamTk 4.30.png

By asking the questions further above, a user will notice these are "real" windows. The window decoration (minimize to tray, maximize, close buttons) as well as the window itself are drawn by the operating system. Further, the ClamTK application is responsible for the window title and content of the window and has the necessary permissions to perform a scan of system files. For these reasons, greater trust can be placed in the application's output (scanning results).

See Also[edit]

External[edit]

Footnotes[edit]

  1. 1.0 1.1 https://www.privacyguides.org/threat-modeling/ [archive]
  2. https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf [archive]
  3. https://ssd.eff.org/en/playlist/academic-researcher [archive]
  4. This is admittedly a subjective process which is different for every individual. Even though some risks are low, they may be unacceptable to specific people. On the other hand, some people disregard probable threats, because the consequences are assessed as inconsequential.
  5. For example, mobile phone providers can access all phone records, unencrypted communications are vulnerable to hackers on Wi-Fi networks, and government agencies can likely backdoor any Internet-connected device.
  6. https://ssd.eff.org/en/module-categories/security-scenarios [archive]
  7. 7.0 7.1 7.2 "Trusted" here refers to enforced trust, not because it is an individual decision to trust.
  8. In contrast, in the example of a classic washing machine -- without an Internet connection, sophisticated software or remote controls -- the only trusted program code by the washing machine vendor is that which is used to draw information on the display.
  9. Theoretically, when rebooting it is not guaranteed the real BIOS will present itself. It is possible a user could be presented with a fake reboot, whereby the real operating system keeps running normally but shows a graphical simulation of a full reboot sequence. However, there is no evidence this technique has ever been deployed in practice.
  10. Such as kernel initialization, initramfs or dracut, systemd, and single user mode in Linux.
  11. Unless there is hardware, firmware or BIOS level malware it is always possible to replace a compromised operating system with a clean operating system.
  12. Aside from malware-compromised code.
  13. https://malwaretips.com/blogs/systembrowsing-com-removal/ [archive]
  14. The only exception to this rule is some special URLs in Firefox, Chrome and Tor Browser such as about:config or about:preferences. Content of these is not generated by websites but by the browser itself.
  15. Ignoring deprecated, dangerous technologies such as Internet Explorer with ActiveX.
  16. In other words, the attacker would not need to instruct users to compromise themselves.
  17. For example, browsers can ask for permission to use the microphone, or for access to the IP address to determine a user's location.


Fosshost is sponsors Kicksecure ™ stage server 100px
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contribute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Mental Model&body=./Mental_Model link=https://reddit.com/submit?url=./Mental_Model&title=Mental Model link=https://news.ycombinator.com/submitlink?u=./Mental_Model&t=Mental Model link=https://mastodon.technology/share?message=Mental Model%20./Mental_Model&t=Mental Model

Did you know that anyone can edit the Whonix ™ wiki to improve it?

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.