1
00:00:00,677 --> 00:00:02,541
In the section on security domains,

2
00:00:02,575 --> 00:00:04,746
we talked about physical security

3
00:00:04,856 --> 00:00:08,797
in terms of a separate device like a secure laptop,

4
00:00:08,867 --> 00:00:11,397
or a secure USB, or SD card.

5
00:00:11,490 --> 00:00:15,287
Now we’re going to dig a little deeper in relation to privacy and anonymity,

6
00:00:15,423 --> 00:00:17,860
and physical security domains.

7
00:00:18,039 --> 00:00:21,954
So let’s start with devices and their hardware serial numbers.

8
00:00:22,084 --> 00:00:27,956
So devices have hardware serial numbers that can uniquely identify them.

9
00:00:28,055 --> 00:00:32,447
These unique identifiers can then possibly trace back to you

10
00:00:32,547 --> 00:00:35,411
through a money trail or potentially other methods,

11
00:00:35,521 --> 00:00:38,287
if the hardware wasn’t bought anonymously.

12
00:00:38,361 --> 00:00:41,807
If you care about non-attribution and staying anonymous,

13
00:00:42,010 --> 00:00:46,387
then you need isolation of the unique hardware identifier

14
00:00:46,464 --> 00:00:49,638
so it cannot be enumerated by your adversaries.

15
00:00:49,696 --> 00:00:53,432
The first unique hardware ID that you need to be aware of,

16
00:00:53,434 --> 00:00:55,717
if you’re not already, is the MAC address.

17
00:00:55,756 --> 00:00:59,666
An adversary could get your MAC address off your network card,

18
00:00:59,695 --> 00:01:01,702
which is always a unique number.

19
00:01:01,842 --> 00:01:05,687
This method was used by the NSA to deanonymize Tor users

20
00:01:05,777 --> 00:01:09,061
through a Firefox exploit on the Tor browser.

21
00:01:09,101 --> 00:01:12,540
And this is a write-up here of how that happened, if you’re interested.

22
00:01:13,234 --> 00:01:18,399
The MAC address is like an IP address, but for your local network only.

23
00:01:18,451 --> 00:01:20,995
If an adversary has access to your machine,

24
00:01:21,125 --> 00:01:23,495
they can view the unique MAC.

25
00:01:23,520 --> 00:01:24,998
If they know the unique MAC,

26
00:01:25,058 --> 00:01:27,243
that can be potentially traced back to you

27
00:01:27,325 --> 00:01:29,331
through the purchasing of that device.

28
00:01:29,431 --> 00:01:32,446
So in Windows, if you want to look at your MAC address,

29
00:01:32,594 --> 00:01:37,010
you simply type in ipconfig /all.

30
00:01:38,352 --> 00:01:41,463
I have a lot of adaptors on this because it’s a virtual machine,

31
00:01:41,512 --> 00:01:44,763
but let’s scroll up and see if we can find the physical addresses,

32
00:01:44,803 --> 00:01:45,586
the MAC address.

33
00:01:45,636 --> 00:01:47,148
There’s one of them.

34
00:01:47,419 --> 00:01:51,244
So for this network adaptor, that’s the physical address,

35
00:01:51,296 --> 00:01:52,932
unique physical address.

36
00:01:53,614 --> 00:01:55,409
You may only have one network card,

37
00:01:55,459 --> 00:01:58,935
so you may only see one physical address.

38
00:01:59,015 --> 00:02:01,402
There you go, there’s the MAC address.

39
00:02:04,412 --> 00:02:05,821
And there’s another one.

40
00:02:05,871 --> 00:02:08,452
And yours will probably say Ethernet adaptor

41
00:02:08,752 --> 00:02:11,743
or wireless adaptor and you'll see it here.

42
00:02:12,096 --> 00:02:15,355
On both Mac and Linux, you can use ifconfig.

43
00:02:15,537 --> 00:02:19,670
We'll need sudo to run it or root permissions.

44
00:02:24,160 --> 00:02:25,435
And there it is,

45
00:02:25,732 --> 00:02:31,554
the hardware unique MAC address, on both Linux and Mac OS X.

46
00:02:32,402 --> 00:02:35,137
It’s also possible to see it using IP tool.

47
00:02:36,928 --> 00:02:38,555
So you can see it there.

48
00:02:40,042 --> 00:02:42,843
IP is like the new ifconfig.

49
00:02:45,006 --> 00:02:49,432
And now just specify eth0 so you can see the hardware address.

50
00:02:49,735 --> 00:02:50,590
It’s the same thing,

51
00:02:50,650 --> 00:02:53,338
just another way to find the hardware address.

52
00:02:54,303 --> 00:02:59,303
The first three bytes of a MAC address are the manufacturer’s ID.

53
00:02:59,361 --> 00:03:01,355
So if you have an Apple laptop,

54
00:03:01,415 --> 00:03:04,034
then it'll be the ID of Apple.

55
00:03:04,134 --> 00:03:07,730
If you’ve got a Lenovo laptop, then it'll be the ID of Lenovo.

56
00:03:07,860 --> 00:03:10,825
And the last three bytes of your MAC address,

57
00:03:10,947 --> 00:03:13,665
this is specific and unique to the net,

58
00:03:13,715 --> 00:03:15,977
to the network card, to the Wi-Fi card,

59
00:03:16,087 --> 00:03:17,040
to the Ethernet card,

60
00:03:17,090 --> 00:03:21,068
so it’s this last three that will be unique to your device.

61
00:03:21,208 --> 00:03:25,436
If you’re looking for privacy, anonymity, non-attribution,

62
00:03:25,556 --> 00:03:27,814
then you need to change your MAC address.

63
00:03:27,866 --> 00:03:30,403
It can be potentially got out via malware

64
00:03:30,485 --> 00:03:35,036
and it can be seen on local networks as well, Ethernet and Wi-Fi.

65
00:03:35,993 --> 00:03:39,633
For Windows you can use this tool here to change the MAC address.

66
00:03:39,798 --> 00:03:42,653
It’s a pretty good tool, works very well, it’s free.

67
00:03:43,796 --> 00:03:45,834
In Linux there’s a tool called MAC Changer.

68
00:03:45,879 --> 00:03:47,025
This is available in Kali,

69
00:03:47,085 --> 00:03:50,552
but won’t be available in Debian and other distributions straight away,

70
00:03:50,632 --> 00:03:52,358
so you'll need to install it.

71
00:03:57,919 --> 00:04:00,288
And you can select whether you want to set it up

72
00:04:00,398 --> 00:04:02,667
to automatically change the MAC address.

73
00:04:02,817 --> 00:04:05,228
I’m going to select No here, but you can select Yes.

74
00:04:07,548 --> 00:04:09,090
So we need to change the MAC.

75
00:04:09,243 --> 00:04:12,581
To change the MAC we need to down the network interface.

76
00:04:12,708 --> 00:04:15,497
The network interface on this one is eth0.

77
00:04:19,170 --> 00:04:21,373
That’s taking eth0 down.

78
00:04:24,166 --> 00:04:26,501
So we can see there just the local loopback,

79
00:04:26,651 --> 00:04:30,548
eth0 isn’t there anymore, so now we can change the MAC address.

80
00:04:33,677 --> 00:04:35,639
The -r means random,

81
00:04:35,699 --> 00:04:39,374
so it’s randomly changing the eth0 MAC address,

82
00:04:39,499 --> 00:04:42,503
and now it’s changing to the new MAC address that you can see now.

83
00:04:45,510 --> 00:04:47,916
As you can see, the interface is still not there,

84
00:04:47,976 --> 00:04:50,070
so we need to bring it up again.

85
00:04:52,603 --> 00:04:56,094
And that will bring it up. And let’s see if it’s up.

86
00:04:57,611 --> 00:05:02,050
And there it is with its new hardware address,

87
00:05:02,200 --> 00:05:03,935
its new MAC address.

88
00:05:05,370 --> 00:05:09,487
On a Mac, you can change your MAC address using a command line as well.

89
00:05:09,661 --> 00:05:11,516
And that would be like this.

90
00:05:13,632 --> 00:05:15,554
en0 would be the name of the interface,

91
00:05:15,714 --> 00:05:17,874
so whatever the name of the interface is.

92
00:05:20,978 --> 00:05:23,407
And then you specify at the end there the MAC address

93
00:05:23,573 --> 00:05:27,795
and that will change the MAC address on a Mac OS X.

94
00:05:28,156 --> 00:05:31,516
But I’m on Debian here, so I’m not going to run that command.

95
00:05:31,797 --> 00:05:33,328
If you don’t want to do it on the command line,

96
00:05:33,352 --> 00:05:36,748
with Mac OS X you can download MacDaddy X.

97
00:05:36,954 --> 00:05:39,448
That will enable you to change the MAC.

98
00:05:40,188 --> 00:05:42,157
And there’s actually another tool as well

99
00:05:42,430 --> 00:05:46,562
called WiFiSpoof which will enable you to change the MAC address.

100
00:05:48,926 --> 00:05:51,415
Virtual machines hide your real MAC

101
00:05:51,475 --> 00:05:55,640
and also allow for the setting of the MAC address.

102
00:05:56,605 --> 00:05:58,454
Example here,

103
00:06:00,429 --> 00:06:02,548
so you can see the MAC address here.

104
00:06:02,891 --> 00:06:05,093
And we can generate a new, random one there.

105
00:06:05,336 --> 00:06:06,908
That’s VirtualBox.

106
00:06:07,065 --> 00:06:09,227
But if you fear a knock at the door,

107
00:06:09,297 --> 00:06:13,368
you need to change the virtual MAC through the VM frequently.

108
00:06:13,450 --> 00:06:17,283
You don’t want a static MAC that ties you to a virtual machine

109
00:06:17,333 --> 00:06:20,471
even if it is just a virtual MAC address.

110
00:06:20,655 --> 00:06:23,861
But the best option is to have anonymously purchased hardware

111
00:06:23,921 --> 00:06:26,173
like laptops, and network cards,

112
00:06:26,253 --> 00:06:28,413
and Wi-Fi, and network dongles;

113
00:06:28,726 --> 00:06:31,135
the devices that have MAC addresses.

114
00:06:31,264 --> 00:06:36,203
You could purchase a whole bunch of cheap USB network adaptors

115
00:06:36,324 --> 00:06:40,459
and use a MAC changer in combination to mitigate the risk.

116
00:06:40,589 --> 00:06:43,177
This would be the best way of MAC mitigation:

117
00:06:43,284 --> 00:06:46,095
anonymous hardware plus MAC Changer.

118
00:06:46,753 --> 00:06:49,492
Tails, another security-focused operating systems,

119
00:06:49,503 --> 00:06:52,601
use MAC Changers as default.

120
00:06:52,671 --> 00:06:56,008
But do check to make sure they don’t show the real MAC

121
00:06:56,128 --> 00:06:58,366
of your device’s network card.

122
00:06:58,552 --> 00:07:01,606
You know how to check that now, so when you’re not using Tails,

123
00:07:01,686 --> 00:07:03,148
check out what the MAC is.

124
00:07:03,320 --> 00:07:04,688
Then, when you’re in Tails,

125
00:07:04,768 --> 00:07:07,820
run ifconfig or sudo ifconfig

126
00:07:07,930 --> 00:07:10,459
and see if the MAC address has changed.