Don't Become a Victim:
A Security Professional's Practical Tips
for Staying Safe on the Internet
Kevin W. Wall – March 30, 2018
Marietta College Physics Colloquium
Copyright © 2018 – Kevin W. Wall – All Rights Reserved.
Released under Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
as specified at
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
You Are Already a Victim
● Do you use the Internet?
● Do you use a smartphone?
● Better question: Are you alive?
● That free 1 yr credit monitoring will save me, right?
● Protecting yourself:
– annualcreditreport.com
– ssa.gov
Who Am I and Why Should I Listen to this Guy?
● MC graduate, BS 1978, physics & math double major
● MS in CS, 1991, Case Western
● Started as developer at (then) AT&T Bell Labs in 1979
○ Left there 1996 as DMTS to become independent consultant
● 1999-present: Switched to application security
○ With Wells Fargo since 2013, doing security code reviews
○ Specialize in defense (vs attacking)
● OWASP involvement
● Given many security talks at security conferences
● Email: kevin.w.wall@gmail.com / Twitter: @KevinWWall
Overview of Talk
➔General security principles
● PC / Mac security
● Mobile device security
● Bonus (IoT and cryptocurrencies – time permitting)
General Security Principles
● What is your threat model?
● Enable auto-updates
– Only install software that you need.
– If privacy is not an issue, leverage cloud services.
● Perform regular backups
● Run anti-virus
● Choose different strong passwords for each site
● Keep at least 2 email addresses
● Be careful what you share, especially on social media
What is your Threat Model?
● Assets: What do I need to protect?
● Threat sources: Who am I concerned about “attacking”?
● Identify & prioritize risks:
– Where am I most vulnerable?
– What are most relevant threats?
– What attack vectors might I miss?
● We do this unconsciously in real life, but poorly in cyberspace
Enable Auto-Updates
● Lots of advice to the contrary out there
– Bad “patches” locking up systems, etc.
– Updates that take forever and a day
● But most exploits don't appear until after attackers have had a chance to
analyze and reverse engineer the patches.
– Depending on complexity, exploits start appearing as early as 3-5 days
after a patch becomes available
– Exploits become automated and self-spreading shortly after.
● May not be as clear cut on mobile updates (covered later)
Perform Regular Backups
● Why?
● Frequency depends on your comfort level & threat model:
– How much data are you willing to lose?
– General approach: full backups, followed by incremental backups
● Where to back up?
– External hard drive (don't leave permanently connected)
– Cloud services
● Periodically verify your backup:
– Try to recover a few random files
Ransomware (1/2) and Ransomware (2/2): screenshot slides (images not reproduced in the handout text)
Run Antivirus / Anti-spyware
● First, the bad news:
– All AV solutions suck:
● Any given one might detect only 30% of malware
● Collectively they do a little better, but you can only run one :(
– 2015 study by Tripwire
● https://www.tripwire.com/state-of-security/latest-security-news/70-of-malware-infections-go-undetected-by-antivirus-software-study-says/
● Took AV products 1 month to detect 93% of the malicious files analyzed, and more than half a year for
100% of the malware to be discovered
● Good news:
– It still helps, especially on Windows and Android
– macOS and iOS are targeted less, but AV is still useful there
Use Different Strong Passwords Per Site (1/2)
● Why:
– Because your passwords will be exposed in breaches:
https://haveibeenpwned.com/
– Or you will be phished.
– Attackers then try your Facebook password at your bank,
on Gmail, etc. (“credential stuffing”)
Use Different Strong Passwords Per Site (2/2)
● How:
– Think “pass phrase” rather than “pass word”, or use a combination of unrelated
words (e.g., “pUrp13di0d3$”)
– 12 characters should be your minimum length.
– Use a “password manager” to remember most of them.
● Carry ones you need in secure place (wallet) if you must.
– Use two-factor authentication where possible
– Password resets: Security questions and answers
● Lie!
● Use phrases.
– What is your favorite sports team?
● http://goodsecurityquestions.com/
Detour: Password Managers
● Single encrypted “vault” for all your secrets.
Typically supports:
– Username & password
– Site URL
– Auto-login
● List of password managers:
https://en.wikipedia.org/wiki/List_of_password_managers
Good and Bad Password Examples
● Good:
– Phrase-based:
● “This password is better than the last one I used to have.”
● OR: “Tpibtt1][u2h.”
– Unrelated-words: “p1aiDi$ot0pe$” (plaid isotopes)
● Bad: “B33f $tew”
Why is this a bad password?
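As an added example, not from the slides, here is a small Python checker that applies the rules from this and the previous slide: the 12-character minimum, undoing leet substitutions before a dictionary check (which is why “B33f $tew” is bad: it is 9 characters, and after “3”→“e” and “$”→“s” it is just “beef stew”, two dictionary words that any cracking rule set recovers), and a rough strength estimate. A second pair of functions shows the k-anonymity lookup that Have I Been Pwned's Pwned Passwords API offers (GET https://api.pwnedpasswords.com/range/<first 5 hex digits of the SHA-1>): only the prefix leaves your machine, and the suffix is matched locally. The word list, the 7776-word assumption behind the passphrase estimate, and the API response are constructed here so the example runs offline.

```python
from __future__ import annotations

import hashlib
import math
import re

# Constructed word list standing in for a real cracking dictionary. Attackers
# use lists of millions of words and phrases, so a hit here is conclusive and
# a miss is not.
WORDLIST = {"beef", "stew", "this", "password", "is", "better", "than", "the",
            "last", "one", "i", "used", "to", "have", "plaid", "isotopes",
            "purple", "diodes"}

# Common leet substitutions. Cracking tools apply these as mangling rules, so
# they add almost nothing against a dictionary attack.
LEET = str.maketrans({"3": "e", "$": "s", "0": "o", "1": "l", "@": "a",
                      "!": "i", "4": "a", "7": "t"})

MIN_LENGTH = 12
# Assumption: an attacker guesses phrases from a 7776-word (diceware-sized)
# list, so each dictionary word is worth about 12.9 bits.
BITS_PER_WORD = math.log2(7776)


def normalize(password: str) -> list[str]:
    """Undo leet substitutions, lower-case, and split into word tokens."""
    plain = password.translate(LEET).lower()
    return [t for t in re.split(r"[^a-z]+", plain) if t]


def estimate_bits(password: str) -> float:
    """Rough strength: dictionary phrase if every token is a word, else random chars."""
    tokens = normalize(password)
    if tokens and all(t in WORDLIST for t in tokens):
        return len(tokens) * BITS_PER_WORD
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password: str) -> list[str]:
    """Return the reasons a password fails the slide's rules; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    tokens = normalize(password)
    if tokens and len(tokens) < 4 and all(t in WORDLIST for t in tokens):
        problems.append("leet-disguised dictionary words: " + " ".join(tokens))
    if estimate_bits(password) < 60:
        problems.append("estimated strength below 60 bits")
    return problems


def hibp_range_parts(password: str) -> tuple[str, str]:
    """Split SHA-1 into the 5-hex-char prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines returned for the prefix."""
    _, suffix = hibp_range_parts(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for one range response: two made-up suffixes plus the
# suffix of the slide's bad example, so the lookup runs offline. Real responses
# list hundreds of suffixes per prefix.
CONSTRUCTED_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    hibp_range_parts("B33f $tew")[1] + ":1337",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])

if __name__ == "__main__":
    for pw in ["B33f $tew", "p1aiDi$ot0pe$", "Tpibtt1][u2h.",
               "This password is better than the last one I used to have."]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}, "
              f"pwned={pwned_count(pw, CONSTRUCTED_RANGE_RESPONSE)}")
```

The three good examples from the slide pass every check; “B33f $tew” fails all three. Note that a password manager does this kind of breach lookup for you, and that the 60-bit threshold is a judgment call, not a standard.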
Two Factor Authentication (1/2)
● Credentials for authentication (i.e., login) can come from 3
possible factors
– What you know
– What you have
– Who you are
● 2FA means using credentials from 2 of the 3 possible
factors
Two Factor Authentication (2/2)
● Common examples of “what you have”:
– Random verification code sent via SMS text (the weakest of these: codes can be intercepted or the number hijacked by SIM swapping, but still far better than a password alone)
– Google Authenticator app
– Hardware tokens
– X.509 client-side certificate
2FA: Common hardware tokens
● YubiKey family
● RSA SecurID
Keep at Least 2 Email Addresses
● Minimally, one that you use for contacts and important financial & health
services
– These are emails that you don't want to miss
– But don't use your company email for these!
● Another email for everything else
– Social networks
– Passing out to merchants & vendors
– Etc.
● Which email are you going to give out for a user name?
Overview of Talk
● General security principles
➔ PC / Mac security
● Mobile device security
● Bonus (IoT & cryptocurrencies)
PC / Mac Security (1/2)
● Browser choices
– Chrome or Mozilla Firefox
– Install ad-blocker
– Consider EFF's “HTTPS Everywhere” add-on
– Configure plug-ins like Adobe Flash to “ask” or disable them.
– Consider “NoScript” for Firefox
● Create separate admin account.
– Use limited access account for daily work
– Use admin account only for installing / updating software
– Do NOT disable User Account Control (UAC)
PC / Mac Security (2/2)
● Email choices
– Consider Gmail or another web-based mail service
● Leave personal firewall enabled
● Consider
– VPN and/or Tor if concerned about surveillance
– Full-disk encryption if laptop has sensitive data
– Webcam cover & clipped 3.5mm microphone jack
Ad-blocking for Browsers
● Malvertising factory with 28 fake ad agencies delivered 1 billion ads
https://arstechnica.com/information-technology/2018/01/malvertising-factory-with-28-fake-agencies-delivered-1-billion-ads-in-2017/
Recognizing Phishing (1/2)
● Gmail and other similar services help here
– Will put suspect email into the Spam / Junk folder
● Never click on links or open attachments from friends:
– Unless you are expecting it.
– Unless you have confirmed they sent it.
Recognizing Phishing (2/2)
● For links from “businesses” use your best
intuition:
– Sound too good to be true?
– Spelling / grammar errors?
– Hover over links; what do they show?
– Look at original Received: email headers
Detecting phishing links in email
...if it were only that simple
● URL shorteners such as bit.ly, Google's goo.gl, Twitter's t.co, etc.
– Hide redirects to phishing sites, which generally mirror the site they're posing as
● IDN homoglyph attacks
– Exploit the fact that some characters, or combinations of them, look alike (e.g.,
paypa1.com, rnarietta.edu)
– Those two are plain-ASCII look-alikes; true IDN attacks use non-ASCII letters (e.g., Cyrillic “а” for Latin “a”) that the browser may render identically while hiding the xn-- punycode form
– https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/
– https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
● Fake domains (e.g., bankofamericabanking.com)
– Or intentional typos in names (e.g., wellsfagro.com)
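As an added example (not part of the slides), here is a Python link checker for the tricks this slide lists: it decodes xn-- labels back to what the address bar would show, collapses Cyrillic and ASCII look-alikes into a Latin “skeleton” and compares that with a list of protected domains, catches near-typos with an edit distance that counts transpositions, and flags brand names buried in other domains as well as known shortener hosts. The protected-domain list, the shortener list and the confusable tables are assumptions for the example (the tables are a tiny subset of Unicode's confusables.txt), and `xn--pypal-4ve.com` is paypal.com with a Cyrillic а as its second letter.

```python
from __future__ import annotations

import unicodedata
from urllib.parse import urlparse

# Assumptions for the example: the domains this user cares about (the brands on
# the slide) and a few shortener hosts.
PROTECTED = {"paypal.com", "marietta.edu", "wellsfargo.com", "bankofamerica.com"}
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}

# Look-alike tables (a tiny subset of Unicode's confusables.txt): Cyrillic and
# Greek letters that render like Latin ones, plus ASCII pairs that look alike
# in common fonts.
UNICODE_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a",
})
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def host_of(url: str) -> str:
    """Lower-cased host part of a URL (scheme added if the link omits it)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels, e.g. 'paypal.com.evil.net' -> 'evil.net' (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def decode_idn(host: str) -> str:
    """Turn xn-- labels back into the Unicode the address bar would display."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA


def skeleton(host: str) -> str:
    """Collapse look-alike characters so visually similar names compare equal."""
    s = decode_idn(host).translate(UNICODE_CONFUSABLES)
    for pair, repl in ASCII_CONFUSABLES:
        s = s.replace(pair, repl)
    return s


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap (typo-squats)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(url: str) -> list[str]:
    """Reasons a link deserves suspicion; an empty list means nothing was found."""
    host = host_of(url)
    reg = registrable(host)
    if reg in PROTECTED:
        return []
    findings = []
    if reg in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    shown = decode_idn(host)
    if any(ord(c) > 127 for c in shown):
        scripts = sorted({unicodedata.name(c, "?").split()[0] for c in shown if c.isalpha()})
        findings.append(f"non-ASCII host displays as {shown!r} (scripts: {', '.join(scripts)})")
    sk = skeleton(reg)
    sk_name = sk.split(".")[0]
    for brand in sorted(PROTECTED):
        name = brand.split(".")[0]
        if sk == brand:
            findings.append(f"looks identical to {brand}")
        elif name in skeleton(host):
            findings.append(f"embeds the brand name {name}")
        elif 0 < osa_distance(sk_name, name) <= 2:
            findings.append(f"near-typo of {brand}")
    return findings


if __name__ == "__main__":
    for link in ["https://www.paypal.com/signin", "https://paypa1.com/login",
                 "http://rnarietta.edu", "http://xn--pypal-4ve.com/",
                 "http://bankofamericabanking.com", "http://wellsfagro.com",
                 "https://paypal.com.evil.net/x", "https://bit.ly/3xyz"]:
        print(link, "->", classify_link(link) or "nothing suspicious")
```

A clean result only means none of these particular tricks was found; the shortener case in particular can only be resolved by expanding the link (or not clicking it), and a real deployment would use the public-suffix list and the full confusables table.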
Some security browser tweaks
● Firefox:
– Enter 'about:config' in the address bar and confirm the warning
– Search for “network.IDN_show_punycode” and change the value to “true”
– Restart Firefox (might not be needed)
– Result: internationalized hosts show as their raw xn-- punycode form in the address bar instead of look-alike Unicode
● Chrome:
– Enter 'chrome://flags/#enable-site-per-process' in the address bar
– Enable “Strict site isolation”
– Restart Chrome (supposedly required)
– Note: this is a different protection (each site gets its own renderer process); Chrome applies its own IDN display rules and has no equivalent punycode setting
Who you calling Puny, Punk? (three screenshots: 1. status bar; 2. punycode display disabled; 3. punycode display enabled)
Safe browser habits
● When doing any financial transactions:
– First completely close ALL your browser windows
– Open a new browser window (consider a 'private browsing' window!) to go to the web site
– Perform the financial transaction and close the browser window
● Don't do it at Wi-Fi hot spots or on library / kiosk PCs
Consider changing your DNS provider
● DNS maps host names to IP addresses, which is how the Internet works
– Your default provider is determined by your ISP
– Usually it is your ISP's DNS server
● Consider changing to OpenDNS, Dyn, Cloudflare, Google, etc.
Overview of Talk
● General security principles
● PC / Mac security
➔ Mobile device security
● Bonus (IoT & cryptocurrencies)
Mobile device security: General
● For phones, prefer iPhone over Android
– If you must buy Android, go with Google brand (unlocked) or high-end Samsung Galaxy
● For tablets:
– With cellular: prefer iPad over any Android
– For Wi-Fi only: iPad or Amazon Kindle (little experience with others)
● Don't give businesses your cell # (unless you must)
Mobile device security: Apps
● Disable the option to install apps from outside the official stores. Apps from
the App Store (iTunes), Google Play, or the Amazon Kindle store are safer.
● Don't root / jailbreak your device.
● Careful of what you download & their requested permissions.
● Install AV (especially for Android)
● Consider enabling remote wipe and tracking
● Don't opt for auto-login for financial apps
● Consider doing all financial transactions on separate device
Mobile devices: Auto-updates
● Auto-updates generally a major win, but some
software distributors take advantage:
– Request additional permissions that you may not
want them to have
● E.g., updated app requests “fine grain location” (GPS)
or access to Bluetooth or to your Contacts list
– Causes dilemma if also security fixes
Examples: Undesired permissions (screenshots of permission requests from the YouTube and USA Today apps)
Beware of requests for additional permissions!
Ask yourself:
● Why are they needed?
● How could they be abused?
Bonus #1: Internet of Things (IoT)
● Just. Don't.
● If you must:
– Change default passwords
– Turn off or disconnect from Internet when not using
– Make sure you keep firmware updated:
● Likely needs to be done manually
● Schedule on calendar every 6 months or so.
Bonus #2: Cryptocurrencies
● Highly unregulated
– Pump and dump, Ponzi schemes, and other fraud
– More gambling than investment
– Over 200 variations at last count!
● Cryptocurrency exchanges have lost ~35% of investments
because of hackers
● John Oliver on cryptocurrencies (parental warning!):
https://www.youtube.com/watch?v=g6iDZspbRMg
Where to go for more info:
● Electronic Frontier Foundation –
https://sec.eff.org/
● OWASP Consumer Best Practices –
https://www.owasp.org/index.php/Consumer_Best_Practices
● Kevin Wall –
http://users.wowway.com/~kwwall/presentations/security/safe-surfing.ppt
Questions?
