Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

Similar documents
FAQ: Privacy, Security, and Data Protection at Libraries

Keeping Important Data Safe and Secure Online. Norm Kaufman

COMPUTING FUNDAMENTALS I

Main area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation

Authentication KAMI VANIEA 1

ANDROID PRIVACY & SECURITY GUIDE ANDROID DEVICE SETTINGS

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Improving Password Management. Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL

Internet Quick Start Guide. Get the most out of your Midco internet service with these handy instructions.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

How to Stay Safe on Public Wi-Fi Networks

If your Mac keeps asking for the login keychain password

6 TIPS FOR IMPROVING YOUR WEB PRESENCE

Instructions Hack Ipod Touch Password Without Losing Data

Instructions I Lost My Iphone 4 Password Yahoo

How to Build a Culture of Security

How Do I Sync My Iphone To Another Computer Without Losing Everything

Password Managers. Victor (Vic) Daniel. Handout Page 1/38

FACEBOOK SAFETY FOR JOURNALISTS. Thanks to these partners for reviewing these safety guidelines:

Password Management. Eugene Davis UAH Information Security Club January 10, 2013

Company System Administrator (CSA) User Guide

Protecting your Data in the Cloud. Cyber Security Awareness Month Seminar Series

Authentication CHAPTER 17

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Alexa, what did I do last summer?

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

KeePass - to improve your process

BEST PRACTICES FOR PERSONAL Security

Your Auth is open! Oversharing with OpenAuth & SAML

Configuring Mobile Devices at Micah

Definitions Know What I Mean?

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

What I Do After Clicking Publish

QCon - New York. New York 18th June 2012 (June 18th for Americans)

Chapter 5 Local Area Networks. Computer Concepts 2013

Security and Privacy

Octopus Online Service Safety Guide

Mobile Banking FAQ. 1 P a g e 1 0 / 1 9 /

Password & Tutorials Packet

Security. 1 Introduction. Alex S. 1.1 Authentication

Welcome. Password Management & Public Wi-Fi Security. Hosted by: Content by:

Controlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc.

Workshop #10 Wifi & WhatsApp

Authentication Technology for a Smart eid Infrastructure.

Welcome to Facebook. Presented by Suzi Huisman

USER GUIDELINES. Q 2. Is it necessary to configure password retrieval question and answer? How can I do that? Q 3. How can I change password?

/ 1. Online Banking User Guide SouthStateBank.com / (800)

Ready Theatre Systems RTS POS

NEW MAYBANK APP FAQ GENERAL

Google 2 factor authentication User Guide

The Table Privacy Policy Last revised on August 22, 2012

Ages Donʼt Fall for Fake: Activity 1 Don t bite that phishing hook! Goals for children. Letʼs talk

PNC Prepaid Card Programs Cardholder Website How-To Manual

lifeid Foundation FAQ v.1

ipasssafe User Guide 1. Getting started Setup your first password

Table of Contents. Blog and Personal Web Site Policy

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Most Common Security Threats (cont.)

Reduce Data Usage. 01 Cellular Data for Certain Apps Go to Settings > Cellular. Dad s iphone Tips Version: 1/1/2018 6:43:00 AM

Cyber Security Guide. For Politicians and Political Parties

Guide to Getting Started. Personal Online Banking & Bill Pay

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Cyber Security Guidelines for Public Wi-Fi Networks

DER GOBBLE. Good Secure Crypto Wallet Practices. What is your wallet?

Communication using

CS November 2018

Manual Sync Contacts On My Iphone To Gmail Account Without Itunes

Welcome to First Security Mobile

FREQUENTLY ASKED QUESTIONS

Upgrading Your Home Network Security

GUIDE TO KEEPING YOUR SOCIAL MEDIA ACCOUNTS SECURE

Adobe Spark. Schools and Educators. A Guide for. spark.adobe.com

MUG NNAPLES MACFRIENDS USER GROUP

WHITE PAPER. Authentication and Encryption Design

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

So, why not start making some recommendations that will earn you some cash?

Cyber Hygiene Guide. Politicians and Political Parties

How Secured2 Uses Beyond Encryption Security to Protect Your Data

Passwords. Secure Software Systems

Password Manager for SAP Single Sign-On Implementation Guide

Course Outline (version 2)

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

DOWNLOAD PDF BACK UP YOUR SELL

Introduction to the Internet. Part 1. What is the Internet?

Windows 10 Setup Guide

Keep Track of Your Passwords Easily

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Keeping Your PC Safe. Tips on Safe Computing from Doug Copley

penelope case management software AUTHENTICATION GUIDE v4.4 and higher

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No.

Business Mobile Banking.

Connect Securely in an Unsecure World. Jon Clay Director: Global Threat

Wireless-N. User Guide. USB Network Adapter WUSB300N WIRELESS. Model No.

OAuth securing the insecure

Mobile Banking FAQs. Frequently Asked Questions. Contact Us. Security. Signing In

Password Storage. By Steve Maynard 10 July, 2018

Transcription:

Personal Internet Security Basics Dan Ficker Twin Cities DrupalCamp 2018

Overview Security is an aspiration, not a state. Encryption is your friend. Passwords are very important. Make a back-up plan.

About Me Computer geek since age 11 PHP Developer for 13 years Drupal Developer for 8+ years Blog: http://da-man.com/ Twitter: @deliriousguy Currently employed by

Image: maltaanon.com Let s Talk Encryption Math That Keeps Your Data Private

Why Encryption? The Internet is a series of data packets passed between computers. Much like the mail, many computers (and their owners) are sent this data and pass it along. Without encryption, they could open the data and read your correspondence. Encryption acts like a secret code between the sender and receiver.

One-Way Encryption Unencrypted Text: Also known as hashing, a process of turning some text into some other text that is indecipherable from random data. The process is irreversible there s no way to get back to the original data if you only know the end result. This is commonly used for passwords or other data you want to use to verify but not actually keep. password1 Encryption Algorithm Encrypted Text: 5e884898da28047151d0e56f8dc62927 0b14d501a594442a01c6859541bcb3e8 73603d0d6aabbdd62a11ef721d1542d8 164d183d32937b851835442f69d5c94e

Public Key Encryption The Private Key must be secret while the Public Key can be given freely. Public Key can decrypt messages encrypted with the Private Key. Public Key can encrypt messages that can only be decoded with the Private Key. Great for storing/transmitting data that can be sensitive.

Public Key Encryption Not Great for Public Transmission Unencrypted Data Unencrypted Data Encryption Algorithm Random- Looking Data Encryption Algorithm Public Key Private Key Great for Public Transmission

When Is Data Encrypted? Image: Universal Pictures

HTTPS = Encrypted Most major websites and apps use HTTPS. The S means secure. Encryption keeps data secret between your browser and the web server. Browsers often show a padlock next to the URL when HTTPS enabled. Image: Animaweb

HTTPS (Continued) Without HTTPS, anything entered on the website can be viewed/copied by any computer between you and the server. Yes, that includes passwords! Without HTTPS, any router or computer between you and the server can see what page and file resources you are requesting. With HTTPS, they only can see what server you are requesting data from. E-mail can be sent to & from e-mail servers in an encrypted manner using TLS, but there s no real guarantees that this will happen. E-mail should be considered insecure. At this point, just because HTTPS is not used does not mean someone will see your data. But it is a risk you take if not encrypting communications.

Wi-Fi Wireless Internet means you re publicly sending data over radio waves between you and the access point. Anyone who can pick up that radio signal may be able to get some info about you. Only Wi-Fi Networks that require a password and use WPA encryption create a secure tunnel between your computer and the access point.

Image: Information Age Let s Talk Passwords Verifying your digital identity since 1961

Passwords (Traditional) Come up with one or a few passwords that you can remember. Use them for everything. Add on a number or symbol at the end. Change it occasionally. Forget the password and then have to go through a reset process.

Password Problems It used to be you had passwords for a few work things and the bank account, but now we used hundreds of sites, each with a password. Some of these sites get hacked and the passwords get out. Now you should probably change that same password on every site. You only have one/few passwords because they re hard to remember.

Passwords Get Loose In 2009, I bought a fun little game for my iphone from a small app studio. I wanted to see how my score stacked up against others so I made an account on their website. I used my standard e-mail address and password. They did not use one-way encryption; they just stored my password unencrypted. In February, I got the e-mail to the right. My e-mail address and password was out.

Passwords Loose! Two days later, I get an e-mail from Netflix that notified me that someone logged into my account and changed the e-mail address. I didn t do that and oh crap! I used that same password that was recently disclosed. A phone call to Netflix confirmed that someone had changed the e-mail, the phone to some number in Peru. They just wanted to watch TV on my expense.

What We Learned You give your password to the company that manages that account. They might not even encrypt that password correctly. The company may give this password to others, intentionally or unintentionally. If used in many places, this can be a problem. Hacking my Netflix account, they can t get much useful info about me, just hope I pay for their binges for a bit. So not a huge security risk. But what if it was my bank? My e-mail? My Apple/Amazon account?

Has Your Data Leaked? Visit HaveIBeenPwned.com. Enter your e-mail address. This sites aggregates data from hundreds of website hacks and tells if your e-mail address and maybe more of your account information is in there. Most likely, your address and your passwords are in here. That means the hackers have them too.

Better Passwords Should be random with alphabet, numbers, and even special characters. Should be long: 20-30+ characters long. The more the better. Should be unique for each site or service. No need to change password regularly with above recommendations. Government recommended: NIST Digital Identity Guidelines (June 2017)

Password Managers These passwords are impossible to remember. That s a good thing. A Password Manager is an encrypted vault of all your passwords. You need to remember just one password to get into your vault. Optionally, use multiple factors as well to protect this vault of data.

Password Managers The best available: LastPass (Free service, Premium $24/year) 1Password ($35/year) icloud Keychain (Included free with Apple Devices) KeePass (Open Source)

Password Manager Features Plug-in integration with common browsers to auto-fill logins. Offers to save any login entered into the browser. Apps for desktop & phone OSes to access the password vault. Random password generator for new/updated accounts. Notes area for storing other data related to the account.

Multi-Factor Authentication Security on top of Security

Factor Types Authentication is the process of verifying you are the account holder. Three factors of authentication: Something you know. (e.g., password, PIN/access code) Something you have. (e.g., card, fob, token) Something you are. (e.g., fingerprint, face, DNA)

Multiple Factors Sometimes, one of the factors is used as a quicker, temporary way to login. For example, iphones allow for fingerprint/face recognition instead of passwords for some operations. Legally, something you have or are may be easier for enemies to get than something you know. Even better, require two factors for better security. Even if someone gets your password ( know ), they also need a key fob or token ( have ) so it s somewhat useless without it.

Two-Step Verification Some secondary verification is still something you know. It s not something you have or are, but some other message you should be able to know if you are who is expected. This includes getting a code on another device then entering it when prompted. Not multiple factors, but two-step verification can still be more secure.

Other Security Considerations

Phone Number Verification Problem: Phone Numbers can be somewhat insecure. Customer Service people may do the wrong thing when coerced. The backend phone network is mostly insecure. Bad actors may be able to add themselves to your account. Solution: Don t do verification via SMS. Do it via an app on your phone. Google, Twitter, Facebook, etc. all offer this option. Note: Need to remember to deal with this when changing phones.

Password Recovery Problem: If your passwords are good, the weak spot is the company s policy for recovering your password. Your mother s maiden name, your birth date, your city of birth, maybe even your first pet are things that bad actors may be able to figure out. Solution: Create some random words (that can be said to customer service over phone, if needed) that have nothing to do with the question. Store the question and your answer in password manager notes area.

Trust vs. Security Who do you trust to keep your data safe? To some extent, you have to trust: Your Internet Service Providers Your Phone Company Your Cloud Service Providers (if any) Beyond that, make sure encryption of data is happening.

Trust No One Systems can be built so that you hold all the keys the providers can t look at your data even if they want to without your password. For example, if you lose your 1Password or LastPast login/password, they really can never get that data back for you. This means you control your destiny and security. With great power comes great responsibility. Keep the keys safe!

Back Up! Have an automated back up plan of important data. Back up data on-site as well as occasionally off-site. For really important data, maybe even put it in a safe deposit box or something.

Thank You! Any Questions?

The Steve Gibson Slide Host of Security Now! Podcast 650+ in-depth episodes spanning 13 yrs Much presented in session learned here Security Researcher, Developer New idea for a slick, password-less login system, SQRL Gibson Research Corp: GRC.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback