
Privacy & Security Workshops: The Basics


Part of our Privacy & Security Workshop series.

Future Ada

April 26, 2020

Transcript

  1. housekeeping@psworkshop
     • Thank you for your cooperation!
     • Chat will be open during exercises for questions
     • Any questions or comments after the workshop? [email protected]
  2. emilie@psworkshop:~$ whoami
     • Security ambassador for Future Ada
     • Ethically hacking 6+ years
     • Twitter:
       ◦ @FutureAda
       ◦ @L4bF0x
  3. Define: privacy
     The state or condition of being free from being observed or disturbed by other people.
  4. Define: online privacy
     The state or condition of having our personal data and actions free from being observed or disturbed by other people or organizations.
  5. Order the Probability
     1. Death by fireworks
     2. Going blind after laser eye surgery
     3. Death from heart disease
     4. Being attacked by a shark in the US
     5. Being called to “Come on Down” at the Price is Right
     6. Being stalked
     7. Being injured by a toilet
     8. Audited by IRS
  6. Order the Probability (answers, most to least likely; the numbers refer to the list above)
     3. Death from heart disease: 1 in 6
     6. Being stalked: 1 in 6 for women, 1 in 19 for men
     5. Being called to “Come on Down” at the Price is Right: 1 in 36
     8. Audited by IRS: 1 in 184
     7. Being injured by a toilet: 1 in 5,000
     1. Death by fireworks: 1 in 340,733
     2. Going blind after laser eye surgery: 1 in 5 million
     4. Being attacked by a shark in the US: 1 in 11.5 million
  7. Exercise 2: Google yourself
     • “Jane Smith” Spokane
     • [email protected]
     • 509-555-5555
     • 123 Drury Lane, Spokane WA
     • Bookmark results to remove
  8. Define: Digital Footprint
     The information about a particular person that exists on the Internet as a result of their overall activity.
  9. Hi, I was speaking with some folks from the Spokane Wordpress meetup this weekend. One of the attendees has a son who’s looking for an internship and tossed me his resume. Do you think he'd be a good fit? I'm meeting up with them again this Friday and would love to hear your thoughts. I've uploaded his resume to our secure FTP. Thank you!! Ada Lovelace
  10. Jane, I was speaking with some folks from the Spokane Wordpress meetup this weekend, including John Smith. He's a local web developer at STCU and mentioned his son Michael, who's finishing up his C.S. Bachelor’s at Gonzaga, is looking for an internship. Do you think he'd be a good fit? I'm meeting up with them again this Friday and would love to hear your thoughts. I've uploaded his resume to our Kiteworks. Thank you!! Ada Lovelace
     --------------------
     CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
  11. Vishing: Steps 2 + 3
     Forum profile with unique username and general location. Same username on a different website listed name and wife’s name.
  12. Vishing: Step 4
     Facebook profile listed vehicle make, model and license plate, and wedding anniversary date.
  13. Vishing: Steps 5 + 6
     Public records had vehicle VIN#, model and year. People search engine gave addresses, birthday and phone numbers.
  14. Vishing: Final Step
     Posed as wife, called insurance company and confirmed I could cancel the vehicle coverage. Could this happen to you?
  15. Exercise 3: Locking Down Social Media
     • Google: https://myaccount.google.com/privacycheckup
     • Facebook: upper right-hand corner, under the (?) > Privacy Checkup
     • Twitter: https://twitter.com/settings/safety
     • LinkedIn: https://www.linkedin.com/psettings/
     • Instagram: Profile > Settings > Make account private
     • TikTok: Profile > Settings > Privacy and Safety > Private Account
  16. Password Attack: Step 2
     Made a list of all their external-facing logins, including Outlook.
  17. Password Attack: Step 3
     Made a list of weak passwords:
     • Summer2019
     • July2019!
     • HealthCareCo123
     • BreachPassword1
     Success!! I’m in.
  18. Exercise 4: Checking For Compromise
     • Go to https://haveibeenpwned.com/ and sign up with any e-mail address(es) you currently use.
     • Confirm your e-mail address(es).
     • Note which previous breaches your addresses appear in and which sites they came from. Once subscribed, you will be alerted if your data turns up in a new breach.
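Have I Been Pwned also exposes a Pwned Passwords range API that lets you test a password against the breach corpus without ever sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and compares the returned hash suffixes locally (the k-anonymity model). The Python below is an added example written for this page, not code from the workshop or from Have I Been Pwned. The sample range data is constructed inline with made-up counts so the block runs offline; `lookup_range_live` is the only function that contacts the real service and is not called by default.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """(5-char prefix that is sent to the server, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response; skip blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def _build_sample_ranges() -> Dict[str, str]:
    """Constructed offline stand-in for the API. The passwords come from the
    workshop's weak-password list; the counts are made up for this example
    and are not real breach figures."""
    ranges: Dict[str, str] = {}
    for pw, count in (("password", 3730471), ("Summer2019", 1234), ("July2019!", 56)):
        prefix, suffix = split_hash(pw)
        # One unrelated suffix in the same bucket, so the client has to match, not just read.
        filler = hashlib.sha1(prefix.encode("ascii")).hexdigest().upper()[5:]
        ranges[prefix] = ranges.get(prefix, "") + f"{suffix}:{count}\r\n{filler}:1\r\n"
    return ranges


SAMPLE_RANGES = _build_sample_ranges()


def lookup_range_offline(prefix: str) -> str:
    """Offline lookup against the constructed sample; '' means no data for that prefix."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def lookup_range_live(prefix: str, timeout: float = 5.0) -> str:
    """Real network call. Only the 5-character hash prefix leaves the machine."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "psworkshop-range-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = lookup_range_offline) -> int:
    """How many times the password appears in the corpus (0 = not in the returned range)."""
    prefix, suffix = split_hash(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Summer2019", "IWillTake200$WorthOfChocolate Please!"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample data'}")
    # To query the real service instead: pwned_count(pw, lookup_range_live)
```

The important property is in `split_hash` and `pwned_count`: the server only ever learns five hex characters, which match roughly one in a million passwords, and the full comparison happens on the client.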
  19. Getting a Password Manager
     • Sign up for a password manager, such as:
       ◦ Dashlane: $5/mo per user
       ◦ 1Password: $3/mo per user; $5/mo for 5 users
       ◦ LastPass: free; $3/mo per user; $4/mo for 6 users
     (Prices as of April 2020.)
  20. Creating a Password: Passphrase
     • RaNd0M
     • Looooooooong
     • Make one long passphrase, like so: IWillTake200$WorthOfChocolate Please!
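To connect the spray list on the "Password Attack: Step 3" slide with the passphrase advice above, here is an added Python example (written for this page, not from the workshop). It shows why passwords such as Summer2019! satisfy a typical complexity policy yet are among the first guesses an attacker tries, and how a passphrase drawn from a word list with a cryptographic random source compares in entropy. ORG_WORDS, COMMON_WORDS and the 32-word WORDLIST are constructed for the example; a real generator would use a published list such as the EFF long word list (7776 words).

```python
import math
import re
import secrets
from typing import List, Optional

# Building blocks of the seasonal/corporate patterns seen in password sprays.
SEASONS = r"spring|summer|autumn|fall|winter"
MONTHS = (r"january|february|march|april|may|june|july|august|"
          r"september|october|november|december")
TRAILING = r"[!@#$%^&*.?]*"  # optional symbol tail, e.g. "July2019!"

# Assumed lists a defender fills in with their own organisation's names and
# the usual suspects; both are constructed for this example.
ORG_WORDS = ["healthcareco", "futureada"]
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "admin"]

WEAK_PATTERNS = [
    ("season+year", re.compile(rf"^({SEASONS})(19|20)\d\d{TRAILING}$", re.I)),
    ("month+year", re.compile(rf"^({MONTHS})(19|20)\d\d{TRAILING}$", re.I)),
    ("org name+digits",
     re.compile(r"^(" + "|".join(map(re.escape, ORG_WORDS)) + rf")\d+{TRAILING}$", re.I)),
    ("common word+digits",
     re.compile(r"^(" + "|".join(map(re.escape, COMMON_WORDS)) + rf")\d*{TRAILING}$", re.I)),
]


def weak_pattern(password: str) -> Optional[str]:
    """Name of the first spray pattern the password matches, or None if it matches none."""
    for name, rx in WEAK_PATTERNS:
        if rx.match(password):
            return name
    return None


def meets_complexity(password: str) -> bool:
    """The classic policy Summer2019! sails through: 8+ chars and 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= 8 and sum(1 for c in classes if re.search(c, password)) >= 3


# Constructed 32-word list: exactly 5 bits of entropy per word. The EFF long
# list has 7776 words, about 12.9 bits per word.
WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ripple", "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "bramble", "copper", "drizzle", "fossil", "glacier", "hazel",
]


def generate_passphrase(words: int = 6, wordlist: List[str] = WORDLIST, sep: str = " ") -> str:
    """Pick words with the `secrets` CSPRNG, never `random`, whose output is predictable."""
    if words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, alphabet_size: int) -> float:
    """Entropy of `choices` independent uniform picks from `alphabet_size` symbols."""
    return choices * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("Summer2019", "July2019!", "HealthCareCo123", "BreachPassword1"):
        print(f"{pw:18} complexity ok: {meets_complexity(pw)!s:5} pattern: {weak_pattern(pw)}")
    print("6 EFF words:", round(entropy_bits(6, 7776), 1), "bits")
    print("8 random printable ASCII:", round(entropy_bits(8, 94), 1), "bits")
    print("example from our toy list:", generate_passphrase(), f"({entropy_bits(6, 32):.0f} bits)")
```

Note what the pattern check cannot catch: BreachPassword1 matches no template because its weakness is reuse, which is exactly what the Have I Been Pwned lookup in the previous exercise is for. Policies that add a breach check and a length minimum catch more than complexity rules alone.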
  21. Setting Up Your Password Manager
     • Download the browser extension and the mobile app
     • Import your saved logins where possible (Chrome, Firefox, Edge, Internet Explorer)
     • Make sure to set it up for all accounts related to you: work, school, volunteering, gaming, etc.
  22. Prioritizing
     1. Change the affected accounts listed by haveibeenpwned.com first
     2. Go through the list of accounts. How many are there? Do you still need/use each account?
     3. Over time, change the passwords for each remaining account
  23. Why is MFA AWESOME!?
     • Even if your password is breached, leaked or guessed, a malicious person still needs access to your phone
     • Can alert you if someone is trying to log in
     • Makes you feel like you’re about to access something top-secret**
     ** Ok, it’s a stretch, but might as well have fun
  24. Setting Up MFA
     • Start with your email and financial accounts, then go in order of importance (e.g. any account that has your SSN, then financial info, then medical, etc.)
     • An app like Google Authenticator, Okta or Duo is more secure than a text message: SMS codes can be redirected by SIM swapping or intercepted in transit, while an app computes the code on your phone from a secret that never travels over the network
  25. Overview of Hardening
     1. Keep your software up to date to prevent new and common/old attacks on all devices
     2. Be able to detect threats on your device, such as malware or spyware
     3. Configure devices securely: encryption, screen lock, passwords, remote wipe, etc.
  26. Keep All Software Updated
     • Android system: https://support.google.com/android/answer/7680439?hl=en
     • Android apps: https://support.google.com/googleplay/answer/113412?hl=en
  27. Keep All Software Updated
     • iOS system: https://support.apple.com/en-us/HT204204
     • iOS apps: https://support.apple.com/en-us/HT202180#automatic
  28. Keep All Software Updated
     • Windows 10, 8.1: https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates
     • macOS: https://support.apple.com/guide/mac-help/get-macos-updates-mchlpx1065/mac
     • Don’t forget your applications!
  29. Detecting Malicious Activity
     • Android | Bitdefender: free or $15/year. https://www.bitdefender.com/solutions/mobile-security-android.html
     • Android | Sophos: free. https://www.sophos.com/en-us/products/free-tools/sophos-mobile-security-free-edition.aspx
  30. Detecting Malicious Activity
     • iOS: keep everything up to date and keep an eye out for spam emails and calls. Keep your phone locked with a secure passcode; there is no need for an additional app.
  31. Detecting Malicious Activity
     • Windows 10: keep Real-Time Protection on at all times and up to date
     • Windows 7: upgrade to Windows 10, as Windows 7 reached end of life (EoL) on January 14, 2020 and no longer receives security updates
     • macOS: Little Snitch 4. https://www.obdev.at/products/littlesnitch/index.html
  32. Browsing Securely and Privately
     • uBlock Origin: block ads and malicious content.
     • Privacy Badger: block trackers which may be collecting your information.
     • HTTPS Everywhere: make sure you’re connected securely where possible.
     • NoScript: block scripts by default unless you specifically trust the site. (Might break things)
  33. What About VPNs?
     What they do:
     • Encrypt your traffic between your device and the VPN provider’s server, which is especially useful on untrusted networks such as public Wi-Fi
     • Help curb censorship and surveillance by local network administrators
     • Prevent your ISP from knowing which websites you visit (the VPN provider can see that instead, so you are moving trust to the provider, not removing it)
     What they don’t do:
     • Keep you from browsing malicious websites or downloading malware
  34. Behaving with Security in Mind
     • Being suspicious of random links in emails and of websites that have a ton of ads
     • Being suspicious of phone calls or text messages that sound too good to be true
     • Staying away from pirated or free software
  35. Behaving with Security in Mind
     • Not plugging USB sticks or drives you don’t trust into your devices
     • Locking your screens when away
     • More tips: https://www.howtogeek.com/173478/10-important-computer-security-practices-you-should-follow/
  36. Factory Resets
     Consider a factory reset if any of the following happens:
     • Your device is running incredibly slowly and the battery drains quickly
     • It is behaving unusually (lots of alerts/pop-ups, fake anti-virus)
     • No matter how many times you change your passwords, your accounts keep being compromised
     • An untrusted person has had access to your device
  37. Local Resources
     Spokane Public Libraries. So many resources available for free to residents! Including:
     • Appy Hour: free IT tech support and help on Wednesdays from 3:30 - 5:30 pm. http://www.spokanelibrary.org/appy-hour/
     • Business Library: access to a vast amount of resources for conducting Open Source INTelligence (OSINT) gathering. http://spokanebusiness.org/
  38. Additional Resources
     • Surveillance Self-Defense. Lots of how-tos on setting up security tools and on security basics: https://ssd.eff.org/en
     • Watch your hack. An easy-to-read guide on security: https://watchyourhack.com/
     • Extreme Privacy. A guide to removing yourself from popular people search engines and the ultimate privacy workbook: https://inteltechniques.com/data/workbook.pdf
  39. Signing Up for Credit Monitoring
     • Create an account with Credit Karma: https://www.creditkarma.com/
     • Under Profile & Settings > Email Communications, check both boxes to be alerted for:
       ◦ Changes to your credit
       ◦ Suspicious activity
     • Under Security Settings > Additional Login Security for Web, check yes.