Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Digital Privacy & Security

luke crouch
January 18, 2020

Digital Privacy & Security

Tips, techniques, and tools for protecting your online privacy & security. Pulled together from Mozilla, EFF, Wired, and Consumer Reports resources. First presented at Tulsa Library.

luke crouch

January 18, 2020
Tweet

More Decks by luke crouch

Other Decks in Technology

Transcript

  1. Digital
    Privacy & Security

    View Slide

  2. About me
    • Privacy & Security Engineer

    View Slide

  3. View Slide

  4. 😢
    Sorry:
    It’s a little complicated

    View Slide

  5. 😺
    But you CAN set up some
    good protections
    in a few minutes

    View Slide

  6. ftc.gov/yourprivacy

    View Slide

  7. ssd.eff.org

    View Slide

  8. Security is a process,
    not a purchase …

    View Slide

  9. “Threat-model”
    • What do you want to protect?
    • From whom do you want to protect it?
    • How likely is it that you need to protect it?
    • How bad are the consequences of failure?
    • How much trouble are you willing to go thru to
    prevent those?

    View Slide

  10. What’s your threat
    model?

    View Slide

  11. https://www.wired.com/2017/12/digital-security-guide/

    View Slide

  12. When you think about your online data,
    who are you most worried about gaining
    unauthorized access?
    https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

    View Slide

  13. https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

    View Slide

  14. https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

    View Slide

  15. https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

    View Slide

  16. Average Consumer Profile
    • You want to protect Consumer PII:
    Bank Accounts, Passwords,
    Browsing History, Health Data,
    Search History, Location, etc.
    • You want to protect it from:
    hackers, bad websites, data
    brokers, and social networks
    • You are NOT a special target for
    any attackers
    • Total Identity Theft is your worst-
    case consequence
    • Risk Profile ~= Average Consumer

    View Slide

  17. 📰
    Good News!
    A few simple tools and
    techniques can go a
    long way.

    View Slide

  18. http://www.consumerreports.org/privacy/the-consumer-reports-10-minute-digital-privacy-tuneup/

    View Slide

  19. 🍰
    Let’s go from easiest
    to hardest

    View Slide

  20. 1. Turn on
    Automatic Updates
    and install them!

    View Slide

  21. Automatic Updates protection
    • Bad websites or Hackers
    • Stealing any kinds of data:
    passwords, bank accounts, health, etc.

    View Slide

  22. Malicious Software
    https://archive.org/details/protect-your-devices-from-hackers

    View Slide

  23. How devices are infected
    • Email attachments
    • Malicious web link
    • USB drives or DVDs/CDs

    View Slide

  24. Email Attachments
    https://archive.org/details/protect-your-devices-from-hackers

    View Slide

  25. https://archive.org/details/protect-your-devices-from-hackers

    View Slide

  26. https://archive.org/details/protect-your-devices-from-hackers
    Don’t visit suspicious links

    View Slide

  27. Don’t use unknown drives

    View Slide

  28. 1. Turn on
    Automatic Updates
    and install them!

    View Slide

  29. View Slide

  30. 2. Learn to identify
    Phishing/Scamming

    View Slide

  31. Phishing tries to get your
    username & password

    View Slide

  32. https://ai.google/research/pubs/pub46437

    View Slide

  33. https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

    View Slide

  34. https://docs.apwg.org/reports/apwg_trends_report_q3_2019.pdf

    View Slide

  35. Your email account …
    • Does it use the same password as other
    accounts?
    • Can it reset your password at other accounts?
    • Paypal?
    • Your bank?

    View Slide

  36. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

    View Slide

  37. https://phishingquiz.withgoogle.com/

    View Slide

  38. https://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/

    View Slide

  39. View Slide

  40. A password manager can
    help prevent phishing
    (more on PW managers later)

    View Slide

  41. 2-Factor Authentication
    can help prevent phishing
    (more on 2FA later)

    View Slide

  42. 3. Use Screen Locks
    on every device

    View Slide

  43. Screen Locks protection
    • Hackers
    • Stealing any kinds of data:
    bank, personal, health, etc.

    View Slide

  44. View Slide

  45. Can your device … ?
    • Do your online banking? (Personal & work)
    • See & use all your email? (Personal & work)
    • Use email to reset passwords?
    • Show all your photos & videos?
    • Show your home address and map searches?
    • Show all your contacts?
    • Do 2-Factor Authentication?

    View Slide

  46. 4. Always use HTTPS

    View Slide

  47. View Slide

  48. HTTPS protection
    • Hackers
    • Stealing any kinds of data:
    bank, personal, health, etc.

    View Slide

  49. View Slide

  50. View Slide

  51. 5. Make backups!

    View Slide

  52. • Ransomware
    • Malware recovery

    View Slide

  53. View Slide

  54. View Slide

  55. View Slide

  56. 6. Use Tracking
    Protection

    View Slide

  57. Tracking Protection
    • Hackers, bad websites, online data brokers,
    social networks
    • Watching browsing history
    • Other data too

    View Slide

  58. Private Browsing

    View Slide

  59. Tracking Protection

    View Slide

  60. More Tracking Protection
    uBlock Origin

    View Slide

  61. Mobile Tracking Protection
    iOS Android

    View Slide

  62. Mobile Tracking Protection
    iOS Android

    View Slide

  63. 7. Mind your
    permissions

    View Slide

  64. Permissions
    • Websites, online data brokers, social networks
    • All kinds of data: browsing, searching,
    location, etc.

    View Slide

  65. View Slide

  66. View Slide

  67. View Slide

  68. View Slide

  69. 8. Check your
    Data-Breach Status

    View Slide

  70. View Slide

  71. monitor.firefox.com

    View Slide

  72. View Slide

  73. View Slide

  74. View Slide

  75. View Slide

  76. View Slide

  77. Change your
    breached password
    immediately

    View Slide

  78. Update other logins using
    the same password

    View Slide

  79. 8a. Use Strong &
    Unique Passwords

    View Slide

  80. View Slide

  81. https://www.eff.org/dice

    View Slide

  82. 8b. Start using a
    Password Manager

    View Slide

  83. View Slide

  84. View Slide

  85. View Slide

  86. 8c. Use 2-Factor
    Authentication
    (2FA)

    View Slide

  87. View Slide

  88. View Slide

  89. View Slide

  90. Is SMS/text-based
    2-factor auth secure?

    View Slide

  91. SMS/Text 2FA Attacks
    • SIM porting
    • Stingray/femtocell interception

    View Slide

  92. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

    View Slide

  93. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

    View Slide

  94. https://www.digitaltrends.com/mobile/femtocell-verizon-hack/
    https://en.wikipedia.org/wiki/Femtocell

    View Slide

  95. View Slide

  96. View Slide

  97. View Slide

  98. View Slide

  99. Average Consumer Protections
    • Install your updates
    • Train to beware of phishing
    • Lock your screens
    • Use HTTPS
    • Use Tracking Protection
    • Mind permissions
    • Use strong passwords
    (Password Manager)
    • Use 2-factor auth

    View Slide

  100. Public Figure Profile
    • You need extra protection:
    Browsing & Search History,
    Online & Offline activity,
    location, etc.
    • You ARE a special target for
    some adversaries
    • Online harassment is a real
    risk for you, maybe offline
    “real-life” harassment or even
    detainment

    View Slide

  101. Use a passcode
    (Not Fingerprint or Face Recognition)
    to unlock device

    View Slide

  102. http://time.com/3558936/fingerprint-password-fifth-amendment/

    View Slide

  103. Use a privacy screen

    View Slide

  104. View Slide

  105. Cover Your Cameras

    View Slide

  106. Cimkiz WB01 Webcam
    Cover Slider

    View Slide

  107. View Slide

  108. Encrypt everything

    View Slide

  109. Encrypt & Back up
    Your Drives
    (Hard Drive & USB)

    View Slide

  110. Mac
    Windows
    BitLocker™
    (Pro & Enterprise) FileVault
    www.veracrypt.fr

    View Slide

  111. Use End-to-End Encryption
    (E2EE)
    for messaging

    View Slide

  112. http://money.cnn.com/2013/07/15/technology/security/femtocell-phone-hack/index.html

    View Slide

  113. View Slide

  114. View Slide

  115. Signal

    View Slide

  116. https://www.signal.org/

    View Slide

  117. Use Protonmail or
    Tutanota for email

    View Slide

  118. https://www.privacytools.io/#email

    View Slide

  119. Don’t use public WiFi
    networks

    View Slide

  120. http://insights.dice.com/2014/02/18/home-routers-pose-biggest-consumer-cyberthreat/

    View Slide

  121. http://www.tulsalibrary.org/wifi.htm

    View Slide

  122. Don’t use your
    real email address

    View Slide

  123. Temporary email addresses
    10minutemail.com

    View Slide

  124. Public inboxes
    mailinator.com

    View Slide

  125. Burner addresses
    burnermail.io

    View Slide

  126. Public Figure Profile
    • Privacy Screen
    • Cover webcams
    • Passcodes, not biometrics
    • Encrypt Disks
    • End-to-end Encrypted
    Messaging
    • Encrypted Email
    • Be careful on WiFi
    • Don’t use your real email address

    View Slide

  127. “Spy” Profile
    • Maximum Protection
    • You are engaged in
    cybersecurity work

    View Slide

  128. Book

    View Slide

  129. Podcast

    View Slide

  130. Don’t use your
    real phone number

    View Slide

  131. Use
    burner credit cards

    View Slide

  132. Use Tor

    View Slide

  133. https://www.eff.org/pages/tor-and-https

    View Slide

  134. IP, DNS, & HTTP threats
    • Hackers-in-the-middle
    • ISPs snooping on customers’ online activity
    • Governments censoring sites
    • Corporations scanning web logs for their
    competitors’ IP addresses
    • Criminal sites scanning web logs for law
    enforcement IP address

    View Slide

  135. https://www.eff.org/pages/tor-and-https
    Location
    =
    IP Address

    View Slide

  136. protects the
    user/pw & data
    from the intermediaries

    View Slide

  137. https://www.eff.org/pages/tor-and-https

    View Slide

  138. View Slide

  139. View Slide

  140. View Slide

  141. View Slide

  142. View Slide

  143. IP, DNS, & HTTP threats
    • Hackers-in-the-middle
    • ISPs snooping on customers’ online activity
    • Governments censoring sites
    • Corporations scanning web logs for their
    competitors’ IP addresses
    • Criminal sites scanning web logs for law
    enforcement IP address

    View Slide

  144. How do we protect
    location + destination
    from intermediaries?

    View Slide

  145. View Slide

  146. is a browser
    patched
    with
    The
    Onion
    Router

    View Slide

  147. The Onion What?

    View Slide

  148. https://www.torproject.org/about/overview.html.en

    View Slide

  149. https://www.torproject.org/about/overview.html.en

    View Slide

  150. View Slide

  151. View Slide

  152. View Slide

  153. View Slide

  154. View Slide

  155. View Slide

  156. View Slide

  157. Tor protection from
    DNS + HTTP internet threats
    • Hackers-in-the-middle
    • ISPs snooping on customers’ online activity
    • Governments censoring sites
    • Corporations scanning web logs for their
    competitors’ IP addresses
    • Criminal sites scanning web logs for law
    enforcement IP address

    View Slide

  158. Download Tor !

    View Slide

  159. Demo

    View Slide

  160. More
    • Use a VPN
    • Hide your Personally-Identifiable Information
    • “Threat-modeling”

    View Slide

  161. http://www.consumerreports.org/privacy/66-ways-to-protect-your-privacy-right-now/

    View Slide

  162. • What do you want to protect?
    • Emails? Messages? Files?
    • From whom do you want to protect it?
    • Boss? Government? Hackers?
    • How likely is it that you need to protect it?
    • E.g., unlikely: mobile phone carrier publishing your data online
    • How bad are the consequences of failure?
    • Risk ~= how likely * how bad
    Threat-modeling:
    Your Risk Profile

    View Slide

  163. Changes in Risk Profiles
    • Graduating?
    • New job? (e.g., Journalist, Police Officer, Lawyer)
    • Moving to a new country?
    • Changes in company policies or laws?

    View Slide

  164. • https://ssd.eff.org
    • https://www.consumerreports.org/privacy/the-
    consumer-reports-10-minute-digital-privacy-
    tuneup/
    • https://www.wired.com/2017/12/digital-security-
    guide/

    View Slide