
Digital Privacy & Security

luke crouch
January 18, 2020


Tips, techniques, and tools for protecting your online privacy & security. Pulled together from Mozilla, EFF, Wired, and Consumer Reports resources. First presented at Tulsa Library.


Transcript

  1. Digital Privacy & Security

  2. About me • Privacy & Security Engineer

  4. Sorry: It’s a little complicated

  5. But you CAN set up some good protections in a few minutes
  6. ssd.eff.org

  7. Security is a process, not a purchase …

  8. “Threat-model” • What do you want to protect? • From whom do you want to protect it? • How likely is it that you need to protect it? • How bad are the consequences of failure? • How much trouble are you willing to go through to prevent those?
  9. What’s your threat model?

  10. https://www.wired.com/2017/12/digital-security-guide/

  11. When you think about your online data, who are you most worried about gaining unauthorized access? https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179
  15. Average Consumer Profile • You want to protect Consumer PII: Bank Accounts, Browsing History, Health Data, Search History, Location, etc. • You want to protect it from: bad websites, data brokers, hackers, and social networks • You are NOT a special target for any attackers • Total Identity Theft is your worst-case consequence • Risk Profile ~= Average Consumer
  16. Good News! A few simple tools and techniques can go a long way.
  17. http://www.consumerreports.org/privacy/the-consumer-reports-10-minute-digital-privacy-tuneup/

  18. Let’s go from easiest to hardest

  19. 1. Turn on Automatic Updates and install them!

  20. Automatic Updates protection • Bad websites or Hackers • Stealing any kinds of data: passwords, bank accounts, health, etc.
  21. Malicious Software https://archive.org/details/protect-your-devices-from-hackers

  22. How devices are infected • Email attachments • Malicious web link • USB drives or DVDs/CDs
  23. Email Attachments https://archive.org/details/protect-your-devices-from-hackers

  24. https://archive.org/details/protect-your-devices-from-hackers

  25. https://archive.org/details/protect-your-devices-from-hackers Don’t visit suspicious links

  26. Don’t use unknown drives

  27. USB Power Outlets

  28. Bonus points: USB Data Blockers

  29. 1. Turn on Automatic Updates and install them!

  31. 2. Learn to identify Phishing

  32. https://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/

  33. https://ai.google/research/pubs/pub46437

  34. Phishing tries to get your username & password

  35. https://docs.apwg.org/reports/apwg_trends_report_q3_2019.pdf

  36. Your email account … • Does it use the same password as other accounts? • Can it reset your password at other accounts? • Paypal? • Your bank?
  37. https://phishingquiz.withgoogle.com/

  39. A password manager can help prevent phishing (more on PW managers later)
  40. 2-Factor Authentication can help prevent phishing (more on 2FA later)

  41. 3. Use Screen Locks on every device

  42. Screen Locks protection • Hackers • Stealing any kinds of data: bank, personal, health, etc.
  44. Can your device … ? • Do your online banking? (Personal & work) • See & use all your email? (Personal & work) • Use email to reset passwords? • Show all your photos & videos? • Show your home address and map searches? • Show all your contacts? • Do 2-Factor Authentication?
  45. https://www.bleepingcomputer.com/news/security/new-offensive-usb-cable-allows-remote-attacks-over-wifi/

  46. 4. Always use HTTPS

  48. HTTPS protection • Hackers • Stealing any kinds of data: bank, personal, health, etc.
  51. 5. Make backups!

  52. Backups protections • Ransomware • Malware recovery

  56. 6. Use Tracking Protection

  57. Tracking Protection • Hackers, bad websites, online data brokers, social networks • Watching browsing history • Other data too
  58. Private Browsing

  59. Tracking Protection

  60. More Tracking Protection uBlock Origin

  61. Mobile Tracking Protection iOS Android

  62. 7. Mind your permissions

  63. Permissions • Websites, online data brokers, social networks • All kinds of data: browsing, searching, location, etc.
  68. 8. Check your Data-Breach Status

  70. monitor.firefox.com

  78. Change your breached password immediately

  79. Update other logins using the same password

  80. 8a. Use Strong & Unique Passwords

  82. https://www.eff.org/dice
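The EFF dice method from the slide above, worked through in code as an added example (not part of the deck): five dice rolls form a key into a 7776-word list, words are drawn with a CSPRNG when dice are not at hand, and the entropy of the result is computed from list size and word count. The word list here is a constructed stand-in with a handful of entries; the real EFF large list has 6**5 = 7776 words and EFF recommends six of them.

```python
import math
import secrets

# The EFF large word list has one word per five-dice key ("11111" .. "66666"),
# i.e. 6**5 = 7776 entries. This tiny dictionary is a constructed stand-in so
# the block runs offline; it is not the EFF list itself.
EFF_LIST_SIZE = 6 ** 5
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "11112": "abdomen",
    "11113": "abdominal",
    "66666": "zoom",
}


def roll_key(rolls):
    """Turn five physical dice rolls (each 1-6) into a word-list key like '11113'."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each in the range 1-6")
    return "".join(str(r) for r in rolls)


def passphrase_from_rolls(wordlist, rolls_per_word):
    """Look up one word per group of five rolls, the way the EFF method is done by hand."""
    return " ".join(wordlist[roll_key(rolls)] for rolls in rolls_per_word)


def passphrase(wordlist, n_words=6):
    """Draw n_words uniformly from the list with os.urandom-backed randomness.

    secrets.choice is used deliberately; random.choice is seeded from a
    predictable state and must not be used for credentials.
    """
    words = sorted(wordlist.values())
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Six words from the full EFF list give about 77.5 bits; five give about 64.6.
    print(f"six-word EFF passphrase: {entropy_bits(EFF_LIST_SIZE, 6):.1f} bits")
    print(passphrase(SAMPLE_WORDLIST, 4))
```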

  83. 8b. Start using a Password Manager

  89. 8c. Use 2-Factor Authentication (2FA)

  93. Is SMS/text-based 2-factor auth secure?

  94. SMS/Text 2FA Attacks • SIM porting • Stingray/femtocell interception

  95. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

  97. https://www.digitaltrends.com/mobile/femtocell-verizon-hack/ https://en.wikipedia.org/wiki/Femtocell

  102. Average Consumer Protections • Install your updates • Train to beware of phishing • Lock your screens • Use HTTPS • Use Tracking Protection • Mind permissions • Use strong passwords (Password Manager) • Use 2-factor auth
  103. Public Figure Profile • You need extra protection: Browsing & Search History, Online & Offline activity, location, etc. • You ARE a special target for some adversaries • Online harassment is a real risk for you, maybe offline “real-life” harassment or even detainment
  104. Use a passcode (Not Fingerprint or Face Recognition) to unlock device
  105. http://time.com/3558936/fingerprint-password-fifth-amendment/

  106. Use a privacy screen

  108. Cover Your Cameras

  109. Cimkiz WB01 Webcam Cover Slider

  111. Encrypt everything

  112. Encrypt & Back up Your Drives (Hard Drive & USB)

  113. Windows: BitLocker™ (Pro & Enterprise) • Mac: FileVault • Cross-platform: www.veracrypt.fr

  114. Use End-to-End Encryption (E2EE) for messaging

  115. http://money.cnn.com/2013/07/15/technology/security/femtocell-phone-hack/index.html

  118. Signal

  119. https://www.signal.org/

  120. Use Protonmail or Tutanota for email

  121. https://www.privacytools.io/#email

  122. Don’t use public WiFi networks

  123. http://insights.dice.com/2014/02/18/home-routers-pose-biggest-consumer-cyberthreat/

  124. http://www.tulsalibrary.org/wifi.htm

  125. Don’t use your real email address

  126. Temporary email addresses 10minutemail.com

  127. Public inboxes mailinator.com

  128. Burner addresses burnermail.io

  129. Public Figure Profile • Privacy Screen • Cover webcams • Passcodes, not biometrics • Encrypt Disks • End-to-end Encrypted Messaging • Encrypted Email • Be careful on WiFi • Don’t use your real email address
  130. “Spy” Profile • Maximum Protection • You are engaged in cybersecurity work
  131. Book

  132. Podcast

  133. Don’t use your real phone number

  134. Use burner credit cards

  135. Use Tor

  136. https://www.eff.org/pages/tor-and-https

  137. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP addresses
  138. https://www.eff.org/pages/tor-and-https Location = IP Address

  139. HTTPS protects the user/pw & data from the intermediaries

  140. https://www.eff.org/pages/tor-and-https

  146. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP addresses
  147. How do we protect location + destination from intermediaries?

  149. Tor Browser is a browser patched with The Onion Router

  150. The Onion What?

  151. https://www.torproject.org/about/overview.html.en

  160. Tor protection from DNS + HTTP internet threats • Hackers-in-the-middle • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP addresses
  161. Download Tor!

  162. Demo

  163. More • Use a VPN • Hide your Personally-Identifiable Information • “Threat-modeling”
  164. http://www.consumerreports.org/privacy/66-ways-to-protect-your-privacy-right-now/

  165. Threat-modeling: Your Risk Profile • What do you want to protect? • Emails? Messages? Files? • From whom do you want to protect it? • Boss? Government? Hackers? • How likely is it that you need to protect it? • E.g., unlikely: mobile phone carrier publishing your data online • How bad are the consequences of failure? • Risk ~= how likely * how bad
  166. Changes in Risk Profiles • Graduating? • New job? (e.g., Journalist, Police Officer, Lawyer) • Moving to a new country? • Changes in company policies or laws?
  167. • https://ssd.eff.org • https://www.consumerreports.org/privacy/the-consumer-reports-10-minute-digital-privacy-tuneup/ • https://www.wired.com/2017/12/digital-security-guide/