Digital Privacy & Security

Transcript

1. Digital Privacy & Security

2. About me • Privacy & Security Engineer

3. None

4. 😢 Sorry: It’s a little complicated

5. 😺 But you CAN set up some good protections in

   a few minutes

6. ftc.gov/yourprivacy

7. ssd.eff.org

8. Security is a process, not a purchase …

9. “Threat-model” • What do you want to protect? • From

   whom do you want to protect it? • How likely is it that you need to protect it? • How bad are the consequences of failure? • How much trouble are you willing to go thru to prevent those?

10. What’s your threat model?

11. https://www.wired.com/2017/12/digital-security-guide/

12. When you think about your online data, who are you

    most worried about gaining unauthorized access? https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

13. https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

14. https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

15. https://qsurvey.mozilla.com/r/28049_5bca403f6bbd32.31628179

16. Average Consumer Profile • You want to protect Consumer PII:

    Bank Accounts, Passwords, Browsing History, Health Data, Search History, Location, etc. • You want to protect it from: hackers, bad websites, data brokers, and social networks • You are NOT a special target for any attackers • Total Identity Theft is your worst- case consequence • Risk Profile ~= Average Consumer

17. 📰 Good News! A few simple tools and techniques can

    go a long way.

18. http://www.consumerreports.org/privacy/the-consumer-reports-10-minute-digital-privacy-tuneup/

19. 🍰 Let’s go from easiest to hardest

20. 1. Turn on Automatic Updates and install them!

21. Automatic Updates protection • Bad websites or Hackers • Stealing

    any kinds of data: passwords, bank accounts, health, etc.

22. Malicious Software https://archive.org/details/protect-your-devices-from-hackers

23. How devices are infected • Email attachments • Malicious web

    link • USB drives or DVDs/CDs

24. Email Attachments https://archive.org/details/protect-your-devices-from-hackers

25. https://archive.org/details/protect-your-devices-from-hackers

26. https://archive.org/details/protect-your-devices-from-hackers Don’t visit suspicious links

27. Don’t use unknown drives

28. 1. Turn on Automatic Updates and install them!

29. None

30. 2. Learn to identify Phishing/Scamming

31. Phishing tries to get your username & password

32. https://ai.google/research/pubs/pub46437

33. https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

34. https://docs.apwg.org/reports/apwg_trends_report_q3_2019.pdf

35. Your email account … • Does it use the same

    password as other accounts? • Can it reset your password at other accounts? • Paypal? • Your bank?

36. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

37. https://phishingquiz.withgoogle.com/

38. https://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/

39. None

40. A password manager can help prevent phishing (more on PW

    managers later)

41. 2-Factor Authentication can help prevent phishing (more on 2FA later)

42. 3. Use Screen Locks on every device

43. Screen Locks protection • Hackers • Stealing any kinds of

    data: bank, personal, health, etc.
44. None

45. Can your device … ? • Do your online banking?

    (Personal & work) • See & use all your email? (Personal & work) • Use email to reset passwords? • Show all your photos & videos? • Show your home address and map searches? • Show all your contacts? • Do 2-Factor Authentication?

46. 4. Always use HTTPS

47. None

48. HTTPS protection • Hackers • Stealing any kinds of data:

    bank, personal, health, etc.
49. None
50. None

51. 5. Make backups!

52. • Ransomware • Malware recovery

53. None
54. None
55. None

56. 6. Use Tracking Protection

57. Tracking Protection • Hackers, bad websites, online data brokers, social

    networks • Watching browsing history • Other data too

58. Private Browsing

59. Tracking Protection

60. More Tracking Protection uBlock Origin

61. Mobile Tracking Protection iOS Android

62. Mobile Tracking Protection iOS Android

63. 7. Mind your permissions

64. Permissions • Websites, online data brokers, social networks • All

    kinds of data: browsing, searching, location, etc.
65. None
66. None
67. None
68. None

69. 8. Check your Data-Breach Status

70. None

71. monitor.firefox.com

72. None
73. None
74. None
75. None
76. None

77. Change your breached password immediately

78. Update other logins using the same password

79. 8a. Use Strong & Unique Passwords

80. None

81. https://www.eff.org/dice

82. 8b. Start using a Password Manager

83. None
84. None
85. None

86. 8c. Use 2-Factor Authentication (2FA)

87. None
88. None
89. None

90. Is SMS/text-based 2-factor auth secure?

91. SMS/Text 2FA Attacks • SIM porting • Stingray/femtocell interception

92. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

93. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124

94. https://www.digitaltrends.com/mobile/femtocell-verizon-hack/ https://en.wikipedia.org/wiki/Femtocell

95. None
96. None
97. None
98. None

99. Average Consumer Protections • Install your updates • Train to

    beware of phishing • Lock your screens • Use HTTPS • Use Tracking Protection • Mind permissions • Use strong passwords (Password Manager) • Use 2-factor auth

100. Public Figure Profile • You need extra protection: Browsing &

     Search History, Online & Offline activity, location, etc. • You ARE a special target for some adversaries • Online harassment is a real risk for you, maybe offline “real-life” harassment or even detainment

101. Use a passcode (Not Fingerprint or Face Recognition) to unlock

     device

102. http://time.com/3558936/fingerprint-password-fifth-amendment/

103. Use a privacy screen

104. None

105. Cover Your Cameras

106. Cimkiz WB01 Webcam Cover Slider

107. None

108. Encrypt everything

109. Encrypt & Back up Your Drives (Hard Drive & USB)

110. Mac Windows BitLocker™ (Pro & Enterprise) FileVault www.veracrypt.fr

111. Use End-to-End Encryption (E2EE) for messaging

112. http://money.cnn.com/2013/07/15/technology/security/femtocell-phone-hack/index.html

113. None
114. None

115. Signal

116. https://www.signal.org/

117. Use Protonmail or Tutanota for email

118. https://www.privacytools.io/#email

119. Don’t use public WiFi networks

120. http://insights.dice.com/2014/02/18/home-routers-pose-biggest-consumer-cyberthreat/

121. http://www.tulsalibrary.org/wifi.htm

122. Don’t use your real email address

123. Temporary email addresses 10minutemail.com

124. Public inboxes mailinator.com

125. Burner addresses burnermail.io

126. Public Figure Profile • Privacy Screen • Cover webcams •

     Passcodes, not biometrics • Encrypt Disks • End-to-end Encrypted Messaging • Encrypted Email • Be careful on WiFi • Don’t use your real email address

127. “Spy” Profile • Maximum Protection • You are engaged in

     cybersecurity work

128. Book

129. Podcast

130. Don’t use your real phone number

131. Use burner credit cards

132. Use Tor

133. https://www.eff.org/pages/tor-and-https

134. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

     on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

135. https://www.eff.org/pages/tor-and-https Location = IP Address

136. protects the user/pw & data from the intermediaries

137. https://www.eff.org/pages/tor-and-https

138. None
139. None
140. None
141. None
142. None

143. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

     on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

144. How do we protect location + destination from intermediaries?

145. None

146. is a browser patched with The Onion Router

147. The Onion What?

148. https://www.torproject.org/about/overview.html.en

149. https://www.torproject.org/about/overview.html.en

150. None
151. None
152. None
153. None
154. None
155. None
156. None

157. Tor protection from DNS + HTTP internet threats • Hackers-in-the-middle

     • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

158. Download Tor !

159. Demo

160. More • Use a VPN • Hide your Personally-Identifiable Information

     • “Threat-modeling”

161. http://www.consumerreports.org/privacy/66-ways-to-protect-your-privacy-right-now/

162. • What do you want to protect? • Emails? Messages?

     Files? • From whom do you want to protect it? • Boss? Government? Hackers? • How likely is it that you need to protect it? • E.g., unlikely: mobile phone carrier publishing your data online • How bad are the consequences of failure? • Risk ~= how likely * how bad Threat-modeling: Your Risk Profile

163. Changes in Risk Profiles • Graduating? • New job? (e.g.,

     Journalist, Police Officer, Lawyer) • Moving to a new country? • Changes in company policies or laws?

164. • https://ssd.eff.org • https://www.consumerreports.org/privacy/the- consumer-reports-10-minute-digital-privacy- tuneup/ • https://www.wired.com/2017/12/digital-security- guide/