– Cory Doctorow in 2008 http://www.theguardian.com/technology/2008/jan/15/data.security “We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
– US Senator John D Rockefeller, Chairman of Committee with oversight over the Federal Trade Commission and consumer protection issues http://www.rockefeller.senate.gov/public/index.cfm/files/serve? File_id=a9d102ef-ac4a-445e-8a49- fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5 “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”
Attacked from the inside • Wireless (802.11b/g/n) high gain Bluetooth & USB Ethernet adapters • Fully-automated NAC/802.1x/ Radius bypass • One-click EvilAP, stealth mode & passive recon • Kali linux
Snoopy proof of concept • Drones collect probe SSIDs • Offer rogue access points with matching SSID • traffic transparently proxied via squid and logged • SSLstrip removes https • mitmproxy injection into web pages • https://wigle.net to map from probe to GPS • Google maps street view
Not-so-nice restaurants • Widely varying resources • Widely varying education levels • Widely varying local customs and challenges • Extremely competitive • Price pressure • Many workers, minimal training • Workers may not be motivated
Acceptable level of risk “CDC estimates that each year in the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” source: http://www.cdc.gov/ foodsafety/facts.html
Wash your hands • Use a password manager • Use multi-factor authentication, particularly on your password manager, DNS, and Email • Develop basic fluency in using encryption. Understand what options exist, and the human factors at play. • Use full disk encryption (even on your mobile devices) • Use encryption on all data in flight and at rest. This includes connections inside your application (webapp to backend) • Run the rest of the steps in order to customize this list for your environment
Crash course in encryption Everything reduces to a key management problem Shamir secret sharing, N-of-M splits Homomorphic encryption exists Data you don’t have can’t get stolen Attend Real World Crypto Jan 2015 in London
Go for walks keylogger on a sysadmins laptop stolen ssh private key engineer accidentally adds a SQL injection Someone with access to data goes rogue and sells it
Play with others Group cognition Elevation of privilege game, Cornucopia game https://www.owasp.org/index.php/ OWASP_Cornucopia 3rd party pentests and audits
• Wash your hands - take reasonable basic precautions • Go for walks - schedule time to reflect on your risk • Play with others - engage in group problem solving around threat modeling • Run in circles - run an OODA loop • Tell stories - help your colleagues value meaningful security and reject FUD
statik
itohiro73
77web
manfredsteyer
mackee
weddingpark
yutootsuka
okashoi
t_keshi
mrstsgk
alexandresalome
sh1n0g1
kazutan
philhawksworth
schacon
erikaheidi
mojombo
afnizarnur
smashingmag
soudai
brettharned
paigeccino
keithpitt
aarron
deanohume