CYBER-SECURITY, PRIVACY & IDENTITY PROTECTION
ROBERT HAAR, PH.D.
DEC. 8, 2015

TRANSCRIPT

Page 1: Title slide

CYBER-SECURITY, PRIVACY & IDENTITY PROTECTION
ROBERT HAAR, PH.D.
DEC. 8, 2015

Page 2: SCOPE

•  Protecting your computer and data
•  Protecting financial transactions
•  Protecting personal information
•  Privacy
•  Fraud prevention

This presentation contains my personal recommendations; you will get different advice from other people.

•  Details will vary depending on the system that you use.
•  I will talk mostly about general guidelines and principles. You will have to translate for your specific computer system.

Page 3: MY BACKGROUND - WHY YOU SHOULD LISTEN TO ME

•  Ph.D. in Computer Science
•  45+ years professional experience in IT
•  Worked at DOD in design & analysis of secure communications (crypto)
•  GM IT Fellow and Enterprise Architect
•  Designed and ran large secure web sites
•  Built the system that controls all internal user access

And I am a victim of Identity Theft

Page 4: THE CIA MODEL

Security = C I A
•  Confidentiality
•  Integrity
•  Availability

Page 5: KEY POINTS

1.  Nothing is a complete guarantee – but you can reduce your risk by following good practice
2.  Technology – necessary, but it is not enough by itself
3.  Defense in depth – layered approach: e.g. moat, walls, gate, archers, etc.
4.  Humans are often the weak point
5.  Your own behavior is critical
    1.  Awareness
    2.  Caution
    3.  Preparedness
    4.  Maybe a little paranoia

Page 6: COMPUTER SECURITY

All computer systems have flaws and weaknesses (bugs). You need to stay ahead of the threats.

1.  Keep software up to date
    1.  Get updates only from the original source
    2.  Don’t click on web browser pop-ups for updates
    3.  Install security updates promptly (but maybe wait on others)
2.  DO NOT install software from unknown sources!!
3.  Run an anti-virus scanner
    1.  Keep virus signatures updated
    2.  Periodically, scan the entire computer
    3.  Scan downloaded software before installation
4.  Follow good password hygiene
5.  Encrypt sensitive data with a separate password
6.  Back up your data !!!!

Page 7: HOME COMPUTER NETWORKS

Internet -> ISP -> Modem -> Firewall -> Router
    -> computer
    -> Wi-Fi -> mobile devices
    -> TVs, printers, etc.

1.  Change default passwords on all these devices
2.  Turn off admin from the Internet (WAN) for cable modems and routers
3.  Use a firewall
    1.  Network level is best, but on your computers is pretty good
    2.  Prevents external access to your systems (but makes it harder to run a server at home)
    3.  Remember, even devices like TVs and game systems can be hacked
4.  Use Network Address Translation (NAT) in the router
5.  Consider using a service like OpenDNS, rather than your ISP default
    1.  DNS is the translation from system name to Internet numeric address.
    2.  This translation can be forged, sending you to malicious sites.
6.  WiFi (wireless)
    1.  WPA2 security is the best for now
    2.  Set password name
    3.  Hide network name
    4.  Maybe have a separate network for guests
7.  Modem, firewall, router and wireless functions may be combined in one device. Check your manuals for capabilities. Many have security features turned off as factory defaults.

Page 8: PERSONAL BEHAVIOR ON COMPUTERS

1.  DO NOT run with admin privileges
    1.  Create an admin account – use only for system updates
    2.  Use a normal user account for everyday activities
    3.  If you have kids using your computer, give them separate accounts with minimal privileges.
2.  DO NOT install unverified or unofficial software
    *** Be very careful with “free” stuff, check the source and reputation ***
3.  DO NOT click on links in email
    1.  Faked emails are common “phishing” scams
    2.  Check the URL (web address)
    3.  Type the URL by hand into a browser or use a saved bookmark
4.  Put sensitive information into an encrypted file/folder/directory – and require a password to open it. AES-256 is the best general encryption algorithm available to the public today.
5.  Secure erase deleted files; otherwise they can be recovered. (Does not apply to Solid State Drives.)
6.  Use good Passwords !!! Password/PIN protect everything, including mobile devices
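As an added illustration of item 3 above (this code is not from the presentation), here is a small checker that pulls the host name out of a link the way a browser does and compares it with the sites you actually use. The only part of a web address that decides where you end up is the host between "://" and the next "/", and deceptive links work by making that part hard to read. KNOWN_SITES, the verdict labels and the sample links are constructed for this example; the .example names are reserved and resolve nowhere.

```python
"""Classify a link from an email against the sites you actually use.

Added example, not from the slides. Assumptions: KNOWN_SITES stands in for the
host names of your own saved bookmarks; verdict labels are this example's own.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the hosts from your own saved bookmarks.
KNOWN_SITES = {"bank.example.com", "mail.example.org"}


def host_of(url: str) -> tuple[str, bool]:
    """Return (hostname, had_userinfo) for a web URL; raise ValueError otherwise."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    # urlsplit drops 'user:pass@' and ':port' from .hostname, so the browser
    # destination of 'https://bank.example.com@evil.example/' is evil.example.
    return parts.hostname, parts.username is not None


def is_under(host: str, site: str) -> bool:
    """True if host is the site itself or a subdomain of it (label boundary respected)."""
    return host == site or host.endswith("." + site)


def check_link(url: str, known=KNOWN_SITES) -> tuple[str, str]:
    """Return (verdict, reason); verdict is ok, warn, look-alike, unknown or reject."""
    try:
        host, had_userinfo = host_of(url)
    except ValueError as err:
        return "reject", str(err)
    if had_userinfo:
        return "reject", f"'@' in address: the browser would go to {host}, not to the name before '@'"
    try:
        ipaddress.ip_address(host)
        return "reject", "bare IP address instead of a site name"
    except ValueError:
        pass  # not an IP literal, carry on
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", "internationalised (punycode) label can imitate Latin letters"
    matches = [site for site in known if is_under(host, site)]
    if matches:
        if urlsplit(url).scheme != "https":
            return "warn", f"{host} is a known site but the link is plain http"
        return "ok", f"{host} is under {matches[0]}"
    embedded = [site for site in known if site in host]
    if embedded:
        return "look-alike", f"{host} contains '{embedded[0]}' but is not part of that site"
    return "unknown", f"{host} is not one of your sites; type the address yourself"


if __name__ == "__main__":
    # Constructed sample links, from harmless to deceptive.
    for link in ("https://bank.example.com/login",
                 "http://bank.example.com/",
                 "https://bank.example.com.evil.example/login",
                 "https://bank.example.com@evil.example/",
                 "http://192.0.2.10/login"):
        print(f"{link:48} -> {check_link(link)}")
```

The checker mirrors what the slide asks you to do by eye: a subdomain of a site you know is fine, a known name buried inside some other host is the classic look-alike, and an "@" or a bare IP address in a link has no legitimate reason to be there in mail from your bank.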

Page 9: MALWARE

1.  Software with a bad intention
2.  Different types
    1.  Virus – infected data file
    2.  Trojan Horse – software that pretends to be something useful but contains bad stuff
    3.  Worm – enters through the Internet with no user action
    4.  Ransomware – nasty, hope your back up is good
    5.  New threat – firmware worms, very nasty, almost impossible to remove.
3.  Be suspicious of “free” – some sites that offer collections of free software distribute infected software
4.  Never install pirated software
5.  Use virus scanner and keep it updated
6.  Use email SPAM filter, but check quarantine regularly
7.  Use plain text email
8.  Do NOT bypass computer security barriers

Page 10: MOBILE DEVICES

1.  Special risks:
    1.  Theft or loss
    2.  Lower security barriers
2.  Use a good password/PIN
3.  Biometrics, like fingerprints, are better
4.  Encrypt sensitive data (default on iPhones)
5.  Back up
6.  Install apps ONLY from trusted sources like the official app store
7.  Be aware of “shoulder surfing” in public places
8.  Turn off automatic connect to Wi-Fi access points
    1.  Danger of “man in the middle” attacks

Page 11: PASSWORD HYGIENE

•  Use complex passwords
    •  Mix upper/lower case, digits and special symbols
    •  Longer is better
    •  Do Not use birthdays, anniversaries, kids’ names, pets, etc.
    •  Pass-phrase rather than password
    •  Do Not use straight English text – substitute digits and symbols for letters
    •  BEST – use a random string of letters and numbers
•  Longer is better – makes brute force attacks more difficult
•  Change passwords periodically
•  Use a different password for each system
•  Create secondary security questions, but don’t use public information
    •  “security” questions are really back up passwords.
    •  Don’t use easily found information or common names
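To put numbers on "longer is better" and "a random string is best", here is an added example (not from the slides) that computes the size of the search a brute-force attacker faces for each style of password and turns it into a rough time. GUESSES_PER_SECOND is a constructed assumption, and every figure assumes the password was genuinely chosen at random from the stated alphabet, which a word or date you picked by hand is not.

```python
"""Brute-force search space for the password styles recommended on the slide.

Added example, not from the presentation. The guess rate is a constructed
assumption used only to convert bits of entropy into a rough duration.
"""
import math

# Constructed assumption: guesses per second an offline attacker holding a
# stolen password hash might manage; real rates depend on the hash type.
GUESSES_PER_SECOND = 1e10


def bits_for_random(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length that reaches target_bits of entropy with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half of the 2**bits space is searched."""
    return (2.0 ** bits) / 2.0 / rate


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that keeps the number readable."""
    value, unit = seconds, "seconds"
    for next_unit, factor in (("minutes", 60), ("hours", 60), ("days", 24),
                              ("years", 365.25), ("centuries", 100)):
        if value < factor:
            break
        value, unit = value / factor, next_unit
    return f"{value:,.1f} {unit}"


def compare(candidates):
    """candidates: (label, alphabet_size, length) triples. Rows sorted weakest first."""
    rows = []
    for label, alphabet_size, length in candidates:
        bits = bits_for_random(alphabet_size, length)
        rows.append((label, round(bits, 1), human_duration(expected_crack_seconds(bits))))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample: alphabet sizes are 26 lower-case letters, 62 letters and
# digits, 94 printable ASCII symbols, and a 7776-word diceware-style word list.
SAMPLE = [
    ("8 lower-case letters", 26, 8),
    ("8 mixed letters, digits, symbols", 94, 8),
    ("12 letters + digits", 62, 12),
    ("5-word pass-phrase", 7776, 5),
    ("16 random letters + digits", 62, 16),
]

if __name__ == "__main__":
    for label, bits, when in compare(SAMPLE):
        print(f"{label:34} {bits:6.1f} bits  ~{when}")
    for size, name in ((26, "lower-case letters"), (62, "letters + digits"), (7776, "words")):
        print(f"80 bits needs {length_for_bits(size, 80)} {name}")
```

Two things the table makes visible that the bullets only assert: adding four characters to a letters-and-digits password buys far more than widening the alphabet with symbols, and a five-word pass-phrase you can actually remember lands above an eight-character "complex" password.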

Page 12: PASSWORD DILEMMA

•  Complex passwords are difficult to remember
•  Using a different password for each system means LOTS of passwords
•  Changing passwords periodically multiplies the problem

How can anyone remember all the passwords?

•  My solution: DON’T! Instead, use a password manager program
•  I recommend 1Password from https://agilebits.com
•  See https://www.youtube.com/watch?v=8HSxWUqwpzU for a tutorial

Page 13: BACK UPS

1.  Do it! Set up a regular cycle of back ups. Otherwise, your personal data is at risk. ***All hardware fails eventually***
2.  Run anti-virus scan first
3.  Multi-level
    1.  Remember that even backup devices can fail, so have multiple copies on different hardware
    2.  Automatic is best, but they can save corrupt files without telling you.
    3.  On-site, external storage
    4.  Off-site full backups
        1.  USB drives that you exchange
        2.  Cloud storage – OK, but encrypt your data first
    5.  Maybe copy critical files to a keychain USB drive
4.  Scan important papers and keep those electronic copies as part of your back up set.
5.  Keep computer back ups and copies of important papers in either a safe deposit box or a fire/water resistant safe
6.  Two types of computer users
    1.  Those that have lost data
    2.  Those that will
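Item 3.2 above warns that automatic backups can save corrupt files without telling you, and item 3.1 that copies on separate hardware can fail too. One way to catch both, as an added example that is not part of the presentation or of any backup product: take a SHA-256 manifest of the originals at backup time, keep it with each copy, and check every copy against it before you trust it. The sample document tree and the damage done to the copy are constructed.

```python
"""Verify that a backup copy still matches the files you meant to save.

Added example, not from the slides. A manifest (file path -> SHA-256) taken
from the original is stored with the copy; verify_copy reports what a
silent backup tool would not: changed, missing and unexpected files.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root ('/'-separated relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def verify_copy(manifest: dict[str, str], copy_root: Path,
                ignore: tuple[str, ...] = ("manifest.json",)) -> dict[str, list[str]]:
    """Compare one backup copy against the manifest taken from the original."""
    found = {k: v for k, v in build_manifest(copy_root).items() if k not in ignore}
    return {
        "missing": sorted(k for k in manifest if k not in found),
        "changed": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "extra": sorted(k for k in found if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up a small tree, then damage the copy in the
    ways an automatic tool would not report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "documents")
        (src / "taxes").mkdir(parents=True)
        (src / "taxes" / "2015.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (src / "passport.jpg").write_bytes(b"\xff\xd8\xff constructed sample")
        (src / "notes.txt").write_text("constructed sample\n")

        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)
        manifest = build_manifest(src)
        save_manifest(manifest, backup / "manifest.json")  # travels with the copy

        (backup / "passport.jpg").write_bytes(b"\x00" * 8)  # bit rot / truncated write
        (backup / "notes.txt").unlink()                      # file never made it across
        (backup / "Thumbs.db").write_bytes(b"junk")          # not something you saved

        return verify_copy(load_manifest(backup / "manifest.json"), backup)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8}: {names}")
```

Run the check on each copy separately (the USB drive you exchange, the cloud copy after you decrypt it), since the point of multiple copies is lost if you only ever verify one of them.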

Page 14: INTERNET SAFETY

1.  Do not use public computers for anything sensitive
2.  Be careful on free Wi-Fi – airports, restaurants, etc.
    1.  Turn on firewall security on your laptop (always good, but especially important in public places).
    2.  Use a VPN service if you must do sensitive interactions.
    3.  Secure websites (https://) reduce the risk.
    4.  Use web mail, not an email client.
3.  Turn off web browser features – Flash, third party cookies, JAVA, Javascript, Windows Media
4.  Use multiple email addresses
    1.  Professional
    2.  Friends & Family
    3.  Financial
    4.  Throw away
5.  Don’t store credit card numbers on web sites if you can help it.
6.  Use PayPal where you can (web stores don’t see your credit card numbers)
7.  Use two-factor authentication where possible (PayPal supports this).
    1.  Will send a confirmation request to your phone
8.  Use Chrome, Firefox or Safari web browsers, not MS Internet Explorer

Page 15: SHOPPING & FINANCIALS

1.  Create web user accounts for all services that have that option. If you don’t, someone else can take control. This applies to bank accounts, credit cards, utilities, and other services.
2.  If you can, turn on change notifications and suspicious activity alerts for on-line accounts, particularly address/email changes
3.  File income tax early. If you eFile for federal Income Tax, create and use a PIN. States are notoriously insecure, so file on paper there.
4.  Credit Cards:
    1.  Do not use debit cards for purchases – little protection. And be cautious at ATMs.
    2.  Have one credit card that you use only for online purchases, another for daily use, another for travel
    3.  Use “chipped” credit cards. Chip & PIN is best, Chip & Signature is OK
    4.  Don’t let credit cards out of your sight if you can help it
    5.  Keep a record of the card numbers and the phone numbers for the service
    6.  Use Apple Pay – even better than chipped credit cards
5.  Check your statements and credit reports
6.  Consider a credit watch or identity theft protection service
7.  IMPORTANT – Be alert and report all fraud and questionable actions

Page 16: PRIVACY

1.  Why bother?
    1.  Personal information can be used for identity theft
    2.  Advertisers are getting more intrusive
    3.  Does the world really need to know everything?
2.  Key point – Limit your exposure
3.  Be careful with social media – don’t broadcast too much information.
    1.  Don’t say that you will be away from home.
    2.  Limit the audience to family & close friends.
    3.  Be sure who you accept as friends.
4.  Use Duck Duck Go for search, not Google
5.  If someone asks for personal information, ask why they need it and how it is protected
    1.  Birth date
    2.  Social Security Number
    3.  Account / credit card numbers
6.  Do not respond to blind calls or emails; initiate the contact yourself using known phone numbers or URLs
7.  Shred any paper with personal information

Page 17: MISC. TOPICS

1.  DNS “spoofing” – faking the web site name to address translation
2.  Great Chinese Cannon – Chinese hackers are inserting malicious code into web page content. Images, etc. for sites hosted in the U.S. may be somewhere else.
3.  Buy your own cable modem and control the settings
4.  Don’t use Flash.
5.  Secure erase storage on old devices – don’t just delete. Or physically destroy the hard disks.
6.  Be careful with your U.S. mail – don’t let it sit in your mailbox.
7.  Secure personal paperwork – home safe or safety deposit box
8.  90 % of security incidents trace back to PEBKAC and 1D10T errors
    •  http://www.computerworld.com/article/2910316/

Page 18: PEBKAC

Page 19: SECURITY EXPERT BEHAVIOR (GOOGLE STUDY)

Page 20: HELPFUL LINKS

1.  http://www.onguardonline.gov
2.  http://www.dhs.gov/stopthinkconnect
3.  http://www.pcworld.com/article/130330/article.html
4.  http://www.macworld.com/article/2048160/how-the-nsa-snoop-proofs-its-macs.html
5.  https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
6.  http://www.pcworld.com/article/2043095/heres-what-an-eavesdropper-sees-when-you-use-an-unsecured-wi-fi-hotspot.html
7.  https://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights
8.  http://www.computerworld.com/article/2943119/security/security-suites-choosing-the-best-one-for-you.html
9.  http://snopes.com/fraud/topscams.asp
10.  https://www.reddit.com/r/scams

Page 21: POLITICAL SOAP BOX

1.  Support the “Consumer’s Privacy Bill of Rights”
2.  Be careful with companies that track what you do
    1.  I am more worried about Google than the Feds
    2.  Complain if a web site requires third party cookies or a particular web browser (MSIE)
3.  Support moving to more secure credit card systems
    1.  Chip & PIN
4.  Support more stringent credit rules
    1.  Why are credit cards and loans issued without verifying identity?
5.  Oppose government push to have back-door access to encrypted data on personal devices

Page 22: SUMMARY

1.  It takes some work – no pain, no gain
2.  Take responsibility - Be
    •  Aware of threats
    •  Alert
    •  Suspicious
    •  Proactive
3.  Take control. Be responsible for your own safety.
4.  Last words
    •  I hang out in the OPC Mac and iPhone groups.
    •  My email: [email protected]