TRANSCRIPT
Personal CyberSecurity: How to Better Protect Yourself Online
Steve McEvoy, September 14th, 2019, Fort Lauderdale, FL
The Internet has some scary s**t going on
This is a self defense course
Poll Results - Ransomware
The Dental Record
How did it Happen?
Dental Office
Over 400 !!
Discovered Monday Aug 26th
9 Days Later – Sept 3rd
17 Days Later – Sept 11th
• Have your own LOCAL backup strategy in addition to a Cloud based backup
• Talk about this to your IT Person and ask them if this can happen to them/you
• Care about this!
What Should You Do?
Windows 7 End of Life
Why Would You Care?
WannaCry Ransomware
• Microsoft Discontinued Support of Windows XP in April 2014
• No Windows Updates after that time
• WannaCry Ransomware deliberately exploited a newly found weakness built into Windows XP (May 2017)
• NHS had opted to just keep using XP
Windows XP was full of Security Holes
Why Would You Care?
Windows 7 will be full of security holes
[Chart: Risk rising over Time]
• Ignore it
– Eventually the PCs will be replaced
• “In Place” Upgrade to Windows 10
– For a while they had been giving it away
• Upgrade to Windows 10
– Reload your existing PCs from scratch
• Replace the PC
– The new one will come with Windows 10
Your Options
• Windows 10 installs Overtop Windows 7
• Generally a BAD idea
– Seen this go sideways many times
– All your Applications and Drivers must be Windows 10 Compatible
• Software like Dolphin, Carestream, Ortho2, etc.
• Scanners, Printers, and other hardware
• X-ray machine applications
• Leaves behind a mess
In Place Upgrade
• Updating your Existing PCs Fresh
• Deletes everything and Installs Windows 10 from scratch (Clean install)
• You have to setup everything again (just like if you had got a new PC)
• If a computer is less than 4 years old you might consider this
• If a computer is 5+, don’t waste the $$$
Fresh Install of Windows 10
• Windows 10 has been out for 4 years
• If your PC still runs Windows 7 it is likely 4+ years old.
• Replace the old PC that probably has ‘personality’ with a new, much faster PC.
New PC
• Microsoft is offering Extended Support Updates (ESU) for a fee
• You can Pay for Windows Updates for the next 1, 2 or 3 years
• The Fees double each year:
– $50 year 1
– $100 year 2
– $200 year 3
Pay for Updates?
• For X-Ray PCs that cannot be upgraded to Windows 10
• Maybe for Mid-Life PCs (3-4 years old) that you want to stretch for 1 more year
– It doesn’t make sense to dump $450 into an already 4 year old PC to try and make it live to 7 years old when a new PC is $600
When ESU Makes Sense
• Software companies like Carestream, Dolphin, Ortho2, etc. will Stop Supporting their applications on Windows 7
– Ultimately this is reasonable
• They usually transition over the first few months
– Windows 7 will become “Not Recommended”
– After a few months will be “Not Supported”
More Motivation….
• Talk to your IT Person
– Review your network and come up with a plan
• Do this ASAP!
– They are already super busy helping others that got started sooner than you.
What to do Next
What about your Phone?
Always Update Your Phone
Help!
Ransomware
Email Phishing Attacks
Via email attachments
Best Practices for Emails:
• Never click on a link in an email if you aren’t 100% sure of the sender and where it’s taking you
• Never open an attachment on an email if you weren’t 100% expecting it
• When in doubt, open on a cell phone
• When in doubt, check with the sender
What Should You Do?
Ransomware / Phishing
Bitcoin
Corporate Data Breaches
• Hacking peoples accounts one at a time is a slow, resource intensive process
• Hacking the websites full of user names AND passwords yields bulk results
• They never targeted you personally, but the result is they have your information
Bulk Hacking
How can you know if your username & password have been leaked into the wild?
• Security Expert from Microsoft
• Searched the Dark Web
• Compiled a list of ~5 Billion hacked accounts
• Created “Have I been pwned?” website
– ‘Pwned’ is a slang term
• Securely check if your username and passwords have been stolen
Troy Hunt
www.HaveIBeenPwned.com
Is your Password Pwn’d?
(starwars)
Pre-check your new passwords
(MyReallyHardPassword)
• Get notified if your email(s) show up in the future
Get Notified of pwnage
I was Notified of pwnage
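The “securely check” part of the Pwned Passwords lookup works by k-anonymity: only the first five characters of the password’s SHA-1 hash are sent, and the match is made on your own machine. The walk-through below is an added example, not code from the talk or from Have I Been Pwned; the range response it matches against is constructed for the demo, while the live-API URL is the real endpoint.

```python
"""Offline walk-through of the k-anonymity check behind Have I Been Pwned's
Pwned Passwords service: only the first 5 hex characters of the password's
SHA-1 hash are sent; the matching suffix is looked up locally in the returned
range. The sample range response below is constructed for this example."""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; skips malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count_offline(password: str, range_body: str) -> int:
    """How many times the password appears in the given range response
    (0 if absent). The caller must pass the response for its own prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)

def breach_count_online(password: str) -> int:
    """Same check against the live API (needs network; not exercised here)."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_range_response(resp.read().decode("utf-8")).get(suffix, 0)

# Constructed sample: a range response as it might look for the prefix of
# "starwars" (the slide's example). Neighbouring suffixes and all counts are
# made up; only the starwars suffix is computed for real.
_STARWARS_SUFFIX = sha1_prefix_suffix("starwars")[1]
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    _STARWARS_SUFFIX + ":6542",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])
```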
How long will it take for a Hacker to break through my password?
www.howsecureismypassword.net
What makes a GOOD Password??
• NIST recently updated its recommended digital identity standard (SP 800-63)
• Troy Hunt canvassed NIST and others to derive what the collective wisdom is thinking
• 12 or more characters
• We can use short dictionary words
• 3 or 4 random words
Length Matters
dog, beer, hat, red, tree, bill, head
Nothing Personal
spouse, kids, food, movie, birthday, address, date, pets, phone
dog, beer, hat, red, tree, bill, head
3 or 4 Short Random Words
doghatbeerhead
Make ‘em Memorable
• Think up something about the site
• e.g. Wells Fargo
– dumb wagon horses
– ripping off clients
– stashing my cash
• dumbwagonhorses
– 15 characters
– 3 random words
– dumbwagonhorses is better than Sj7$qq#56
But what is wrong with this?
• They ‘Evolve’
• Websites, banks, etc. will need to learn and adopt these standards
• dumbwagonhorses wouldn’t meet their current ‘complexity checker’
Standards Don’t Change Overnight
Starting TODAY! (2019 and on)
– Three or Four unassociated dictionary words
– At LEAST 12 characters in length
– Capitalize First Letters
– Add a 2-digit year to the end (reminder)
Steve’s Recommendation (Simple Complexity)
DumbWagonHorses19
• DumbWagonHorses19
– 2 Trillion Years to Hack
– Should meet the Banks requirements
– Much easier to remember
Simple Complexity Works
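The recipe above (three or four unassociated words, 12+ characters, capitalised first letters, two-digit year on the end) can be checked mechanically, and the “years to hack” figure can be reproduced once the attacker’s guess rate is fixed. The checker below is an added example, not code from the talk or from howsecureismypassword.net; its ten-word dictionary and the 10 billion guesses/second rate are constructed assumptions, so its year counts differ from the slide’s figure but rank the two passwords the same way.

```python
"""Checker for the talk's 'Simple Complexity' recipe: three or four
dictionary words, at least 12 characters, each word capitalised, a two-digit
year on the end. brute_force_years() gives a worst-case search-time estimate.
The word list and the attacker guess rate are constructed for this example."""
import re
import secrets
from typing import List, Optional

# Constructed mini dictionary standing in for a real word list.
WORDS = {"dumb", "wagon", "horses", "dog", "hat", "beer", "head", "red", "tree", "bill"}
GUESSES_PER_SECOND = 1e10          # assumed attacker speed (offline cracking rig)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def split_words(password: str) -> Optional[List[str]]:
    """Return the capitalised words if the password has the shape
    'WordWordWord19' (3-4 words then a 2-digit year), else None."""
    m = re.fullmatch(r"((?:[A-Z][a-z]+){3,4})(\d{2})", password)
    return re.findall(r"[A-Z][a-z]+", m.group(1)) if m else None

def check_simple_complexity(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    words = split_words(password)
    if words is None:
        problems.append("must be 3-4 capitalised words followed by a 2-digit year")
        return problems
    unknown = [w for w in words if w.lower() not in WORDS]
    if unknown:
        problems.append("not dictionary words: " + ", ".join(unknown))
    return problems

def brute_force_years(password: str) -> float:
    """Years to try every string of this length over the character classes
    present (lower, upper, digits, symbols) at GUESSES_PER_SECOND."""
    space = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, password):
            space += size
    return space ** len(password) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def make_passphrase(year_suffix: str = "19", n_words: int = 3) -> str:
    """Build a candidate in the recommended shape from the mini dictionary."""
    words = [secrets.choice(sorted(WORDS)).capitalize() for _ in range(n_words)]
    return "".join(words) + year_suffix
```

With a real dictionary the year count for a 17-character mixed-case-plus-digits string comes out in the trillions, which is the order of magnitude the slide quotes.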
(Public WiFi in Particular)
• To hack you while on WiFi the hacker needs to be within range
Up Close and Personal
• White Hat Hackers that you hire to ‘PenTest’ your own business to find the weaknesses
• Toolkits are available online to purchase
• Of course, who are the biggest customers?
The Good Guy Hacker
Hak5
• You don’t need to be an expert
• Anyone with a Hobbyist level of computer skills can use these tools effectively
• (and get into trouble fast)
Hacker Hobbyist
Typical places we rely on WiFi include:
• Home
• Office
• Coffee Shops
• Hotels
• Conferences ….
Where do we use WiFi?
• The convenience of our devices is their undoing
• It can be set to remember WiFis it’s been connected to and automatically reconnect
• They are constantly ‘beaconing’ out looking for those memorized zones
Remembered Connections
Hello?? Home WiFi Zone Named “Steve’s WiFi” are you there??
Why Yes I am! “Steve’s WiFi” is ready to connect, please do
Thanks!
All Connected
• Fool you into connecting to an ‘Open’ Free WiFi zone
• They advertise a convincing name:
– Starbucks Free WiFi
– Detroit Airport Free WiFi
– UofM Free WiFi
Phishing you with a Freebie
Free WiFi! Come and get your Free WiFi: ‘AAO Free WiFi’
Cool! They arranged Free WiFi for the meeting
• HTTP vs. HTTPS
– http://www.google.com is insecure
– httpS://www.google.com is encrypted
• HTTP web surfing is like shouting across a room - ANYONE can listen in
Secure Surfing
• HTTPS web surfing is an encrypted connection
• When you access the website they hand you an encryption key
• Your device goes through a process to verify the key is legitimate through a 3rd party verification
• If it checks out you see a Lock symbol
Secure Surfing
• Banks
• Retailers
• Any place you have to ‘Login’
– They should be in HTTPS mode by the time you are on the login page.
Where would you expect it?
• This is your key defense to knowing if you are potentially being hacked
• An HTTPS website with a BROKEN lock symbol means you are at risk
Pay Attention to the Lock
Have you ever seen this?
Have you ever just Continued?
• “Damn computer is acting up again. I just need to get my work done”
• … and you click on Proceed Anyway …
Hackers count on our Reaction
• Do not proceed*
• Close your Browser session and try again SOMEWHERE else safer
• Ask your IT person if it persists
What to do?
• Hacker gets in the middle of your HTTPS encrypted conversation
• They Hand you a FAKE certificate and you link encrypted to them!
• Then they connect to the website for you
• They are of course now able to see all your information passing through
Man in the Middle Attack
Fake SSL Certificate
• Forget WiFi zones you don’t need
What Should You Do?
• Don’t set zones to “Connect Automatically” if you don’t really need to
– Hotels
– Airports
– Events
What Should You Do?
• Watch for HTTPS Warnings
• Close out Browsing Session
What Should You Do?
• Limit your use of Public WiFi
• Use your phone’s cellular data connection
What Should You Do?