Privacy and Security Online: it's not being paranoid if they really are out to get you!
by Julian Egelstaff, 17 April 2017
Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International http://creativecommons.org/licenses/by-nc-sa/4.0/deed.en_US

Transcript of Privacy and Security Online: it's not being paranoid if they really are out to get you!

Passwords
Payments
URLs
Email and Spam
Social Media
Protecting your Website
Are you ever really anonymous online?

Protecting your Devices
The Epic Hacking of Mat Honan
Senior Writer at Wired
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
1. Hackers liked his Twitter account - @mat
2. Twitter account profile contained a link to his personal website
3. Personal website disclosed his Gmail address
4. Hacker tried Google's reset-my-password page, and Google disclosed that the alternate non-Google e-mail address for the account was m---n@me.com
5. Hacker called Amazon.com and asked them to add a credit card to Mat's account. Amazon did this over the phone, because the hacker knew the name, billing address and e-mail address associated with the account.
6. Hacker called Amazon.com back and asked to add an e-mail to the account. Amazon did this over the phone, because the hacker knew the name, billing address and a credit card number associated with the account.
7. Hacker logged in to Mat's Amazon.com account, where it shows the last four digits of all credit card numbers you have on file.
8. Hacker called AppleCare tech support, claiming to be Mat Honan. To verify his identity, Apple asked for the billing address, and the last four digits of his credit card.
9. With a temporary password provided by Apple, the hacker logged in to Mat's me.com e-mail address. With this access, they could reset Mat's Gmail password.
10. With access to Mat's Gmail account, the hacker could reset Mat's Twitter password, and take over that account.
11. To make it harder to find the evidence of what they'd done, the hacker then wiped Mat's iPhone and iPad and MacBook (Apple lets you remotely wipe all information from the devices you have associated with your AppleID). The hacker also deleted his Gmail account.
Personal info revealed (cumulative, by the end of step 11): Twitter name; personal website address; Gmail address; me.com address (mat.honan?); last four digits of a credit card
Accounts compromised (cumulative): Amazon.com; Apple / me.com; Gmail; Twitter
Data lost: Gmail; phone, tablet and laptop contents
Ghost in the Wires
By Kevin Mitnick
http://www.amazon.ca/Ghost-Wires-Adventures-Worlds-Wanted/dp/0316037702
Was there any super-programmer, evil genius that wrote an unstoppable computer virus to make this possible?!
No!
This was accomplished using "social engineering," which has always been the most potent tool in the hacker's arsenal.
http://www.google.com/?gfe_rd=cr....
Parts of a URL, left to right: Protocol (often hidden), Subdomain (mostly irrelevant), Domain name, Top Level Domain (TLD)
https://easywebsoc.td.com/waw/idp/login.htm?execution=e1s1
Domain name is the one that belongs to TD Canada Trust
https://easywebsoc.td.com.banksite.cc/login.htm?execution=e1s1
Domain name is 'banksite' and TLD is .cc ?? Run!
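To turn "learn to read URLs" into a check you can actually run, here is an added example that is not part of the talk: it pulls the hostname out of a link and keeps only the domain name plus TLD, which is the part that decides who you are really talking to. The small set of two-part suffixes is an assumption for the demo; a real tool would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption for the demo: a few public suffixes that span two labels. A real
# tool would load the full Public Suffix List (publicsuffix.org) instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

def hostname_of(link: str) -> str:
    """The host part of a link. Everything after the first slash is ignored,
    and so is a 'user@' prefix, which is another way links try to fool you."""
    if "://" not in link:
        link = "http://" + link          # the protocol is often hidden in what you paste
    return (urlsplit(link).hostname or "").rstrip(".")

def registrable_domain(link: str) -> str:
    """Domain name + TLD: the only part of the link that says who owns the site."""
    labels = hostname_of(link).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    tail = ".".join(labels[-2:])
    if tail in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])      # e.g. example.co.uk, not just co.uk
    return tail

def is_really(link: str, expected_domain: str) -> bool:
    """True only if the link lands on expected_domain, whatever the subdomains say."""
    return registrable_domain(link) == expected_domain.lower()

if __name__ == "__main__":
    for link in ("https://easywebsoc.td.com/waw/idp/login.htm?execution=e1s1",
                 "https://easywebsoc.td.com.banksite.cc/login.htm?execution=e1s1"):
        print(registrable_domain(link), is_really(link, "td.com"))
```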
http://keepass.info/
Backups!
On your computer, keep your virus scanner up to date
Don't open suspicious attachments
(Your friends get viruses that send messages to everyone in their address book... so if a message doesn't contain information that only the sender would know, then it is suspicious.)
http://preyproject.com/
https://www.grc.com/misc/truecrypt/truecrypt.htm
This is what a secure password looks like:
nCo5"1A#iM@,h0CQW:=&JPcf/
Careful what you let your browser remember for you!
Don't use the same password everywhere!
Use "two factor" or "two step" authentication when possible, for really important stuff!
https
If there's no https and no "lock" symbol, you're not on a secure connection!
Comic courtesy of Randall Munroe, Creative Commons
Don't ever store credit card information on a website!
Except PayPal??
How much convenience is worth how much risk?
https://www.torproject.org/
Not really
When you request some information, like a webpage, a server on the internet needs to know where to send the information you asked for. So you are always revealing your "IP address" (think of it as your "internet phone number")
You also leave behind clues on your own computer, like "browser cookies."
And "flash cookies" (Google for "how to clear flash cookies")
"Private browsing" modes will not store cookies (but will still store flash cookies). They also don't prevent your IP address from being left behind in logs at your ISP and on the web servers you visit.
Pay attention to the privacy settings! They are always changing too.
And remember, once it's out there, you can't take it back.
If you put it on the Internet, consider it about as private as talking to your friends on the subway.
This Tweet was later "deleted"
Also, your physical location might be revealed!
(See the example under Protecting Your Computer for more info)
Software on your computer has access to what your computer is doing....
Prey does this to help you find your computer or phone. But viruses are software on your computer too, and they can do this without your consent. That's exactly why you never want them anywhere near your computer!!
It's easy to fake e-mail! But you can check the headers, for at least a sanity check:
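One way to do that sanity check programmatically, as an added example that is not from the talk (the message below is constructed, using reserved example domains): walk the Received: chain and compare the domain in From: against Return-Path: and the host that first handed the message in. A mismatch is a reason to look closer, not proof of forgery, because legitimate bulk mailers often send from a different domain than the one in From:.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real capture): From: claims bank.example, but the
# message entered the mail system from a host in example.net, and bounces go there too.
SAMPLE = """Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbox.example.com with ESMTPS; Mon, 17 Apr 2017 10:00:02 -0400
Received: from promo-box.example.net (promo-box.example.net [198.51.100.7])
    by mx.example.org with SMTP; Mon, 17 Apr 2017 10:00:01 -0400
From: Customer Care <security@bank.example>
To: someone@example.com
Subject: Please confirm your details

(body omitted)
"""

def domain_of(header_value: str) -> str:
    """Domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def received_hops(msg) -> list:
    """Hosts named in 'Received: from ...', newest hop (closest to you) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+([^\s(;]+)", value.strip(), re.IGNORECASE)
        if m:
            hops.append(m.group(1).lower().rstrip("."))
    return hops

def sanity_check(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    hops = received_hops(msg)
    origin = hops[-1] if hops else ""      # oldest hop: where the mail entered
    vouched = origin == from_domain or origin.endswith("." + from_domain)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "hops": hops,
        # only a hint: both the bounce address and the entry host disagree with From:
        "suspicious": from_domain != return_path_domain and not vouched,
    }
```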
Have someone who knows what they're doing keep the site up to date with security patches! Most attacks are automated and take advantage of known holes that have known fixes.
Make sure that all the computers where anyone makes changes to the website are completely clean and secure.
Use strong passwords for all access points to the website! (FTP, server control panel, website administrator accounts, etc.)
Make sure the people building your website understand what "XSS", "SQL Injection" and "CSRF" mean.
Software you install on your computer: a secure "password safe" for storing all your passwords (instead of writing them all down)
Software you install on your computer or phone, so you can remotely monitor it when it's stolen
A program you install on your computer, for scrambling the information on your hard drive, so it can't be read if your computer is stolen
Software you install on your computer, that you can use to make your activities online much harder (nearly impossible?) to track
What you don't want to happen!
Julian Egelstaff
I have worked in the computer industry for 20 years.

In 2003 I co-founded Freeform Solutions, which is a not-for-profit organization that helps other not-for-profits use IT better, so they can meet their missions more effectively.

Since 2016, I have continued to help not-for-profits develop and maintain effective data management systems, as an independent consultant and developer.
Privacy and Security Online
It's not being paranoid if they really are out to get you!
The "Cloud"
The Cloud is probably more secure than "local" storage systems that you're using right now.
That's because it's (supposed to be) always up to date with the latest security patches, has the best firewalls, has people monitoring the security logs daily, is physically secured, and the data is being backed up regularly.
It is also super convenient to have access to all your stuff, no matter where or what device you're using.
But it has obvious privacy implications. They might pledge never to look at your data, but the fact is, it's not on a computer you control anymore.
Photo courtesy of Daniel Boyd, Creative Commons
julian@polygon.red
@jegelstaff
Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
http://creativecommons.org/licenses/by-nc-sa/4.0/deed.en_US
Update!
Sadly, almost nothing is hard for computers to guess anymore... with "GPUs" and other tools, attackers can make billions of guesses each second!!
"...readers should take pains to make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, and numbers, and aren't part of a pattern."
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Surprise! Even without GPS, a computer can often be geo-located based on its Internet connection!!
Software on your computer can access all the resources and information on your computer, from the camera, to the files, to what you're typing!!
The problem is not people sitting at a keyboard guessing your password.
The problem is people stealing lists of "hashes" (scrambled, one-way versions of passwords).
Then they use computers to basically guess what all the passwords are. With enough guesses, they can get most of the passwords.
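The defender's side of this, as an added example that is not from the talk: a stolen list of fast, unsalted hashes can be guessed at full speed and one guess checks every user who chose that password, whereas a per-user salt plus a deliberately slow hash (PBKDF2 here, which is an assumption; the talk names no algorithm) makes each guess cost the attacker real work and forces them to attack every user separately.

```python
import hashlib
import hmac
import os

# Assumed demo value: raise it until one hash takes a noticeable fraction of a
# second on your server; every extra iteration is paid by the attacker on every guess.
ITERATIONS = 100_000

def fast_unsalted_hash(password: str) -> str:
    """What a badly built site stores: identical passwords give identical hashes,
    and checking a guess costs a single SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash, stored as iterations$salt$hash (hex)."""
    salt = os.urandom(16)                      # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    pw = "correct horse battery staple"        # constructed sample password
    print(fast_unsalted_hash(pw) == fast_unsalted_hash(pw))   # True: same for every user
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password("wrong", a))   # True True False
```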
The bottom line is the links. (See URLs)
If the domain and TLD in the link is suspicious, don't click! (learn to read URLs!)
aka: links, addresses, site names...
http://business.financialpost.com/2014/03/18/ottawa-bitcoin-exchange-defrauded-of-100000-in-easiest-heist-ever/
Oct 1 2013 - Thief steals $100,000 in bitcoins, by asking nicely
According to a text copy of the chat session obtained by the [Ottawa] Citizen, at no point during the nearly two-hour-long conversation was the caller asked to verify his identity. After being asked, the technical support worker gained access to Grant’s locked server pen, plugged in a laptop and then manually gave the fraudster access to Canadian Bitcoins servers, where he cleaned out a wallet containing 149.94 bitcoins, valued at around $100,000.
also: .org, .net, .ca, .gov, .edu, .tv, .coop, .biz, .name, .info, .fm, .ly, etc......
* Version 7.1a is OK for now, but no future versions are planned.
Some alternatives worth looking at:
https://veracrypt.codeplex.com/releases/
https://diskcryptor.net/
built-in tools in Windows (BitLocker), Mac (FileVault) and Linux (something with LUKS and dm-crypt)
(there can be more than one)
Ignore everything after the first slash!
Maintaining a website costs time and money. You get what you pay for.
Public WiFi
"Not in range"
How does it know that?
Because it's checking! All the time.
Your device reveals information about itself and you, just by being out in the world.
It will automatically connect to a network, if it thinks it has connected to that network before.
What you don't know is, "Who is listening?"
But it isn't hard to "spoof" network names. Are you sure the "Starbucks" network you're connecting to is the real Starbucks WiFi?
Whoever controls the network can listen to all the information you send over that network, even if it is encrypted (https).
Even if it is the real Starbucks WiFi, think hard about what you are broadcasting to the world.
Who supports this?
Google, Apple/iCloud, Microsoft, PayPal, Twitter, Dropbox, Facebook, some banks, various other services... More all the time...
Huh?!
Basically, besides entering your password, the site/service can send a code to your phone, and you have to enter that too.
So stealing a password is not enough. Attackers need your unlocked phone too.
"I have a hard time deciding how far in the sand to stick my head when it comes to privacy and security."
—My friend Laura Meil
This is a huge topic. There is a lot to know! It's hard to decide what to do about it all.
To learn what the actual URL behind a link is, copy the link location and paste it somewhere.

You can do this by right-clicking (PC) or control-clicking (Mac) on the link, and selecting "Copy location," "Copy address," "Copy URL" or whatever your software calls this option.
The "status bar" at the bottom of the window can be spoofed in some situations! Copy-Paste is the most reliable way to check.
What about your phone?
There is no equivalent of TrueCrypt for your phone.

Since iOS 8, iPhones are fully encrypted if you use a passcode to lock them. Older versions have some encryption features too.

Android encryption varies from phone to phone, but generally there is something you can turn on.
Goals!
1. Learn what you can control
2. Learn how they try to get you
3. Stick your head less far in the sand
Where you go, the info you leave behind, the software you use. Read URLs and use Two-Factor Authentication!
Surveillance
Prey on ignorance, trick you into giving up info, trick you into activating their software.
Find the right convenience/risk tradeoff for you, for each situation. Once you've learned what's stupid, don't do anything stupid!
Android phones are listening all the time, in case you say "OK Google," just like Amazon's Alexa.

No one knows how much of that audio they are recording, what they are doing with it, or who they're sharing it with.
Google records all your activity online. Look it up at https://myactivity.google.com
Plus, maybe your location too!
https://www.google.com/maps/timeline
Apple records similar information from your iPhone, they just tend to make it less easily accessible.
"What Orwell failed to predict was that we'd buy the cameras ourselves, and that our biggest fear would be that nobody was watching."
-Comedian Keith Jensen