8 Practices for Better Security & Privacy - Public


Mark Swenson

on 12 October 2011


Transcript of 8 Practices for Better Security & Privacy - Public

8 Practices for Better Security & Privacy

The eight practices:

Have a Personal Password Policy
Inoculate against Viruses & Spyware
Don't Fall Behind in Updates
Be Suspicious
Be Careful in Public
Know Where Information Escapes
Be Prepared
Secure the Premises

Be Suspicious

Doubt anything sensational: check whether it is a myth or a common fraud before you act on it or pass it on.

Inoculate against Viruses & Spyware

No matter how careful you are, it's possible to get hit by a virus.

If you already have antivirus software, keep it up-to-date

If you don't have antivirus software, download Microsoft Security Essentials (http://www.microsoft.com/Security_Essentials). It's free, lightweight, and good. (Microsoft has since retired Security Essentials; Windows 8 and later ship its successor, Microsoft Defender, built in.)

Know the look and feel of your own antivirus software, so that you can tell a fake "your computer is infected" pop-up from a real alert. Fake antivirus warnings are a common way of tricking people into installing malware.

Secure the Premises: Router, Firewall, Wireless

If you have your computer connected directly to a DSL or cable modem, add a router in between. They are not expensive (about $50), allow you to add more computers to your network, and act like a hardware firewall, protecting your home network.

Always change the default password for your router. Many security threats take advantage of default passwords.

All modern operating systems have a built-in firewall. Use it. It provides an extra layer of protection that can be useful, particularly if something happens with your router.

Secure your wireless network with WPA2 (or WPA3 where available), never WEP. WEP can be broken in minutes, and the original WPA with TKIP is no longer considered secure either.

Use a strong wireless password.

Be Prepared

No matter what you do...

Viruses & malware may wind up on your computer

Your hard drive may crash

Your computer may get fried in a power surge

...or something else may go wrong that you never anticipated.

Protect your important information by backing up.

Back up to CD, DVD, or an external hard drive to keep a local copy.

You can use a service like Dropbox (http://www.dropbox.com), Wuala (http://wuala.com), or Windows Live Mesh (http://explore.live.com/windows-live-mesh) to synchronize information between multiple computers using the Internet. Consider encrypting sensitive files before upload, for example with TrueCrypt (whose development ended in 2014; VeraCrypt is its maintained successor), so that the service never sees the plaintext.

You can use a paid service like Carbonite ($55 a year, http://www.carbonite.com/).

Know Where Information Escapes

You probably know about cookies... Using a cookie (some information in a text file stored on your computer) a website can know who you are when you visit it again.

...but what about 3rd party cookies...

A 3rd party cookie stores information about you on behalf of a site other than the one you are currently visiting.

For instance, if I go to Amazon.com, I expect to get a cookie from Amazon so they remember who I am the next time I visit.

I don't expect to get all the cookies from other companies' sites that actually arrive along with that page. Firefox and other browsers will let you restrict 3rd party cookies.

...or Flash cookies...

Adobe Flash uses its own cookies (Local Shared Objects) that are not affected by browser cookie settings.

Banks frequently use them (even if they don't use Flash for anything else) to keep information about you on your computer that will survive the clearing of browser cookies. You can right-click any embedded Flash object on a website (like a YouTube video) and choose the global settings, which takes you to a website that lets you edit your Flash cookies. (Flash itself reached end of life at the end of 2020, but the lesson stands: tracking data can live outside the browser's cookie jar.)

...but websites don't need cookies to track you. A website that wants to track you can note:
Your operating system version
Your browser type
Your browser version
Your system clock time
The plugins you have installed
The versions of the plugins you have installed
Your screen resolution
Your IP address
Your time zone
Some of the items in your browser cache

...to generate a profile which has a good probability of being unique, with no cookie involved at all.

So What Can You Do?

If you are concerned about privacy you can:

Keep track of cookies stored on your machine and disable 3rd party cookies
Disable JavaScript if it is not needed (NoScript add-on for Firefox)
Install the Ghostery plugin and use it to manage 3rd party tracking
Switch between different browsers and/or run browsers from within a virtual machine

All of these can help mitigate the problem, but they can be complicated to do and may not always be effective. You are safest if you just never assume that you are completely anonymous on the web.
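To make the first-party / third-party distinction from the cookie discussion above concrete, here is an added example; it is not code from the presentation. It assumes that the "site" of a URL is its last two DNS labels (amazon.com), which is a simplification: real browsers consult the Public Suffix List so that names like example.co.uk come out right. The page URL, the embedded resources and their Set-Cookie headers are constructed for the example.

```python
"""Which cookies on a page are third-party?

Added example, not from the original presentation. A cookie is third-party
when it is set by a different site than the one in your address bar. "Site"
is approximated here as the last two DNS labels of the host (amazon.com),
which is an assumption: real browsers use the Public Suffix List so that
names like example.co.uk are handled correctly. The page URL, the resources
it loads and the Set-Cookie headers below are constructed for the example.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: a product page and the Set-Cookie headers returned by
# the page itself and by three resources embedded in it.
PAGE_URL = "https://www.amazon.com/dp/B000000000"
RESPONSES = [
    (PAGE_URL,
     "session-id=abc123; Domain=.amazon.com; Path=/; Secure; HttpOnly"),
    ("https://amazon.com/ref=nav_logo",
     "ubid=xyz789; Path=/"),
    ("https://pixel.example-ads.net/p.gif?site=amazon",
     "uid=7f3a; Domain=.example-ads.net; Path=/; Max-Age=31536000"),
    ("https://cdn.example-analytics.com/t.js",
     "_ea=visitor-42; Path=/; Max-Age=63072000"),
]


def site_of(url: str) -> str:
    """Registrable domain of a URL (assumption: last two labels)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_cookies(page_url, responses):
    """Return one record per cookie: name, the site that set it, whether it
    is first- or third-party relative to the page being visited, and whether
    it outlives the browser session."""
    page_site = site_of(page_url)
    records = []
    for resource_url, set_cookie in responses:
        jar = SimpleCookie()
        jar.load(set_cookie)          # parses "name=value; attr; attr=val"
        setter = site_of(resource_url)
        for name, morsel in jar.items():
            records.append({
                "name": name,
                "setter": setter,
                "party": "first" if setter == page_site else "third",
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
            })
    return records


def third_party_setters(page_url, responses):
    """Sorted list of the sites that set third-party cookies on this page."""
    return sorted({r["setter"] for r in classify_cookies(page_url, responses)
                   if r["party"] == "third"})


if __name__ == "__main__":
    for r in classify_cookies(PAGE_URL, RESPONSES):
        kind = "persistent" if r["persistent"] else "session"
        print(f"{r['party']:5}-party {kind:10} cookie {r['name']!r} set by {r['setter']}")
    print("third-party sites:", third_party_setters(PAGE_URL, RESPONSES))
```

Note what the persistence column shows: the two first-party cookies are session cookies, while both trackers set cookies with a Max-Age of one or two years. That long lifetime is what lets a third party recognise you across many unrelated sites, and it is exactly what the "disable 3rd party cookies" setting cuts off.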
Don't Fall Behind in Updates

Windows Updates

It used to be the case that making sure that Windows was up-to-date was all that was necessary to make sure your computer was safe.

But as Microsoft has adopted a more proactive defense to fight security problems in its software, attackers have discovered ways to take advantage of bugs in other commonly installed applications (iTunes, Adobe Flash, QuickTime, Adobe Reader, Firefox) to get around the increased security in Windows and get viruses and malware on your computer.

So make sure all the software you use stays up-to-date, not just Windows!

Be Careful in Public

Public Wireless is Insecure by Nature

Traffic on an open public wireless network (one that needs no password to join) is sent unencrypted over the air.

Anyone else on that wireless network can see information being sent from and back to your computer. (A hotspot password that is handed out to every customer doesn't change this much: anyone who knows it and is listening when you connect can generally decrypt your traffic as well.)

Your information is much more exposed on a small network (like a wireless hotspot) than it is once it's gotten out onto the Internet.

Protect Yourself with Encryption

If you are typing any logins and passwords, make sure that the page you are doing it on is using HTTPS (in Firefox you can use HTTPS Everywhere and Certificate Patrol).

If you can, use newer browsers that support HSTS like Chrome, Firefox 4+ (or Firefox with NoScript)

Try to avoid doing things of a sensitive nature in a public wireless environment if you can.

What is HTTPS?

Regular web browsing uses HTTP (Hypertext Transfer Protocol) to load web pages. Pages loaded like this can be seen by someone else on the network (if they are spying on you).

HTTPS means secure HTTP. These pages are authenticated and encrypted using a certificate. "Authentication" means that someone has verified that this website really is who it says it is. "Encrypted" means that the content has been encoded in such a way that only someone with special knowledge can read it. For computer encryption this means something much more sophisticated than "Illinois" > "Vyyvabvf" (a simple ROT13 letter substitution).

More about HTTPS

Some companies pay for special HTTPS certificates (Extended Validation) where the company that creates the certificate does extra work to make sure the website really is who they say they are. At the time of this talk your browser would let you know that it was using a certificate like this with green highlighting; the major browsers have since dropped that special indicator.

Sometimes you'll find an HTTPS page where you get an error for some reason. Your browser warns you about this and tries to dissuade you from using the site. This means that there's something strange about the certificate. In these cases the site is encrypted but not authenticated (meaning the browser isn't really sure that the site is who it says it is). Be cautious if you see this: on a public network it could be someone interfering with your connection, so don't click through the warning on a site you are about to log in to.

What is HSTS?

HSTS stands for HTTP Strict Transport Security. It was a brand new standard at the time of this talk and was being implemented in newer web browsers (it was published as RFC 6797 in 2012). With HSTS a website (like PayPal) tells your browser to always connect to it using HTTPS and never connect to it using HTTP. This prevents some common attacks that can occur in public networks like hotspots, such as quietly downgrading your connection from HTTPS to HTTP so that your login goes over the air in the clear.

You don't need to do much to turn HSTS on: it's built into the browser. At the time only a handful of websites were using it (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), but it is an important security technology.

What is Online Security? When am I Secure?

If you are secure online you are free from danger of online attack and free from the risk of having your information intercepted and misused by untrusted parties.

Convenience is the enemy of security. The more convenient something is the less secure. The more secure it is, the less convenient.

Security is not a state but a process. You can strive toward good security practice, but (particularly in the land of networked computers) you'll never reach a security nirvana.

Have a Personal Password Policy

A Password Should be:

Long
A mix of characters
Unique

Length

Bad guys can use fancy equipment to check BILLIONS of passwords a second, so every extra character multiplies the work they have to do.

Character Mix

You can increase the alphabet size by mixing in different kinds of characters:

agxre = Uses a 26 character alphabet (lowercase letters)
AgXre = Uses a 52 character alphabet (adds uppercase)
AgXr3 = Uses a 62 character alphabet (adds digits)
Ag%r3 = Uses a 95 character alphabet (adds printable symbols)

How can you have long, mixed-character, unique passwords for every site and remember them? Easy to remember doesn't mean short or simple. Take something you can remember:


mix up the characters a bit


and then you can choose garbage repeating text (of your choosing) to pad it out:

l1N(3n$ER$ER$ER$ER$ER$ER

How to avoid reusing the same password for dozens of sites?

Use password management software:
LastPass (Free / Premium $12 a year)
KeePass (Free)

Generate complex passwords for each site and use your long, easy to remember password to secure those.

Alternatively you could modify your password for every site you go to in a hard-to-identify but predictable way:


for www.amazon.com (taking the second and second-to-last letters and repeating them), although there is a risk an attacker might be able to figure this pattern out if they found your password somewhere. A password manager avoids that risk entirely.

Be Suspicious of Email

Don't click on links in email. Exception: if

you know who sent it to you
you know why they sent it
you are VERY careful

then MAYBE you can click on a link in email.

If your email service/program gives you the option, stop pictures from loading automatically (an image fetched from the sender's server tells them that you opened the message, and when).

Length: the arithmetic

agxre = 5 letter password.
Possible passwords of that length = 26^5 = 11,881,376
Can be brute forced in 0.000124 seconds

asldfjioojewrvnxasdrd = 21 letter password.
Possible passwords of that length = 26^21 = 518,131,871,275,444,637,960,845,131,776
Can be brute forced in 1.71 billion centuries
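The arithmetic behind the figures above, as an added example that is not part of the original presentation. The one assumption is the attacker's guessing rate, which is derived from the talk's own figure (26^5 guesses in 0.000124 seconds works out to about 9.6e10 guesses per second); the alphabet tiers are the 26/52/62/95 sets from the Character Mix slide, and the example also covers the padded haystack password shown earlier.

```python
"""Brute-force search-space arithmetic behind the talk's figures.

Added example, not from the original presentation. The only assumption is
the attacker's guessing rate, which is derived below from the talk's own
numbers (26^5 passwords in 0.000124 s, i.e. about 9.6e10 guesses/second).
"""
import string

LOWER = string.ascii_lowercase                           # 26
LETTERS = string.ascii_letters                           # 52
ALNUM = string.ascii_letters + string.digits             # 62
PRINTABLE = "".join(chr(c) for c in range(32, 127))      # 95 printable ASCII

# Rate implied by the talk: 26**5 guesses in 0.000124 seconds (assumption).
GUESSES_PER_SECOND = 26 ** 5 / 0.000124
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that covers every
    character of the password: 26, 52, 62 or 95, as in the talk."""
    for tier in (LOWER, LETTERS, ALNUM, PRINTABLE):
        if all(c in tier for c in password):
            return len(tier)
    raise ValueError("password contains non-ASCII or control characters")


def keyspace(password: str) -> int:
    """Number of passwords of the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker has to try the whole keyspace."""
    return keyspace(password) / rate


def brute_force_centuries(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return brute_force_seconds(password, rate) / SECONDS_PER_CENTURY


def describe(password: str) -> str:
    """One-line summary in the style of the slides."""
    secs = brute_force_seconds(password)
    if secs < 60:
        when = f"{secs:.6f} seconds"
    elif secs < SECONDS_PER_CENTURY:
        when = f"{secs / (365.25 * 86400):.1f} years"
    else:
        when = f"{secs / SECONDS_PER_CENTURY:,.0f} centuries"
    return (f"{password!r}: {len(password)} chars over a {alphabet_size(password)}-character "
            f"alphabet, {keyspace(password):,} possibilities, brute forced in {when}")


if __name__ == "__main__":
    for pw in ("agxre", "AgXre", "AgXr3", "Ag%r3",
               "asldfjioojewrvnxasdrd", "Tw1x=T4stee",
               "l1N(3n$ER$ER$ER$ER$ER$ER"):
        print(describe(pw))
```

These numbers describe an attacker who knows nothing and tries every string. Real cracking tools try leaked wordlists, mangling rules and repeated fragments first, which is why the uniqueness and hashing points that follow matter at least as much as raw length.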

Uniqueness

Reusing passwords is risky. If I like Tw1x=T4stee as my password and I use it for

Website A (login mswenson@winnetkalibrary.org)
Bank B (login mswenson@winnetkalibrary.org)

What happens???? Website A gets H@CK3D.

What Website A should have been doing?

Store my password as a hash.

Cryptographic Hash


is saved in Website A's database as


This can't be directly reversed back into Tw1x=T4stee: an attacker has to guess candidate passwords and hash each one until something matches. That only costs them years of work if the password is strong and the site used a slow, salted password hash; a plain fast hash of a common password is found in a lookup table in seconds.
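What "store my password as a hash" should look like in practice, as an added example (not code from the presentation or from the site in the story). It uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, and sets an unsalted single SHA-1 hash beside it to show why "can't be reversed" depends on both the password and the hash. The iteration count, the sample password record and the small wordlist are constructed for the example; the count is an assumption to be tuned to the server.

```python
"""Storing passwords the way Website A should have.

Added example, not from the original presentation. It contrasts the plain
text store from the story with a salted, deliberately slow password hash
(PBKDF2-HMAC-SHA256 from the standard library). The iteration count, the
sample password and the small wordlist are constructed for the example;
the count is an assumption and should be tuned to the server's speed.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumption: makes each guess cost a few hundred ms of CPU


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)                       # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password hash format")
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, expected)


# --- What "can't be reversed" really depends on -----------------------------

def unsalted_sha1_hex(password: str) -> str:
    """The weak way: one fast, unsalted hash. Every site that does this
    stores the same digest for the same password, so a precomputed table
    (or a quick dictionary run) recovers it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for the billions of leaked passwords an
# attacker really uses.
WORDLIST = ["password", "123456", "letmein", "Tw1x=T4stee", "winnetka2011"]


def crack_unsalted(digest_hex: str, wordlist=WORDLIST):
    """Dictionary attack on an unsalted SHA-1 digest: hash each candidate once."""
    for candidate in wordlist:
        if unsalted_sha1_hex(candidate) == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    record = hash_password("Tw1x=T4stee")
    print("stored:", record)
    print("login with right password:", verify_password("Tw1x=T4stee", record))
    print("login with wrong password:", verify_password("Tw1x=T4stea", record))
    leaked = unsalted_sha1_hex("Tw1x=T4stee")
    print("unsalted sha1 recovered as:", crack_unsalted(leaked))
```

Two things to notice. The salt means Website A and Bank B would store different records even for the same password, so a crack of one database does not translate directly to the other. And the iteration count is what turns "billions of guesses a second" into a few thousand: the attacker pays the same cost per guess that the legitimate login does.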

Stored my password in plain text:

Tw1x=T4stee

The H@ck3rs now have my login & password for Bank B.

Password Haystacks

The padded password shown earlier (l1N(3n$ER$ER$ER$ER$ER$ER) uses what is called a "Password Haystack": hiding a short high-entropy password in a long low-entropy password. Bear in mind that the padding only helps against an attacker guessing blindly; cracking tools try repeated fragments and common patterns, so the real strength still comes from the short high-entropy part, and the padding is a bonus rather than a substitute for it.

For more on Password Haystacks see: https://www.grc.com/haystack.htm

Be Suspicious of People You Know

If people use a weak password or their computer gets compromised, someone else can use their account.

A common scam is to ask for money in a dire situation ("I'm in Madrid and my wallet was stolen. Please wire money to...."). Ask yourself if this person really would communicate with you in this way (rather than calling) if they were stuck in Europe with no money. Be suspicious of messages from people you know if they are out of character