security best practices for regular users
TRANSCRIPT
Security Best Practices For Regular Users
Geoffrey Vaughan, @mrvaughan, Security Engineer
Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory across all areas of the SDLC
• Former High School/Prison/University Teacher
• Occasionally I'm let out of my basement
• Travelled from Toronto to be here with you today
Why This Talk?
• I care about you and your data
• I'm tired of regular users suffering for mistakes made by large organizations (data breaches) or being caught by the simplest of phishing scams
• Often small adjustments in user behavior have a large impact on security / privacy
Tldr; If you only read one slide
Giving it all away at the beginning:
1) Use a password manager
2) Keep your devices up to date
3) Use 2-Factor Authentication on all your accounts
4) Free Wi-Fi comes at a cost – don't connect to untrusted networks
5) Lock and encrypt your devices (phones + computers)
For more info I wrote a Guide: https://web.securityinnovation.com/essential-guide-to-online-security
Beyond the Basics: How Paranoid Should I be?
• Protecting your data and privacy online can take a lot of effort
• Complete anonymity is really hard
• It will always be a trade off between usability and security/privacy
How paranoid should I be? It greatly depends on your personal threat model.
Threat Model?
Simplified definition: identify and quantify your weaknesses so you can come up with appropriate defenses.
Threat Modelling on Easy Mode
• What assets are you trying to protect?
• What threats are the assets under?
• What is the likelihood of a threat being realized?
• What measures can help mitigate or decrease the risk associated with the threat?
Assets to Protect
• Personal Information - Name, Age, DOB, Spouse, Children, Parents
• Personal Pictures, videos, documents
• Financial Information - Banking, loan, credit
• Your Location - Home address, places you frequent, or where you are right now
• Social Media accounts and data
• Physical Devices
• Business Assets on your devices
• Personal Communications/Conversations - Emails, Text Messages, Chat etc., phone calls
• Data about Data (metadata) – When you called someone, who you text messaged
Threats?
• Which of the assets are most important for you to protect?
• How might an attacker target each of those assets?
Personal Information
Threats
• Information obtained through public searchable resources (Google, phone/address look up)
• Attacker reads information leaked by peers (tagged pictures, connections)
• Social media post leaks info
Defenses
• Hack yourself – see what's out there
• Harden your social media security/privacy settings
• Use fake names / complete alter ego online
• Draw a very clear line between your public and private life
• Ask friends not to tag you
Social Media Settings
Personal Pictures, Videos, Documents
Threats
• Malware compromises mobile/desktop device
• Cloud backup account is compromised
• 'Auto post' feature publishes content automatically
• Data shared with a friend gets shared with others
Defenses
• Keep your devices up to date
• Use strong passwords on all online accounts
• Use multi-factor authentication wherever possible
• Be aware of all security/privacy settings for the applications you are using
https://twofactorauth.org/ (a directory of which sites support two-factor authentication)
Financial Information
Threats
• Attacker compromises online banking account (guesses PVQ, weak password, compromised email allows password reset)
• Attacker acquires enough information to perform credit/loan applications on your behalf
• Website you used improperly stores your information and your credit card/information gets compromised
• You use a malicious POS device and your credit card gets skimmed
• Paypal (or other) account is compromised
Defenses
• Lie on all PVQ (personal verification / "security") questions; the true answers are searchable, so store made-up ones in your password manager
• Strong passwords (password managers)
• Use multi-factor authentication
• Never give out SIN/SSN/personal code unless you are sure that the request is legitimate
• Big retailers are probably safer than mom/pop shops as they likely spend much more on security*
Password Managers
To name a few:
• LastPass
• 1Password
• KeePass
• Built-in to browsers (e.g. Chrome's password manager, Safari's iCloud Keychain)
Consider the features:
• Local encrypted database
• Remote 'cloud' features
• In-browser extensions
• Share passwords across devices or users
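As an added example (not part of the deck or any of the products it names), the following shows what a password manager's generator does and why its output beats anything memorable: it draws from the operating system's CSPRNG (`secrets`, never `random`), and strength is simply the number of picks times log2 of the number of equally likely symbols. It also shows the k-anonymity check from Have I Been Pwned's Pwned Passwords range API, which lets you test a password against breach dumps while sending only the first five hex characters of its SHA-1. The six-word list, the breach counts and the cracking rate are constructed stand-ins; the real wordlist (Diceware) has 7,776 words, and the real range response comes from `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII minus space: the alphabet most password managers draw random passwords from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed stand-in for a real passphrase wordlist (a Diceware list has 7,776 words).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "maple", "toronto"]


def entropy_bits(space: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `space` symbols: picks * log2(space)."""
    if space < 2 or picks < 1:
        raise ValueError("need at least two symbols and one pick")
    return picks * math.log2(space)


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG. Never use random.choice here: it is a
    Mersenne Twister seeded from the clock, and its output is reproducible."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words chosen uniformly, so strength is
    count * log2(len(words)); six words from a 7,776-word list is about 77.5 bits."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Time to try every candidate at a hypothetical offline rate (1e11/s is the order of a GPU
    rig against an unsalted fast hash; a slow KDF such as scrypt cuts it by orders of magnitude)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def hibp_split(password: str):
    """The range API takes only the first 5 hex chars of the SHA-1; the remaining 35 are
    compared locally, so the password itself never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against a 'SUFFIX:COUNT' response body fetched for that prefix.
    Fetching the body (GET https://api.pwnedpasswords.com/range/<prefix>) is left to the caller."""
    _, suffix = hibp_split(password)
    for line in range_body.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix and count.isdigit():
            return int(count)
    return 0


# Constructed range response for prefix 5BAA6: the first line carries the real SHA-1 suffix of
# "password"; the counts and the second line are made up for the demo.
SAMPLE_RANGE_BODY = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:2"""

if __name__ == "__main__":
    print(generate_password(), f"({entropy_bits(len(FULL_ALPHABET), 16):.1f} bits)")
    print(generate_passphrase(DEMO_WORDS), f"({entropy_bits(7776, 6):.1f} bits with a real list)")
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE_BODY))
```

The manager's real value is not the generator but the fact that every site gets a different output, so one breach (the deck's "website you used improperly stores your information") cannot be replayed against your bank.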
Your Location
Threats
• Government/ISP/App developer is able to ascertain your exact location at a particular time
• General public is able to ascertain your location:
  • Social media post leaks location
  • Image data leaks location
  • Misconfigured app leaks location
  • Content of image leaks location (OSINT)
  • Connected to untrusted wireless
• Motivated attacker is able to ascertain your location:
  • Compromised mobile device
  • Phishing email
  • Compromised mobile application/account
Defenses
• Complete burner phone + number, Tor/VPN use, completely separate accounts for the burner device
• Harden security settings, disable EXIF image metadata, be careful of the content of your posts
• Previously mentioned device defense strategies: keeping devices up to date, don't click untrusted links, strong passwords
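"Image data leaks location" refers to the Exif GPS tags a phone camera writes into every JPEG. The block below is an added example (not from the deck) that reads those tags and strips them, using nothing but the standard library: it walks the JPEG marker segments, parses the TIFF directory inside the Exif APP1 segment to pull out latitude and longitude, and produces a copy with the Exif and XMP segments removed while the pixel data is left untouched. The sample "photo" is constructed in code and is not a decodable picture; the coordinates in it are made up.

```python
import struct

SOS, APP1 = 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"   # XMP packets can carry GPS tags too
TAG_GPS_IFD = 0x8825                                # IFD0 entry pointing at the GPS IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each metadata segment before the scan data (SOS)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def strip_location_metadata(jpeg: bytes) -> bytes:
    """Drop every Exif and XMP APP1 segment; pixels are untouched. Caveat: orientation and camera
    info go with it, and a sharing platform may still attach its own location on upload."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        is_meta = marker == APP1 and (payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER))
        if not is_meta:
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]                              # SOS through EOI, copied verbatim
    return bytes(out)


def _read_ifd(tiff: bytes, offset: int, order: str) -> dict:
    """Parse one TIFF IFD into {tag: value}; all offsets are relative to the TIFF header."""
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        at = e + 8 if size <= 4 else struct.unpack(order + "I", tiff[e + 8:e + 12])[0]  # inline vs pointer
        raw = tiff[at:at + size]
        if typ == 2:                                                    # ASCII
            entries[tag] = raw.rstrip(b"\x00")
        elif typ in (3, 4):                                             # SHORT / LONG (first value)
            entries[tag] = struct.unpack(order + ("H" if typ == 3 else "I") * n, raw)[0]
        elif typ == 5:                                                  # RATIONAL pairs -> floats
            v = struct.unpack(order + "II" * n, raw)
            entries[tag] = [v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * n, 2)]
        else:
            entries[tag] = raw
    return entries


def gps_coordinates(jpeg: bytes):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    tiff = next((jpeg[s + 10:e] for m, s, e in _segments(jpeg)
                 if m == APP1 and jpeg[s + 4:s + 10] == EXIF_HEADER), None)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    order = ">" if tiff[:2] == b"MM" else "<"
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    gps_off = _read_ifd(tiff, ifd0, order).get(TAG_GPS_IFD)
    if gps_off is None:
        return None
    g = _read_ifd(tiff, gps_off, order)
    if not all(t in g for t in (1, 2, 3, 4)):       # LatRef, Lat, LonRef, Lon
        return None
    lat = sum(x / 60 ** i for i, x in enumerate(g[2]))   # degrees + minutes/60 + seconds/3600
    lon = sum(x / 60 ** i for i, x in enumerate(g[4]))
    return (-lat if g[1].startswith(b"S") else lat, -lon if g[3].startswith(b"W") else lon)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed input: SOI, JFIF APP0, an Exif APP1 holding only a GPS IFD, a stub scan, EOI."""
    def entry(tag, typ, n, value4):
        return struct.pack(">HHI", tag, typ, n) + value4
    def rationals(dms):                                  # each term as (numerator, denominator)
        return b"".join(struct.pack(">II", num, den) for num, den in dms)
    # Big-endian TIFF; offsets from the 'MM' header: IFD0 at 8, GPS IFD at 26, rationals at 80/104.
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += struct.pack(">H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(">I", 26)) + b"\x00" * 4
    tiff += struct.pack(">H", 4)
    tiff += entry(1, 2, 2, lat_ref.encode() + b"\x00" * 3) + entry(2, 5, 3, struct.pack(">I", 80))
    tiff += entry(3, 2, 2, lon_ref.encode() + b"\x00" * 3) + entry(4, 5, 3, struct.pack(">I", 104))
    tiff += b"\x00" * 4 + rationals(lat_dms) + rationals(lon_dms)
    exif = EXIF_HEADER + tiff
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    scan = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app0 + app1 + scan + b"\xff\xd9"


# Constructed coordinates: 43 deg 39' 12.0" N, 79 deg 23' 0" W (downtown Toronto).
SAMPLE_PHOTO = build_sample_jpeg([(43, 1), (39, 1), (120, 10)], "N", [(79, 1), (23, 1), (0, 1)], "W")

if __name__ == "__main__":
    print("before:", gps_coordinates(SAMPLE_PHOTO))
    print("after: ", gps_coordinates(strip_location_metadata(SAMPLE_PHOTO)))
```

Stripping on your own device is the only part you control: most large social platforms drop Exif on upload, but messaging apps and email attachments forward the original file, and the "content of image leaks location" threat on the next slide is untouched by any of this.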
Image Content / Open Source Intelligence
http://blog.ioactive.com/2014/05/glass-reflections-in-pictures-osint.html
• Tweeted a picture from a hotel
• Previous tweet said they were in Miami
• Hacker used hotel room images on travel websites to find the hotel based on window structure and reflections
• Used Google Earth to render similar views and get an estimation on floor and building area
Tinder API
http://blog.includesecurity.com/2014/02/how-i-was-able-to-track-location-of-any.html
• In 2014 the Tinder API allowed trilateration of a user's exact location
• Used in conjunction with GPS spoofing
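To make the "trilateration with GPS spoofing" idea concrete, here is an added example that is not the Include Security code and calls no real API: it simulates a service that reports "distance to this user" from the caller's (spoofed) position, takes three such readings, and solves for the user's location on a local flat-earth plane. The target and probe coordinates are constructed. The rounding option shows the usual mitigation, coarsening the reported distance, and how much precision it costs the attacker.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; stands in for the distance figure a service reports."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def trilaterate(probes):
    """Recover (lat, lon) from three (lat, lon, distance_m) probes.

    Each probe is a position the attacker spoofed their own GPS to, paired with the distance the
    service reported from there. On a local flat plane the three circles reduce to two linear
    equations once the first is subtracted from the others; solve them with Cramer's rule."""
    if len(probes) != 3:
        raise ValueError("exactly three probes are needed for this closed-form solution")
    lat0, lon0, _ = probes[0]
    k = math.cos(math.radians(lat0))          # a degree of longitude shrinks with latitude

    def to_xy(lat, lon):
        return (EARTH_RADIUS_M * math.radians(lon - lon0) * k,
                EARTH_RADIUS_M * math.radians(lat - lat0))

    (x1, y1), (x2, y2), (x3, y3) = (to_xy(la, lo) for la, lo, _ in probes)
    d1, d2, d3 = (d for _, _, d in probes)
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1 ** 2 - d2 ** 2 + x2 ** 2 + y2 ** 2 - x1 ** 2 - y1 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1 ** 2 - d3 ** 2 + x3 ** 2 + y3 ** 2 - x1 ** 2 - y1 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("probes are collinear; pick a third point off the line")
    x = (c * e - b * f) / det
    y = (a * f - c * d) / det
    return (lat0 + math.degrees(y / EARTH_RADIUS_M),
            lon0 + math.degrees(x / (EARTH_RADIUS_M * k)))


def simulate_attack(target, probe_points, round_to_m=None):
    """Ask the simulated service for the distance from each spoofed position, optionally quantised
    the way a defensive service would coarsen it, then solve. Returns (estimate, error_m)."""
    probes = []
    for lat, lon in probe_points:
        dist = haversine_m(lat, lon, *target)
        if round_to_m:
            dist = round(dist / round_to_m) * round_to_m
        probes.append((lat, lon, dist))
    est = trilaterate(probes)
    return est, haversine_m(*est, *target)


# Constructed scenario: a user in downtown Toronto and three spoofed positions one to two km away.
TARGET = (43.6532, -79.3832)
PROBES = [(43.6600, -79.3900), (43.6450, -79.3700), (43.6650, -79.3750)]

if __name__ == "__main__":
    est, err = simulate_attack(TARGET, PROBES)
    print(f"exact distances: {est}  error {err:.1f} m")
    est, err = simulate_attack(TARGET, PROBES, round_to_m=1000)
    print(f"rounded to 1 km: {est}  error {err:.1f} m")
```

Any app that shows "X km away" with more precision than it needs is giving this away; from the user's side the only real defenses are the ones on the previous slide (location permissions off, separate accounts on a burner device), since the leak is in the service, not the phone.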
Social Media Accounts and Data
Threats
• Social media account gets compromised resulting in information disclosure, posting on your behalf, or data loss
Defenses
• Strong passwords
• 2-Factor Authentication
• Restrict third party app access
• Review security settings
• Protect your email account similarly (password resets)
• Avoid phishing scams
Physical Devices
Threats
• Lost or stolen device results in all data being lost/compromised
• Your device is inspected at a border crossing
• Your device is compromised while being unattended
Defenses
• Strong device password
• Full disk encryption (usually enabled by default on mobile devices when you apply a password)
• Restrict what data you keep on your device (if concerned)
• Consider implications of online vs. local backups
• Use and test a "lost my device" app
• Enable remote wipe capabilities (never a guarantee)
Business Assets
• All other threats/defenses apply except now the implications are more severe
• Greater care needs to be taken with corporate assets
• Consider implications on personal assets if a BYOD policy allows remote management/monitoring/removal of your data
• Recommend separating business and pleasure, or revise your threat model to consider additional threats
Personal Communications/Conversations
Threats
• Attacker/ISP/App Provider/Nation State intercepts communication data in transit and reads conversation
• Receiver forwards conversation to third party
• App Provider is compromised leaking all conversation logs
• Government requests app provider to turn over data
Defenses
• Gold Star: Signal Messenger (now with disappearing messages)
• Decent: Wickr
• Getting Better: Facebook Messenger, WhatsApp
• Avoid: SMS
• A couple companies that have proven they have your back: Open Whisper Systems (Signal), Apple, Facebook
Data About Data
Threats
• You consider information about who you are talking to and when to be sensitive information
• Attacker/ISP/App Provider/Nation State/Untrusted Wireless is able to collect metadata about your communication/activity
Defenses
• Anonymity is hard. At this level even the best get caught
• Burner phones / accounts
• Full Tor/VPN would make it difficult for organizations to collect data
• Time delayed messages might mask some traffic
• Create additional noise in communications, talk to more people more often
Resources
I wrote a paper: https://web.securityinnovation.com/essential-guide-to-online-security
Another talk today
I'm also presenting one other talk today on a completely unrelated subject: Catching IMSI Catchers: Hunting the hunter. Can you tell if your phone's being captured by a rogue cell phone tower / IMSI catcher / Stingray?
Thank you
Geoffrey Vaughan, @mrvaughan, @SecurityInnovation