
WORKSHOP: Digital security

WORKSHOP: Digital security. Assoc. Prof. Sarphan Uzunoğlu UiT | The Arctic University of Norway sarphan.uzunoglu@uit.no https://twitter.com/sarphanuzunoglu. 8 basic things to know about cyber security. 1. Information is power 2. The weakest link matters the most



  1. WORKSHOP: Digital security
     Assoc. Prof. Sarphan Uzunoğlu
     UiT | The Arctic University of Norway
     sarphan.uzunoglu@uit.no
     https://twitter.com/sarphanuzunoglu

  2. 8 basic things to know about cyber security
     • 1. Information is power
     • 2. The weakest link matters the most
     • 3. Simpler systems are safer
     • 4. More expensive isn’t more secure (sometimes it is worse)
     • 5. It’s ok to trust someone but think who and why
     • 6. You need to have reasonable expectations
     • 7. Keep informed and updated about the cyber security field
     • 8. Security is an issue of proactivity

  3. Some key reminders
     • Depending on the security environment, any file can be considered sensitive.
     • Control where information is shared and sent. Information should not be shared with anyone outside of a need-to-know basis, and controls should be in place to ensure that people receiving information do not share it repeatedly.
     • Reviewing access and changing passwords at regular intervals is a good idea. * (not too often)
     • In some places, just having these ICTs can be cause for arrest. Sensitive information on devices can be a target and a reason for profiling and arrest.
     • Consider two sayings: “Even walls have ears” and “Loose lips sink ships.”

  4. Risk assessment
     1. Identifying valuable assets (e.g., contact lists, research data, interview notes, or audiovisual files).
     2. Determining what threatens those assets and why you have them on your digital device.
     3. Assessing when and where the threats are likely to hit.
     4. Weighing the potential consequences.
     Think of layers:
     • Neighborhood.
     • Outside the office.
     • Start from the front door.
     • Consider your desk.
     • Your digital “space”.
     • Your “human network”.

  5. Ask yourself these questions!
     1. Who could your adversaries or potential attackers be?
     2. What tools might your potential attackers possess?
     3. How likely is your potential attacker to use their available tools against you?
     4. What risks could arise, for you and those you communicate/work with, from a targeted attack?
     5. What risks can be eliminated and how? Which should be addressed first?
     6. What defence strategies are practical, safe, effective, and instructible for my sources and colleagues, in light of their evaluated risks and/or the risks incurred by our communication?
     * Threats change all the time as attack technologies evolve. Levels of protection depend on the sensitivity of data and your risk levels.
     ** Be inclusive in your planning and judicious with permissions and access.

  6. How to protect your system?
     Your computer model:
     • Hardware threats: Theft, damage, physical capture, remote attack
     • OS: Malware, viruses, surveillance 'backdoors'
     • Middleware: programming that 'glues' together other programs; malicious code injection
     • Applications: Eavesdropping, password cracking, phishing
     * Updating is the key!

  7. Malware (!)
     • Any malicious software designed to disrupt or damage a computer system, or use its resources for financial gain
     • Includes viruses, trojans, ransomware, spyware, adware, etc.
     • No protection against them is 100%, but we have tools to detect and remove them
     • Anti-malware: Malwarebytes https://www.malwarebytes.com https://www.malwarebytes.com/mac/
     • Antivirus: Avast! https://www.avast.com/index

  8. Protecting your data
     Risks
     • Loss of data
     • Corruption
     • Interception (may not be detectable)
     • Theft
     • Recovery of 'deleted' data
     • De-anonymising/compromising metadata
     Actions
     • Authenticate securely
     • Back up – USB, ext. hard drive, Cloud
     • Encrypt – files or whole hard disk
     • Securely share – in-person, encrypted emails, file-sharing service (but beware Dropbox and Google Drive)
     • Securely delete – CCleaner, BleachBit, TAILS
     • Erase metadata

  9. Authentication
     • Application-level security
     • How do we log in to accounts?
     • Password – what you know
     • Token, mobile phone – what you have
     • Biometric – what you are (see next slide for further details)
     • Combination of two is most secure – two-factor authentication – offered by Facebook, Twitter, Google, LinkedIn, Yahoo, Dropbox, Outlook…
     • Task: Pick one of those accounts and enable two-factor authentication

  10. FAQ: Is biometric authentication secure?
     • Biometric identification is a technology that identifies and authenticates individuals based on physical characteristics.
     • A biometric identification system includes fingerprint identification, iris and retina, facial recognition, gait, or voice. But are these systems secure?
     • I think they are not since…
       • Biometrics aren’t private
       • Biometrics are hackable
       • Biometrics hacks may have greater consequences

  11. Passwords
     Risks
     • Forgetting and losing passwords
     • Overriding passwords by backdoors
     • 'Hacking' (unsophisticated pw theft)
     • Password cracking (more sophisticated way of accessing accounts)
     • Key loggers
     • Coercion into revealing passwords (physical threat)
     Actions
     • Use encryption and hidden volumes for important documents
     • Use 2FA
     • First and foremost, create strong passwords
     Q: What makes a good password?

  12. FAQ: How should we manage our passwords?
     • Unique for each account
     • Cannot be guessed
     • Strong – minimum of 16 characters and combination of letters, numbers, special characters, or … a passphrase
     • Howsecureismypassword.net – test yours but don’t be a fool!
     • Q: Is it better to remember or store passwords?
     • Password managers – standalone or browser-based
     • Some options: KeePass, LastPass, Dashlane…

  13. Key issues we’ll try to cover today
     • Web browsing & Public WiFi
     • Email Communication & Encryption
     • Voice & Video Calls
     • Secure Deletion of Files
     • TAILS OS & Accessories

  14. Web browsing
     • Risks: data collection – PID, passwords, location; malware; access blocks
     • Mitigation: use Chrome for daily activities, with privacy-enhancing add-ons, and Tor for anonymous browsing, surveillance evasion and disguising your location
     • HTTP vs HTTPS – how to tell the difference and why does it matter?
     • HTTPS Everywhere – https://www.eff.org/https-everywhere
     • If unsure about the safety of a page you want to visit, copy the link and paste it into www.virustotal.com or www.urlvoid.com – the sites will scan it for you

  15. Web browsing
     • Facebook Container – Don’t let Facebook track other tabs on your browser.
     • Cookie auto delete – When a tab closes, any cookies not being used are automatically deleted. Whitelist the ones you trust while deleting the rest. Support for Container Tabs.
     • Bloody Vikings – Simplifies the use of temporary e-mail addresses in order to protect your real address from spam.
     • Ghostery – Privacy ad blocker.
     • Firefox Multi-Account Containers – Lets you keep parts of your online life separated into color-coded tabs that preserve your privacy.

  16. Public WiFi: Public threat!
     • What are the risks associated with connecting to WiFi in a café, hotel, airport?
     • 1st rule: Don’t connect unless necessary
     • Verify the name of the WiFi you are connecting to
     • Turn off sharing on the network
     • Don’t use it for sensitive information
     • Keep WiFi off when not needed
     • If you have to use it, use a VPN (encrypted tunnel between two devices that allows you to access the internet privately) – but many providers are banned in Turkey

  17. Man in the middle (MITM)

  18. Email Communication
     Risks
     • Reading email content
     • Reading subjects
     • Seeing who and when you are contacting
     • Intercepting attachments
     • Tracking location
     • 'Man in the middle' attacks
     Actions
     • Strong authentication
     • Using trustworthy email provider
     • Email encryption
     • Verifying keys
     • Minimise info in subjects
     • Email from TAILS
     • Use anonymous email addresses that cannot be related to you

  19. E-mail encryption!
     FIRST OF ALL, ASK YOURSELF: DO I REALLY NEED IT?
     • Uses asymmetric encryption – public and private keys
     • Private key – decrypts messages; must not be shared with anyone other than the owner
     • Public key – used to encrypt message; is shared with whoever you’d like to exchange encrypted emails with
     • Pretty Good Privacy (PGP) – provides good standard of encryption and is easy to use
     • Does not encrypt subject line or protect metadata
     • Mailvelope – Chrome/Firefox add-on for email encryption: https://www.mailvelope.com/en/

  20. How does e-mail encryption work?

  21. E-mail encryption with Mailvelope
     1. Install Mailvelope on your browser
     2. Generate private and public keys using a strong password. You can choose to store your public keys in one of the open databases (keyservers) for people to find more easily.
     3. Exchange keys – send and receive via email (copy-paste or as .asc attachments) or search a public keyserver
     4. Save the recipient's public key
     5. Go back to your email window and compose a new email; the Mailvelope icon will pop up. Don't compose the email in the main window and don't navigate away from the pop-up.
     https://www.mailvelope.com/en/help
     Subjects and other metadata are not encrypted, so be vague.

  22. Internet Voice and Video Calling (VoIP)
     • Skype still most popular yet doesn't offer much security – transport, but not end-to-end encryption (i.e. Microsoft sees everything)
     • Ordinary calls from Skype to phones are not encrypted
     • Google Hangout – password protected and transport encrypted, but... Google
     • Jitsi – open source, encrypted, low bandwidth, without need to install anything, but be wary of sites pretending to be them!
     • https://meet.jit.si/

  23. Can I really get rid of my sensitive files?
     • Delete doesn't remove files, only the filename that identifies them
     • You can physically destroy the device – by fire, or hammer (Mr. Robot was here!)
     • For mobile phones there is factory reset, but with the right tools data can be recovered – physical destruction is the only secure way, but a lot of us back up into the Cloud
     • Anything that is in the Cloud cannot be reliably removed as the service provider and your connections will still have it; also, deleting an account may raise suspicion
     • 3rd party tools – CCleaner, BleachBit, Eraser (Are they always secure? Apparently not!)
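The point of slide 23, that deleting removes the name and not the content, shown as an added example that is not part of the original slides. It assumes a POSIX system; the file names and the sample "notes" are constructed, and the overwrite helper is an illustration, not how CCleaner, BleachBit or Eraser work.

```python
import os
import tempfile

SECRET = b"constructed interview notes"  # sample data, made up for this demo

def read_after_delete() -> bytes:
    """Delete a file's name, then read its content through a still-open handle."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SECRET)
        os.unlink(path)                  # what "delete" does: removes the name
        assert not os.path.exists(path)
        os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, len(SECRET))  # the bytes are still on disk
    finally:
        os.close(fd)

def overwrite_then_delete(path: str) -> None:
    """Replace the content with random bytes in place, flush, then unlink.
    Not reliable on SSDs, copy-on-write or journaling filesystems, or for
    copies that already went to a backup or cloud service."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        f.write(os.urandom(size))
        os.fsync(f.fileno())
    os.unlink(path)

def leftover_after_overwrite() -> bytes:
    """Keep a second name (hard link) as a witness to what stays on disk."""
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "notes.txt")
    witness = os.path.join(folder, "witness")
    with open(path, "wb") as f:
        f.write(SECRET)
    os.link(path, witness)
    overwrite_then_delete(path)
    with open(witness, "rb") as f:
        leftover = f.read()
    os.unlink(witness)
    os.rmdir(folder)
    return leftover

if __name__ == "__main__":
    print("readable after delete:", read_after_delete())
    print("after overwrite:", leftover_after_overwrite().hex())
```
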

  24. An alternative secure OS: Tails
     • Amnesic, incognito, live operating system used for greatest security
     • Boots from a USB stick – bypasses hard drive
     • Connects to internet anonymously via Tor browser
     • Built-in encrypted email and chat – Pidgin, Thunderbird
     • Built-in file encryption – LUKS – you can store files on same USB but this is not hidden
     • Password Protection – KeePass, PWGen
     • Includes open source editing software – LibreOffice etc.
     • Automatically updates
     • File sharing – OnionShare

  25. A more interesting alternative: Kali Linux
     • Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
     • It is maintained and funded by Offensive Security Ltd. Mati Aharoni, Devon Kearns and Raphaël Hertzog are the core developers.
     • The logo of Kali Linux appears on the background in the TV series Mr. Robot (2015) in episode 5 of season one.
     • You may use dozens of hacking codes easily through Kali Linux. (It is easier to hack your neighbor’s WiFi now)

  26. TOR Browser: Public enemy number one
     • Internet traffic is routed via a network of volunteers' computers, thus preventing internet providers from tracking you and storing information
     • Forces encrypted connections and avoids unsafe features (Flash etc.)
     • It will inevitably slow down your connection
     • Do not open documents downloaded from the internet while still running Tor
     • Make sure it is up to date
     • Tor is banned in many countries, incl. Turkey; however, this can be overcome by using 'bridged' mode (Tor Network settings – tick 'My ISP blocks connections to the Tor network' then get bridges from https://bridges.torproject.org )
     • https://www.torproject.org/

  27. Mobile security
     Risks
     • Logging of your current and past locations
     • Automatic collection of metadata
     • Theft and loss of data
     • Remote access to phone data over Wi-Fi, or anytime a phone is on
     • Tapping, intercepting, recording over mic or camera
     In short, mobile phones are not easily securable – if you want more security, use a burner phone

  28. Android vs. iPhone
     • Android is mostly open-source, so by nature more vulnerable
     • Apple doesn't release its source code
     • Software creators focus on mobile and release frequent patches – UPDATE
     • Apps in Apple have limited permissions
     • App Store and Google Play Store – Apple has always been better but recently Google Play Protect improved security – switch on scans
     • Privacy – Orbot for Android, Hide.me or ProtonVPN for iOS

  29. Mobile security – actions
     • PIN is a must (passcode is better)
     • Use encryption if available
     • Set lock screen timeout
     • Back up data
     • Prevent messages from showing on lock screen
     • Incognito browsing
     • Close applications after use
     • Do not connect to Wi-Fi and use flight mode when phone isn't needed
     • Delete browsing history
     • Use open source apps for encrypted communication (Signal)

  30. Metadata in documents and images
     • Author, date, software used to write, sometimes previous versions, location
     • You can change the settings of Word or LibreOffice to not store this data if you go to Properties/Preferences
     • When taking pictures with your phone, have your location switched off
     • Check properties before uploading online
     • Test if your images have any metadata: https://isc.sans.edu/tools/exif.html

  31. Most common attacks
     • Phishing and spear-phishing attacks
     • Malware and spyware
     • Man in the Middle
     • Account hijacking
     • Devices seized
     • DDoS – against websites
