Considerations and Resources for Practical Security
Evan Misshula
2018-02-25
Evan Misshula Considerations and Resources for Practical Security 2018-02-25 1 / 48
what to expect
a lot of this presentation is humorous
real references at the end
security is incremental
perfect is the enemy of getting better
what this is not
not about physical security
not a tutorial
not what to do if the FBI, CIA or FSB is after you
what we will cover: some important security problems
passwords
ssh keys
file security
mobile/wifi
my exposure
I worked for three years for Center for Cybercrime Studies
I took at the GC: Secure Operating Systems, Advanced Penetration Testing
I went to Eastern Regional Security Camps for the US Cyberchallenge for 2011 and 2012
I designed the curriculum for the High School for NSF/NSA Cybercamp at John Jay
password problem
different for each entity
longer is better
random is better
humans need help
What we all think
What about a really good password
or with a nerd’s imagination
terrible implications
One more problem
I will show you the solution I use
But there is one more problem
too short
A small slide-show from intel on passwords
So the problem for IT
So how does everyone do it?
Tutorials on ssh keys
OS X and Linux. Search: standard unix password manager. https://www.passwordstore.org/
Windows. Search: keeper. https://keepersecurity.com/personal.html
How a password manager works
one very strong password
it keeps all of your other usernames and passwords
it generates long random passwords
you login by copying and pasting from your manager to the website
Don’t lose your laptop
Keys
ssh keys are a pair of two large numbers
call one: public
call the other: private
that multiply to a very large number
That very large number is only divisible by each of these
It is equivalent to a 670 random character password
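Added example, not from the slides: the arithmetic behind "longer is better, random is better" and behind comparing an ssh key to a 670-character password. It assumes a 94-symbol printable alphabet, a 7776-word diceware list and a 4096-bit key, and it generates passwords from the OS CSPRNG the way a password manager does.

```python
import math
import secrets
import string

# Printable ASCII alphabet a password manager typically draws from (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
DICEWARE_WORDS = 7776  # size of a standard diceware word list (6**5), assumed here


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits: int, alphabet_size: int) -> int:
    """Shortest random password over the alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Each character comes from the OS CSPRNG (secrets), never from random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_styles() -> dict:
    """Entropy of three password styles, all assuming truly random selection,
    plus the password length that matches a 4096-bit key bit for bit."""
    return {
        "8 random printable chars": entropy_bits(8, len(ALPHABET)),
        "4 random diceware words": entropy_bits(4, DICEWARE_WORDS),
        "20 random printable chars (manager)": entropy_bits(20, len(ALPHABET)),
        "chars to match a 4096-bit key": chars_needed(4096, len(ALPHABET)),
    }


if __name__ == "__main__":
    for style, value in compare_styles().items():
        print(f"{style}: {value:.1f}" if isinstance(value, float) else f"{style}: {value}")
    print("manager-style password:", generate_password())
```

The numbers only hold when every character or word is chosen at random; a human-chosen phrase has far fewer bits than its length suggests, which is the reason the slides hand the job to a manager.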
Tutorials on ssh keys
OS X. Search: osx generate ssh keys. https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
Windows. Search: windows generate ssh keys. https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users
Linux. Search: ubuntu generate ssh keys. https://help.ubuntu.com/community/SSH/OpenSSH/Keys
So
And now:
But of course:
File security
We can use our keys to encrypt a file even if the whole drive is not encrypted
The encrypted file is called ciphertext
We can also use our private key to encrypt email
gmail has plugins to automatically use our private keys so all email is encrypted
search: gmail encrypted email. https://support.google.com/mail/answer/6330403?hl=en
Basic email security
Check before you click
1 Did this come from someone you know?
2 What is the file extension?
  don't click on anything ending in "pdf.exe", "docx.exe", "pptx.exe"
3 Videos (Adobe Flash) can execute arbitrary code on your computer
  1 Do not ever watch porn on a computer you need to keep secure
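Added example, not from the slides: the "pdf.exe" rule from the checklist as a screening function for attachment names. The slide names only the .exe case; the other executable suffixes and the document suffixes are a constructed list that applies the same rule, and padded names such as "photo.jpg        .scr" are handled as well.

```python
import os
from typing import List, Optional

# Suffixes Windows runs as a program on double-click. The slide names ".exe";
# the rest are a constructed extension of the same rule for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".pif"}
# Suffixes a reader expects on a harmless document; a program hiding behind one
# is the "pdf.exe" pattern from the checklist.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}


def extensions(filename: str) -> List[str]:
    """Every dotted suffix, lower-cased, with padding and empty parts removed:
    'Report.PDF        .exe' -> ['.pdf', '.exe']."""
    base = os.path.basename(filename.strip())
    return ["." + part.strip() for part in base.lower().split(".")[1:] if part.strip()]


def check_attachment(filename: str) -> Optional[str]:
    """Return a reason to refuse the attachment, or None if the name looks ordinary."""
    exts = extensions(filename)
    if not exts:
        return None
    last = exts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
        return f"program disguised as a document: {exts[-2]}{last}"
    return f"executable attachment: {last}"


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    for name in ["invoice.pdf.exe", "Slides.PPTX.EXE", "photo.jpg        .scr",
                 "setup.exe", "report.pdf", "archive.tar.gz", "README"]:
        print(f"{name!r}: {check_attachment(name) or 'ok'}")
```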
Mobile/wifi
Don’t do your banking at Starbucks on their wifi
Anything you share in plaintext is vulnerable
Don’t let your phone automatically connect
hackers use strong signals to get a shot at your mobile data
Great resources on security
Vern Paxson: http://www.icir.org/vern/
Avinash Kak: https://engineering.purdue.edu/kak/compsec/Lectures.html