Online Security 101
Presented by Brad Frank
http://people.hmdc.harvard.edu/~bfrank/techtalk


Threats and attacks

Social engineering
A "Microsoft technician" cold calling and asking for money is never legit.

Phishing scams
A Nigerian prince offering you millions of dollars is never legit.

Malware
A website that claims your computer is infected with viruses is never legit.

Legitimate protection

Wisdom in general
Keep everything (OS, browsers, software) up to date.
If it looks suspicious (bad spelling and grammar), don't click on it.
Encrypt your computer: BitLocker (Windows), FileVault (Mac), LUKS (Linux).

Windows specific
Upgrade to Windows 7 or 8; ditch XP.
Research anti-virus at www.av-test.org/en/tests/home-user.
Harvard ESET is available at www.eset.com/us/harvard.
Malwarebytes Pro is worth paying for.
If unsure about anything, search Google or ask an IT person!

Browsing securely

Use a modern browser
Chrome, Firefox, Safari, or IE9+ are excellent choices.

Disable built-in password managers
Passwords are rarely encrypted.

Only use official add-ons
chrome.google.com, addons.mozilla.org, extensions.apple.com, iegallery.com
It's like an app store for your browser.
They are legitimate and vetted.

Enhancing security

Uninstall Flash
Chrome and IE10 "Metro" (Windows 8) include built-in Flash.
Switch to HTML5 wherever possible (e.g. youtube.com/html5).

Use Incognito, Private Browsing, InPrivate
No information about your browsing history is saved.

Consider these add-ons
Web of Trust: http://www.mywot.com/
DoNotTrackMe: https://www.abine.com/dntdetail.php
HTTPS Everywhere: https://www.eff.org/https-everywhere
NoScript: http://noscript.net/

OpenDNS

Blocking compromised websites
Malware, botnet, and phishing websites are blocked.
The Pro version monitors outbound traffic for known attacks.

Filtering undesirable websites
Customizable for family filtering via categories (e.g. pornography).

What is HTTPS?

One part HTTP
Stands for Hypertext Transfer Protocol.
The language all browsers use to talk to web servers.
Information is transferred in plain text, and can be read by anyone.

One part Secure Sockets Layer (SSL)
Now called Transport Layer Security (TLS).
Only the browser and server can read information passed back and forth.
Acts like an envelope with a wax seal.

HTTP + TLS/SSL = HTTPS
Always look for it.

How HTTPS works

Proving you are who you say you are
Websites purchase a digital certificate to prove their identity.
Browsers download certificates from their respective websites.
Certificates contain the website's "public key".

Third-party validation
The certificates are issued and validated by Certificate Authorities.
Certificate Authorities undergo annual security audits.

Impersonation happens
Browsers check their Certificate Revocation List... in theory.

Compromised websites

Website          No. of accounts   Passwords
RockYou.com          32,000,000    plain text
Gawker                1,200,000    hashed
Plenty of Fish       28,000,000    plain text
Sony PSN             70,000,000    plain text
Twitter                  58,978    hashed
LinkedIn              6,458,020    hashed
eHarmony              1,500,000    hashed
Yahoo                   400,000    plain text
Evernote             50,000,000    hashed
LivingSocial         50,000,000    hashed
Drupal                1,000,000    mixed
Total               240,616,998

Most common passwords

Rank   RockYou      Gawker       Sony
 1     123456       123456       seinfeld
 2     12345        password     password
 3     123456789    12345678     123456
 4     Password     lifehack     princess
 5     iloveyou     qwerty       peanut
 6     princess     abc123       shadow
 7     rockyou      111111       ginger
 8     1234567      monkey       michael
 9     12345678     consumer     sunshine
10     abc123       12345        tigger

Public disclosure

Compromised personal data
Personal data includes social security numbers, credit card info, etc.
Passwords get reused on other websites, including banking.
Disclosure helps prevent fraud and theft.

Deterrents
Restitution to customers, cost of forensics and closing the security hole.
Potentially bad PR or negative public image, and loss of customers.

Regulation
None in Alabama, Kentucky, New Mexico, and South Dakota.

Hashing passwords

The one-way hash
The process of taking variable-length data and storing it as fixed length.
It is never reversible, and no two unique passwords have the same hash.

"Forgot my password"
If the original password is sent back to you, passwords are not hashed.

Different processes (algorithms)
Message-Digest family (e.g. MD4, MD5)
Secure Hash family (i.e. SHA-0, SHA-1, SHA-256/512, SHA-3)

[bfrank@rce-1 ~]$ md5sum <<< "password"
286755fad04869ca523320acce0dc6a4
[bfrank@rce-1 ~]$ md5sum <<< "Password1"
b1345a0ce47f743bc94c5e32cf547ac0
[bfrank@rce-1 ~]$ sha1sum <<< "password"
c8fed00eb2e87f1cee8e90ebbe870c190ac3848c
[bfrank@rce-1 ~]$ sha1sum <<< "Password1"
5753393fe0597e2b7515d624496ffa259b7730e2
[bfrank@rce-1 ~]$ sha256sum <<< "password"
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e
[bfrank@rce-1 ~]$ sha256sum <<< "Password1"
0693a3a41b7bda5568f205cc000bff5f3bf917f65535b721ae273b3a956ea0b5

Cracking passwords

The brute force attack
Iteratively hashing all password combinations.
Classical brute force becomes too expensive at 8 characters.
(e.g. 111111, 12345, abc123)

Dictionary attacks
Compares hashes to dictionary words.
(e.g. monkey, shadow, sunshine)

Rainbow tables
Lists of precalculated hashes for commonly used passwords.
(e.g. tigger, iloveyou, qwerty)
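Worked example (added here; not part of Brad Frank's slides). It does two things: it reproduces the md5sum/sha1sum/sha256sum output from the previous slide, with the caveat that a bash here-string (`<<<`) appends a newline, so the slide's digests are of "password\n" rather than "password"; and it shows why an unsalted fast hash gives the common passwords on the earlier slides no protection, since a table of their digests is computed once and then every leaked hash is just a lookup, whereas a per-user random salt makes that precomputed table useless. The leaked user table and the function names are constructed for this example.

```python
import hashlib
import secrets


def shell_style_digest(algorithm, text):
    """Digest of text plus a trailing newline, matching `<algorithm>sum <<< "text"`.

    `md5sum <<< "password"` hashes "password\\n", which is why the slide's
    values differ from the digest of the bare word.
    """
    return hashlib.new(algorithm, (text + "\n").encode()).hexdigest()


# Passwords from the slide's RockYou / Gawker / Sony top-10 lists.
COMMON_PASSWORDS = [
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "lifehack", "qwerty",
    "111111", "monkey", "consumer", "seinfeld", "peanut", "shadow",
    "ginger", "michael", "sunshine", "tigger",
]


def build_lookup_table(candidates, algorithm="md5"):
    """Precompute digest -> password for a candidate list.

    This is the idea behind a rainbow table: the hashing work is done once,
    up front, and any unsalted hash can afterwards be checked with a
    dictionary lookup instead of a recomputation.
    """
    return {hashlib.new(algorithm, p.encode()).hexdigest(): p
            for p in candidates}


def audit_unsalted(stored_hashes, table):
    """Return which of our stored unsalted hashes appear in the common table."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_hash(password, salt=None, algorithm="sha256"):
    """Store a per-user random salt next to the digest of salt + password.

    Because each user's digest now depends on a salt chosen after the table
    was built, the precomputed table no longer matches anything.
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.new(algorithm, salt + password.encode()).hexdigest()
    return salt.hex(), digest


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, shell_style_digest(algo, "password"))

    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed sample of a leaked, unsalted MD5 user table.
    leaked = {
        "alice": hashlib.md5(b"monkey").hexdigest(),
        "bob": hashlib.md5(b"tigger").hexdigest(),
        "carol": hashlib.md5(b"xk7!Qp2zL9").hexdigest(),
    }
    hits = audit_unsalted(leaked.values(), table)
    for user, h in leaked.items():
        print(user, "->", hits.get(h, "not in table"))

    salt, digest = salted_hash("monkey")
    print("salted monkey in table:", digest in table)
```

Running it prints the same three "password" digests as the slide, reports alice and bob as having common passwords while carol is not in the table, and shows that the salted digest of "monkey" is not in the table either.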

GPU-assisted cracking

The CPU is old school
The central processing unit runs the entire system.
Originally designed to be faster and faster (GHz).
Now designed with "cores" (usually dual or quad) that run in parallel.

GPU is perfect for the job
The graphics processing unit lives on the video card.
Renders polygons for 3D graphics using thousands of cores in parallel.
The cores are put to work calculating hashes.

CPU vs GPU
Think of the CPU as a CEO, and the GPU as the manual laborer.

The AMD Radeon 7970

Calculates 4.8 billion MD5 or 2.2 billion SHA1 hashes per second.
Password cracking clusters are built with 8 - 25 cards in parallel.
Clusters run so hot they are submerged in mineral oil.
Limited only by how fast hash lists can be fed to it.
Made for enthusiasts; retails for less than $500.

New hashing algorithms

MD5 and SHA no longer cut it
Designed for data integrity checking, not encryption.
Unadaptable; hardware has caught up.

Introducing PBKDF2, bcrypt, scrypt
The "work factor" property allows adjustments in strength over time.
New versions work with old hashes, and vice versa.
Hashing is slower, so each password takes more time to crack.

Adoption by websites
The extra time to calculate the hash is negligible to the end user.
Computationally expensive; servers now need GPU-like chips.
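Worked example (added here; not part of the slides): password storage with a tunable work factor, using PBKDF2-HMAC-SHA256 from Python's standard library. The self-describing record format `pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>`, the `CURRENT_ITERATIONS` policy value and the function names are assumptions of this example. Storing the iteration count inside the record is what makes "new versions work with old hashes": a record written under a smaller work factor still verifies, and `needs_rehash` tells the login code to re-hash it at the current setting.

```python
import hashlib
import hmac
import os

# Assumed site policy; raise it over time as hardware gets faster.
CURRENT_ITERATIONS = 600_000


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a record that carries its own salt and work factor."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the parameters stored in the record; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record scheme: " + scheme)
    # The iteration count comes from the record, not from current policy,
    # so older records keep verifying after the policy is raised.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record, minimum=CURRENT_ITERATIONS):
    """True if the record was hashed with fewer iterations than current policy."""
    return int(record.split("$")[1]) < minimum


def login(password, record):
    """Typical login flow: verify, then upgrade the stored record if it is stale.

    Returns (ok, record_to_store). The password is only available in clear
    text at login time, which is the only moment an old hash can be upgraded.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed: a record from when the site used 10,000 iterations.
    old_record = hash_password("pumpkin-ladder-quiet-stone-drift", iterations=10_000)
    ok, new_record = login("pumpkin-ladder-quiet-stone-drift", old_record)
    print("login ok:", ok)
    print("old record stale:", needs_rehash(old_record))
    print("upgraded record iterations:", new_record.split("$")[1])
```

hashlib.pbkdf2_hmac calls OpenSSL's native implementation, so the chosen iteration count is measured against real hardware rather than Python speed; pick the largest value whose delay at login is still unnoticeable, and revisit it periodically.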

Better passwords

Password strength
Measured in randomness, or bits of entropy.
To be secure, passwords need to have an entropy of 65 - 70 bits.

Two schools of thought
Short and complex: 13 - 20 characters, mixed case, numbers, symbols.
Long and simple: sentences or phrases, at least five words long.

General rules
Never use well-known sentences or phrases (speeches, books, songs, etc.).
Write down hints, not the entire password.
Use fake but memorable answers to security questions.

Making strong passwords

Schneier method
(0) the quick brown fox jumps over the lazy dog
(1) tqbfoxjotldog
(2) Tqbf0xJotld0g
(3) Tqbf0x,Jotld0g!

XKCD method
Uses 4 random words, with spaces (e.g. "correct horse staple battery").
Not enough entropy in 4 words; at least 5 words are needed.
Try a unique and personal sentence or phrase.
Online tools at xkpasswd.net or world.std.com/~reinhold/diceware.html
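Worked example (added here; not part of the slides) for the "Better passwords" and "Making strong passwords" slides: the entropy formula behind both schools of thought, and a Diceware-style passphrase generator. For a password of n symbols each chosen uniformly at random from an alphabet of size A, the entropy is n * log2(A) bits; for k words chosen uniformly from a list of size W it is k * log2(W). The Diceware list size of 7776 (6^5, one word per five dice rolls) and the 94 printable ASCII characters are real figures; the 16-word `SAMPLE_WORDS` list is a constructed stand-in so the code runs offline. The formula only holds for words or symbols picked at random, which is why the slide warns against well-known phrases.

```python
import math
import secrets
import string

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five six-sided dice rolls
PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Constructed 16-word list (4 bits per word); a real list has 7776 entries.
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "eagle", "flint", "grape",
                "hinge", "ivory", "jumbo", "knack", "lemon", "mango", "noble",
                "olive", "pearl"]


def entropy_random_chars(length, alphabet_size):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def entropy_random_words(word_count, list_size):
    """Bits of entropy for `word_count` words drawn uniformly from a list."""
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS):
    """Pick words with the OS CSPRNG (`secrets`), never with `random.choice`."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def strength_report():
    """Entropy of the two schools of thought from the slide, in bits."""
    return {
        "4 Diceware words": round(entropy_random_words(4, DICEWARE_LIST_SIZE), 1),
        "5 Diceware words": round(entropy_random_words(5, DICEWARE_LIST_SIZE), 1),
        "6 Diceware words": round(entropy_random_words(6, DICEWARE_LIST_SIZE), 1),
        "13 random printable chars": round(entropy_random_chars(13, PRINTABLE_ASCII), 1),
        "20 random printable chars": round(entropy_random_chars(20, PRINTABLE_ASCII), 1),
    }


if __name__ == "__main__":
    for label, bits in strength_report().items():
        print(f"{label:28s} {bits:6.1f} bits")
    print("words for 70 bits:", words_needed(70, DICEWARE_LIST_SIZE))
    print("sample passphrase:", generate_passphrase(5))
```

Four Diceware words come to 51.7 bits and five to 64.6, just under the slide's 65 - 70 bit target, which is the arithmetic behind "at least 5 words are needed"; reaching 70 bits takes six. Thirteen random printable characters already give about 85 bits, which is why the short-and-complex school can stop at 13 - 20 characters.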

Managing passwords

Password overload
Even using the previous techniques, there is too much memorization.
Password re-use across websites is still a concern.
People create poor passwords when presented with too many rules.
The solution is a password management tool.

Password managers
Create one master password using either technique.
LastPass and 1Password generate and store website passwords for you.
Both use PBKDF2 to encrypt data.
Other options include KeePass, Pocket, pwSafe.

Two-factor authentication

An extra layer of security
Like having a second password you never have to memorize.
Available for: Google, Facebook, Dropbox, Twitter, Evernote, Yahoo Mail, Amazon (AWS), LinkedIn, Battle.net.
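Worked example (added here; not part of the slides). The slide lists services but does not name the mechanism; the authenticator apps those services support generate time-based one-time passwords (TOTP, RFC 6238), which is HOTP (RFC 4226) with the time step as the counter. That is what "a second password you never have to memorize" means in practice: the code is derived from a shared secret and the current 30-second window, so it changes on its own. The code below implements both sides, generation and server-side verification with a one-step tolerance for clock skew; the secret is the published RFC 6238 test-vector secret, so the expected codes are known.

```python
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Server side: accept the current step and `window` steps either side.

    The comparison is constant-time. A real server must additionally record
    the last accepted step per user and refuse a code from that step again,
    otherwise a code observed in transit can be replayed within the window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC_TEST_SECRET, code, now))
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
```

The secret is what the QR code transfers when two-factor is enabled, which is why it has to be stored as carefully as a password hash on the server and why losing the phone means re-enrolling rather than resetting.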

Public key infrastructure

Cornerstone of modern security
No confidentiality; only proves you are who you say you are.
Website SSL certificates, GPG email signing, public key authentication.

Bob and Alice hash it out
Alice creates two asymmetric "keys" (one private and one public).
When Alice wants to send a message to Bob:
(1) Alice gives Bob her public key.
(2) Alice's message is hashed; the hash is encrypted with her private key.
(3) Bob uses the public key to decrypt the hash Alice sent.
(4) Bob creates his own hash and compares it to Alice's hash.
Works in reverse for sending messages to the person.