Embed Size (px)
Citation preview
Security Awareness Month:Security Tips for Protecting Ourselves Online
Friday, October 30th, 2009
Brian Allen [email protected]
Network Security Analyst,Washington University in St. Louis
http://nso.wustl.edu/presentations/
Let’s Talk About…• Home Wireless Router Security:• Facebook/Social Network Security:• Password Security:• AV Products:• Laptop Security:• Parental Control software:• Browsing with Firefox Addons:• Online Banking:
pics1
Twitter Phish 1 of 2
Twitter Phish 2 of 2
Password Topics
Parents’ Password Cracked On First Try The Onion News Feb 27, 2002
• REDONDO BEACH, CA – Nick Berrigan, 14, successfully hacked into his parents’ AOL account on the first try Tuesday, correctly guessing that “Digby” was their password. “They actually used the dog’s name,” said Berrigan, deactivating the parental controls on his AOL account.
• Experts advise parents to secure Internet accounts with any password besides the name of a family pet
Free Password Managers
1. Password Safe: www.schneier.com/passsafe.html– Bruce Schneier’s Project
2.KeePass: keepass.info3.LastPass: lastpass.com
- Firefox Plugin4.Mac KeyChain:5.PassPack: www.passpack.com
– An online password manager
Commercial Password Managers
● 1Password - 1passwd.com● Keeps track of all web passwords, automates
sign-in, guards from identity theft for $39.95
● Roboform - www.roboform.com● $29.95 for the Professional version
Some Key Threats to Passwords
● Brute force or dictionary attacks
● Keystroke loggers
● Social engineering/Phishing
Three KeePass Features
1. Require two factor authentication to access your keepass database
KeePass – Opening the Database
KeePass – The Main Interface
KeePass – Individual Entry
A Few KeePass Features
1. Require two factor authentication to access your keepass database
2. Drag and drop username and passwords into forms
Drag & Drop
A Few KeePass Features
1. Require two factor authentication to access your keepass database
2. Drag and drop username and passwords into forms
3. Autotype username and passwords into forms – a bit advanced
Some Solutions● You really need two factor authentication to protect the
password database
● Don't trust any machine other than your own to enter a password that protects anything sensitive
● Using a machine you don’t trust? Carry a Live CD of your favorite flavor of linux and boot off that
Long Password ExpirationsCan Be Good
1. Prevention of brute force password theft primarily comes from having strong passwords, not from regularly changed passwords
2. Strong passwords are more likely to be remembered if they are not changed often
Extra Long Password Expirations Could Be Bad
● We assume users will share their passwords:● with Students● with Staff● with Friends● with Family, etc.
● Putting a ceiling on the life of a password will keep these from lasting forever
Antivirus
• I look for:– the fastest– update themselves automatically– have an easy to use interface
• Symantec Endpoint• AVG = http://free.avg.com• AntiVir = http://www.free-av.com• Avast = http://www.avast.com
Symantec Endpoint (Symantec 11)
From CNET.com Editor ReviewsAVG Popularity: * Total downloads 227,792,675 * Downloads last week 1,737,919AntiVir Popularity: * Total downloads 61,994,231 * Downloads last week 905,902 Avast Popularity: * Total downloads 60,978,532 * Downloads last week 737,028
Avira Interface
AVG Interface
AVG Will Check Every Email
AVAST Interface
Home Wireless Router Tips
• Change Default Password• Firewall is on by Default• WPA2, not WPA or WEP• MAC Address Filtering• Leave SSID on• No personal info in SSID like Smith_Family
Change The Default Password
Firewall Is On By Default
WPA2
MAC Address Filtering
Home Wireless Router Tips
• Change Default Password• Firewall is on by Default• WPA2, not WPA or WEP• MAC Address Filtering• Leave SSID on• No personal info in SSID like Smith_Family
Laptop Tracking Software
Key Questions to Consider
• How hard is it to disable or remove the software?
• Who will have access to the collected data?– A department?– The company?– Individuals?
• What type of data is collected?• How many laptops are lost or stolen every year?
LoJack Pros
• Very difficult to disable• Asset tracking • The company, only with the user’s permission
can log in to:– Take pictures– Erase the hard drive
• Will work with police to recover the laptop
LoJack Bios Compatibility
AsusDellGammatechGetacGatewayGeneral Dynamics
HPFujitsuLenovo (IBM
Thinkpad)Motion ComputingPanasonicToshiba
LoJack Cons
• Bios compatibility does not include Macintosh– 40% student machines are Macs
• Most Expensive - $49 per laptop• The company can get access into laptops,
although it is only to be initiated by the owner after it is reported stolen
FireFox Addon: AdBlock Plus
The Top Firefox Addon (By Far)
Without AdBlock Plus
With AdBlock Plus
Laptop/USB Encryption
• USB Hardware Encryption – IronKey $$$
• Laptop/USB Encryption – TrueCrypt (Free!)
Parental Control Software
OpenDNS?
Don’t Take My Word For It
OpenDNS
OpenDNS Blocked A Site
Online Banking Tips
• Never type your bank url into a browser• Or click on a url that looks like your bank
• Always let Google find it for you– Should be the first link
MINT.COM - Discussion
Trends, Transactions, Etc.
Is It Safe?
• They Say:– Mint does not require any personally identifiable
information– Sensitive numbers are not sent to or stored by
Mint.com– Mint provides a strictly “read only” view of your
transaction information– VeriSign Security Seal
