Tips for Internet Privacy at College

Agenda

  • Staying Safe: Software Updates
  • The risks of sharing your computer
  • Avoiding Social Engineering
  • Privacy on the web
  • Passwords
  • App Safety

This talk references real-world security tools

DO: PRACTICE ON YOUR COMPUTER.
DON’T: PRACTICE ON SCHOOL/CAMPUS NETWORKS.
DON’T: PRACTICE ON ANYONE ELSE’S COMPUTERS.

The foundation of Internet security is software updates

Software Updates

  • Update your Operating System
  • Update your Apps

Why are software updates important?

  • Vulnerabilities can be easy to find using scanners
  • Hackers use custom created tools or open source tools like OpenVAS
  • Software Updates fix vulnerabilities

Can I use your computer?

Safely sharing your PC

Things to think about when sharing your computer

  • Friends could install malicious software accidentally or intentionally
  • Your sensitive files could be copied
  • Sensitive data in the browser could be accessed

If you are going to share access to your computer:

DO: Create temporary [NON-ADMIN] guest accounts for your friends
DON’T: Share passwords
DON’T: Set up file sharing (It's easy to make permissions mistakes)
DON’T: Let friends use your computer under your account (This protects your sensitive files & reduces the risk of malware)

Does a browser's INCOGNITO mode (AKA Do-not-track) keep me private?

  • Not exactly
  • It will delete session history after the window is closed
  • It will wipe cookies after the window is closed
  • Websites still have a log of your requests
  • Unencrypted incognito traffic can be intercepted by people on the network
  • There are no technical controls that force sites to honor do-not-track

How to create guest accounts for OSX & Windows 10

DON’T: Give guest accounts administrator privileges

Why shouldn't friends have access to my account?

Extracting a password saved by the browser

College Orientation

Social Engineering

Definition: “manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access”

College ice-breaker questions

  • Where did you grow up?
  • What kind of music do you like?
  • Pets?
  • Favorite book/movie?

Common Website Password Reset questions

See the overlap?

Be wary of unexpected password reset emails

  • Unexpected emails could be a phish
  • Could be someone trying to log in to your account too!
  • Don't Panic. Use 2FA and make life hard for hackers.

Know the clues of dangerous web sites:

  • Links can be misleading!
  • Network hackers can run attacks that change links for sites using ARP Poisoning
  • Hover over link & evaluate if it makes sense

Avoiding Social Engineering

  • Be careful about your password reset questions!
  • Use two-factor authentication on your email
  • Beware of unexpected password “Verification” emails or texts
  • Be careful about what you share online, with friends, etc.
  • Use a password manager
  • Hover over links & confirm the destination address

Privacy on the web: Is your college network secure?

Know the signs of dangerous web sites:

  • Observe the browser bar
  • Can you tell which one is secure?

Badssl.com

Check for HTTPS

Is this login secure?

Non-HTTPS password demo

What a "Man-in-the-middle" attacker sees

MITM attack with Wireshark

The PASSW0RD

Plan for stolen passwords

  • Don’t reuse passwords
  • Avoiding password reuse reduces the risk of additional compromise when sites leak passwords
  • Don't use site-related algorithms, e.g. facebook.SECRET, google.SECRET
  • Use a password manager with mobile syncing
  • Use the password manager to generate random passwords
  • Wonder if a website leaked your email address? haveibeenpwned.com
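
An added example (not part of the original talk): a small audit of your own password list that flags the two habits named above, reuse and site-name patterns like facebook.SECRET, and generates a random replacement. The vault entries, the function names and the finding labels are all constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault of (site, password) pairs; none are real credentials.
SAMPLE_VAULT = [
    ("facebook.com", "facebook.SECRET"),
    ("google.com", "google.SECRET"),
    ("bank.example", "Tr0ub4dor&3"),
    ("forum.example", "Tr0ub4dor&3"),
    ("mail.example", "q7#Lw9!xVb2$Rk8@"),
]

def site_label(site):
    """Name part of a simple host: 'facebook' for 'facebook.com' (assumes name.tld)."""
    parts = site.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def audit(vault):
    """Return {site: [findings]} covering reuse and site-name-based patterns."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    for sites in by_password.values():
        if len(sites) > 1:  # same password on several sites: one leak exposes all
            for s in sites:
                findings[s].append("reused")
    by_remainder = defaultdict(list)
    for site, pw in vault:
        label = site_label(site)
        pos = pw.lower().find(label)
        if pos != -1:  # password embeds the site's own name
            findings[site].append("contains-site-name")
            by_remainder[pw[:pos] + pw[pos + len(label):]].append(site)
    for sites in by_remainder.values():
        if len(sites) > 1:  # same secret once the site name is removed
            for s in sites:
                findings[s].append("shared-pattern")
    return dict(findings)

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20):
    """Random password from the OS CSPRNG, as a password manager would generate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT).items():
        print(f"{site}: {', '.join(issues)} -> replace with {generate_password()}")
```

The "shared-pattern" finding is the reason site-related algorithms fail: once one such password leaks, the part that stays the same across sites is the whole secret.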

Potentially Dangerous Web Sites

Checking Certificates

How to check certificates

Mobile Safety
Apps

Apps

  • Jailbreaking/rooting breaks your phone’s security & privacy
  • Android: be wary of enabling “Unknown sources” for installing apps from the web.
  • Pay attention to the permissions an app requests
  • Apps with “expiring” content (e.g. Snapchat) only reliably expire content on non-jailbroken devices.
  • Don't assume anything you send automatically deletes.

Wrapping-up

  • Apply OS & Apps software updates regularly
  • If you share access to your computer, use a guest account
  • Be mindful of social engineering attempts
  • Always check to see if sites use HTTPS
  • Don’t reuse passwords. Ever.
  • Think twice about which apps you trust

Thank you!*

@PatrickMcCanna

* PS: was this site private?