Becoming More Secure Online: Passwords & Social networking Walid Al-Saqaf For the Workshop: Secure Information Gathering, Storing, and Sharing Istanbul, Turkey 23-25 January, 2011


Becoming More Secure Online:

Passwords & Social networking

Walid Al-Saqaf

For the Workshop: Secure Information Gathering, Storing, and Sharing

Istanbul, Turkey 23-25 January, 2011


Passwords are your first line of defense

- Every password is a vulnerability due to keyloggers, phishing, etc.

- Exposure of passwords of email accounts could be devastating

- Victims of password theft could be unaware for some time that their password is compromised (identity theft, spamming, hoaxes, etc.)

- Brute-force password crackers are available for free and can be planted by trojans

The top 25 stolen passwords*


Technology makes password hacking easier


No one is immune from password hacking!


Best practices and useful tips

- should be changed regularly

- should be long enough, yet easy to remember for the user

- should include UPPER and lower cases plus non-alphanumeric characters

- can be stored in a password manager if memorizing is not possible

- should be long & tough to guess (for others) [no dictionary words]

- should never be transmitted through unencrypted channels

- should not be used in public cafes unless you verify security settings

- should be different for different platforms/applications

- should normally not be stored on servers (do not use ‘remember me’)

- should not be allowed to be stored in your browser/client application

- should never be shared
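The checkable items in the list above (length, mixed case, non-alphanumeric characters, no dictionary words, a different password per platform) can be audited mechanically. The following is an added example, not part of the original slides; the 12-character minimum, the small word list and the sample accounts are assumptions constructed for illustration.

```python
import re
from collections import Counter

MIN_LENGTH = 12  # assumption: the slides say "long enough" without giving a number
# Constructed stand-in for a real dictionary or leaked-password list.
WORDLIST = {"password", "welcome", "dragon", "monkey", "istanbul", "letmein"}
# Undo common character substitutions (0 -> o, @ -> a, ...) before the dictionary check.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def audit(accounts):
    """accounts maps platform -> password; returns platform -> list of findings."""
    reuse = Counter(accounts.values())
    report = {}
    for platform, pw in accounts.items():
        findings = []
        if len(pw) < MIN_LENGTH:
            findings.append("too short")
        if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
            findings.append("missing upper or lower case")
        if not re.search(r"[^A-Za-z0-9]", pw):
            findings.append("no non-alphanumeric character")
        # Normalise substitutions, then drop everything that is not a letter,
        # so "P@ssw0rd!" is still recognised as "password".
        letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
        if any(word in letters for word in WORDLIST):
            findings.append("contains dictionary word")
        if reuse[pw] > 1:
            findings.append("reused on another platform")
        report[platform] = findings
    return report


# Constructed sample input; none of these are real credentials.
SAMPLE = {
    "email": "P@ssw0rd!2011",
    "facebook": "P@ssw0rd!2011",
    "twitter": "monkey",
    "bank": "Vq7#tL2&nXw9$Rk",
}

if __name__ == "__main__":
    for platform, findings in audit(SAMPLE).items():
        print(platform, "->", findings or "meets the listed criteria")
```

Note that "P@ssw0rd!2011" passes the length and character-class checks and fails only on the dictionary and reuse checks, which is why those two items in the list matter. When auditing real passwords, enter them at run time rather than saving them in a file.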


Securing passwords

- Securing passwords is extremely important (can’t be emphasized enough)

- Using password management is possible if you have too many to remember:

- offline (e.g., KeePass, RoboForm, Sxipper [FF add-on])

- online (e.g., Passpack, Clipperz)

- alternatives to multiple passwords (e.g., OpenID)

- You need to weigh the risk-to-reward ratio before proceeding


Social networking: Risk vs. Reward

- Despite many advantages, social networking is insecure because:

- They require that you give up some information publicly

- The only secure method of access is a username and password

- They may be accessible through browsers that have vulnerabilities

- Misunderstanding/misinterpreting privacy terms could be devastating

- You cannot control what information about you is posted by your friends

- You need to read the EULA, Privacy Agreement and Terms of Use

- You have to understand the privacy settings carefully

- You should be cautious when installing software recommended by them

- Think before you post anything to the public (e.g., CNN’s Nasr)

- Assess risk of using social networking websites at cafes & public places


The dark side of social networking

- The longer you communicate, the more likely that you would reveal information about yourself

- The more data/pictures you put online, the more you endanger your privacy

- The more friends you have, the easier you could be tracked, exploited

- Bullying, abuse, exploitation, threats, intimidation, etc. are on the rise

“Facebook seems to be a place where people aren't being cautious enough” - DeDomenico-Payne (The dark side of social media)


Social network addiction is no joke


Social networking could cause liability


Social networks not suitable for sensitive data

- Social networks are public and aim at exposing information

- Sensitive data needs to be encrypted, protected with multiple methods, which are not available in networks

- Website transmission encryption (HTTPS) needs to be used for social networking websites when possible

- Proxy/tunneling encryption (e.g., Tor) could be useful



Exercise

1- Review all your passwords and find which ones do not meet the security requirements based on good practice mentioned here

2- Change those passwords and ensure that the new ones meet those criteria

3- Read the privacy-related instructions of the two major social networking sites that you use (e.g., Facebook, Twitter)

4- Mark the points that you think could be of potential concern for activists in your country or region

5- Discuss how those points could prevent users in your country from registering with fake/anonymous identities, what that would mean to activists in your country, and the risk associated with revealing their identities and their private chat messages.