Becoming More Secure Online:
Passwords & Social networking
Walid Al-Saqaf
For the Workshop: Secure Information Gathering, Storing, and Sharing
Istanbul, Turkey, 23-25 January 2011
Passwords are your first line of defense
- Every password is a vulnerability: it can be captured by keyloggers, phishing pages, etc.
- Exposure of an email account password could be devastating, since that mailbox is typically where password resets for all your other accounts arrive
- Victims of password theft may remain unaware for some time that their password is compromised, while it is used for identity theft, spamming, hoaxes, etc.
- Brute-force password crackers are freely available and can be planted by trojans
The top 25 stolen passwords*
Technology makes password hacking easier
No one is immune from password hacking!
Best practices and useful tips
- should be changed promptly whenever compromise is suspected or a service you use reports a breach (routine rotation alone does not compensate for a weak or reused password)
- should be long enough to resist guessing, yet easy for you to remember
- should include UPPER and lower case letters plus non-alphanumeric characters
- can be kept in a password manager if memorizing them all is not possible
- should be tough for others to guess: no dictionary words, and no names or dates connected to you
- should never be transmitted over unencrypted channels (plain HTTP, unencrypted email, etc.)
- should not be typed in public cafes unless you have checked the machine and its security settings (a keylogger captures even a perfect password)
- should be different for every platform/application, so that one leak does not open all your accounts
- should not be left in persistent logins on shared machines (do not tick 'remember me')
- should not be saved in the browser's or client application's built-in password store on machines you do not control
- should never be shared
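The criteria in the list above can be checked mechanically. The following is an added example written for this page, not code from the workshop; it implements the slide's rules (length, mixed case, a non-alphanumeric character, no dictionary words) and goes a little beyond them by undoing common "leet" substitutions such as 0 for o and 4 for a before the dictionary check, and by flagging runs of a repeated character. The word list, the minimum length of 12 and the sample passwords are constructed for the example; a real deployment would use a full dictionary and a leaked-password list.

```python
"""Password policy checker: an added example, not from the original slides.

Checks the rules listed on the slide, plus two refinements: dictionary words
are detected even when disguised with digit/symbol substitutions, and long
runs of one character are rejected. COMMON_WORDS and MIN_LENGTH are
constructed for this example.
"""
import re
import string
from typing import List

# Constructed stand-in for a real dictionary / leaked-password list.
COMMON_WORDS = {
    "password", "letmein", "qwerty", "welcome", "monkey", "dragon",
    "football", "istanbul", "workshop", "iloveyou", "sunshine",
}

# Common substitutions people use to "disguise" a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumption for this example; the slide says only "long enough"


def _contains_dictionary_word(password: str) -> bool:
    """True if the password is built around a dictionary word once digits and
    punctuation are stripped and leet substitutions are undone."""
    normalised = password.lower().translate(LEET_MAP)
    letters_only = re.sub(r"[^a-z]", "", normalised)
    return any(len(word) >= 4 and word in letters_only for word in COMMON_WORDS)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password
    meets every criterion on the slide."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character")
    if _contains_dictionary_word(password):
        problems.append("built around a dictionary word")
    # Runs like "aaaa" or "1111" satisfy the length rule without adding strength.
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated three or more times")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for demonstration.
    for candidate in ["P@ssw0rd2011!", "Tr0ub4dor&3", "Mavi-Kedi_Uyur!9"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note how "P@ssw0rd2011!" satisfies every character-class rule yet fails the dictionary check: character substitutions are the first thing cracking tools try, so they add almost nothing to a password built on a common word.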
Securing passwords
- Securing passwords is extremely important (can’t be emphasized enough)
- Using a password manager is an option if you have too many passwords to remember:
- offline (e.g., KeePass, RoboForm, Sxipper [FF add-on])
- online (e.g., Passpack, Clipperz)
- alternatives to multiple passwords (e.g., OpenID, where one identity provider logs you in to other sites)
- You need to weigh the risk-to-reward ratio before proceeding: a manager puts all your passwords behind one master password, and an online manager additionally trusts the provider and its servers
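What makes the single master password of a password manager an acceptable risk is that the manager never stores it: it derives an encryption key from it with a slow, salted key-derivation function and keeps only the salt and a verifier, so an attacker who steals the vault file must guess the master password at the KDF's speed. The following added example (written for this page, not code from KeePass, Passpack or any product named above) shows that mechanism with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the header layout and the verifier construction are this example's own choices; the actual encryption of the vault contents, which real managers do with a block cipher such as AES under the derived key, is omitted.

```python
"""Master-password key derivation for a password vault: an added example, not
code from any real password manager.

The vault header stores only (salt, verifier). The key is re-derived from the
master password on every unlock and never written to disk. ITERATIONS,
KEY_LEN and the verifier label are assumptions made for this example.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 310_000      # slows offline guessing; tune so one derivation takes ~0.5 s
KEY_LEN = 32              # 256-bit key for the (omitted) vault cipher
VERIFIER_LABEL = b"vault-verifier-v1"


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a fixed-length key. The salt makes
    precomputed (rainbow-table) attacks useless across different vaults."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS, KEY_LEN)


def _verifier(key: bytes) -> bytes:
    # HMAC of a fixed label under the key: reveals neither key nor password.
    return hmac.new(key, VERIFIER_LABEL, "sha256").digest()


def create_vault_header(master_password: str) -> Tuple[bytes, bytes]:
    """Return (salt, verifier) to store alongside the encrypted vault."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    return salt, _verifier(key)


def unlock(master_password: str, salt: bytes, verifier: bytes) -> Optional[bytes]:
    """Return the vault key if the master password is correct, else None.
    compare_digest runs in constant time, so a wrong guess leaks nothing
    about how many bytes of the verifier matched."""
    key = derive_key(master_password, salt)
    if hmac.compare_digest(_verifier(key), verifier):
        return key
    return None


if __name__ == "__main__":
    # Constructed demonstration: create a header, then try right and wrong passwords.
    salt, verifier = create_vault_header("correct horse battery staple")
    print("header:", salt.hex(), verifier.hex())
    print("right password unlocks:", unlock("correct horse battery staple", salt, verifier) is not None)
    print("wrong password unlocks:", unlock("correct horse battery stable", salt, verifier) is not None)
```

Because every guess costs the attacker the same 310,000 HMAC rounds that the legitimate user pays once, the strength of the master password sets the strength of the whole vault, which is exactly the trade-off the slide asks you to weigh.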
Social networking: Risk vs. Reward
- Despite many advantages, social networking is insecure because:
- They require that you give up some information publicly
- The only access control is a username and password, so a stolen password gives full access
- They are accessed through browsers that may themselves have vulnerabilities
- Misunderstanding/misinterpreting privacy terms could be devastating
- You cannot control what information about you is posted by your friends
- You need to read the EULA, Privacy Policy and Terms of Use
- You have to understand the privacy settings carefully
- You should be cautious when installing software or applications recommended by the site or by other users
- Think before you post anything to the public (e.g., CNN’s Nasr)
- Assess risk of using social networking websites at cafes & public places
The dark side of social networking
- The longer you communicate, the more likely that you would reveal information about yourself
- The more data/pictures you put online, the more you endanger your privacy
- The more friends you have, the easier you could be tracked, exploited
- Bullying, abuse, exploitation, threats, intimidation, etc. are on the rise
“Facebook seems to be a place where people aren't being cautious enough” - DeDomenico-Payne (The dark side of social media)
Social network addiction is no joke
Social networking could cause liability
Social networks not suitable for sensitive data
- Social networks are public and aim at exposing information
- Sensitive data needs to be encrypted and protected by multiple layers (encryption plus strict access control), which social networks do not provide
- Website transmission encryption (HTTPS) should be used for social networking websites whenever the site offers it, otherwise your session can be read or hijacked on the local network
- Proxy/tunneling tools (e.g., Tor) can hide which sites you visit from the local network and hide your IP address from the site
Exercise
1- Review all your passwords and find which ones do not meet the security requirements based on good practice mentioned here
2- Change those passwords and ensure that the new ones meet those criteria
3- Read the privacy-related instructions of the two major social networking sites that you use (e.g., Facebook, Twitter)
4- Mark the points that you think could be of potential concern for activists in your country or region
5- Discuss how those points could prevent users in your country from registering with fake/anonymous identities, what that would mean for activists in your country, and the risks associated with revealing their identities and their private chat messages.