Keep IT safe! AGM Maribor workshop Damian Bulira IT Committee



IT security in a nutshell

Identify sensitive data
• What do you want to protect

Identify applications that you store information in
• Where do you want to store it

Identify parties that have access to the data
• Who do you want to share it with

Secure and constrain access
• How do you want to protect it

AGM Maribor - Security Workshop | Damian Bulira - ESN IT Committee | [email protected]


IT security in a nutshell

Identify sensitive data
• Personal data
• Financial data
• Photos ;)
• Password file


IT security in a nutshell

Identify applications that you store information in
• Local files
  • Locally stored on your hard drive
  • How not to lose them?
• Mobile devices
  • Laptops, smartphones, USB drives
  • What if you lose them?
• Cloud services
  • Google Docs, Facebook, e-mail


IT security in a nutshell

Identify parties that have access to the data
• Family
• Friends
• Co-workers
• Internet provider
• Service providers
• Public

Secure and constrain access
• Access only to people that need it
• Protect your passwords, tokens, digital IDs

How would you store and share it?

ESN case


Protecting local files

Password protection
• Office / OpenOffice -> embedded function
• Password archive protection
• TrueCrypt protection

Remote copy
• Dropbox folders
• Scheduled backups


Backups

Avoid single point of failure
• Store sensitive data in more than 1 place
• Archive data (you never know when you want to bring back some of it)

Dropbox, Google Drive
• Store but remember about encryption
• Easy sharing


CORRECT!


Sharing is caring

Similar stuff with Google Drive (docs)
• Even better – more detailed control

Why?
• Control over the contributors
  • Someone leaves the organization
  • A „black sheep” problem
  • Version control – change tracking
• You share with the people that you explicitly invite


Mobile devices problem

Common scenario – lost smartphone:
• Stored passwords to FB, Google etc.
• All accounts and data have been taken over!
• Always lock your phone – pattern lock, password

Laptop
• Hard disk fully encrypted

USB drive
• Vault partition on flash drive with sensitive data


Password protection

How easy is it to crack your password
• Strong password policy

Never share your password
• No shared accounts!

Don’t repeat the password in different applications
• Password system
  • PIN codes


How to pick a good password

Bad ideas
• Dates
• Names
• Common words
• „Pallomeri” ;)

Good ideas
• First letters of a poem, song
• P4770.m3r1
• Don’t reuse the passwords

TOP 2012

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball


How to share passwords

A password shall be private and unique
Share passwords only when it is necessary

DON’Ts
• Send whole passwords by e-mail
• Send website, login and password together

DOs
• Share wisely – you share the responsibility
• Store passwords encrypted!
• Share passwords on a regular basis


The biggest EVIL!


Plaintext passwords

Thank you for signing up to Our Webpage, we hope that you will have a great time here!

Please click the link below to authorise your username and password for use on the Our site.

http://www.site.com/register.php?action=auth&[email protected]&auth=dnyhxn

***IF THIS LINK DOES NOT WORK, LOGIN AS NORMAL AND ENTER THE DETAILS BELOW***

Your username that you used to sign up with is: dbulira
Your password you used to sign up with is: password12#
The email that you signed up with is: [email protected]
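What a sign-up flow can do instead of the e-mail above, as an added example that is not part of the original slides: the site keeps only a salted PBKDF2 hash, so it has no plaintext password to mail back, and the confirmation message carries a single-use activation token. The function names, the in-memory tables, the iteration count and the site.example addresses are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # assumption: work factor picked for this example
users = {}                # username -> (salt, derived key); stands in for the user table
pending = {}              # SHA-256 of activation token -> username

def _derive(password, salt):
    # Slow, salted one-way derivation: the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, email, password):
    """Create the account and return the confirmation message to send."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, _derive(password, salt))
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is kept, so a leaked table cannot activate accounts.
    pending[hashlib.sha256(token.encode()).hexdigest()] = username
    body = (
        f"Thank you for signing up, {username}!\n"
        f"Confirm your address: https://site.example/activate?token={token}\n"
        "We do not store your password and will never send it by e-mail.\n"
    )
    return {"to": email, "body": body}

def verify_password(username, password):
    """Check a login attempt against the stored salt and derived key."""
    if username not in users:
        return False
    salt, key = users[username]
    return hmac.compare_digest(_derive(password, salt), key)

def activate(token):
    """Consume a single-use activation token; returns the username or None."""
    return pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)

if __name__ == "__main__":
    # Constructed sample values, reusing the username and password from the slide.
    mail = register("dbulira", "user@site.example", "password12#")
    print(mail["body"])
    print(verify_password("dbulira", "password12#"))
```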


PGP mail encryption


Single Site Login

Being able to log in to any website through an existing proxy account


The security question

Helps with the password recovery, mostly to e-mail boxes
Extremely important thing!
Treat it as the second password

Cool story… http://www.foxnews.com/entertainment/2012/12/17/hollywood-hacker-honed-his-skills-for-years/


Identity dependency

ESN use case ;)
• A jealous geeky boyfriend wants to spy on his girlfriend, he captures a Google password (how?)
• Later on he discovers some fishy e-mails so he goes deeper
• He changes the Google password and, using the lost password feature, generates a new password to Facebook (SSO!), Twitter, etc.
• He discovers even more… :>
• Imagine what happens later…


Other day-to-day ESN security cases

PC in the ESN office
• Private user accounts
• Guest account

ESN Office key access
• A case similar to password handling
  • Track usage
  • Access list (checked regularly)


Internet privacy

When you upload something to the Internet, it stays there forever
Think before you post!
Restrict your privacy in social media
• Application access

Respect others’ privacy and don’t let people disrespect yours


Exercise

Sending credit card credentials
• You’ve forgotten your credit card in your apartment and urgently need to book a flight. Fortunately your trustworthy roommate can send you all the necessary data. How do you proceed?


Join the IT Committee!

We always look for:
• Programmers
• Designers
• Documentation Writers
• Tutorial Makers
• System Administrators
• Linux Experts
• Drupal Developers
