Online Security 101

Presented by Brad Frank http://people.hmdc.harvard.edu/~bfrank/techtalk Threats and attacks

Social engineering A "Microsoft technician" cold calling and asking for money is never legit.

Phishing scams A Nigerian prince offering you millions of dollars is never legit.

Malware A that claims your computer is infected with viruses is never legit.

Legitimate protection

Wisdom in general Keep everything (OS, browsers, software) up-to-date. If it looks suspicious (bad spelling and grammar), don't click on it. Encrypt your computer: Bitlocker (Windows), FileVault (Mac), LUKS (Linux)

Windows specific Upgrade to Windows 7 or 8, ditch XP. Research anti-virus at www.av-test.org/en/tests/home-user. Harvard ESET available at www.eset.com/us/harvard. Malwarebytes Pro is worth paying for. If unsure about anything, search or ask an IT person! Browsing securely

Use a modern browser Chrome, , Safari, or IE9+ are excellent choices.

Disable built-in password managers Passwords are rarely encrypted.

Only use official add-ons chrome.google.com, addons.mozilla.org, extensions.apple.com, iegallery.com It's like an app store for your browser. They are legitimate and vetted. Enhancing security

Uninstall Flash Chrome and IE10 "Metro" (Windows 8) include built-in Flash. Switch to HTML5 wherever possible (e.g. youtube.com/html5).

Use Incognito, Private Browsing, InPrivate No information about your browsing history is saved.

Consider these add-ons Web of Trust: http://www.mywot.com/ DoNotTrackMe: ://www.abine.com/dntdetail.php HTTPS Everywhere: https://www.eff.org/https-everywhere NoScript: http://noscript.net/ OpenDNS

Blocking compromised Malware, botnet, and phishing websites are blocked. Pro version will monitor traffic out for known attacks.

Filtering undesirable websites Customizable for family filtering via categories (e.g. pornography). What is HTTPS?

One part HTTP Stands for Hypertext Transfer Protocol. The language all browsers use to talk to web servers. Information is transferred in plain text, and can be read by anyone.

One part Secure Sockets Layer (SSL) Now called (TLS). Only the browser and server can read information passed back and forth. Acts like an envelope with a wax seal.

HTTP + TLS/SSL = HTTPS Always look for it. How HTTPS works

Proving you are who you say you are Websites purchase a digital certificate to prove their identity. Browsers download certificates from their respective website. Certificates contain the website's "public key".

Third party validation The certificates are issued and validated by Certificate Authorities. Certificate Authorities undergo annual security audits.

Impersonation happens Browsers check their Certificate Revocation List... in theory.

Compromised websites

Website No. of Accounts Passwords RockYou.com 32,000,000 plain text Gawker 1,200,000 hashed Plenty of Fish 28,000,000 plain text Sony PSN 70,000,000 plain text Twitter 58,978 hashed LinkedIn 6,458,020 hashed eHarmony 1,500,000 hashed Yahoo 400,000 plain text Evernote 50,000,000 hashed LivingSocial 50,000,000 hashed Drupal 1,000,000 mixed 240,616,998 Most common passwords

RockYou Gawker Sony 123456 123456 seinfeld 12345 password password 123456789 12345678 123456 Password lifehack princess iloveyou qwerty peanut princess abc123 shadow rockyou 111111 ginger 1234567 monkey michael 12345678 consumer sunshine abc123 12345 tigger Public disclosure

Compromised personal data Personal data includes social security numbers, credit card info, etc. Passwords get reused on other websites, including banking. Disclosure helps prevent fraud and theft.

Deterrents Restitution to customers, cost of forensics and closing the security hole. Potentially bad PR or negative public image, and loss of customers.

Regulation None in Alabama, Kentucky, New Mexico, and South Dakota. Hashing passwords

The one-way hash The process of taking variable length data, and storing it as fixed length. It is never reversible, and no two unique passwords have the same hash.

"Forgot my password" If the original password is sent, passwords are not hashed.

Different processes (algorithms) Message-Digest family (e.g. MD4, MD5) Secure Hash (i.e. SHA-0, SHA-1, SHA-256/512, SHA-3) [bfrank@rce-1 ~]$ md5sum <<< "password" 286755fad04869ca523320acce0dc6a4

[bfrank@rce-1 ~]$ md5sum <<< "Password1" b1345a0ce47f743bc94c5e32cf547ac0

[bfrank@rce-1 ~]$ sha1sum <<< "password" c8fed00eb2e87f1cee8e90ebbe870c190ac3848c

[bfrank@rce-1 ~]$ sha1sum <<< "Password1" 5753393fe0597e2b7515d624496ffa259b7730e2

[bfrank@rce-1 ~]$ sha256sum <<< "password" 6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

[bfrank@rce-1 ~]$ sha256sum <<< "Password1" 0693a3a41b7bda5568f205cc000bff5f3bf917f65535b721ae273b3a956ea0b5 Cracking passwords

The brute force attack Iteratively hashing all password combinations. Classical brute force becomes too expensive at 8 characters. (e.g. 111111, 12345, abc123)

Dictionary attacks Compares hashes to dictionary words. (e.g. monkey, shadow, sunshine)

Rainbow tables Lists of precalculated hashes for commonly used passwords. (e.g. tigger, iloveyou, qwerty) GPU-assisted cracking

The CPU is old school The central processing unit runs the entire system. Originally designed to be faster and faster (GHz). Now designed with "cores" (usually dual or quad), that run in parallel.

GPU is perfect for the job The graphics processing unit lives on the video card. Renders polygons for 3D graphics using thousands of cores in parallel. The cores are put to work calculating hashes.

CPU vs GPU Think of the CPU as a CEO, and the GPU as the manual laborer. The AMD Radeon 7970

Calculates 4.8 billion MD5 or 2.2 billion SHA1 hashes per second. Password cracking clusters built with 8 - 25 cards in parallel. Clusters run so hot they are submerged in mineral oil. Limited only by how fast hash lists can be fed to it. Made for enthusiasts; retails for less than $500. New hashing algorithms

MD5 and SHA no longer cut it Designed for data integrity checking, not encryption. Unadaptable; hardware has caught-up.

Introducing PBKDF2, bcrypt, scrypt The "work factor" property allows adjustments in strength over time. New versions work with old hashes, and vise versa. Hashing is slower as to require more time to crack, per password.

Adoption by websites Extra time to calculate hash is negligible to the end user. Computationally expensive, servers now need GPU-like chips. Better passwords

Password strength Measured in randomness, or bits of entropy. To be secure, passwords need to have an entropy of 65 - 70 bits.

Two schools of thought Short and complex: 13 - 20 characters, mixed case, numbers, symbols Long and simple: sentences or phrases, at least five words long

General rules Never use well known sentences or phrases (speeches, books, songs, etc). Write down hints, not the entire password. Use a fake but memorable answers to security questions. Making strong passwords

Schneier method (0) the quick brown fox jumps over the lazy dog (1) tqbfoxjotldog (2) Tqbf0xJotld0g (3) Tqbf0x,Jotld0g!

XKCD method Uses 4 random words, with spaces (e.g. "correct horse staple battery"). Not enough entropy in 4 words, at least 5 words are needed. Try a unique and personal sentence or phrase. Online tools at xkpasswd.net or world.std.com/~reinhold/diceware.html Managing passwords

Password overload Even using the previous techniques, there is too much memorization. Password re-use across websites is still a concern. People create poor passwords when presented with too many rules. The solution is a password management tool.

Password managers Create one master password using either technique. LastPass and 1Password generate and store website passwords for you. Both use PBKDF2 to encrypt data. Other options include KeePass, Pocket, pwSafe. Two-factor authentication

An extra layer of security Like having a second password you never have to memorize. Available for: Google Facebook Dropbox Twitter Evernote Yahoo Mail Amazon (AWS) LinkedIn Battle.net Public key infrastructure

Cornerstone of modern security No confidentiality; only proves you are who you say you are. Website SSL certificates, GPG email signing, public key authentication

Bob and Alice hash it out Alice creates two asymmetric "keys" (one private and one public). When Alice wants to send a message to Bob: Alice gives Bob her public key. Alice's message is hashed; the hash is encrypted with her private key. Bob uses the public key to decrypt the hash Alice sent. Bob creates his own hash and compares it to Alice's hash. Works in reverse for sending messages to the person.