paranoid habits
play

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / - PowerPoint PPT Presentation

Apr 22, 2023 •104 likes •531 views

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this about? Topics: Authentication Phishing PGP SSH USB Networking Can I trust you, Denis? Trust no one,

  1. Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me

  2. What’s this about? Topics: ● Authentication ● Phishing ● PGP ● SSH ● USB ● Networking

  3. “Can I trust you, Denis?” ● Trust no one, remember how this talk is called ● I just share what I do myself ● I do my best to follow all the latest infosec topics ● I’m familiar with basic pen-testing, CTF is my hobby ● I reported 6 serious vulnerabilities in my career ● People around me think I’m paranoid

  4. Authentication

  5. Passwords — most common authentication method ● Passwords must be long (>8 characters in 2019) ● Can not contain words, must be random ● Must contain numbers and special characters ● Must be different for each service/web-site/access ● Must be securely stored ● Otherwise, they can be cracked

  6. Passwords — how do people crack passwords? ● It’s not under your control ● Depends on how websites store your password/hash ● Some old hash functions like MD5 are easily crackable with modern hardware and software (hashcat) ● Can be found in dictionaries or brute-forced (up to 8 characters) ● Databases with hashes often get leaked

  7. Passwords — how do people crack passwords? Some services just fail to protect our passwords: ● Twitter was logging plain-text passwords till May 2018 ● GitHub was logging plain-text passwords till May 2018 ● Facebook stored plain-text passwords for years These companies have hundreds or even thousands of employees, how can we trust all of them not to sell it?

  8. Passwords — we’re only humans ● Most humans are not capable to satisfy the requirements ● Please use password managers — still can leak your passwords but it’s better than not having them ● And please, don’t write them down anywhere

  9. I recommend pass — Standard Unix Password Manager, that is based on GPG and Git

  10. Demo (pass)

  11. Passwords alone are not secure

  12. 2FA — 2 Factor Authentication ● I’ve never heard of anyone saying “My 2FA-protected account got hacked” ● So, USE 2 FACTOR AUTHENTICATION !

  13. 2FA — Options ● SMS — the most insecure, can be intercepted ● Authentication App — bound to your phone that can die, be hacked or stolen ● Security token (e.g. Yubikey) — U2F (Universal 2 Factor)

  14. Demo (U2F)

  15. Passwords? Where we’re going we don’t need passwords

  16. “ One of the primary weaknesses of password-based authentication is that a password is a shared secret ” webauthn.guide

  17. WebAuthn ● Is based on asymmetric cryptography ● You need a security token (e.g. Yubikey) ● Server stores only the public key, so if it leaks it’s useless for an attacker ● Works in mobile and desktop browsers except Safari (still under the experimental flag)

  18. Demo (WebAuthn)

  19. Phishing

  20. Do you remember “Celebgate”? “Collins [person responsible for the attack] allegedly gained access by setting up emails designed to look like official accounts associated with the Google or Apple services used by his celebrity targets.” Washington Post

  21. Check the URL!

  22. PGP

  23. PGP — Pretty Good Privacy (GnuPG) ● In my opinion, the most reliable tool ● 2 modes: ○ Asymmetric — private/public keys ○ Symmetric — encryption with a password ● You can store your keys on a Yubikey and use them for SSH, encryption, signing data (e.g. Git commits)

  24. PGP — Pretty Good Privacy (GnuPG) The tool itself is reliable but plugins for mail clients that use the tool can be vulnerable. Sebastian Schinzel gave a talk at 35c3 how they found some vulnerabilities in email client plugins.

  25. Demo (GPG + Yubikey)

  26. SSH

  27. SSH — Secure SHell ● Don’t use passwords to access your servers ● It’s better to forbid passwords at all: in /etc/ssh/sshd_config PasswordAuthentication no ● Use public/private key pair ● Store the key pair on a Yubikey and use from there

  28. Demo (SSH + Yubikey)

  29. Buy this Yubikey already!

  31. Yubikey ● It’s a write-only security token device ● 2FA (U2F/OTP) ● GPG (Smart Card mode), can store your keys ● SSH via GPG ● FIDO2 (WebAuthn) ● USB-A, NFC, USB-C ● PIN-protected, requires a touch

  32. USB

  33. USB is vulnerable ● Exploiting a device via USB is easier than you think ● There are many ways to hack you via USB ● Don’t use public USB sockets/charging stations, they can be compromised If you still want though...

  34. Use protection!

  35. Networking

  36. Networking — Rules Use a firewall ● iptables for Linux ● Built-in for Mac or LuLu for advanced control

  37. Networking — Observe Look for suspicious traffic: ● iftop for Linux (*nix systems) ● netstat -atulp

  38. Demo (iptables, iftop)

  39. Links ● have i been pwned? ● pass — the standard unix password manager ● Four embarrassing password leaks on live TV ● WebAuthn Guide ● Yubico (Yubikey manufacturer) ● Guide to using YubiKey for GPG and SSH ● Attacking end-to-end email encryption

  40. “ Sorry, my account got hacked ” is the new “ The dog ate my homework ” Linus Sebastian

  41. Thank you! Q/A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if everyone really is after you, Jerry. Jerry: Maybe all security people are crazy! Linda: No, theyre just insecure. Everything You

444 views • 17 slides
Understanding Habits Caterpillar Confidential Green What Are Habits? Habits are patterns of

Understanding Habits Caterpillar Confidential Green What Are Habits? Habits are patterns of

Understanding Habits Caterpillar Confidential Green What Are Habits? Habits are patterns of behaviors that govern our everyday life About 40% of our daily decisions arent really decisions at allthey are habits The more

289 views • 18 slides
Becoming Paranoid Or how I learned to start worrying and fear the Internet George V.

Becoming Paranoid Or how I learned to start worrying and fear the Internet George V.

Becoming Paranoid Or how I learned to start worrying and fear the Internet George V. Neville-Neil www.neville-neil.com Why This Talk? To make all of you more paranoid Give people a grounding in current problems with securing internet

659 views • 33 slides
How to be a paranoid Dates of birth or just think like one Exposure to identity theft

How to be a paranoid Dates of birth or just think like one Exposure to identity theft

Leaking information Stealing 26.5 million veteran s data Pro rotection a and S d Securi rity Data on laptop stolen from employee s home (5/06) Veterans names Social Security numbers How to be a paranoid Dates of birth or

337 views • 5 slides
Better Habits for Healthier Backs Better Habits for Healthier Backs Protect Your Back with

Better Habits for Healthier Backs Better Habits for Healthier Backs Protect Your Back with

Better Habits for Healthier Backs Better Habits for Healthier Backs Protect Your Back with Proper Body Mechanics Practice these techniques to prevent injuries: LIFTING Position yourself closely to the object and stand with your feet

598 views • 7 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veteran s data Data on laptop stolen from employee s home (5/06) Veterans names Social Security

580 views • 30 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Protection tion and Se Secur urity ity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veterans data Data on laptop stolen from employees home (5/06) Veterans names Social Security

619 views • 27 slides
MISSION The mission of iConquer is not to change habits but to create habits. VISION The vision

MISSION The mission of iConquer is not to change habits but to create habits. VISION The vision

MISSION The mission of iConquer is not to change habits but to create habits. VISION The vision of iConquer is to see a world where the risk of obesity and diabetes is greatly reduced in the adolescent population. FACTS If a child is

388 views • 25 slides
Habits of Mind Developing good practice in our approach to school work and tasks. HABITS OF

Habits of Mind Developing good practice in our approach to school work and tasks. HABITS OF

Habits of Mind Developing good practice in our approach to school work and tasks. HABITS OF MIND " Excellence llence is an art won by train ining ing and habituatio tuation. n. We We do no not ac act rig ightly htly be because

395 views • 23 slides
Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit Mika Bostrm <mika.bostrom@smarkets.com> Infrastructure Engineer, Information Security Officer[], semi-professional interviewer, Systems

411 views • 19 slides
Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007

Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007

Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007 mihai@cs.wisc.edu Original slides by Jonathon Giffin Internet: Attack and Defenses Makes communication easier and faster Makes attacks

1.05k views • 66 slides
Just the Two of Us Key Habits to Strengthen Your Marriage: 1. Pursue God Together Key

Just the Two of Us Key Habits to Strengthen Your Marriage: 1. Pursue God Together Key

1/30/2017 Just the Two of Us Key Habits to Strengthen Your Marriage: 1. Pursue God Together Key Habits to Strengthen Your Marriage: 1. Pursue God Together The only person that can satisfy the aching abyss of the human heart is Jesus

288 views • 8 slides
AIRWAY - BREATHING - HABITS AIRWAY - BREATHING - HABITS & & MYOFUNCTIONAL

AIRWAY - BREATHING - HABITS AIRWAY - BREATHING - HABITS & & MYOFUNCTIONAL

AIRWAY - BREATHING - HABITS AIRWAY - BREATHING - HABITS & & MYOFUNCTIONAL CONSIDERATIONS MYOFUNCTIONAL CONSIDERATIONS in in ORTHODONTICS ORTHODONTICS Jules E. Lemay III d.d.s., cert. ortho., F.R.C.D. (C) Diplomate,

504 views • 29 slides
Good Habits in R Programming STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley

Good Habits in R Programming STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley

Good Habits in R Programming STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley gastonsanchez.com github.com/gastonstat/stat133 Course web: gastonsanchez.com/stat133 Good Coding Habits 2 Code Habits Now that youve worked

1.03k views • 99 slides
Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android

Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android

Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android by Radiohead, who exhibit great musical agility IMO please join our class on OpenClass.ai before Q4 on Wednesday see Piazza for a link Q1

883 views • 49 slides
Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische

Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische

Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische Universiteit Eindhoven) Based on joint work with: Tanja Lange (Technische Universiteit Eindhoven) Christiane Peters (Danmarks Tekniske

1.12k views • 89 slides
Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar

Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar

References Introduction to Cryptography Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar & Pelzl Wide Mouth Frog Protocol from Wikipedia Jim Royer

281 views • 9 slides
Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year Ethical Hacking @MikeyJck BSc @ Abertay Member Abertay Ethical mikeyjck.io Hacking Society I <3 Cryptography Whats all this then?

953 views • 37 slides
The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST Conference Malta - 18 June 2012 Wave 1 Wave 1 Early nineties: Phil Zimmerman releases PGP Photo Phill Zimmerman Pretty Good Privacy Early

649 views • 31 slides
Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

1.05k views • 28 slides
Wireless Ad Hoc & Sensor Networks Wireless Ad Hoc & Sensor Networks Introduction -

Wireless Ad Hoc & Sensor Networks Wireless Ad Hoc & Sensor Networks Introduction -

Outline Wireless Ad Hoc & Sensor Networks Wireless Ad Hoc & Sensor Networks Introduction - Security Security challenges in Ad Hoc Networks y g Threats and Attacks Security Solutions Security Solutions

668 views • 15 slides
Privacy David Wagner What is privacy? the right to be let alone Justices Samuel Warren

Privacy David Wagner What is privacy? the right to be let alone Justices Samuel Warren

Privacy David Wagner What is privacy? the right to be let alone Justices Samuel Warren and Louis Brandeis control over who can obtain or use information about me Fair Information Practices notice, consent (opt-in/opt-out),

711 views • 21 slides
Using the Hint Factory to Compare Model-Based Tutoring Systems Collin F. Lynch, Thomas W. Price,

Using the Hint Factory to Compare Model-Based Tutoring Systems Collin F. Lynch, Thomas W. Price,

Introduction Overview Problem Cold Start Conclusions Using the Hint Factory to Compare Model-Based Tutoring Systems Collin F. Lynch, Thomas W. Price, Min Chi, & Tiffany Barnes North Carolina State University, Raleigh North Carolina.

827 views • 26 slides
17 September 2020 Interment Review Public Hearing MC Liz Livingstone, IPART CEO

17 September 2020 Interment Review Public Hearing MC Liz Livingstone, IPART CEO

REVIEW OF COSTS AND PRICES OF INTERMENT PUBLIC HEARING Please mute your microphone 1. Please turn on your camera (webcam) 2. Well start at 2.02 pm 3. 17 September 2020 Interment Review Public Hearing MC Liz Livingstone, IPART

505 views • 9 slides

More recommend