Personal CyberSecurity How to Better Protect Yourself Online Steve - - PowerPoint PPT Presentation



SLIDE 1

Personal CyberSecurity

How to Better Protect Yourself Online

Steve McEvoy, September 14th, 2019, Fort Lauderdale, FL

SLIDE 2

The Internet has some scary s**t going on

This is a self defense course

SLIDE 3

Poll Results - Ransomware

SLIDE 4

SLIDE 5

Title

SLIDE 6

SLIDE 7

The Dental Record

SLIDE 8

How did it Happen?

Dental Office

SLIDE 9

How did it Happen?

Dental Office: Over 400 !!

SLIDE 10

Discovered Monday Aug 26th

SLIDE 11

9 Days Later – Sept 3rd

SLIDE 12

17 Days Later – Sept 11th

SLIDE 13

What Should You Do?

  • Have your own LOCAL backup strategy in addition to a Cloud based backup
  • Talk about this to your IT Person and ask them if this can happen to them/you
  • Care about this!

SLIDE 14

Windows 7 End of Life

SLIDE 15

Why Would You Care?

SLIDE 16

WannaCry Ransomware

SLIDE 17

WannaCry Ransomware

SLIDE 18

Windows XP was full of Security Holes

  • Microsoft Discontinued Support of Windows XP in April 2014
  • No Windows Updates after that time
  • WannaCry Ransomware deliberately exploited a newly found weakness built into Windows XP (May 2017)
  • NHS had opted to just keep using XP
SLIDE 19

Why Would You Care?

SLIDE 20

Windows 7 will be full of security holes

(chart axes: Time, Risk)

SLIDE 21

Your Options

  • Ignore it
    – Eventually the PCs will be replaced
  • “In Place” Upgrade to Windows 10
    – For a while they had been giving it away
  • Upgrade to Windows 10
    – Reload your existing PCs from scratch
  • Replace the PC
    – The new one will come with Windows 10

SLIDE 22

In Place Upgrade

  • Windows 10 installs Overtop Windows 7
  • Generally a BAD idea
    – Seen this go sideways many times
    – All your Applications and Drivers must be Windows 10 Compatible
      • Software like Dolphin, Carestream, Ortho2, etc.
      • Scanners, Printers, and other hardware
      • X-ray machine applications
  • Leaves behind a mess

SLIDE 23

Fresh Install of Windows 10

  • Updating your Existing PCs Fresh
  • Deletes everything and Installs Windows 10 from scratch (Clean install)
  • You have to setup everything again (just like if you had got a new PC)
  • If a computer is less than 4 years old you might consider this
  • If a computer is 5+, don’t waste the $$$

SLIDE 24

New PC

  • Windows 10 has been out for 4 years
  • If your PC still runs Windows 7 it is likely 4+ years old.
  • Replace the old PC that probably has ‘personality’ with a new, much faster PC.

SLIDE 25

Pay for Updates?

  • Microsoft is offering Extended Support Updates (ESU) for a fee
  • You can Pay for Windows Updates for the next 1, 2 or 3 years
  • The Fees double each year:
    – $50 year 1
    – $100 year 2
    – $200 year 3

SLIDE 26

When ESU Makes Sense

  • For X-Ray PCs that cannot be upgraded to Windows 10
  • Maybe for Mid-Life PCs (3-4 years old) that you want to stretch for 1 more year
    – It doesn’t make sense to dump $450 into an already 4 year old PC to try and make it live to 7 years old when a new PC is $600

SLIDE 27

More Motivation….

  • Software companies like Carestream, Dolphin, Ortho2, etc. will Stop Supporting their applications on Windows 7
    – Ultimately this is reasonable
  • They usually transition over the first few months
    – Windows 7 will become “Not Recommended”
    – After a few months will be “Not Supported”

SLIDE 28

What to do Next

  • Talk to your IT Person
    – Review your network and come up with a plan
  • Do this ASAP!
    – They are already super busy helping others that got started sooner than you.

SLIDE 29

What about your Phone?

SLIDE 30

Always Update Your Phone

SLIDE 31

Help!

Ransomware

SLIDE 32

Email Phishing Attacks

SLIDE 33

Via email attachments

SLIDE 34

What Should You Do?

Best Practices for Emails:

  • Never click on a link in an email unless you are 100% sure of the sender and where it’s taking you
  • Never open an attachment on an email if you weren’t 100% expecting it
  • When in doubt, open on a cell phone
  • When in doubt, check with the sender
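The first rule on this slide, “know where the link is taking you”, can be checked mechanically before anyone clicks. The script below is an added illustration and is not code from the presentation: it pulls every link out of an HTML email and flags the two things a phishing message relies on, visible text that names one site while the real `href` goes somewhere else, and plain `http://` links. The sample message is constructed and uses reserved example domains and the documentation IP range.

```python
"""Flag links in an HTML email whose visible text and real target disagree.
Added example (not from the presentation); SAMPLE_EMAIL_HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Links 2 and 3 are the classic phishing tricks:
# the text shows the bank's address while the href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<a href="https://www.example-bank.com/statements">View statement</a><br>
<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a><br>
<a href="https://example-bank.com.evil-example.net/verify">example-bank.com</a><br>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
"""

# Visible text that reads like a URL or a domain name ("example-bank.com",
# "https://...", "www....") is where a mismatch with the href matters.
_DOMAINISH = re.compile(r"^(https?://)?(www\.)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host of a URL, or of bare text such as 'example-bank.com'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    return bool(_DOMAINISH.match(text.strip()))


def find_suspicious_links(html):
    """Return (href, visible_text, reason) for every link a reader should not
    click without checking. A link can appear twice if two rules fire."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if looks_like_url(text):
            shown = host_of(text)
            if shown and shown != target:
                findings.append((href, text, f"text shows {shown!r} but link goes to {target!r}"))
        if urlparse(href).scheme == "http":
            findings.append((href, text, "plain HTTP link (nothing is encrypted)"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}\n    text: {text}\n    href: {href}")
```

Mail clients show the real target when you hover over a link; this does the same for a whole message at once, which is handy when an office gets the same “statement is ready” mail on twenty inboxes.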

SLIDE 35

Ransomware Phishing

SLIDE 36

SLIDE 37

Ransomware Phishing Bitcoin

SLIDE 38

Ransomware Phishing Bitcoin

SLIDE 39

SLIDE 40

Corporate Data Breaches

SLIDE 41

Bulk Hacking

  • Hacking people’s accounts one at a time is a slow, resource intensive process
  • Hacking the websites full of user names AND passwords yields bulk results
  • They never targeted you personally, but the result is they have your information

SLIDE 42

How can you know if your username & password have been leaked into the wild?

SLIDE 43

Troy Hunt

  • Security Expert from Microsoft
  • Searched the Dark Web
  • Compiled a list of ~5 Billion hacked accounts
  • Created “Have I been pwned?” website
    – ‘Pwned’ is a slang term
  • Securely check if your username and passwords have been stolen

SLIDE 44

www.HaveIBeenPwned.com

SLIDE 45

Is your Password Pwn’d?

(starwars)

SLIDE 46

Pre-check your new passwords

(MyReallyHardPassword)
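Slides 43 to 46 say you can “securely” check a password on Have I Been Pwned, and the reason that is safe is worth seeing in code. The Pwned Passwords service never receives the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, gets back every known breached hash suffix starting with those five characters, and does the final comparison locally. The script below is an added example, not the presentation’s code nor HIBP’s own client; the range lookup is replaced by a constructed offline stand-in so it runs without the network, and the breach count for `starwars` is a made-up number, not HIBP’s real figure.

```python
"""k-anonymity password check in the style of the Pwned Passwords API.
Added example, not from the presentation. The offline fetcher and its
counts are constructed; a real client would fetch
https://api.pwnedpasswords.com/range/<prefix> over HTTPS."""
import hashlib


def split_sha1(password):
    """Upper-case hex SHA-1 split into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (the range endpoint's response format)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password, fetch_range):
    """Return how many times the password appears in breach data (0 = not seen).
    fetch_range(prefix) returns the response body for that 5-char prefix;
    only the prefix ever goes over the wire."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def make_offline_fetcher(known_counts):
    """Build a constructed stand-in for the API from {password: count}.
    Filler suffixes mimic the hundreds of unrelated lines a real range has."""
    ranges = {}
    for password, count in known_counts.items():
        prefix, suffix = split_sha1(password)
        ranges.setdefault(prefix, {})[suffix] = count

    def fetch(prefix):
        lines = [f"{s}:{c}" for s, c in ranges.get(prefix, {}).items()]
        for i in range(3):  # deterministic filler, unrelated to any real password
            filler = hashlib.sha1(f"filler-{prefix}-{i}".encode()).hexdigest().upper()[5:]
            lines.append(f"{filler}:{i + 1}")
        return "\r\n".join(lines)

    return fetch


# Constructed data: the count is illustrative, not HIBP's real number for 'starwars'.
CONSTRUCTED_COUNTS = {"starwars": 123_456}
offline_fetch = make_offline_fetcher(CONSTRUCTED_COUNTS)

if __name__ == "__main__":
    for candidate in ("starwars", "MyReallyHardPassword"):
        seen = check_password(candidate, offline_fetch)
        verdict = f"seen {seen} times in breaches" if seen else "not in the constructed breach set"
        print(f"{candidate}: prefix sent = {split_sha1(candidate)[0]}, {verdict}")
```

The design point for anyone building a password pre-check into an onboarding form: `check_password` only ever hands `fetch_range` the five-character prefix, so swapping the offline stand-in for a real HTTPS fetch keeps the user’s password off the network, and any hit, even one, is reason to reject the password.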

SLIDE 47

Get Notified of pwnage

  • Get notified if your email(s) show up in the future

SLIDE 48

I was Notified of pwnage

SLIDE 49

How long will it take for a Hacker to break through my password?

SLIDE 50

www.howsecureismypassword.net

SLIDE 51

What makes a GOOD Password??

SLIDE 52

  • Recently updated their recommended digital identity standard (SP 800-63)
  • Troy Hunt canvassed NIST and others to derive what the collective wisdom is thinking

SLIDE 53

Length Matters

  • 12 or more characters
  • We can use short dictionary words
  • 3 or 4 random words

SLIDE 54

dog beer hat red tree bill head

SLIDE 55

Nothing Personal

spouse kids food movie birthday address date pets phone

SLIDE 56

3 or 4 Short Random Words

dog beer hat red tree bill head

doghatbeerhead

SLIDE 57

Make ‘em Memorable

  • Think up something about the site
  • i.e. Wells Fargo
    – dumb wagon horses
    – ripping off clients
    – stashing my cash

SLIDE 58

But what is wrong with this?

  • dumbwagonhorses
    – 15 characters
    – 3 random words
    – dumbwagonhorses is better than Sj7$qq#56

SLIDE 59

Standards Don’t Change Overnight

  • They ‘Evolve’
  • Websites, banks, etc. will need to learn and adopt these standards
  • dumbwagonhorses wouldn’t meet their current ‘complexity checker’

SLIDE 60

Steve’s Recommendation (Simple Complexity)

Starting TODAY! (2019 and on)

  – Three or Four unassociated dictionary words
  – At LEAST 12 characters in length
  – Capitalize First Letters
  – Add a 2 digit year to the end (reminder)

DumbWagonHorses19

SLIDE 61

Simple Complexity Works

  • DumbWagonHorses19
    – 2 Trillion Years to Hack
    – Should meet the Banks’ requirements
    – Much easier to remember

SLIDE 62

SLIDE 63

(Public WiFi in Particular)

SLIDE 64

Up Close and Personal

  • To hack you while on WiFi the hacker needs to be within range

SLIDE 65

The Good Guy Hacker

  • White Hat Hackers that you hire to ‘PenTest’ your own business to find the weaknesses
  • Toolkits are available online to purchase
  • Of course, who are the biggest customers?

SLIDE 66

Hak5

SLIDE 67

Hak5

SLIDE 68

Hacker Hobbyist

  • You don’t need to be an expert
  • Anyone with a Hobbyist level of computer skills can use these tools effectively
  • (and get into trouble fast)

SLIDE 69

Where do we use WiFi?

Typical places we rely on WiFi include:

  • Home
  • Office
  • Coffee Shops
  • Hotels
  • Conferences ….

SLIDE 70

Remembered Connections

  • The convenience of our devices is their undoing
  • It can be set to remember WiFi’s it’s been connected to and automatically reconnect
  • They are constantly ‘beaconing’ out looking for those memorized zones

SLIDE 71

Hello?? Home WiFi Zone Named “Steve’s WiFi” are you there??

SLIDE 72

Why Yes I am! “Steve’s WiFi” is ready to connect, please do

Thanks! All Connected

SLIDE 73

Phishing you with a Freebie

  • Fool you into connecting to an ‘Open’ Free WiFi zone
  • They advertise a convincing name:
    – Starbucks Free WiFi
    – Detroit Airport Free WiFi
    – UofM Free WiFi

SLIDE 74

Free WiFi! Come and get your Free WiFi: ‘AAO Free WiFi’

Cool! They arranged Free WiFi for the meeting

SLIDE 75

Secure Surfing

  • HTTP vs. HTTPS
    – http://www.google.com is unsecure
    – httpS://www.google.com is encrypted
  • HTTP web surfing is like shouting across a room - ANYONE can listen in

SLIDE 76

Secure Surfing

  • HTTPS web surfing is an encrypted connection
  • When you access the website they hand you an encryption key
  • Your device goes through a process to verify the key is legitimate through a 3rd party verification
  • If it checks out you see a Lock symbol

SLIDE 77

Where would you expect it?

  • Banks
  • Retailers
  • Any place you have to ‘Login’
    – They should be in HTTPS mode by the time you are on the login page.

SLIDE 78

Pay Attention to the Lock

  • This is your key defense to knowing if you are potentially being hacked
  • An HTTPS website with a BROKEN lock symbol means you are at risk

SLIDE 79

Have you ever seen this?

SLIDE 80

Have you ever just Continued?

SLIDE 81

Hackers count on our Reaction

  • “Damn computer is acting up again. I just need to get my work done”
  • … and you click on Proceed Anyway …

SLIDE 82

What to do?

  • Do not proceed*
  • Close your Browser session and try again SOMEWHERE else safer
  • Ask your IT person if it persists

SLIDE 83

Man in the Middle Attack

  • Hacker gets in the middle of your HTTPS encrypted conversation
  • They Hand you a FAKE certificate and you link encrypted to them!
  • Then they connect to the website for you
  • They are of course now able to see all your information passing through

SLIDE 84

Fake SSL Certificate
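Slides 76, 78 and 83 describe the checks behind the lock symbol and what a fake certificate on public WiFi fails. The script below is an added example, not the presentation’s code, showing three of those checks on the certificate dictionary that Python’s `ssl` module returns from `getpeercert()`: validity dates, whether the certificate’s names match the site you typed, and whether it is self-signed (issuer identical to subject, so no third party vouched for it). Both certificate dictionaries are constructed for illustration using the reserved `example.com` names; the clock is pinned to the talk date so the results are reproducible. A real browser additionally walks the issuer chain to a trusted root, which needs the system CA store and is not reproduced here.

```python
"""What a browser checks before showing the lock, over the dict shape that
ssl.SSLSocket.getpeercert() returns. Added example, not from the presentation;
both certificates below are constructed."""
import ssl
import time

# Pinned "now" for reproducibility: the date of the talk.
TALK_DATE = ssl.cert_time_to_seconds("Sep 14 12:00:00 2019 GMT")

# Constructed: what a properly issued certificate looks like (issuer is a CA).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Dec 31 23:59:59 2020 GMT",
}

# Constructed: the kind of certificate a man-in-the-middle on public WiFi hands
# you. The name is right, but nobody except its author vouches for it.
FAKE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notBefore": "Sep  1 00:00:00 2019 GMT",
    "notAfter": "Sep  1 00:00:00 2029 GMT",
}


def hostname_matches(pattern, hostname):
    """Certificate name matching: exact, or one leading wildcard label
    ('*.example.com' covers 'www.example.com' but not 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def cert_problems(cert, hostname, now=None):
    """Return the reasons a browser would warn instead of showing the lock.
    An empty list means these checks passed (chain-to-trusted-root is not
    modelled here; see the lead-in)."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"name mismatch: certificate is for {names}, not {hostname!r}")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed (no third-party verification)")
    return problems


if __name__ == "__main__":
    for label, cert, host in (("good cert", GOOD_CERT, "www.example.com"),
                              ("fake cert", FAKE_CERT, "www.example.com"),
                              ("wrong site", GOOD_CERT, "login.example.com")):
        found = cert_problems(cert, host, TALK_DATE)
        print(f"{label}: {'LOCK' if not found else 'WARNING: ' + '; '.join(found)}")
```

In real code you never do this by hand: `ssl.create_default_context()` performs all of these checks plus the chain walk and raises before any data is exchanged. The slide’s “Proceed Anyway” button is the human equivalent of turning those checks off, which is exactly what the fake certificate in the man-in-the-middle scenario needs you to do.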

SLIDE 85

What Should You Do?

  • Forget WiFi zones you don’t need

SLIDE 86

What Should You Do?

  • Don’t set zones to “Connect Automatically” if you don’t really need to
    – Hotels
    – Airports
    – Events

SLIDE 87

What Should You Do?

  • Watch for HTTPS Warnings
  • Close out Browsing Session

SLIDE 88

What Should You Do?

  • Limit your use of Public WiFi
  • Use your phone’s cellular data connection

SLIDE 89

Thank You!

steve@mmeconsulting.com

Presentation online at www.mmeconsulting.com/Presentations