SlideShare a Scribd company logo
1 of 49
Download to read offline
David Arcos - @DZPMSecurity for Data Scientists – #PyDataBCN
Security for Data Scientists
PyDataBCN 2017: Closing Act
David Arcos
CTO at
Abstract
Handling confidential data
attracts unwanted attention
from hostile attackers :(
We’ll see threats, attacks,
defenses & tools
Data Security
"Data security means protecting data
from destructive forces and from the
unwanted actions of unauthorized users"
Common myths
●
“I have nothing of value. I don’t mind”
●
“No one cares, I’m not a target”
●
“Nobody would go through the effort of hacking
me”
●
“If my computer was compromised, I’d know”
●
“I have nothing to hide...”
Why should you care about security?
● You have access to huge amounts of data
● Malicious individuals interested in
personal/private/confidential info
● That info gives access to bank accounts,
personal contacts, health conditions...
● Very automated attacks, targeted, high chance
of success
Threats: Authentication
●
Attacker will try to guess your weak password
●
You need to secure your strong password
Attack: Brute-forcing
●
Brute-forcing cracking (i.e: John the Ripper)
– Try all combinations, systematically
●
Optimized by prioritizing likely possibilities:
– Frequency tables
– Dictionary attack (word list)
– Most common passwords...
Most common passwords...
Attack: previous data breaches
●
Websites are breached all the time
●
Those credentials are sold in the black market
●
Attacker steps:
– Get/buy credentials
– Try same credentials in other sites
Attack: previous data breaches
●
Websites are breached all the time
●
Those credentials are sold in the black market
●
Attacker steps:
– Get/buy credentials
– Try same credentials in other sites
– Surprise!
●
Most users re-use passwords :(
●
(And most websites have bullshit security)
Tool: ‘Have I Been Pwned?’
●
https://haveibeenpwned.com
Rules for strong passwords
●
Use long, complex, random, unique
passwords
– Use letters, numbers, symbols
●
Size does matter
– High entropy: no patterns
●
Patterns will be guessed
– A new password for each service
●
A compromised service should not compromise all
your services
Defense: Use a Password Manager
●
To generate new strong passwords
– It’s like using pwgen
●
To store your passwords
– All your passwords are different
– Will be encrypted
●
To share passwords with your team
●
I recommend KeePass
This is not a password manager!
NOPE!
Threat: Phishing
Attacker disguises as a trustworthy entity,
to obtain your sensitive information
by tricking you
It’s a trap!
Sadly, phishing is not this obvious (anymore)
Everybody can be phished
Source
Looks legit! It’s not :(
Source: twitts from @tomscott
Check the url and the “lock”
WRONG! Homograph attack
Source: Phishing with Unicode Domains
аррӏе.com != apple.com
Attack: Spear-phishing
●
Targeted attack
●
Attackers gather personal information about
their target
●
Very successful
Attack: CEO Fraud / Whaling
"Please make a huge $ transfer to this unknown company - Boss"
Defense: Two-Factor Auth (2FA)
●
Something you know + something you have
– SMS (but it’s complicated… avoid if possible)
– TOPT app: Google Authenticator, Authy…
– TOPT hardware: FIDO token, Yubikey
●
Check support for major sites:
– https://twofactorauth.org
Tool: Google Authenticator
●
Mobile app
●
Use code when login
●
Code change each
few seconds
Tool: U2F key
Threat: Man-In-The-Middle (MITM)
●
Two parties communicate between each other
●
Attacker in the middle, relaying messages:
– Gets credentials, can alter messages
Attack: all HTTP traffic
●
HTTP traffic is not encrypted
●
Assume ALL traffic is monitored/MITM’ed
●
Wifi hotspots, Schools, Corporate networks...
ENCRYPT ALL THE THINGS!
Defense: always use encryption
●
Always use SSL: HTTPS instead of HTTP
●
As user: install HTTPS Everywhere
– Redirects you to the “safe” version of the site
– Can block insecure sites
●
As sysadmin: use LetsEncrypt
– Free SSL certs, easy to install, automated
– Also: set up SSH, VPN...
Defense: always use encryption
●
As a developer:
– don’t send unencrypted confidential data
– avoid insecure APIs
– sign your git commits using GPG
Threat: internet tracking
●
Most websites do internet tracking:
– To record your actions, profile you
– To serve (customized ) ads
– To send you malware (read: virus, spyware)
●
Attackers can target victims and send payloads
Beware of malware ads!
Defense: block tracking
●
Install anti-tracking extension in browser:
– uBlock Origin
– Disconnect.me
Threat: Internet of Things
●
“The S in IoT stands for Security”
●
Mirai botnet caused massive internet outage
Threats: physical security
●
Protect yourself against nearby attackers
– Use security locks against thiefs
– Be aware of over-the-shoulder eavesdroppers
– Be aware of your webcam
●
“Evil Maid” attack:
– When you leave your laptop in your hotel room...
Defense: Full Disk Encryption
Defense: Mark tapes his webcam
(be like Mark!)
Attack:
Exploding USB
●
1) Insert USB stick
●
2) Kaboom!
Just kidding, it’s a joke ;-)
Attack: BadUSB (BlackHat 2014)
Attack: USB Killer
●
When plugged, it rapidly charges its capacitors
from the USB power lines
●
When charged, -200VDC is discharged over the
data lines of the host device
●
RIP host device
Defense: avoid unknown USBs
:(
Physical access to HW = Game over
More resources
●
Courses:
– Surveillance Self-Defense, from the EFF
– CS 88S: Safety in the Cloud, from the UCLA
●
People to follow:
– Bruce Schneier
– Bryan Krebs
– Troy Hunt
David Arcos - @DZPMSecurity for Data Scientists – #PyDataBCN
Thanks for attending!

More Related Content

What's hot

Basic ethical hacking for seminar presentation
Basic ethical hacking for seminar presentationBasic ethical hacking for seminar presentation
Basic ethical hacking for seminar presentationVipin Rawat @ daya
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra
 
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...Digital Transformation EXPO Event Series
 
Secure at Speed @ Solent.tech
Secure at Speed @ Solent.techSecure at Speed @ Solent.tech
Secure at Speed @ Solent.techStuart Gunter
 
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...Roger Hagedorn
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Mazin Ahmed
 
Get search lock to protect your search privacy from anonymous users
Get search lock to protect your search privacy from anonymous usersGet search lock to protect your search privacy from anonymous users
Get search lock to protect your search privacy from anonymous usersSearchLock
 
Ransomware - Mark Chimely
Ransomware - Mark ChimelyRansomware - Mark Chimely
Ransomware - Mark ChimelyIISPEastMids
 

What's hot (11)

Basic ethical hacking for seminar presentation
Basic ethical hacking for seminar presentationBasic ethical hacking for seminar presentation
Basic ethical hacking for seminar presentation
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
Wannacry
WannacryWannacry
Wannacry
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
 
Wannacry
WannacryWannacry
Wannacry
 
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
Exploits in the Cryptocurrency Craze: What You Must Know to Protect Your Orga...
 
Secure at Speed @ Solent.tech
Secure at Speed @ Solent.techSecure at Speed @ Solent.tech
Secure at Speed @ Solent.tech
 
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
 
Get search lock to protect your search privacy from anonymous users
Get search lock to protect your search privacy from anonymous usersGet search lock to protect your search privacy from anonymous users
Get search lock to protect your search privacy from anonymous users
 
Ransomware - Mark Chimely
Ransomware - Mark ChimelyRansomware - Mark Chimely
Ransomware - Mark Chimely
 

Similar to Security for Data Scientists

Hit by a Cyberattack: lesson learned
 Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learnedB.A.
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Mc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handoutsMc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handoutsKevin Wall
 
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptxCYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptxDhruvsinhbhati
 
cyber security presentation (1).pdf
cyber security presentation (1).pdfcyber security presentation (1).pdf
cyber security presentation (1).pdfw4tgrgdyryfh
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksCiNPA Security SIG
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Introduction To Hacking
Introduction To HackingIntroduction To Hacking
Introduction To HackingAitezaz Mohsin
 
Why we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwareWhy we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwarePositive Hack Days
 
“In 2024 Guide to Cyber Security: Protect Your Data Today”
“In 2024  Guide to Cyber Security: Protect Your Data Today”“In 2024  Guide to Cyber Security: Protect Your Data Today”
“In 2024 Guide to Cyber Security: Protect Your Data Today”tunzida045
 
“In 2024 Guide to Cyber Security: Protect Your Data Today”
“In 2024  Guide to Cyber Security: Protect Your Data Today”“In 2024  Guide to Cyber Security: Protect Your Data Today”
“In 2024 Guide to Cyber Security: Protect Your Data Today”tunzida045
 
On hacking & security
On hacking & security On hacking & security
On hacking & security Ange Albertini
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 

Similar to Security for Data Scientists (20)

Hit by a Cyberattack: lesson learned
 Hit by a Cyberattack: lesson learned Hit by a Cyberattack: lesson learned
Hit by a Cyberattack: lesson learned
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
Mc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handoutsMc physics colloquium2018-03-30.-handouts
Mc physics colloquium2018-03-30.-handouts
 
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptxCYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
001.itsecurity bcp v1
001.itsecurity bcp v1001.itsecurity bcp v1
001.itsecurity bcp v1
 
cyber security presentation (1).pdf
cyber security presentation (1).pdfcyber security presentation (1).pdf
cyber security presentation (1).pdf
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Introduction To Hacking
Introduction To HackingIntroduction To Hacking
Introduction To Hacking
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Why we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malwareWhy we are getting better at catching nation-state sponsored malware
Why we are getting better at catching nation-state sponsored malware
 
“In 2024 Guide to Cyber Security: Protect Your Data Today”
“In 2024  Guide to Cyber Security: Protect Your Data Today”“In 2024  Guide to Cyber Security: Protect Your Data Today”
“In 2024 Guide to Cyber Security: Protect Your Data Today”
 
“In 2024 Guide to Cyber Security: Protect Your Data Today”
“In 2024  Guide to Cyber Security: Protect Your Data Today”“In 2024  Guide to Cyber Security: Protect Your Data Today”
“In 2024 Guide to Cyber Security: Protect Your Data Today”
 
On hacking & security
On hacking & security On hacking & security
On hacking & security
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 

Recently uploaded

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionDEEPRAJ PATHAK
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 

Recently uploaded (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile Evolution
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 

Security for Data Scientists

  • 1. David Arcos - @DZPMSecurity for Data Scientists – #PyDataBCN Security for Data Scientists PyDataBCN 2017: Closing Act David Arcos CTO at
  • 2. Abstract Handling confidential data attracts unwanted attention from hostile attackers :( We’ll see threats, attacks, defenses & tools
  • 3. Data Security "Data security means protecting data from destructive forces and from the unwanted actions of unauthorized users"
  • 4. Common myths ● “I have nothing of value. I don’t mind” ● “No one cares, I’m not a target” ● “Nobody would go through the effort of hacking me” ● “If my computer was compromised, I’d know” ● “I have nothing to hide...”
  • 5.
  • 6. Why should you care about security? ● You have access to huge amounts of data ● Malicious individuals interested in personal/private/confidential info ● That info gives access to bank accounts, personal contacts, health conditions... ● Very automated attacks, targeted, high chance of success
  • 7. Threats: Authentication ● Attacker will try to guess your weak password ● You need to secure your strong password
  • 8. Attack: Brute-forcing ● Brute-forcing cracking (i.e: John the Ripper) – Try all combinations, systematically ● Optimized by prioritizing likely possibilities: – Frequency tables – Dictionary attack (word list) – Most common passwords...
  • 10. Attack: previous data breaches ● Websites are breached all the time ● Those credentials are sold in the black market ● Attacker steps: – Get/buy credentials – Try same credentials in other sites
  • 11. Attack: previous data breaches ● Websites are breached all the time ● Those credentials are sold in the black market ● Attacker steps: – Get/buy credentials – Try same credentials in other sites – Surprise! ● Most users re-use passwords :( ● (And most websites have bullshit security)
  • 12.
  • 13. Tool: ‘Have I Been Pwned?’ ● https://haveibeenpwned.com
  • 14.
  • 15. Rules for strong passwords ● Use long, complex, random, unique passwords – Use letters, numbers, symbols ● Size does matter – High entropy: no patterns ● Patterns will be guessed – A new password for each service ● A compromised service should not compromise all your services
  • 16. Defense: Use a Password Manager ● To generate new strong passwords – It’s like using pwgen ● To store your passwords – All your passwords are different – Will be encrypted ● To share passwords with your team ● I recommend KeePass
  • 17. This is not a password manager!
  • 18. NOPE!
  • 19. Threat: Phishing Attacker disguises as a trustworthy entity, to obtain your sensitive information by tricking you
  • 20. It’s a trap! Sadly, phishing is not this obvious (anymore)
  • 21. Everybody can be phished Source
  • 22.
  • 23. Looks legit! It’s not :( Source: twitts from @tomscott
  • 24. Check the url and the “lock”
  • 25. WRONG! Homograph attack Source: Phishing with Unicode Domains аррӏе.com != apple.com
  • 26. Attack: Spear-phishing ● Targeted attack ● Attackers gather personal information about their target ● Very successful
  • 27. Attack: CEO Fraud / Whaling "Please make a huge $ transfer to this unknown company - Boss"
  • 28. Defense: Two-Factor Auth (2FA) ● Something you know + something you have – SMS (but it’s complicated… avoid if possible) – TOPT app: Google Authenticator, Authy… – TOPT hardware: FIDO token, Yubikey ● Check support for major sites: – https://twofactorauth.org
  • 29. Tool: Google Authenticator ● Mobile app ● Use code when login ● Code change each few seconds
  • 31. Threat: Man-In-The-Middle (MITM) ● Two parties communicate between each other ● Attacker in the middle, relaying messages: – Gets credentials, can alter messages
  • 32. Attack: all HTTP traffic ● HTTP traffic is not encrypted ● Assume ALL traffic is monitored/MITM’ed ● Wifi hotspots, Schools, Corporate networks...
  • 33. ENCRYPT ALL THE THINGS!
  • 34. Defense: always use encryption ● Always use SSL: HTTPS instead of HTTP ● As user: install HTTPS Everywhere – Redirects you to the “safe” version of the site – Can block insecure sites ● As sysadmin: use LetsEncrypt – Free SSL certs, easy to install, automated – Also: set up SSH, VPN...
  • 35. Defense: always use encryption ● As a developer: – don’t send unencrypted confidential data – avoid insecure APIs – sign your git commits using GPG
  • 36. Threat: internet tracking ● Most websites do internet tracking: – To record your actions, profile you – To serve (customized ) ads – To send you malware (read: virus, spyware) ● Attackers can target victims and send payloads
  • 38. Defense: block tracking ● Install anti-tracking extension in browser: – uBlock Origin – Disconnect.me
  • 39. Threat: Internet of Things ● “The S in IoT stands for Security” ● Mirai botnet caused massive internet outage
  • 40. Threats: physical security ● Protect yourself against nearby attackers – Use security locks against thiefs – Be aware of over-the-shoulder eavesdroppers – Be aware of your webcam ● “Evil Maid” attack: – When you leave your laptop in your hotel room...
  • 41. Defense: Full Disk Encryption
  • 42. Defense: Mark tapes his webcam (be like Mark!)
  • 43. Attack: Exploding USB ● 1) Insert USB stick ● 2) Kaboom! Just kidding, it’s a joke ;-)
  • 45. Attack: USB Killer ● When plugged, it rapidly charges its capacitors from the USB power lines ● When charged, -200VDC is discharged over the data lines of the host device ● RIP host device
  • 47. Physical access to HW = Game over
  • 48. More resources ● Courses: – Surveillance Self-Defense, from the EFF – CS 88S: Safety in the Cloud, from the UCLA ● People to follow: – Bruce Schneier – Bryan Krebs – Troy Hunt
  • 49. David Arcos - @DZPMSecurity for Data Scientists – #PyDataBCN Thanks for attending!