Security for Data Scientists


Handling confidential data attracts unwanted attention from hostile attackers.
We will go over the basic concepts of security threats, show many examples of real attacks, and focus on how to defend ourselves and secure our data.

Main topics:
- Myths
- Why it's important to be safe
- Authentication & Password Managers
- Phishing & 2FA
- MITM & Encryption
- Internet tracking & Ad-blockers
- Internet Of Things
- Physical Security
- More Resources

Closing Act at PyData Barcelona 2017:
https://pydata.org/barcelona2017/schedule/presentation/52/


Slide transcript

1. Security for Data Scientists
PyDataBCN 2017: Closing Act
David Arcos (@DZPM), CTO at

2. Abstract
Handling confidential data attracts unwanted attention from hostile attackers :(
We'll see threats, attacks, defenses & tools

3. Data Security
"Data security means protecting data from destructive forces and from the unwanted actions of unauthorized users"

4. Common myths
● "I have nothing of value. I don't mind"
● "No one cares, I'm not a target"
● "Nobody would go through the effort of hacking me"
● "If my computer was compromised, I'd know"
● "I have nothing to hide..."

5. Why should you care about security?
● You have access to huge amounts of data
● Malicious individuals are interested in personal/private/confidential info
● That info gives access to bank accounts, personal contacts, health conditions...
● Attacks are highly automated and targeted, with a high chance of success
6. Threat: Authentication
● An attacker will try to guess your weak password
● You need to keep your strong password secure

7. Attack: Brute-forcing
● Brute-force cracking (e.g. John the Ripper)
  – Try all combinations, systematically
● Optimized by prioritizing likely candidates:
  – Frequency tables
  – Dictionary attack (word list)
  – Most common passwords...

8. Most common passwords...

9-10. Attack: previous data breaches
● Websites are breached all the time
● Those credentials are sold on the black market
● Attacker steps:
  – Get/buy credentials
  – Try the same credentials on other sites
  – Surprise!
● Most users re-use passwords :(
● (And most websites have bullshit security)

11. Tool: 'Have I Been Pwned?'
● https://haveibeenpwned.com
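How 'Have I Been Pwned?' lets you check a password without revealing it, as an added example that is not part of the slides: the Pwned Passwords range API uses k-anonymity, so the client sends only the first five hex characters of the password's SHA-1 hash, receives every hash suffix in that range with its breach count, and matches locally. The range response below is constructed sample data (the counts are made up); `fetch_range` shows the real request but is not called offline.

```python
"""Pwned Passwords k-anonymity check (added example, stdlib only).

Only a 5-character hash prefix leaves the machine; the match happens here.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    The prefix (5 hex chars) is the only thing ever sent to the service.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response ('SUFFIX:COUNT' per line, one suffix per hash
    sharing the prefix) and return our suffix's breach count, or 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        found, count = line.split(":", 1)
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Real network call: GET /range/<prefix>. Not exercised offline."""
    req = urllib.request.Request(API + prefix,
                                 headers={"User-Agent": "pydata-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times `password` appears in known breaches (0 = not seen).

    `fetch` is injectable so the protocol can be exercised without network.
    """
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the server's answer to GET /range/5BAA6
# (real answers have hundreds of lines; these counts are invented).
# The second line is the genuine suffix of SHA-1("password").
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3F1EB2D4E2D8C5A0A2E4F1C3B7D9A6E5C11:2
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print(split_hash("password"))
    print("password seen", pwned_count("password", fetch=offline), "times")
    print("other seen", pwned_count("not-in-sample", fetch=offline), "times")
```

Never send the full hash: the whole point of the prefix scheme is that the service cannot tell which of the few hundred hashes in the range you were asking about. If a site receives a non-zero count at signup or login, it should reject the password and explain why.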
12. Rules for strong passwords
● Use long, complex, random, unique passwords
  – Long: size does matter
  – Complex: use letters, numbers, symbols
  – Random: high entropy, no patterns (patterns will be guessed)
  – Unique: a new password for each service, so a compromised service does not compromise all your services

13. Defense: use a password manager
● To generate new strong passwords
  – It's like using pwgen
● To store your passwords
  – All your passwords are different
  – They are stored encrypted
● To share passwords with your team
● I recommend KeePass
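Why slides 7 and 12 say what they do, as an added example (not the talk's code): a dictionary attack with the mangling rules crackers apply first (case changes, common suffixes, leet substitutions) recovers a "complex-looking" password such as Password123 in a few dozen guesses, even though the textbook entropy formula credits it with about 65 bits; a password produced by a CSPRNG, which is what a password manager or pwgen does, survives the same attack. The unsalted SHA-256 and the ten-word list are stand-ins (assumptions of this example) for a real hash dump and a real word list; real password storage must use a slow salted KDF (bcrypt, scrypt, Argon2).

```python
"""Dictionary attack with mangling rules vs. a generated password.

Added example. SHA-256 is used only to keep the demo in the standard
library; it is NOT a suitable password hash (far too fast, no salt).
"""
import hashlib
import math
import secrets
import string

# Constructed mini word list; real attackers use rockyou.txt-sized lists.
COMMON_WORDS = ["123456", "password", "qwerty", "letmein", "dragon",
                "monkey", "football", "iloveyou", "welcome", "admin"]

# Suffixes people bolt on to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ["", "1", "12", "123", "!", "2017", "1!"]


def sha256_hex(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word):
    """Yield the variations cracking rules try first: case changes,
    common suffixes, then leet-speak. None of them add real entropy."""
    bases = list(dict.fromkeys([word, word.capitalize(), word.upper()]))
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def dictionary_attack(target_hash, words=COMMON_WORDS):
    """Return (cracked_password, guesses) or (None, guesses)."""
    guesses = 0
    for word in words:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def naive_entropy_bits(password):
    """Textbook estimate: length * log2(alphabet size).

    It overrates patterned passwords: 'Password123' scores ~65 bits yet
    falls to the attack above, because the attacker does not search the
    alphabet uniformly, they search the patterns humans actually use.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """What a password manager (or pwgen) does: one CSPRNG draw per
    character, so the naive entropy estimate is actually earned."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["Password123", "LETMEIN!", "p@ssw0rd", generate_password()]:
        cracked, guesses = dictionary_attack(sha256_hex(pw))
        print(f"{pw!r}: naive entropy {naive_entropy_bits(pw):.1f} bits, "
              f"cracked={cracked is not None} after {guesses} guesses")
```

The cracked/not-cracked split, not the bit count, is the lesson: a long password built from a pattern is weak, a shorter one drawn uniformly at random is strong, and the only practical way to have a distinct uniformly random password per service is to let a manager generate and store them.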
14. This is not a password manager!

15. NOPE!
16. Threat: Phishing
The attacker disguises as a trustworthy entity to obtain your sensitive information by tricking you

17. It's a trap!
Sadly, phishing is not this obvious (anymore)

18. Everybody can be phished

19. Looks legit! It's not :(
Source: tweets from @tomscott

20. Check the URL and the "lock"

21. WRONG! Homograph attack
Source: "Phishing with Unicode Domains"
аррӏе.com != apple.com
The first name is written with Cyrillic letters whose glyphs look like the Latin ones, so checking the URL text and the lock is not enough: the attacker registers the look-alike domain and gets a perfectly valid certificate for it.
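A defense against the slide's homograph, as an added example (not from the talk): map a hand-picked subset of Unicode confusables to their Latin look-alikes, compare the resulting "skeleton" against a list of trusted domains, flag labels that mix scripts, and show the punycode (xn--) form a browser displays when it distrusts an internationalized name. The confusable table is deliberately small (a production check would use Unicode's confusables.txt), and the punycode step skips IDNA normalization; both are assumptions of this example.

```python
"""Homograph / look-alike hostname detection (added example, stdlib only)."""
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin ones.
# Hand-picked subset of Unicode confusables.txt, not the full table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA (the 'l' in the slide)
}


def skeleton(label):
    """Replace confusables by their Latin look-alike, then NFKC-fold
    (full-width forms etc.) and case-fold, so look-alikes collide."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return unicodedata.normalize("NFKC", mapped).casefold()


def scripts(label):
    """Set of script names used by the letters in a label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def to_ascii(hostname):
    """Punycode rendering of a hostname: non-ASCII labels become xn--....
    Raw punycode per label; real IDNA also normalizes first (assumption)."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def is_lookalike(hostname, trusted):
    """True if `hostname` is not itself trusted but either collides with a
    trusted name after skeletonizing, or mixes scripts inside one label."""
    host = hostname.casefold()
    if host in trusted:
        return False
    if skeleton(host) in {skeleton(t) for t in trusted}:
        return True
    return any(len(scripts(label)) > 1 for label in host.split("."))


if __name__ == "__main__":
    trusted = {"apple.com", "pydata.org"}
    for host in ["apple.com", "\u0430\u0440\u0440\u04cf\u0435.com",
                 "p\u0430ypal.com", "pydata.org"]:
        print(f"{host}  ->  {to_ascii(host)}  scripts={scripts(host.split('.')[0])}"
              f"  lookalike={is_lookalike(host, trusted)}")
```

The slide's аррӏе.com is the hard case for browsers: every letter is Cyrillic, so a mixed-script check alone passes it; only the skeleton comparison (or displaying the xn-- form) catches it.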
22. Attack: Spear-phishing
● Targeted attack
● Attackers gather personal information about their target
● Very successful

23. Attack: CEO Fraud / Whaling
"Please make a huge $ transfer to this unknown company - Boss"

24. Defense: Two-Factor Auth (2FA)
● Something you know + something you have
  – SMS (but it's complicated: codes can be intercepted or SIM-swapped... avoid if possible)
  – TOTP app: Google Authenticator, Authy...
  – Hardware token: FIDO U2F key, YubiKey
● Check support for major sites:
  – https://twofactorauth.org

25. Tool: Google Authenticator
● Mobile app
● Enter the current code when logging in
● The code changes every 30 seconds

26. Tool: U2F key
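What the TOTP app on slide 25 actually computes, as an added example in Python's standard library (not the talk's code): RFC 4226 HOTP, RFC 6238 TOTP with a 30-second step, a constant-time server-side verifier that tolerates one step of clock drift, and the base32 form of the shared secret that goes into the enrollment QR code. The secret below is the RFC's own test secret, so the codes can be checked against the published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from scratch (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password: HMAC(secret, counter) -> dynamic
    truncation -> 31-bit int -> last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digestmod=hashlib.sha1):
    """Time-based OTP: HOTP with counter = floor(unix_time / step).
    This is the number the phone shows; it changes every `step` seconds."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, digestmod)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current step and +/- `window`
    steps (clock drift), comparing in constant time to avoid timing leaks."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


def secret_to_base32(secret):
    """Base32 without padding: the form used in otpauth:// URIs / QR codes."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("base32 secret for the QR code:", secret_to_base32(RFC_SECRET))
    for t in (59, 1111111109, 1234567890):
        print(f"t={t}: 6-digit {totp(RFC_SECRET, at=t)}  "
              f"8-digit {totp(RFC_SECRET, at=t, digits=8)}")
    print("current code:", totp(RFC_SECRET))
```

Two practical consequences follow from the code: the server must store the shared secret (so it is a secret to protect, not a password hash), and a used code should be remembered and rejected within its window, otherwise a phished code can be replayed in the same 30 seconds. That replay window is exactly what U2F keys on slide 26 close, since they sign a challenge bound to the origin instead of revealing a short code.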
27. Threat: Man-In-The-Middle (MITM)
● Two parties communicate with each other
● The attacker sits in the middle, relaying messages:
  – Gets credentials, can alter messages

28. Attack: all HTTP traffic
● HTTP traffic is not encrypted
● Assume ALL traffic is monitored/MITM'ed
● Wifi hotspots, schools, corporate networks...

29. ENCRYPT ALL THE THINGS!

30. Defense: always use encryption
● Always use TLS (SSL): HTTPS instead of HTTP
● As a user: install HTTPS Everywhere
  – Redirects you to the "safe" version of the site
  – Can block insecure sites
● As a sysadmin: use Let's Encrypt
  – Free TLS certs, easy to install, automated
  – Also: set up SSH, VPN...

31. Defense: always use encryption
● As a developer:
  – Don't send unencrypted confidential data
  – Avoid insecure APIs (e.g. endpoints served over plain HTTP)
  – Sign your git commits using GPG
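The developer side of slides 30 and 31, as an added example (not from the deck): a hardened TLS client context beside the "make the certificate error go away" snippet that quietly turns HTTPS back into something a MITM can intercept, plus a guard that refuses plain-http URLs before any request leaves the machine. The function names and the `is_hardened` audit check are this example's own; `fetch` performs a real network request and is not exercised offline.

```python
"""Verified TLS client vs. the insecure shortcut (added example, stdlib)."""
import ssl
import urllib.request
from urllib.parse import urlparse


def secure_context():
    """Verify the chain against the system CA store, check that the
    certificate matches the hostname, and refuse TLS < 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context_do_not_use():
    """The snippet that shows up in notebooks behind corporate proxies:
    no certificate or hostname check, so an attacker on the hotspot with
    a self-signed cert is accepted and reads everything you send."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_plaintext(url):
    """True for any scheme other than https (http, ftp, ...)."""
    return urlparse(url).scheme.lower() != "https"


def assert_https(url):
    """Fail closed: a confidential payload must never go over plain HTTP."""
    if is_plaintext(url):
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def fetch(url, ctx=None, timeout=10):
    """GET over a verified TLS connection (network; not run offline)."""
    assert_https(url)
    with urllib.request.urlopen(url, context=ctx or secure_context(),
                                timeout=timeout) as resp:
        return resp.read()


def is_hardened(ctx):
    """Audit check for a context handed to you by library code: it must
    require a valid chain, check the hostname, and refuse legacy TLS."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("secure context hardened:", is_hardened(secure_context()))
    print("insecure context hardened:", is_hardened(insecure_context_do_not_use()))
    for url in ("https://pydata.org/", "http://pydata.org/"):
        print(url, "plaintext" if is_plaintext(url) else "encrypted")
```

If you find `verify=False` (requests) or `CERT_NONE` (ssl) in a data pipeline, treat it as a finding: the right fix for a corporate interception proxy is to add its CA to the trust store, not to disable verification for every host.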
32. Threat: internet tracking
● Most websites do internet tracking:
  – To record your actions and profile you
  – To serve (customized) ads
  – To deliver malware (viruses, spyware) through malicious ads
● Attackers can target victims and send payloads

33. Beware of malware ads!

34. Defense: block tracking
● Install an anti-tracking extension in your browser:
  – uBlock Origin
  – Disconnect.me

35. Threat: Internet of Things
● "The S in IoT stands for Security"
● The Mirai botnet, built from hijacked IoT devices, caused a massive internet outage in 2016
36. Threats: physical security
● Protect yourself against nearby attackers
  – Use security locks against thieves
  – Be aware of over-the-shoulder eavesdroppers
  – Be aware of your webcam
● "Evil Maid" attack:
  – When you leave your laptop in your hotel room...

37. Defense: Full Disk Encryption

38. Defense: Mark tapes his webcam (be like Mark!)

39. Attack: Exploding USB
● 1) Insert USB stick
● 2) Kaboom!
Just kidding, it's a joke ;-)

40. Attack: BadUSB (BlackHat 2014)

41. Attack: USB Killer
● When plugged in, it rapidly charges its capacitors from the USB power lines
● When charged, about -200 V DC is discharged over the data lines of the host device
● RIP host device

42. Defense: avoid unknown USBs :(

43. Physical access to hardware = game over
44. More resources
● Courses:
  – Surveillance Self-Defense, from the EFF
  – CS 88S: Safety in the Cloud, from UCLA
● People to follow:
  – Bruce Schneier
  – Brian Krebs
  – Troy Hunt

45. Thanks for attending!
