Security for Data Scientists

Handling confidential data attracts unwanted attention from hostile attackers.
We will go over the basic concepts of security threats, show many examples of real attacks, and focus on how to defend ourselves and secure our data.

Main topics:
- Myths
- Why it's important to be safe
- Authentication & Password Managers
- Phishing & 2FA
- MITM & Encryption
- Internet tracking & Ad-blockers
- Internet Of Things
- Physical Security
- More Resources

Closing Act at PyData Barcelona 2017:
https://pydata.org/barcelona2017/schedule/presentation/52/

Security for Data Scientists

  1. Security for Data Scientists. PyDataBCN 2017: Closing Act. David Arcos (@DZPM), CTO at
  2. Abstract: Handling confidential data attracts unwanted attention from hostile attackers :( We’ll see threats, attacks, defenses & tools
  3. Data Security: "Data security means protecting data from destructive forces and from the unwanted actions of unauthorized users"
  4. Common myths
     - “I have nothing of value. I don’t mind”
     - “No one cares, I’m not a target”
     - “Nobody would go through the effort of hacking me”
     - “If my computer was compromised, I’d know”
     - “I have nothing to hide...”
  5. Why should you care about security?
     - You have access to huge amounts of data
     - Malicious individuals are interested in personal/private/confidential info
     - That info gives access to bank accounts, personal contacts, health conditions...
     - Very automated attacks, targeted, with a high chance of success
  6. Threats: Authentication
     - The attacker will try to guess your weak password
     - You need to secure your strong password
  7. Attack: Brute-forcing
     - Brute-force cracking (e.g. John the Ripper)
       - Try all combinations, systematically
     - Optimized by prioritizing likely possibilities:
       - Frequency tables
       - Dictionary attack (word list)
       - Most common passwords...
  8. Most common passwords...
  9. Attack: previous data breaches
     - Websites are breached all the time
     - Those credentials are sold on the black market
     - Attacker steps:
       - Get/buy credentials
       - Try the same credentials on other sites
 10. Attack: previous data breaches (continued)
     - Websites are breached all the time
     - Those credentials are sold on the black market
     - Attacker steps:
       - Get/buy credentials
       - Try the same credentials on other sites
       - Surprise!
     - Most users re-use passwords :(
     - (And most websites have bullshit security)
 11. Tool: ‘Have I Been Pwned?’
     - https://haveibeenpwned.com
 12. Rules for strong passwords
     - Use long, complex, random, unique passwords
       - Use letters, numbers, symbols
     - Size does matter
       - High entropy: no patterns
       - Patterns will be guessed
     - A new password for each service
       - A compromised service should not compromise all your services
 13. Defense: Use a Password Manager
     - To generate new strong passwords
       - It’s like using pwgen
     - To store your passwords
       - All your passwords are different
       - They will be encrypted
     - To share passwords with your team
     - I recommend KeePass
 14. This is not a password manager!
 15. NOPE!
 16. Threat: Phishing. The attacker disguises as a trustworthy entity to obtain your sensitive information by tricking you
 17. It’s a trap! Sadly, phishing is not this obvious (anymore)
 18. Everybody can be phished (Source)
 19. Looks legit! It’s not :( (Source: tweets from @tomscott)
 20. Check the URL and the “lock”
 21. WRONG! Homograph attack (Source: Phishing with Unicode Domains): аррӏе.com != apple.com
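An added example, not from the talk: the kind of script check a browser or mail filter applies to the slide's аррӏе.com look-alike. A label is flagged when it mixes scripts, or when it is entirely Cyrillic but built only from letters that render like Latin ones; such labels are also shown in the xn-- punycode form that browsers fall back to. The look-alike table is a constructed subset (browsers use a much longer confusables list).

```python
import unicodedata
from typing import Dict, Set

# Constructed subset of Cyrillic letters that render like Latin ones; browsers use a much longer confusables list.
CYRILLIC_LOOKALIKES = set("аеорсухѕіјһӏԁԛԝ")
SLIDE_LOOKALIKE = "аррӏе.com"  # the slide's domain: Cyrillic а, р, р, ӏ (palochka), е
SLIDE_REAL = "apple.com"

def label_scripts(label: str) -> Set[str]:
    """Scripts used by the letters of one DNS label, read off the Unicode character names (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def to_ascii(domain: str) -> str:
    """Show each non-ASCII label as xn-- punycode, the form browsers fall back to for suspicious IDNs."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in domain.lower().split(".")
    )

def is_homograph_risk(domain: str) -> bool:
    """Flag a label that mixes scripts, or is all-Cyrillic yet made only of Latin look-alikes."""
    for lab in domain.lower().split("."):
        scripts = label_scripts(lab)
        if len(scripts) > 1:
            return True  # e.g. Latin letters with one Cyrillic letter swapped in
        letters = [ch for ch in lab if ch.isalpha()]
        if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
            return True  # whole-script confusable, like the slide's example
    return False

def describe(domain: str) -> Dict[str, object]:
    """Summary a defender would log: ASCII form, scripts per label, risk flag."""
    return {
        "ascii": to_ascii(domain),
        "scripts": [sorted(label_scripts(lab)) for lab in domain.lower().split(".")],
        "risk": is_homograph_risk(domain),
    }

if __name__ == "__main__":
    for d in (SLIDE_LOOKALIKE, SLIDE_REAL):
        print(d, describe(d))
```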
 22. Attack: Spear-phishing
     - Targeted attack
     - Attackers gather personal information about their target
     - Very successful
 23. Attack: CEO Fraud / Whaling. "Please make a huge $ transfer to this unknown company - Boss"
 24. Defense: Two-Factor Auth (2FA)
     - Something you know + something you have
       - SMS (but it’s complicated… avoid if possible)
       - TOTP app: Google Authenticator, Authy…
       - TOTP hardware: FIDO token, Yubikey
     - Check support for major sites: https://twofactorauth.org
 25. Tool: Google Authenticator
     - Mobile app
     - Use the code when logging in
     - The code changes every few seconds
 26. Tool: U2F key
 27. Threat: Man-In-The-Middle (MITM)
     - Two parties communicate with each other
     - Attacker in the middle, relaying messages:
       - Gets credentials, can alter messages
 28. Attack: all HTTP traffic
     - HTTP traffic is not encrypted
     - Assume ALL traffic is monitored/MITM’ed
     - Wi-Fi hotspots, schools, corporate networks...
 29. ENCRYPT ALL THE THINGS!
 30. Defense: always use encryption
     - Always use SSL: HTTPS instead of HTTP
     - As a user: install HTTPS Everywhere
       - Redirects you to the “safe” version of the site
       - Can block insecure sites
     - As a sysadmin: use LetsEncrypt
       - Free SSL certs, easy to install, automated
       - Also: set up SSH, VPN...
 31. Defense: always use encryption
     - As a developer:
       - don’t send unencrypted confidential data
       - avoid insecure APIs
       - sign your git commits using GPG
 32. Threat: internet tracking
     - Most websites do internet tracking:
       - To record your actions and profile you
       - To serve (customized) ads
       - To send you malware (read: virus, spyware)
     - Attackers can target victims and send payloads
 33. Beware of malware ads!
 34. Defense: block tracking
     - Install an anti-tracking extension in your browser:
       - uBlock Origin
       - Disconnect.me
 35. Threat: Internet of Things
     - “The S in IoT stands for Security”
     - The Mirai botnet caused a massive internet outage
 36. Threats: physical security
     - Protect yourself against nearby attackers
       - Use security locks against thieves
       - Be aware of over-the-shoulder eavesdroppers
       - Be aware of your webcam
     - “Evil Maid” attack:
       - When you leave your laptop in your hotel room...
 37. Defense: Full Disk Encryption
 38. Defense: Mark tapes his webcam (be like Mark!)
 39. Attack: Exploding USB. 1) Insert USB stick. 2) Kaboom! Just kidding, it’s a joke ;-)
 40. Attack: BadUSB (BlackHat 2014)
 41. Attack: USB Killer
     - When plugged in, it rapidly charges its capacitors from the USB power lines
     - When charged, -200VDC is discharged over the data lines of the host device
     - RIP host device
 42. Defense: avoid unknown USBs :(
 43. Physical access to HW = Game over
 44. More resources
     - Courses:
       - Surveillance Self-Defense, from the EFF
       - CS 88S: Safety in the Cloud, from UCLA
     - People to follow:
       - Bruce Schneier
       - Brian Krebs
       - Troy Hunt
 45. Thanks for attending! David Arcos (@DZPM), Security for Data Scientists, #PyDataBCN
