The document provides an introduction to web 2.0 security from JP Bourget, who has experience in computer security, network security management, and security consulting. It discusses what constitutes web 2.0 technologies like social networks and web apps, and how they impact privacy and trust online. It then outlines 10 best practices for securing personal data on web 2.0 platforms, which include knowing what data you have, how third parties use it, maintaining strong passwords, keeping devices updated, and having backups of important files. Physical security of devices and wireless networks are also addressed.
2. Why I may be able to teach you something
I secure networks for a living
Wait… I secure **data** for a living – networks are a side effect of data
Professor – MS in Computer Security and Info Assurance
Business – Network Security Manager
Student – Security continues to evolve – I have to keep up, but I love it (especially the good vs. evil)
Consultant – I pen test for companies to help them identify what weaknesses they have
3. What is Web 2.0
Social Networks (Facebook, Twitter, Foursquare, MySpace)
Web based Apps (Gmail/webmail, Google Docs, Mozy, Mint.com, Facebook apps, WordPress), Zillow, Last.fm, Netflix
Mobile – iPhone, Android
A new paradigm in privacy or lack of privacy (i.e. Facebook)
A new model of trust
(Don’t forget web 3.0 – the intelligent web – it’s on its way – the Facebook newsfeed is an example of a closed intelligent web)
4. Web 2.0 – Let’s change our lens
At a basic level – you interact with data
We can call that data certain things:
Your Facebook or Twitter status
Your new film
Music
Scripts
Bank info (and transactions)
What other examples can you come up with?
5. What is YOUR web data exposure
Do you have a:
Facebook account?
LinkedIn account?
Dropbox account?
Blog?
VPN?
Work related Web based application? (CRM, upload site, film preview site?)
Script or film stored on your hard drive right now?
6. Scary
The desktop security game may be over
We have lost
Your router or DSL modem can be owned by the bad guys
Your desktop may already be owned – do you care? Do you have the ability to detect or fix it?
Things are getting worse not better
Blame the industry
Bruce Potter (Shmoo Group) says we should revisit the Trusted Computing paradigm
Proof:
Banks and other secure institutions are already assuming their users are insecure
AV Vendors are sounding the call to action (but they’ll still take your $$)
8. 10 Best Practices to secure your data
10. Know what data you have – you organized your filing cabinets – why not your data?
9. Identify which data you care about
Depending on quantity, you may need to prioritize
You may need to assess what is really important to you (i.e. what is your irreplaceable data)
I have 3 types of data: public, private, and work
What is your gold?
Apply the other steps to your types of data based upon their attributes
9. 10 Best Practices to secure your data
8. Identify how entities that you share data with treat your data
Merchants
Banks
Social Networking
What other 3rd parties do you share your data with?
10. 10 Best Practices to secure your data
7. Know your footprint – when you save data, are you aware of the tracks you leave?
Just because you delete data in Windows/Mac/Linux doesn’t mean that data is purged from disk (if I want it I can get it)
Did you share your flash drive, or put it in a computer you don’t trust?
6. Have a good firewall and have someone help you ensure it’s configured correctly
The AV industry is a hot mess right now – you aren’t getting what you’re paying for (but you should still have some)
11. 10 Best Practices to secure your data
5. Don’t click on random links (follow the attachment rule)
5a. Don’t use Internet Explorer (before 8) – it has inherent design flaws that will expose you or your data
5b. Don’t install programs if you don’t know what they do or you don’t need them – practice software minimalism – your CPU and RAM will thank you and you’ll have a smaller attack surface
12. 10 Best Practices to secure your data
4. Keep your computer up to date (this is hard sometimes)
AV/IDS/IPS
Java/Flash/Skype/etc.
ADOBE – Huge attack vector lately
Windows/Mac OS X updates
Most compromises happen to computers more than 1-2 months behind on updates
13. 10 Best Practices to secure your data
3. Physical Security – #s 4-10 can only do so much if I can steal your laptop – physical access is everything… that’s why data centers are so secure – if I have unchecked access to your machine – game over
14. 10 Best Practices to secure your data
2. Secure Passwords – 95% of problems start with weak passwords
Passwords are your most effective barrier for your information
Brute force time by password length and character set:
Password Length   All Characters              Only Lowercase
3 characters      0.86 seconds                0.02 seconds
4 characters      1.36 minutes                0.046 seconds
5 characters      2.15 hours                  11.9 seconds
6 characters      8.51 days                   5.15 minutes
7 characters      2.21 years                  2.23 hours
8 characters      2.10 centuries              2.42 days
9 characters      20 millennia                2.07 months
10 characters     1,899 millennia             4.48 years
11 characters     180,365 millennia           1.16 centuries
12 characters     17,184,705 millennia        3.03 millennia
13 characters     1,627,797,068 millennia     78.7 millennia
14 characters     154,640,721,434 millennia   2,046 millennia
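The arithmetic behind the table above, as an added example that is not part of the original slides: the time to exhaust a keyspace is simply (alphabet size) ^ (length) divided by the guess rate. The slide does not state its parameters, so three things here are assumptions inferred from the rows: a 26-letter alphabet for "Only Lowercase", the 95 printable ASCII characters for "All Characters", and a rate of about one million guesses per second (that rate reproduces the rows for lengths 3, 7 and 8). `FASTER_RATE` is a constructed comparison figure, not a measurement of any tool. The example also goes beyond the table in one respect: `lowercase_length_to_match` computes how many lowercase-only characters are needed to reach the same keyspace as a mixed-character password of a given length, which is the question a password policy actually has to answer.

```python
"""Brute-force keyspace arithmetic behind the password-length table.

Added example, not from the original slides. Assumed parameters (the slide
does not state them): 26 lowercase letters, 95 printable ASCII characters,
and roughly 1,000,000 guesses/second, which is the rate the table's rows imply.
"""
import math

LOWERCASE = 26            # a-z, the "Only Lowercase" column (assumption)
ALL_PRINTABLE = 95        # printable ASCII 0x20-0x7E, "All Characters" (assumption)
TABLE_RATE = 1_000_000    # guesses/second implied by the slide's rows (assumption)
FASTER_RATE = 1_000_000_000  # constructed comparison rate, not a measurement

# (name, seconds per unit), largest first; a year is taken as 365.25 days
_UNITS = (
    ("millennia", 365.25 * 86400 * 1000),
    ("centuries", 365.25 * 86400 * 100),
    ("years", 365.25 * 86400),
    ("months", 365.25 * 86400 / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case: time to try every candidate of this length at a fixed rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the same units the slide's table uses."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Keyspace size in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def lowercase_length_to_match(length: int, alphabet_size: int = ALL_PRINTABLE) -> int:
    """Shortest lowercase-only password whose keyspace is at least as large."""
    return math.ceil(bits_of_entropy(length, alphabet_size) / math.log2(LOWERCASE))


def build_table(guesses_per_second: float, lengths=range(3, 15)):
    """Recompute the slide's rows as (length, all-characters time, lowercase time)."""
    return [
        (n,
         humanize(seconds_to_exhaust(n, ALL_PRINTABLE, guesses_per_second)),
         humanize(seconds_to_exhaust(n, LOWERCASE, guesses_per_second)))
        for n in lengths
    ]


if __name__ == "__main__":
    # Same arithmetic at the table's implied rate and at a faster constructed rate,
    # to show how every row shifts when the attacker's guess rate changes.
    for rate in (TABLE_RATE, FASTER_RATE):
        print(f"\n{rate:,} guesses/second")
        print(f"{'Length':>6}  {'All Characters':>24}  {'Only Lowercase':>18}")
        for n, all_chars, lower in build_table(rate):
            print(f"{n:>6}  {all_chars:>24}  {lower:>18}")
    n = 8
    print(f"\n{n} mixed characters ~ {bits_of_entropy(n, ALL_PRINTABLE):.1f} bits; "
          f"lowercase-only needs {lowercase_length_to_match(n)} characters to match")
```

Running the script prints the table twice; the second copy shows that a thousandfold faster guess rate moves every row three lengths down, which is why length matters more than any single row's absolute figure.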
15. 10 Best Practices to secure your data
1. BACKUP – If you have good backups you can
Have your laptop stolen
Have a disk failure
Have Windows crash
AND STILL HAVE YOUR DATA
(but someone else may have it too)
16. Some More Thoughts
What data do you share out?
Is it what you intended?
What does your LinkedIn profile look like?
What happens when you Google yourself?
What is on your laptop? Is it secured?
Your phone?
Your iPad?
17. Your iPh0ne
Does your iPhone app transmit your credentials in plain text? (TweetDeck did this forever)
What data do these apps store on your phone? (iPhone forensics is a hot industry)
What do you think I can do if I have physical access to your iPhone?
Wireless vs. 3G access
18. Backup Ideas
To disk (use Time Machine, or Windows Backup)
To the cloud (getdropbox.com, mozy.com)
Keep a copy somewhere else – your mom’s house – at work – safe deposit box (flip this for business)
19. Wireless Security
Pay someone $20 to secure your home network if you don’t know how to
Don’t connect to WEP networks (use WPA or WPA2 (even better))
If you aren’t on a network you (or someone you know) control, don’t do anything you don’t want exposed
20. Thanks for listening
Any questions?
You can find me:
jp@syncurity.net or jp.bourget@gmail.com
Twitter: punkrokk
Blog: http://www.syncurity.net
Sources: NIST, http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/
Editor's Notes
Data is the whole point – it’s why we compute – we use data in many different ways – Facebook or Twitter status, sell data (LexisNexis, research, software, FILMS, MUSIC)
Adjunct
Global Network – 13 networks across the Northern Hemisphere (USA, Europe, China)
FB Chat and friend requests: if you trust a friend on a social network, how many degrees of trust are you really allowing?
Blame the industry – consumers generally don’t want to be bothered with the complexity or the abstract nature of securing their environment. What does error code AEF3424 mean? How do I tell if I have a malware infection? No good answer.
So are you scared yet?