An hour long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an ip address. IOT Internet of things, browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries. Librarians and anyone else in a library. There's a focus on practical ways to secure yourself, browsers and other things. Also some dicussion on privacy

1. IT Security For Librarians:
Outrunning The Bear
Blake Carver
LYRASIS Systems Administrator

2. Week One: Intro
Who and How and What
Privacy & Security in general
Why this is all important
5 Basic Things
Week Two: Outrunning The Bear
Privacy
Passwords
Securing Your Devices
Web Browsers
Email
Staying Safe On-line
Week Three: Outrunning The Bear @ Your Library
Training: Thinking & Behavior
Threat Modeling
Hardware & Networks
Week Four: The Web – Sites & Servers
How websites get hacked
Web Servers and Networks
Servers in general

3. Everything You Need To Know
• Passwords: L E N G T H
• Paranoia: Think Before You Click
• BackuPs: Frequent and Automatic
• Patches: Set to Auto
• Ponder Before Posting
Intro

4. Quick Review
All software can be exploited.
Obscurity is not always security.
Everything is worth something.
Worry about likely attacks.
Security isn’t Either / Or.
Being a bad guy is a full time job.
Surveillance Is The Business Model Of The
Internet.

5. • http://blog.whitehatsec.com/wp-content/uploads/ven.png
Privacy

6. Surveillance Is The Business
Model Of The Internet
Privacy

7. 'Silent Listeners'
“They” are out there collecting shared
personal information that oftentimes, users
are completely unaware they’re sharing.
Privacy

8. This Data Is Power & Money
Privacy

9. When it comes to Privacy...
Librarians are different.
Privacy

10. Good Security Means Better Privacy
Don’t be the place that gave away your
patrons personal information. Once it’s out
there you can’t get it back.
Privacy

11. There Is Value To Privacy
Privacy Troubles Are Small & Incremental
Privacy

12. The Data We Leave Behind Is
Our Digital Foot Prints
Privacy

13. "Getting your privacy back is
like getting your virginity back,"Jim Reavis, Executive Director of the non-profit Cloud Security Alliance
Privacy

14. • We don’t know how our information is used,
stored or shared and for how long
• We don’t know who has access
• We don’t know if it’s safe
Privacy

15. On the InterWebs, the
companies entrusted to keep
our personal data safe are
invariably the ones who have
the most to gain from not doing
so.
Robert X. Cringely
Privacy

16. Nearly every privacy policy on
the Web starts with the phrase
"we value your privacy," but
almost none of them actually
mean it.
Robert X. Cringely
Privacy

17. We value your data
Privacy

18. “Not having a [company name] account does not
mean that they have no information about you. It’s
more like you don’t have a password to access your
data.”
https://www.martinruenz.de/article/data-privacy/2016/02/14/the-dark-side-of-big-data.html

19. What About Your ISP?
So Many Footprints
All HTTP Traffic
All HTTPS Domains/Sites Via DNS
All Those "Things"
Phone Carriers & Apps?

20. What Can We Do?
Awareness & Education
Decentralize
FOSS and Self Hosting

21. • Are there new social norms now?
• Are people okay with less privacy?
• Should this make any difference to your library
policies?
Privacy

22. Passwords
Passwords
Reuse
Weak

23. Here’s a hint for someone trying
to get passwords from any
library…

25. It's Easy to Create Long Crazy Unique and
Confusing Passwords.
The Downside? Remembering Them

26. Any decent password is either
nearly impossible to remember
or too long to deal with.
Passwords

27. How Did They Get Me?
Guessed
Password Reset
Stolen Mobile Device
Phishing
Trojans
API Exploitation
Third Party App Exploitation
Website Breach

28. What Have We Learned From
Breaches?
• Passwords Are Reused
• Passwords Are Weak
Passwords

29. OCL Hashcat

30. These and ALL the tools and
attacks only ever get bigger
better faster stronger cheaper
easier and more common.

31. Attackers can steal more than the current
passwords of the given users; they can also
lift the password histories…
Passwords

32. Password Policy
• Be at least 15 characters in length.
• Contain at least 3 of the following 4 character types:
– Uppercase letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
– Lowercase letters (abcdefghijklmnopqrstuvwxyz)
– Symbols (,./’~<?;:”[]{}|!@#$%^&*()_=-+)
– Numbers (0123456789)
• Not be similar to or contain any portion of your name or login name
• Not contain English words that are longer than 4 letters
• Not begin or end with a number
• Not be the same as any of the previous 24 passwords in the password history
• Be changed at least once every 60 days
• NOT Use a sequence of keys on the keyboard, such as QWERTY or 12345
• NOT Use information about yourself, family members, friends or pets. This includes (in
whole or in part) names, birthdates, nicknames, addresses, phone numbers
• NOT Use words associated with your occupation or hobbies
• NOT Use words associated with popular culture, such as song titles, names of sports teams,
etc.
• NOT Be reused for multiple accounts
• Must not repeat any of your last ten passwords.
• Must not have been your password in during the last ten days.
• Must not be a word in a language, slang, dialect, or jargon.
• Must not be related to personal identity, history, environment, or other personal associations.
• Must not be shared or displayed in plain view.
Passwords

33. O-|s9q[#*FjJ9k@d5tads7HJ&^4&!@&$#s(6@G
Passwords

34. people respond to policies, perversely
ZAQ!@#$
Passwords

35. Kill your P@55W0RD policies
"Much of the extra strength demanded by
the more restrictive policies is superfluous: it
causes considerable inconvenience for
negligible security improvement."
Passwords

36. All passwords must be at
least 20 characters
Passwords

37. Simple Things Make a Strong
Password
• DO Make it as _l o n g_ as you can
• Do not reuse it on multiple sites
• Do not use numb3r5 1n pl@c3 of letterz
• Some Letters – UPPER and lower case
• Use some numbers
• Maybe a something else (*%$@!-+=)
Passwords

38. Should You Change Your
Passwords Every X # of Months?
• Email?
• Bank Account?
• Network?
• Server?
• Router?
• Facebook & Twitter?
• Library Web Site?
• LISNews?
Passwords

39. Don’t Test Your Memory
Anything dependent on memory doesn’t
scale
• Use a password manager
– LastPass, KeePass[X], 1Password, Dashlane..
• Use A Pass Phrase
• Nobody – nobody – is immune from getting hacked
Passwords

40. Assume Your Password Will Be
Stolen
Passwords

41. Not A Case Of If, But When
Passwords

42. Have your accounts been
compromised?
https://haveibeenpwned.com/
Passwords

43. Passwords aren’t the only
insecure part of logging in
End of Passwords – Next - Staying Safe Online

44. Are You Using Strong Usernames /
E-mail Addresses?
These are like your passwords.
They should be properly handled and
secured!

45. “Computers”
Staying Safe Online

46. It ain’t about what’s most secure…
its about what the bad guys focus on
Staying Safe Online

47. How Do You Know If You Are
Infected?
• Fans Spinning Wildly
• Programs start unexpectedly
• Your firewall yells at you
• Odd emails FROM you
• Freezes
• Your browser behaves funny
• Sudden slowness
• Change in behavior
• Odd sounds or beeps
• Random Popups
• Unwelcome images
• Disappearing files
• Random error messages
Staying Safe Online
You Don’t

48. Malware's chief weapon is
invisibility
and surprise… and fear…

49. http://xkcd.com/1180/

51. Your antivirus software is a seat
belt – not a force field.
- Alfred Huger
Staying Safe Online

52. Research: 80% of Carberp infected
computers had antivirus software
installed

53. Which of your accounts is most
valuable?
• Email
• Bank
• Social Network
• Shopping
• Gaming
• Blogs

54. Own the Email, Own the Person

56. Use a second factor of
authentication

57. Email
• Don’t trust anything
• Don’t leave yourself logged in
• 2 Factor Authentication
• Passwords
Staying Safe Online

59. Surfing The Web

60. 90% of fully undetected malware
was delivered via web-browsing.
It took antivirus vendors 4x as
long to detect malware from web-based
applications as opposed to email
(20 days for web, 5 days for email).
paloaltonetworks.com

61. The majority of encounters
happen in the places that online
users visit the most—and think
are safe.
2013 Cisco Annual Security Report

62. Browsers
• Use Two & Keep Updated
• Know Your Settings
–Phishing & Malware Detection - Turned ON
–Software Security & Auto / Silent Patching -
Turned ON
• A Few Recommended Plugins:
–Something to Limit JavaScript
–Something to Force HTTPS
–Something to stop trackers
–Something to Block Ads
Staying Safe Online

63. Privacy Badger uBlock Origin
Disconnect

64. But The Internet Is Free Because
Of Ads...
• Malicious content is 27 times more likely to
be encountered via search engines than
counterfeit software
• Online ads were 182 times more likely to
deliver malware than an adult site
Cisco’s 2012 Annual Security Report

65. According to a just-published post from Malwarebytes, a flurry of malvertising
appeared over the weekend, almost out of the blue. It hit some of the biggest
publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com,
my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and
newsweek.com. Affected networks included those owned by Google, AppNexis,
AOL, and Rubicon. The attacks are flowing from two suspicious domains...

66. Why Block Ads?
You’re given the ability to block 3rd Party Requests and JA and selectively block other things
All this stuff is downloaded onto you computer.
When you’re not running blockers you’re letting in a TON of random and unseen things.
Saves bandwidth – Especially on Mobile
Speeds up pages and load times
Cookies and other persistent trackers that follow you around
Your searches, sites, history and other data builds a profile, your preferences are bought and sold
Malvertising through evil and hacked sites
Ads slow down performance and eat up resources
Ads Add in distractions - noises, colors, flashes blinking and beeping and flashing

67. Never Trust Public Wi-Fi
Use A VPN
Staying Safe Online

68. Social Media
• Understand and adjust your privacy
settings
• Be skeptical of everything
–especially ANYONE asking you for money
Staying Safe Online

69. Watch Your Apps
“Privacy Protection for Social Networking Platforms“
A Felt and D Evans, Web 2.0 Security & Privacy (W2SP), 2008.
Felt and Evans studied the top 150 Facebook applications and
found that 90% of them didn’t need any of the user data which
they were able to access while the other 10% were largely using personal
information for trivial things such as displaying it to the user or choosing a
horoscope. Of the 14 applications with non-trivial data use, four were
contravening Facebook’s Terms of Service.

70. Love Everyone…
Trust No One.

71. “...if you're not the customer
you're the product being
sold”
metafilter.com/95152
Staying Safe Online
Free Services Are Expensive

72. Mobile Devices - Threats
• Trojans, Viruses & Malware
• Lost and/or Stolen
• Opaque Apps Permissions
 Access To Everything
• Open Wi-Fi Networks and Public Hotspots
Staying Safe Online

74. If I took your portable right
now....
What would I have access to?
Staying Safe Online

75. Mobile Devices
1. Encrypt it
2. Password it
3. Backup it
4. Case it
5. It is not forever
Staying Safe Online

76. Carry A Safe
Not A Suitcase
Staying Safe Online – Next - Libraries

77. IoT – The Internet of Things
Small easy to forget
Small easy to multiply
Full of Vulnerabilities
Security is an afterthought
Sold and forgotten
Security degrades rapidly
Hidden accounts
Insecure defaults
Patching complicated
Updates never
Who's responsible: manufacturer or consumer?

78. I bought some awful light bulbs
so you don't have to
So, in summary: it's a device that infringes my copyright, gives you
root access in response to trivial credentials, has access control
that depends entirely on nobody ever looking at the packets, is
sufficiently poorly implemented that you can crash both it and the
bulbs, has a cloud access protocol that has no security
whatsoever and also acts as an easy mechanism for people to
circumvent your network security. This may be the single worst
device I've ever bought.
https://mjg59.dreamwidth.org/40397.html

79. I stayed in a hotel with Android
lightswitches and it was just as
bad as you'd imagine
It's basically as bad as it could be - once I'd figured out the gateway, I
could access the control systems on every floor and query other rooms to
figure out whether the lights were on or not, which strongly implies that I
could control them as well. ... hotels are happily deploying systems with
no meaningful security, and the outcome of sending a constant stream of
"Set room lights to full" and "Open curtain" commands at 3AM seems
fairly predictable.
We're doomed.
https://mjg59.dreamwidth.org/40505.htm
l

80. Shodan
https://www.shodan.io/
Shodan is the world's first search engine for
Internet-connected devices.

81. Simplicity is security.

82. Let’s Review
• We all have something worth stealing
• Surveillance Is The Business Model Of The
Internet
• Passwords
• Locking Down Computers
• Email
• Browsers
• Wi-Fi
• Social Media
• Mobile Devices

83. Let’s Review
• Use Good Passwords
• Use a Password Manager
• Never Reuse
• Use Second Factor Authentication
• Don’t Trust Links / Attachments
• Have A Really Secure Browser
• Use Routine Backups
• Limit Social Networks
• Keep Everything Patched / Updated

84. Do something to make the bad guys job harder

85. Week One: Intro
Who and How and What
Privacy & Security in general
Why this is all important
5 Basic Things
Week Two: Outrunning The Bear
Privacy
Passwords
Securing Your Devices
Web Browsers
Email
Staying Safe On-line
Week Three: Outrunning The Bear @ Your Library
Training: Thinking & Behavior
Threat Modeling
Hardware & Networks
Week Four: The Web – Sites & Servers
How websites get hacked
Web Servers and Networks
Servers in general

86. IT Security For Librarians:
Outrunning The Bear
blake.carver@lyrasis.org
Blake Carver
LYRASIS Systems Administrator