An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet, on computers, and on any other type of device with an IP address: IoT (the Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training, and other things relevant to people in libraries, librarians and anyone else who works in a library. There's a focus on practical ways to secure yourself, your browsers and other things, and also some discussion of privacy.
An Introduction To IT Security And Privacy In Libraries & Anywhere
1. IT Security For Librarians:
Outrunning The Bear
Blake Carver
LYRASIS Systems Administrator
2. Week One: Intro
Who and How and What
Privacy & Security in general
Why this is all important
5 Basic Things
Week Two: Outrunning The Bear
Privacy
Passwords
Securing Your Devices
Web Browsers
Email
Staying Safe On-line
Week Three: Outrunning The Bear @ Your Library
Training: Thinking & Behavior
Threat Modeling
Hardware & Networks
Week Four: The Web – Sites & Servers
How websites get hacked
Web Servers and Networks
Servers in general
3. Everything You Need To Know
• Passwords: L E N G T H
• Paranoia: Think Before You Click
• BackuPs: Frequent and Automatic
• Patches: Set to Auto
• Ponder Before Posting
Intro
4. Quick Review
All software can be exploited.
Obscurity is not always security.
Everything is worth something.
Worry about likely attacks.
Security isn’t Either / Or.
Being a bad guy is a full time job.
Surveillance Is The Business Model Of The Internet.
7. 'Silent Listeners'
“They” are out there collecting shared
personal information that oftentimes, users
are completely unaware they’re sharing.
Privacy
9. When it comes to Privacy...
Librarians are different.
Privacy
10. Good Security Means Better Privacy
Don’t be the place that gave away your
patrons personal information. Once it’s out
there you can’t get it back.
Privacy
11. There Is Value To Privacy
Privacy Troubles Are Small & Incremental
Privacy
12. The Data We Leave Behind Is
Our Digital Foot Prints
Privacy
13. "Getting your privacy back is like getting your virginity back," Jim Reavis, Executive Director of the non-profit Cloud Security Alliance
Privacy
14. • We don’t know how our information is used,
stored or shared and for how long
• We don’t know who has access
• We don’t know if it’s safe
Privacy
15. On the InterWebs, the
companies entrusted to keep
our personal data safe are
invariably the ones who have
the most to gain from not doing
so.
Robert X. Cringely
Privacy
16. Nearly every privacy policy on
the Web starts with the phrase
"we value your privacy," but
almost none of them actually
mean it.
Robert X. Cringely
Privacy
18. “Not having a [company name] account does not
mean that they have no information about you. It’s
more like you don’t have a password to access your
data.”
https://www.martinruenz.de/article/data-privacy/2016/02/14/the-dark-side-of-big-data.html
19. What About Your ISP?
So Many Footprints
All HTTP Traffic
All HTTPS Domains/Sites Via DNS
All Those "Things"
Phone Carriers & Apps?
20. What Can We Do?
Awareness & Education
Decentralize
FOSS and Self Hosting
21. • Are there new social norms now?
• Are people okay with less privacy?
• Should this make any difference to your library
policies?
Privacy
30. These and ALL the tools and attacks only ever get bigger, better, faster, stronger, cheaper, easier and more common.
31. Attackers can steal more than the current
passwords of the given users; they can also
lift the password histories…
Passwords
32. Password Policy
• Be at least 15 characters in length.
• Contain at least 3 of the following 4 character types:
– Uppercase letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
– Lowercase letters (abcdefghijklmnopqrstuvwxyz)
– Symbols (,./’~<?;:”[]{}|!@#$%^&*()_=-+)
– Numbers (0123456789)
• Not be similar to or contain any portion of your name or login name
• Not contain English words that are longer than 4 letters
• Not begin or end with a number
• Not be the same as any of the previous 24 passwords in the password history
• Be changed at least once every 60 days
• NOT Use a sequence of keys on the keyboard, such as QWERTY or 12345
• NOT Use information about yourself, family members, friends or pets. This includes (in
whole or in part) names, birthdates, nicknames, addresses, phone numbers
• NOT Use words associated with your occupation or hobbies
• NOT Use words associated with popular culture, such as song titles, names of sports teams,
etc.
• NOT Be reused for multiple accounts
• Must not repeat any of your last ten passwords.
• Must not have been your password during the last ten days.
• Must not be a word in a language, slang, dialect, or jargon.
• Must not be related to personal identity, history, environment, or other personal associations.
• Must not be shared or displayed in plain view.
Passwords
35. Kill your P@55W0RD policies
"Much of the extra strength demanded by
the more restrictive policies is superfluous: it
causes considerable inconvenience for
negligible security improvement."
Passwords
37. Simple Things Make a Strong
Password
• DO Make it as _l o n g_ as you can
• Do not reuse it on multiple sites
• Do not use numb3r5 1n pl@c3 of letterz
• Some Letters – UPPER and lower case
• Use some numbers
• Maybe a something else (*%$@!-+=)
Passwords
38. Should You Change Your
Passwords Every X # of Months?
• Email?
• Bank Account?
• Network?
• Server?
• Router?
• Facebook & Twitter?
• Library Web Site?
• LISNews?
Passwords
39. Don’t Test Your Memory
Anything dependent on memory doesn’t
scale
• Use a password manager
– LastPass, KeePass[X], 1Password, Dashlane..
• Use A Pass Phrase
• Nobody – nobody – is immune from getting hacked
Passwords
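The two slides above make the case in words: length beats character-class rules, and "numb3r5 1n pl@c3 of letterz" buys nothing because cracking tools undo those substitutions automatically. The following is an added example, not from the deck or from LYRASIS, that puts numbers on both claims and generates a passphrase the way a password manager would. The word list and mini dictionary are constructed for the demo; the entropy figures assume characters or words chosen uniformly at random, which is exactly what humans do not do, hence the dictionary check.

```python
import math
import secrets
from typing import Dict, Sequence

# Constructed 32-word list for the demo (5 bits per word). A real Diceware-style
# list has 7776 words, about 12.9 bits per word.
WORDLIST: Sequence[str] = (
    "anchor bamboo canvas dune ember fossil glacier harbor island juniper "
    "kettle lantern marble nectar orbit pebble quartz ripple saddle timber "
    "umbrella velvet walnut xenon yonder zephyr basil cobalt dahlia falcon "
    "garnet hazel"
).split()

# Constructed stand-in for the multi-million-word lists fed to cracking tools.
DICTIONARY = {"password", "library", "summer", "welcome", "letmein"}

# A handful of the character substitutions ("leet" rules) crackers reverse
# automatically, so P@55w0rd is tried as a variant of "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "5": "s", "$": "s", "7": "t"})


def leet_normalize(pw: str) -> str:
    """Undo common substitutions and case, as a cracking rule set would."""
    return pw.translate(LEET).lower()


def is_mangled_dictionary_word(pw: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word with substitutions applied."""
    return leet_normalize(pw) in dictionary


def alphabet_size(pw: str) -> int:
    """Size of the character set a random password of this shape draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33      # printable ASCII punctuation
    return size


def bits_random_password(length: int, alphabet: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def bits_passphrase(n_words: int, wordlist_size: int) -> float:
    """Entropy of `n_words` drawn uniformly from a list of `wordlist_size`."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 6, wordlist: Sequence[str] = WORDLIST,
                        sep: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_policies() -> Dict[str, float]:
    """Entropy in bits for typical policy shapes; larger is harder to guess."""
    return {
        "8 chars, 4 classes (94 symbols)": bits_random_password(8, 94),
        "12 chars, 4 classes": bits_random_password(12, 94),
        "16 lowercase letters": bits_random_password(16, 26),
        "20 lowercase letters": bits_random_password(20, 26),
        "6 Diceware words (7776-word list)": bits_passphrase(6, 7776),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{bits:5.1f} bits  {policy}")
    print("P@55w0rd is a dictionary word:", is_mangled_dictionary_word("P@55w0rd"))
    print("example passphrase:", generate_passphrase())
```

Read the output against the 15-character, 3-of-4-classes, change-every-60-days policy on the earlier slide: sixteen random lowercase letters outscore eight characters from all four classes by more than twenty bits, and a six-word passphrase from a full-size list does better still while being far easier to remember.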
46. It ain't about what's most secure…
it's about what the bad guys focus on
Staying Safe Online
47. How Do You Know If You Are
Infected?
• Fans Spinning Wildly
• Programs start unexpectedly
• Your firewall yells at you
• Odd emails FROM you
• Freezes
• Your browser behaves funny
• Sudden slowness
• Change in behavior
• Odd sounds or beeps
• Random Popups
• Unwelcome images
• Disappearing files
• Random error messages
You Don't
Staying Safe Online
60. 90% of fully undetected malware
was delivered via web-browsing.
It took antivirus vendors 4x as
long to detect malware from web-based
applications as opposed to email
(20 days for web, 5 days for email).
paloaltonetworks.com
61. The majority of encounters
happen in the places that online
users visit the most—and think
are safe.
2013 Cisco Annual Security Report
62. Browsers
• Use Two & Keep Updated
• Know Your Settings
–Phishing & Malware Detection - Turned ON
–Software Security & Auto / Silent Patching -
Turned ON
• A Few Recommended Plugins:
–Something to Limit JavaScript
–Something to Force HTTPS
–Something to stop trackers
–Something to Block Ads
Staying Safe Online
64. But The Internet Is Free Because
Of Ads...
• Malicious content is 27 times more likely to
be encountered via search engines than
counterfeit software
• Online ads were 182 times more likely to
deliver malware than an adult site
Cisco’s 2012 Annual Security Report
65. According to a just-published post from Malwarebytes, a flurry of malvertising
appeared over the weekend, almost out of the blue. It hit some of the biggest
publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com,
my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and
newsweek.com. Affected networks included those owned by Google, AppNexis,
AOL, and Rubicon. The attacks are flowing from two suspicious domains...
66. Why Block Ads?
• Blockers give you the ability to block 3rd-party requests and JS, and to selectively block other things
• All this stuff is downloaded onto your computer; when you're not running blockers you're letting in a TON of random and unseen things
• Saves bandwidth, especially on mobile
• Speeds up pages and load times
• Cookies and other persistent trackers that follow you around
• Your searches, sites, history and other data build a profile; your preferences are bought and sold
• Malvertising through evil and hacked sites
• Ads slow down performance and eat up resources
• Ads add in distractions: noises, colors, flashes, blinking and beeping
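"Random and unseen things" is easy to say and hard to picture. The following added example, not from the deck or from LYRASIS, does what a tracker blocker does at load time: it walks a page's HTML, collects every resource the browser would fetch automatically (scripts, images, frames, stylesheets, media) and groups the ones served from a site other than the page's own. The page and its URL are constructed for the demo (a fictional library catalogue), and the site-matching helper is a deliberate approximation noted in the code.

```python
from collections import defaultdict
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Constructed sample page and URL for a fictional library catalogue.
PAGE_URL = "https://www.example-library.org/catalog/search"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-library.org/app.js"></script>
<script src="https://cdn.adnetwork.example/ads.js"></script>
<script src="//analytics.tracker.example/t.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="https://pixel.tracker.example/p.gif?uid=123" width="1" height="1">
<iframe src="https://ads.adnetwork.example/frame?slot=1"></iframe>
<a href="https://www.otherlibrary.example/">a link is not auto-loaded</a>
</body></html>
"""

# Elements whose URL attribute the browser fetches without the user clicking.
AUTO_LOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "embed": "src", "source": "src", "video": "src", "audio": "src"}


def registrable_domain(host: str) -> str:
    """Approximate the 'site' as the last two labels (example-library.org).
    Fine for the demo; real tooling uses the Public Suffix List, since this
    guess is wrong for names like example.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Record (tag, absolute URL) for every auto-loaded resource."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.resources: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves "/path" and "//host/path" against the page URL
                self.resources.append((tag, urljoin(self.page_url, value)))


def collect_resources(page_url: str, html: str) -> List[Tuple[str, str]]:
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return collector.resources


def third_party_report(page_url: str, html: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each third-party site to the resources it serves into this page."""
    own_site = registrable_domain(urlparse(page_url).hostname or "")
    report: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for tag, url in collect_resources(page_url, html):
        site = registrable_domain(urlparse(url).hostname or "")
        if site != own_site:
            report[site].append((tag, url))
    return dict(report)


if __name__ == "__main__":
    for site, items in third_party_report(PAGE_URL, SAMPLE_HTML).items():
        print(site)
        for tag, url in items:
            print(f"  <{tag}> {url}")
```

Even on this tiny page, four of seven automatic fetches go to two sites the patron never typed, and one of them is a 1x1 pixel carrying an identifier. Run the same logic over a real catalogue page and the count is usually in the dozens; that is what a blocker's "blocked" counter is reporting.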
68. Social Media
• Understand and adjust your privacy
settings
• Be skeptical of everything
–especially ANYONE asking you for money
Staying Safe Online
69. Watch Your Apps
“Privacy Protection for Social Networking Platforms“
A Felt and D Evans, Web 2.0 Security & Privacy (W2SP), 2008.
Felt and Evans studied the top 150 Facebook applications and
found that 90% of them didn’t need any of the user data which
they were able to access while the other 10% were largely using personal
information for trivial things such as displaying it to the user or choosing a
horoscope. Of the 14 applications with non-trivial data use, four were
contravening Facebook’s Terms of Service.
71. “...if you're not the customer
you're the product being
sold”
metafilter.com/95152
Staying Safe Online
Free Services Are Expensive
72. Mobile Devices - Threats
• Trojans, Viruses & Malware
• Lost and/or Stolen
• Opaque Apps Permissions
Access To Everything
• Open Wi-Fi Networks and Public Hotspots
Staying Safe Online
74. If I took your portable right
now....
What would I have access to?
Staying Safe Online
75. Mobile Devices
1. Encrypt it
2. Password it
3. Backup it
4. Case it
5. It is not forever
Staying Safe Online
76. Carry A Safe
Not A Suitcase
Staying Safe Online – Next - Libraries
77. IoT – The Internet of Things
Small easy to forget
Small easy to multiply
Full of Vulnerabilities
Security is an afterthought
Sold and forgotten
Security degrades rapidly
Hidden accounts
Insecure defaults
Patching complicated
Updates never
Who's responsible: manufacturer or consumer?
78. I bought some awful light bulbs
so you don't have to
So, in summary: it's a device that infringes my copyright, gives you
root access in response to trivial credentials, has access control
that depends entirely on nobody ever looking at the packets, is
sufficiently poorly implemented that you can crash both it and the
bulbs, has a cloud access protocol that has no security
whatsoever and also acts as an easy mechanism for people to
circumvent your network security. This may be the single worst
device I've ever bought.
https://mjg59.dreamwidth.org/40397.html
79. I stayed in a hotel with Android
lightswitches and it was just as
bad as you'd imagine
It's basically as bad as it could be - once I'd figured out the gateway, I
could access the control systems on every floor and query other rooms to
figure out whether the lights were on or not, which strongly implies that I
could control them as well. ... hotels are happily deploying systems with
no meaningful security, and the outcome of sending a constant stream of
"Set room lights to full" and "Open curtain" commands at 3AM seems
fairly predictable.
We're doomed.
https://mjg59.dreamwidth.org/40505.html
82. Let’s Review
• We all have something worth stealing
• Surveillance Is The Business Model Of The
Internet
• Passwords
• Locking Down Computers
• Email
• Browsers
• Wi-Fi
• Social Media
• Mobile Devices
83. Let’s Review
• Use Good Passwords
• Use a Password Manager
• Never Reuse
• Use Second Factor Authentication
• Don’t Trust Links / Attachments
• Have A Really Secure Browser
• Use Routine Backups
• Limit Social Networks
• Keep Everything Patched / Updated
86. IT Security For Librarians:
Outrunning The Bear
blake.carver@lyrasis.org
Blake Carver
LYRASIS Systems Administrator
Editor's Notes
http://www.securityweek.com/surveillance-business-model-internet-bruce-schneier
I sure quote Schneier often