JP Bourget
Rochester Institute of Technology
Syncurity Networks
Arnold Magnetic Technologies

1NTR0 T0 WEB 2.0 SECUR1TY
Why I may be able to teach you something
• I secure networks for a living
• Wait… I secure **data** for a living – networks are a side effect of data
   • Professor – MS in Computer Security and Info Assurance
   • Business – Network Security Manager
   • Student – Security continues to evolve – I have to keep up, but I love it (especially the good vs. evil)
   • Consultant – I pen test for companies to help them identify what weaknesses they have
What is Web 2.0

• Social Networks (Facebook, Twitter, Foursquare, MySpace)
• Web based Apps (gmail/webmail, Google Docs, Mozy, Mint.com, Facebook apps, WordPress, Zillow, Last.fm, Netflix)
• Mobile – iPhone, Android
• A new paradigm in privacy, or lack of privacy (i.e. Facebook)
• A new model of trust
• (Don’t forget Web 3.0 – the intelligent web – it’s on its way – the Facebook news feed is an example of a closed intelligent web)
Web 2.0 – Let’s change our lens
• At a basic level, you interact with data
• We can call that data certain things:
   • Your Facebook or Twitter status
   • Your new film
   • Music
   • Scripts
   • Bank info (and transactions)
   • What other examples can you come up with?
What is YOUR web data exposure

• Do you have a:
   • Facebook account?
   • LinkedIn account?
   • Dropbox account?
   • Blog?
   • VPN?
   • Work related web based application? (CRM, upload site, film preview site?)
   • Script or film stored on your hard drive right now?
Scary
• The desktop security game may be over
   • We have lost
   • Your router or DSL modem can be owned by the bad guys
   • Your desktop may already be owned – do you care? Do you have the ability to detect or fix it?
   • Things are getting worse, not better
   • Blame the industry
   • Bruce Potter (Shmoo Group) says we should revisit the Trusted Computing paradigm
• Proof:
   • Banks and other secure institutions are already assuming their users are insecure
   • AV vendors are sounding the call to action (but they’ll still take your $$)
History of vulnerabilities

(Chart not preserved in this transcript.) Source: NIST Vulnerabilities Database
10 Best Practices to secure your data
10. Know what data you have – you organized your filing cabinets, why not your data?
9. Identify which data you care about
   • Depending on quantity, you may need to prioritize
   • You may need to assess what is really important to you (i.e. what is your irreplaceable data)
   • I have 3 types of data: public, private, and work
      • What is your gold?
   • Apply the other steps to your types of data based upon their attributes
8. Identify how entities that you share data with treat your data
   • Merchants
   • Banks
   • Social networking
   • What other 3rd parties do you share your data with?
7. Know your footprint – when you save data, are you aware of the tracks you leave?
   • Just because you delete data in Windows/Mac/Linux doesn’t mean that data is purged from disk (if I want it I can get it)
   • Did you share your flash drive, or put it in a computer you don’t trust?
6. Have a good firewall and have someone help you ensure it’s configured correctly
   • The AV industry is a hot mess right now – you aren’t getting what you’re paying for (but you should still have some)
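To make the point under #7 concrete (a delete removes the name, not the bytes), here is an added example that is not part of the original talk: a constructed toy disk image with a directory and a flat data area. The layout is a deliberate simplification of how real filesystems work, but the behaviour it shows is the same: an ordinary delete only drops the directory entry, and only an explicit overwrite (the `purge` method here) removes the content.

```python
"""Added example (not from the original slides): why "delete" leaves file
contents on disk, and what a purge has to do differently.

The disk layout is constructed for illustration: a directory mapping
name -> (offset, length) plus a flat byte array standing in for sectors.
"""


class ToyDisk:
    def __init__(self, size: int = 256):
        self.data = bytearray(size)   # raw "sectors"
        self.directory = {}           # name -> (offset, length)
        self.next_free = 0            # toy allocator: never reclaims space

    def write_file(self, name: str, content: bytes) -> None:
        """Store content at the next free offset and record it in the directory."""
        start = self.next_free
        if start + len(content) > len(self.data):
            raise OSError("toy disk full")
        self.data[start:start + len(content)] = content
        self.directory[name] = (start, len(content))
        self.next_free += len(content)

    def delete(self, name: str) -> None:
        """What an ordinary delete does: remove the directory entry only.
        The bytes stay in the data area until something else overwrites them."""
        del self.directory[name]

    def purge(self, name: str) -> None:
        """Secure delete: overwrite the file's region, then remove the entry."""
        start, length = self.directory[name]
        self.data[start:start + length] = b"\x00" * length
        del self.directory[name]

    def listing(self) -> list:
        """What a normal file browser would show: names in the directory."""
        return sorted(self.directory)

    def raw_contains(self, marker: bytes) -> bool:
        """Ignore the directory and look at the raw bytes, the way a
        recovery or forensic tool would. True if the content is still there."""
        return bytes(self.data).find(marker) != -1


def demo() -> tuple:
    """Returns (content still on disk after delete, content still on disk after purge)."""
    script = b"INT. OFFICE - DAY. Constructed sample script text."  # constructed

    plain = ToyDisk()
    plain.write_file("script.txt", script)
    plain.delete("script.txt")
    after_delete = plain.raw_contains(b"INT. OFFICE")   # True: bytes survive

    secure = ToyDisk()
    secure.write_file("script.txt", script)
    secure.purge("script.txt")
    after_purge = secure.raw_contains(b"INT. OFFICE")   # False: overwritten

    return after_delete, after_purge


if __name__ == "__main__":
    deleted, purged = demo()
    print("directory shows nothing after delete, but raw disk still has the data:", deleted)
    print("raw disk still has the data after purge:", purged)
```

On real hardware the overwrite step is only reliable for plain magnetic disks; flash media (SSDs, the flash drives mentioned in the slide) remap writes internally, so a file-level overwrite may leave old copies behind. Full-disk encryption from the start is the more dependable answer there.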
5. Don’t click on random links (follow the attachment rule)
   5a. Don’t use Internet Explorer (before 8) – it has inherent design flaws that will expose you or your data
   5b. Don’t install programs when you don’t know what they do or don’t need them – practice software minimalism – your CPU and RAM will thank you and you’ll have a smaller attack surface
4. Keep your computer up to date (this is hard sometimes)
   • AV/IDS/IPS
   • Java/Flash/Skype/etc.
   • Adobe – huge attack vector lately
   • Windows/Mac OS X updates
      • Most compromises happen to computers more than 1-2 months behind on updates
3. Physical Security – #s 4-10 can only do so much if I can steal your laptop – physical access is everything… that’s why data centers are so secure – if I have unchecked access to your machine, game over
2. Secure Passwords – 95% of problems start with weak passwords
   Passwords are your most effective barrier for your information

   Password Length   All Characters              Only Lowercase
   3 characters      0.86 seconds                0.02 seconds
   4 characters      1.36 minutes                0.046 seconds
   5 characters      2.15 hours                  11.9 seconds
   6 characters      8.51 days                   5.15 minutes
   7 characters      2.21 years                  2.23 hours
   8 characters      2.10 centuries              2.42 days
   9 characters      20 millennia                2.07 months
   10 characters     1,899 millennia             4.48 years
   11 characters     180,365 millennia           1.16 centuries
   12 characters     17,184,705 millennia        3.03 millennia
   13 characters     1,627,797,068 millennia     78.7 millennia
   14 characters     154,640,721,434 millennia   2,046 millennia
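The table above comes from the cited source; the relationship behind it is simply keyspace divided by guess rate. The following is an added example, not from the talk or its source, that computes that relationship for any length and character set. The guess rate (one billion guesses per second) and the character-set sizes (95 printable ASCII characters for "all characters", 26 for lowercase) are assumptions, so the figures it prints will not match the table exactly; what it does show is the shape of the table: every added character multiplies the attacker's work by the size of the character set.

```python
"""Added example (not from the original slides): brute-force time as a
function of password length and character set.

Assumptions, constructed for illustration:
  - ALL_CHARS = 95 printable ASCII characters, LOWERCASE = 26 letters.
  - ASSUMED_GUESSES_PER_SEC is an arbitrary offline-attack rate against a
    fast hash; real rates depend on the hash and the hardware.
"""

ALL_CHARS = 95
LOWERCASE = 26
ASSUMED_GUESSES_PER_SEC = 1_000_000_000

# (unit name, seconds in that unit), largest first
UNITS = [
    ("millennia", 1000 * 365.25 * 86400),
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def expected_crack_seconds(charset_size: int, length: int,
                           guesses_per_sec: int = ASSUMED_GUESSES_PER_SEC) -> float:
    """Expected time for exhaustive search: on average the attacker tries
    half the keyspace before reaching the right password."""
    return keyspace(charset_size, length) / 2 / guesses_per_sec


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:,.2f} seconds"


def length_gain(charset_size: int) -> int:
    """Work factor gained by one extra character: the keyspace ratio
    between length n+1 and length n, which is the charset size itself."""
    return keyspace(charset_size, 9) // keyspace(charset_size, 8)


def strength_table(min_len: int = 3, max_len: int = 14) -> list:
    """Rows of (length, all-characters time, lowercase-only time)."""
    return [
        (n,
         humanize(expected_crack_seconds(ALL_CHARS, n)),
         humanize(expected_crack_seconds(LOWERCASE, n)))
        for n in range(min_len, max_len + 1)
    ]


if __name__ == "__main__":
    print(f"{'Length':>6}  {'All characters':>26}  {'Only lowercase':>26}")
    for n, all_chars, lower in strength_table():
        print(f"{n:>6}  {all_chars:>26}  {lower:>26}")
    print(f"each extra lowercase char multiplies work by {length_gain(LOWERCASE)}, "
          f"each extra mixed char by {length_gain(ALL_CHARS)}")
```

The estimate only covers exhaustive search; dictionary and rule-based guessing finish far sooner against passwords built from words, which is why length alone is not enough. It also assumes an offline attack, where the attacker has the hash; an online login with rate limiting is slower by many orders of magnitude.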
1. BACKUP – If you have good backups you can
   • Have your laptop stolen
   • Have a disk failure
   • Have Windows crash
   • AND STILL HAVE YOUR DATA (but someone else may have it too)
Some More Thoughts

• What data do you share out?
• Is it what you intended?
• What does your LinkedIn profile look like?
• What happens when you Google yourself?
• What is on your laptop? Is it secured?
• Your phone?
• Your iPad?
Your iPh0ne

• Does your iPhone app transmit your credentials in plain text? (TweetDeck did this forever)
• What data do these apps store on your phone? (iPhone forensics is a hot industry)
• What do you think I can do if I have physical access to your iPhone?
• Wireless vs. 3G access
Backup Ideas

• To disk (use Time Machine, or Windows Backup)
• To the cloud (getdropbox.com, mozy.com)
• Keep a copy somewhere else – your mom’s house, at work, a safe deposit box (flip this for business)
Wireless Security

• Pay someone $20 to secure your home network if you don’t know how to
• Don’t connect to WEP networks (use WPA, or WPA2, which is even better)
• If you aren’t on a network you (or someone you know) control, don’t do anything you don’t want exposed
• Thanks for listening
• Any questions?
• You can find me:
   • jp@syncurity.net or jp.bourget@gmail.com
   • Twitter: punkrokk
   • Blog: http://www.syncurity.net
• Sources: NIST, http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/


Editor's Notes

  • #3 Data is the whole point – it’s why we use computers – we use data in many different ways: Facebook or Twitter status, selling data (LexisNexis, research, software, FILMS, MUSIC). Adjunct. Global Network – 13 networks across the Northern Hemisphere (USA, Europe, China).
  • #4 FB chat and friend requests. If you trust a friend on a social network, how many degrees of trust are you really allowing?
  • #7 Blame the industry – consumers generally don’t want to be bothered with the complexity or the abstract nature of securing their environment. What does error code AEF3424 mean? How do I tell if I have a malware infection? No good answer. So are you scared yet?