SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
2. SSL/TLS how does it work?
- Server authentication ()
- Key Exchange
- Encrypted data transfer (record protocol)
Highest SSL Version, Ciphers Supported, Data Compression Methods, Session Id = 0, Random Data
Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data, Server Certificate
(Client Certificate Request)
Server Hello Done
Indicates that further communication to server will be encrypted
Digest of all SSL handshake commands for integrity check
Indicates that further communication to client will be encrypted
Digest of all SSL handshake commands for integrity check
4. Key Exchange - RSA
Integer Prime Factorization Problem
- Ron Rivest, Adi Shamir and Leonard Adleman in 1977
- Good for signing and encryption
- Bad for key exchange
- Advance key computation
- Patent expired in 2000
7. Key Exchange – DH & DHE
Discrete Logarithm Problem (in Z_p*)
DH
Even though α, p, A and B are known to the adversary, calculating
a = log_α A mod p
is practically impossible with 'p' being a large prime number.
- Whitfield Diffie and Martin Hellman in 1976
- No long term private key involved
- DHE provides Perfect Forward Secrecy
- No secret key is exchanged
DH - Ephemeral
8. How strong is TLS?
Symmetric Algorithms
Security Level Comparison Sym/Asym Algorithms
9. Elliptic Curve Cryptography - ECC
- Discovered in 1985 by Victor Miller (IBM) and Neal Koblitz (University of Washington)
- Some implementations patented by Certicom
- Low computing power requirements
- Reduced key length and hence fast
- Use only standard NIST curves
Elliptic Curve Discrete Logarithm Problem
Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k, if k is sufficiently large.
k is the discrete logarithm of Q to the base P.
On an elliptic curve, scalar multiplication is a one-way function.
P
Q = kP
11. Example:
In the elliptic curve group defined by
y^2 = x^3 + 9x + 17 over F_23,
what is the discrete logarithm a of Q = (4,5) to the base P = (16,5)?
One (naive) way to find 'a' is to compute multiples of P until Q is found. The first few multiples of P are:
P = (16,5)    2P = (20,20)
3P = (14,14)  4P = (19,20)
5P = (13,10)  6P = (7,3)
7P = (8,7)    8P = (12,17)
9P = (4,5)
Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is a = 9.
In a real application, 'a' would be large enough such that it would be infeasible to determine 'a' in this manner.
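The table of multiples above can be reproduced with a few lines of curve arithmetic. This is an added example, not code from the slides; it goes slightly beyond the slide by also showing double-and-add, the fast direction that makes scalar multiplication a one-way function. All function names are chosen here for illustration.

```python
# Added example: arithmetic on the slide's curve y^2 = x^3 + 9x + 17 over F_23.
P_MOD, A, B = 23, 9, 17
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True if pt satisfies the curve equation (or is the identity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Group law: chord rule for distinct points, tangent rule for doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P); also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def multiples(base, count):
    """[1*base, 2*base, ..., count*base], as tabulated on the slide."""
    out, acc = [], INF
    for _ in range(count):
        acc = add(acc, base)
        out.append(acc)
    return out


def scalar_mult(k, base):
    """Double-and-add: about log2(k) group operations (the easy direction)."""
    result, addend = INF, base
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def naive_dlog(target, base):
    """Walk base, 2*base, ... until target appears; cost is linear in k."""
    k, acc = 1, base
    while acc is not INF:
        if acc == target:
            return k
        acc = add(acc, base)
        k += 1
    return None  # target is not a multiple of base


if __name__ == "__main__":
    P, Q = (16, 5), (4, 5)
    print(multiples(P, 9))
    print("a =", naive_dlog(Q, P))
```

The gap between `scalar_mult` (logarithmic in k) and `naive_dlog` (linear in k) is the asymmetry the slide relies on; on a 23-element field both are instant, which is why real curves use fields of roughly 256 bits.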
13. Cipher is
TLS_ECDHE_RSA_WITH_AES256_CBC_SHA
1. The transport layer protocol used (others: SSL)
2. Session key exchange algorithm (others: RSA, DH, DHE)
3. PKI type of the Certificate (others: DSS)
4. Symmetric algorithm used to encrypt the actual data (others: RC4, 3DES, CAMELLIA, ARIA, DES40)
5. Mode in which the symmetric algorithm operates (others: CCM, GCM)
6. Hashing algorithm for data integrity (others: MD5)
openssl s_client -showcerts -connect qualys.com:443
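The six components listed above can be pulled out of a suite name mechanically and checked against the weaknesses these slides discuss (no forward secrecy, CBC mode, RC4, MD5). This is an added example, not part of the original deck; the finding codes and function names are invented here, and the parser accepts both the slide's spelling (AES256) and the registry spelling (AES_256).

```python
# Added example: split a cipher-suite name into the slide's six components
# and flag the properties the deck itself calls out as weak.
from typing import Dict, List, NamedTuple


class Suite(NamedTuple):
    protocol: str      # 1. TLS or SSL
    key_exchange: str  # 2. ECDHE, DHE, DH, RSA, ...
    cert_type: str     # 3. RSA, DSS, ...
    cipher: str        # 4. AES256, RC4128, 3DESEDE, ...
    mode: str          # 5. CBC, GCM, CCM, or "none" for stream ciphers
    digest: str        # 6. SHA, SHA256, MD5, ...


MODES = {"CBC", "GCM", "CCM"}
FORWARD_SECRET = {"DHE", "ECDHE"}  # ephemeral exchanges (slide 14)

REASONS: Dict[str, str] = {
    "no-forward-secrecy": "key exchange is not ephemeral (DHE/ECDHE)",
    "cbc": "CBC mode: BEAST, Lucky13 and POODLE all target it",
    "rc4": "RC4 has its own known weaknesses",
    "md5": "MD5 is not collision resistant",
}


def parse_suite(name: str) -> Suite:
    head, sep, tail = name.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a <kx>_WITH_<cipher> name: {name!r}")
    left = head.split("_")
    if len(left) == 3:
        protocol, kx, cert = left
    elif len(left) == 2:          # e.g. TLS_RSA_WITH_...: RSA does both jobs
        protocol, kx = left
        cert = kx
    else:
        raise ValueError(f"unexpected prefix in {name!r}")
    right = tail.split("_")
    if len(right) < 2:
        raise ValueError(f"missing cipher or digest in {name!r}")
    body, digest = right[:-1], right[-1]
    mode = next((t for t in body if t in MODES), "none")
    cipher = "".join(t for t in body if t not in MODES)
    return Suite(protocol, kx, cert, cipher, mode, digest)


def audit(name: str) -> List[str]:
    """Return finding codes (keys of REASONS) for one suite name."""
    s = parse_suite(name)
    findings = []
    if s.key_exchange not in FORWARD_SECRET:
        findings.append("no-forward-secrecy")
    if s.mode == "CBC":
        findings.append("cbc")
    if s.cipher.startswith("RC4"):
        findings.append("rc4")
    if s.digest == "MD5":
        findings.append("md5")
    return findings


if __name__ == "__main__":
    for n in ("TLS_ECDHE_RSA_WITH_AES256_CBC_SHA",
              "TLS_RSA_WITH_RC4_128_MD5",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(n, "->", [REASONS[c] for c in audit(n)] or "no findings")
```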
14. PFS (Perfect Forward Secrecy)
- A property of secure communication protocols: a secure communication protocol is said to have forward secrecy if compromise of long-term keys (private keys) does not compromise past session keys.
- Passive cryptanalysis
- DHE (Diffie Hellman Ephemeral)
15. Signature
- Hash of something signed by private key
- Verified using public key
- Satisfies Integrity and Non-repudiation
- Hashing Algorithms
  - MD5, SHA{1,256,384}, SHA3 (Keccak)
  - Collision
16. Chain of trust
Certificate of GIA:
  Subj's DN (GIA)
  Issuer's DN (GeoTrust, CA)
  Validity, Version etc.
  Subj's PubK (GIA)
  Signature: HASH signed with GeoTrust's PrivK
Certificate of google.com:
  Subj's DN (google.com)
  Issuer's DN (GIA, CA)
  Validity, Version etc.
  Subj's PubK (google.com)
  Signature: HASH signed with GIA's PrivK
Certificate of GeoTrust:
  Subj's DN (Geotrust)
  Issuer's DN (Equifax, CA)
  Validity, Version etc.
  Subj's PubK (Geotrust)
  Signature: HASH signed with Equifax's PrivK
browser
used to securely transport PMS
Root certificate:
  Root's DN (Equifax)
  Validity, Version etc.
  Root's PubK (Equifax)
  Signature: HASH signed with Root's PrivK
18. Threats
- Crypto vulnerabilities
  - BEAST
  - CRIME
  - Lucky13
  - HeartBleed
  - Poodle
  - Drown
  - Cachebleed
- Wrong implementation
  - Never write your own crypto, use libraries.
- Lawful Intercept (LI)
- Backdoors (RSA and ECC)
- CA
- Private Key
19. Crypto Vulnerabilities
- BEAST (CVE-2011-3389) and Lucky13 (CVE-2013-0169). These are CBC vulnerabilities.
Fix:
The attack impacts TLS 1.0/SSL 3.0, but does not work for TLS versions 1.1 and 1.2. So use TLS 1.2 with AES GCM suites. But the GCM mode is new and it is an arduous job to get every security system (both at the server and the client sides) upgraded;
So instead use RC4, which is a stream cipher and hence faster and CBC/IV-free. But the bad news is that RC4 has got its own security problems (fixed string cipher entropy problem) when compared to block ciphers like AES and DSA, but that is less devastating than what CBC mode offers.
Apache
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
Nginx
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
20. Crypto Vulnerabilities
- CRIME attack (CVE-2012-4929). A vulnerability exposed by TLS compression. Exposes the site cookies to side-channel attacks.
Fix:
Disable TLS compression. Most applications, like Nginx and Apache, have directives to disable compression.
Apache
SSLCompression Off
Nginx
export OPENSSL_NO_DEFAULT_ZLIB=1
21. Crypto Vulnerabilities
- Poodle attack (CVE-2014-3566). Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC).
The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session.
Fix:
There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV.
TLS_FALLBACK_SCSV is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
22. Crypto Vulnerabilities
- Heartbleed attack (CVE-2014-0160). Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC).
The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
Fix:
There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. So affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
TLS_FALLBACK_SCSV is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
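The missing bounds check mentioned above is easiest to see on a simulated buffer. This is an added example, not OpenSSL code and not from the slides: it models a heartbeat record sitting in memory next to unrelated data (all bytes constructed here) and compares a handler that trusts the length field with one that applies the check RFC 6520 requires.

```python
# Added example: heartbeat handling with and without the length check.
# Layout per RFC 6520: type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3
MIN_PADDING = 16

# Constructed sample records.
WELL_FORMED = bytes([HB_REQUEST]) + (5).to_bytes(2, "big") + b"hello" + bytes(16)
# Claims a 64-byte payload but carries only 2 bytes of it.
MALFORMED = bytes([HB_REQUEST]) + (64).to_bytes(2, "big") + b"hi" + bytes(16)
# Stand-in for whatever lives after the record in process memory.
ADJACENT = b"[constructed secret in adjacent memory]"


def _response(payload: bytes) -> bytes:
    return (bytes([HB_RESPONSE]) + len(payload).to_bytes(2, "big")
            + payload + bytes(MIN_PADDING))


def respond_unchecked(memory: bytes, offset: int, record_len: int) -> bytes:
    """Behaviour the slide describes: payload_length is trusted as-is.

    record_len is deliberately ignored, so the copy can run past the record.
    The length field is 16 bits wide, hence the "up to 64k" figure.
    """
    claimed = int.from_bytes(memory[offset + 1:offset + 3], "big")
    start = offset + HEADER_LEN
    return _response(memory[start:start + claimed])


def respond_checked(memory: bytes, offset: int, record_len: int):
    """Hardened handler: discard silently unless the claim fits the record."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None  # too short to be a valid heartbeat at all
    claimed = int.from_bytes(memory[offset + 1:offset + 3], "big")
    if HEADER_LEN + claimed + MIN_PADDING > record_len:
        return None  # payload_length exceeds what was actually received
    if memory[offset] != HB_REQUEST:
        return None
    start = offset + HEADER_LEN
    return _response(memory[start:start + claimed])


def over_read(memory: bytes, offset: int, record_len: int) -> int:
    """Bytes the unchecked handler would copy from beyond the record."""
    claimed = int.from_bytes(memory[offset + 1:offset + 3], "big")
    end_of_copy = min(offset + HEADER_LEN + claimed, len(memory))
    return max(0, end_of_copy - (offset + record_len))


if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        mem = rec + ADJACENT
        print(name, "over-read:", over_read(mem, 0, len(rec)),
              "checked:", respond_checked(mem, 0, len(rec)))
```

For detection, the same comparison (claimed payload length against received record length) is what a network sensor can evaluate on inbound heartbeat requests.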
23. Crypto Vulnerabilities
- Drown attack (CVE-2016-0800). Secure Socket Layer (SSL) 2.0
DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption.
Fix:
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.
Apache
SSLProtocol All -SSLv2 -SSLv3
Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
24. Crypto Vulnerabilities
- CacheBleed (CVE-2016-0702).
CacheBleed is a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors. By detecting cache-bank conflicts via minute timing variations, we are able to recover information about victim processes running on the same machine. Our attack is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures). This is despite the fact that OpenSSL's RSA implementation was carefully designed to be constant time in order to protect against cache-based (and other) side-channel attacks.
Attacks target OpenSSL's implementation of RSA (both RSA decryption as well as RSA signatures). Although we have not demonstrated this, in principle our attack should be able to leak partial information about ElGamal encryption as well.
https://ssrg.nicta.com.au/projects/TS/cachebleed/
Fix:
25. Wrong Implementation
- PGP database. [Lenstra et al. 2012]
  - 2 factored RSA keys out of 700,000. Why?
- Smartcards. [2012 Chou (slides in Chinese)]
  - Taiwan Citizen Digital Certificates: smartcard certificates used for paying taxes, etc.
  - Factored 103 (out of 2.26 million)
- Mind your Ps & Qs - Nadia Heninger
- High RNG entropy is difficult to achieve
- Collect entropy more aggressively
- Natural entropy sources for true randomness
- True RNGs
- Hardware RNGs (SSL Accelerator cards) = Transducer (noise conversion) + Amplifier + A-D converter. Seeds faster cryptographic PRNGs
- Intel's Ivy Bridge Entropy Source: each Ivy Bridge die contains one hardware RNG, shared by all the cores. The RNG begins with an entropy source (ES) whose behavior is determined by unpredictable thermal noise.
Bad RNGs & Keys
26. Bruce Schneier -
“I have no idea if the NSA convinced Intel to do this (reducing the entropy to enable easy cryptanalysis) with the hardware random number generator it embedded into its CPU chips, but I do know that it could. And I was always leery of Intel strongly pushing for applications to use the output of its hardware RNG directly and not putting it through some strong software PRNG like Fortuna. And now Theodore Ts'o writes this about Linux: "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction."”
Linux PRNGs, /dev/random and /dev/urandom
https://www.random.org/
Wrong Implementation
Coders, Never Implement Your Own Crypto !!!
27. LI
☛ PIPA (Protect IP Act) May'11, SOPA (Stop Online Piracy Act) Oct'11
☛ What about Edward Snowden & PRISM?
☛ All major players like Google, Facebook, Yahoo, Twitter etc.
☛ Lavabit and Silent Mail?
28. CA Threats
Recent Incidents (in last 4 years):
- Comodo - hacker issued bad certs
- Diginotar - hacker issued bad certs for MITM
- Trustwave - issued sub CA to customer for MITM
- Turktrust - issued sub CA by mistake, used for MITM
- Man-In-The-Middle and CA private key compromises leading to change in certificate
- Require systems to detect a change in the certificate during the SSL handshake.
29. Solutions and Experiments
- HPKP (HTTP Public Key Extension)
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04
An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.
- TACK (Trust Assertions for Certificate Keys)
http://tack.io/draft.html
The server sends its “tack” through a TLS Extension.
Once a client has seen the same (hostname, TSK) pair multiple times, the client will "activate" a pin between the hostname and TSK for a period equal to the length of time the pair has been observed for.
The client pins to a server-chosen signing key, known as a "TACK signing key" or "TSK", which signs the server's TLS keys.
Certificate Pinning
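The TACK activation rule above (a pin stays active for as long as the pair has already been observed) can be modelled in a few lines. This is an added, simplified sketch and not the TACK reference implementation: the class, its method names and the return strings are invented here, TSKs are represented as opaque strings, and signature verification of the tack itself is out of scope.

```python
# Added example: client-side pin store following the activation rule on the
# slide. Times are plain seconds; hostnames and TSK values are constructed.
from typing import Dict, Optional

DAY = 86400


class PinStore:
    def __init__(self) -> None:
        # hostname -> {"tsk": str, "first_seen": int, "active_until": int}
        self._pins: Dict[str, dict] = {}

    def active_until(self, hostname: str) -> Optional[int]:
        pin = self._pins.get(hostname)
        return pin["active_until"] if pin else None

    def observe(self, hostname: str, tsk: str, now: int) -> str:
        """Record one handshake and decide whether to accept the key.

        Returns "new", "match", "replaced" or "rejected".
        """
        pin = self._pins.get(hostname)
        if pin is None:
            # First sighting: remembered, but not yet an active pin.
            self._pins[hostname] = {
                "tsk": tsk, "first_seen": now, "active_until": now}
            return "new"
        if pin["tsk"] == tsk:
            # Same pair seen again: active for as long as it has been observed.
            pin["active_until"] = now + (now - pin["first_seen"])
            return "match"
        if now < pin["active_until"]:
            # A different signing key while the pin is active: the change in
            # key material that slide 28 says clients must detect.
            return "rejected"
        # Pin has lapsed, so the new key starts its own observation period.
        self._pins[hostname] = {
            "tsk": tsk, "first_seen": now, "active_until": now}
        return "replaced"


if __name__ == "__main__":
    store = PinStore()
    print(store.observe("shop.example.test", "TSK-A", 0))          # new
    print(store.observe("shop.example.test", "TSK-A", 10 * DAY))   # match
    print(store.observe("shop.example.test", "TSK-B", 15 * DAY))   # rejected
    print(store.observe("shop.example.test", "TSK-B", 25 * DAY))   # replaced
```

A single sighting never activates a pin in this model, which is why a key seen once can be replaced immediately while one seen over ten days is protected for ten more.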
30. Convergence.io et al.
- An agile, distributed, and secure strategy for replacing Certificate Authorities
- Firefox add-on, once activated, replaces the entire CA infrastructure
- User initiated
- No more self signed certificate warnings
- Privacy with bounce notaries
Replacing CA
32. However, it is up to you too…
- Watch yourself in the cyber mirror
- Be careful while you show up and show off in the social networking spree.
- Investigate the exposure
- Surprises from unverified sources (lottery, dead bank account, job offers etc.)
- Electronic Frontier Foundation (https://www.eff.org)