Security 4 - Safe Practices
How To Stay Safe? A pretty short list!
1. Password Safety
- Email password is especially important because of password-reset
- Don't let the bad guy guess your password
  - Don't use a weak password
- Don't re-use passwords across important sites
  - Bad guys have software to re-try found passwords across a zillion sites
- Don't type your password on some random machine in a cafe (keylogger)
  - Cheap wi-fi phones are great for this case (e.g. Nick Starbucks example)
- Do write your passwords down
- Do consider two-factor authentication for important sites (below)
  - Not all sites are important! Hey, your time is valuable too.
2. Phishing Safety
- Avoiding the bad guy tricking you into disclosing your password
- Something is asking for your password? Look up at the browser url area (demo)
- Watch out for clever bad guy urls: weblogin.stanford.edu-xnr-xyzldlwerou.ru (the real domain here is the .ru one at the end, not stanford.edu)
- Proceed carefully with content from email or random pages with provocative "click this" content
- Or just type in "www.schwab.com" yourself in the browser instead of clicking in the email - super simple and secure practice
- Do consider two-factor, U2F specifically (below)
- Let's hope something like this catches on
The Future: Two-factor Hardware
- Passwords run into problems because of dictionary attacks and phishing
- Two-factor hardware tokens are the future
- 1. SMS to phone -- a lot better than nothing, but not great
  - problem with bad guy fooling cell provider customer service
  - still susceptible to phishing
- 2. App on phone, e.g. "TOTP token"
  - Time Based One Time Password - number that changes over time
  - a standard with many supporting apps, e.g. "Google Authenticator"
  - does not use cell-connectivity (i.e. customer-service proof)
  - still susceptible to phishing, more work for bad guy
  - need printed backup passwords in case of lost phone
- 3. U2F "universal second factor"
  - more advanced than TOTP
  - device does it, you don't have to copy/paste anything
  - phishing proof! not relying on user being 100% vigilant (the device's response is bound to the real site's origin, so a look-alike site gets nothing it can use)
  - usb device now, or maybe later an app on your phone
  - needs printed backup in case of lost phone
3. Malware Safety
- Avoiding the bad guy installing software on your machine
- Trojan - be wary of downloading and running an application
  - like phishing, what domain is hosting this thing I'm downloading?
  - google the name of the site ... lots of complaints?
- Trojan - be wary of .zip file in email
  - Trojans are commonly sent in email, often in a .zip file
- (phone) - best to install apps from official apple/google stores only
- Vulnerability case - keep internet-facing software on auto-update to stay at the latest
- Have backups of important files
  - I use a little external hard drive
Let's stay safe out there!
Nick's Favorite Question
List all the ways you can think of that a bad guy could obtain your password.
- dictionary attack
- phishing
- malware / keylogger steals the password (malware first gets in as a trojan or vulnerability)
- get password from another site where the foolish victim re-used the password
More marginal ideas:
- social eng: bad guys trick you into revealing the password
- camera or shoulder surf - watch the victim type in password
- break into site, steal the password from it (not sure if this counts)