Security 4 - Safe Practices

How To Stay Safe? A pretty short list!

1. Password Safety

• Email password is especially important because of password-reset
• Don't let the bad guy guess your password
  -Don't use a weak password
• Don't re-use passwords across important sites
  -Bad guys have software to re-try found passwords across a zillion sites
• Don't type your password on some random machine in a cafe (keylogger)
   -Cheap wi-fi phones are great for this case (e.g. Nick Starbucks example)
• Do write your passwords down
• Do consider two-factor authentication for important sites (below)
•  -Not all sites are important! Hey, your time is valuable too.

2. Phishing Safety

• Avoiding the bad guy tricking you into disclosing your password
• Something is asking for your password? Look up at the browser url area
• Something is asking for your password? Look up at the browser url area
• Something is asking for your password? Look up at the browser url area (demo)
• Watch out for clever bad guy urls: weblogin.stanford.edu-xnr-xyzldlwerou.ru
• Proceed carefully with content from email or random pages with provocative "click this" content
• Or just type in "www.schwab.com" yourself in the browser instead of clicking in the email - super simple and secure practice
• Do consider two-factor, U2F specifically (below)
• Let's hope something like this catches on

The Future: Two-factor Hardware

• Passwords run into problems because of dictionary attacks and phishing
• Two-factor hardware tokens are the future
• 1. SMS to phone -- a lot better than nothing, but not great
  -problem with bad guy fooling cell provider customer service
  -still susceptible to phishing
• 2. App on phone, e.g. "TOTP token"
  -Time Based One Time Password - number that changes over time
  -a standard with many supporting apps, e.g. "Google Authenticator"
  -does not use cell-connectivity (i.e. customer-service proof)
  -still susceptible to phishing, more work for bad guy
  -need printed backup passwords in case of lost phone
• 3. U2F "universal second factor"
  -U2F
  -more advanced than TOTP
  -device does it, you don't have to copy/paste anything
  -phishing proof! not relying on user being 100% vigilant
  -usb device now, or maybe later an app on your phone
  -needs printed backup in case of lost phone

3. Malware Safety

• Avoiding the bad guy installing software on your machine
• Trojan - be wary of downloading and running an application
• Trojan - be wary of .zip file in email
   -like phishing, what domain is hosting this thing I'm downloading?
   -google the name of the site ... lots of complaints?
• Trojans are commonly sent in email, often in a .zip file
• (phone) - best to install apps from official apple/google stores only
• Vulnerability case - keep internet-facing software on auto-update to stay at the latest
• Have backups of important files
  - I use a little external hard drive

Let's stay safe out there!

Nick's Favorite Question

List all the ways you can think of that a bad guy could obtain your password.

-dictionary attack
-phishing
-malware / keylogger steals the password
 (malware first gets in as a trojan or vulnerability)
-get password from another site where the foolish victim re-used the password

More marginal ideas:
-social eng: bad guys trick you into revealing the password
-camera or shoulder surf - watch the victim type in password
-break into site, steal the password from it (not sure if this counts)