SECURE COMMUNICATION
For activists and privacy conscious users
11-Feb-16
https://www.cudeso.be
Goal
•  Defend yourself and your friends from surveillance
•  Use secure technology
•  Apply best practices
•  Use common sense
•  Based on EFF – Surveillance Self Defense
•  https://ssd.eff.org/
11-Feb-16
Secure Communication 2
Threat Modeling
•  What do you want to protect?
•  Assets, your data (e-mails, messages, files)
•  Who do you want to protect it from?
•  Who is your adversary? Their capabilities.
•  How likely is it that you will need to protect it?
•  Likelihood of unauthorized access to your data: the risk
•  How bad are the consequences if you fail?
•  What is the possible damage? Financial loss? Reputational loss?
•  How much trouble are you willing to go through in order to try to prevent those?
•  Threat = a bad thing that can happen
•  Risk = a likelihood that an incident will occur
Don’t get paranoid
•  Risk analysis based on risk and capabilities is
•  Personal
•  Subjective
•  Your threat actor might be the only threat actor
•  You might be one of many subjects
•  High numbers of subjects decrease the likelihood that you become a victim
•  Every threat actor has limited capabilities
•  Risk of tunnel vision
•  Technology is only the tool. Your brain is the strongest lock.
Best practices
•  Secure your computer and devices
•  Protect your computer with a password
•  Require a password when the computer starts or is locked
•  Do not use “auto-login”
•  Protect your mobile phone with a PIN code or ideally a password
•  Have your mobile phone set to use encrypted local storage
•  This raises the bar for someone else to get easy access to your data: it requires the attacker to have at least minimal computer skills to read your personal information
Best practices
•  Use strong and long passwords, better use passphrases
•  Not only for your computer but for all your accounts
•  Ideally use a password vault with a strong master password
•  LastPass, Dashlane
•  Different passwords/passphrases for different accounts
•  If supported, use two-factor authentication
•  Extra protection with a code sent via SMS
•  Demo password strength test https://howsecureismypassword.net/
•  Use more than 10 characters, include numbers, and make it hard to guess
•  Do not use "Password", the name of your mother or the town where you live
Best practices
•  “Password reset questions” on sites
•  Can be tiresome
•  Use questions and answers that only you know
•  Even better: store the questions and answers in a password vault
•  Use full disk encryption
•  Different levels of protection, depending on your adversary
•  Some systems are flawed
•  Make sure you have backups of your data
•  Encrypted backups or not?
Container encryption - TrueCrypt
•  Original developers stopped support
•  Still available for download from other sites
•  If you’re really concerned about the download, check the hashes
•  https://truecrypt.ch/downloads/
•  https://www.grc.com/misc/truecrypt/truecrypt.htm
•  TrueCrypt containers are just “files”, they can be moved to other devices
•  For example copy the TrueCrypt container to an external drive
•  Share the password for unlocking via other secure channels
•  Copy files from your “normal” drive to TrueCrypt
Container encryption - TrueCrypt
•  Tutorial at: http://andryou.com/truecrypt/docs/tutorial.php
Container encryption - TrueCrypt
•  Workflow
•  Select TrueCrypt file
•  Select a mount slot
•  Click Mount
•  Enter password
File encryption - GPG
•  GPG: digital signatures and encryption
•  https://www.gnupg.org/
•  Requires more technical knowledge
•  http://ubuntuforums.org/showthread.php?t=680292
•  Made more accessible via Keybase
•  https://keybase.io/
•  Ideal for encrypting one file and then sending it over an “unsafe” communication channel
•  Protect your master-key!
•  Store the revocation certificate in a safe place
•  Don’t lock yourself out
Best practices
•  Use different browsers
•  Firefox, Chrome, Safari, Opera, Internet Explorer
•  Avoid Internet Explorer if possible
•  Closely tied to the operating system
•  One browser only for “personal” things
•  1 for online banking and e-mail
•  1 for information gathering
•  1 for random browsing
•  Use “Private” browsing
•  No cookies
•  No history
•  Forensic research on your computer can still disclose your browsing history
Best practices
•  Always type in the URL, do not click on a link
•  When you enter usernames and passwords, make sure the website is secured - HTTPS
•  Log out of a website (e-mail, Facebook) once you no longer need it
•  This prevents tracking
•  Use disposable e-mail for subscriptions or one-time-only messages
•  https://www.guerrillamail.com/
•  This is not “encryption”
Guerillamail
Best practices
•  Use an up-to-date system
•  All the Windows and Apple patches
•  Use automatic updates
•  Do not use Windows XP, Vista or old versions of Apple OSX
•  Any protection mechanism or encryption is useless when remote intrusion into your computer is child’s play
•  Avoid Acrobat Reader and Microsoft Office documents
•  Lots of vulnerabilities
•  Loads external resources
•  Avoid Flash
•  Do not use Java on your machine
Best practices
•  Use a system firewall
•  Built in on both Windows and Apple
•  Use a virus scanner
•  Make sure it is still active and receives the new updates
•  The quality of free virus scanners is good; there is no real quality difference with commercial (paid) virus scanners
Best practices
•  Enable the option for “remote wipe” of your telephone or tablet
•  Automatically when a wrong PIN is entered more than x times
•  From remote when your device is lost
Best practices
•  Limit the use of location services, enable them only for the applications that need them
•  Disable location sharing by default
Common sense
•  Do not connect to random wireless networks
•  Only connect to trusted networks, networks that you know
•  Protect your wireless network at home with a password
•  Do not let anyone else use your computer or telephone unattended
•  Never leave your device unlocked
•  Shoulder surfing
•  Someone looking over your shoulder while you enter your password
•  Access your online accounts from trusted sources
•  Logging in to your e-mail or Facebook from a “friend’s computer” is not always a good idea; it depends on the trust you have in that friend
Common sense
•  Be careful with attachments that you did not request
•  Word documents, PDF files, …
•  Even if it comes from a “trusted” contact
•  Mails can be easily spoofed (“pretending” to come from someone)
•  If it comes from a trusted contact, ask that contact for clarification
•  Do not use the same transport (e-mail) for clarification; use telephone or messaging
•  Do not install software from a popup or similar. Always make sure you started the install yourself (and not by clicking on a link)
Social media
•  Social media
•  Do you really need to have your picture there?
•  Why would you need tagging?
•  Be aware of geo-location
•  No need to include all the location details
•  One-on-one does not exist in social media
•  It is a broadcast to everyone
•  A message (almost) never goes away
•  Your data belongs to the net forever
•  “Right to be forgotten” (ref. Google)
•  Other sites copy the content and do not comply with the request for deletion of data
Tor network – surf anonymously
•  Software to browse the Internet anonymously
•  A “normal” network packet: sender + destination
•  The path to the destination is more or less pre-defined and (almost) fixed
•  A “tor” network packet: the packet is wrapped in multiple layers
•  The path to the destination is not pre-defined and changes
[Diagram: normal path client → server, versus Tor path client → router 1 → router 2 → server]
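The “packet wrapped in multiple layers” idea from this slide, modelled as an added Python example (it is not from the slides and not Tor’s code): the client wraps one layer per relay, each relay strips exactly one layer and learns only its previous and next hop, and the real destination is visible only to the last relay. The XOR keystream, relay names and payload are constructed stand-ins, not Tor’s actual cryptography.

```python
# Toy onion-layering model (added example, not Tor's protocol or code).
# Each relay shares a key with the client and can strip exactly one layer.
# The cipher is a stand-in: SHA-256 in counter mode as an XOR keystream.
import hashlib
import os

SEP = b"\x00"  # separates the next-hop name from the rest of a layer


def keystream(key: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from a per-hop key (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Wrap `payload` in one layer per relay in `path` (list of (name, key)).

    The innermost layer names the real destination; every outer layer only
    names the next relay, so a relay sees its neighbours and nothing else.
    """
    blob = payload
    next_hop = destination
    for name, key in reversed(path):
        blob = xor_crypt(key, next_hop.encode() + SEP + blob)
        next_hop = name
    return blob


def peel_layer(key: bytes, blob: bytes):
    """What one relay does: strip its layer, read the next hop, forward the rest."""
    plain = xor_crypt(key, blob)
    next_hop, _, rest = plain.partition(SEP)
    return next_hop.decode(), rest


def route(path, destination: str, payload: bytes):
    """Simulate the circuit client -> relays -> destination.

    Returns (payload delivered at the destination, per-relay view), where the
    view records only what each relay could observe: its previous and next hop.
    """
    keys = dict(path)
    blob = build_onion(path, destination, payload)
    previous, hop = "client", path[0][0]
    views = []
    while hop in keys:
        next_hop, blob = peel_layer(keys[hop], blob)
        views.append((hop, previous, next_hop))
        previous, hop = hop, next_hop
    assert hop == destination, "onion did not end at the intended destination"
    return blob, views


def demo():
    # Constructed circuit matching the slide: client -> router 1 -> router 2 -> server.
    # Keys are random per circuit, as the slide says the path changes each time.
    path = [("router 1", os.urandom(32)), ("router 2", os.urandom(32))]
    return route(path, "server", b"GET / HTTP/1.1")


if __name__ == "__main__":
    delivered, views = demo()
    print("server received:", delivered)
    for relay, prev, nxt in views:
        print(f"{relay}: packet came from {prev!r}, forwarded to {nxt!r}")
```

Note that no single relay in the trace sees both "client" and "server"; that separation, not the toy cipher, is the property the slide is describing.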
Tor network
•  Volunteer driven
•  Can be slower
•  Some destinations block connections from Tor
•  “Deep” web / “Dark” web
•  Sites can also be “hosted” on Tor
•  Only reachable via Tor
•  Criminals also want to surf anonymously
•  Police doesn’t like it
•  Silk Road one of the most known Tor sites
•  Drugs, weapons
•  Merely using Tor can be a sign for law enforcement to get more interested
Tor network
•  Use the pre-packaged software
•  https://www.torproject.org/download/download-easy.html.en
•  Best practices still apply
•  Do not install extra “browser-plugins”
•  Always use HTTPS
•  Do not submit personal details on websites
•  Do not open / download documents when online
•  Some documents (PDF, Word) open “extra” files via the Internet
•  This happens “outside” Tor and discloses your normal Internet connection
Tails
•  “Computer from a USB stick”
•  Focused on privacy and anonymity
•  https://tails.boum.org/
Signal - Secure phone & messages
•  Signal, by Open Whisper Systems
•  Encrypted
•  Secure phone conversations
•  Secure text messages
•  Requires Internet connection
•  https://whispersystems.org/
•  Only install from App Store or Google Play
•  As always, best practices apply
•  Lock your device
•  Protect it with a PIN code
•  Do not use it with untrusted partners
Signal
Secure e-mail
•  Use IMAPS
•  Use Authenticated SMTP and do not use POP
•  If you are really paranoid you should not use e-mail
•  If your browser or computer has been hacked then “secure” e-mail will not protect you
•  Keep a sane Inbox
•  Delete mails, including the “Sent” mails
•  Empty the deleted e-mails
•  Trust (?) your provider not to store the deleted / purged e-mails somewhere else
ProtonMail
•  Built by students from MIT and people from CERN
•  Based in Switzerland, strong privacy laws
•  https://protonmail.com/
•  myuser@protonmail.com
•  Future myuser@yourdomain.com
•  For privacy conscious users
•  Free
•  Huge success; the “waiting list” can take multiple days
•  Get immediate access with donations
•  17 EUR (basic) to 73 EUR (Mobile + 1GB)
•  500MB storage
•  1000 messages per month
ProtonMail
•  Two passwords
•  One to access your account
•  One to decrypt your mailbox
ProtonMail
•  Send mail to users not using ProtonMail
•  Use a one-time password
•  The message will expire after a while
Tutanota
•  Alternative to Protonmail
•  https://tutanota.com/
•  No waiting list
•  Germany based
•  1GB storage
•  No aliases
•  Free for non commercial use
•  Use your own domain with the Premium version
Tutanota
Tutanota
•  Send e-mails to users not using Tutanota with a shared password
Take-aways
•  Do not get paranoid
•  Use common sense
•  Use secure websites (HTTPS) for personal data
•  Also for e-mail (IMAPS + Authenticated SMTP)
•  Do not open documents from untrusted sources
•  Set strong passwords
•  Do not use untrusted networks and devices
•  Lock devices with passwords and PINs
•  Remote wipe, and wipe after too many unsuccessful PIN attempts
•  Keep your systems up to date
•  Operating system and applications
•  Use firewall and anti-virus
Take-aways - tools
•  For disposable messages / mail
•  https://www.guerrillamail.com/
•  Secure phone and messages
•  https://whispersystems.org/
•  Tor: surf anonymously
•  https://www.torproject.org/download/download-easy.html.en
•  Private e-mail with ProtonMail or Tutanota
•  https://protonmail.com
•  https://tutanota.com/
•  TrueCrypt
•  https://truecrypt.ch/downloads/
Contact
•  Use common sense
•  Be vigilant but don’t get paranoid
•  Contact
•  https://www.vanimpe.eu
•  https://www.cudeso.be
•  @cudeso

1. SECURE COMMUNICATION
For activists and privacy conscious users
11-Feb-16
https://www.cudeso.be

2. Goal
•  Defend yourself and your friends from surveillance
•  Use secure technology
•  Apply best practices
•  Use common sense
•  Based on EFF – Surveillance Self Defense
•  https://ssd.eff.org/

3. Threat Modeling
•  What do you want to protect?
•  Assets, your data (e-mails, messages, files)
•  Who do you want to protect it from?
•  Who is your adversary? Their capabilities.
•  How likely is it that you will need to protect it?
•  Likelihood of unauthorized access to your data. The risk
•  How bad are the consequences if you fail?
•  What is the possible damage? Financial loss? Reputational loss?
•  How much trouble are you willing to go through in order to try to prevent those?
•  Threat = a bad thing that can happen
•  Risk = the likelihood that an incident will occur

4. Don’t get paranoid
•  Risk analysis based on risk and capabilities is
•  Personal
•  Subjective
•  Your threat actor might be the only threat actor
•  You might be one of many subjects
•  High numbers of subjects decrease the likelihood that you become a victim
•  Every threat actor has limited capabilities
•  Risk of tunnel vision
•  Technology is only the tool. Your brain is the strongest lock.

5. Best practices
•  Secure your computer and devices
•  Protect your computer with a password
•  Require a password when the computer starts or is locked
•  Do not use “auto-login”
•  Protect your mobile phone with a PIN code or ideally a password
•  Have your mobile phone set to use encrypted local storage
•  You raise the bar for someone else to get easy access to your data. It requires the attacker to have at least minimal computer skills to read your personal information

6. Best practices
•  Use strong and long passwords, better use passphrases
•  Not only for your computer but for all your accounts
•  Ideally use a password vault with a strong master password
•  LastPass, Dashlane
•  Different passwords/passphrases for different accounts
•  If supported, use 2 factor authentication
•  Extra protection with a code via an SMS
•  Demo password strength test https://howsecureismypassword.net/
•  Use more than 10 characters with numbers and not easy to guess
•  Do not use Password, the name of your mother or the town where you live

7. Best practices
•  “Password reset questions” on sites
•  Can be tiresome
•  Use questions and answers that only you know
•  Even better: store the questions and answers in a password vault
•  Use full disk encryption
•  Different levels of protection, depending on your adversary
•  Some systems are flawed
•  Make sure you have backups of your data
•  Encrypted backups or not?

8. Container encryption - TrueCrypt
•  Original developers stopped support
•  Still available for download from other sites
•  If you’re really concerned about the download, check the hashes
•  https://truecrypt.ch/downloads/
•  https://www.grc.com/misc/truecrypt/truecrypt.htm
•  TrueCrypt containers are just “files”, they can be moved to other devices
•  For example copy the TrueCrypt container to an external drive
•  Share the password for unlocking via other secure channels
•  Copy files from your “normal” drive to TrueCrypt

9. Container encryption - TrueCrypt
•  Tutorial at: http://andryou.com/truecrypt/docs/tutorial.php

10. Container encryption - TrueCrypt
•  Workflow
•  Select TrueCrypt file
•  Select a mount slot
•  Click Mount
•  Enter password

11. File encryption - GPG
•  GPG, digital signature and encryption
•  https://www.gnupg.org/
•  Requires more technical knowledge
•  http://ubuntuforums.org/showthread.php?t=680292
•  Made more accessible via Keybase
•  https://keybase.io/
•  Ideal for encrypting one file and then sending it over an “unsafe” communication channel
•  Protect your master key!
•  Store the revocation certificate in a safe place
•  Don’t lock yourself out

12. Best practices
•  Use different browsers
•  Firefox, Chrome, Safari, Opera, Internet Explorer
•  Avoid Internet Explorer if possible
•  Closely tied to the operating system
•  One browser only for “personal” things
•  1 for online banking, e-mail
•  1 for information gathering
•  1 for random browsing
•  Use “Private” browsing
•  No cookies
•  No history
•  Forensic research on your computer can still disclose your browsing history

13. Best practices
•  Always type in the URL, do not click on a link
•  When you enter usernames and passwords, make sure the website is secured - HTTPS
•  Log out of a website (e-mail, Facebook) once you no longer need it
•  This prevents tracking
•  Use disposable e-mail for subscriptions or one-time-only messages
•  https://www.guerrillamail.com/
•  This is not “encryption”

15. Best practices
•  Use an up-to-date system
•  All the Windows and Apple patches
•  Use automatic updates
•  Do not use Windows XP, Vista or old versions of Apple OSX
•  Any protection mechanism or encryption is useless when remote intrusion into your computer is child’s play
•  Avoid Acrobat Reader and Microsoft Office documents
•  Lots of vulnerabilities
•  Loads external resources
•  Avoid Flash
•  Do not use Java on your machine

16. Best practices
•  Use a system firewall
•  Built in for both Windows and Apple
•  Use a virus scanner
•  Make sure it is still active and receives the new updates
•  Quality of free virus scanners is good, no real quality difference with commercial (paid) virus scanners

17. Best practices
•  Enable the option for “remote wipe” of your telephone or tablet
•  Automatically when a wrong PIN is entered more than x times
•  From remote when your device is lost

18. Best practices
•  Limit the use of location services, enable them only for the applications that you need it for
•  Disable “share your location” by default

19. Common sense
•  Do not connect to random wireless networks
•  Only connect to trusted networks, networks that you know
•  Protect your wireless network at home with a password
•  Do not let anyone else use your computer or telephone unattended
•  Never leave your device unlocked
•  Shoulder surfing
•  Someone eavesdropping when you enter your password
•  Access your online accounts from trusted sources
•  Logging in to your e-mail or Facebook from a “friend’s computer” is not always a good idea, depends on the trust you have in that friend

20. Common sense
•  Be careful with attachments that you did not request
•  Word documents, PDF files, …
•  Even if it comes from a “trusted” contact
•  Mails can be easily spoofed (“pretending” to come from someone)
•  If it comes from a trusted contact, ask that contact for clarification
•  Do not use the same transport (e-mail) for clarification, use telephone or messaging
•  Do not install software from a popup or similar. Always make sure you started the install (and not by clicking on a link)

21. Social media
•  Social media
•  Do you really need to have your picture there?
•  Why would you need tagging?
•  Be aware of geo-location
•  No need to include all the location details
•  One-on-one does not exist in social media
•  It is a broadcast to everyone
•  A message (almost) never goes away
•  Your data belongs to the net forever
•  “Right to be forgotten” (ref. Google)
•  Other sites copy the content and do not comply with the request for deletion of data

22. Tor network – surf anonymously
•  Software to browse the Internet anonymously
•  “normal” network packet: sender + destination
•  Path to destination is more or less pre-defined and is (almost) fixed
•  “tor” network packet: packet wrapped in multiple layers
•  Path to the destination is not pre-defined and changes
(Diagram: Tor path client, router 1, router 2, server; normal path client, server)

23. Tor network
•  Volunteer driven
•  Can be slower
•  Some destinations block connections from Tor
•  “Deep” web / “Dark” web
•  Sites can also be “hosted” on Tor
•  Only reachable via Tor
•  Criminals also want to surf anonymously
•  Police doesn’t like it
•  Silk Road one of the most known Tor sites
•  Drugs, weapons
•  Merely using Tor can be a sign for law enforcement to get more interested

24. Tor network
•  Use the pre-packaged software
•  https://www.torproject.org/download/download-easy.html.en
•  Best practices still apply
•  Do not install extra “browser-plugins”
•  Always use HTTPS
•  Do not submit personal details on websites
•  Do not open / download documents when online
•  Some documents (PDF, Word) open “extra” files via Internet
•  This happens “outside” Tor -> discloses your normal Internet connection

25. Tails
•  “Computer from a USB”
•  Focused on privacy and anonymity
•  https://tails.boum.org/

26. Signal - Secure phone & messages
•  Signal, Open Whisper Systems
•  Encrypted
•  Secure phone conversations
•  Secure text messages
•  Requires Internet connection
•  https://whispersystems.org/
•  Only install from App Store or Google Play
•  As always, best practices apply
•  Lock your device
•  Protect it with a PIN code
•  Do not use it with untrusted partners

28. Secure e-mail
•  Use IMAPS
•  Use Authenticated SMTP and do not use POP
•  If you are really paranoid you should not use e-mail
•  If your browser or computer has been hacked then “secure” e-mail will not protect you
•  Keep a sane Inbox
•  Delete mails. Also the “Sent” mails
•  Empty the deleted e-mails
•  Trust (?) your provider not to store the deleted / purged e-mails somewhere else

29. ProtonMail
•  Built by students from MIT and people from CERN
•  In Switzerland, strong privacy laws
•  https://protonmail.com/
•  myuser@protonmail.com
•  Future: myuser@yourdomain.com
•  For privacy conscious users
•  Free
•  Huge success, “waiting list”: can take up multiple days
•  Get immediate access with donations
•  17 (basic) to 73 (Mobile + 1GB) EURO
•  500MB storage
•  1000 messages per month

30. ProtonMail
•  Two passwords
•  One to access your account
•  One to decrypt your mailbox

31. ProtonMail
•  Send mail to users not using ProtonMail
•  Use a one-time password
•  The message will expire after a while

32. Tutanota
•  Alternative to ProtonMail
•  https://tutanota.com/
•  No waiting list
•  Germany based
•  1GB storage
•  No aliases
•  Free for non commercial use
•  Use your own domain with the Premium version

34. Tutanota
•  Send e-mails to users not using Tutanota with a shared password

35. Take-aways
•  Do not get paranoid
•  Use common sense
•  Use secure websites (HTTPS) for personal data
•  Also for e-mail (IMAPS + Authenticated SMTP)
•  Do not open documents from untrusted sources
•  Set strong passwords
•  Do not use untrusted networks and devices
•  Lock devices with passwords and PINs
•  Remote wipe and wipe after unsuccessful PINs
•  Keep your systems up to date
•  Operating system and applications
•  Use firewall and anti-virus

36. Take-aways - tools
•  For disposable messages / mail
•  https://www.guerrillamail.com/
•  Secure phone and messages
•  https://whispersystems.org/
•  Tor surf anonymously
•  https://www.torproject.org/download/download-easy.html.en
•  Private e-mail with ProtonMail or Tutanota
•  https://protonmail.com
•  https://tutanota.com/
•  TrueCrypt
•  https://truecrypt.ch/downloads/

37. Contact
•  Use common sense
•  Be vigilant but don’t get paranoid
•  Contact
•  https://www.vanimpe.eu
•  https://www.cudeso.be
•  @cudeso
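Slide 22 describes a Tor packet as "wrapped in multiple layers" that travel client, router 1, router 2, server. The following is an added example, not code from the slides or from the Tor project: a small Python simulation of that layering, showing that each router can strip only its own layer and learns only the next hop. The SHA-256 based XOR stream cipher and the fixed per-router keys are assumptions for illustration; real Tor uses a proper cipher and a circuit handshake.

```python
import hashlib
import json

# Toy stream cipher: SHA-256 in counter mode, XORed over the data.
# Illustrative only (assumption); not the cipher Tor actually uses.
def xor_layer(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed per-router keys (in Tor these come from the circuit handshake).
ROUTER_KEYS = {"router 1": b"constructed-key-1", "router 2": b"constructed-key-2"}

def build_onion(path: list, payload: bytes) -> bytes:
    """Client side: wrap the payload once per router, last router first,
    so the first router's layer ends up outermost."""
    blob, next_hop = payload, "server"
    for hop in reversed(path):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob, next_hop = xor_layer(ROUTER_KEYS[hop], layer), hop
    return blob

def peel(router: str, blob: bytes) -> tuple:
    """Router side: strip exactly one layer. The router learns the next hop;
    the remaining blob is still encrypted for the hops after it."""
    layer = json.loads(xor_layer(ROUTER_KEYS[router], blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def can_read(router: str, blob: bytes) -> bool:
    """True only if this router's key turns the blob into a valid layer."""
    try:
        peel(router, blob)
        return True
    except ValueError:  # not valid UTF-8 / JSON: someone else's layer
        return False

def route(path: list, payload: bytes):
    """Simulate the whole path; return each hop's view and what the server gets."""
    blob = build_onion(path, payload)
    views = []
    for hop in path:
        next_hop, inner = peel(hop, blob)
        # A router that tries to look one layer further in sees only noise.
        views.append({"router": hop, "next": next_hop, "sees_inner": can_read(hop, inner)})
        blob = inner
    return views, blob
```

Running `route(["router 1", "router 2"], b"GET / HTTP/1.1")` returns the two routers' views (router 1 sees only "router 2", router 2 only "server", neither can read the inner blob) together with the original payload as delivered to the server.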