Computer And E-mail Security In A COVID-19 World


Computer and E-mail Security in a COVID-19 World
Jan L. Peterson (KD7ZWV)
Murray Amateur Radio Club

What Happened?
- Connie’s e-mail got hacked
  - she had over a thousand contacts
  - the hacker copied her contacts and then deleted them all
  - the hacker also deleted all her mail from her account
  - the hacker created a new e-mail account on gmail that looked like it was Connie’s
  - the hacker e-mailed all of Connie’s contacts from this new account, asking for 200 worth of Amazon gift cards
  - several people called her to check if it was legit, but at least one person sent Amazon gift cards to the hacker
- Connie created a new e-mail account on gmail, but has been having a time trying to recover her contact list

How did it happen?
- Connie probably had an easy to guess password
- Connie could have had a virus on her computer that logged her keystrokes

How can I Protect Myself?
- Pick a good password (more on this in a minute)
- Don’t use the same password on multiple sites
- Don’t click on links that people send to you until you validate them
- Don’t download software/files from sites that you don’t trust
- If you get an e-mail from someone, and it looks weird, confirm that it is valid
  - double-check that the e-mail it is from is the one you know is theirs
  - call/text them to confirm
- Run anti-virus/anti-malware software
- Back up your files/contacts/etc.

Let’s Talk Passwords
- How do I pick a good password? What is a good password?
- STIG – Security Technology Implementation Guidelines
  - Minimum characters: 15
  - Minimum numbers: 1
  - Minimum lowercase characters: 1
  - Minimum uppercase characters: 1
  - Maximum consecutive repeating characters: 2
  - The last seven passwords cannot be reused
- Example: 3loon7UnBate84p
- Cons: hard to remember

Let’s Talk Passwords
- How do I pick a good password? What is a good password?
- XKCD model: https://xkcd.com/936/
  - pick four random common words
- Example: correct horse battery staple
- Cons: a lot of sites want you to use more “complex” passwords, include digits/punctuation, etc.

Let’s Talk Passwords
- How do I pick a good password? What is a good password?
- Phrase model
  - Pick a short but memorable phrase
  - Take the first or second letter of each word
  - Insert a digit/capitalization in the phrase
- Example: Now is the time for all good men to come to the aid of their party.
  Password: Nittfagmtcttaotp.
- Cons: Takes a while to get used to

Let’s Talk Passwords
- How do I pick a good password? What is a good password?
- Random crap model
  - just throw some random mash of characters out there
- Example: A]s%*pZmYzpa?U4N
- Cons: memorize that! yeah, I didn’t think so

Let’s Talk Passwords
- How do I pick a good password? What is a good password?
- Combination of the above
  - pick some random words
  - inject some capital letters
  - inject some digits and/or punctuation
- Example: 4ethnic-Bedim-Clam2-Deli-4lawns-magog
- Cons: I’m sure there are some, but this is the mechanism I use
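The combination model and the STIG rules from the earlier slide, as an added Python example (not code from the talk): it builds a password from random words with a capital and two digits injected, then checks it against the slide's rules. The word list is a constructed sample, the function names are hypothetical, and the "last seven passwords" rule is not checked because it needs a stored history.

```python
import math
import re
import secrets

# Constructed sample list for illustration only; a usable generator needs a
# list with thousands of words so that each word adds enough entropy.
WORDS = ["ethnic", "bedim", "clam", "deli", "lawns", "magog", "horse",
         "staple", "radio", "murray", "antenna", "signal", "copper",
         "orbit", "ladder", "pencil"]

def stig_violations(pw):
    """Return the slide's STIG rules that pw breaks (history rule not checked)."""
    problems = []
    if len(pw) < 15:
        problems.append("fewer than 15 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    # Assumption: "maximum consecutive repeating characters: 2" means no
    # character may appear three times in a row.
    if re.search(r"(.)\1\1", pw):
        problems.append("more than 2 consecutive repeating characters")
    return problems

def generate(n_words=6, words=WORDS):
    """Combination model: random words, one capitalized, two digits injected."""
    if n_words < 3:
        raise ValueError("too few words to reliably reach 15 characters")
    while True:
        parts = [secrets.choice(words) for _ in range(n_words)]
        i = secrets.randbelow(n_words)
        parts[i] = parts[i].capitalize()
        for _ in range(2):  # put a digit before or after a randomly chosen word
            j = secrets.randbelow(n_words)
            d = str(secrets.randbelow(10))
            parts[j] = d + parts[j] if secrets.randbelow(2) else parts[j] + d
        pw = "-".join(parts)
        if not stig_violations(pw):  # regenerate if any rule is broken
            return pw

def word_entropy_bits(n_words, list_size):
    """Bits of entropy from the word choices alone (uniform random picks)."""
    return n_words * math.log2(list_size)
```

`secrets` is used instead of `random` because it draws from the operating system's cryptographic random source.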

Password Usage
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site
- NEVER use the same password for more than one site

How do I Remember all Those Passwords?
- Use some kind of “password manager” software
- Many browsers have this built in (Chrome, Firefox, etc.)
- Some operating systems have this built in (MacOS “Keychain”, Linux “Keyring”, Windows “Credentials Manager”)
- Third party c. etc. etc. - this is the one I use

Two-Factor Authentication
- Many web sites and cloud services offer “two-factor authentication”
- The two factors are typically “something you know” and “something you have”
- This typically involves the use of “one time” passwords or having the site send you a text message or e-mail to validate your login
- Examples include RSA SecurID tokens, TOTP systems like Authy

What is “Phishing”?
- An attempt to “fake you out” and get you to give someone your credentials
- Usually an e-mail that looks like it came from e.g. your bank, eBay, Facebook, etc.
- Tells you something that tries to encourage you to click on a link in the mail
- Clicking on the link takes you to a page that looks like the real site
- You log in and you’ve just given your username and password to them!

What is “Phishing”?
- Example: [five example slides; images not included in the transcription]

How to Recognize “Phishing”?
- Grammatical errors (word choice, punctuation, weird phrasing)
- Low resolution logo
- URL doesn’t go to the right site
- Tries to frighten you (your card is disabled, your order has been placed, etc.)
- E-mail is unexpected (you won a prize from a contest you don’t remember entering, you’re getting a refund that you weren’t expecting)
- Presumes to know something or someone that you know
  - This is what Connie’s attacker tried to use against her contacts
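Two of the checks above can be automated: "URL doesn't go to the right site" and a sender whose name matches a contact but whose address is not the one you know. This is an added Python example, not material from the talk; the function names are hypothetical and the sample message, addresses and hosts are constructed placeholders.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(html):
    """Links whose visible text names one host but whose href goes to another.
    The comparison is strict, so www.example.com vs example.com is also flagged."""
    parser = _Links()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        real = (urlparse(href).hostname or "").lower()
        if shown and real and shown.group(1).lower() != real:
            out.append((shown.group(1).lower(), real))
    return out

def lookalike_sender(from_header, contacts):
    """True when the display name matches a known contact but the address does not."""
    name, addr = parseaddr(from_header)
    known = contacts.get(name.strip().lower())
    return known is not None and addr.lower() != known.lower()

# Constructed sample data (example.* names are placeholders, not real senders)
SAMPLE_HTML = ('<p>Your card is disabled. '
               '<a href="http://login.example.net/x">www.examplebank.com</a></p>')
SAMPLE_FROM = "Connie Example <connie.example.1@example.org>"
CONTACTS = {"connie example": "connie.example@example.com"}
```

A flagged message still needs the manual step from the earlier slide: call or text the person to confirm.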

Viruses, Trojans, Worms, and Ransomware
- Botnet

Viruses
- No, we’re not talking about COVID-19
- Computer software that infiltrates “good” software and does something bad
- Replicates itself by inserting its code into other programs
- Often used to transport/infect with some other type of malware
- Often take advantage of buggy software

Trojans
- Think of the story of the Trojan Horse
- YOU LET IT IN!
- Maybe you clicked on a link, downloaded some software and ran it, downloaded a video file that was really an executable, etc.
- Attack vector for other malware

Worms
- Type of malware that attempts to spread by exploiting vulnerabilities on other machines on your network
- Attempts to automatically spread from machine to machine
- Famous example, the Morris Internet Worm
  - November 2nd, 1988, Robert Morris at Cornell activated it using systems at MIT
  - Took advantage of known bugs in sendmail, finger, rsh, and poor passwords
  - Had a bug in it that made it easy to detect by its side effects
  - Systems admins actually contacted the CDC to track and eradicate it
  - Spawned several security/vulnerability tracking systems/groups (CERT, etc.)

Spyware
- Type of malicious software that tracks what you are doing
- Monitors your keystrokes
- Takes screen captures
- Can activate your camera/microphone
- Records web sites you visit
- Logs your usernames/passwords

Adware
- Pops up advertisements on your computer
- Replaces legitimate ads on sites you are visiting with its own
- Clicks on those ads can result in further malware infection
- Ads may encourage you to e.g. “run this anti-virus software” (which is really malware itself)

Ransomware
- Once it gets on your machine, it quietly and transparently encrypts your files
- Once your files are all encrypted, it blocks you from accessing your data
- It informs you that you have to pay to get your files back
- Often can affect your backups as well as it will usually wait a while before blocking you
- Because files are encrypted with strong crypto software, it is nearly impossible to decrypt them without the key
- Even if you pay the ransom, there is no guarantee that the software won’t keep doing its thing and come back at you later for another round

Botnet
- Quietly sits on your computer waiting for instructions
- Can use your computer to instigate an attack (typically called a “denial of service” attack) on some victim
- Since millions of computers around the world are infected, it is hard to impossible to stop

How do I Protect Myself from Malware?
- Get and run some good antivirus/antimalware /
- Free for personal use!
- Works on Windows, MacOS, Android, and iOS
- Install OS updates when offered
- Linux users can run ClamAV

I use Linux/Unix, am I safe?
- NO
- Linux viruses are now being made
- You are still vulnerable to phishing attacks
- Windows viruses on your Linux machine could attack other systems on your home network
- The Morris worm specifically targeted Unix and Unix-like systems
- Keep your system updated
- Upgrade when your OS is no longer supported (e.g. Ubuntu 16.04 LTS will end support on April 30th 2021, upgrade before that happens!)

Backups
- Are your files/e-mails on your computer/Internet important to you?
- Financial documents (taxes, bank statements, mortgage info, credit cards, etc.)
- Medical information (insurance claims, doctor visit notes, test results)
- Family photos and videos
- Contact lists (personal and professional)
- E-mail history (records of conversations, documents, etc.)
- Account information (cell phone, internet service, Facebook, Twitter, etc.)

Backups
- Copy important files to multiple storage devices/locations
- Floppy disks (ha ha ha)
- USB drives
- CD/DVD-RW
- Backup hard drives
- NAS (Asustor, Synology, TerraMaster)
- Cloud storage (OneDrive, iCloud, Google Drive, Dropbox)
- Commercial storage options (Amazon S3, Backblaze, Carbonite (formerly Mozy))

Backup Strategies
- Daily/Weekly/Monthly schedule
- Store a copy off site (in the cloud, at your kid’s house, etc.)
- Automate it!
- Test it (try to restore a file every once in a while)
- Don’t forget to back up your e-mail and contacts

I’ve Been Hacked, Now What?
When in Trouble or in Doubt
Run in circles, scream and shout!

I’ve Been Hacked, Now What?
- Disconnect your computer from the network
- Use another computer to change your passwords
  - First, change your e-mail password. All your other services will send password update requests to your e-mail, so secure that first
  - Second, change any financial account passwords, your bank, your mortgage, your credit cards. Have them cancel your cards and issue new ones at this time
  - Third, change other passwords for commercial services where you may have payment information stored (Amazon, eBay, your ISP, even sites you wouldn’t think about like Walmart.com, the restaurant you order from online, etc.)
  - Fourth, social media and other accounts
- If you suspect any fraudulent activity, contact the police and file a report

I’ve Been Hacked, Now What?
- Notify your contacts that you were hacked and that they should be suspicious of any e-mails that came from you recently
- Contact the three major credit bureaus (Equifax, Experian, and TransUnion) and explain that you are a victim of identity theft. They have special procedures to help with this
- Boot your computer from secure media and run anti-malware software against it (if you don’t feel comfortable doing this, take it down to PC Laptops, they will scan your machine for free)
- Consider wiping your computer and re-installing from known good media (and getting your files back from your backups. You have backups, now, right?)

Q&A and s://en.wikipedia.org/wiki/Morris ree.org/2018/04/19/use-a-good-password-generator/
