I.T Security Presentation
Notes
The audio of this presentation is here.
Why Is There A Need For Security Of Your Data?
- The bad guys and what they are up to; the good guys and what they are doing.
- Passwords.
- Secure browsing. What are your options when it comes to secure browsing and secure communication?
- Encryption.
Some things you need to know about, and a couple of interesting threads from recent news.
Clicking on the links below will take you down a certain rabbit hole; it is worth having a nose around these in order to get a feel for what's really going on in technology circles.
Bot Nets
https://en.wikipedia.org/wiki/Botnet
These are networks of compromised computers under one attacker's control – mainly Windows PCs, but compromised web servers (hacked WordPress sites, for example) and internet-connected gadgets are routinely recruited too.
Chinese hackers
https://en.wikipedia.org/wiki/Cyberwarfare_by_China
It's not only the Chinese: there are a number of governments around the world that seemingly like getting involved with the bad guys, or maybe are the bad guys.
Huawei – 5G problems with chips
https://www.theverge.com/2018/2/14/17011246/huawei-phones-safe-us-intelligence-chief-fears
This is perhaps the first large corporation to be accused of involvement in espionage on an epic scale: the concerns cover not only its network technology (5G) but also its personal technology, i.e. phones.
With the internet of things becoming a reality, 5G is going to happen; in fact IoT has been designed with 5G in mind.
I guess you do have to ask why we need a fridge connected to the internet?
Russian users of the Dark Web
Hackers (the bad guys) are often looking for one item of data; it will be harvested and later, when more data is available, a plan hatched to use it.
It is quite rare for a whole set of data to be picked up from one machine or one data breach.
Data spread across several sources is just as valuable once it is combined. Getting access to full data sets is hard, simply because information is held in several places, often in different parts of the same system.
Do you understand ‘relational databases’?
Access to Nectar card information could indicate when you are at home or on holiday, because of shopping patterns. Real-time or demand pricing is being trialled by Tesco.
Password security is important for control of your data.
If a bad guy gets access to one of your accounts, a proper password policy means they get access to that one account and not all of them.
Not reusing the same password is fundamental.
Using long, unique passwords (something you know), backed by a second factor (something you have), is vitally important if you are to maintain a degree of online security. More to come on that.
What Are You Protecting?
You need to work out what you are trying to protect and what the downsides are of losing the keys to unlock that data. Would it be unfortunate to lose access or a disaster?
Gmail/Facebook/Outlook all allow a nominated third party to have access in case of disaster; so does LastPass, and you can also share individual entries within LastPass – great for giving access to family.
What is LastPass and how good is it?
Understand these terms
Encryption – the process of converting information or data into a code, especially to prevent unauthorized access. “I use encryption to protect sensitive information transmitted online”
Lock data – encrypt
Unlock data – decrypt
Secure transfer – moving locked data around.
Explanation of how HTTPS works – the site presents a certificate carrying its public key, the browser uses that key to agree a fresh session key with the server, and everything after that is locked with the session key. A series of locks and keys, using only data and encryption tools.
There is a big problem for those that want to spend time and money trying to decrypt data and files without the key: a modern cipher has so many possible keys that trying them all is out of the question.
Note that it is not that they can't tell when they have it right – a wrong key produces obvious garbage, so a correct guess is recognisable – it is the sheer size of the key space that protects you.
Dependent on the algorithm and key length used, the time needed can run from seconds (a short password) to longer than the age of the universe (a full-length random key).
Importantly, spoof containers can be used along with 'gun to the head' containers – a hidden volume inside a decoy one, so that under duress you can hand over a password that reveals some information but not all.
Simple Tips You Can All Use
Admin User
Can install software, including viruses.
Non-admin user – needs permission.
Always run as a non-admin user. First base covered.
I no longer run any Windows or Apple machines – I just don't trust them. There are plenty of alternatives such as Linux; most of the internet's servers run on Linux.
Bits of paper.
Don't ignore the use of paper – a physical thing has to be physically picked up.
Man-in-the-middle attacks, phone interception and key loggers all very much still exist, but they can't read the pages of an A5 pad in your lounge.
If you can see it on screen, then a screen-capture bot or logger can capture it too.
On Windows press Ctrl+Shift+Esc (or Ctrl+Alt+Del, then Task Manager) to see what software is running on your computer.
Operating System On A Disc – Ubuntu or Slax
An operating system on a CD/DVD means nothing can be written back to the disc, so an infection cannot persist between sessions – low risk for tasks such as online banking. (Malware can still run in memory for the length of a session if you browse somewhere bad, so it is not magic.)
It will also fit on a USB stick – boot from that and you have a clean operating system to work with; note that a stick is writable unless it has a hardware write-protect switch, so the disc is the stronger option. Really very safe but a bit of a fiddle to get started.
Download it, write it to the disc or stick, boot from it and use it. Great for online banking as nothing is recorded locally – there is no write-to-disc option.
Secure internet browsing and HTTPS. How does it all work and why is it so powerful?
HTTPS – TLS (formerly SSL) secure browsing and secure messaging.
Dark web.
Drugs
Cyber Criminals
Kidnappers etc
How does it work? With the Tor browser and a network of volunteer-run relays (computer to computer), your connection is not only encrypted but passed through a chain of relays – normally three – with a separate layer of encryption for each hop, so no single relay sees both who you are and where you are going.
Freenet and I2P are other such networks; Tor is by far the biggest. Tor onion services (sites reachable only inside Tor) have addresses ending in .onion.
Porn/Drugs/Sex offenders – some really bad stuff.
A secure drop for sharing files – a simple Word document, dropped securely, is a good communication tool.
Also secure sites that use encrypted content are plentiful.
Most contain information that most of us wouldn’t want to see.
You may have seen something like this (login prompt shown on the slide).
This kind of login is at the web-server level: nothing under the protected area is served without a username and password, and there may also be per-user folders once inside. Simple to do, and it keeps out most of the bad guys – as long as the site is served over HTTPS, otherwise the password crosses the network in the clear.
Web data may also be fully encrypted at rest and locked down on the web server.
It's about DNS – the Domain Name System – Protecting Your Movements.
This is how your computer/phone/tablet finds things on the net.
Every internet connection uses a DNS resolver – it translates www.bbc.co.uk into an address such as 193.8.21.12.
By using a filtering resolver you can be stopped from reaching known bad sites – helping prevent malware and phishing from reaching your computer. (It only blocks domains the provider already knows about, and it does not prevent cross-site attacks on a site you have already reached.) Automatic safety, and of course free.
Most machines will, by default, use whatever resolver the router hands out – normally your ISP's; some people switch to Google's or another provider's.
If you use another provider you can block sites using your online account and control what is seen on your machines. It won't stop your internet service provider from seeing your requests, because ordinary DNS travels unencrypted (encrypted DNS – DNS over HTTPS or TLS – closes that gap). A court order is required for release of data; some is shared automatically.
OpenDNS – computer or router
Quad9 – computer or router
Google and ISPs may set your DNS settings automatically, which means your lookup history, and by extension your browsing record, is available to them.
It's not definite whether OpenDNS and Quad9 share data – read their privacy policies.
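To see what a resolver (and anyone on the path to it) actually handles, here is a hand-built DNS query and reply, added as an example to these notes rather than taken from the slides. It runs offline: the reply is constructed inside the script, www.bbc.co.uk is simply the worked example, and 193.8.21.12 is the illustrative address used above, not a real lookup.

```python
"""Hand-built DNS query and response, to show what a resolver sees on the wire.

Added example for these notes, not from the presentation. The reply bytes are
constructed here (no network); 193.8.21.12 is the slide's illustrative address,
not a real lookup of www.bbc.co.uk.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.bbc.co.uk' as DNS labels: \\x03www\\x03bbc\\x02co\\x02uk\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A-record query: 12-byte header (RD flag set) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (queried name, [IPv4 strings]) from an A-record response."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    qname, off = _read_name(msg, 12)
    off += 4                                   # skip qtype + qclass
    addresses = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return qname, addresses


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: same id, question echoed, answer pointing at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xC0\x0C"
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + bytes(int(part) for part in ip.split(".")))
    return header + query[12:] + answer


def name_visible_on_wire(packet: bytes, label: str) -> bool:
    """Plain DNS is unencrypted: the labels sit in the packet as readable text."""
    return label.encode("ascii") in packet


if __name__ == "__main__":
    q = build_query("www.bbc.co.uk")
    r = build_response(q, "193.8.21.12")
    print(parse_response(r))                # ('www.bbc.co.uk', ['193.8.21.12'])
    print(name_visible_on_wire(q, "bbc"))   # True: the ISP can read every lookup
```

The last line is the point of the DNS section: the name you look up sits in the packet in clear text, so whoever runs the resolver, and anyone between you and it, gets your browsing record for free unless the lookup itself is encrypted.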
TOR Browser
Easy to use and safe, but you need to know where you are headed, or use a search engine such as
Parazite.
Tor browsing is safe and secure – darn hard to trace, and every user's traffic helps hide everyone else's.
Other browsers
VPN
Effectively a tunnel through the internet: anyone between you and the VPN server (your ISP, the coffee-shop Wi-Fi) sees only encrypted traffic to the VPN, not what you are doing or where you are going. Think of it as the HTTPS padlock applied to your whole connection – with the caveat that the VPN provider itself can see your traffic, so you are moving your trust from your ISP to them. You can get these from a number of dedicated sources; search for VPN.
The beauty is you protect yourself by releasing as little information about yourself as possible, including location and IP (Internet Protocol) address – a sure way of identifying you online.
https://www.hidemyass.com/en-gb/index free service works, paid for is excellent.
Imagine browsing inside one of those long tunnels in the sea aquarium – you can see the fish, the fish can see you, but they can't touch – that's a VPN. With a VPN your details are hidden; others know you are there but don't know anything else. Harry Potter invisibility cloak (ish).
Also make sure your router's firmware is up to date – much of the data sniffing is done through routers now. Change the admin password and the router name, and switch off remote administration if you don't need it.
Two-Factor Authentication
Should be used for every login that offers it. SMS codes are better than nothing, but an authenticator app (Google Authenticator or similar, which generates time-based codes on the device itself) or a hardware key is stronger, since SMS can be intercepted or redirected by a SIM swap.
Secure email and encryption, the options, software, problems.
I love PGP – Pretty Good Privacy.
PGP was never banned for use inside the USA; it was exporting it that was restricted (see below).
Can be used for files/email/images.
Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits, so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.
America treated PGP as a weapon under its munitions export rules – not so relevant now, since Zimmermann released the source code as a book, which everyone used: cut it up, scanned it in with free OCR software and compiled it.
PGP released as a book could not be banned, because publishing a book is protected under the American constitution.
The commercial PGP product is now owned by Symantec; the OpenPGP standard it follows is also implemented by the free GnuPG (gpg).
To use it, create a private and public key pair; publish the public key and keep the private key to yourself.
There are lots of options.
https://www.igolder.com/pgp/encryption/ allows you to create keys in the browser – fine for trying it out, but for real use generate keys locally with GnuPG so the private key never leaves your machine.
TrueCrypt for files and secure folders
It was taken down by its developers in 2014 for reasons they never fully explained. It is a very good package for home/small business use.
It's still available and is very effective – so much so that, the story goes, the US Government was going to force a release of its source code and the people behind it decided to pull the plug instead (the source code was in fact always published; the real reason for the shutdown was never given). The last known copy is here (link on the slide). It's very effective for securing data – probably overkill for personal use. More importantly it is not hard to use, which is why I like it.
In terms of its use, when a container is created, random data is used to generate the key, which makes it very, very hard to break. Entropy.
Entropy – a lack of any order; in crypto, the unpredictability that a key is drawn from.
Some downsides: it is no longer maintained and will not be supported in future. VeraCrypt, a maintained fork, is the usual replacement and opens TrueCrypt containers.
Public Keys/Private Keys
An easy way to secure and sign emails.
In cryptography, a public key is a large numerical value that is used to encrypt data (and to verify signatures). With PGP you generate the key pair yourself with the software; with HTTPS, a site's public key is vouched for by a trusted certificate authority. Public keys are made available to everyone, for example through a publicly accessible key server or directory.
Your public key is used by others to send information to you.
You send information to a third party using their public key.
With the private key, and only with it, you can read the encrypted data.
-----BEGIN PGP PRIVATE KEY BLOCK-----
[key block contents omitted]
=qVhi
-----END PGP PRIVATE KEY BLOCK-----
Using a key pair like the above – and note the slide shows a PRIVATE key block; that is the half you never publish, the public key block is the one you hand out – the message
I love you all
becomes something like
770025d1845d07f6d96b76d3cdda
which only the holder of the private key can turn back into text. (Real PGP output is a longer ASCII-armoured block rather than a short hex string; the above is just an illustration.)
Digital signature – like signing with a pen, only safer: the private key from the pair above is used to sign documents/files/emails, and anyone with the matching public key can verify the owner/sender.
Types of Encryption
- AES. The Advanced Encryption Standard is a symmetric block cipher and the standard choice today.
- 3DES. Triple DES is an older symmetric block cipher, now deprecated; avoid it for new work.
- Twofish. A symmetric block cipher based on the earlier Blowfish.
- RSA. A public-key (asymmetric) algorithm, used to exchange keys and to sign rather than to encrypt bulk data.
Alternatives for secure messaging.
Use a Word document with a strong password – LibreOffice or OpenOffice give the same result. Use a long password.
In Office 2007 (Word, Excel and PowerPoint), protection was significantly enhanced, since a modern encryption algorithm, the Advanced Encryption Standard, was used. There is no known shortcut for breaking this encryption; the only route is guessing the password. With the help of the SHA-1 hash function the password is stretched into a 128-bit key over 50,000 iterations before the document opens; as a result the time required for each guess, and so for cracking, is vastly increased – though a short or dictionary password will still fall to a cracking tool.
Later versions of Office use stronger settings again (SHA-512 and 100,000 iterations from Office 2013), so a good password on a Word document means very few people will ever see it.
This also applies to LibreOffice.
You can share documents and messages via an email account – simply set up a free account. Log in, create a message, save it in drafts, pass the account login details to the third party, and they can read the message and create a draft in reply.
No one knows you are there – the Al Qaeda/ISIS trick. (The provider still holds every draft and can see both parties logging in from different places, and the login details have to be passed over somehow, so this hides the fact of messaging rather than its content.)
Also
WhatsApp/Telegram – Telegram has been blocked in Russia – are all becoming a problem for governments. Apple's secure messaging is an issue too; all have been asked by governments to release information.
Dropbox/Amazon S3
For file sharing. Neither encrypts end to end by default – the provider can read what you upload – so encrypt anything sensitive (in a TrueCrypt container or with PGP, say) before it goes up.
VirtualBox
Running a computer within a computer – a bit more than is required for today, but a useful addition to the armoury if you really are paranoid about your data and online privacy: anything nasty picked up inside the virtual machine normally stays inside it, and you can throw the machine away afterwards.
Ctrl+Shift+Esc (Task Manager) to determine what software is running on your machine – Windows only; useful for spotting keylogging software, though a well-hidden one will not necessarily show up.
Password principles
Never use a name, a dictionary word or a brand – dictionary attacks are the commonest form of attack.
Something you have and something you know.
Per-site passwords – a different one for every site.
Amazon_4rfgt54e23wedr45trfty654w23edfr56tygf_gu11vhb
(If you build passwords from a site name plus a fixed secret like the above, one leak in plain text gives away the pattern for every other site; a password manager generating an unrelated random password per site avoids that.)
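To tie the password principles to the Office "stretching" note earlier: this added example (mine, not from the slides) uses Python's standard PBKDF2 as a stand-in for Office 2007's 50,000-round SHA-1 stretching and shows that stretching only slows a dictionary attack, it does not stop one against a guessable password. The leaked hashes and word list are constructed for the demo, and the two site-password functions illustrate the site-name-plus-suffix pattern in the sample password above.

```python
"""Password stretching versus a dictionary attack, standard library only.

Added example for these notes, not from the presentation. PBKDF2-HMAC-SHA1
stands in for Office 2007's scheme (SHA-1 iterated 50,000 times, same idea).
The 'leaked' hashes, salt and word list are constructed for the demo.
"""
import hashlib
import hmac
from typing import Optional

ITERATIONS = 50_000          # Office 2007's spin count; modern guidance is higher


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 128-bit key: every guess costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=16)


def dictionary_attack(salt: bytes, target: bytes, words, iterations: int = ITERATIONS) -> Optional[str]:
    """Try each candidate in turn; stretching makes this slower, not impossible."""
    for word in words:
        if hmac.compare_digest(derive_key(word, salt, iterations), target):
            return word
    return None


def site_password(site: str, secret_suffix: str) -> str:
    """The 'Amazon_<secret>' pattern from the slide: site name plus a shared suffix."""
    return f"{site}_{secret_suffix}"


def suffix_reuse_exposed(leaked_plaintext: str) -> str:
    """One plaintext leak of a patterned password gives away the suffix used everywhere."""
    return leaked_plaintext.split("_", 1)[1]


# Constructed demo data: a salt and two 'leaked' stretched hashes, one weak, one random.
SALT = b"office-demo-salt"
WORDLIST = ["letmein", "password", "qwerty", "password123", "summer2018"]
WEAK_HASH = derive_key("password123", SALT)
STRONG_HASH = derive_key("4rfgt54e23wedr45trfty654w23edfr56tygf", SALT)

if __name__ == "__main__":
    print(dictionary_attack(SALT, WEAK_HASH, WORDLIST))      # password123
    print(dictionary_attack(SALT, STRONG_HASH, WORDLIST))    # None
    print(suffix_reuse_exposed(site_password("Amazon", "4rfgt54e23")))  # 4rfgt54e23
```

Each of the five guesses above costs 50,000 hash operations, which is what slows a cracker down; but five guesses is still five guesses, and "password123" falls regardless. The random string survives only because it is not in any list, which is the whole argument for long, unrelated passwords.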
Simple steps to secure your data on USB sticks, hard drives and fixed media such as CDs and DVDs: TrueCrypt containers, or the encryption that many modern drives have built in.
Password and password security. Securing home and office computers/tablets/phones
What to do with digital data?
Storage
Online portals
USB memory tends to be cheap and should not be relied on as the only copy.
External hard drives/SSDs/DVD or CD writers – some downsides with DVDs and CDs in that they may not be readable in the future.
Flickr/LiveDrive/Google Drive/Amazon S3 (for the more technical). None are 100% safe; ideally keep a local copy, one stored on CD/DVD/network drive, and one online.
What is it worth? If it’s really valuable, put it on a CD/DVD/Hard Drive (that’s at least two copies) and one online – for £100 per year you’ll get great
Or
Carbonite – £60 per year – literally. Once installed, tell it what to backup and never worry again.
What's in an SSL certificate
Indigo
Modulus (2048 bits) – the public key's modulus. Factoring a number this size to recover the private key is far beyond any computer available today.
E1 7B 23 29 32 3A 0D 42 AC 26 99 66 82 5F 45 11
04 E4 87 26 A4 17 91 DF 8F C7 9B A7 A4 A7 50 A1
4A 3E 13 03 91 2F DD F9 52 40 41 E7 C6 1C A0 63
09 E6 17 7F 8B CF 28 C8 50 BA CB FD A3 D8 50 19
FA D4 06 CF EF 27 C2 F4 99 BF 75 FF EE EC E6 13
6E 3B 12 E9 63 2F 93 18 60 A1 C8 A4 B1 6D 3D AC
41 E8 C5 BA 47 DE 13 7F 86 67 46 66 D2 DC 3D 01
20 11 8E 3C 15 CD 06 D1 92 8A F9 3B 89 27 4D 44
06 FF F1 42 4D 4A 0B EA AD 54 5E E2 81 39 91 26
A2 CD 61 B0 36 42 3E 46 8D FC A7 A8 26 94 75 2B
9F 41 EA B9 8B 08 14 86 69 97 4B 2E F7 D6 A7 2A
91 0A D1 20 11 DB C3 3D 06 7E F7 3B 8A 1A 98 70
E3 18 75 80 EE AC EF E8 E2 DA 5A 8D 25 E9 99 52
F5 E8 83 0D 09 BA C8 93 32 16 FC 32 95 F6 83 54
C7 DD 9D 7D 4D 7C EF 7F A8 DB 96 B9 0B 63 EF FD
D7 FC A7 8D DD 3A 15 36 0D 97 E9 6D 2B 45 3C EB
Public Exponent (24 bits) – this is 65537, the near-universal choice:
01 00 01
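The modulus and exponent above are literally the public key. This added example (not from the slides) reads them in, checks that they are a 2,048-bit modulus and e = 65537, and then walks the public/private split described in the Public Keys/Private Keys section: encrypt with the public half, decrypt with the private half, sign with the private half, verify with the public half. The demo key pair is built from two small primes that are nowhere near big enough for real use, and raw (textbook) RSA omits the padding real PGP and TLS add, so treat it as a teaching model only.

```python
"""What the modulus and exponent on the slide are, and how the key halves split.

Added example for these notes, not from the presentation. SLIDE_MODULUS_HEX and
SLIDE_EXPONENT_HEX are copied from the slide; DEMO_P/DEMO_Q are toy primes, far
too small for real use. Raw RSA with no padding: a teaching model only.
"""
import hashlib
import math

SLIDE_MODULUS_HEX = """
E1 7B 23 29 32 3A 0D 42 AC 26 99 66 82 5F 45 11
04 E4 87 26 A4 17 91 DF 8F C7 9B A7 A4 A7 50 A1
4A 3E 13 03 91 2F DD F9 52 40 41 E7 C6 1C A0 63
09 E6 17 7F 8B CF 28 C8 50 BA CB FD A3 D8 50 19
FA D4 06 CF EF 27 C2 F4 99 BF 75 FF EE EC E6 13
6E 3B 12 E9 63 2F 93 18 60 A1 C8 A4 B1 6D 3D AC
41 E8 C5 BA 47 DE 13 7F 86 67 46 66 D2 DC 3D 01
20 11 8E 3C 15 CD 06 D1 92 8A F9 3B 89 27 4D 44
06 FF F1 42 4D 4A 0B EA AD 54 5E E2 81 39 91 26
A2 CD 61 B0 36 42 3E 46 8D FC A7 A8 26 94 75 2B
9F 41 EA B9 8B 08 14 86 69 97 4B 2E F7 D6 A7 2A
91 0A D1 20 11 DB C3 3D 06 7E F7 3B 8A 1A 98 70
E3 18 75 80 EE AC EF E8 E2 DA 5A 8D 25 E9 99 52
F5 E8 83 0D 09 BA C8 93 32 16 FC 32 95 F6 83 54
C7 DD 9D 7D 4D 7C EF 7F A8 DB 96 B9 0B 63 EF FD
D7 FC A7 8D DD 3A 15 36 0D 97 E9 6D 2B 45 3C EB
"""
SLIDE_EXPONENT_HEX = "01 00 01"

# Toy primes for the demo pair: the Mersenne primes 2^61-1 and 2^89-1 (n is ~150 bits).
DEMO_P = 2 ** 61 - 1
DEMO_Q = 2 ** 89 - 1


def hex_dump_to_int(text: str) -> int:
    """Turn the certificate viewer's 'E1 7B 23 ...' dump into one big integer."""
    return int.from_bytes(bytes.fromhex("".join(text.split())), "big")


SLIDE_N = hex_dump_to_int(SLIDE_MODULUS_HEX)
SLIDE_E = hex_dump_to_int(SLIDE_EXPONENT_HEX)   # 0x010001 = 65537


def make_keypair(p: int, q: int, e: int = 65537):
    """n = p*q is public; d, the inverse of e mod (p-1)(q-1), is the private half."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public half can lock a message to its owner."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the private half unlocks it."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message: bytes, private_key) -> int:
    """Signing is the mirror image: hash the message, apply the private exponent.
    (The hash is reduced mod n because the toy modulus is smaller than SHA-256.)"""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public half checks the signature against their own hash."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    print(SLIDE_N.bit_length(), SLIDE_E)          # 2048 65537
    pub, priv = make_keypair(DEMO_P, DEMO_Q)
    c = encrypt(b"I love you all", pub)
    print(decrypt(c, priv))                      # b'I love you all'
    s = sign(b"I love you all", priv)
    print(verify(b"I love you all", s, pub), verify(b"I love you ALL", s, pub))  # True False
    # With the slide's key we can only encrypt: nobody but the site holds its d.
    print(encrypt(b"hello", (SLIDE_N, SLIDE_E)) < SLIDE_N)   # True
```

Note the asymmetry in the last line: the certificate's public key lets anyone encrypt to the site, but without the matching d there is no way back, which is exactly what a certificate is for.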
LastPass is the only password manager recommended by Steve Gibson –
Security Now podcast.
Your vault is encrypted on your own machine, with a key derived from your master password, before anything is sent, so their servers only ever hold ciphertext and they never see your data in the wild. If you want your data, you can pull it down to your local machine and decrypt it there. The flip side is that everything hangs on the master password, so make it long.
ENCRYPTION – WHAT IS IT?
Encryption turns data into unreadable bytes; the output grows with the input rather than having a fixed length. The key difference between encryption and hashing is that encrypted data can be reversed back into its original form if you have the right key.
There are two primary types of encryption: symmetric key encryption and public key encryption. In symmetric key encryption, the key used to encrypt and the key used to decrypt are exactly the same. This is what most people think of when they think of encryption.
Public key encryption, by comparison, has two different keys: one used to encrypt (the public key) and one used to decrypt (the private key). The public key is made available for anyone to use to encrypt messages; however, only the intended recipient has the private key, and therefore the ability to decrypt them.
A hash function takes a string of any length as input and produces a fixed-length string which acts as a kind of "signature" for the data provided. In this way, a person knowing the "hash value" cannot recover the original message, but anyone who knows the original message can prove the "hash value" was created from it.
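An added example (not from the slides) that runs the distinctions above: hashing gives a fixed 32-byte, one-way output, while encryption is reversible and its output is as long as the input. It also backs up the point made earlier about decrypting without the key: a wrong key yields bytes that do not decode as text, so an attacker can tell when a guess is right. The "encryption" here is a SHAKE-256 keystream XORed with the message, chosen so only the standard library is needed; it is a demonstration, not a cipher to use for real, and the candidate key list is made up.

```python
"""Hashing versus encryption, and why a wrong key is recognisable.

Added example for these notes, not from the presentation. Standard library only:
the 'cipher' is a SHAKE-256 keystream XORed with the message (no authentication
tag, no real-world use); the keys and message are made up for the demo.
"""
import hashlib
import hmac
import secrets


def digest(data: bytes) -> bytes:
    """One-way and fixed length: 32 bytes whatever the size of the input."""
    return hashlib.sha256(data).digest()


def commit(message: bytes):
    """Hash commitment: publish the hash now, reveal message and nonce later."""
    nonce = secrets.token_bytes(16)
    return digest(nonce + message), nonce


def verify_commit(commitment: bytes, nonce: bytes, message: bytes) -> bool:
    """Only someone who knows the message can show the hash came from it."""
    return hmac.compare_digest(digest(nonce + message), commitment)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into as many pseudo-random bytes as the message needs."""
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Reversible: the output is exactly as long as the input, not fixed length."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt   # XOR with the same keystream undoes it


def looks_like_text(data: bytes) -> bool:
    """The check an attacker runs on each candidate key: does it decode as text?"""
    try:
        return data.decode("ascii").isprintable()
    except UnicodeDecodeError:
        return False


def brute_force(nonce: bytes, ciphertext: bytes, candidate_keys) -> list:
    """Return every candidate key whose decryption looks like readable text."""
    return [k for k in candidate_keys if looks_like_text(decrypt(k, nonce, ciphertext))]


if __name__ == "__main__":
    message = b"I love you all"
    print(len(digest(message)), len(digest(message * 1000)))   # 32 32
    ct = encrypt(b"correct-key", b"nonce-01", message)
    print(len(ct) == len(message), decrypt(b"correct-key", b"nonce-01", ct))
    print(decrypt(b"wrong-key", b"nonce-01", ct))               # garbage bytes
    print(brute_force(b"nonce-01", ct, [b"wrong-key", b"correct-key", b"other"]))
```

The brute-force routine is the practical answer to "they will never know if the data is correct": a wrong key produces bytes that fail the most basic plausibility check, so the attacker's problem is not recognising the right key but affording enough guesses to reach it.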
Zimmermann challenged these regulations in an imaginative way. He published the entire source code of PGP in a hardback book,[18] via MIT Press, which was distributed and sold widely. Anybody wishing to build their own copy of PGP could cut off the covers, separate the pages, and scan them using an OCR program (or conceivably enter it as a type-in program if OCR software was not available), creating a set of source code text files. One could then build the application using the freely available GNU Compiler Collection. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the Ninth Circuit Court of Appeals in the Bernstein case and the Sixth Circuit Court of Appeals in the Junger case).
US export regulations regarding cryptography remain in force, but were liberalized substantially throughout the late 1990s. Since 2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to seven specific countries and a list of named groups and individuals[19] (with whom substantially all US trade is prohibited under various US export controls).