Security awareness session aiming to increase users' privacy and protect their money, identity and data.
to download this presentation please follow the following link: http://ahmadsalahe.blogspot.com/2012/09/how-not-to-be-easy-target.html
How not to be an easy target
1. Presented by: Ahmad Salah
eng.ahmad.salah84@gmail.com
https://twitter.com/AhmadSalahE
eg.linkedin.com/pub/ahmad-salah/32/b11/4a3
http://ahmadsalahe.blogspot.com/
2. • Why Should We Protect Our Data?
• Who Is The Hacker?
• Why Is the Hacker Interested In Hacking Us?
• Misconceptions
• How Not To Be An Easy Target?
3.
4. Data
Banking Information
Usernames and Passwords
Intellectual Property and Trade Secrets
Personal Files and Photos
10. Antivirus doesn’t protect against zero day attacks
Antivirus doesn’t protect against malware
Antivirus doesn’t protect against network attacks
11. Doesn't protect when you click on a malicious link
Doesn’t protect when you open an infected file
12.
13. Phishing Attacks are very easy and effective
I Sent This Mail
Fake Email Address
Infected Attachment
Malicious URL
14. No one will ask you to reset your password via email
You will not win a prize or trip from an email
15. Verify that the email comes from a trusted source
Avoid following shortened links or links that contain an IP address
Move the mouse cursor over the hyperlink before clicking
Don’t open attachments unless you verify from the source
Copy the link to your address bar instead of clicking on it
16. Brute-force Attack
1) Use long passwords
2) Use complex passwords
3) Change your password frequently
Estimated time to crack:
Password length    Four years ago    Nowadays
8 characters       22875 years       3 days
17. Dictionary Attack
1) Use an unpredictable password
2) Don't use predictable combinations, e.g. (name-birth year)
3) Avoid keyboard sequence characters, e.g. 1234
18. Use passphrase instead e.g. “I G0 2 School Daily”
Don’t let the browser remember your password
Make your email password very complex
Don’t share the same password across multiple websites
19. Ensure that the traffic is encrypted (https:// before the URL)
Check that there is a padlock located on the address bar
20. Check that the personal firewall is enabled
Avoid online banking
Avoid connecting to your company via VPN
21. Change the encryption to WPA2 or at least WPA
Use a very complex password
Hide the SSID
22. Don't give untrusted people physical access to your PC.
Avoid using USB memory as much as you can
Cover webcam unless used.
23. Switch over to HTTPS.
Don't click on suspicious links
Don't follow shortened URLs
Don't post too much information
Switch over to HTTPS.
24. Use a dedicated computer.
Use an updated (browser, operating system, antivirus)
Ensure that the personal firewall is enabled
Don't open other tabs while online banking
Don’t share banking information via email
25. Don’t store any banking information on your PC.
Enter the URL of the online banking website manually
Logout once you are finished
I have chosen this topic to clarify that there is nothing called 100% secure, but we can spend some effort on not being easy targets for hackers; for example, not leaving the car doors open and saying "who will steal my car?"
Banking Information: in the last period there has been a lot of malware targeting banking information: Zeus, SpyEye and recently Gauss, a new malware that infects the computer and captures banking login information. What if you find in your bank statement that you have been robbed?
Usernames and Passwords: personal social network accounts, VPN access to company assets, banking login information, personal email (hackers love getting usernames and passwords).
Intellectual Property: may be the most valuable thing for the organization. What if you are a KFC employee and your computer is hacked because you downloaded an infected attachment, and as a result the KFC trade secret is exposed to the public?
Personal Files and Photos: what if you find that your personal photos have been published on the internet?
A hacker can be a person or a cyber crime organization.
Zero Day Attacks: the developers don't know anything about the attack, so they have not created a patch for that particular attack, and hackers nowadays are very well educated and trained to discover new vulnerabilities.
Network Attack: for example MITM (man in the middle), which means that the attacker intercepts every single packet originating from you and every single packet coming to you, and can modify the data too.
Malicious Link: in this case your PC calls back to the hacker, so the traffic originates from your PC and appears as legitimate traffic to the firewall.
Infected File: same as the malicious link.
Phishing is attempting to acquire information such as usernames, passwords and credit card details by pretending to be a trustworthy entity or person.
Easy: if I want to hack a company I have two options: either bypass all the security measures, or just send a malicious mail to one of the employees and access the company network.
Password: this applies to security administrators, mail administrators and bank staff alike.
Prize: ignore mails that say you have won a prize and that to get it you have to click this link or reply with your banking information.
Trusted source: for example GOOGLE, not G00gle.
Shortened links: emails don't restrict the number of characters, so there is no need to use shortened links in them. An IP address means that the destination hasn't registered a domain name, so it is very suspicious.
Mouse: to see whether the URL is suspicious or not.
Attachments: if you are not expecting an attachment then there is no need to open it; even an Excel sheet might be malware. If you receive a mail from one of your contacts, it is good practice to call him and verify that he sent you this attachment, because his mail account may have been hacked.
Copy: sometimes there is something hidden in the URL.
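The link checks listed on slide 15 and in these notes (a bare IP address as host, a shortened link, hovering to compare the shown address with the real destination, GOOGLE versus G00gle) as an added Python example; it is not part of the original presentation, and the mail body, the shortener list and the digit-for-letter map are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mail body (not a real message) with the red flags the deck lists.
SAMPLE_HTML = """
<p>Please <a href="http://198.51.100.7/reset">reset your password</a>.</p>
<p>Claim your prize: <a href="http://bit.ly/3xAmPl3">bit.ly/3xAmPl3</a></p>
<p>Sign in at <a href="https://www.g00gle.com/login">https://www.google.com</a></p>
<p>Docs: <a href="https://docs.python.org/3/">docs.python.org</a></p>
"""
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}              # assumed list
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # assumed map

class LinkCollector(HTMLParser):
    """Pair every href with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def host_of(s):
    """Hostname of a URL, or of link text that looks like one, else ''."""
    if " " in s or "." not in s:
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def link_warnings(href, text):
    """The deck's red flags that apply to one hyperlink."""
    host, shown, warnings = host_of(href), host_of(text), []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("host is a bare IP address")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the real destination")
    if shown and shown != host:                   # what hovering would reveal
        warnings.append(f"link text shows {shown} but goes to {host}")
        if shown.translate(HOMOGLYPHS) == host.translate(HOMOGLYPHS):
            warnings.append("destination is a look-alike of the shown domain")
    return warnings

def scan_mail(html):
    """Map each href in the mail body to its list of warnings."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: link_warnings(href, text) for href, text in parser.links}
```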
I thought it would be good practice to tell you about the common password attacks so that you know why you should make your passwords complex.
Brute Force Attack: trying all the possible combinations until reaching the correct password. This attack will get the password for sure, but sometimes it is impractical because of the large time it requires; however, the time issue is significantly reduced: processing power can now try 33 billion passwords per second, while it was less than 10 000 passwords per second four years ago, due to the rapid growth in processing power. For example, if the password is 8 characters of lowercase and uppercase = 26 power 8 + 26 power 8, instead of lowercase only, which is 26 power 8.
Complex: upper case, lower case, digits, special characters.
Dictionary Attack: trying every single word in a dictionary in order to find a possible match.
Passphrase: long and easy to remember.
Browser remember your password: because it is stored in clear text and is easy to get when your computer is hacked.
Email Password: very important because most other passwords can be reset by sending you an email.
Don't share the same password across multiple websites: don't put all the eggs in one basket, e.g. the LinkedIn incident when six million accounts were leaked.
Padlock: means that you are visiting the website you expect and the traffic is encrypted, so no one is looking at your traffic while the transaction (online banking, writing a password) is processed.
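The brute-force arithmetic of slide 16 and the dictionary-attack patterns of slides 17 and 18 as an added Python example that is not from the original presentation; it assumes a 96-symbol alphabet, the 10,000 and 33 billion guesses per second rates and a 365-day year, which together reproduce the slide's 22875-year and 3-day figures, and the mini word list is constructed.

```python
import re

# Assumed from slide 16: 96 printable symbols, ~10,000 guesses/s "four years
# ago" versus 33 billion guesses/s today; these reproduce 22875 years and 3 days.
ALPHABET = 96
OLD_RATE, NEW_RATE = 10_000, 33_000_000_000
SECONDS_PER_YEAR = 365 * 86400

def crack_years(length, alphabet=ALPHABET, rate=NEW_RATE):
    """Years to try every combination of `length` symbols (worst case)."""
    return alphabet ** length / rate / SECONDS_PER_YEAR

def charset_size(pw):
    """Alphabet an attacker must search, given the classes the password uses."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += ALPHABET - 62          # space and punctuation
    return size

# Constructed mini word list and the predictable patterns slide 17 warns about.
DICTIONARY = {"password", "school", "welcome", "ahmad"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def predictable_reasons(pw):
    """Why a dictionary-style attack would find `pw` long before brute force."""
    low, reasons = pw.lower(), []
    if low in DICTIONARY:
        reasons.append("dictionary word")
    word = re.sub(r"\d+$", "", low)    # strip trailing digits (a birth year?)
    if word != low and word in DICTIONARY and re.fullmatch(r"(19|20)\d{2}", low[len(word):]):
        reasons.append("name/word + birth year")
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        reasons.append("keyboard sequence")
    return reasons

def assess(pw, rate=NEW_RATE):
    """Worst-case brute-force years plus the dictionary-attack red flags."""
    return {"brute_force_years": crack_years(len(pw), charset_size(pw), rate),
            "predictable": predictable_reasons(pw)}

if __name__ == "__main__":
    for pw in ["password", "ahmad1984", "Qwerty1234", "I G0 2 School Daily"]:
        print(pw, assess(pw))
```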
Wireless: your traffic moves through the air, so it is very easy for a hacker to see what you are doing, capture passwords, modify the traffic and take access to your computer, because he is on the same network.
Personal firewall: to protect your PC from being hacked.
VPN: to protect your company from being hacked through you.
Encryption: the most protective thing you can do. It is very hard to crack a WPA2 wireless network, while a WEP network can be cracked in less than 5 minutes.
Password: to make it difficult for the attacker to take access to your home network.
Hide the SSID: this will just help.
Untrusted people: even if you are using a very complex password, it is easy to crack if I have physical access to your PC.
USB: an excellent medium for spreading malware.
Webcam: if you are hacked, the attacker may have access to your webcam and record without your knowledge.
https: to ensure that your traffic is encrypted, so no one can understand it even if he can see it.
Suspicious Links: Facebook hackers often use your friends to send you messages or wall posts with harmful links. Usually these can be detected if they seem uncharacteristic for your friends, but beware of generic messages such as "I just found the coolest video!" or "Do you remember when we did this?" If ever in doubt, ask them before you open something that could be potentially harmful.
Shortened URLs: Twitter is limited to 140 characters, so people use shortened URLs, and these can infect your PC easily because you can't see the actual URL. You can limit that to trusted Twitter handles, avoid tweets that are too good to be true, and unshorten the links with http://www.unshorten.com
Much information: your phone number, detailed work experience, because this information can be used in social engineering against you. For example, an attacker can call you and tell you that your manager has delegated to him the responsibility of auditing something related to your work, then convince you to send more information via email, and that you have to respond fast because the manager is expecting the result of the audit soon.
Dedicated computer: it is good practice to use a dedicated computer.
Updated: to mitigate the common attacks.
Tabs: to protect against the case where you click a malicious link and the attacker initiates a request from your browser to transfer money to his account; this attack is called CSRF.
Share: the bank will never ask you for your banking information (PIN, account number, user, password) via email.
Store: because if your PC is hacked, hackers search for any banking information.
Manually: to protect against being directed to a malicious website which may steal your banking information.
Logout: logging out protects your cookies from being stolen and used to take access to your account.
Anti malware: to protect you from malware, which can badly affect your privacy.
Update: to avoid being attacked by common threats and to protect yourself from the threats that are disclosed when a new update is released.
USB auto run: a feature that shows you a menu to execute programs or view files; it also introduces a lot of malware to your computer.