Digital Defense for Activists (And the Rest of Us)
Who Am I?
• Michele Chubirka, aka “Mrs. Y.”
• Industry analyst, blogger, tech writer, podcaster and Security Jedi Knight.
• Researcher and pontificator on topics such as security architecture, privacy and best practices.
• Twitter: @MrsYisWhy
• www.postmodernsecurity.com
• Digs good nerd memes.
Topics
• Current Landscape
• Risk Management 101
• Digital Defense Techniques
What You Won’t Get From Me
• Digital offensive techniques and/or activities that violate state/federal laws.
• Legal advice. I’m not an attorney or law enforcement official.
• I’m also not here to fix your computer, printer, or other digital device.
“Never say anything in an electronic message that you wouldn’t want appearing, and attributed to you, in tomorrow morning’s front-page headline in the New York Times.”
—Colonel David Russell, former head of DARPA’s Information Processing Techniques Office
It’s Scary Out There
• In 2013, Edward Snowden, a Booz Allen employee contracted to the NSA, revealed massive domestic and global surveillance programs sponsored by the US, UK, and Australia.
• In May 2014, six officers of China’s People’s Liberation Army (PLA) were indicted for economic espionage against a number of U.S.-based companies.
• In November 2014, a North Korean hacker group posted corporate data from Sony Pictures on Wikileaks. This included employee PII and email.
• In June 2015, the Office of Personnel Management (OPM) announced it had been hacked. Records of 22.1M federal workers and contractors were compromised, including members of the intelligence community. The breach was attributed to China.
• In April 2015, it was disclosed that Russian hackers had breached the White House’s network.
• In the 2015 Anthem Blue Cross breach, approximately 80M records were impacted. The breach was attributed to China.
Not If, But When
• Organizations hit over the last 12 months include:
• Arby’s, Wendy’s and other food chains.
• InterContinental, Holiday Inn, Hyatt, Trump and Kimpton Hotels
• LinkedIn, LANDESK, Scottrade, Experian, Oracle, Twitter, ADP, Pwnedlist, Spotify, Yahoo!
AND
• Democratic National Committee and National Republican Senatorial Committee systems allegedly breached by Russia.
How Criminals Get Your Data
Social Engineering, aka Phishing
Passwords Really Suck
• Samples from the Ashley Madison breach
• Originally posted on Pastebin, a site for sharing text, but often used for distributing stolen data.
Brian Krebs’s Immutable Truths About Data Breaches
• If you connect it to the Internet, someone will try to hack it.
• If what you put on the Internet has value, someone will invest time and effort to steal it.
• Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.
• The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.
• Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.
https://krebsonsecurity.com/2017/01/krebss-immutable-truths-about-data-breaches/
“Only the paranoid survive.”
—Andy Grove, founder and former CEO of Intel
Freedom on the Net 2016
An annual study of internet freedom around the world
https://motherboard.vice.com/en_us/article/cameroon-internet-outage-diaspora-whatsapp
How the US Government Gets Your Data
• Communications Assistance for Law Enforcement Act – CALEA is a wiretapping law requiring telecom providers and manufacturers to provide built-in surveillance capabilities for voice and Internet traffic.
• Digital Collection System Network – DCSNet is an FBI surveillance system used for instant wiretaps for telecommunications devices in the US.
• Computer Fraud and Abuse Act – federal law making it illegal to intentionally access a computer without authorization or in excess of authorization, but proposed amendments have been sought to justify increased data collection.
• USA FREEDOM Act – Update to Patriot Act that imposed some limits on bulk metadata collection but restored authorization for roving wiretaps and tracking lone wolf terrorists.
How Technology Companies and Service Providers May Violate Your Privacy
• Monitoring network traffic for RIAA (Recording Industry of America) and MPAA (Motion Picture Association of America) violations.
• Information Sharing and Analysis Centers – ISACs are industry-focused associations that share threat data between members.
• Collection of telemetry data for security, performance analysis and troubleshooting.
• Collection of full packet data for security, performance analysis and troubleshooting.
• Providing data to law enforcement with and without warrants.
Guess Who Else Is Watching?
How the Workplace Invades Your Privacy
• Acceptable Use Policy – AUPs are agreements that employees must sign to obtain network access from an organization. They set guidelines on how the network may be used and generally contain “consent to monitoring” clauses.
• Social Media Policies – this not only includes guidelines for how you may speak about your employer, it can also impact how you are allowed to access social media sites at work.
• Security and network technologies such as firewalls, proxy servers, SSL Intercept, IDS/IPS, DLP, network taps, endpoint agents, DNS filters and other metadata collection tools.
• Most workplaces implement controls on Internet traffic similar to repressive governments.
Risk Management 101
• Risk = threat x vulnerability x impact
Asset – something of value.
Risk – exposure of asset to harm.
Threat – a person or thing likely to cause damage or harm.
Vulnerability – susceptibility to threat.
Impact – effect of damage.
Attack – action to cause harm.
“Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.”
http://searchcompliance.techtarget.com/definition/risk-management
Threat Modeling 101
• A process in which potential threats are identified and analyzed for likelihood of damage to assets.
• Helps to identify your vulnerability to various attack types.
• Assessment questions:
  - What do you want to protect?
  - Who do you want to protect it from?
  - How likely is it that you will need to protect it?
  - How bad are the consequences if you fail?
  - How much trouble are you willing to go through in order to try to prevent those?
https://ssd.eff.org/en/module/introduction-threat-modeling
http://web.mit.edu/tweilu/www/eff-ssd-mockup/threatmodel.html
Common Threats
• Stingrays aka “IMSI catchers”, wireless “evil twins”
• Social engineering campaigns using phishing/spearphishing
• Malware, backdoors and surveillance software
• OSINT (open source intelligence aka “passive recon”) – gathered from social media, blogs, whois, EXIF data, Spokeo, PeekYou, Google Hacking, etc.
• Denial of Service (DoS/DDoS) attacks
• Compromised privacy software and technologies (open source encryption, hiding or purchasing vulnerabilities, setting up bogus Tor nodes)
Governments use the SAME TECHNIQUES AS HACKERS to track you and violate your privacy.
WARNING!
Passive Reconnaissance Using Whois
EXIF Photo Data
Your Cell Phone Is a Tracking Device
Even when the GPS is disabled, your phone may leak location information.
• When a device isn’t associated to a Wi-Fi network, it sends “beacons” attempting to reconnect to a previously used network. On some devices, “airplane mode” doesn’t disable the wireless functionality. This leaks information about the device and can also make it vulnerable to “man in the middle” attacks, hijacking any Internet traffic.
• Cellular networks can use cell tower position and distance to calculate your location.
• Mobile devices and laptops have unique hardware addresses such as the MAC, IMSI, IMEI and MEID. These can be used for tracking.
• Internet traffic uses a logical address, an IP number, for sending and receiving traffic. This data is easily captured and viewed over an open wireless network.
• Bluetooth – a short range wireless device for connecting to speakers or keyboards. It has a physical address and signal that can be intercepted or tracked.
• IMSI “catchers” aka Stingrays can track the hardware address of your phone and intercept cellular connections, allowing data and voice traffic to be monitored.
Monitoring Wireless Networks
Identifying Wireless User Devices
Network Protocol Analyzer
Online Security Basics
• Email links are dangerous. Use caution.
• Don’t open attachments you aren’t expecting. Scan with an AV program prior to opening.
• Be careful when sharing information on social media.
• Use secure, encrypted connections when transmitting personal information.
• Never send passwords in email.
• Avoid using public computers in libraries or hotels.
• Don’t use Wi-Fi in airports, coffee shops or hotels. If you must, use a VPN.
• Never leave passwords, credit card numbers or your SSN unencrypted in email, in the cloud or on your computer.
• Shred anything with your data before throwing away.
Data Privacy Principles
• Identify and categorize your personal data in terms of risk. The most sensitive information deserves the greatest care.
• Minimize the creation of sensitive data.
• Delete any sensitive data whenever possible.
• Encrypt any of this data that can’t be deleted.
How to Verify a Secure Browser Connection
Securing Your Browser (and Your Privacy)
• Web browsers can be dangerous. Information they collect and store can be used by malicious actors for surveillance. A web browser can also be used to deliver malware or backdoors.
• Helpful tools:
  - Tor browser (there are mobile versions for Android and iOS)
  - Privacy Badger
  - Ghostery privacy extension
  - Incognito mode in Chrome or private browsing in Firefox.
• Search engines without personalization or tracking
  - DuckDuckGo https://duckduckgo.com/
  - searX https://searx.me/
  - Startpage https://www.startpage.com/
  - Trackmenot https://addons.mozilla.org/en-us/firefox/addon/trackmenot/
• Avoid Flash and other helper apps; they leak information. Disable by default.
• Periodically delete cache, cookies and other stored data.
Ghostery and Privacy Badger
Secure Searching
DuckDuckGo is a non-tracking search engine
https://duckduckgo.com/
Chrome and Firefox Private Browsing
Panopticlick
https://panopticlick.eff.org/
Tor – the onion router
Tor Browser - https://www.torproject.org/
Tor Tips
• Tor only protects applications that are configured to send Internet traffic through Tor. To avoid problems, use the pre-configured Tor Browser or Tails OS.
• The Tor Browser blocks browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address.
• Use HTTPS versions of websites. Tor will only encrypt your traffic to and within the Tor network.
• Don't open documents downloaded through Tor while online; this could leak data through helper apps.
• If you must work with DOC and/or PDF files, use a disconnected computer, a virtual machine image with networking disabled, or Tails.
• Tor prevents the disclosure of websites you connect to, but it does not prevent someone learning that you're using Tor.
Personal VPNs
• Similar to Tor, Virtual Private Networks (VPNs) can provide an additional layer of protection from surveillance.
• A VPN creates an encrypted tunnel for your traffic and can route it through another network, sometimes through another country.
• A VPN hides your original IP address and all your traffic inside the tunnel.
• Can also help to evade monitoring and censorship of Internet content.
VPN Tips
• Look for a VPN provider with locations outside the US. Some have stricter privacy laws and won’t readily provide traffic logs or user data to US law enforcement.
• Focus on providers that don’t store traffic logs at all, so the history of your online activity is less likely to be tracked.
http://www.techradar.com/news/the-best-vpn-services-and-vpn-deals-of-2017
http://www.pcmag.com/article2/0,2817,2403388,00.asp
Encryption
Cryptography Basics
• Encryption is the technique of obfuscating data to prevent unauthorized access.
• Cryptographic tools can provide the following:
  - Confidentiality – keeping information private through encryption
  - Integrity – making sure data hasn’t been altered
  - Authentication – ensuring identity
  - Non-repudiation – preventing refutation
Always ask yourself, “Who has the keys?” If it isn’t you, that organization can be forced to provide them to law enforcement.
Encryption Use-Cases
• Encryption-at-rest means data on a device is stored encrypted (a computer disk or mobile device).
• Encryption-in-transit means data is encrypted while in motion over a network (HTTPS).
• Full disk or device encryption is used to prevent unauthorized physical access to information on a device.
• Email encryption can be used to ensure confidentiality, integrity and non-repudiation of email communication.
• Encrypted chat and text messaging is used to ensure confidentiality of communication in transit. Sometimes integrity and non-repudiation as well.
Encryption Tools
• FileVault on OSX or Bitlocker on Windows
• Android and iOS have native encryption
• For email: Thunderbird with the Enigmail plugin, Protonmail, Virtru, Voltage, Hushmail
• With chat: ChatSecure, Zom Mobile Messenger, Pidgin or Adium and OTR (off the record)
• Text messaging: Signal, WhatsApp
Why Encryption Fails
• Poor password (i.e. key)
• Unsecured password/key
• Physical access to a running device (Cold Boot Attack, Evil Maid Attack)
• Email is sent encrypted, but stored unencrypted.
• Unencrypted chat logs are stored on a device.
• Failure to delete data securely.
• Encryption implementation has a backdoor, uses a weak cipher or is implemented improperly.
https://postmodernsecurity.com/category/security-soc-puppets/
Gert and Bernie on Email Security
Turning On Encryption: iOS and Android
How to encrypt Android https://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/
How to encrypt an iPhone http://www.zdnet.com/article/how-to-turn-on-iphone-ipad-encryption-in-one-minute/
Enable Encryption: Windows and OSX
Enabling FileVault https://support.apple.com/en-us/HT204837
Enabling Bitlocker https://uit.stanford.edu/service/encryption/wholedisk/bitlocker
ProtonMail and Virtru
Chatsecure and Signal
Endpoint Protection and Anti-Virus Software
• Yes, Macs get malware.
• Install or turn on your firewall. On OSX, it isn’t enabled by default.
• Set boot and screensaver passwords.
• Apply all application patches and operating system updates.
• Make sure mobile devices (laptops, phones, tablets) have screen timeouts and are password protected. The fingerprint reader is okay, but avoid PINs.
• If your computer becomes infected with malware, reinstall it. Modern malware is difficult to remove completely.
https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/
Password Managers
Going Off The Grid
• Use dedicated devices: prepaid phones and laptops without any personal information or accounts.
• Use special software that runs a virtualized computer image on your system and can be easily destroyed.
  - VMware Fusion
  - Parallels
  - VirtualBox
• Boot from a read-only OS, run applications from a USB drive or a sandbox environment.
  - Tails
  - Portable Apps
  - Qubes OS
VMware Fusion: Windows on Mac
Tails and Portable Apps
Facebook Privacy and Security Options
Twitter and LinkedIn Privacy Options
OSINT Tool: Stalkscan
Defense in Depth
• Enable multi-factor authentication on accounts, regularly change passwords and use a password safe to limit password reuse.
• Delete data securely.
• ENCRYPT: mobile devices, laptops, email, chat, messaging.
• Cover web cameras. Strip EXIF data from photos and configure your devices not to add location information.
• Turn off location tracking in your devices except when you need it.
• If you need to travel with an electronic device, consider using one dedicated for this purpose that has limited access to personal data. When crossing a border, always shut down devices completely.
• Never take an electronic device to a demonstration or consider purchasing a “burner” which isn’t associated with any of your accounts.
• Use anti-virus, a firewall and patch your devices regularly. Secure your home network: encrypt wireless, change the default password on your router, configure the firewall. Remember, apply security in layers.
• Avoid unencrypted wireless. If you must use it, then only with a VPN.
• Enable privacy options in social media accounts and in your browser. Use search engines and other tools to validate your settings.
• Separate your social media personas, don’t use real names if not required.
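The advice above to strip EXIF data from photos, shown as an added example that is not part of the original slides: it walks a JPEG's segments, drops the APP1 blocks that carry EXIF (and, going slightly beyond the slide, XMP) metadata, and reports whether the removed EXIF block pointed at GPS data. The function names and the sample bytes are constructed for this illustration.

```python
import struct

SOI = b"\xff\xd8"
# APP1 payload prefixes that carry metadata: EXIF, and XMP (which can repeat GPS fields).
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory


def split_jpeg(data):
    """Return ([(marker, payload), ...], tail) where tail starts at SOS or EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        if data[pos + 1] == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # image data starts: copy the rest untouched
            return segments, data[pos:]
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 4:end]))
        pos = end
    raise ValueError("no image data found")


def exif_has_gps(payload):
    """True if an EXIF payload's IFD0 contains a pointer to a GPS directory."""
    if not payload.startswith(METADATA_PREFIXES[0]):
        return False
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break
        if struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def strip_metadata(data):
    """Return (cleaned_jpeg, report); report lists each removed APP1 segment."""
    segments, tail = split_jpeg(data)
    out, report = bytearray(SOI), []
    for marker, payload in segments:
        if marker == 0xE1 and payload.startswith(METADATA_PREFIXES):
            report.append({"bytes": len(payload) + 4, "gps": exif_has_gps(payload)})
            continue
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out) + tail, report


def build_sample():
    """Constructed test input: JPEG framing with a JFIF header and an EXIF block
    whose IFD0 holds one entry, a GPS pointer. Not a decodable picture."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    tiff = b"II" + struct.pack("<HI", 42, 8)             # little-endian TIFF, IFD0 at 8
    tiff += struct.pack("<H", 1)                          # one IFD0 entry
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)   # LONG pointing at offset 26
    tiff += struct.pack("<I", 0)                          # no further IFD
    tiff += struct.pack("<HI", 0, 0)                      # empty GPS directory at 26
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda\x00\x02\x12\x34\xff\xd9"            # SOS, dummy data, EOI
    return SOI + seg(0xE0, jfif) + seg(0xE1, METADATA_PREFIXES[0] + tiff) + scan


if __name__ == "__main__":
    cleaned, report = strip_metadata(build_sample())
    print(report, len(cleaned), "bytes after stripping")
```

The embedded thumbnail lives inside the EXIF block and goes with it; IPTC data in APP13 segments is left in place by this sketch.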
Trust No One
CAUTION: There are limitations to any security tool. A dedicated adversary with the right resources (time and money) can bypass them.
LAYER YOUR DEFENSES!
Resources
• How Whole Disk Encryption Works https://www.symantec.com/content/en/us/enterprise/white_papers/b-pgp_how_wholedisk_encryption_works_WP_21158817.en-us.pdf
• Chatting in Secret https://theintercept.com/2015/07/14/communicating-secret-watched/
• Enemies of the Internet http://surveillance.rsf.org/en/
• Me and My Shadow Project https://myshadow.org/
• Freedom on the Net https://freedomhouse.org/report-types/freedom-net
• Access Now Digital Security Helpline https://www.accessnow.org/help/
• EFF Surveillance Self Defense for tutorials on using security tools https://ssd.eff.org/
• Krebs On Security http://krebsonsecurity.com/
• Best VPN Services 2017 http://www.pcmag.com/article2/0,2817,2403388,00.asp
• Digital First Aid Kit https://www.digitaldefenders.org/digitalfirstaid/
• Tor Browser, Orbot or Onion Browser for mobile devices https://www.torproject.org/about/overview.html.en
• Burner Phone Best Practices http://www.b3rn3d.com/blog/2014/01/22/burnerphone/
• Password managers: Dashlane, 1Password, Lastpass
