2. Why This Talk?
• I care about you and your data
• I’m tired of regular users suffering for mistakes made by large organizations (data breaches) or being caught by the simplest of phishing scams
• Often small adjustments in user behavior can have a large impact on security and privacy
• To encourage you to focus your energy in the areas that most affect you
3. Whoami
• Geoffrey Vaughan @MrVaughan
• Sr. Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
4. TL;DR: If you only read one slide
Giving it all away at the beginning:
1) Use a password manager
2) Keep your devices up-to-date
3) Use 2-Factor Authentication on all your accounts
4) Free Wifi Comes at a cost – Don’t connect to untrusted networks
5) Lock and encrypt your devices (phones + computers)
For more information, I wrote a Guide:
https://web.securityinnovation.com/essential-guide-to-online-security
5. Beyond the Basics: How Paranoid Should I Be?
• Protecting your data and privacy online can take a lot of effort.
• Complete anonymity is really hard.
• It will always be a trade-off between usability, security, and privacy.
8. 5 Minute Threat Modelling
• What assets are you trying to protect?
• What threats are the assets under?
• What is the likelihood of a threat being realized?
• What measures can help mitigate or decrease the risk associated with the threat?
9. Threat Modeling the Slightly Longer Way
1. List all assets you want to protect
2. Define user groups / roles
3. Define components and systems your assets interact with
4. Build an access matrix
5. Define your threats
6. Assess highest risk threats
7. Think of all the ways the risks can be exploited
8. Implement mitigating controls to reduce risk
11. Assets to Protect
• Personal Information - Name, Age, DOB, Spouse, Children, Parents
• Personal Pictures, videos, documents
• Financial Information - Banking, loan, credit
• Location - Home address, places you frequent, or where you are right now
• Physical Devices
• Business Assets on devices
• Personal Communications/Conversations - Emails, Text Messages, Chat, phone calls, etc.
• Data about Data – When you called someone, who you text messaged
13. User Groups
• Private – Things you keep completely to yourself
• Significant other
• Known Threat (stalker, ex SO, abuser, online bully)
• Immediate Family and close friends
• Extended friends
• General Public
• Employer
• Doctor / Lawyer
• Foreign / Domestic Governments
15. Components
Places where your assets are stored:
• Mobile device – Apps you use, device storage, cache, browser history
• Computer – device storage, applications
• Services – LinkedIn, Facebook, Twitter, Instagram, etc.
• Third party trackers – Marketing and Analytics software to track you
• Wireless networks – Home vs. while travelling
• Cellular carriers
• Border screening check points
18. Access Matrix?
• A table defining rules for how various user groups can interact with assets
• For any user group, a user may be able to create, read, update, or delete an asset
• An access matrix defines all of these rules
26. Generating Threats
• Now that we have defined all of our rules, think of all the ways that these rules can be broken.
• These are your threats.
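The access matrix (slide 18), the "break the rules" threat generation (slide 26), and the risk ranking and "where are you vulnerable" steps (slides 9 and 31) fit together mechanically, so here is an added worked example in Python. It is not code from the talk or from Security Innovation; the assets, user groups, permitted operations and 1-5 scores are constructed sample values chosen to mirror the slides.

```python
# Added example (not from the talk): a personal access matrix that drives
# threat generation and risk ranking, i.e. steps 4-6 of the longer procedure.
# All asset names, groups, permissions and scores are constructed sample values.
from itertools import product

OPS = ("create", "read", "update", "delete")   # CRUD, as on the slide

# Assets you want to protect, and the components that hold each one
ASSETS = {
    "financial information": ["computer", "bank web service"],
    "personal communications": ["mobile device", "email provider"],
    "authentication credentials": ["password manager", "mobile device"],
    "location": ["mobile device", "cellular carrier"],
}

GROUPS = ("self", "significant other", "employer", "general public", "known threat")

# The access matrix: each entry is a rule saying who may do what to which asset.
# Anything absent is forbidden, and a forbidden operation that happens anyway
# is a threat.
ALLOWED = {
    ("self", "financial information"): set(OPS),
    ("self", "personal communications"): set(OPS),
    ("self", "authentication credentials"): set(OPS),
    ("self", "location"): set(OPS),
    ("significant other", "location"): {"read"},
    ("significant other", "personal communications"): {"read"},
    ("employer", "location"): {"read"},   # hypothetical: work travel tracking
}

# Constructed 1-5 scores used to rank the generated threats
LIKELIHOOD = {"significant other": 2, "employer": 2, "general public": 4, "known threat": 3}
IMPACT = {"financial information": 5, "authentication credentials": 5,
          "personal communications": 4, "location": 3}
OP_WEIGHT = {"read": 3, "update": 2, "delete": 2, "create": 1}


def is_allowed(group, asset, op):
    """True when the matrix grants `group` the operation `op` on `asset`."""
    return op in ALLOWED.get((group, asset), set())


def render_matrix():
    """The matrix as rows of 'group | asset | CRUD', with '-' marking a denied op."""
    rows = []
    for group, asset in product(GROUPS, ASSETS):
        cell = "".join(op[0].upper() if is_allowed(group, asset, op) else "-" for op in OPS)
        rows.append(f"{group:18} | {asset:27} | {cell}")
    return rows


def generate_threats():
    """Every (group, asset, op) the matrix does not permit is a rule that can be broken."""
    return [{"group": g, "asset": a, "op": op}
            for g, a, op in product(GROUPS, ASSETS, OPS)
            if not is_allowed(g, a, op)]


def risk_score(threat):
    """Likelihood x impact, weighted by how damaging the operation is."""
    return (LIKELIHOOD.get(threat["group"], 1)
            * IMPACT[threat["asset"]]
            * OP_WEIGHT[threat["op"]])


def rank_threats(threats, top=5):
    """Highest-risk threats first; sorted() is stable, so ties keep matrix order."""
    return sorted(threats, key=risk_score, reverse=True)[:top]


def exposed_components(threat):
    """Where to look for ways the threat could be realised: each component holding the asset."""
    return list(ASSETS[threat["asset"]])


if __name__ == "__main__":
    print("\n".join(render_matrix()))
    threats = generate_threats()
    print(f"\n{len(threats)} rules that can be broken; top 5 by risk:")
    for t in rank_threats(threats):
        print(f"  {risk_score(t):3}  {t['group']} can {t['op']} {t['asset']}"
              f"  (check: {', '.join(exposed_components(t))})")
```

With these sample values the matrix yields 61 breakable rules, and the two highest-risk ones are the general public reading financial information and reading authentication credentials; the components listed beside each top threat are the places to enumerate on the "where are you vulnerable" step. Change the scores or the matrix to reflect your own situation and the ranking follows.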
27. My Threats
• Unauthorized read of sensitive information not disclosed publicly (all other groups)
• Foreign government can read authentication credentials
• Any unauthorized user can read authentication credentials
• Significant other reads purchasing habits and learns how much I spend on lunches, what their present is, or how much that new tech toy actually cost.
• Unauthorized create, update, delete of beneficiary information
• General Public or Known Threat reads sensitive information not disclosed publicly
• Unauthorized read of sensitive personal media (tier 1)
• Unauthorized creation of sensitive personal media (tier 1)
• User is unable to delete sensitive personal media (tier 1)
• Unauthorized read of sensitive personal media (tier 2)
• Unauthorized creation of sensitive personal media (tier 2)
• User (self) is unable to delete personal information
• Unauthorized read of location information
• Significant other is able to update or delete personal information affecting access to resources
• Any unauthorized user can update authentication credentials
• Attacker or Known Threat can create authentication credentials for accounts in your name
• Any user is able to update or delete personal information
• Any user is able to create personal information to impersonate you
• Unauthorized read of beneficiary information
• Unauthorized read of meta-data
• Unauthorized read of purchasing habits
• Unauthorized read of personal communications
• Unauthorized read of associations
• Unauthorized read, update, or delete of business assets
• Unauthorized creation, read, update, or delete of financial information
28. My Top Threats
• Unauthorized read of sensitive personal media (tier 1)
• Unauthorized creation, read, update, or delete of financial information
• Unauthorized read, update, or delete of business assets
• Any unauthorized user can read authentication credentials
• Unauthorized read of personal communications
• Unauthorized read of sensitive information not disclosed publicly (all other groups)
29. Threats that are not high in my threat model that might be in yours
• Being unable to delete personal media from the internet (revenge porn)
• Hiding location and personal information from a stalker
• Hiding information from an abusive partner or ex-partner
• Employer spying on your Internet activity
• Protecting sexual identity or associations
• Attending a protest safely
• Protecting sources and associations as a journalist/activist
• Maintaining an anonymous presence online
• Dealing with identity theft
31. Where are you vulnerable?
• For each top threat in your threat model, think of all the ways that threat could be exploited.
• Consider all of the components that contain the asset under threat and the ways it could be exploited.
32. Ex: Unauthorized read of sensitive personal media
Mobile Device
* Device is compromised via malware or rootkit
* Insecure transmission of sensitive data from device to recipient (SMS)
* Unattended unlocked device
* Unauthorized device backup
* Unencrypted storage of sensitive media
* Malicious app gains access to media storage
* Devices are lost, stolen, or otherwise compromised
Computer
* Device is compromised via malware
* Insecure transmission of sensitive data from device to recipient (http, ftp, etc.)
* Unattended unlocked device
* Unauthorized device backup
* Unencrypted storage of sensitive media
* Devices are lost, stolen, or otherwise compromised
Web Service
* Data unintentionally shared with web services
* Unauthorized access to media storage by web service
Corporate Servers
* Sensitive media is inadvertently shared to corporate servers
* Personal data flowing through corporate servers
* Corporate IT installs monitoring software
Email Provider
* Email account is compromised, leaking sensitive media
Wireless Networks, Cellular Carriers, Internet Service Providers, Relays
* Insecure transmission of sensitive media
Contact Device
* Device is compromised via malware or rootkit
* Insecure transmission of sensitive data from device to recipient (SMS)
* Unattended unlocked device
* Unauthorized device backup
* Unencrypted storage of sensitive media
* Malicious app gains access to media storage
Border Screening Checkpoint
* Devices are confiscated and forensic analysis is performed against them
* Forced unlock of device
* Forced disclosure of usernames and passwords
* Forensic memory analysis is performed on devices
* Lock screen bypass techniques
* Confiscated device image is uploaded to remote provider who is later hacked
34. Protecting Financial Data
• Use strong passwords
• Check your financial statements regularly
• Check your credit report annually
• Enable 2-Factor authentication on all accounts
• Using a big retailer is probably better than a small online shop
35. Border Crossing
• Do your homework and prep in advance
• Print all documents you need so you can turn your phone off
• Use strong (long) passwords on all devices
• If concerned, get alternate computer/mobile devices to use when traveling
• Your goal is to not draw attention to yourself
• Be prepared for what you will say/do if asked to unlock your device
• Remember that border officials are permitted to lie to you, but DON’T LIE TO THEM
• If at any time you lose custody of your device, assume it’s been compromised and copied
36. Protesting safely
• Strongly consider leaving your device at home
• If not, only communicate via Signal app
• Record and post later vs. live streaming
• Strong passcode with fingerprint unlock disabled
Great video by The Intercept:
https://theintercept.com/2017/04/21/cybersecurity-for-the-people-how-to-protect-your-privacy-at-a-protest/
37. Hiding information from stalker / abusive ex-partner
• Make up new identities/aliases for each network you use
• Don’t have them overlap
• This includes cell/internet/cable providers, banks, and any other related accounts
• Adjust and review privacy settings on all apps / device regularly
• Be very choosy about who you let in to your networks as friends
• Get help!
• Violet Blue’s Smart Girl’s Guide to Privacy: https://www.nostarch.com/smartgirlsguide
38. Protecting Sources as a Journalist
• Some journalists are starting to take this seriously and are getting better at it
• With high risk sources, significant effort will need to be taken.
• This might include burner devices for all parties involved, never turning them on in the news office or at home
• Full disk encryption, Signal, strong passwords
• An air-gapped computer devoted exclusively to email / tip lines
• GET HELP!
39. Resources
I wrote a paper:
Essential Guide to Online Security
https://web.securityinnovation.com/essential-guide-to-online-security
First time giving this talk.
Why talk about the really wild and ‘sophisticated’ hacks when most people are barely doing the basics correctly?
It’s been 4.5 months since I was last let out of my basement for work.
5) Don’t wait for a crypto locker to do it for you
This is by no means a complete list; there are definitely way more threats to consider than we can talk about today.
It greatly depends on your personal TM.
Governments, NSA, Russia, China, Anonymous, IoT toaster, Connected Sex Toy
Crazy defenses, use signal, use tor, get a vpn,
Twitter Troll Definition: Ryan Gooler @jippen Oct 20
@mrvaughan a plan for how to lose the company, used to help keep it running
Threat models can be long, painful processes by companies to plan for every possible outcome… They don’t have to be complex.
Ask yourself these four questions, take some notes, and then take action.
Trust me, there are much longer ways still.
Access Matrix - (rules defining which users can read/write which assets)
7. Hack yourself
Ask a few people:
Stick to digital for the time being.
Show of hands if you care about that?
Participate for a few (put in slide prompt)
“That guy’s a jerk”
“He smells”
“They’re lazy”
Put it all together and what do you get?
This helps you visualize the threats associated with all the devices, components, and networks you use.
Bad guy quota
Talk about sometimes
Talk about writing down the rules you care about; anything that can break that rule is a threat.
These are all the ways I worry about my personal rules being broken. From this we can develop our top threats.
Things I am most concerned about:
Protecting business assets
Protecting personal communication
Protecting authentication credentials (account access)
Protecting financial information
How likely are the threats to be realized, and how would you be exploited?