Online Privacy - What everyone should know - Full Sail Hall of Fame Week - 2017


Transcript of Online Privacy - What everyone should know - Full Sail Hall of Fame Week - 2017

Page 1: Online Privacy - What everyone should know - Full Sail Hall of Fame Week - 2017

ONLINE PRIVACY: What everyone should know
Full Sail Hall of Fame Week - 2017

www.FourthAmendmentAsAService.org - @4thAsAService

Page 2

LEGAL DISCLAIMER

• We are not lawyers
• We are not your lawyers
• None of the presented or provided content constitutes legal advice.
• This is general security & privacy advice from security & privacy advocates.
• Consult with a lawyer before making your decisions.


Page 3

About Us and About the Presentation

INTRODUCTIONS

Page 4

ABOUT THE PRESENTER(S)


Ean Meyer
• Security Professional working with Fortune 500s
• Focused on compliance and risk management
• BSides Speaker
• Tripwire State of Security Guest Blogger
• Course Director for Full Sail University
• Security Mentor
• Privacy Advocate

Hobbies – Lockpicking, Makerscene, Writing

Page 5

ABOUT THE PRESENTER(S)


Jack Norman
• MS, IA and Cyber Security, FIT
• EM and Homeland Security Certificate, UCF
• Executive MBA, UCF
• BS Electrical Engineering, UB
• Board Member - OWASP Orlando
• Sr. Information Security Engineer
• Course Director for Full Sail University
• Privacy Advocate

Hobbies – Outdoors, firearms, swinging a hammer, anything not involving a computer.


Page 6

How did we get here?

Page 7

Marginalized Groups

• Protesters
• Genders
• People of Color
• LGBTQ+
• Foreigners
• Religious Affiliation
• Dissenting Political Voices


Page 8

ABOUT THE PRESENTATION


• Topics we will cover
  – Your Right to Privacy
  – Secure Communications - Protecting Yourself
  – Online Privacy
  – Privacy Tools

• Things we won’t cover
  – Illegal or unethical use
    – If you are here to learn how to avoid the law… leave
    – Law enforcement has a hard enough job as is
  – In-depth discussions of technology
  – In-depth State and Local Law
  – Legality as it applies to your specific situation

• Q&A
  – We will have 5 minutes for Q&A at the end
  – Please hold your questions until the end

Page 9

YOUR RIGHT TO PRIVACY

Why should I care? I have nothing to hide.

Page 10

“Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order, to efficiency of operation, to scientific advancement and the like.”

William O. Douglas (1898-1980), U. S. Supreme Court Justice

Page 11

Fourth Amendment

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

https://www.law.cornell.edu/constitution/fourth_amendment


Page 12

Fourth Amendment

How does it protect me?
• Unreasonable searches and seizures
• Arbitrary arrests
• Basis
  – Search Warrants
  – Stop-and-frisk / Safety inspections
• Wiretaps


Page 13

Other Constitutional Amendments

These also help define privacy:
• 1st – “Freedoms”
• 5th – “Self Incrimination”
• 14th – “Equal Protections” (“Personal Autonomy”)


Page 14

Why is privacy important now?

Current Events

Page 15

Apple on Privacy and Encryption

“They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong.”

Tim Cook - Apple CEO, June 2, 2015
https://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/


REDACTED

Page 16

If it’s FREE, YOU are the product

Page 17

BIG DATA


Page 18

BIG DATA - Correlation, Correlation, Correlation


[Diagram: three overlapping circles of data, “Things you looked at”, “Places you were” and “Things you like”. Where two circles overlap the match is “Maybe You”; where all three overlap it is “Highly Likely You”.]

Things you like
• Social Media Likes
• Shares
• Cookies
• Click Tracking
• Favorites
• Referrals
• Meta Data Analysis

Things you looked at
• History
• Cache
• Cookies
• Searches
• Image Capture - Vizio

Places you were
• GPS
• Photo Analysis
• People you’re with
• Beacons
• WiFi
• Cell Triangulation

Now imagine BILLIONS of data points

What do you think Twitter knows? https://foller.me/

Page 19

Identifying People

We can identify 87% of the population uniquely using only:
– Gender
– Date of Birth
– Zip Code

http://dataprivacylab.org/projects/identifiability/paper1.pdf
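To make the 87% figure concrete, here is an added example (not part of the presentation) that measures how many records in a small constructed dataset are unique on the three quasi-identifiers from the slide, gender, date of birth and ZIP code, and shows the effect of one common mitigation, coarsening the values before release. The records, field names and the `generalize` rule are assumptions for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: a "de-identified" extract with names removed but the
# three quasi-identifiers from the slide left intact (all values made up).
RECORDS = [
    {"gender": "F", "dob": date(1984, 3, 12),  "zip": "32801", "diagnosis": "A"},
    {"gender": "M", "dob": date(1990, 7, 4),   "zip": "32801", "diagnosis": "B"},
    {"gender": "F", "dob": date(1984, 3, 12),  "zip": "32801", "diagnosis": "C"},
    {"gender": "M", "dob": date(1975, 11, 30), "zip": "32803", "diagnosis": "A"},
    {"gender": "M", "dob": date(1975, 5, 2),   "zip": "32806", "diagnosis": "B"},
    {"gender": "M", "dob": date(1990, 7, 4),   "zip": "32805", "diagnosis": "C"},
]

QUASI_IDENTIFIERS = ("gender", "dob", "zip")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Fraction of records whose quasi-identifier combination occurs exactly once.

    Such a record can be linked back to one person by anyone holding a second
    dataset (e.g. a voter roll) that carries the same three attributes.
    """
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return singletons / len(records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence-class size; k = 1 means at least one person is unique."""
    return min(equivalence_classes(records, keys).values())


def generalize(record):
    """Assumed mitigation: keep only birth year and the 3-digit ZIP prefix."""
    return {**record, "dob": record["dob"].year, "zip": record["zip"][:3]}


if __name__ == "__main__":
    print(f"raw data:         k={k_anonymity(RECORDS)}, "
          f"unique={unique_fraction(RECORDS):.0%}")
    coarse = [generalize(r) for r in RECORDS]
    print(f"generalized data: k={k_anonymity(coarse)}, "
          f"unique={unique_fraction(coarse):.0%}")
```

On the sample, four of six raw records are unique (k = 1); after coarsening, every record shares its values with at least one other (k = 2), which is the property a releasing organisation should check before calling a dataset anonymous.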


Page 20

Advertising Networks

• You can be uniquely identified by your browser with 97% accuracy

• Information is shared, sold and auctioned - with your permission.

• Target determined a 16 year old was pregnant before the family knew, based off of search queries.
http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#7f93522d34c6


REMOVED FOR MATTERS OF NATIONAL SECURITY

Page 21

4chan ISIS Strike

• 4chan, an online forum, used meta data analysis to locate ISIS fighters

• Utilizing data gleaned from social media posts, photos, and other information found online, they identified ISIS sites

• This information was used to call in strikes on those sites.
http://www.vocativ.com/326039/how-one-4chan-board-is-trying-to-fight-isis-in-syria/


THIS CONTENT MAY BE USED AGAINST YOU IN A COURT OF LAW

Page 22

Social Media is monitored

• Law Enforcement is monitoring social media

• No warrant or oversight needed for public posts

• EULAs often allow for your data to be shared as part of a legal request
https://www.washingtonpost.com/news/the-switch/wp/2016/11/18/police-are-spending-millions-to-monitor-the-social-media-of-protesters-and-suspects/?utm_term=.fe4ad20a62a8


THIS CONTENT WAS REMOVED FOR YOUR PROTECTION

Page 23

This Couldn’t Happen to Me

• Reddit investigations gone wrong – Sunil Tripathi
• Find my Phone leads to wrong home and threats
• Snapchat Revenge Sites
• Farm in Kansas becomes site of threats as online tracking goes wrong
• Three Felonies a Day


Page 24

What do you think your online activities say about you?

Do you think it is a realistic depiction of you?

Do you think it could be taken out of context?

Page 25

If it’s a legal request, shouldn’t there be a back door for law enforcement?

What’s wrong with backdoors?

Page 26

On Encryption Backdoors

Compliance with Court Orders Act of 2016
• Initial attempt to require backdoors into encryption
• Bill would require companies to create a mechanism that would allow for encrypted data to be retrieved without consent
• Proposed by Sen. Richard Burr – Chairman of the Senate Intelligence Committee – and Sen. Dianne Feinstein

https://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/


Page 27

Encryption Backdoors

Tools were created to leverage backdoor vulnerabilities in Juniper’s code to listen in on encrypted conversations.

Although authorized organizations could use this backdoor, there was nothing stopping anyone who knew it existed from using it.

Juniper is the second largest network equipment manufacturer, behind Cisco.

https://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/


Page 28

Encryption Backdoors

A report from the Encryption Working Group, put together by two House committees, found:

• There is no way to stop bad actors from adopting encryption.

• The Committees should explore other strategies to address the needs of the law enforcement community.

Encryption Working Group Year End Report - 2016, page 5
https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf


Page 29

Encryption Backdoors

The FBI paid a one-time fee to Cellebrite, a security firm specializing in mobile phones, to unlock an iPhone which may contain evidence related to the San Bernardino terrorist attacks.

The FBI had a legal order to unlock the phone, and Cellebrite’s tools were able to unlock it.
https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html?utm_term=.49f13b074cbc


IS THIS GIMMICK STILL WORKING?

Page 30

Encryption Backdoors

Recently, tools allegedly used to break the encryption on an iPhone associated with the San Bernardino terrorist attacks were reported stolen from Cellebrite and dumped online.

The vulnerabilities used for this legal court order for information may now be in the hands of criminals.

https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite


NO? WELL, IT’S THE LAST ONE ANYWAY

Page 31

Stalking, CyberBullying, Abuse, and protecting yourself

Secure Communications: Moscow Rules


Page 32

Perfect Security

• It doesn’t exist
• Going off the grid is near impossible
• No protection is unbreakable
• It’s about reducing your attack surface
• Best time to plant a tree is 20 years ago…

Security isn’t about technology; it’s about behavior.


Page 33

Fundamentals (Rational Paranoia)

1. Assume nothing.

2. Never go against your gut.

3. Everyone is potentially under opposition control.

4. Do not look back; you are never completely alone.

5. Go with the flow, blend in.

Moscow Rules number anywhere from 10 to 40; we went with the fundamentals.


Page 34

Fundamentals (Rational Paranoia), continued

6. Vary your pattern and stay within your cover.

7. Lull them into a sense of complacency.

8. Do not harass the opposition.

9. Pick the time and place for action.

10. Keep your options open.


Page 35

These seem silly, why would you do this?


Use cases:

• Domestic abuse situations, where accounts and information formerly shared with the abuser may be compromised

• If you or your peers are members of an at-risk demographic group

• Any situation concerning personal safety that requires alternate communications with trusted partners

Page 36

These seem silly, why would you do this?


Use cases:

• Protecting activism communication channels, future-proofing against eventual compromise, or where past activism has come under scrutiny

• General communication hygiene: these are good practices for any concern one might have about future breaches or compromises

This applies to everything you do online and in real life.

Page 37

If you don’t protect your personal privacy, who will?

Online Privacy

Page 38

Common Data Collection Points

Data in Motion
• Text Messages
• Emails
• HTTP/HTTPS

Data at Rest
• Databases
• Social Media
• Websites

Transit
• Networks
• Cellular
• Public WiFi

Page 39

What the Pros Do (The pretty picture of this was copyrighted :-P )

Reference: http://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-security-pros-about-staying-safe-online/


WHAT PEOPLE THINK THEY SHOULD DO
1. USE ANTIVIRUS SOFTWARE
2. USE STRONG PASSWORDS
3. CHANGE PASSWORDS FREQUENTLY
4. ONLY VISIT WEBSITES THEY KNOW
5. DON’T SHARE PERSONAL INFORMATION

WHAT SECURITY EXPERTS DO
1. INSTALL SOFTWARE UPDATES
2. USE UNIQUE PASSWORDS
3. USE TWO FACTOR AUTHENTICATION
4. USE STRONG PASSWORDS
5. USE A PASSWORD MANAGER

Page 40

Best Practices - Email

DO…
• Use a strong and unique password
• Use two-factor authentication
• Confirm suspicious attachments/links from known contacts
• Look closely at the sender’s email address
• Unsubscribe from mailing lists
• Delete emails older than 180 days!

DO NOT…
• Use a simple password
• Click on suspicious attachments/links
• Enter any personal information into a pop-up screen
• Use real information for “Security Questions”

“A password is like a toothbrush. Choose a good one. Don’t share it with anyone. Change it frequently.”


Page 41

Best Practices - Browser

DO…
• Use a modern browser
• Use anti-virus software that scans all downloads
• Use a pop-up blocker
• Use HTTPS (The “S” stands for secure)
• Use a Virtual Private Network (VPN)

DO NOT…
• Use public or free WiFi
• Let your browser store your passwords
• Enter any personal information into an unexpected pop-up

“Think of the internet as a public place. Don’t leave your details lying around!”


Page 42

Best Practices – Social Media

DO…
• Use privacy settings
• Understand the terms and conditions
• Use false information strategically
• Use caution before clicking links
• Minimize third party applications

DO NOT…
• Post, Tweet, or SnapChat ANYTHING that you would not want your employer to see!
• Use your legal name as your profile name
• Link your social media with your work email

“If you are not paying, you are the product!”

Page 43

Best Practices – Mobile Device

DO…
• Lock your device with a password or PIN
• Back up your data
• Keep your software up-to-date
• Enable the ability to remotely wipe your device

DO NOT…
• Send any image/video that you do not want to be public!
• Use biometrics
• Jailbreak/Root your device
• Leave WiFi and Bluetooth on all the time!

“Can I have your phone and just… look around?”

Page 44

The right tool for the right job

Privacy Tools

Page 45

Best Practices – Tools

Password Managers
• LastPass, 1Password, KeePass

Remote Wipe Utilities
• iCloud, Android Device Manager, Prey

Browser Plugins
• Privacy Badger, uBlock Origin, HTTPS Everywhere

VPN Clients
• Private Internet Access, PrivateXPN, IPVanish

AntiVirus Packages
• Windows Defender, Avast, AVG

Page 46

Best Practices – Tools

Remember:
• Tools change
• What’s good today may not be tomorrow
• No tool is perfect - Moscow Rules
• A tool is only as good as its operator


Page 47

Common Data Protection Tools

Data in Motion
• Signal
• Temporary Email
• HTTPS Everywhere

Data at Rest
• Removal
• Alt-Accounts
• Misinformation

Transit
• VPN
• VPN
• VPN

Page 48

Common Data Protection Tools

Data in Motion
• Signal
• HTTPS Everywhere

Data at Rest
• JustDelete.me
• Privacy Badger

Transit
• PIA VPN

Page 49

Videos - VPN


See YouTube link for demo videos: https://www.youtube.com/watch?v=0n0YmEGIYrI

Page 50

Videos - Signal


See YouTube link for demo videos: https://www.youtube.com/watch?v=0n0YmEGIYrI

Page 51

Videos - Privacy Badger, HTTPS Everywhere, uBlock Origin, Temp Email


See YouTube link for demo videos: https://www.youtube.com/watch?v=0n0YmEGIYrI

Page 52

Videos - JustDelete.me


See YouTube link for demo videos: https://www.youtube.com/watch?v=0n0YmEGIYrI

Page 53

In Conclusion

1. No Security is Perfect
2. Times change, your tools should too
3. Reduce what people know about you
4. You have a right to privacy
5. Consult a lawyer

Page 54

THANKS!


Page 55

QUESTIONS AND CONTACT

Contact Us at: www.FourthAsAService.org


Page 56

RESOURCES & SOURCES

RESOURCES – Include any resources referenced in the presentation and any additional sources for later reading

Fourth Amendment As A Service – www.fourthamendmentasaservice.org
Fourth Amendment As A Service Twitter – www.twitter.com/4thAsAServce
Surveillance Self-Defense – https://ssd.eff.org/

SOURCES – Include ALL sources for content, images, and intellectual property

James Madison Portrait – John Vanderlyn (1775–1852) – The White House Historical Association; the painting is in the White House collection
Flat Icon – Open Book – http://www.flaticon.com/authors/zlatko-najdenovski
Flat Icon – Map – http://www.flaticon.com/authors/madebyoliver
Flat Icon – Clock – http://www.flaticon.com
Tools Image – https://upload.wikimedia.org/wikipedia/commons/thumb/8/8e/Icon_tools.svg/2000px-Icon_tools.svg.png
Social Media – https://upload.wikimedia.org/wikipedia/commons/b/bf/Socialmedia-pm.png
