
Who needs my mail, and the name of the presentation? I have heard such words from a number of respected people, whom I respect. But they are not professionals in cybersecurity and do not work in that field. They think: I have some kind of mail, I'm not sending any secret information, I'm not a hacker, an oppositionist, a political activist or an agent of the special services, so it's just ordinary information. Who needs it? Who needs my mail? In fact, it is not so. And that is how they can simply steal your money, through password resets via that email which "nobody needs". It's a lot of money: PayPal, Bitcoin, WebMoney, etc. The same password for Facebook, Instagram, something else in social networks. This is what's on the surface. And then there is the personal data. It can be used for some demands, manipulations, etc. Some private photos, something more intimate, can be made public. And some more technical things: your account can be used to hide a C&C server for botnet management, or simply as one of the nodes of the botnet, or for a phishing domain or a phishing campaign, and so on. That is, you will use your mail through the web interface and so on, nothing will happen, everything will work in the standard mode, and then the cyber police will come to you and take your laptop, because something was sent from your machine, some phishing.
This is an example of what can happen if the email that "nobody needs" gets hacked somewhere. Your friends, your contact list will receive such a message, and in a couple of weeks your acquaintance will say: "How is mom?" "Mom is fine. I have money, she got sick, I have counted money for you." Unpleasant situation, agree? This is about who needs my mail.

As for passwords, I haven't seen this at any conferences recently. It is considered that everyone already knows about passwords. But let's talk about new ones. Yegor, do you remember this situation? And UAE is working on it. Once again, an interesting case and very fresh, it's been a few days. The passwords are not encrypted, they are not hashed. They are encrypted with some kind of self-written algorithm. And it's true that it exists, that it doesn't exist. It's been written about in detail on Facebook. And they have already corrected it. And they came to the meeting and are actively cooperating. They understand, agreed, admitted their mistakes. Good.

One password for everything. This is the lowest level. This is the absence of security in general. If you use one password for your mail, bank account, Facebook, any other resource, especially those where some money, your credit card is tied, that is, one password for everything, even a complicated, long, powerful one, this is the absence of security in general. And 2-3 passwords: one for web banking, a second for mail, and a third for social networks. This is better, but also far from normal security. And these are the most popular passwords. You see, right? This is something that is already known, and if there are a lot of passwords to go through, then first of all they are taken from all the public databases. A unique password for each resource is great, but the question is how to keep it all in memory or where to write it down, because if you have 5, 10, 15, 20 or even more different resources, how to remember all this? Well, a password manager; the rules, as they say, are the ones that are recommended, which you can trust more or less. And for the password manager,
you have to remember only one password, a passphrase that must be strong, very difficult to break, and you only need that one to have safe access to all your resources. What can it be? A smiley phrase from a song, first teacher, first car, etc. How to combine it? We will talk about it later. Letters in words are replaced with numbers. The password length must be at least 8 characters. For a qualified hacker or cracker, sorry, not everyone thinks that a hacker is a bad person: 8-10 characters is within the capabilities of one computer in up to a week; 11-12, a virtual machine in up to a week; 16 is very good; more than 20, it's really possible, but it is unlikely that someone will spend so much time, effort and resources on you. It is written here that it is unrealistic, but it is not realistic. Here is such a thing.

One bank, very famous in Ukraine, when I tried to change the password, a regular password update, showed me such a message. A good password should use special symbols, and big and small letters, and everything else. And the limit on the length of the password looks a bit strange nowadays. Here is Kyivstar. Your password was also sent; you see, it's 31 December, not so long ago. But I hope that everything is better there. They send you the password in plain text. This is wrong, this is not right.

Which words? It's better to have a row of 3-4 words, or a row of 5 words, different letters, symbols, numbers, special symbols in some combination that was not published anywhere before: not in a book, not in a newspaper, nowhere; it is not meaningful, it is nothing. Other people may know it, but it is not important for them and they can't just put it together in their head. On the 13th of February I met with Oksana, we met at Krasnoye Siaiv, there was a saxophone. Here we write: Oksana plus Siaiv equals saxophone and the date. Twenty-nine characters, welcome to the class of paranoia. Very good. Very good. That is, if you have a record of this sort. I'm already
compromised, you understand, right? And I can't explain it anymore. That's it, forget about it. It's just a thinking technique, how to understand it better. Another good technique is to come up with some phrase famous to you, write it down with the use of some "Cypher", etc. And there are three more characters, their combination, let's say, that will be necessary to remember. This is such a thing. In front, behind, in the middle, that is, you also keep it in your head and somehow combine it. And a good password. How many characters are there? Ten. Well, not super, but for some non-critical resources, it's okay. But just remember it, remember, and you will keep it in your head, and you don't have to look for some kind of folder where everything is written down, or something else, or look on the phone. Your own unique combination of all these methods, which are not strictly followed in the way I showed; your own interpretation based on your own experience, your personal knowledge, some private information. And... I'm sure you're all ready for the last one. I highly recommend it.

And an interesting case from my own experience. I love fantasy. And I once read a fantasy book with the names of two swords. One is Tahakai, the other is Tayaskaron. I thought this was a very cool password, a very long one. Who knows it? First of all, it's not true. It was a long time ago. First, it was printed in books, that is, it is already printed information and the combination can theoretically be broken. And secondly, I was very far away from Ukraine and I did not have a laptop, but I urgently needed access. And the keyboard was only labelled in English and Korean. And I had written these words in Russian, and I quickly remembered the words "virtual keyboard" and found it somewhere and downloaded it. And that was many years ago; it was not as easy as it is now. So, you don't need to do that. It is still better to use the English alphabet.

We are moving quickly. Two-factor authentication. Use it wherever it is available. Here are examples of where you can use
it. And here is another: two-factor.fk.org. I also recommend you to check out this resource, which shows which services support two-factor authentication. And SMS is currently a very popular, the simplest and most common means of the second factor. Why is it not desirable? It's not secure, because your SIM card can be stolen, it can be reissued for another number. For example, I know, maybe it's not working now, but a few months ago it was working. Some ad is posted on OLX, something very attractive, the latest MacBook Pro, $500, money is needed quickly. And it is posted with different kinds of telephone numbers for contact. And you call first one number, then the second, then the third, fourth, fifth. And all this is controlled by one person, and so are your calls over the week. Then the malicious person calls the operator and says: "I want to replace the SIM card". The operator says: "Name your last 5 calls". And this person controls all these ads with different phones. You call, and he does not answer. And then the malicious person, using these calls, restores the SIM card to his phone. And the second factor comes to the restored card. Access to the email account is obtained. From it to others, others, others, and that's it. You can spend $500-600, and this is for more serious tasks of interception. It was used by professional means during the Revolution of Dignity, but such equipment costs about $500-600 and it is not difficult to find it in the world, there are no restrictions.

Google Authenticator is free, not bad, very good. I recommend it. A one-time password token is also not bad. And biometrics, in this building. A couple of hours ago we were shown that biometrics are used for the eye retina, fingerprints and even weight control. This is for such super-secure projects. You can use these and other biometric factors. This is already a higher class.

Operating system. Who uses Linux, Unix, BSD? Respect. That's it. Everything is good here. At this level, we won't even talk about it. Windows vs. macOS. I personally and many of my colleagues still believe that macOS is much more
secure than Windows. Some even think that Windows and Mazda are the same. Unfortunately, this is the most widespread operating system in the world and in our country. And you can't do anything about it. So, if you want to maximize the security level and minimize risks, you should use the principle of least privilege, that is, do not work with administrator rights whenever possible. Create a normal user and work as that user. If a program requires you to temporarily give it administrative rights, you do it and exit. And consider logging in as administrator an incident. These are some key words to read about how to increase security in your operating system, in this case Windows and macOS.

Updates. Everything needs to be constantly updated. And if it's in the environment, how do you say it in Ukrainian? The macOS environment is simpler, because most of the programs installed are updated from one source, the App Store. But here you can also use Homebrew. You have to be a little lucky, but you can. And all the programs will be updated. And you will have a reminder that this update has been released: download, please. And for Windows, there are also several useful things that remind you that you need to patch, that you have weak passwords, that updates have been released, how to fix it, etc.

And antivirus... I like to compare antivirus with an intercom, because you can imagine that you have an apartment, and there are no locks, no alarm, no dogs, nothing. There are no locks, but there is an intercom downstairs. This is how effective an antivirus is for real protection from the cyber threats of modern people: 20-25%. No antivirus protects 100%. When we talk about an APT attack, nobody protects against it. There are no protected systems. It is something unique, developed for a target client. Antivirus is a program that has administrative rights on your computer, and even more, because it has access to the registry. It transmits information to its servers. You don't know what information is there, what the purpose of it is, what it is for. You are not a specialist, a virus analyst, you have not developed this
program, and you don't know its code and have no access to it. I understand that Windows is still desirable to use with antivirus. For macOS, Linux, Unix systems and others, do not use antivirus, you just don't need it; it is not necessary and even bothers you a bit. But for Windows, how to choose them, here is a link, look and form your own opinion.

Backups. Why do we need them? You all know it already, but there are bars, restaurants, taxis, repair services where your device, laptop, phone can be lost. The first two options are the most common. Three, or two, or the metro. There is always a risk of losing your device, your invaluable information. And almost always the loss of information is more painful than the loss of the hardware itself. You should do it as often as possible, based on your own experience, colleagues' experience and some practice. There are hardly any super experts who do backups more often than once a week. So once a week is fine. I don't do it more often. Is there a paranoiac who does it more often? Are you doing it now? Ah, these are the professional features. Where to store it? Externally, if you have a big 500GB flash drive, for example. HDD, SSD, USB stick, if you have a lot of information, then microSD maybe, or even some rarity. Does anyone know what this is? Still remember, right? Well, I'm not the oldest here. And where to keep it and how to protect it? Ideally, the backup of the working machine should be kept at home, and the backup of the home machine at work. This is for maximum safety. This happens very rarely. Usually, it is some external disk that is kept separately from the computer. If you take a computer with you to work, I mean a laptop, or on a trip, or something else, then leave your backup at home, because the road is like that, anything can happen. So, in order to avoid any problems, you need to have a safe place, ideally a safe; there are few people like that here, so somewhere in a safe place.
I will briefly talk about encryption. A couple of hours ago, Ms. Anastasia spoke in more detail about the corporate sector and corporate solutions. We consider personal cybersecurity for everyone, not only for professionals but also for ordinary users. So, HTTPS is good everywhere where it is available. But you need to check certificates periodically: go to the lock, open it and check whether the certificate matches or not, whether its validity period has ended. There are such extensions as HTTPS Everywhere. For these three browsers it is definitely available. Maybe for Explorer or Edge something like that has appeared. This is a thing that, when two versions, HTTP and HTTPS, exist, automatically redirects you to the more secure HTTPS.

Full disk encryption is free for Linux, macOS and Windows Pro. But I think that for others it is possible to come up with something like this, either free programs or for some money. Connection cache, PGP, GPG, must have, S/MIME, etc. We have the more popular ones. You need to make some effort there if you haven't worked with PGP before. It's not very difficult to deal with it. I won't even ask you. You all know what it is and you all use it. We are not doing anything dangerous here. And encrypted messengers have already been mentioned many times today. By default, end to end, P2P. This is Signal, WhatsApp, iMessage, Viber, 3M. And some others were named. Why not? There are also secret Facebook messages, Google Allo, Telegram. We are observing. This is our certificate. It was issued on Saturday, May 26. It's almost over. I took it to be correct. Email: GPG Tools for Microsoft Outlook, S/MIME for Outlook Web.

VPN is a very popular word in the last few months. There are many ready-made solutions, from $5 per month, and even cheaper. One very hardworking developer suggested something less than $2 per month. So, there are many options. How to choose is another question, but it's good practice. Use VPN whenever it's possible. What else can be done: rent a virtual server and set up a VPN with a set of free plugins and software. I haven't figured it out yet, but there is
such a possibility.

Of course, Tor Browser. If you don't want your own country, special services, government or someone else to censor your movements on the web, Tor Browser is for you. Adblockers, of course, Adblock Plus or the like, if you don't like pop-ups and various advertising that comes in the browser. It's free, please use it. It affects the speed of windows opening a little, but you will get used to it. I'm used to it. And incognito mode, well, it's generally, so to speak, like an ostrich, you know, like this, approximately. That is, it can only ensure that your sessions, wherever you go, will be a secret from another user of your computer. So if you haven't earned money for your own computer yet, I will ask you about it later, and you use someone else's, with a friend, with a neighbor, with a brother, sister, then incognito mode is only for that, so that your other mate doesn't know where you went. That's all.

I also want to mention privacytools.io, a very interesting resource. I recommend you to check it out. It tells about how to choose a VPN provider, because there are providers that, for example, do not provide any information about users to any special services, FBI, NSA, anyone, because the system is implemented so that they simply do not have this information, and they publicly state it on their website. This is one such example, which is interesting. There are also many other criteria that will be useful to know for choosing a VPN provider. What are the recommendations for browsers, for email clients, for search systems? DuckDuckGo, by the way, I highly recommend as an alternative to Google, which monitors all users and then sends you contextual advertising. For messengers, file sharing, where to store encrypted data, a password manager, which was mentioned already. I don't know... Is that how they write it? There is a section, let's say, that says "Do not use Windows 10, it's a nightmare in the sense of privacy".

Mobile security. iOS vs Android. I am convinced that iOS is much safer than Android. Let me explain why. Google bought Android Inc. in 2005 for $130 million. It is now an open platform that
is used by many device and phone manufacturers. Everyone adapts it to their own needs and adds some features. But the security updates are... not very frequent. It is a public open platform, so it does not have one person who takes full responsibility. And every manufacturer of some version for their device pretends to be responsible for it. In fact, no. Whereas in iOS, the operating system and the devices are developed by one company, and it is very responsible about this, and updates come almost every day; I don't remember a day when updates of some software were not constantly coming, constantly, constantly: update, update, update. And so, if Android, then from Google, Nexus, it seems, right? That's what the phones are called. So, this is a company that produces and is responsible for both the devices and the operating system. So, it's more secure. Of course, you don't need to root or jailbreak devices, and download updates only... Do we still have time? ...from official sources, and if you are offered some kind of security update, if you don't like something, if you find something strange, this is an alarm bell. So, look where the request for a security update comes from. Sometimes it comes from harmful sources.

Physical safety. As I said, it is very desirable that the computer is controlled by one person. I hope that you all have that. But there may be some working options. What two people know, the pig knows too. You must be the one person responsible for the safety of your device. Even if you are in a safe environment, with friends, colleagues, at work, relatives, and you go out, excuse me, to the toilet, you lock the screen. You need to get used to it, but it's a very positive practice that will never hurt you. And you can also put such things on some laptops, locks. Especially if you leave your laptop in the office at night. And don't push the button. Usually it would be better to start with this. But it's better to pay more attention to this. I decided to leave it for the end. Don't click shit. And don't click. I'll say it even faster. And don't
click faster than you think. First, think about where you received a message from: via email, Facebook or a website. On Facebook there is little chance of getting such a message, because the security system works more or less. But by default, do not trust a source that offers you or somehow encourages you to click a link. Checking the HTTPS, SSL certificate: we have already talked about this, I have already talked about it. Copy the suggested link, put it into VirusTotal, wait for a minute and see: if it's 0/56, everything is clear. OK, go. Of course, the ban on the browser's window settings. This one is broken, let's get a new one. Oh, it's powerful.

Foreign flash drives, disks, and this thing that many people remember. There are attacks like this, where they scatter some nice flash drives, labelled 64GB, 128GB, 512GB or 1GB or 2GB, at the entrance to an office, and someone picks one up and finally plugs it in somewhere. And the payload, and all this begins. Everything will be fine for the one who scattered these flash drives. And the investment will pay off.

Ah, Flash and Java. I don't even know where to start. No Flash, no Java. It's short. Of course, Flash is an outdated player. And now almost every browser has plugins available that automatically convert Flash to HTML5. And YouTube has abandoned Flash, as far as I know. But it is still popular, especially on old Windows, on some un-updated devices. That's why no Flash. And Java, I know, Java is not ideal. It is impossible to completely ban Java, because, let's say, some banking clients just don't work without Java. But you can set it up in a way that allows Java only for specific resources. How to do it? Well, here is the setting, that's it, remove this checkbox, that's it. The same for Windows 10, where Downloads is, that's it, off, and it's good. This is how my Safari browser usually looks when I'm asked to play Flash. I'll press it to look at the question about HTML5. This is the modern Flash replacement. All these materials are generally available, I didn't come up with anything myself, I just tried to collect the most key
things in one presentation, so that you could take it all in one place, look around, get to know it in more detail, maybe you didn't know something here. And this is, as it were, a cyber victim on GitHub, in English, and here are a few more webinars where all this is told in detail, about an hour on every question, with technical details, with explanations; that is, I ran here and somehow grabbed the top to generalize it somehow. Where to start with personal cybersecurity? Well, that's it.
About anonymity in the browser, it's a very interesting case. Not only your sister, but also your pet, your cat, etc. Why is it important? Recently there was a video of the police investigating a guy, he is a member of the hacker group Carbanak, it's Cobalt, and he is being searched at home. He wrote a lot of things for these guys. There is a search and the cyber police. The first thing that comes up is the history of the browser. History, websites, which forums they went to. So that you don't get embarrassed by a search video. I've wasted half of my time. Great. Thank you very much. What to ask here? I understand everything.
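An added example, not part of the talk or its slides: a small Python checker for the password rules given in the passwords section (at least 8 characters, special symbols plus big and small letters, no strings that were already printed somewhere, English alphabet only) together with the talk's "Oksana plus Siaiv equals saxophone and the date" construction. The PUBLISHED_WORDS list, the 13-15 character band and all sample inputs are constructed assumptions for the demonstration.

```python
import math

# Constructed stand-in for strings that were "already printed somewhere":
# the two sword names from the talk plus a few leaked-password classics.
# A real checker would load a large wordlist or query a breach corpus.
PUBLISHED_WORDS = {"tahakai", "tayaskaron", "password", "qwerty", "123456"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
KINDS = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}


def char_classes(pw: str) -> set:
    """Which of the four character classes the talk asks for are present."""
    return {next((k for k, f in KINDS.items() if f(c)), "symbol") for c in pw}


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force space implied by length and classes used;
    an upper bound on strength, not the real entropy of a phrase."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def length_band(n: int) -> str:
    """Cracking-cost bands as the talk gives them; the 13-15 band is my
    own interpolation (assumption), the talk does not state it."""
    if n < 8:
        return "below minimum"
    if n <= 10:
        return "one computer, up to a week"
    if n <= 12:
        return "virtual machines, up to a week"
    if n < 16:
        return "expensive"
    if n <= 20:
        return "very good"
    return "paranoia class"


def published_substrings(pw: str) -> list:
    """Entries from the 'already printed' list found inside the candidate."""
    low = pw.lower()
    return sorted(w for w in PUBLISHED_WORDS if w in low)


def build_passphrase(words: list, date: str) -> str:
    """The talk's construction: private words joined with operator symbols
    ('Oksana plus Siaiv equals saxophone') with the date appended."""
    return "+".join(words[:-1]) + "=" + words[-1] + date


def assess(pw: str) -> dict:
    """Apply the talk's rules; an empty findings list means accept."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    missing = set(CLASS_SIZES) - char_classes(pw)
    if missing:
        findings.append("missing classes: " + ", ".join(sorted(missing)))
    hits = published_substrings(pw)
    if hits:
        findings.append("contains published words: " + ", ".join(hits))
    if any(ord(c) > 127 for c in pw):
        findings.append("non-ASCII characters: keyboard may be missing abroad")
    return {"length": len(pw), "band": length_band(len(pw)),
            "bits": round(search_space_bits(pw), 1),
            "findings": findings, "accept": not findings}


if __name__ == "__main__":
    # Constructed samples: the printed sword name vs the talk's construction.
    for cand in ("Tayaskaron",
                 build_passphrase(["Oksana", "Siaiv", "saxophone"], "13.02")):
        print(cand, assess(cand))
```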