web security overview – on digital identities - GTUG-Addis

Uploaded by greenpepperwhinny in Security, 3 Nov 2013, 77 views

Web 2.0 Technology

by GTUG-Addis

March 5, 2011

Contents

Introductions
GTUG-Addis
Who am I?
What is this presentation about?
What is Web 2.0?
Advanced searches
Real Time
Comparative/computational searches
Social networking tools
Securing your wordpress blog
Using public internet/computers and security
Basic online and offline security measures
Links

GTUG-Addis

GTUG - Google Technology Users Group

GTUG-Addis is a group dedicated to Addis technology enthusiasts and professionals coming together to share their knowledge. All of the moderators of this site come from different walks of technology life: software, hardware, network and security, so feel free to ask questions and make suggestions.

GTUG-Addis will contribute to society: students, professionals or anyone in technology, through trainings and consulting.

Monthly meeting held @ iHub

Who Am I?

Fitsum Assalif

Electrical Engineering + CCNA + SCNA + MCITP + GPEN

Enterprise systems (Windows, Linux/Unix) and Security (Ethical hacking and penetration testing)

I like to participate in groups/associations for sharing knowledge and contributing what I know

I am not always correct! So let me know if I make any mistakes

What is this presentation about?

It is about:

Introducing GTUG-Addis

Basic online security, social networking and web 2.0 tools and tips

Chance to discuss/request any type of technical collaboration with/from GTUG-Addis

It is not about:

Coding / web design

What is web 2.0?

“The term Web 2.0 is associated with web applications that facilitate participatory information sharing, interoperability, user-centered design, and collaboration on the World Wide Web. A Web 2.0 site allows users to interact and collaborate with each other in a social media dialogue as creators (prosumers) of user-generated content in a virtual community, in contrast to websites where users (consumers) are limited to the passive viewing of content that was created for them. Examples of Web 2.0 include social networking sites, blogs, wikis, video sharing sites, hosted services, web applications, mashups and folksonomies.”

- Wikipedia



Advanced Searches

Real Time Search

Searching real time updates from public tweets and facebook posts

Using the normal web searches:

Google (use the Realtime option)

Bing (social search and twitter maps)

Social networking searches:

Openbook - http://openbook.org/

Tweetmeme - http://tweetmeme.com/

Picfog - http://picfog.com/

Socialmention - http://socialmention.com/




Comparative/computational searches

Statistical, comparative and trends

Comparative/computational:

Wolfram Alpha (http://www.wolframalpha.com/)

Google trends (http://www.google.com/trends)

Google squared … (in labs and a little complicated currently)

Public Data:

Google public data explorer (http://www.google.com/publicdata/directory)


Social networking tools

If you want to see all your social network account updates, notifications and messages in one window like me!

TweetDeck (https://www.tweetdeck.com/)

Desktop, Android, Chrome... Coming to iPhone and iPad

Yoono (http://yoono.com/)

Chrome, Firefox, iPhone, iPod touch, iPad

Windows, Mac and Linux

Securing your wordpress blog

Why would anyone want to attack my blog?

There is nothing valuable on my blog!

I only have very few visitors!

I turned off comments, I am secure!

Not necessarily. Hackers will upload or inject:

Spam URLs

Malware files

DoS (hacking 100 small blogs and inserting a link to launch 10 instances = 1000)


1 - DO NOT USE ADMIN ACCOUNT

Create a new account

Make the username very unique

Assign the new account an Administrator role

Log out and log back in with the new account

Delete the original admin account


2 - USE STRONG PASSWORDS

alphanumeric + symbols + upper and lower cases

Create random passwords: goodpassword.com

Convert existing ones to complex:

password -> P@55w0rd

Ilovemom -> 1L0v3M0m
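A small generator for the "create random passwords" tip, as an added example that is not part of the slides: it draws characters from the classes the slide names (upper and lower case, digits, symbols) with PHP's cryptographically secure random_int(), and reports the strength in bits so different lengths can be compared. The alphabet constant and function names are my own choices.

```php
<?php
// Added example, not from the slides: build a random password from the
// character classes the slide recommends and report its strength in bits.

// Alphabet assumed here; trim the symbol set to what the target site accepts.
const PW_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                  . 'abcdefghijklmnopqrstuvwxyz'
                  . '0123456789'
                  . '!@#$%^&*()-_=+[]{};:,.?';

function generate_password(int $length = 16, string $alphabet = PW_ALPHABET): string
{
    if ($length < 1 || $alphabet === '') {
        throw new InvalidArgumentException('length must be >= 1 and alphabet non-empty');
    }
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform and cryptographically secure;
        // rand(), mt_rand() and str_shuffle() are not suitable for secrets.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function password_entropy_bits(int $length, string $alphabet = PW_ALPHABET): float
{
    return $length * log(strlen($alphabet), 2);
}

// A fixed substitution such as password -> P@55w0rd adds very little:
// cracking wordlists already include the common leet variants, so a
// randomly generated password of the same length is far stronger.
foreach ([12, 16, 24] as $len) {
    printf("%-26s %5.1f bits\n", generate_password($len), password_entropy_bits($len));
}
```

Run it with `php generate_password.php`; each line shows one generated password and its entropy. The 16-character default over this 85-symbol alphabet gives roughly 102 bits, which is far beyond what a leet-speak conversion of a dictionary word provides.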



3 - KEEP WP and PLUGINS UPDATED

Update WP Core Code

Keep theme files current

Keep all plugins current


4 - REMOVE WP VERSION FROM HEADERS

Viewing the source on most WP sites reveals the version they are running:

<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->

This helps attackers find vulnerabilities in the current version easily.

Themes and plugins might also display versions in your header.
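One way to act on this tip in code, as an added example that is not from the slides: a snippet for the active theme's functions.php (or a small plugin) that uses standard WordPress hooks (wp_head, the_generator, style_loader_src, script_loader_src) and the remove_action(), add_filter() and remove_query_arg() functions. The function name gtug_strip_version_query is my own.

```php
<?php
// Added example, not from the slides: hide WordPress version strings.
// Place in the active theme's functions.php or in a small plugin.

// 1. Stop <meta name="generator" content="WordPress x.y" /> being printed in <head>.
//    wp_generator is the core callback hooked on wp_head.
remove_action('wp_head', 'wp_generator');

// 2. Blank the generator string WordPress also emits in RSS/Atom feeds.
add_filter('the_generator', function () {
    return '';
});

// 3. Themes and plugins leak their versions through ?ver=1.2.3 on the CSS/JS
//    URLs they enqueue. Strip that query argument from both kinds of URL.
function gtug_strip_version_query(string $src): string
{
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
// Late priority so the filter runs after other plugins have touched the URL.
add_filter('style_loader_src', 'gtug_strip_version_query', 9999);
add_filter('script_loader_src', 'gtug_strip_version_query', 9999);
```

Two caveats: the ?ver argument doubles as cache-busting, so after removing it you need another way to invalidate cached assets when a plugin updates; and hiding the string only removes the easiest fingerprint, since the version can still be inferred from other files shipped with WordPress (the readme.html in the web root, for example). Treat this as one layer on top of step 3, keeping core and plugins updated, not as a replacement for it.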



5 - USE SECURITY PLUGINS

WordPress Security Scan
WordPress Exploit Scanner
WordPress File Monitor
Login Lockdown Plugin

6 - ...

Use Secret Keys

Hide your plugin directory

Edit configuration files to change default names/values before installation, e.g. table prefix wp_ to something unique like axc_

Check Google Webmaster Tools to see if your site has been compromised; it will tell you why

BACKUP … BACKUP and BACKUP
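The wp-config.php side of two of these tips (secret keys and the table prefix), as an added example that is not taken from the slides. The define() names and $table_prefix variable are WordPress's own; every key value below is a placeholder, to be replaced with the output of WordPress's secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/ before the installer is run.

```php
<?php
// Added example, not from the slides: the relevant lines of wp-config.php.

// Secret keys and salts sign the login cookies and nonces. Leaving them at a
// known or empty value lets anyone who learns them forge a session, so set
// them to long random strings. Rotating them later invalidates every existing
// login cookie, which is also a cheap way to force all users to log in again.
define('AUTH_KEY',         'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('SECURE_AUTH_KEY',  'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('LOGGED_IN_KEY',    'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('NONCE_KEY',        'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('AUTH_SALT',        'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('SECURE_AUTH_SALT', 'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('LOGGED_IN_SALT',   'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');
define('NONCE_SALT',       'PLACEHOLDER-REPLACE-WITH-64-RANDOM-CHARS');

// Table prefix. The default is the one every automated SQL injection payload
// against WordPress assumes:
//   $table_prefix = 'wp_';
// The slide's suggestion is a unique prefix (letters, digits and underscores
// only). Set it before installation: changing it on a live site means
// renaming every table and fixing the prefixed option and user-meta keys.
$table_prefix = 'axc_';
```

The prefix change is a small obstacle rather than a fix for an injectable plugin, which is why the slide lists it alongside updates, backups and security plugins rather than instead of them.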


And if you still get HACKED?

Give up and join the Circus!

Using Public Internet/Computers and Security

Purpose of this topic ...is to scare the wp_crap out of you!

Using Public Internet

Public Internet: open and shared by anyone (mostly Wi-Fi)

Cafes, Internet Cafes, Hotels, Libraries, and open spaces

Advantages:

Open access to anyone

Don't have to carry your dongle anywhere

Increases internet access coverage for the public

Risks:

Wi-Fi: Open Wi-Fi, MITM, Rogue Access Point

Who is running the network? A reputable and well-known entity?

Using Public Internet

Open Wi-Fi

Problem: anyone with basic internet and computer knowledge can access your account if you are working on the same connection

Solution: use full SSL communication with every service you use online

Account Settings > Use SSL (gmail, hotmail, facebook …)

Firefox Users: HTTPS Everywhere

Chrome Users: Prefer HTTPS, SSL Enforcer

IE Users: :(

MITM (Man/Monkey in The Middle) attacks: if you are using a Wi-Fi and the wifi gets disconnected many times and comes back with different channels

Firesheep

MITM


Using Public Computers

Risks:

Key Loggers: software recording every keystroke you make

Cookies left on the computer

Solutions:

If you have to use the internet in a place where you are not sure about the reputation, use your own browser on a USB drive with a keyscrambler

Firefox Addon: “keyscrambler”


Basic Online and Offline Security measures

DATA Types

Data in Use
Data in Motion
Data at Rest

Security

Online security
Data leak protection (DLP)
Lost data prevention (LDP)

Online Security

Protecting your credentials as well as data while you are online

OS Hardening:

Disable unnecessary services

Updates and patches must be applied

Anti-Malware Systems (anti-virus, anti-spam, firewall, HIDS)

Browser security:

Latest updates

Firefox: No Script, WOT (Web Of Trust), Better Privacy, Adblock, Flashblock, Ghostery

Offline Security

OS Hardening

Encryption:

Partition: encrypt a separate partition for secure data storage

File Container: a folder-like file holding files. Can be created on a computer or on removable media

Full Disk: encrypt the whole computer disk

Questions?

Thank You!