Hello and welcome everyone to our session. So this COVID-19 situation, this pandemic has brought to us a new set of security problems and also we have to be very confident, we have to deal with a new set of arrangements as in working from home. That is the course of discussion for now and we will look into the whole dimension from a security point of view. We have different people with different backgrounds in our discussion today. Today we have Harlow Holmes. Harlow is the Director of Digital Security at the Freedom of the Press Foundation, where she works with journalists, documentary filmmakers and other media makers to secure their communications. We have Neelu Tripathy with us. Neelu works as a security researcher and analyst at ThoughtWorks and she is a very important part of the null community. Then we have Kushal Das. Kushal works, he is a public interest technologist. He works at the Freedom of the Press Foundation and he is a Python core developer and also a community guy and he is also a Tor core. And also we have Riddhi as our moderator today. She works with Appsecco and she is the security analyst over there. Now over to Riddhi and all these wonderful people to discuss more on this topic. Hello everyone to our panelists and to our viewers. I hope all of you have joined either using your laptop or your phone devices. Even the presenters here, your panelists here, not all of them have used their regular laptops. But I myself have used my phone, handheld device, my usual Android device, which I was not using earlier to conduct the office work. But the situation has happened such today that I am doing two kinds of work using my handset. I am also opening emails and reading sensitive office emails. I am also doing my personal activities. I am also accessing my personal mailbox and doing things in it. Now, I belong to a security background.
I have at least some understanding of, not complete understanding, but some understanding of what I should be careful with and what I should not. But there are many other users who are new to this environment, right, amongst your audience also. So I hope you might be facing this work from home situation for the first time. So today our panelists are going to discuss things around how we can ensure security and confidentiality of data when we are using different devices which were not normally meant for doing sensitive activities. And we are using them now. We are supposed to use them now. So I would like to start with Neelu. And we will talk about device security, home network and some social engineering and phishing attacks that are very common these days. And we will talk around these points. And we are going to start with device security. So I would like to ask Neelu to start the discussion. And what do you have to say, Neelu, that when people are using devices, many people are using phones, many people are using iPhones, many people are using laptops, some are using desktops, and these devices are not ready right now for them. Not all of them are really equipped to handle sensitive activities, right? So what do you have to say about what people should be doing when they are doing official work using these devices from their home environment? Yeah, so thanks for the question. So this is actually a common concern for many of the companies now because although I am sure some of them were going through some of these kinds of drills earlier, no drill can prepare you actually for the kind of pandemic that's going on currently. In general, I think if we take care of some of the basics that should be good as employees of the companies where we are working from home, we can and we do have the access to the laptop directly. There are a lot of things that depend on the behavior that we follow while we're working from home.
So for example, there is a lot of software that we keep on installing. One thing that we can do is install applications only from official sources and update all the software. Neelu, we can't hear you. Neelu, we can't hear you. Can you hear me now? Yeah. You were talking about software installations from known sources. Yeah, from known sources, but also updating your software noise patches from time to time and more so in this condition because your system is supposed to be robust in terms of whichever software that you have so that if there is actually an attack in your network, they're not able to exploit any of those things in the software, any vulnerabilities in the software that may be there. The other thing that we often tend to do is, you know, we share our devices with others generally and we should avoid doing that. So you will see as a company, you start getting a lot of incidents at this time saying that, hey, you know, because we are working from home, there are some kind of... Can I use the... Voice is breaking again. Depending on of course the kind of business data that you're dealing with while you do work from home. Yeah, can you hear me? Yeah, yeah, yeah. So you said Neelu needs to be... We can't hear you. Okay, Harlow. Can you hear me now? Yeah, Neelu. Yes. I guess Harlow can give her input while you're dealing with it. Okay, so Neelu gave a lot of really, really, really good points. And so just to underscore what she is saying, it's very, very important to, you know, like keep your devices up to date, meaning that you want to look at all of the devices that you're going to work with, make sure that automatic updates are turned on, not only for the operating system itself, but also for the software that you normally run, and also have a look at the software that you have on a device that you're going to work from home with and see if like, you know, like, do I really, really need this piece of software? Do I know what it does? Is it obsolete?
And if it's obsolete, then, you know, removing it from your device. I have more to say, but I would love to just, like, talk more about what Neelu's points were. Neelu, if your connection is fixed, then we can... So the only other thing that I was talking about is sort of disk encryption or device encryption. If your company does provide for it, you must or, you know, even an MDM for that matter, which not many companies have, but if you do have that kind of a facility, you must enable it, because at this time, generally when you're working from home and the whole company is working from home, what tends to happen is you start getting more incidents around devices getting lost and obviously there is either client data or customer data and all of the kind of PII that may be available. And the best thing would be to enable disk encryption, you know, even for the cases when the unlikely attack of forgetting the laptop or, you know, it being stolen happens. Yeah. So, Harlow, do you want to add something on this and Kushal? Do you want to add on top of this before I move on to the next question? Sure. Neelu mentioned disk encryption, full disk encryption for your computer, and that is especially important. We don't necessarily... I think everybody is at a little bit of shell shock right now, and so I'm coming from New York City, by the way, and so New York City is a very, very interesting place, but and right now we like the mayor has said like crime is down really, really low in New York City. There's been like a record low amount of crime happening in New York City, but what can happen, you know, like a couple weeks out from now when we're still working from home, but then like someone steals your computer or something like that, and you have sensitive data on that computer.
And so full disk encryption, as Neelu says, is really, really important because what that means is that when you power down your computer, once your computer is off or, you know, it's like properly hibernated if your computer has that capability, then no one can actually turn the data on your computer into something that they can actually use. And so, yeah, if you happen to forget your work computer when you're working from a cafe because that's where the best internet is, or if you are at home and, you know, you decide to go outside and go grocery shopping and something happens, God forbid, those scenarios where full disk encryption on a properly powered down laptop will protect you, especially if you're working from home with, as Neelu says, personally identifying information. Thank you, Harlow. So I would like to ask Kushal now on top of what Harlow just mentioned that I wanted to add like, I want to add one particular point that a lot of us have multiple devices at home while working from home. And not for all companies, but few companies, people can actually choose between different devices. And like, so please keep that part in mind that like, you know, if you have a system which you're mostly using for accessing your office network data, then try not to do other things on the computer if possible, like separate out your work devices and your personal devices. This is just adding on top of what both Neelu and Harlow said. Sure, sure, sure, which is absolutely, absolutely right and valid. But then Harlow, not all people, not everybody would be having multiple devices, right? Some people might be stuck with just one device, which might not be up to date. So it's a general question to all three of you. So what do you have to say to such users? Because people who are prepared, they are good. They know what to do to an extent.
But people who are absolutely new and who just have, because we have seen even in trainings where very specific requirements are mentioned, people turn up with very old laptops with not up to date software and which doesn't support a lot of things. So there are high chances there might be people with such devices even now and stuck with just one device. So what would you say to them? Yeah, that's a really, really good question. And more and more as we're having like these global conversations, we're really starting to understand the impact of that. So there's a couple of things that you mentioned. One is having an older device. I think like, I mean, quite frankly, devices that are older are only capable of doing so much. They're only capable of providing so much protection. And you might have to be incredibly transparent with the company that you work for in saying that, you know, like, this is the type of device that I have. And if you can't help me in getting a new device that is more capable of like, you know, maintaining protection of the data that I have on it, then you have to like adjust your, you have to adjust your expectations of what I can do. So first and foremost, transparency is possible. Having lines of communication open will also help you like finding key workarounds. So let's say if you're using Windows, but you don't have the utility that's called BitLocker on it in order to ensure full disk encryption. Perhaps you can either work with your IT department in order to get a license for Windows Pro so you can enable BitLocker, or you can make a compromise by using something like VeraCrypt in order to, you know, encrypt certain parts of data that still resides on your machine. This isn't like the best case scenario, but for certain cases that will work pretty well.
Another thing it has to do with like the fact that depending on where you live, it might be really, really hard, both from a financial perspective, because a lot of people are, you know, like in households where they have less income than they're used to, or they're in situations where you can't even get delivery, right? So you can't necessarily just order a new laptop or order a new phone. And so people have to find really, really novel ways of making things work. This is a continuing conversation. And from my perspective, it's totally different from the perspective that other people are going to have where they are. And I would love to hear what everybody has to say about that. Yes. So Kushal, do you want to add something on this? I mean, Harlow mentioned the major point about letting the company know what is your situation. So that's one of the most important and I actually want to, like maybe we can come back to that later on, but I want to talk about a little bit of the habit of not clicking on random links over emails. I think Harlow can have, Harlow has much better examples to talk about it, but I think we should talk about that also. Yeah, we haven't gotten to that point yet, but we definitely do need to talk about, you know, just like phishing and the way that like phishing is way more effective when everybody is like in crisis and totally doesn't have their head 100% in the space that they need to be vigilant against those types of things. But I think that's like a discussion for a little bit later on. Yes, yes. So we will be coming to that. So right now, what you said, both of you said is if people have old devices, then they should work with the IT department and come make a decision as to what should be done. Neelu, do you want to add something on this? Yeah, I think that was actually a very robust point and it also safeguards you in many ways.
But in general, if I was to just call out by practice, we can try and become more vigilant in terms of our browsing habits. So even if there is no link, if you're going around or searching for websites and it's best not at this time if you have a laptop which is being compromised or is very old in terms of OS or technology that you're using, it's best to go only on trusted websites which you really need to be trusted which are your business or your company. So now that we are talking about devices, I think it's the right point to talk about managed devices a little bit and mobile device management which is MDM in short. So what is managed device? A simple person, a normal person, a layman has to understand what is a managed device? What would you say? Before Neelu gets into that topic, there is also an interesting question on the chat from the viewer after this is over. Okay, so let me read out the question. It is from Ashok Hariharan. Isn't a virtual laptop as a virtual machine that you RDP into a better option for corporations in terms of safety? So Neelu, would you like to address this? Yeah, so basically a virtual laptop or a virtual machine if that's what you're talking about is generally same in terms of how you maintain a managed device. So from a company perspective, it will more or less be same while there are a few things in terms of patching that you may not be very effectively able to do when you... We can't get you. So Neelu? Also in one side, the companies can provide updated VMs with all the necessary things but they should also have things like proper processes in place about multi-factor authentication and other things. It should not be just one particular username and password which people are setting kind of situation. Neelu, can you talk about multi-factor? Well, yeah, multi-factor definitely, but to get back to the virtualization and also remote desktop usage, not all solutions are equal and it also depends on the computer that you're using. 
So one would hope that you're using your corporate VPN in order to RDP into work machines. That would be great if you can do that in a way that you've worked with the IT department and your IT department has set you up with the tools that you need at home to do that safely. I personally am not a fan of consumer-grade solutions like TeamViewer, for instance, which is riddled with vulnerabilities and one should not be used just to remote desktop into a computer that you have in the shared office, especially if it's not without permission from your IT department because then you get into a situation that's called what's called shadow IT, which means that you're creating workarounds that ultimately create more problems than solutions as far as the network security is concerned and that would take your IT department totally by surprise and ultimately end up compromising your organization's security as a whole. So once again, I think this is probably the theme of this discussion is like having lines of communication open with the IT department, even though you can't be there in order to find the right solutions. So ask them first before you remote control desktop into something. SSH is another option that you might have. And if you can SSH into another machine in order to do stuff that is more like command line based, depending on the type of work that you do, that actually might be a really, really great option, but you have to make sure that the keys that you are using to SSH are incredibly strong and also make sure once again that your IT department knows that you're doing this. So basically the lesser that you are the safer you are, right? UI, no UI, it has command lines and just that we have to be careful with the keys, how we are handling it and how we are storing and using it, right? Yeah, and also how we are transmitting them.
So if an IT department wants to transmit a key to you in order to use on a virtual machine, you have to think about the security of that initial contact. So what might you use? You can't necessarily post it to GitHub. You definitely shouldn't email it to someone. You should make sure that it is transmitted over an end to end encrypted form of communication. Like Signal? I will defer to Kushal on that. What do you think about that, Kushal? Kushal, do you think Signal is a good medium to exchange secrets? Signal is kind of like depending on like existing processes, if you are not already using Signal and if you like... It depends again, the answer is Signal is good for many things, but like again, depending on your company's current processes, you may find something else which was better for your company because I don't want to just give one single suggestion which will try to fit all. Yeah, otherwise it would be like one specific product. Is that what you meant? Yeah, I mean Signal is great again, but like some cases encrypted, like GPG encrypted emails can also do better, but it totally depends on like company to company. But what Harlow particularly pointed out is that making sure that it's a proper secure communication, those fast registers and other details. Yeah, I think what she was hinting at is the channel is encrypted in case of SSH, and that's why it's more robust and secure for extended data. Yeah, so I think the question, I hope the question asked by Ashok has been answered. So in case Ashok you have more questions, feel free to post it again and we will address them. Meantime we move on with the discussion and we were talking about managed devices. So what is a managed device? So a managed device is a phone or a computer that your IT department can remotely administer.
Not only can they like, you know, put software on it, they can issue updates to it to make sure that the software is up to date, but also they can enforce certain policies about your access to certain things. So they can make sure that you are using two factor authentication, for instance, in order to access your email, right? That's just one example. And they can also remotely wipe it if they need to, which is kind of contentious because our phone, especially as phones are concerned because phones are very, very personal, deeply personal devices. We use them for business, but we also use them for our personal lives. We take pictures of our children with them. We like, you know, watch YouTube on them. We do Twitter with them. And so giving your company that you work for the ability to whenever they decide is necessary to like, you know, possibly wipe or otherwise monitor or modify your device can be a little bit contentious. So managed devices have always been pretty controversial, but we can imagine that like now we're going to see like a lot more tension in how IT departments in companies that are not, that don't have like traditional lines of communications with employees are going to have a little bit of difficulty in managing expectations about how managed devices can be used. Yeah. In the first place, a lot of them might not have even thought about it and they might not have anything in place and they might have to drop all the policies, right? Yeah. And it also, it matters a lot which platform you're on. So the differences between iOS and Android are really, really, really vast. With Android, that is managed via like, you know, your Google Enterprise account. So if you primarily log into your phone using an Enterprise account on an Android, then that means that the person who administers your Enterprise account can literally just brick your device with one click of a button, which is super-duper interesting. On iOS, it's a little bit different.
The management solutions are customized differently. For instance, if you are also using like Google Enterprise to manage your email and your documents and things like that, what that person only is able to do on an iOS device is to wipe all of the Google properties from your phone and lock you out of the Google parts of your communications on your iPhone, but they won't necessarily be able to brick your phone or wipe your photos or anything like that. And also, on iOS devices, there's higher possibilities of installing what are called profiles, which usually not only manage the types of software that you have on your phone, but also manage your connection to the Internet. So that's where you put in, like, always on connections to VPNs and things like that. So which is, I mean, you very nicely explained that what is a managed device and you also explained, Harlow, that what are the trade-offs. I mean, if someone is managing your device, then where things could go wrong. So what I could think of is that you should keep your devices separate for work and separate for your personal activities. Kushal, do you want to add on top of this your views? I actually want to hear what you think, because I'll send you the phone number of appropriate people. Okay. Yeah, so I think this is a rather longer-term project to have an MDM across your organization. And I have ordered a few while it does take care of creating sort of a sandbox and having only the office documentation. But I agree with Harlow that this segregation is very important. When you're thinking of having the MDM in place, it also has to tie up with a lot of security policy from the organization itself. So your own compliances, your own organizational security policy also has to go into it in terms of implementation. Now that we are suddenly in a mode of work from home for all of us, this may not be very much reachable. 
But when we come out of something like this, it's good to plan in terms of long-term for any other similar scenario where we want to ensure business continuity, have something like an MDM and have decent configuration around it so that you can at least provide a secure environment for working for your employees. Yeah, so talking about secure environment, Neelu, I would also like you to talk about the zero trust access model. What does it mean exactly? Okay, so I am not an expert in that. But I do understand that it does take years of enforcing policies and implementing in the right way. So basically when you start considering your device or devices that you give to your employees as something that could also be in the hands of an adversary or an attacker, that's when you start treating it like a zero trust. So zero trust in the sense that you do not really trust it. And hence you create the right kind of configuration, be it network and device-based configuration that will not help an attacker. For example, if in today's scenario an attacker actually gets hold of the device, they shouldn't be able to access the internal systems right away. So it does create a boundary in terms of trust and hence zero trust. And that sounds absolute, but I'm sure it's not the easiest to do for a network. But I'd like to pass to Kushal or Harlow. Yeah, so what you just said is zero trust is when we are not trusting anything literally, whether it's internal network, whether it's external network, validation is being done at every phase, right? Nothing is being taken for granted. Please correct me, Harlow. And in addition to all that, it also means that there is end-to-end encryption on the data. So usually we're thinking about end-to-end encryption in terms of communication systems, which is awesome, like, you know, Signal, WhatsApp, PGP email, as Kushal mentioned earlier.
But zero trust also means that the service provider that you're working with does not have the ability to decrypt any of the data that you might store with them in cold storage even. And so I think that that's incredibly important. I think it was incredibly important before we, you know, we're living in a pandemic, but it's incredibly important now just because there's so much uncertainty regarding, you know, like our connectivity to these critical systems. Yeah, so do you think this is the only way given the current situation, or do we have something in between any other option instead of adopting zero trust right away? Sorry, can you repeat that question? I'm so sorry. Yeah, I'm saying zero trust is the extreme, right? One extreme where you are just not trusting everything and security is really, really tight. Is it the necessity of, I mean, the situation that we are in right now? Is it absolutely required to go towards the zero trust access model? I think everyone has different ideas about that. And this is where like our regional perspectives come into play really, really crystal. So encryption is expensive as far as one, maybe the cost, but also just in terms of like, you know, how much you can store reliably and as far as redundancy is concerned. So, you know, if you do lose encryption keys on any particular device, that could be catastrophic because the service provider in the middle cannot decrypt it for you or at least ideally, right? And so there's that and then there's also the regional perspectives regarding encryption. Not historically, well, yeah, historically, we have definitely seen tensions between, you know, countries that could easily participate in these types of encryption and countries who do not have the ability to do so because of something like the Wassenaar Arrangement, which really just like manages how certain countries have access to encryption software.
And so if you are working in a company that is multi-global where that might be a problem, then there might be some cases where a zero knowledge solution might not even be feasible for you. Yeah. Someone just asked a question. It is like, is not an MDM device essentially a surveillance device by the employer? I absolutely did want to answer this question because the short answer is yes. Yes, it is. It is. And I'm laughing because like I come from a very strong like, you know, kind of privacy background. And so I am always really skeptical of managed devices and usually advise clients against them unless they absolutely have to for some sort of reason make that the solution that works for them. So yes, it is a surveillance device totally. Yeah. We are having a lot of surveillance. There is a second question on the same point. Like one particular food delivery service. Yeah. They have asked all their delivery partners to install an app which is coming from the Indian government and there are already a lot of questions related to privacy practices. So I'll read out the question. They call it a managed device. Yeah, I'll read out the question. For instance, Zomato just said that the delivery partner app will not work unless the Aarogya Setu app is installed. Would you call it a managed device even though it is not owned by the employer? No. Yeah. Who would like to take this question? Kushal, do you want to answer? That particular app, the particular app in question, it's a contact tracing application coming from the Indian government. Yes. And like, I'll not say it will make it a managed device, but it, I'd rather say following Harlow's path is that now that device is under proper surveillance. I mean, I'm going to call it that way because still that company has zero management power on that phone, whatever else is going on. But some people somewhere without any proper legal boundaries have access to data, your private data by the app. So that's my answer.
What is the managed device? Managed device. It is a device and here what we are seeing is Aarogya Setu is an app. It's not a device. It will be installed in a device. So this is not a managed device. I'm just trying to add on it. Neelu, right? The question, the question says, would you call it a managed device? So yeah, technically, I agree with Kushal again. It's not a managed device per se. However, I'm not a fan myself of apps which make other apps mandatory for any reason. And for that matter, apps which make any services mandatory for any reason. Like, you know, some apps have constantly Bluetooth running in the background, constantly voice recorder running in the background. So those are obviously to be shunned, but this kind of app mandating another app is generally not a managed device. So in a managed device, you would have transparent controls and these controls are there. So you can configure them and then, you know, there can be a lot of transparency around what you're trying to manage through that. And generally, it's for securing. So is it true that if I have suppose there's an office setup and the company decides to go with the MDM approach and then there are the other employees and our devices. We tell the company that these are the devices I am going to use for doing my work and I share my device identity with them and they register it. And then they ensure that I do not access office links, sensitive links or open sensitive documents from any other device other than what has been registered with them. If I try to access, the access is denied, is my understanding correct? Harlow? Yeah, I'm sure Harlow, I had a good deal to it. But you know, there are a lot of different discrete kinds of controls which these products provide. And that's also one of the reasons that earlier we had a discussion that it could become a surveillance device. But there are a lot of different kinds of configurations you can use.
So it's not just that you will not be able to access a link. Maybe there are sites which the company doesn't want you to go to because they may be known to be malicious, you know. So that is one of the controls. But in terms of data also, in terms of say office documents and other client related data and all of that, also there can be a lot of controls and all that. Yeah. When we were talking about like the profiles, the networking profiles that can be installed on a managed device, that can effectively act as a firewall in order to either prevent you from visiting certain sites or monitor your access to certain sites. Yeah, true, true. So moving on to network aspects. There has been, there are threats, the most talked about threat when we talk about home networks is Wi-Fi snooping. So what is Wi-Fi snooping? And what needs to be done to prevent Wi-Fi snooping? So, yeah, question is to all three of you. Whoever wants to go first. I'll start. But I think that the three of us have like very, very like a vast trove of information to add here. So this is interesting because first and foremost, we're all working from home. So we're all on our, you know, like home networks. And what you do want to be sure of is that, you know, like the hardware that you use to connect to the internet, whether that is, it's, I mean, it could be in this case, your cable modem that is installed in your home is outfitted in a certain way at least to make sure that, you know, its firmware is updated. So you want to make sure that that box that is sitting in your, you know, living room or whatever has its software up to date. And you also want to make sure that you can properly administer it, meaning that, you know, you can like hopefully it's in it also depends on the company that installs it in your home. It depends on the telecom company. But you want to make sure that you have control over what the password is so only you can administer the router.
You want to make sure, once again, that when you install those software updates, criminals on the internet can't necessarily take advantage of exploits on your router in order to seed malware or other exploits on your home network. In the United States, we have light bulbs that are connected to the internet, and coffee machines and smart fridges, and all of those things that might not be the case everywhere. But one thing that we think about in the United States is using controls to properly segment the network in order to give a dedicated space to the coffee machine that is totally separate from where you do your work. And also, you know, having a guest network there too. You can have a 2.4 GHz network, which has a broader range, which your neighbors might be able to see. But then you have the 5 GHz network, which on most routers you can have alongside it, which has a closer proximity, so only people ideally within your home can actually have access to it. And knowing the difference between the two is key, because anyone with access to your network will have access to any unencrypted traffic that you possibly generate. And we all know that working with encrypted traffic is key. It's been a very, very long time since people have been confused about why we go to encrypted HTTPS sites over unencrypted HTTP sites. They're insecure. We know that. But I think that keeping that fresh in our heads is incredibly important. And also, we don't know what the apps on our phones are doing. We don't necessarily know everything that the software on our computers is doing. Connections to the internet go way beyond the web browser that we're using, where we can actually see those indications. And so paying a little bit more attention to our network security and our home router security is a little bit more important in this time.
And I'll pass it off to everybody else. So I would add one question that one of our viewers has asked. The question is: I use a Wi-Fi modem that Airtel gave during installation. Almost everyone who comes home asks for the Wi-Fi password. We all know that everybody asks for it. Is there anything available that dishes out temporary passwords and revokes them? I think that you should just have a guest network, personally, and a guest network password. Yeah, you just talked about that. Yeah, I think that's a simple and elegant solution to a very complex problem that's very evident, and that happens to every one of us. So generally you should avoid sharing access to the network unless necessary. But if it is, then you can always give access to the guest network. Now, I think this is one of the best times to actually go back and try to have stronger and more unique router passwords. So generally, if you went with your default and this was ever your setting, maybe now is the time to change it. The installation people generally leave it with the default passwords which are supposed to be there. Now is the time to change it, make it strong, make it more unique, especially for the admin accounts which are there. And I'll give you an instance of why we are saying so: generally it was never that relevant earlier because we always worked from the office network. But now it's becoming more and more important. So recently, and especially with the COVID-19 thing going on, there have been a lot of hackers breaking into people's routers. I mean, I would call them attackers. And what they do is change the DNS settings to point users to coronavirus-related sites, you know, and the idea is to push malware. So that's become a frequent thing at many places. And that's a reality. So it's a good time to do that.
You can also consider, actually, if you're not using at least WPA2 or above in terms of encryption for your network, you should start doing that right away. Yeah, thank you. So, as you described the things that we should be doing, like changing the default credentials and using stronger passwords, it reminded me of another very common question, which is: what are some of the bad practices that people often follow with respect to Wi-Fi at their home, maybe due to lack of knowledge or awareness, that actually make it vulnerable? What are some of the common things that attackers do? Kushal, would you like to address this? Like, why is it so easy to attack Wi-Fi devices? What is it that a novice user, a user who is not very comfortable, who is not very security aware, does? What do they take for granted that makes it very vulnerable? I think he's having a bit of voice trouble. Okay, Neelu, would you like to? I think the best thing to do is to not leave it as it is, the way you found it. The way you found it would be when people came down for installation, and the best thing is to not leave it. From time to time you can always log in and, even when you have set the passwords, try to rotate them from time to time. Trying to attract attention to your network is another thing; generally, even in a playful manner, many people do that. I know it's a bit funny, but I'm trying to just address the very, very basic issues that we find. Hello. Hi. Hi, Kushal. So, Kushal, we are talking about what assumptions people go with when it comes to Wi-Fi security which make it vulnerable. For example, one thing which I would like to add from my side is, as Harlow also mentioned and Neelu also mentioned, that it has some default credentials already set, and these credentials are easily available to everybody.
That means it's known to a lot of people, and if we do not change it, many people know that these are the passwords, and attackers know that someone out there might not have changed that default password and someone will get affected, right? So, Kushal, would you like to add on top of this? Yeah, I actually want to bring another angle to this whole discussion: not many people know how to change the passwords on their routers. I don't know how many people actually log into their routers and look. It does look complicated. Yes, and thinking about the situation, let's say for India, where we are having a lockdown: if your router is bricked right now, in my mind that's a much scarier condition than making sure that the router has an updated password. We should do that in an ideal moment, but only if you know what you are doing should you try to do that, like whatever Harlow and Neelu suggested. If you do not know what you are doing, try not to experiment too much with your router right now, because it will be difficult to fix things in this condition. That would be one of my suggestions. But then if they leave it as is, if they leave it with the default password, that also makes them vulnerable, right? Correct, so that's why you have to choose which is worse. Like, you can have a vulnerable router and at the same time make sure all your devices are on a VPN or using Tor or something else. But again, in general, trusting home networks and these cheaper routers which all of us have at home, that's not going to help much. Something that I would love to hear Kushal talk about is endpoint security.
Kushal briefly mentioned using a VPN and Tor, which definitely was the logic that we had before these times, in the BC era, the before-COVID era, where if you were on unsafe Wi-Fi and you had absolutely no control, you used a VPN or you used Tor or you used your mobile hotspot or whatever. But then there's also another layer, which is focusing on the computer that you're using itself. And so that might include employing, I guess, application firewalls or something like that, just to have visibility into what your computer is trying to connect to and saying, no, I don't want it to connect to that, or allowing it if you deem it safe. The first suggestion would be: do not turn off the firewall. That is a bad habit many developers have, because it's much easier to turn off the firewall than to figure out how to open up ports for experiments or for doing work. So that is an absolute must for the firewall part. And then, particularly, let's say I'm choosing an operating system; if you have Windows 10, the default firewall which comes along with it is much better than installing random freely available software from the internet, because you might just install another piece of malware without knowing it. And I don't think we discussed the point which we touched on first for a few seconds, about not clicking links and making sure that, for the kind of work you are doing on your computers, you verify and then click. Trying to use those things will be much more helpful. And because all of us are thinking about many other things than work at the same time, it is not always so easy to understand whether it's a scam or whether it's something actually coming from your colleague in just one look. Even within the last few weeks, I had to read emails again and again to figure out whether they were genuine or not. And then, yeah, the address.
Thank you for helping us move into the next section. That was exactly the next point of discussion: how do users identify that they are under a phishing attack? What does a phishing email look like? What are the symptoms? So, as you mentioned, you had to read it very carefully. So how can a user know, if they have received something in their inbox, whether it is a phishing email or not? What are the symptoms to look for? So I think, generally, and I'll again go with some of the basics that we can do very quickly: when we're reading an email, if it has come from an unknown or anonymous source, or is something you did not ask for, one of the best things is to not open it. And your title and your subject will often say that. A lot of that also applies to the personal mail that we read and go through. The other thing that you can do is try to check the source. You can hover over the links and see what the source is that it is coming from. So who is it actually? And in most cases, if it is an official email ID, or an email ID that you know exactly who it belongs to, and you're expecting that mail, then you can go ahead and open it. But otherwise it's best to leave it at that. These are some of the basic things which are not very easy to bypass; in certain cases you can also compromise or try to bypass some of these things, but it's not very easy. So in a random case where you're getting these random phishing emails, I'm sure you will not be the target, or you will not end up failing that phishing test. There are other things, like, if you're reading the mail, if there is bad grammar, bad spelling, and a bad context or pretext that they create, then you should generally just come out of the mail and maybe delete it or something like that. Yeah, because all the phishing emails are sent by people who don't do much auditing, right? Yeah, so...
Harlow, you have seen a lot of examples. Do you want to share some stories? I don't know. Sure. I would say that, in addition to the tips that Neelu mentioned, the best thing to do is that if you receive one of those things, especially something from a platform like Facebook or Google or something like that, delete it, as Neelu says. But if you're really curious about it, then just open up your browser window, manually type in Google.com, where you're signed in, and there are always going to be notifications that will lead you to anything that needs your attention. If that email were legitimate, those notifications will be mirrored when you go to Google itself, so just manually go to it if you're curious. Otherwise, yeah, delete it, put it to the back of your mind. The only thing that I would say is that we are actually seeing an uptick, at least from my personal perspective, not only at our organization, and I think Kushal can attest, but also with a number of colleagues of mine: we're seeing an uptick in phishing attacks across the information security industry, simply because scammers always worked from home. They've always worked from home. So it's an environment that they are thriving in, and they are capitalizing on the fact that we are all in such shell shock in order to increase the likelihood that we will click on stuff. So it's extra important right now, as we're settling in, one, to just deal with the trauma that this has presented to us, and also to deal with the fact that we have to take care of our own personal digital security now that we're not in office buildings with an IT department right upstairs, and to be more vigilant against the attacks that are capitalizing on those two very salient facts.
And I just wanted to add one thing here, just to show the degree to which the preparedness is there currently for phishing, and this is in a slightly more humorous tone: thousands of suspicious domains have been created in the last couple of months, and that's the degree and the depth of what's going on. Absolutely, and this is a little bit of a messy time, I think, as far as misinformation is concerned, because it's very, very easy to buy up en masse a number of domains that have COVID-19 or coronavirus in the title in order to masquerade as legitimate health sites. And not only health sites, but also sites for public benefit programs that have sprung up around the crisis. And so it's actually really, really important that everybody stays as vigilant as possible against these types of scams, because it is a blooming industry right now, as far as we've heard from the information security perspective. So Harlow, there is one question. I'm receiving a lot of emails coming from, in quotes, GitHub, asking for a lot of details. In the last few weeks, it has increased a lot. So Harlow, there is a question for you. What should news journalists do while interacting with sources who are outing confidential government documents that are illegal? Hello? Yes, hi. Okay, so interacting with sources. That's actually an interesting conundrum. So I don't necessarily know what you mean by illegal documents. I think that also depends on where you are. But something that we at Freedom of the Press Foundation are extremely aware of is the challenges that journalists who normally work from an office and are now working from home still have to do the same interactions with whistleblowers from places where they have less protection.
So this has not happened yet, but you can imagine this will happen, and it's definitely on all of our teams' minds as something that we might have to deal with in the future: if you're working on an investigation, it's trivial for a law enforcement agency to break down your door and confiscate your hard drive, let's say, in your own home, compared with if you were working in an actual office building that has protocols, security, and legal representation all there in house in order to mitigate that threat. And so, like we started out talking about end-to-end encryption, we started out talking about full disk encryption and powering down when you go to the grocery store and things like that. That is the first line of defense there. But also, I think that the practices that we've talked about really are just tools that you have to have in your basket, and you really, really do have to be savvy about those challenges. And also, please do know that Kushal and Neelu and I and the rest of my team, and we have a great team, are available if you have very specific questions about how you need to interact with a specific source under a specific circumstance. And there are a lot of other tools that can help you get that done. Thank you, Harlow. There's another question for Kushal. Should sources trust journalists to keep their IDs secret, or should they always use Tor and solutions like Qubes? The primary point should be: do not mix technology with the journalism work. Like, if you are talking to a journalist, most probably you actually thought about it and then are trying to, you know, let's say you're whistleblowing. And that also depends on the kind of data you want to share with the journalist.
And in many cases, even in this age of all these digital technologies, people use existing tools. For example, I'm giving an example like WhatsApp, which is not secured for that purpose at all. But there are many people who share documents over a tool like WhatsApp, and Tor and Qubes and all those technologies come much later. So it totally depends on what kind of situation you are in and what kind of documents or information you want to share. Using Tor is always good, almost for everything. That should be your default behavior. But while talking to journalists, it again depends on which organization you are talking to, what kind of security practices they follow, what kind of stories they work on. It will depend on that. Like, if you are sharing information about an upcoming movie and what things changed, that might have a different kind of anticipation than something which is of "national interest", in quotes, in India. So you have to figure that out, read a little bit more. Over to you. Harlow, do you want to say something? No, I think that that's really great. Thank you. So we are almost at the end of the session, and I think we should at least touch a little bit on a very common thing which has been happening in the recent past, which is Zoom bombing. So I would like to hear about it from all three of you. Neelu, start. Okay, start bombing from my side. Okay, so I would first like to start off with: we have heard a lot of things around Zoom, and I'm sure there's a lot going on in social media as well, and people are reporting a lot of stuff. But having tested many other channels of communication myself, as product testing and as an external vendor, I do know that there are similar issues with other products as well.
So one of the things that I always say is, you know, that when you are having, or if you plan to use, something in your organization, for example a channel of communication for official communication, it shouldn't just depend on whether the product itself is completely secure out of the box, because no product is secure out of the box. And we know 100% security is a myth. What goes around that is a lot of education and awareness around how you can configure it. So if you do have company-level administration that you can do for the product, try to ensure that everything is enforced in terms of security. So it has to be secure by default, but that comes from tuning and configuring that product, you know, and all the products come with such configuration. And for that matter, Zoom also comes with that configuration. So there are a lot of configuration-level changes which you can make, even as individuals, to make it more secure, so that, first of all, no unknown users are joining your channels, or are not even allowed to hop on unless you are there, and a lot of those things. I'm sure those are details which you can look at yourself. But it's generally product-level awareness that applies to other channels of communication as well. So it's not just video conferencing, also team messaging or file sharing or other things that we do for communication. It applies to that as well. Sure. Thank you. Hello. I was going to say that there are other options to Zoom, so Zoom has its place and I really, really love Zoom. It's a great product. It's really, really easy to use. But as Neelu says, the devil is in the details, or rather the devil is in the defaults. And it really does take time to curate the defaults in order to make that work for you. There are also other alternatives to Zoom.
So sometimes we use something called Jitsi Meet for things that are, you know, private conversations. Maybe you don't need to take it to Zoom. Maybe you could take it to a platform like Wire, for instance. And yeah, so just be aware that you have other options out there with other companies that are equally invested in security and confidentiality. And Riddhi, I would like to add to that as an individual, and I understand from Harlow's words that she was talking about the communication channels. It's easy as an individual also to switch. So we keep switching and hopping on to different kinds of social media platforms that come in. And if required, from time to time we may need to take calculated decisions on which communication channel we need to move to. But it does depend on the kind of data we are trying to share. Yep, that's the best advice. Yeah, so Kushal, I would like you to comment on whether commercial versions of the same software are better when it comes to security than the free versions. Commercial software always has better marketing. That's the only line. Only marketing? Yes, as I'm a free software and open source developer. So for me, when I look at commercial software, most of the time they have a much better marketing team to talk about the things they want to talk about, rather than only security. Zoom is just an example. But if you look at all the other big players when it comes to video conferencing, and how the bigger companies are trying to buy smaller companies out and get access to data, etc., we'll not see any example where those companies are talking about those details. So it's always in the details. Okay. Yeah, so I think, Neelu and Harlow, do you want to add something on this regarding commercial and free versions of software available out there? See, I think I might take it slightly differently.
As you understand, we can never generalize whether commercial is better or free is better. Free is oftentimes more tested, and often these days, with community contributions, it can also be more robust. While we should also understand the limitations of open source, there's a lot of focused effort that's put in not only to make commercial products more secure but also to make them more functional. So there are commercial products that do come with better security configuration options, and there are also open source options available. So I would not like to generalize it. So basically it depends on how you are using it, and you should do your own review and see if it suits the purpose. Just to keep our viewers informed, there will be a session on Zoom next week, same day, which is Wednesday, 9 p.m. So in case you're interested in having a discussion around Zoom, please feel free to attend the session. And I think it's time for us to move towards the closure of this session, and before I hand it back to Anvesha, I would like to hear from all three of you the one most important thing that you think everybody who is watching this discussion should take away with them. So what is that one good habit that people should follow when they're working from home, especially in this crisis-like environment? What would that suggestion be from you to the viewers? So Neelu, we start with you. Hey, cool. So the only thing, if I had to say just one thing, it would be to develop a habit of critical thinking. Whether you're trying to browse websites, you're trying to download apps, you're trying to click on links, or before you make any move, try to develop a habit of a little bit of critical thinking, where you're slightly more vigilant in terms of what action you're going to take, whether that is really necessary, and what that could lead to. Thank you. Kushal, what would you like to add?
What would that habit be that you want your viewers to follow with respect to security practices? Oh, just keep your system updated, and before you click on any link, read the mail twice or thrice. Okay, so do not sign the contract just like that; always read. Harlow, what is that thing that you want to share with the viewers? Remember that our computers and phones are physical devices that we touch a lot, so wash your hands. Wow, that's nice. Thank you. That's the best one, I guess. Yeah, given the current situation, yes, that's very important to remember. And do not touch any other human being next to you with that hand. With this, I think I would like to hand it back to Anvesha. Thank you, Riddhi. Can you hear me? Yes, we can hear you. Thank you for the session. Thank you for wonderfully moderating it while there were many technical aspects going on here. Thank you, Harlow. Thank you, Neelu. Thank you, Kushal. I would like to conclude with a point that people didn't mention: if you have a child at home, what should we do about the security of the device, because the infants try to play flying saucer with it? We are getting all these pictures everywhere that kids are doing it. Anyway, so we would like to announce the discussion which we are going to have on Zoom. It will be happening next Wednesday. Same time, not same time, it's 9 p.m. IST. We are going to have Micah Lee. Micah is the Director of Information Security at First Look Media. He will be interviewed by Vivek. So see you all over there. Thank you everyone for joining the session. Bye. Bye. Thank you. Bye. Thank you. Bye.