 Next up we have How to Prepare for Internet Privacy at College by Patrick McCanna. Alright guys, we're moving really fast. I was trying to present some videos today and they're gonna be a little tricky, but we'll work it out. So how many of you guys have been hacked? Excellent! You should feel proud of that fact. How many of you guys are thinking about going to college? College is a den of scum and villainy and you're gonna be on networks with lots of interesting people. And there's gonna be lots of interesting opportunities for bad people. And so today I wanna share a few tips on how to avoid getting hacked at college. College is a cool place because it makes a lot of sense. There's gonna be some interesting opportunities for social engineers. But these rules apply outside of college as well. So if you're not thinking about college yet, don't feel bad. These rules still apply. So I'm gonna talk about six things today. Software updates, sharing your computer with other people, avoiding social engineering, privacy on the web, passwords and application safety. So we'll bust into a bad thing. We'll talk about how to avoid the bad thing. And I'm gonna show you what the bad thing looks like. So you'll also get to learn about some of the tools that bad guys use for doing the reverse engineering and the tools that the good guys use to keep people safe. So we're gonna do real world stuff here. Please do not do anything on someone else's computer. You can do it on your own computer. You can do it on your friend's computers with permission. But you never do this at a high school network. You never do this at college networks. And always, always, always just stay focused on your own machine. So the number one thing that you can do to stay secure on the internet is software updates. Does anyone know what a software update is? Old people do. Do any young people do? Yeah? So that comes in two forms. There are operating system updates. 
So that's when your Android or your iOS phone says, hey, I got a new version. And then there are application updates. You need to do both. If you see that your phone says that there are updates available, that's a really good thing. That means that that vendor is working hard to get security fixes out into your hands. So software updates, if you do nothing else, this is the bare minimum. As soon as they're available, you apply them. And in fact, this week, there's a nasty iOS bug that came out. It's actually a Broadcom bug that you can have your phone get attacked without actually attaching to a Wi-Fi network. A software update came out earlier this week. If you applied that update, you would be in a much safer state at DEF CON. So software updates are super critical. Now, why is this important? Because there are tools that are out there that allow hackers to scan for vulnerabilities. And many of these tools are easy to run by people who are script kiddies. And so here I've got an example of an open source tool called OpenVAS that you can download. There are VM images that you can use to experiment with. And you can grab an IP address, point the scanner at that IP address, and find all the ways that you could potentially attack that device from a networking perspective. So the cool thing here is, again, if you do software updates when somebody runs this scan against your computer, they're not going to have all these cool new ways to get access to it. So another cool thing you're going to run into in college is you're going to have friends who are going to have some reason that they can't use their own computer. And they're going to want to say, hey, can I come over and borrow your computer for a few hours to work on my term paper? That's really a good thing. You're probably making friends. And it's good to have trust with your friends. It's also important to recognize that you're giving them a lot of power. 
Your friends could accidentally install malicious software, or they could be less friendly than you think, and they could install spyware on your computer. So that's a bad thing. They could copy sensitive files off of your computer. And they could also go through your browser and go through your browser history, grab cookies from your logged in websites, and they can even do things like extract passwords from your browser if you save your passwords in your browser. I'm hoping to show you that in a second. We'll see how that works. So it's a bad thing to share your computer. It's also a good thing, but there are ways to mitigate the risks. The one thing you can do is create temporary guest accounts for your friends. You never let them log in on your own account. And the reason is because no matter how good you think you are about keeping private files out of reach of your friends, you're going to make a mistake. So create an isolated guest account so that people can make mistakes and it doesn't affect you. Never ever share your password. Never set up network file sharing. Someday you're probably going to take computer science classes and you will learn about this. And there are safe ways to do it, but everyone forgets that they turned on file sharing. So the best rule of thumb is don't use file sharing, set up a separate server, do something with a Raspberry Pi so you don't accidentally share your whole computer. Never let them use their computer under your own account. Oh, and one other thing, I know a lot of kids are interested in incognito mode or the private modes on the browsers and how does that protect your privacy? And the thing is, what it does is it deletes your browsing history. It can make your cookies go away so that nobody knows what sites you previously logged into, but it's still not technically private. The web server knows that your IP address accessed that site at a time. They know what resources you accessed. 
Do Not Track is kind of an agreement and not all websites have to honor the Do Not Track rules. So it's a thing that kind of keeps your local account safe, but if you're using guest accounts, that's the thing to do. Incognito mode is not really an effective privacy strategy. So I'm going to post my slides online later because obviously these URLs are crazy, but if you don't know how to create guest accounts in Windows or Mac OS X, there are great instructions online from Microsoft and Apple on how to do that. Okay, so I want to show extracting a password from an existing browser session. We'll see how this works. This might not work. Okay, so it's not going to work, but what I'm going to tell you is you can use Chrome dev tools to go into a website that has the password stored in it. And you can use dev tools to change a div type of a password input field. That's the thing that makes the stars to a text input field. And so immediately when you go back into the browser, you're going to see the password that whoever logged in or stored their password, what they used. And so this is just like one example of a way a credential can get taken off of a device. There are some other interesting ways as well. So another thing I want you to think about is you're going to get to go to college and you're going to have an orientation experience and people are going to do all this cool ice breaking. And what's interesting is for a social engineer they manipulate people into persuading them into giving up sensitive information. And so on your first day at college when people are trying to make new friends they're going to have these group sessions where people ask you questions like where'd you grow up? What kind of music do you like? Do you have any pets? Is there a favorite book or a movie? And I'm sure you guys probably already share that kind of information with your friends anyways. 
But as you get older and you start creating accounts on websites and banking sites you're going to be asked password reset questions and all of the types of questions that are going to be coming around in college orientation are going to get populated here. And so the secret here is you don't use password reset questions like this. This is from Yahoo and what's cool about Yahoo is they had the opportunity to type your own question in here. So when we craft that question it should make no sense to anyone but you. No one should be able to reverse engineer what the answer was to your question. Not all websites use this so you're going to have to use some other strategies as well. Another thing is watch your email. If you are seeing password reset emails unexpectedly don't do anything with those. That might be a phishing email but it also might be telling you that one of your hacker friends is bumping your account and they're trying to see whether or not they can get access to your account. So password resets they're not necessarily bad but if you aren't expecting them delete them, ignore them and move on. You might even consider changing your account on the existing application. You should know about hovering over links to validate that a link actually goes to a given address. So in this example we got free relicswatches.com in the browser but if you actually hover over it's going to go to PC world. And this is a common thing for phishers to be using. So be careful about your password reset questions. Does everyone know what two factor authentication is? Yes, yes, yes. Yes, so make sure your email, your social network accounts, those that support it, set up two factor authentication either with SMS or with an independent mobile app. Yeah. Two factor authentication is when you log into a site you submit your username and your password and then it sends a second message to you in an independent channel to validate that someone didn't steal your password. 
So if I know your phone number if you log into my website you submit your password I know you might be you. But I'm going to send a text message to your phone under the theory that no one stole your phone and it's going to have a number in it and then you're going to enter that number into the web field and that's the second factor this is the second proof of your identity. It's not fool proof but it is the basic thing you should do for all email and social networks. Okay, so the next thing is a college network is going to have lots of computer science students on it and they can scan the network and they might even be able to intercept traffic. So the big thing is you want to know how to troubleshoot or validate HTTPS is in play. So the big thing is you should know how to look at the browser bar and identify bad SSL. So there's a website at badssl.com that shows you all of the different types of TLS certificate errors so you can go and see a bunch of them. Is this first site secure? Why is it secure? Because why? Because it says secure right, trustworthy internet. It's secure because the browser does a cert exchange and validates a cert. This green icon in Mozilla Firefox that is engineered to never show up unless the cert is properly validated. What's funny is that there's another HTTPS site here, mixed.badssl.com. No green icon. Clearly using HTTPS. But what's happening is that there's some unencrypted content on that website. So always know how to check the browser bar and look for the green lock. If you don't do that, so here we have a web form and obviously no HTTPS, no green lock. And it's asking for a password. And so in this scenario someone who's on the network running a tool called Wireshark is able to intercept that traffic. My videos aren't playing but in a Wireshark session it's two packets. It's very easy to see the password that was submitted when I hit submit. And in this case my password is my password with a zero. Super trivial. 
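The two things to look for in the browser bar, as a small added check that is not part of the talk (function names, sample HTML and URLs are mine): a form that would send a password over plain HTTP, which is what Wireshark reads in the clear, and an HTTPS page that loads unencrypted resources, which is why the green lock disappears on the mixed-content page.

```python
"""Added example, not from the talk: an offline checker for the two things the talk
shows in the browser bar, a login form that would POST a password over plain HTTP
and an HTTPS page pulling unencrypted sub-resources. Sample HTML is constructed."""
import re
from urllib.parse import urljoin, urlparse

FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
PASSWORD_INPUT_RE = re.compile(r'<input\b[^>]*type\s*=\s*["\']password["\']', re.I)
ACTION_RE = re.compile(r'\baction\s*=\s*["\']([^"\']*)["\']', re.I)
# Tags whose src/href the browser fetches while rendering the page (not <a> links).
RESOURCE_TAG_RE = re.compile(r"<(?:script|img|iframe|link)\b([^>]*)>", re.I)
URL_ATTR_RE = re.compile(r'\b(?:src|href)\s*=\s*["\']([^"\']*)["\']', re.I)

def plaintext_password_forms(page_url, html):
    """Absolute action URLs of forms that carry a password field but would
    submit it over http://, i.e. readable by anyone capturing the traffic."""
    hits = []
    for form in FORM_RE.findall(html):
        if PASSWORD_INPUT_RE.search(form):
            m = ACTION_RE.search(form)
            target = urljoin(page_url, m.group(1) if m else "")  # empty action = same page
            if urlparse(target).scheme == "http":
                hits.append(target)
    return hits

def mixed_content(page_url, html):
    """For an https:// page, the sub-resources loaded over http://; a single one
    of these is enough for the browser to drop or warn on the secure indicator."""
    if urlparse(page_url).scheme != "https":
        return []
    bad = []
    for attrs in RESOURCE_TAG_RE.findall(html):
        for value in URL_ATTR_RE.findall(attrs):
            full = urljoin(page_url, value)   # "//host/x" resolves to https here
            if urlparse(full).scheme == "http":
                bad.append(full)
    return bad

# Constructed sample pages (not real sites).
LOGIN_URL = "http://intranet.example.edu/login"
LOGIN_HTML = ('<form method="post" action="/session"><input name="user">'
              '<input type="password" name="pass"><button>Go</button></form>')
PORTAL_URL = "https://portal.example.edu/home"
PORTAL_HTML = ('<link rel="stylesheet" href="/static/site.css">'
               '<script src="http://cdn.example.net/analytics.js"></script>'
               '<img src="//images.example.edu/logo.png">'
               '<a href="http://example.edu/help">help</a>')

if __name__ == "__main__":
    print("password sent over HTTP:", plaintext_password_forms(LOGIN_URL, LOGIN_HTML))
    print("mixed content on HTTPS page:", mixed_content(PORTAL_URL, PORTAL_HTML))
```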
You guys can do this on your own computers right now if you set up an unencrypted website. So it's super easy to extract secrets from unencrypted sessions. So we always look for the green lock in TLS. So you're not always responsible for a stolen password. You can do everything right and a website can still get compromised and your account can get hacked. So plan for the fact that your passwords will get stolen. Make sure that you never ever reuse a password on a different site. Don't create your own personal algorithm for patrick.facebook password. patrick.gmail password. Use password management tools to generate random passwords and set them up to sync to your mobile device so you always have access to them. A cool site, you can submit your email address to HaveIBeenPwnedOrNot.com or HaveIBeenPwned.com to see whether or not any sites have lost your account information. This is cool. So when I was about your guys' age I started reading IETF RFCs to try to understand how the internet works. So again, I'll share these links later. This is super advanced reading but it's never too soon to start reading the specs that actually define how the internet works. Another cool thing you can do is actually check certs but because my videos aren't working that's not going to show. So you can troubleshoot why you see a red lock even when you go to an HTTPS site if you know how to check certificates. Okay so second to last is mobile safety so apps. That's the big topic. Jailbreaking or rooting your phone breaks all of your security and privacy assumptions. So while that's a powerful tool and you can learn interesting things just understand that you are damaging your security when you do that. In the android world you can install applications outside of the Play Store using unknown sources. It allows you to download apps from the Play Store and you may have used that to find pirated games. This is always dangerous. This is the way that people get malware in the android ecosystem. 
So be very wary about using unknown sources. Pay attention to your app permissions so it's going to say I'm going to use the microphone, I'm going to use the camera if you're not comfortable with that don't install the app. One thing I know a lot of kids like snapchat, these pictures they will eventually expire. They can break how the photo expiration works. So I don't think that using expiring photo sharing apps is ever a good idea. Those photos will never stay private. And the problem is again, you'll never know if you're sending something to someone with a jailbroken phone. Okay so that's basically it. So the six rules here keep your software up to date OS and applications. Don't share access to your computer except account. Be careful about social engineering. Always check for SSL. Don't reuse passwords ever and think twice about which apps you trust. If you're interested, I will share a link to my presentation on Twitter later. This is my contact information. I hope this was helpful. Thanks everybody, have a great r00tz.