This document summarizes security threats and defenses for data scientists. It discusses common attacks like brute forcing passwords, phishing, and spear phishing. It also covers threats from password reuse due to data breaches, man-in-the-middle attacks, internet tracking, physical access to hardware, and USB devices. Defenses include using strong unique passwords, two-factor authentication, encryption, blocking tracking, and avoiding unknown USB devices. The document recommends resources for further learning about data security.
3. Data Security
"Data security means protecting data from destructive forces and from the unwanted actions of unauthorized users"
4. Common myths
● “I have nothing of value. I don’t mind”
● “No one cares, I’m not a target”
● “Nobody would go through the effort of hacking me”
● “If my computer was compromised, I’d know”
● “I have nothing to hide...”
6. Why should you care about security?
● You have access to huge amounts of data
● Malicious individuals interested in personal/private/confidential info
● That info gives access to bank accounts, personal contacts, health conditions...
● Very automated attacks, targeted, high chance of success
8. Attack: Brute-forcing
● Brute-force cracking (e.g. John the Ripper)
– Try all combinations, systematically
● Optimized by prioritizing likely possibilities:
– Frequency tables
– Dictionary attack (word list)
– Most common passwords...
10. Attack: previous data breaches
● Websites are breached all the time
● Those credentials are sold on the black market
● Attacker steps:
– Get/buy credentials
– Try same credentials in other sites
– Surprise!
● Most users re-use passwords :(
● (And most websites have bullshit security)
13. Tool: ‘Have I Been Pwned?’
● https://haveibeenpwned.com
15. Rules for strong passwords
● Use long, complex, random, unique passwords
– Use letters, numbers, symbols
● Size does matter
– High entropy: no patterns
● Patterns will be guessed
– A new password for each service
● A compromised service should not compromise all your services
16. Defense: Use a Password Manager
● To generate new strong passwords
– It’s like using pwgen
● To store your passwords
– All your passwords are different
– Will be encrypted
● To share passwords with your team
● I recommend KeePass
31. Threat: Man-In-The-Middle (MITM)
● Two parties communicate with each other
● Attacker in the middle, relaying messages:
– Gets credentials, can alter messages
32. Attack: all HTTP traffic
● HTTP traffic is not encrypted
● Assume ALL traffic is monitored/MITM’ed
● Wifi hotspots, Schools, Corporate networks...
34. Defense: always use encryption
● Always use SSL: HTTPS instead of HTTP
● As user: install HTTPS Everywhere
– Redirects you to the “safe” version of the site
– Can block insecure sites
● As sysadmin: use LetsEncrypt
– Free SSL certs, easy to install, automated
– Also: set up SSH, VPN...
35. Defense: always use encryption
● As a developer:
– don’t send unencrypted confidential data
– avoid insecure APIs
– sign your git commits using GPG
36. Threat: internet tracking
● Most websites do internet tracking:
– To record your actions, profile you
– To serve (customized) ads
– To send you malware (read: virus, spyware)
● Attackers can target victims and send payloads
39. Threat: Internet of Things
● “The S in IoT stands for Security”
● Mirai botnet caused massive internet outage
40. Threats: physical security
● Protect yourself against nearby attackers
– Use security locks against thieves
– Be aware of over-the-shoulder eavesdroppers
– Be aware of your webcam
● “Evil Maid” attack:
– When you leave your laptop in your hotel room...
45. Attack: USB Killer
● When plugged in, it rapidly charges its capacitors from the USB power lines
● When charged, -200VDC is discharged over the data lines of the host device
● RIP host device
48. More resources
● Courses:
– Surveillance Self-Defense, from the EFF
– CS 88S: Safety in the Cloud, from UCLA
● People to follow:
– Bruce Schneier
– Brian Krebs
– Troy Hunt
49. David Arcos - @DZPM Security for Data Scientists – #PyDataBCN
Thanks for attending!