This document summarizes security threats and defenses for data scientists. It discusses common attacks like brute forcing passwords, phishing, and spear phishing. It also covers threats from password reuse due to data breaches, man-in-the-middle attacks, internet tracking, physical access to hardware, and USB devices. Defenses include using strong unique passwords, two-factor authentication, encryption, blocking tracking, and avoiding unknown USB devices. The document recommends resources for further learning about data security.

1. David Arcos - @DZPMSecurity for Data Scientists – #PyDataBCN
Security for Data Scientists
PyDataBCN 2017: Closing Act
David Arcos
CTO at

2. Abstract
Handling confidential data
attracts unwanted attention
from hostile attackers :(
We’ll see threats, attacks,
defenses & tools

3. Data Security
"Data security means protecting data
from destructive forces and from the
unwanted actions of unauthorized users"

4. Common myths
●
“I have nothing of value. I don’t mind”
●
“No one cares, I’m not a target”
●
“Nobody would go through the effort of hacking
me”
●
“If my computer was compromised, I’d know”
●
“I have nothing to hide...”

6. Why should you care about security?
● You have access to huge amounts of data
● Malicious individuals interested in
personal/private/confidential info
● That info gives access to bank accounts,
personal contacts, health conditions...
● Very automated attacks, targeted, high chance
of success

7. Threats: Authentication
●
Attacker will try to guess your weak password
●
You need to secure your strong password

8. Attack: Brute-forcing
●
Brute-forcing cracking (i.e: John the Ripper)
– Try all combinations, systematically
●
Optimized by prioritizing likely possibilities:
– Frequency tables
– Dictionary attack (word list)
– Most common passwords...

9. Most common passwords...

10. Attack: previous data breaches
●
Websites are breached all the time
●
Those credentials are sold in the black market
●
Attacker steps:
– Get/buy credentials
– Try same credentials in other sites

11. Attack: previous data breaches
●
Websites are breached all the time
●
Those credentials are sold in the black market
●
Attacker steps:
– Get/buy credentials
– Try same credentials in other sites
– Surprise!
●
Most users re-use passwords :(
●
(And most websites have bullshit security)

13. Tool: ‘Have I Been Pwned?’
●
https://haveibeenpwned.com

15. Rules for strong passwords
●
Use long, complex, random, unique
passwords
– Use letters, numbers, symbols
●
Size does matter
– High entropy: no patterns
●
Patterns will be guessed
– A new password for each service
●
A compromised service should not compromise all
your services

16. Defense: Use a Password Manager
●
To generate new strong passwords
– It’s like using pwgen
●
To store your passwords
– All your passwords are different
– Will be encrypted
●
To share passwords with your team
●
I recommend KeePass

17. This is not a password manager!

18. NOPE!

19. Threat: Phishing
Attacker disguises as a trustworthy entity,
to obtain your sensitive information
by tricking you

20. It’s a trap!
Sadly, phishing is not this obvious (anymore)

21. Everybody can be phished
Source

23. Looks legit! It’s not :(
Source: twitts from @tomscott

24. Check the url and the “lock”

25. WRONG! Homograph attack
Source: Phishing with Unicode Domains
аррӏе.com != apple.com

26. Attack: Spear-phishing
●
Targeted attack
●
Attackers gather personal information about
their target
●
Very successful

27. Attack: CEO Fraud / Whaling
"Please make a huge $ transfer to this unknown company - Boss"

28. Defense: Two-Factor Auth (2FA)
●
Something you know + something you have
– SMS (but it’s complicated… avoid if possible)
– TOPT app: Google Authenticator, Authy…
– TOPT hardware: FIDO token, Yubikey
●
Check support for major sites:
– https://twofactorauth.org

29. Tool: Google Authenticator
●
Mobile app
●
Use code when login
●
Code change each
few seconds

30. Tool: U2F key

31. Threat: Man-In-The-Middle (MITM)
●
Two parties communicate between each other
●
Attacker in the middle, relaying messages:
– Gets credentials, can alter messages

32. Attack: all HTTP traffic
●
HTTP traffic is not encrypted
●
Assume ALL traffic is monitored/MITM’ed
●
Wifi hotspots, Schools, Corporate networks...

33. ENCRYPT ALL THE THINGS!

34. Defense: always use encryption
●
Always use SSL: HTTPS instead of HTTP
●
As user: install HTTPS Everywhere
– Redirects you to the “safe” version of the site
– Can block insecure sites
●
As sysadmin: use LetsEncrypt
– Free SSL certs, easy to install, automated
– Also: set up SSH, VPN...

35. Defense: always use encryption
●
As a developer:
– don’t send unencrypted confidential data
– avoid insecure APIs
– sign your git commits using GPG

36. Threat: internet tracking
●
Most websites do internet tracking:
– To record your actions, profile you
– To serve (customized ) ads
– To send you malware (read: virus, spyware)
●
Attackers can target victims and send payloads

37. Beware of malware ads!

38. Defense: block tracking
●
Install anti-tracking extension in browser:
– uBlock Origin
– Disconnect.me

39. Threat: Internet of Things
●
“The S in IoT stands for Security”
●
Mirai botnet caused massive internet outage

40. Threats: physical security
●
Protect yourself against nearby attackers
– Use security locks against thiefs
– Be aware of over-the-shoulder eavesdroppers
– Be aware of your webcam
●
“Evil Maid” attack:
– When you leave your laptop in your hotel room...

41. Defense: Full Disk Encryption

42. Defense: Mark tapes his webcam
(be like Mark!)

43. Attack:
Exploding USB
●
1) Insert USB stick
●
2) Kaboom!
Just kidding, it’s a joke ;-)

44. Attack: BadUSB (BlackHat 2014)

45. Attack: USB Killer
●
When plugged, it rapidly charges its capacitors
from the USB power lines
●
When charged, -200VDC is discharged over the
data lines of the host device
●
RIP host device

46. Defense: avoid unknown USBs
:(

47. Physical access to HW = Game over

48. More resources
●
Courses:
– Surveillance Self-Defense, from the EFF
– CS 88S: Safety in the Cloud, from the UCLA
●
People to follow:
– Bruce Schneier
– Bryan Krebs
– Troy Hunt

49. David Arcos - @DZPMSecurity for Data Scientists – #PyDataBCN
Thanks for attending!