web security overview – on digital identities - GTUG

Web 2.0 Technology
by
GTUG-Addis
March 5, 2011
Contents
Introductions
Gtug-addis
Who am I ?
What is this presentation about ?
What is Web 2.0 ?
Advanced searches
Real Time
Comparative/computational searches
Social networking tools
Securing your wordpress blog
GTUG-Addis
GTUG - Google Technology Users Group
GTUG-addis is a group dedicated to Addis technology enthusiasts and
professionals coming together to share their knowledge. The
moderators of this site come from different walks of technology life
(software, hardware, network and security), so feel free to ask
questions and make suggestions.
GTUG-addis will contribute to society (students, professionals or
anyone in technology) with trainings and consulting.
Who Am I ?
Fitsum Assalif
Electrical Engineering + CCNA + SCNA + MCITP + GPEN
Enterprise systems ( Windows, Linux/Unix)
and Security (Ethical hacking and penetration
testing)
I like to participate in groups/associations for
sharing knowledge and contributing what I
know
I am not always correct! So let me know if I
What is this presentation about ?
It is about
Introducing GTUG-addis
Basic online security, social networking and web 2.0 tools and tips
A chance to discuss/request any type of technical collaboration
with/from GTUG-addis
It is not about
Coding /web design
What is web 2.0 ?
“ The term Web 2.0 is associated with web applications that facilitate
participatory information sharing, interoperability, user-centered
design, and collaboration on the World Wide Web. A Web 2.0 site
allows users to interact and collaborate with each other in a social
media dialogue as creators (prosumers) of user-generated content in
a virtual community, in contrast to websites where users (consumers)
are limited to the passive viewing of content that was created for
them. Examples of Web 2.0 include social networking sites, blogs,
wikis, video sharing sites, hosted services, web applications, mashups
and folksonomies. “ Wikipedia
Advanced Searches
Real Time Search
Searching real-time updates from public tweets and Facebook posts
Using the normal web searches:
Google (use the Realtime option)
Bing (social search and Twitter maps)
Social networking searches
Openbook - http://openbook.org/
Tweetmeme - http://tweetmeme.com/
Picfog - http://picfog.com/
Comparative/computation searches
Statistical, comparative and trends
Comparative/computational
Wolfram Alpha ( http://www.wolframalpha.com/ )
Google trends ( http://www.google.com/trends )
Google Squared ... (in Labs and a little complicated currently)
Public Data
Google public data explorer
( http://www.google.com/publicdata/directory )
Social networking tools
If you want to see all your social network account updates,
notifications and messages in one window like me!
TweetDeck (https://www.tweetdeck.com/)
Desktop, Android, Chrome... coming to iPhone and iPad
Yoono (http://yoono.com/)
Chrome, Firefox, iPhone, iPod touch, iPad
Windows, Mac and Linux
Securing your wordpress blog
Why would anyone want to attack my blog ?
There is nothing valuable on my blog !
I only have very few visitors !
I turned off comments, I am secure !
Not necessarily. An attacker will use your blog to upload or inject:
spam URLs
malware files
DoS capacity (compromise 100 small blogs and inject a link/script that
launches 10 instances from each: 1000 attack sources aimed at one target)
1- DO NOT USE THE DEFAULT ADMIN ACCOUNT
Create a new account
Choose a username that is hard to guess (not admin, administrator or
your blog's name)
Assign the new account the Administrator role
Log out and log back in with the new account
Delete the original admin account (when WordPress asks, attribute its
posts to the new account so no content is lost)
2- USE STRONG PASSWORDS
Mix upper and lower case letters, digits and symbols
Create random passwords (e.g. goodpassword.com)
Or convert existing ones into complex ones:
password -> P@55w0rd
Ilovemom -> 1L0v3M0m
Caveat: substitutions like @ for a and 0 for o are the first rules a
password-cracking tool tries, so a converted dictionary word is far
weaker than a random password of the same length. Prefer long random
passwords.
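Added example (not from the slides): the difference between a random password and a "converted" one, in Python with the standard library only, so the password is generated locally rather than by a website. The LEET table, the 88-character alphabet and the 100,000-word dictionary size are assumptions of this example.

```python
import math
import secrets
import string

# Alphabet the slide recommends: upper and lower case, digits and symbols (88 characters).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/"

# The substitutions behind "password -> P@55w0rd": an assumed table for this example,
# and also the first rules a cracking tool applies to every word in its wordlist.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}


def generate_password(length: int = 16) -> str:
    """Draw a password uniformly from ALPHABET using the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def leetify(word: str) -> str:
    """Mechanically apply the slide's substitution trick to a dictionary word."""
    return "".join(LEET.get(c.lower(), c) for c in word)


def leet_entropy_bits(dictionary_size: int) -> float:
    """Effective entropy of a leet-converted dictionary word against a rule-based attack.

    The attacker only has to try every dictionary word with every subset of the
    substitutions applied, so the search space is dictionary_size * 2**len(LEET)
    candidates, not 88**len(word).
    """
    return math.log2(dictionary_size * 2 ** len(LEET))


if __name__ == "__main__":
    pw = generate_password(16)
    print(f"random 16-char password: {pw} (~{random_entropy_bits(16):.0f} bits)")
    print(f"converted word: {leetify('Password')} "
          f"(~{leet_entropy_bits(100_000):.0f} bits against a 100k wordlist)")
```

A 16-character random password from this alphabet has about 103 bits of entropy; a converted dictionary word is searched in a few million guesses, which a GPU cracker finishes in well under a second for common hashes.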
3- KEEP WP and PLUGINS UPDATED
Update WP Core
Code
Keep theme files
current
Keep all plugins
current
4- REMOVE THE WP VERSION FROM HEADERS
Viewing source on most WP sites reveals the version they are running:
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
This helps attackers pick the exploits that match your version easily
(hiding the version only slows them down; step 3, updating, is what
removes the vulnerability).
Themes and plugins might also display their versions in your header,
for example as ?ver= query strings on script and stylesheet URLs.
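Added example, not from the slides, in Python with the standard library only: a scanner that reports every version number a WordPress page source leaks, both the generator tag and the ?ver= query strings on theme, plugin and core asset URLs. The two HTML samples are constructed for this example; the host blog.example and the theme and plugin names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed "view source" of an unhardened WordPress site (not a real site).
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
<link rel="stylesheet" href="http://blog.example/wp-content/themes/twentyten/style.css?ver=1.0" />
<script src="http://blog.example/wp-includes/js/comment-reply.js?ver=2.8"></script>
<script src="http://blog.example/wp-content/plugins/contact-form-7/scripts.js?ver=2.1.2"></script>
</head><body></body></html>"""

# The same page after removing the generator tag and the ?ver= query strings.
HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/twentyten/style.css" />
<script src="http://blog.example/wp-includes/js/comment-reply.js"></script>
<script src="http://blog.example/wp-content/plugins/contact-form-7/scripts.js"></script>
</head><body></body></html>"""


def classify_asset(url: str):
    """Map an asset URL carrying ?ver= to (component, version), or None."""
    parts = urlparse(url)
    ver = parse_qs(parts.query).get("ver")
    if not ver:
        return None
    m = re.search(r"/wp-content/(themes|plugins)/([^/]+)/", parts.path)
    if m:
        return (f"{m.group(1)[:-1]}:{m.group(2)}", ver[0])  # theme:NAME / plugin:NAME
    if "/wp-includes/" in parts.path or "/wp-admin/" in parts.path:
        return ("core", ver[0])
    return None


class VersionLeakScanner(HTMLParser):
    """Collects every place the page advertises a version number."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("generator", a.get("content") or ""))
            return
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            hit = classify_asset(url)
            if hit:
                self.findings.append(hit)


def scan_for_versions(html: str) -> list:
    """Return [(component, version), ...] leaked by the page source."""
    scanner = VersionLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_HTML), ("hardened", HARDENED_HTML)):
        print(label, scan_for_versions(page))
```

Run it against your own blog's saved page source after hardening; it should return an empty list. On a real WordPress install the generator tag is removed with remove_action('wp_head', 'wp_generator') in the theme's functions.php, and the ?ver= strings can be stripped with filters on script_loader_src and style_loader_src; both hooks are standard WordPress, not something this example defines.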
5-USE SECURITY PLUGINS
WordPress Security Scan
WordPress Exploit Scanner
WordPress File Monitor
Login Lockdown Plugin
6 - ...
Use secret keys (set unique AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
and NONCE_KEY values in wp-config.php)
Hide your plugin directory
Edit configuration files to change default names/values before
installation, e.g. the table prefix wp_ to something unique like axc_
Check Google Webmaster Tools to see if your site has been compromised;
it will tell you why
BACKUP … BACKUP and
And If you still get HACKED ?
Give up and Join the Circus !
Using Public Internet/Computers
and Security
Purpose of this topic
...is to scare the wp_crap out of you!
Using Public Internet
Public Internet: Open and shared by anyone
(mostly Wi-Fi)
Cafes, Internet Cafes, Hotels,Libraries, and open
spaces
Advantage
Open access to anyone
Don't have to carry your dongle anywhere
Increases internet access coverage for the public
Risks
Using Public Internet
Open Wi-Fi
Problem: anyone with basic internet and computer knowledge on the same
connection can capture your unencrypted session cookie and take over
your account
Solution: use full SSL (HTTPS) communication with every service you
use online
Account Settings > Use SSL (Gmail, Hotmail, Facebook ...)
Firefox users: HTTPS Everywhere
Chrome users: Prefer HTTPS, SSL Enforcer
IE users: :(
Firesheep (a Firefox extension that captures session cookies on open
Wi-Fi automatically)
MITM (man-in-the-middle attacks)
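Added example, not part of the slides: what a sniffer on the same open Wi-Fi sees, in Python with the standard library only. The packet payloads, hosts and cookie values are constructed for this example, and the set of session cookie names is an assumption. extract_session_cookies does by hand what Firesheep automated; audit_set_cookie is the check a site operator runs on its own Set-Cookie header to make sure the cookie can never travel over plain HTTP.

```python
import re

# Constructed payloads as captured on a shared Wi-Fi network (not real traffic).
# Each entry: (client, server host, server port, TCP payload).
CAPTURE = [
    # Plaintext HTTP: the session cookie is readable by anyone on the network.
    ("10.0.0.7", "mail.example", 80,
     b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: SID=a1b2c3d4; lang=en\r\n\r\n"),
    # Same user logging in to a WordPress blog, also over plain HTTP.
    ("10.0.0.7", "blog.example", 80,
     b"GET /wp-admin/ HTTP/1.1\r\nHost: blog.example\r\n"
     b"Cookie: wordpress_logged_in_9f86d081=admin%7C1299283200%7Cabc; wp-settings-1=x\r\n\r\n"),
    # HTTPS: a TLS handshake record (type 0x16, version 3.x); the request inside is opaque.
    ("10.0.0.7", "mail.example", 443,
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 43),
]

# Assumed list of cookie names that carry a login session.
SESSION_COOKIE_NAMES = {"sid", "phpsessid", "jsessionid", "sessionid"}


def is_session_cookie(name: str) -> bool:
    n = name.lower()
    return n in SESSION_COOKIE_NAMES or n.startswith("wordpress_logged_in")


def is_tls(payload: bytes) -> bool:
    """TLS records start with a content type byte (0x14-0x17) and major version 3."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def extract_session_cookies(capture) -> list:
    """Return (host, cookie_name, value) for every session cookie sent in the clear."""
    stolen = []
    for _client, host, _port, payload in capture:
        if is_tls(payload):
            continue  # encrypted: nothing to read
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue
        m = re.search(r"^Cookie: (.+?)\r?$", text, re.MULTILINE)
        if not m:
            continue
        for pair in m.group(1).split(";"):
            name, _, value = pair.strip().partition("=")
            if is_session_cookie(name):
                stolen.append((host, name, value))
    return stolen


def audit_set_cookie(header_value: str) -> list:
    """Return the attributes a session cookie should carry but lacks.

    Secure stops the browser from sending the cookie over plain HTTP at all;
    HttpOnly keeps it out of reach of injected scripts.
    """
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]


if __name__ == "__main__":
    for host, name, value in extract_session_cookies(CAPTURE):
        print(f"hijackable session on {host}: {name}={value}")
    print("missing attributes:", audit_set_cookie("SID=a1b2c3d4; Path=/"))
```

The stolen value is all an attacker needs: pasting it into their own browser's cookie store logs them in as you, without ever knowing the password. The HTTPS request in the capture yields nothing, which is why the slide's "use SSL everywhere" advice works; the Secure attribute is the server-side counterpart that makes the browser refuse to send the cookie in the clear even if a link downgrades you to HTTP.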
Using Public Computers
Risks
Key loggers: software recording every keystroke you make
Cookies left on the computer
Solutions:
If you have to use the internet in a place whose reputation you are
not sure about, use your own browser on a USB drive together with a
keystroke scrambler
Firefox add-on: "KeyScrambler"
Basic Online and Offline Security
measures
DATA Types
Data in Use
Data in Motion
Data at Rest
Security
Online security
Data loss / leak prevention (DLP)
Online Security
Protecting your credentials as well as data while you
are online
OS Hardening
Disable unnecessary services
Updates and patches must be applied
Anti-malware systems (anti-virus, anti-spam, firewall, HIDS)
Browser security
Latest updates
Firefox: NoScript, WOT (Web of Trust), BetterPrivacy, Adblock,
Flashblock, Ghostery
Offline Security
OS Hardening
Encryption:
Partition: encrypt a separate partition for secure data storage
File container: a single encrypted file that mounts like a folder and
holds other files; can be created on a computer or on removable media
Full disk: encrypt the whole computer disk, so everything at rest
(including swap and temporary files) is protected if the machine is
lost or stolen
Questions ?
Thank You !