Wednesday, August 26, 2015

Security Practitioners: Eat Your Own Dogfood!

Josh Sokol presented at the Austin OWASP chapter meeting in August.  His talk was about how we should set a better example for colleagues as security practitioners by using a security-sensitive thought process in our day-to-day lives.
A recording of his talk is available at https://vimeo.com/channels/owaspaustin (the Austin OWASP Vimeo channel). We had a good turnout for the talk, and the audience interaction was great!
Here are some of his key points:

In the Car

  • Don’t indulge in bumper stickers that give away too much information. There are a lot of bad guys running around who can use it for evil purposes.
  • Don’t leave valuables in your car. It gets the interest of the wrong element.
  • Keep an eye on the neighborhoods you travel through, and notice when you need to get out of a bad one.
  • Don’t leave your garage door opener in the car. It’s a simple matter for bad guys to get your codes from it and possibly break into your house via the garage.
  • Get a car safety hammer, window breaker and seatbelt cutter.

House – think about deterrents

  • Have an escape plan in case of an emergency.
  • Even if you don’t have an alarm system like ADT, be sure to get some of their signs/stickers.
  • If you have an alarm system, make sure you set up a panic code. That’s a code you use if the bad guy forces you to disable the alarm, and it sends a distress call while appearing to simply disable.
  • Get good door locks! Guys like Jgor can get through the cheap ones in 30 seconds.
  • Get motion lights.
  • Get a camera surveillance system. They are cheap now.
  • Get a “Beware of Dog” sign, even if you happen to be a cat person.
  • Consider getting a device to separate your cable modem from your router, like the PA-200. That way, you don’t have to trust your ISP, and you can allow guest access to the Wi-Fi in your house without worries.
  • Back up the backup of your backups.
  • Use WPA2 encryption.
  • Have a fireproof safe.
  • Have a week’s worth of home rations.
  • Have a “bug out” bag and location decided.

At Work

  • Keep your desk clean.
  • If in doubt, take your computer with you wherever you go.
  • Shred sensitive documents.
  • Don’t leave valuables unattended.
  • Don’t expect the police to help you with a stolen cell phone; even if you can track it, they will not help. Get set up for remote wipe instead.

Your Computer

  • Check before clicking.
  • Check to make sure it’s HTTPS.
  • Know what you’re running.
  • Cover your camera.
  • Disable JavaScript.
  • Use 2-step verification.
  • Use KeePass; it’s free and open source.
  • Don’t use a bank debit card; all the liability is on you.
  • Use one card for in-person transactions; consider a card with a Virtual Account Number.
4 comments:

  1. "Don’t use a bank debit card – all the liability is on you"

    Absolutely NOT true.

    The Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) offer protection if your credit, ATM, or debit cards are lost or stolen.

    "ATM or Debit Card Loss or Fraudulent Transfers.
    If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:

    If you report before any unauthorized charges are made, your maximum loss is $0:

    If you report within 2 business days AFTER YOU LEARN ABOUT the loss or theft, your maximum loss is $50"

  2. Hi baze, thanks for the comment. I agree, if you can report in time, and you're very legally astute, you can probably get your money back. BUT, I've tried to report fraudulent activity on my bank debit card and they are none too helpful. Contrast this with the credit cards - they have you fill out some online forms and credit you while they investigate. The other thing is, with credit cards you get those loyalty programs with cash or miles back. So I'm leaning toward Josh's advice, and only using the debit card in the ATM - definitely not online...

  3. Never had a problem, and my debit card has been replaced due to fraud twice, issued by a tiny credit union. No issues, no loss. No money to get back as no money was lost. BTW, my corporate Amex has also been detected in fraudulent use twice in the past 3 years, and similarly replaced without incident. If you can't notify within two days of when you know it is missing or has been used you deserve a penalty.

    1. Well, the other thing is that I get cash-back or airline points on my credit card purchases, and nothing on debit card purchases. If there were a discount for debit card purchases, I would think about it.