Slides from my Third Tuesday Vancouver talk "Practical Privacy and Security for Marketing Professionals"

1. Practical Privacy & Security
for Marketing Professionals
Tris Hussey, Community Manager, eCrypt
Technologies

2. Most of us don’t take online
security seriously
There are lot’s of other people out there
It won’t (or isn’t likely to) happen to me
How risky is it, really?

3. Cyber Crime Is Growing
It’s where the money is
Easy to get lots of information quickly
Borderless and no geographic constraints
Low cost of of entry
Easy to learn

4. Tonight’s Take-aways
Safer browsing
Better passwords
Secure email
Keeping security top of mind for you and your clients

5. Terms
SSL
WPA, WPA2, WEP
AES128/AES256
Sidejacking
Packet sniffer
Brute force attack
Social engineering

6. Safer browsing
Open WiFi is not safe
Period.
Firesheep only drew attention to existing flaws
“Just browsing” can expose your Facebook & Twitter logins
Assume that when on open WiFi you’re being snooped on.

7. Scary example time
This afternoon at a favourite coffee place...

8. While having my coffee...

9. While having my coffee...
And working on this presentation

10. While having my coffee...
And working on this presentation
I captured some packets

11. While having my coffee...
And working on this presentation
I captured some packets
Did some fleecing

12. While having my coffee...
And working on this presentation
I captured some packets
Did some fleecing
Got a few passwords

13. While having my coffee...
And working on this presentation
I captured some packets
Did some fleecing
Got a few passwords
Wanna see?

17. Simple Solutions
Don’t use unlocked WiFi if you can help it
Set Facebook to always use SSL
Force SSL/HTTPS connections to Facebook, Twitter, etc.
Extensions for Chrome, Firefox, IE, and Safari
Use your smartphone to connect to the Internet instead of
WiFi

18. What about Hotspot VPNs?
I’ve had mixed results with free ones
Bandwidth caps
Poor performance
Not sure about paying for a VPN for casual use
For the geeky among us...
Gina Tripani’s SSH proxy tunnel trick: http://tris.me/
sshsocks

19. Facebook
Set Facebook to always
use SSL
Under “My Account”

20. Facebook
Set Facebook to always
use SSL
Under “My Account”
Check Facebook Privacy
Settings for changes

21. Foursquare & Location
Who are your “friends” on these services?
What should you share?
When should you share it?
Are we being careful enough?

22. What we share says a lot
Sarah Palin’s Yahoo was hacked using publicly available
information to guess her “secret questions”
Who you are meeting with can reveal strategies
It’s more than a tweet or a status update.

23. Passwords
Good passwords are essential to online security
A weak password jeopardizes an entire company
Example: Twitter hack of 2010. One weak password let a
someone get to much more sensitive passwords

24. Passwords
Don’t reuse passwords for multiple services
Yes, it sucks to have to remember them
A password manager like 1Password or LastPass makes it easier
Passwords should be:
At least 8-10 characters long
Use UpPer aNd loWer casE letTErs
Us3 nuMb3rS
U$3 $YmB0l$!

25. How to create a good
password
Think phrases, not words
Use substitutions
Use random passwords

26. Password example

27. Password example
Have pizza for dinner

28. Password example
Have pizza for dinner
havepizzafordinner

29. Password example
Have pizza for dinner
havepizzafordinner
H@v3p1zz@forDinn3r

30. Password example
Have pizza for dinner
havepizzafordinner
H@v3p1zz@forDinn3r
H@v3p1zz@4Dinn3r

31. Password example
Have pizza for dinner
havepizzafordinner
H@v3p1zz@forDinn3r
H@v3p1zz@4Dinn3r
H@v3p1zz@4Dinn3r!

32. Password example
Have pizza for dinner
havepizzafordinner
H@v3p1zz@forDinn3r
H@v3p1zz@4Dinn3r
H@v3p1zz@4Dinn3r!
H@v3p1zz@4Dinn3R!

33. How safe is that?
According to howsecureismypassword.net
It would take 9 quadrillion years for a desktop PC to crack it.

34. Standard email is insecure
It’s the electronic equivalent of mailing a postcard
Yes, many services secure your connection with SSL
But the messages are stored in plain text
IT has access to the servers
And your messages

35. Encrypting email hasn’t been
easy
PGP is no fun to use
BES isn’t as secure as you think
Once email leaves your BES it’s plain text again
BIS? Nothing.
Commercial solutions are expensive
Getting people to use email encryption is like asking bloggers
to turn down freebies

36. Why it’s essential
More and more sensitive business is done over email
Contracts
Strategic plans
Marketing tactics
Private conversations
Financial information

37. When was the last time...
You mailed a contract on a postcard?
Had a bill that didn’t come in an envelope?

38. When was the last time...
You emailed a contract to someone?
You emailed financial information to your accountant?
You discussed strategies with clients over email?

39. eCrypt.me is a solution for
secure email
Easy, web-based secure, encrypted email
Free during the beta. Sign up at https://www.eCrypt.me/

40. eCrypt.me

41. eCrypt.me

42. eCrypt.me

43. eCrypt.me

44. eCrypt.me
https://www.eCrypt.me/

45. Privacy, Security, & Your
Clients
What information are you asking users to provide?
Do you really need their birthday?
Gender?
How are you storing that information?
There are rules you know

46. Storing data
What is stored in the clear on your laptop?
Should you encrypt everything?
It’s all about control.

47. Whole disk encryption
If I told you, I’d have to kill you
Forget your password
And you’re hooped
Try encrypted partitions for some files:
Knox (commercial - Mac)
TrueCrypt (open source)

48. Don’t forget backups!
Part of security is disaster recovery
Options
TimeMachine
Carbonite
Mozy
Crashplan (my fav)
Dropbox (my Dept of Redundancy Bureau)

49. Questions?
Thank you!
Contact info:
tris@ecryptinc.com
Twitter: trishussey and ecrypt
http://yourprivacyisourbusiness.com/