1. Personal Internet Security
Practices
Brian Pichman
Twitter: @Bpichman

3. Agenda
• Understanding Anonymity, Privacy, and Everything in Between
• Protecting Yourself
• Getting Hacked
• Protecting Your Environment

5. Tools For Anonymity
Making yourself more “invisible”

6. Onion Routing, Tor Browsing
• Technique for anonymous communication to take place over a network.
The encryption takes place at three different times:
• Entry Node
• Relay Node
• Exit Node
• Tor is made up of volunteers running relay servers. No single router knows
the entire network (only its to and from).
• Tor can bypass internet content filtering, restricted government networks
(like China) or allow people to be anonymous whistle blowers.
• Tor allows you to gain access to “.onion” websites that are not accessible
via a normal web browser.
• Communication on the Dark Web happens, via Web, Telnet, IRC, and other
means of communication being developed daily.

7. Cloak of Invisibility
Top reasons why people want to hide their IP address:
1. Hide their geographical location
2. Prevent Web tracking
3. Avoid leaving a digital footprint
4. Bypass any bans or blacklisting of their IP address
5. Perform illegal acts without being detected

8. Cloak of Invisibility
How do you Hide an 800lb Gorilla?
• Use Free Wifi (To Hide your location)
• Use a Secure Web Browser
• Use a Private VPN
• Go back to Dial-up
• Setup RF Data Transfer over CB Radio
Waves
• Use Kali linux to hack someone else’s
Wifi Encryption.
• Setup long-range Wireless Antennas

9. Cloak of Invisibility
• How to hide yourself?
• Private VPN
• You want a TOTALLY anonymous service.
• Look for one that keeps no log history (Verify via reviews)
• Look at Bandwidth & Available Servers
• Recommendations:
• Private Internet Access (PIA)
• TorGuard VPN
• Pure VPN
• Opera Web Browser
• Avast AntiVirus (SecureLine)
• Worst Case: Free WIFI

10. Normal Users and How They Appear:

11. VPN Protected Users

12. Cloak of Invisibility
• How Tor anonymizes – “You”.
• How VPN keeps ”You” protected.

13. Understanding Free Wifi
• Sometimes a good alternative if
you need to do something
anonymously
• Nothing is ever 100% anonymous
• Some public wifi does track
websites you access, what you
do, etc.
• Make sure your computer name
you are using doesn’t include your
actual name

15. Hacked WiFi – Cain and Abel

16. Best Tips and Practices For Connecting Privately
Do
• Use a device that you’ve never
signed into anything ”personal
on”.
• Pro Tip: buy a computer from a
Pawn Shop or Garage Sale
• If using public WiFi; don’t make
purchases with a credit card.
Don’t
• While on a VPN or any other
anonymous tool; don’t sign into
personal accounts (banks, social
media, etc).
• If posting, don’t use anything
that could be associated to you

17. Easy Wins for Privacy
• 10 Minute Email
• https://10minutemail.com/
• Temporarily get an email box that’s anonymous and disappears after 10
minutes
• Dr Cleaner (Mac) or Eraser (Win) can overwrite files on your
computer with “blank” data to make file recovery near impossible.
• Tools like Recuva is free softwares to allow you to restore deleted files.

18. Protecting Yourself

19. You
• Sites to protect yourself all the time (not free)
• IdentiyGuard.com
• LifeLock.com
• Sites to monitor when breached data gets related (this is free)
• Haveibeenpwned.com
• Password Management Sites (like lastpass.com)
• Don’t have the same password for all your sites.
• Don’t write your passwords down on a post-it-note and leave it at your desk

22. Google Isn’t Always Your Friend

23. Dual Factor Authentication
• After logging in; verify login via Email, SMS, or an app with a code.

24. Credit Card Tools for Online Shopping
• Check out Privacy.Com
• https://privacy.com/join/473XB
shameless plug

25. Random Tips and Tricks
• Accept only people you know to personal and professional accounts
• Never click on links from people you don’t know.
• Especially if they are using a url shortner: bit.ly, tinyurl.com, etc
• https://www.urlvoid.com/ - test the website to see if its safe
• https://snapito.com/ gets a screenshot of what will load on the site
• If there are people claiming to be you on social media, it’s best to get
your account “verified” on those social media platforms
• This lets users distinguish that you’re the actual official account
• Dual factor authenticate all of your social media logins

26. More Sources
• https://www.reddit.com/r/deepweb/
• DuckDuckGo.Com doesn’t track searches
• Also lets you search of .onion sites when using TorBrowser to access.

28. Myths
• I’m not worth being attacked.
• Hackers won’t guess my password.
• I/we have anti-virus software.
• I’ll/we know if I/we been compromised.

29. Understanding Breaches and Hacks
• A hack involves a person or group to gain authorized access to a
protected computer or network
• A breach typically indicates a release of confidential data (including
those done by accident)

32. The Costs Of Breaches
• This year’s study found the average consolidated total cost of a data breach
is 3.9 million dollars and in the US the average is actually higher at 8.19
million.
[IBM 2019
http://www-03.ibm.com/security/data-breach/]
• Data Breached Companies Experience…
• People loose faith in your brand
• Loss in patrons
• Financial Costs
• Government Requirements,
Penalties, Fees, etc.
• Sending of Notifications
• Payment of Identity Protection or
repercussions.
https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/

34. Protecting Your Home
You home
threats
Data and Information

35. Why do People Attack?
• Financial Gain
• Stocks
• Getting Paid
• Selling of information
• Data Theft
• For a single person
• For a bundle of people
• Just Because
• Malicious

36. https://www.experian.com/blogs/ask-experian/heres-how-
much-your-personal-information-is-selling-for-on-the-dark-
web/

37. Outside
• Modem Router Firewall
Switches
• Servers
End User
• Phones
• Computers
• Laptops

38. Outer Defenses (Routers/Firewalls)
• Site to Site Protection (Router to
Router or Firewall to Firewall)
• Encrypted over a VPN Connection
• Protection With:
• IDS
• IPS
• Web filtering
• Antivirus at Web Level
• Protecting INBOUND and OUTBOUND

39. Unified Threat Management
• Single Device Security
• All traffic is routed through a unified
threat management device.

40. Areas of Attack On Outer Defense
External Facing Applications
• Anything with an “External IP”
• NAT, ONE to ONE, etc.
• Website
• Custom Built Web Applications
or Services
Internal Applications
• File Shares
• Active Directory (usernames /
passwords)
• Patron Records
• DNS Routing
• Outbound Network Traffic
• Who is going where

41. Attacks
• Man in the Middle
• Sitting between a conversation and either listening or altering the data as its sent
across.
• DNS Spoofing (https://null-byte.wonderhowto.com/how-to/hack-like-pro-spoof-dns-
lan-redirect-traffic-your-fake-website-0151620/) set up a fake website and let people
login to it.
• D/DoS Attack (Distributed/Denial of Service Attack)
• Directing a large amount of traffic to disrupt service to a particular box or an entire
network.
• Could be done via sending bad traffic or data
• That device can be brought down to an unrecoverable state to disrupt business
operations.
• Sniffing Attacks
• Monitoring of data and traffic to determine what people are doing.

43. Inner Defenses (Switches/Server Configs)
• Protecting Internal Traffic,
Outbound Traffic, and Inbound
Traffic
• Internal Traffic = device to device
• Servers
• Printers
• Computers
• Protected By:
• Software Configurations
• Group Policy
• Password Policy
• Hardware Configurations
• Routing Rules

44. So…What Can You Do With Just This:

45. Updates, Patches, Firmware
• Keeping your system updated is important.
• Being on the latest and greatest
[software/update/firmware] isn’t always
good – but security updates are usually key
and super important.

46. Passwords
• Let’s talk about Passwords
• Length of Password
• Complexity of password
requirements
• DO NOT USE POST IT NOTES

50. Open DNS
• https://www.opendns.com/home-internet-security/

51. Setting It Up
• It’s simple, you will just want to update your router’s DNS entry
(or if you wanted, you can do this directly on the device you wish to
protect)
• 208.67.222.123
• 208.67.220.123

52. Your Wireless Router
• Have your wireless connection protected by a password to join
• Have your wireless password interface ALSO protect with a password
(that isn’t the default password either)

53. Other Tools To Protect The Computer

54. Microsoft
https://account.microsoft.com/family/about

55. Apple
https://support.apple.com/guide/mac-help/set-up-parental-controls-mtusr004/10.14/mac/10.14
https://www.apple.com/families/

56. Google Accounts for Kids
• https://support.google.com/families/answer/7103338?hl=en

57. Qustodio
https://www.qustodio.com/en/family/why-qustodio/

58. Understanding Wireless Encryption
• Open (risky): Open Wi-Fi networks have no passphrase. You shouldn’t set up an open Wi-Fi network—
• WEP 64 (risky): The old WEP protocol standard is vulnerable and you really shouldn’t use it.
• WEP 128 (risky): This is WEP, but with a larger encryption key size. It isn’t really any less vulnerable than
WEP 64.
• WPA-PSK (TKIP): This uses the original version of the WPA protocol (essentially WPA1). It has been
superseded by WPA2 and isn’t secure.
• WPA-PSK (AES): This uses the original WPA protocol, but replaces TKIP with the more modern AES
encryption. It’s offered as a stopgap, but devices that support AES will almost always support WPA2, while
devices that require WPA will almost never support AES encryption. So, this option makes little sense.
• WPA2-PSK (TKIP): This uses the modern WPA2 standard with older TKIP encryption. This isn’t secure, and is
only a good idea if you have older devices that can’t connect to a WPA2-PSK (AES) network.
• WPA2-PSK (AES): This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the
latest AES encryption protocol. You should be using this option. On some devices, you’ll just see the option
“WPA2” or “WPA2-PSK.” If you do, it will probably just use AES, as that’s a common-sense choice.
• WPAWPA2-PSK (TKIP/AES): Some devices offer—and even recommend—this mixed-mode option. This
option enables both WPA and WPA2, with both TKIP and AES. This provides maximum compatibility with any
ancient devices you might have, but also allows an attacker to breach your network by cracking the more
vulnerable WPA and TKIP protocols.
https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both

59. What’s the “Guest” Network On My Router
• You can set up a “Guest” network for when people come over, you
can have your network segmented out so they can’t see the other
content/devices in your home:
• Shared Photos and Files on a Personal Computer
• Access to GoogleHome / Apple TV / etc

60. General Browsing Rules

61. What does HTTPS Do?
• HTTPS verifies the identity of a website and encrypts nearly all
information sent between the website and the user.
• Protected information includes cookies, user agent details, URL paths,
form submissions, and query string parameters.
• HTTPS is a combination of HTTP and Transport Layer Security (TLS).
• Browsers and other HTTPS clients are configured to trust a set
of certificate authorities that can issue cryptographically signed
certificates on behalf of web service owners.

62. What Doesn’t HTTPS Do?
• HTTPS has several important limitations.
• IP addresses and destination domain names are not encrypted.
• Even encrypted traffic can reveal some information indirectly, such as time
spent on site, or the size of requested resources or submitted information.
• HTTPS only guarantees the integrity of the connection between two systems,
not the systems themselves.
• It is not designed to protect a web server from being hacked.
• If a user’s system is compromised by an attacker, that system can be altered
so that its future HTTPS connections are under the attacker’s control.

63. Why HTTPS?
• Prevents Hackers from watching what you
do over the Internet
• Encrypts Data
• Keeps stuff private
• Keeps you safe
• Prevents people from tracking your
internet activity
• Unencrypted HTTP request reveals
information about a user’s behavior.
The HTTP protocol does not protect data from interception or alteration.

64. Your Security is as Strong As the Weakest Link

65. Learn and Practice Cybersecurity
• Learn to identify a scam email
• Understanding the “fake” Facebook friends
• Being careful of links you don’t recognize through email, search, or
posts on social media.
• Take webinars and free classes to learn about these things – have
honest and open conversations

66. • Evolve Project
• https://www.linkedin.com/in/bpichman
• Twitter: @bpichman
• Email: bpichman@evolveproject.org
• Slideshare.net/bpichman
Brian Pichman
Questions?