
I'm doing a presentation about security/privacy on the web and I would appreciate a few hints about what you would talk about. Just general, nothing IT specific. I just wanna give a 1000 foot view on a few topics and go deeper if I see interest. People should know about the threats on the web and also not just leave defaults everywhere to allow everyone to track their every move.

Topics I have prepared so far:

  • Nothing is free. If it's "free", it makes money by gathering information about you (VERY SIMPLIFIED)
  • CSRF - Don't click everything.
  • Encryption.
  • Passwords - Just don't use the same 10 char long password on every website... Also how to make a "secure" one
  • Defaults - I have a really deep problem with this one. admin/admin is not a secure router login. Also many other defaults
  • "Smart" devices - They are not so smart when it comes to security. But they excel at tracking your every move.
  • Backup everything - We are living in the era of ransomware. Backups always come in handy and can save you a LOT of time and sometimes even money.
  • Facebook/Instagram/other sites can gather a LOT of information if you let them.
  • VPNs & Proxies (maybe even Tor)
  • Sandboxing applications
  • Antiviruses
  • A few small bits about random topics - What you delete is not actually deleted. Can be helpful if you accidentally delete something, but can be really dangerous if you think you really erased something. -- Do not use random add-ons in your browser (referring to those malicious sites using Facebook to spread) -- a few other random bits
  • App permissions on smart devices. Does a calculator really need to access your microphone?
  • PDFs/MP3s can be malicious too! Also I would refer to virustotal.com here.
  • Phishing + Social Engineering - I should've mentioned this earlier. Huge topic. Extremely powerful and sometimes even legal!
  • What to do and how to react when you've been "pWn3d". Time is everything here. You need to react.
  • 2FA

Every idea is appreciated. Simply put: how would you scare people?

ShinobiUltra
  • How would you scare people? Talk about [this](http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/) and give them a demo if possible. I feel like a lot of people aren't aware that malware is much more dangerous than just making the computer run slow or display ads. – André Borie Jan 06 '17 at 17:10
  • How many days do you have to hold that presentation? Because that looks like enough material for a week-long seminar. – Philipp Jan 06 '17 at 17:50
  • @Philipp The presentation is next Friday so I've got plenty of time to prepare. – ShinobiUltra Jan 06 '17 at 17:52
  • @ShinobiUltra No, I meant how long the presentation will be. I could fill a half hour with a 1000 foot view introduction on *each single one* of these points. I am worried that you won't be able to cram all of that content in a single presentation without dumping a complete information overload on your audience. – Philipp Jan 06 '17 at 17:54
  • @Philipp Oh sorry, I am not a native English speaker. Well, it should be 45 min max. But then there is a discussion section which can bring it up to 90 min. – ShinobiUltra Jan 06 '17 at 17:58

2 Answers


Why you should never trust a public network: A brief overview of man-in-the-middle attacks.

Why you should never trust a public network #2: Are you 100% sure that the convention center WiFi is really controlled by the convention center and not someone else who just made the SSID look like it's for the convention center?

The name on the second one could probably use a focus group.

Kats
  • Nice point! This is definitely a wide topic and is really important. Also turning on "autoconnection" is not really safe. – ShinobiUltra Jan 06 '17 at 16:49
  • This actually came from an attack I personally used before, where I actually created a compact wide-range router that used 4G for an internet connection, but actually designed custom pages of things like Facebook and Amazon that saved the username/email and password logins. I'd forward the info to the actual website so the users would actually be logged in without ever knowing their data was stolen. I never did anything illegal with the info, but just the ability to gain that information makes you aware of it. – Kats Jan 06 '17 at 16:53
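The look-alike SSID problem from the answer above, as an added example that is not part of the original post: a small Python check over a constructed Wi-Fi scan that flags access points advertising a trusted SSID from an unexpected vendor prefix, open copies of a network that is otherwise encrypted, and near-identical SSID spellings. The SSID, BSSIDs and vendor prefix are invented for the demo.

```python
"""Flag possible rogue / evil-twin access points in a Wi-Fi scan (added example)."""
import re

# Constructed sample scan rows: (ssid, bssid, security, signal_dbm).
# Real rows would come from a scan tool; every value here is invented.
SCAN = [
    ("ConventionCenter-WiFi", "a4:56:02:11:22:33", "WPA2", -61),
    ("ConventionCenter-WiFi", "a4:56:02:11:22:44", "WPA2", -67),
    ("ConventionCenter-WiFi", "02:1a:11:aa:bb:cc", "OPEN", -40),  # open copy, odd vendor
    ("ConventionCenter_WiFi", "02:1a:11:aa:bb:dd", "OPEN", -42),  # look-alike spelling
    ("CoffeeShop", "f0:9f:c2:55:66:77", "WPA2", -70),
]


def oui(bssid):
    """First three octets of a BSSID identify the hardware vendor."""
    return bssid.lower()[:8]


def normalize(ssid):
    """Collapse case and punctuation so 'Foo-WiFi' and 'foo_wifi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_suspicious(scan, trusted_ssid, trusted_ouis):
    """Return {bssid: [reasons]} for APs that advertise or imitate trusted_ssid."""
    securities = {sec for ssid, _, sec, _ in scan if ssid == trusted_ssid}
    findings = {}
    for ssid, bssid, sec, _ in scan:
        reasons = []
        if ssid == trusted_ssid:
            if oui(bssid) not in trusted_ouis:
                reasons.append("unknown vendor prefix")
            if sec == "OPEN" and len(securities) > 1:
                reasons.append("open network alongside encrypted copies")
        elif normalize(ssid) == normalize(trusted_ssid):
            reasons.append("look-alike SSID")
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    # Assumed trusted vendor prefix for the venue's real access points.
    for bssid, why in find_suspicious(SCAN, "ConventionCenter-WiFi", {"a4:56:02"}).items():
        print(bssid, "->", ", ".join(why))
```

The "trusted vendor prefix" only helps when you already know the venue's real hardware; the look-alike and open-copy checks need no prior knowledge and are the ones an attendee can reason about.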

I held a similar presentation a while ago, much less in-depth and broad, and for a mix of developers, IT pros and regular office personnel. One thing that worked really well is to present them with real-world examples they can relate to; for example showing screenshots of well-crafted ransomware phishing mails they might have already seen. Try to base your horror story of what could happen on their systems if possible; it gets much more vivid if you talk about their specific CRM than some random database which might get lost.

I also put a focus on why people actually get hacked, what the motivation of criminals is - it helps put it into perspective, because a lot of people think "why would somebody hack me?".

Otherwise your list is already pretty complete, hope you can fit it all in :)

Can you estimate who's going to sit in your audience, and what knowledge they already might have?

knipp
  • Nice points! Definitely gonna use it. Well, I'm going to talk to non-IT oriented people so I will simplify things a bit. – ShinobiUltra Jan 06 '17 at 16:59
  • I forgot I also pulled up http://map.norsecorp.com/ and https://www.shodan.io/ during the presentation to illustrate how widespread some problems are. Not super helpful, but sort of a "wow"-effect for people usually not dealing with security topics. – knipp Jan 06 '17 at 17:08