bparodi 2024-04-24 13:58:22 +02:00
parent 8993c2b88c
commit a1eecc01db
4 changed files with 82 additions and 133 deletions

BIN
img/password-hint.jpg Normal file


@ -49,39 +49,6 @@
data-separator="^--$" data-separator="^--$"
data-markdown="slides/password.md"> data-markdown="slides/password.md">
</section> </section>
<section id='passwordTest'>
<p>Vediamo quanto sei bravo/a ad inventare una password:</p>
<input type="password"
v-model='password'
@input='checkStrength'
:class="['score' + estimationScore]"/>
<button :disabled="estimationScore!==4"></button>
<p v-if='password.length>2'>
Questa password è {{score[estimationScore]}}, dopo un sequestro uno bravo
ci mette più o meno <b>{{slowCrackTime}}</b> a scoprirla,
la CIA circa <b>{{fastCrackTime}}</b>:
</p>
<li v-for="s in sequence">
<span v-if="s.pattern=='bruteforce'"> {{s.token}} forza bruta</span>
<span v-else-if="s.pattern=='dictionary'">
{{s.token}} dizionario: {{s.dictionary_name}}
{{s.reversed?'(invertita ' + s.matched_word + ')':''}}
{{s.l33t?'(con sostituzione ' + s.sub_display +')':''}}
{{s.uppercase_variations>1?'(con maiuscola)':''}}
</span>
<span v-else-if="s.pattern=='sequence'"> {{s.token}} sequenze: ({{s.sequence_name}})</span>
<span v-else-if="s.pattern=='spatial'"> {{s.token}} sequenze spaziali: ({{s.graph}})</span>
<span v-else-if="s.pattern=='repeat'"> {{s.token}} ripetizione: ({{s.base_token}})</span>
<span v-else-if="s.pattern=='date'"> {{s.token}} data {{s.day}}/{{s.month}}/{{s.year}}</span>
<span v-else-if="s.pattern=='regex'"> {{s.token}} pattern {{s.regex_name}}</span>
<span v-else> {{s}}</span>
<script src='js/moment.js'></script>
<script src='js/vue.min.js'></script>
<script src='js/zxcvbn.js'></script>
<script src='js/password.js'></script>
</section>
</section> </section>
<section> <section>
<section <section
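Review bot: removing `<section id='passwordTest'>` also removes the `<script src='js/vue.min.js'>`, `js/zxcvbn.js`, `js/moment.js` and `js/password.js` includes, but this commit touches only four files and `js/password.js` is not one of them; if that script still mounts Vue on `#passwordTest` or ships with the deck it is now dead code, so delete it (and the three vendored libraries, if nothing else loads them) in the same change rather than leaving them behind.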


@ -11,18 +11,34 @@ You can find the slides at
<p xmlns:cc="http://creativecommons.org/ns#" ><a href="https://creativecommons.org/licenses/by-nc-sa/4.0/?ref=chooser-v1" target="_blank" rel="license noopener noreferrer" style="display:inline-block;">CC BY-NC-SA 4.0</a></p> <p xmlns:cc="http://creativecommons.org/ns#" ><a href="https://creativecommons.org/licenses/by-nc-sa/4.0/?ref=chooser-v1" target="_blank" rel="license noopener noreferrer" style="display:inline-block;">CC BY-NC-SA 4.0</a></p>
</small> </small>
</footer> </footer>
Notes here
-- --
## GOAL ## Goal
- When you leave the squat, you should have a better idea of what it means to defend yourself when you have a digital presence. - When you leave the squat, you should have a better idea of what it means to defend yourself when you have a digital presence.
<br>
- The slides are meant to be used as a web resource, so there is a lot of text. I'll try not to read ¯\_(ツ)_/¯ - The slides are meant to be used as a web resource, so there is a lot of text. I'll try not to read ¯\_(ツ)_/¯
-- --
### Why
- There is no such thing as 100% protection
<br>
- There is no one size fits all solution
<br>
- Cybersecurity means mitigating the potential dangers your
online actions might create
<br>
- Techniques that are beneficial in one situation might pose risks in
another
<br>
--
### Threat model ### Threat model
You can't protect yourself from what you're not aware of. You can't protect yourself from what you're not aware of.
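Review bot: the new `### Why` slide spaces its bullets with a literal `<br>` after each item, which inserts an empty line element inside the markdown list reveal.js renders; prefer a CSS margin on `li` or the per-bullet `<!-- .element: class="fragment" -->` the other slides use, so the list still reads cleanly when the deck is used as a web resource. Wording: "Cybersecurity means mitigating the potential dangers your online actions might create" only covers risks you cause yourself, while the threat model slide that follows asks "how can I be attacked?"; "the dangers you are exposed to online" would match it.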
@ -71,21 +87,21 @@ A framework to answer the question "how can I be attacked?"
### Spoofing ### Spoofing
The act to violate **authenticity**. Examples: The act to violate **authenticity**. Examples:
- TODO - Forgery of documents
- Web phishing
IMMAGINI ORSO? - Email spoofing, the act to fake the sender
-- --
### Repudiation
TODO
--
### Tampering ### Tampering
TODO The act to violate **integrity** of data. Examples:
- Graffiti
- Man in the middle attacks
- Web defacing
- Double spending w.r.t. blockchain networks
-- --
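Review bot: "Email spoofing, the act to fake the sender" should read "the act of faking the sender address", and among the Tampering examples "Man in the middle attacks" names an attacker position rather than an integrity violation: it violates integrity only when the attacker alters the traffic (passive interception is information disclosure), so phrase it as "altering traffic from a man-in-the-middle position". Moving the `### Repudiation` slide to the end of the file breaks the S-T-R-I-D-E order the section otherwise follows; consider filling it in here instead.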
@ -93,7 +109,9 @@ TODO
The act to violate **confidentiality**. Examples: The act to violate **confidentiality**. Examples:
- TODO - Whistleblowing
- Revenge porn
-- --
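Review bot: "Whistleblowing" as an example of violating confidentiality reads oddly in a deck about defending yourself, since it is a breach only from the organisation's point of view; a leaked customer database or photos taken from a stolen phone would fit the audience, alongside "Revenge porn", which is a good example.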
@ -102,7 +120,9 @@ The act to violate **confidentiality**. Examples:
The act to violate **availability**. Examples: The act to violate **availability**. Examples:
- TODO - Denial of service attacks
- Ticket scalping
-- --
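Review bot: "Denial of service attacks" just restates the category name; a concrete instance (a website flooded with traffic, an account locked out by repeated wrong logins, files held by ransomware) tells the audience more. "Ticket scalping" is a good everyday analogy for exhausting a shared resource, so keep it.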
@ -112,6 +132,16 @@ The act to violate **availability**. Examples:
The act to violate **authorization**. Examples: The act to violate **authorization**. Examples:
- TODO - Jailbreaking
- Card cloning
-- --
### Repudiation
The act of denying or disavowing responsibility for an incident or
security breach. <br> In other words: claiming that you didn't do something
or were not responsible. Examples:
- Cooking the books
- Deleting log entries
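Review bot: "Card cloning" sits under Elevation of privilege but it is impersonation of the cardholder, i.e. Spoofing; an app escaping its sandbox or a normal user account obtaining admin rights would fit this slide next to "Jailbreaking". In the new `### Repudiation` slide, "Cooking the books" is Tampering with records, while "Deleting log entries" is the right example since it removes the evidence that lets an action be attributed; also drop the inline `<br>` in the definition sentence, the other STRIDE definitions do not use one.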


@ -5,127 +5,79 @@ data-background="https://ak7.picdn.net/shutterstock/videos/25863227/thumb/5.jpg"
## The basics: passwords ## The basics: passwords
Le password sono la prima barriera di accesso a dati che vogliamo tenere Passwords are the first barrier to accessing data that we want to keep to ourselves.
per noi.
Le usiamo leggere la posta, per ritirare al bancomat (pin), per entrare nel We use them to read our email, to withdraw cash at the ATM (PIN), to log into our computer, and to access the thousands of digital services we use.
computer e nei mille servizi digitali a cui accediamo.
-- --
### Ma... Non siamo bravi a scegliere delle buone password
- <!-- .element: class="fragment" --> E' la password di gmail? <span> ![](/img/password-hint.jpg)
ci mettiamo `gmail` <!-- .element: class="red" --> in mezzo</span> <!--
.element: class="fragment" -->
- <!-- .element: class="fragment" --> Usiamo concetti ricordabili <span>
date di nascita, nomi di amic\*/compagn\*</span> <!-- .element: class="fragment" -->
- <!-- .element: class="fragment" --> Riusiamo la stessa password in
molti posti.
<br/> In pratica scegliamo password facilmente indovinabili. <!--
.element: class="fragment" -->
-- - <!-- .element: class="fragment" --> It's the gmail password ➜
**gmailpassword**
Spinti a migliorare le nostre password - <!-- .element: class="fragment" --> At least one capital letter ➜
**Gmailpassword**
![img/passhint.png](./img/password-requisiti.png) - <!-- .element: class="fragment" --> At least one number ➜
**Gmailpassword1**
-- - <!-- .element: class="fragment" --> At least one symbol ➜
**Gmailpassword1!**
scegliamo le soluzioni piu' semplici e prevedibili
- <!-- .element: class="fragment" --> e' la password di facebook ➜
**facebookpassword**
- <!-- .element: class="fragment" --> inserisci almeno una maiuscola ➜
**Facebookpassword**
- <!-- .element: class="fragment" --> inserisci almeno un numero ➜
**Facebookpassword1**
- <!-- .element: class="fragment" --> inserisci almeno un simbolo ➜
**Facebookpassword1!**
notes: Sono tutti schemi facilmente immaginabili. notes: Sono tutti schemi facilmente immaginabili.
-- --
### Ma soprattutto.. ### People are predictable
Usiamo la stessa password per più siti/servizi - Statistically some words are used more ofter
- We tend to use words that are connected to the website
- In the worst scenario, the password is reused
<!-- .element: class="fragment" -->
![scimmia](./img/scimmia.jpg) <!-- .element: class="fragment" --> notes: ![scimmia](./img/scimmia.jpg)
chiedere perche' e' un problema.... <!-- .element: class="fragment" -->
notes: chiedere perche' e' un problema....
-- --
### Orrore!
<!-- .element: class="fragment" --> i dipendenti di ogni servizio hanno ### Mamma Mia!
accesso ad ogni altro servizio! [Have I been PWNed](https://haveibeenpwned.com) gives an overview of **known** website breaches and contains millions of leaked passwords.
<!-- .element: class="fragment" --> quando (non se) uno dei servizi viene - On average, since 2013, a website is breached every ten days
bucato, gente a caso ha accesso ad ogni vostro servizio (succede un giorno - `123456` and `password` are the most common passwords
si e l'altro pure). - there are a few recurrent schemas
- most accounts share passwords between websites
<!-- .element: class="fragment" --> E' talmente diffusa la cosa che mozilla
ha un servizio per fare un check ➜
[monitor.firefox.com](https://monitor.firefox.com)
--
### Leak
Negli ultimi anni sono stati bucati tanti servizi e milioni di password
sono diventate pubbliche (leak) permettendo di farci ricerca sopra e si, le
password piu' usate sono `123456` e `password`, gli schemi usati sono
drammaticamente ricorrenti e la maggior parte delle persone riusa le
password in piu' servizi.
Una lista di servizi la cui compromissione è pubblica è
[qui](https://haveibeenpwned.com/PwnedWebsites). Un posto dove poter
studiare le statistiche
-- --
### Password Cracking ### Password Cracking
Esistono programmi e servizi che tentano ripetutamente password basandosi There are programs and services that repeatedly attempt passwords based on our predictability, commonly relying on dictionaries to which rules are applied.
sulla nostra prevedibilità e si basano comunemente su dizionari a cui
vengono applicate delle regole (permutazioni, aggiunte di
prefissi/suffissi, cambio di caratteri comuni, maiuscole/minuscole).
Considerate che i file dizionario in attacchi mirati vengono creati ad-hoc Note that in targeted attacks, dictionary files are created ad-hoc, taking all the digital material of the target into consideration.
prendendo tutto il material digitale del target. notes: Mostrare un
piccolo esempio di `hashcat` (da preparare)
-- --
### E quindi?
Se non siamo capaci a fare qualcosa, cerchiamo qualcuno in grado di farlo.
--
### Password manager ### Password manager
Usiamo i password manager. Generate random, hard to gues and crack passwords, unique for every website.
You need to remember a single password to access the manager.
Sono dei programmi che generano e si ricordano delle password sicure, in
cambio di una sola master password (passphrase).
notes: spiegare master password, che e' possibile fare piu' liste di notes: spiegare master password, che e' possibile fare piu' liste di
password, suggerire buone pratiche. password, suggerire buone pratiche.
-- --
### E la master password? Per le poche passphrase che non possiamo salvare ### What about the master password?
usiamo i seguenti accorgimenti: - Never share it
- Never write it down
- Use at least 4 common words, think of an image or story to memorize the password
- mai riusare una passphrase (dai te ne devi ricordare massimo 4, stacce) ![](https://imgs.xkcd.com/comics/password_strength.png)
- mai condividere una passphrase (no no no e no) <!-- .element: class="fragment" -->
- mai scrivere una passphrase (a parte se sai quello che stai facendo)
- usa 4 parole a caso (veramente a caso) e costruiscici una storia sopra
per ricordarle.
notes: il `4` del primo punto e' un numero a caso. esempio live di scelta
passphrase.
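Review bot: `![](/img/password-hint.jpg)` uses an absolute path while the other image in this file uses a relative one (`./img/scimmia.jpg`); the absolute form breaks as soon as the deck is served from a sub-path, so use `./img/password-hint.jpg`. Typos in the new text: "gues" should be "guess", "more ofter" should be "more often", and the service is spelled "Have I Been Pwned". "On average, since 2013, a website is breached every ten days" needs a source on the slide; if it is derived from the HIBP breach list, link that page. The translation also drops two useful parts of the Italian: "Never write it down" lost the qualifier "unless you know what you are doing" (a paper backup kept in a safe place is common advice for a master password, so keep it), and the speaker note about showing a small `hashcat` example was removed rather than translated. Finally, the xkcd comic is hot-linked from imgs.xkcd.com; vendor it under `img/` like the other images so the deck works offline.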