Big Idea 5.6 Safe Computing

Banner

Personal Identifiable Information (PII)

Personal Identifiable Information or PII is a type of information that is specific to you. For example, your age or race would be an example but something like your favorite cat isn’t (Will insists your diet is a PII but it’s not).

There are times when we want to post our PII online. For example, you would want to upload it to your job profile or a site like LinkedIn because you want people to see it. However, be careful where you upload this data. It will be known by everyone since it’s public.

Some things that you should be cautious about to upload (gray area) would be:

  • Birth date
  • Place of birth
  • Address
  • Phone number
  • Maiden names
  • Drivers License Number

There are things, however, that you will most likely have to upload publicly OR can be found with a quick search. For example:

  • Name
  • Date of Birth
  • SSN
  • Bank Account info
  • Email
  • Picture
  • What high school you attended
  • What college you went to
  • Properties you own
  • State/City of residence
  • Previous residence

You could upload this online (some you have to. Ex: home address for Amazon) but be careful where you upload it. You don’t want to post your mother’s maiden name on social media.

Things that you should keep confidential would be:

  • Private credentials for accounts and what-not
  • Two-factor authentication
  • This is common for sensitive things like financial data
  • Social security numbers
  • Tax records
  • Medical information
  • Financial data

Most if not all financial and government documents should be kept private. However, there will be times when you need to share this. For example, if you are applying for a RealID (form of identification), you will need to submit your social security number.

POPCORN HACK 1:

How do you decide what personal information to share online and what to keep confidential?

Beware, Establish practices for your own Safety

Authentication

Authentication measures protect devices and information from unauthorized access.

Strong Passwords

The easier the password is to guess, the easier it is to make a mess. Strong passwords:

  • 10 or more characters
  • Must contain a symbol
  • Must contain a number
  • Must contain lowercase and uppercase letters
  • Avoid dictionary words/things known about you (ex. “Password”, “123456”, your birthday, your name, your pet’s name, etc.) The above are things hackers can look for while guessing your password

    Types of Authentication

  • What the user knows (ex. passwords, answers to security questions, etc.)
  • What you are (ex. biometric data like eye scan, palm print, thumbprint, etc.)
  • What you have (ex. keycards, etc.)

    Multi-factor Authentication

    When one or more of these authentication measures are used, it is considered multi-factor authentication.

Precautions

POPCORN HACK 2:

How can multi-factor authentication enhance security?

Nefarious Uses of Internet

Virus and Malware

Virus

They try to trick you into clicking a link and may try to scare you or lure you with the promise of something like money. The link could cause unexpected harm. They may install a virus or keylogger on your computer. A keylogger records keystrokes made by the user which can be used to get credentials. They could also turn your computer into a rogue access point or a fake wireless network which can be used to infect other computers.

Factors to Increase Security of System

Encryption is a good way to increase security of a system.

“Alice and Bob”

Alice wants to send an encrypted message to her friend Bob. With symmetric key encryption, the following process ensues:
Alice and Bob Symmetric

Pretty simple, right! You know what else is simple? Trying to share the encryption/decryption key without letting anyone else know. Enter: Asymmetric Encryption

Bob Public Alice Public

POPCORN HACK 3:

What are the key differences between symmetric and asymmetric encryption?

SSL/TLS

Uses a Certificate Authority(CA) to generate a signed certificate that proves the server’s legitamacy.

CA Diagram

Authentication: SSL/TLS certificates ensure the identity of the server and sometimes the client. They contain information about the entity they are issued to, including the domain name and public key.

Encryption: SSL/TLS certificates facilitate encrypted communication between the client and server. They enable the encryption of data transmitted over the internet, preventing eavesdropping and unauthorized access.

Certificate Authorities (CAs): CAs issue SSL/TLS certificates after verifying the identity of the certificate requester. They act as trusted third parties that sign and validate the authenticity of certificates.

Public and Private Keys: SSL/TLS certificates use asymmetric encryption, involving a public key to encrypt data and a private key to decrypt it. The public key is embedded in the certificate while the corresponding private key is securely held by the server.

Handshake Protocol: When a client connects to a server, they engage in a handshake protocol to establish a secure connection. This involves agreeing on encryption algorithms, exchanging keys, and verifying the authenticity of the certificates.

Expiration and Renewal: SSL/TLS certificates have a validity period. They need to be periodically renewed to maintain secure communication. Expired certificates can disrupt services and pose security risks.

HTTPS: SSL/TLS certificates are commonly used in web browsers to enable HTTPS connections. They signal a secure connection, ensuring data integrity, confidentiality, and authenticity between the web server and the user’s browser.

Firewall and antivirus Firewall and antivirus software is a really good and easy way to protect your computer. Pretty much all computers come with this software and are enabled as a default. Just make sure to not disable it!

Homework

  1. Describe PII you have seen on a project in CompSci Principles.

A PII I have seen in a project in Comp Sci Principles is on Advik Garg’s student notebook, the cover page is a photo of his face, which is personal to him.

  1. Describe good and bad passwords? What is another step that is used to assist in authentication? A good password is a string of text that has multiple characters, random symbols, numbers, and are strings that are random in nature as to avoid brute force attacks. A bad password is a simple string that usually is a dictionary word or a simple guessable phrase

Another step used is Two Factor Authentication Two Factor Authentication is another form of protection that asks not only for a password but a code recieved from a phone number

  1. Try to describe Symmetric and Asymmetric encryption.

Symmetric encryption is a simple encryption algorithm that changes the string using a key and uses the same key to revert the encryption.

Assymetric encryption revolves the idea of keys. A public key is used to encrypt ones data, however the recipient has a “private” key that only they can use to decrypt the data. This effectively makes it impossible for any one else to decrypt someone elses message.

  1. Provide an example of encryption we used in AWS deployment.

An example of encryption used in AWS deployment was DNS queries as we sent HTTP requests to and from the backend to get data, and that data is typically encrypted in DNS and AWS

  1. Create a python script that lets the user input a password that is checked by the program
    BONUS: Use online wordlists to compare the password, preventing dictionary attacks
# Code Here for Q5
import urllib.request
import re
pw = input()
word_site = "http://www.instructables.com/files/orig/FLU/YE8L/H82UHPR8/FLUYE8LH82UHPR8.txt"
request = urllib.request.Request(word_site)
response = urllib.request.urlopen(request)
txt = response.read().decode('utf-8')
WORDS = txt.splitlines()
regex = re.compile('[@_!#$%^&*()<>?/\|}{~:]')

if(pw in WORDS):
    print("Please don't use a dictionary password")
if(len(pw) < 10):
    print("Password must be atleast 10 characters")
if(regex.search(pw) == None):
    print("Password needs special characters")
if(pw.lower() == pw or pw.upper() == pw):
    print("Please use a lowercase and uppercase character")