Big Idea 5.6 Safe Computing
Personally Identifiable Information (PII)
Personally Identifiable Information, or PII, is information that is specific to you and can be used to identify you. For example, your age or race counts, but something like your favorite cat does not (Will insists your diet is PII, but it isn't).
There are times when we want to post our PII online. For example, you would upload it to a job profile or a site like LinkedIn because you want people to see it. But be careful where you upload this data: once it is public, assume everyone can see it, including people who would use it against you.
Some things you should be cautious about uploading (gray area) would be:
- Birth date
- Place of birth
- Address
- Phone number
- Maiden names
- Driver's license number
There are also things that are often public anyway, either because you have to post them (your name on a job profile) or because they can be found with a quick search of social media and public records. For example:
- Name
- Picture
- What high school you attended
- What college you went to
- Properties you own (property records are public)
- State/City of residence
- Previous residences
You could upload these online (some you have to, e.g. your home address for Amazon), but be careful where you upload them. You don't want to post your mother's maiden name on social media: it is one of the most common security-question answers, and an attacker who collects enough of these "harmless" facts can answer your account-recovery questions for you.
Things that you should keep confidential would be:
- Private credentials for accounts and what-not (passwords, API keys, recovery codes)
- Two-factor authentication codes and backup codes
- These are commonly required for sensitive things like financial accounts, and anyone who has them can complete the second step of your login
- Social security numbers
- Tax records
- Medical information
- Financial data
Most if not all financial and government documents should be kept private. However, there will be times when you need to share them. For example, if you are applying for a REAL ID (a form of identification), you will need to submit your social security number.
POPCORN HACK 1:
How do you decide what personal information to share online and what to keep confidential?
- What they might use it for, their credibility, etc. Think about why they want it and what they will use it for.
Beware, Establish practices for your own Safety
Authentication
Authentication measures protect devices and information from unauthorized access.
Strong Passwords
The easier the password is to guess, the easier it is to make a mess. Strong passwords:
- 10 or more characters
- Must contain a symbol
- Must contain a number
- Must contain lowercase and uppercase letters
- Avoid dictionary words and things known about you (ex. "Password", "123456", your birthday, your name, your pet's name, etc.). These are the first things attackers try when guessing your password.
Types of Authentication
- What you know (ex. passwords, answers to security questions, etc.)
- What you are (ex. biometric data like an eye scan, palm print, thumbprint, etc.)
- What you have (ex. keycards, a phone with an authenticator app, a hardware security key, etc.)
Multi-factor Authentication
When two or more of these factors from different categories are required to log in, it is considered multi-factor authentication. Two passwords are not multi-factor; a password plus a one-time code from your phone is.
Precautions
- Run virus scans to help prevent malicious code from getting into and affecting your system.
- Keeping the operating system and other software up to date can also fix errors that would allow a virus or malware to compromise a system.
POPCORN HACK 2:
How can multi-factor authentication enhance security?
- Multiple pieces of information needed to access something, so attacker needs to break/crack multiple things to get access
Nefarious Uses of the Internet
Virus and Malware
Virus
- A virus is a malicious program that copies itself into other programs or files and spreads to systems it is not supposed to be in.
- Once running, a virus can open the door to unauthorized access, for example by modifying the operating system to accept any user without authentication.
Malware
- Malware (malicious software) is the umbrella term; a virus is one kind. Malware is often intended to damage a computing system or take partial control over its operation.
- It infiltrates a system by posing as a legitimate program or by attaching itself to a legitimate one, like an email attachment.
- Email attachments are a common delivery method: the message asks you to open the attachment, and opening it starts the process of installing the malware on your computer.
Phishing: Phishing is an attempt to trick a user into providing personal information (PII) or credentials through social manipulation. Phishing emails look like they're from a trusted source. They may appear to be from a bank, a credit card company, or a store. They could also be from a Nigerian prince or a fish who is phishing.
They try to trick you into clicking a link, and may try to scare you (your account is locked!) or lure you with the promise of something like money. The link text can say one thing while the actual address goes somewhere else, and the destination can install a virus or a keylogger on your computer. A keylogger records the keystrokes made by the user, which can be used to steal credentials. Malware delivered this way can also turn your computer into a rogue access point, a fake wireless network used to infect other computers.
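Some of the warning signs above can be checked mechanically. The following is an added example, not code from the original page: it extracts every link from an email's HTML and flags the classic phishing tells, namely link text that shows one domain while the href goes to another, a bare IP address, a punycode (look-alike character) domain, and plain HTTP. The sample email and its links are constructed for the demo; the `198.51.100.7` address is from the documentation-reserved range and the bank domain is fictional.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): one legitimate link and two phishing-style links.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Log in at <a href="https://www.examplebank.com/login">examplebank.com</a> to review it.</p>
<p>Or verify here: <a href="http://198.51.100.7/examplebank/login">www.examplebank.com</a></p>
<p>Claim your prize: <a href="https://xn--exmplebank-8za.com/claim">Click here</a></p>
"""

# Something that looks like a domain name inside the visible link text, e.g. "www.examplebank.com"
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a> matters
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(link_host: str, shown_host: str) -> bool:
    """True if the host the link really goes to is the shown domain or a subdomain of it (or vice versa)."""
    link_host, shown_host = link_host.lower(), shown_host.lower()
    return (link_host == shown_host
            or link_host.endswith("." + shown_host)
            or shown_host.endswith("." + link_host))


def suspicious_reasons(href: str, text: str) -> list:
    """Return the list of phishing tells for one link; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    shown = DOMAIN_RE.search(text)
    if shown and not same_site(host, shown.group(0)):
        reasons.append(f"link text says {shown.group(0)} but the link goes to {host}")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("link goes to a bare IP address instead of a domain name")
    if "xn--" in host:
        reasons.append("punycode (look-alike characters) in the domain name")
    if parsed.scheme != "https":
        reasons.append(f"not HTTPS (scheme is {parsed.scheme or 'missing'})")
    return reasons


def scan_email(html: str) -> list:
    """Return [(href, text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, suspicious_reasons(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        verdict = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"[{text}] -> {href}\n    {verdict}")
```

These heuristics are a filter, not a verdict: a legitimate newsletter can link through a tracking domain, and a careful phisher can register a plausible HTTPS domain. The habit that survives both is the one the text gives: don't click, go to the site yourself.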
Factors to Increase Security of System
Encryption is a good way to increase the security of a system.
- Passwords vs. keys: A password is something a person types to log in to or unlock an account, while a key is a (usually random) value a program uses to encrypt and decrypt the data stored or transferred by that account. A password can be turned into a key, but it is not one.
Demoing cryptography - Symmetric Encryption - Basic ciphers or codes
- Symmetric encryption uses one key to both encrypt and decrypt, so sender and receiver must both already have that key.
- Examples: Caesar cipher and rail fence cipher (classical, easily broken), AES (modern). Morse code is an encoding, not encryption: there is no key, anyone can read it. A PSK (pre-shared key) is the shared key a symmetric scheme uses, not a cipher.
- Asymmetric encryption uses a pair of keys: a public key to encrypt and a private key to decrypt. It is not "more secure" than symmetric encryption; its advantage is that the public key can be handed out freely, which solves the problem of how to share a key in the first place. It is much slower, so in practice it is used to exchange a symmetric key that then encrypts the actual data.
- Examples: RSA and elliptic-curve cryptography (public-key encryption); Diffie-Hellman is the related key-agreement method that lets two parties derive a shared symmetric key over a public channel.
“Alice and Bob”
Alice wants to send an encrypted message to her friend Bob.
With symmetric key encryption, the following process ensues:
Pretty simple, right? You know what isn't simple? Getting that one shared key to Bob without letting anyone else learn it. Enter: asymmetric encryption.
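The Alice-and-Bob exchange, carried through in code, as an added example that is not from the original page. It pairs the two halves the text separates: a Caesar cipher as the symmetric part (with the 25-key brute force that shows why key secrecy alone does not save a weak cipher), and textbook RSA with the classic tiny primes 61 and 53 as the asymmetric part. Alice uses Bob's public key to wrap a fresh symmetric key, which is exactly how the key-sharing problem is solved in practice (and what TLS does at a much larger scale). The primes and the toy ciphers are for illustration only; none of this is secure.

```python
import math
import secrets


# ---- Symmetric: Caesar cipher (one shared key, used in both directions) ----
def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter by `key` positions, wrapping around; other characters pass through."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_encrypt(ciphertext, -key)


def caesar_brute_force(ciphertext: str) -> list:
    """Only 25 possible keys, so an eavesdropper simply tries all of them."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]


# ---- Asymmetric: textbook RSA with tiny primes (illustration only, NOT secure) ----
def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)            # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Anyone with the public key can do this step."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """Only the holder of the private key can undo it."""
    n, d = private_key
    return pow(c, d, n)


# ---- Alice -> Bob: the public key wraps the symmetric key, the symmetric key encrypts the message ----
def alice_send(message: str, bob_public_key):
    session_key = secrets.randbelow(25) + 1                 # fresh symmetric key, 1..25
    ciphertext = caesar_encrypt(message, session_key)       # bulk data under the symmetric key
    wrapped_key = rsa_encrypt(bob_public_key, session_key)  # the key itself under Bob's public key
    return wrapped_key, ciphertext


def bob_receive(wrapped_key: int, ciphertext: str, bob_private_key) -> str:
    session_key = rsa_decrypt(bob_private_key, wrapped_key)  # only Bob's private key unwraps it
    return caesar_decrypt(ciphertext, session_key)


if __name__ == "__main__":
    bob_public, bob_private = rsa_keygen(61, 53)   # textbook primes: n = 3233
    wrapped, ct = alice_send("Hello, Bob!", bob_public)
    print("on the wire:", wrapped, repr(ct))
    print("Bob reads  :", bob_receive(wrapped, ct, bob_private))
    print("eavesdropper's Caesar brute force:", caesar_brute_force(ct)[:3], "...")
```

Note what the eavesdropper sees: the wrapped key (a number mod 3233) and the Caesar ciphertext. With real RSA sizes the wrapped key is useless to them, but the Caesar ciphertext still falls to the 25-key brute force. The asymmetric step only solves key distribution; the symmetric cipher still has to be a strong one.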
POPCORN HACK 3:
What are the key differences between symmetric and asymmetric encryption?
- Symmetric encryption uses 1 key, asymmetric encryption uses 2 (one to encrypt, one to decrypt)
SSL/TLS
Uses a Certificate Authority (CA) to issue a signed certificate that proves the server's legitimacy.
Authentication: SSL/TLS certificates establish the identity of the server (and sometimes the client). They contain information about the entity they are issued to, including the domain name and that entity's public key, all signed by the CA.
Encryption: SSL/TLS uses the certificate to set up encrypted communication between the client and server. The data itself is then encrypted with symmetric session keys agreed during the handshake, preventing eavesdropping and tampering in transit.
Certificate Authorities (CAs): CAs issue SSL/TLS certificates after verifying that the requester controls the domain. They act as trusted third parties: browsers ship with a list of CAs they trust, and a certificate signed by one of them is accepted.
Public and Private Keys: SSL/TLS certificates use asymmetric cryptography. The public key is embedded in the certificate, while the corresponding private key is securely held by the server and never leaves it. The client uses the public key to verify the server really holds the private key and to protect the session-key exchange; the public key is not used to encrypt the bulk traffic.
Handshake Protocol: When a client connects to a server, they engage in a handshake to establish a secure connection. This involves agreeing on encryption algorithms, verifying the certificate (signature chain, hostname, and validity period), and deriving the session keys.
Expiration and Renewal: SSL/TLS certificates have a validity period. They need to be renewed before it ends to maintain secure communication. An expired certificate makes browsers refuse the connection, disrupting the service, and an unattended renewal process is a common reason for outages.
HTTPS: SSL/TLS certificates are what web browsers use to enable HTTPS connections. They signal a secure connection, ensuring data integrity, confidentiality, and authenticity between the web server and the user's browser.
- Ex: When we used certbot to make our backend server run using HTTPS in the passion project
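The authentication and expiration checks described above, in code. This is an added example, not code from the original page or from certbot: `check_certificate` runs over a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, checking the validity window and that the hostname matches a subjectAltName entry (with the usual one-label wildcard rule). The `SAMPLE_CERT` is constructed for the demo and is not a real certificate; `fetch_and_check` shows the same function applied to a live connection, where the default `ssl` context has already done the CA-chain, hostname and expiry verification for you.

```python
import socket
import ssl
import time

# Constructed sample, shaped like what ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root CA"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label (so *.example.com
    matches api.example.com but neither example.com nor deep.api.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def cert_names(cert: dict) -> list:
    """Names the certificate claims: the subjectAltName DNS entries, else the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def check_certificate(cert: dict, hostname: str, now: float) -> list:
    """Return a list of problems; an empty list means the certificate is acceptable for `hostname` at `now`."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now >= not_after:
        problems.append("certificate has expired (renew it; certbot automates this)")
    names = cert_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"hostname {hostname} matches none of the certificate's names {names}")
    return problems


def fetch_and_check(hostname: str, port: int = 443) -> list:
    """Live version (needs network, so the offline demo does not call it). The default context already
    verifies the CA chain, hostname and validity period and raises ssl.SSLCertVerificationError on failure;
    re-running our checks on the presented certificate just makes the reasoning visible."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_certificate(tls.getpeercert(), hostname, time.time())


if __name__ == "__main__":
    mid_2024 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
    for host in ("example.com", "api.example.com", "deep.api.example.com", "evil.example.net"):
        print(host, "->", check_certificate(SAMPLE_CERT, host, mid_2024) or "OK")
    print("same cert in 2026 ->", check_certificate(SAMPLE_CERT, "example.com", mid_2024 + 2 * 365 * 86400))
```

The expiry branch is the one that bites in practice: nothing changes on the server, the certificate simply ages out, and every client starts refusing the connection on the same day. Tie renewal to a scheduled job (certbot installs one) and monitor `notAfter` well ahead of time.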
Firewall and antivirus
Firewall and antivirus software is an easy and effective way to protect your computer. Pretty much all computers come with both, enabled by default. Just make sure not to disable them!
Homework
- Describe PII you have seen on a project in CompSci Principles.
- In my team's passion project at the end of trimester 1, we created a small game with preset characters and images. The images were photos of all our team members, so my photo, which is PII, was part of the project.
- Describe good and bad passwords? What is another step that is used to assist in authentication?
- Good passwords can be considered passwords that are unique and hard to guess if you don't know them, while bad passwords can be considered basic, easily guessable, and brute-forceable. Some characteristics of good passwords are being long (>10 characters), having a symbol and a number, lowercase and uppercase letters, and no common words or sequences (hello, 123, !@#). There are many other steps used in authentication, such as biometric steps (like fingerprints) or physical ones (like a keycard).
- Try to describe Symmetric and Asymmetric encryption.
- Encryption is where data is encrypted to make it secure so that no outsider can see what it is, and then decrypted by its intended receiver so that they, but no one else, can know what the data is. The change from data to jumbled mess (secured data) and back is done through keys. Symmetric encryption is where the same key is used for both encryption and decryption, while asymmetric encryption is where one key is used for encryption and a separate key is used for decryption.
- Provide an example of encryption we used in AWS deployment.
- AWS deployment, which we used in our passion project in trimester 1, uses certbot. Certbot automates getting and renewing SSL/TLS certificates, which a Certificate Authority uses to encrypt the data that needs to be secured.
- Create a python script that lets the user input a password that is checked by the program
BONUS: Use online wordlists to compare the password, preventing dictionary attacks. See the code cell below.
# Code Here for Q5
import string

# Every printable ASCII symbol counts. string.punctuation already contains the backslash,
# so the separate "\\" special case from the first version is not needed.
SYMBOLS = set(string.punctuation)

# Small built-in list so the script still runs when the nltk corpus is not installed.
FALLBACK_WORDS = {"password", "hello", "welcome", "letmein", "qwerty", "monkey", "dragon", "football", "testing"}


def load_wordlist():
    """Use the nltk 'words' corpus (an online wordlist, fetched once with nltk.download('words'));
    fall back to the built-in list if nltk or its data is missing."""
    try:
        from nltk.corpus import words
        return {w.lower() for w in words.words()}
    except (ImportError, LookupError):
        return FALLBACK_WORDS


def is_dictionary_word(password, wordlist):
    """True if the password, ignoring case and any digits/symbols tacked on, is a plain dictionary word."""
    letters_only = "".join(ch for ch in password if ch.isalpha()).lower()
    return password.lower() in wordlist or letters_only in wordlist


def run_checks(password, wordlist):
    """Run the five checks; return a list of (passed, message) tuples, one per check."""
    results = []

    # Check #1: 10 or more characters
    length = len(password)
    if length >= 10:
        results.append((True, f"You have {length} characters, which is at least 10. You pass Check #1."))
    else:
        results.append((False, f"You have {length} characters, which is fewer than 10. You fail Check #1."))

    # Check #2: contains a symbol
    symbolcount = sum(1 for ch in password if ch in SYMBOLS)
    if symbolcount >= 1:
        results.append((True, f"You have {symbolcount} symbols, which is greater than or equal to 1. You pass Check #2."))
    else:
        results.append((False, f"You have {symbolcount} symbols, which is less than 1. You fail Check #2."))

    # Check #3: contains a number
    numbercount = sum(1 for ch in password if ch.isdigit())
    if numbercount >= 1:
        results.append((True, f"You have {numbercount} numbers, which is greater than or equal to 1. You pass Check #3."))
    else:
        results.append((False, f"You have {numbercount} numbers, which is less than 1. You fail Check #3."))

    # Check #4: both lowercase and uppercase letters
    has_lower = any(ch.islower() for ch in password)
    has_upper = any(ch.isupper() for ch in password)
    if has_lower and has_upper:
        results.append((True, "You have both lowercase and uppercase letters. You pass Check #4."))
    else:
        results.append((False, "You don't have both lowercase and uppercase letters. You fail Check #4."))

    # Check #5: not a dictionary word (the wordlist is the "online wordlist" for the bonus)
    if is_dictionary_word(password, wordlist):
        results.append((False, "Your password is a common word. You fail Check #5."))
    else:
        results.append((True, "Your password is not a common word. You pass Check #5."))

    return results


CHECK_TITLES = [
    "This is Check #1 to see if your password is at least 10 characters.",
    "This is Check #2 to see if your password has a symbol or not.",
    "This is Check #3 to see if your password has a number or not.",
    "This is Check #4 to see if your password has both lowercase and uppercase letters.",
    "This is Check #5 to see if your password is a common word.",
]

if __name__ == "__main__":
    # Defines checkpassword as the inputted password (echoed back only because this is a demo)
    checkpassword = input("Input a password you'd like to check! ")
    print(f"Your password to check is: {checkpassword}")
    print("")
    results = run_checks(checkpassword, load_wordlist())
    for title, (passed, message) in zip(CHECK_TITLES, results):
        print(title)
        print(message)
        print("")
    # Counters for checks passed or failed
    checkpassedcount = sum(1 for passed, _ in results if passed)
    checkfailedcount = len(results) - checkpassedcount
    # Final result
    if checkfailedcount > 0:
        print(f"You passed {checkpassedcount} checks and failed {checkfailedcount} checks, try to pass all 5 checks!")
    else:
        print(f"You passed all {checkpassedcount} checks! Your password is great! Well done!")
Your password to check is: testingNodNod1
This is Check #1 to see if your password is at least 10 characters.
You have 14 characters, which is at least 10. You pass Check #1.
This is Check #2 to see if your password has a symbol or not.
You have 0 symbols, which is less than 1. You fail Check #2.
This is Check #3 to see if your password has a number or not.
You have 1 numbers, which is greater than or equal to 1. You pass Check #3.
This is Check #4 to see if your password has both lowercase and uppercase letters.
You have both lowercase and uppercase letters. You pass Check #4.
This is Check #5 to see if your password is a common word.
Your password is not a common word. You pass Check #5.
You passed 4 checks and failed 1 checks, try to pass all 5 checks!