Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security / Privacy Advice?

Posted by kdawson on from the all-ears dept.

James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fullly. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"

2 of 260 comments (clear)

  1. Back it up with a little detail helps. by Kyle · · Score: 5, Interesting

    Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.

    Unknown Entries:
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)

    Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.

    Really get their attention with some specifics like that.

    --
    The previous comments are only true, if no-one says they're wrong.
  2. Advice by Anonymous Coward · · Score: 5, Interesting

    I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someones information from the social networking site, googled them using stuff I learned about them from facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their myspace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.

    I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.

    Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.

    I hope this helps out a little. Good luck!