
Making Hacking Child’s Play

Formal Metadata

Title
Making Hacking Child’s Play
Number of Parts
133
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract
How does it keep happening? I mean why are websites so consistently hacked? Is it the work of sophisticated cyber-villains operating from underground lairs? As it turns out, many of today’s online attacks are mounted by kids – legally children – who simply have time, patience and access to Google. In this session we’re going to look at and execute a heap of online attacks with tools that even kids can use. You’ll learn just how easy it is to mount these attacks and most importantly, what it is you need to do to keep your apps secure not just from mischievous kids, but from cyber-criminals and even nation state actors. This talk is scary, entertaining and will make you distrusting of any kid with a PC.
Transcript: English(auto-generated)
So we're going to talk about making hacking child's play and what I really wanted to cover here is to start to talk about how easy hacking is or how easily accessible it is for children, certainly how easy it is as well. You may learn some things from this that you could teach your children
or more specifically things that you probably should watch out for your children doing. And it's quite interesting when we talk about hacking today, we've got this problem, right, where hacking is absolutely everywhere, it is all over the place. And interestingly, I put this slide together and we've got Toy Story in here and Toy Story is now 20 years old.
The kids that were hacking TalkTalk the other day weren't even born, not for another five years, they're 15-year-old kids. They don't even know what this is, they weren't there when it came out. So how's that for a bit of context? But this is the problem, we're seeing it in the news all the time. Mentioned TalkTalk, that was a big one.
Last year we had big ones as well, like Ashley Madison. We're going to look at a bit of Ashley Madison today, that might be interesting. And we have this problem where clearly hacking is very, very accessible. It's very easy. And I want to start to show you some of the ways it's very easy, but where I thought we might start
is to have a look at how we're trying to protect our kids. And one of the things that we try and do with our kids is we want to keep them safe online, right? We want them to go to search engines that aren't going to return some of the results you might find on the likes of Google. So we have sites like this, Safe Search for Kids.
I want to show you how this works and how it protects your kids. So what we'll do is we'll jump on over to the browser. This is Safe Search for Kids. And the way it works is if your kids search for something that they really should not, you never know how these demos are going to turn out. They are live demos, thank God. All right, you search for a blocked term, and this is what we want, right?
Like, we don't want our kids searching for porn. This is good. They've been kept away from things which might adversely influence them at these tender, impressionable ages. Good news. Now, search is interesting, though, because you can do some really kind of cool stuff with search. In fact, the FBI is quite right about search.
So the FBI came out about 18 months ago and said, malicious cyber actors, which, first of all, sounds enormously scary, but malicious cyber actors are using advanced search techniques. Now, the advanced search techniques which they're talking about is Google Dorking.
Anyone heard of a Google Dork before? Only a few. Wow, okay, we're going to learn something here. This is cool. All right, so I'm going to show you how to use a Google Dork to find things on the web that you shouldn't and become a malicious cyber actor yourselves. So, here's how it works. What we do is we go to a site like this. This is the Google Hacking database. It's at exploit-db.com.
And this site has got a whole bunch of different lists of exploits, of things you can learn if you want to learn how to do all sorts of things with security. You might use them for bad purposes, might use them for good. But what we can do here is say, look, what sort of Google hacking would we like to do? So, we could have things like vulnerable servers, error messages, files containing juicy info,
which kind of sounds like non-presentation safe. So, we might skip over that and go to files containing passwords. And then we can do a search, and what it's going to do is filter down the list of potential Google Dorks that could show us files containing passwords.
And what we're going to see when the list loads is different types of searches that return absolutely nothing because my connection's gone. All right, let me unplug this. Replug that. Oh, look, no network. Has anyone connected to Excel free or do you always just go, well, I'd really like it fast as well?
I'm going to go to Excel free fast. Who knows why they do that? Let's try and load that guy again. So, hopefully what this is going to do when we have an actual connection is load a list of potential searches, which is still not loading. And if it doesn't work eventually, I'm just going to explain it. All right, let's try this again. Someone said don't even trust the Wi-Fi, apparently.
Connecting, connecting. We'll go Excel slow. Loading, loading. No, it's not even doing that because that's an HTTP page.
Doesn't do that. Maybe we'll go fast again. And if that doesn't work, we can all watch as I try and see if my wireless hotspot actually works. Okay, so that is connected. That's not working. Let's try this one. We'll connect to that one. And if it doesn't, we're going to skip that and we're just going to wing it. Hey, there we go. At least you know they're real demos now.
All right, so we're there. So, Google Hacking Database. Now, this is files containing passwords. So, as we have a scroll down here, we will see a whole bunch of different searches which will find files containing passwords. And as you sort of eyeball these, you can get a bit of a sense of what they're going to do.
And if we find something like, let's grab this one: site:pastebin.com intext:username. Now, inevitably, this is going to search Pastebin. And we're just using like Google search criteria here. You know, the site operator, the intext operator. It's going to find pastes on Pastebin that have the word username in them, which is fine.
You know, this is easy. And if we do that, we'll find that. And then we'll find all of these sites that have a whole bunch of usernames and things in them. In fact, you can get a bit of a sense already. We've got passwords and things here. It's not hacking if you only look at Google searches, apparently. So, here's the thing though. So, we can take that search term.
We can go over to a site where you can't search for porn, but you can search and learn how to hack things. So, your kids are kept safe from porn. We don't want the kids watching porn. But they can go through and start grabbing things like email addresses and password dumps and things like that. So, as safe as we keep our kids from the things that we traditionally think of as being damaging to young minds,
it's not safe from all the other stuff they can get themselves into. So, it's very easy for kids to sort of circumvent some of these controls that we think keep them safe online. So, that's Google Dorks and kids. Let's move on to something that's a little less kid-like.
Adult Friend Finder. Who had an account on Adult Friend Finder? That is the correct answer. I know nothing. First I've ever heard of it. Now, Adult Friend Finder got compromised back in May. They had about 4 million accounts leaked out of it.
And you may be looking at this feigning innocence. And let's imagine for a moment everyone's innocent and you do not know what Adult Friend Finder is. And you're thinking, well, finding friends is nice. You know, I like having friends. Maybe it's a social media site. Here is what they mean by friend. This is what happens after you log in for research purposes.
You don't see many guarantees as emphatic these days, do you? These guys are very, very, very sure. Interestingly enough, tangent here. Ashley Madison, after Ashley Madison was breached and people started going through the data, what they found was that not only were there a lot of bots on there for women,
but they were also paying prostitutes in order to fulfil the guarantee that they had made to men about getting laid. Apparently there was enough ROI, I assume, paying for cheap prostitutes to justify the expense that some of these members were paying in order to get the guarantee. Interesting cyber security fact. Don't tell your kids that one.
Anyway, moving on. So, we're here looking at Adult Friend Finder. Now, Adult Friend Finder did get hacked and they came out with this long message about security updates and so on and so forth. And one of the things that they said in this message was that, yes, your account information has been exposed and your wife now knows that you're cheating on her.
And it was predominantly men, almost exclusively men. So inevitably it's wives finding out about husbands, maybe losing their families and all sorts of nasty stuff. But good news, your financial information and your password is okay. You know, the stuff that you'll just go and replace, right? Like if your credit card gets defrauded, you call your bank and say,
hey, my card got defrauded and they say, okay, here's the money and a few days later we'll give you the card. Exactly that happened to me just recently, not from this side. It was actually my wife's card, I hope not from this side. But that happened and we got the money back and we got the card back literally days later. So you see companies saying this in order to appease the payment card industry.
Because if PCI gets upset, well, then you don't get to take payments anymore and that kind of does bad things to your revenue. So here's the thing, though. So Friend Finder got hacked and all of these people got quite upset, understandably, because they're saying, well, now anyone can find out if I had an account on adult Friend Finder.
And I thought this was curious because you can do that anyway and you can still do it today. Here's what you do. You jump over to here and, again, loading a site like this while you're in a forum like this and it does have some interesting stuff on it, it's kind of intriguing,
but we can go to Forgotten Password, we still have a connection. You can enter a username or an email and you can fabricate one, right? So you just come up with anything you like, blah, blah, blah, blah, at blah, blah, blah, so it meets the regex. This is a very highly advanced CAPTCHA just here, which we have to fill out. And when you fill that out with something random, it comes back and it says it is an invalid email.
So you get this sort of explicit confirmation that this account does not exist. Now, who was it who said they didn't have an account? All right, we'll make one up. I did this at NDC a little while ago, so I had NDC2015, and I made it at notmailinator.com.
Everyone know what Mailinator is? So just for those who don't, just for curiosity's sake, you go to Mailinator and what you can do is you can send an email to anything at mailinator.com and then check the inbox. So, you know, inevitably people have been sending it to Foo, you jump into Foo, here's everything that's been sent to Foo, which is kind of cool
because if you need to make up like a fake account or something for a brief period of time and everyone can access it, right, that's how it works, it's a very, very sort of low friction way of accessing email. Anyway, we'll run this one, NDC2015@notmailinator.com, super, super secure CAPTCHA, load that and here we go,
an email has been sent to your email address. Like this is magic, right? We have hacked it because we've just found out who has an account and who doesn't. And this is just an enumeration risk. So enumeration risk being that you can ask the system does an account exist and then the system comes back and it says yes or no.
You see this happen a lot on password resets, you also see it happen on registration. You know how you go to a website and you register and you forgot that you'd already registered and it comes back and says you already had an account. Enumeration risk, very, very easy and you can find other people's accounts doing that.
Now, after you do this, after you actually go and test an account, that account gets an email like this. Pretty typical password reset email. But I thought it was funny because it says, hey, this could have been you or someone else, okay? Someone may have entered your username by mistake, which is possible.
It's also possible your wife entered the username and now she has been told that you have an account. So it's a curious thing but do on a serious note, think about your systems, is there an expectation of privacy? So do people expect that their information will be held secure and not disclosed in a way like this?
Now, this was very explicit, right? So it came back and said, yes, this email address exists and you've been sent a message. Now, a little bit later, we had Ashley Madison. Who had an Ashley Madison account? Very quiet, good answer, perfect. Now, Ashley Madison was a similar deal.
So August last year was when all the data originally or eventually went public. It was originally announced, the attack back in July. So in July, the attackers go, we have broken into your things, we have 30 plus million accounts, shut the service down or we're going to dump it all publicly. And of course, they didn't shut the service down.
But there was this one month period between the hackers saying, we've got your stuff and it actually being turned off. And like adult friend finder, a lot of people, a lot of guys, got very, very nervous about the fact that their identities may be disclosed. The fact that they had an account may be disclosed.
So I thought it would be curious to see if Ashley Madison had the same risk as Adult Friend Finder. So I went over to the password reset page and I put in an email address. This is invalid@invalid.com. I assumed it would be invalid. And a message came back like this. And when I first saw this, I got excited. I went, oh, good, they've done a good job.
Because in bold text, it says, if that email address exists in our database, you will receive an email to that address shortly. I thought, great, because that's sort of very noncommittal, isn't it? So I might have an account, not telling you. That's an invalid account. This is what happens with my, for research purposes only, valid account.
These two things are not the same. These two things are fundamentally different. It's the same message in bold, but they've taken out that first paragraph and they've taken out the email address in the send field. So see how you're actually getting different responses back.
So you can still tell whether an account exists or not once you know the pattern of a positive versus a negative response. So I wrote about this and the next day they fixed it. So, you know, they screwed up a lot of things, but to their credit, they fixed that pretty quickly, which sounded like a challenge. So I thought, OK, let's have a look at what else they do.
So I went over here and I thought, well, try this. Let me try and log on 25 times and I'll see how long it takes. So I took my valid account, research account, number of times I'll say that to my wife, it's research. Honestly, I do a lot of research.
So I've gone and I've logged in 25 times with the email address of a valid account, but an invalid password. So it was never going to properly authenticate. And when I logged in 25 times, I saw this. This is the total duration of the HTTP request, from request through to response.
Pretty solid pattern there, around 500 to 600 milliseconds. Sometimes it spikes a little bit. I thought, OK, well, that's interesting. Let's now try it with an invalid account, a made-up email address and a fake password. There's a pattern here. I'll wait while you all get it.
That's all right. But here's the thing. Anyone know what does this? So why is an invalid account so fast and a valid account so slow? The index lookup is faster. May I make a suggestion? If your database index lookup takes 400 milliseconds, you may have another problem. So here's what it is.
It's hashing. Because when you have a valid account, what happens is you provide the username and the password to the system. The system goes, I'm going to go to the database, and I'm going to say, get me the record for that email address. And when it comes back with a valid record, one result, then it hashes the password that was provided in the web interface, and then it compares it with the one in the database.
That takes 500 to 600 milliseconds for the request. When it goes to the database with an invalid email address, and the database comes back and says it doesn't exist, the developers did what all of us would do if we're trying to make it fast, which is to go, OK, we'll just bail here. We don't actually have to hash it again.
We'll just return the response. But that effectively creates a timing attack vector, because we can now observe from the way the site behaves when we make the request whether the account exists or not. So that's kind of interesting. One to think about, if there's an expectation of privacy, how should the thing behave? All right, let's go on to something different.
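The two problems described above, the password reset page that answers differently for existing and non-existing accounts, and the login that skips the hash when the email is unknown, have the same fix: make both branches do the same work and say the same thing. The following is an added example and is not code from the talk or from either site; the user store, the PBKDF2 parameters and the sample email addresses are constructed for illustration. When the account does not exist, the login still hashes the supplied password against a dummy credential that can never match, so the "no such user" path costs the same as the "wrong password" path, and the reset endpoint returns one fixed message regardless of whether an email is actually queued.

```python
import hashlib
import hmac
import os
import time

# PBKDF2 parameters: an assumption for this example, not either site's settings.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; deliberately slow, which is what the timing leak hinges on."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: email -> (salt, stored hash).
_salt = os.urandom(16)
USERS = {
    "research@example.com": (_salt, hash_password("correct horse battery staple", _salt)),
}

# A dummy credential that can never match a real password. Verifying against it
# when the account is unknown keeps that branch doing identical hashing work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(32).hex(), _DUMMY_SALT)

# Instrumentation so a test can confirm both branches hash exactly once.
HASH_CALLS = {"count": 0}


def login(email: str, password: str) -> bool:
    """Returns True only for a known account with the right password.

    Unknown emails fall through to the dummy credential rather than returning
    early, so the response time no longer reveals whether the account exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    HASH_CALLS["count"] += 1
    candidate = hash_password(password, salt)
    # compare_digest is a constant-time comparison of the two digests.
    matched = hmac.compare_digest(candidate, stored)
    # The dummy hash can never match, but the explicit membership check documents intent.
    return matched and email in USERS


RESET_MESSAGE = (
    "If that email address exists in our database, "
    "you will receive an email to that address shortly."
)


def request_password_reset(email: str, outbox: list) -> str:
    """Non-committal reset: the same message is returned for every input.

    Only the side effect differs (an email is queued for a real account), and
    that side effect is not visible in the HTTP response."""
    if email in USERS:
        outbox.append((email, "Password reset link"))
    return RESET_MESSAGE


def time_login(email: str, password: str) -> float:
    """Wall-clock seconds for one login attempt, for the stand-alone demo only."""
    start = time.perf_counter()
    login(email, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Both attempts should take a similar time now that neither branch bails early.
    print("known account, wrong password:", round(time_login("research@example.com", "nope"), 3), "s")
    print("unknown account:              ", round(time_login("nobody@invalid.example", "nope"), 3), "s")
    outbox = []
    print(request_password_reset("nobody@invalid.example", outbox))
    print(request_password_reset("research@example.com", outbox))
    print("emails queued:", outbox)
```

Run stand-alone it prints the two login timings side by side; the remaining variance is network and scheduler noise rather than a branch that skips the hash, which is what an observer measuring request duration was able to exploit.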
We will go on to XSS, cross-site scripting. Now, cross-site scripting remains one of the top risks on the web today. It's enormously prevalent. It's still categorized, I think it's in about the top three spot at the moment, according to the Open Web Application Security Project. And I want to give you a bit of a demo of what cross-site
scripting is, and then I'll show you a really neat way of defending against it. So here's what we'll do. We'll jump over to this site just here. Now, any of you can go to this site and hack around with it any time you like after this talk. So this is at hackyourselffirst.troyhunt.com. I use this for a lot of my Pluralsight courses and a lot of my training and speaking, because it's just full of flaws.
It's got SQL injection all through it, a bunch of other stuff, and cross-site scripting. But here's what I want to show you first. Let's do this. We'll do a search for Fubar, like so. Now, the site comes back, and it says, you searched for Fubar. So it's actually reflecting Fubar in the response.
You can see Fubar's up there in the query string as well. So we give it a piece of information. It reflects it back to us. Now, if we have a look at the source code and we do a find for Fubar, we'll see that we've got Fubar there in the header, and we've also got Fubar down here in the world's most pointless piece of jQuery.
So it's actually reflected in two different places. Once in the HTML context and once in the JavaScript context. Now, the trick for us when we think about cross-site scripting is how can we modify Fubar up here such that it changes the behavior of the script block that it appears in down here?
And I can go and take an attack like this. And we'll look at the mechanics of how this works in a moment. Go up to here, paste it over that query string, load the page, and my authentication cookies have been stolen. I'm going to show you how it works in a moment, but that's how fast it is. You go to a link, and the link has cross-site scripting in it.
Now, what this link has actually done is it's put this image over here on the left-hand side of the screen, which looks broken. We can inspect that in the dev tools, and we'll see that image source goes to evilcyberhacker.com. That is my domain. It's a legitimate domain, evilcyberhacker.com. And off the end of evilcyberhacker.com,
you can see it goes to a path called log cookies, and it passes over every single cookie that the browser has access to. And here's how it does that. We can see it once we view the source code. Jump down to the bottom. Here's what happened. So this is where our cross-site scripting payload starts from.
We can see it up here. %27 is a URL-encoded single quote. So what I did is I passed a string which closed off this var statement, terminated the line, and then it created a new image, and then it set the source of the image to evilcyberhacker.com, and it appended document.cookie.
Now this will get every single cookie that the browser has access to. It then appended that image to the page. So once that actually gets returned to the browser and rendered, the browser makes a request for the image and passes the cookies as a source. It doesn't matter that that's not a valid image.
All that matters is that the request was made and the query string was passed. And I then cover my tracks. So I then go, okay, in my heading two, I'm gonna say nothing interesting to see here at all, which is why we see this. So that's actually rendered by client script in the DOM. So that's how easy it can be to hijack cookies,
and indeed to execute an XSS attack. But here's what I wanna show you, because a lot of people see XSS and they go, okay, well, you know, like contrived demos and stuff like this work pretty well, but, you know, it's contrived. Like what actually happens in real life? Like what are real world examples of sites
being impacted by XSS? I saw a demo last year by a Dutch guy, and I wanna show you a little video he made. And this is a video of Dutch banks being affected by XSS. The sound and the motion are all a cross-site scripting attack,
which is kind of cool, right? It's a nice sort of proof of concept. Normally not what attackers do, as annoying as that soundtrack is, they don't just play the Harlem Shake on banks. They tend to steal cookies and rewrite pages and do other things like that. However, it is good fun. So let's go and do that.
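The reflection the talk walks through, the search term landing both in an HTML heading and inside a quoted string in a script block, as an added example that is not code from hackyourselffirst.troyhunt.com: the unsafe renderer concatenates the raw term, the safe one encodes per context (HTML entities for markup, a JSON string literal with angle brackets escaped for JavaScript). The template and the check function are constructed for this demo.

```python
"""Context-aware output encoding for a reflected search term (added example)."""
import html
import json
import re

def render_unsafe(term: str) -> str:
    """Concatenates the raw term into both contexts, as the talk's site does."""
    return (
        f"<h2>You searched for {term}</h2>\n"
        f"<script>var term = '{term}';</script>"
    )

def render_safe(term: str) -> str:
    """Encodes per context.

    The JavaScript value is emitted as a JSON string literal: quotes,
    backslashes and control characters are escaped, and '<' / '>' are
    written as \\u003c / \\u003e so the bytes '</script>' can never appear
    inside the block and close it early."""
    js_literal = json.dumps(term, ensure_ascii=True)
    js_literal = js_literal.replace("<", "\\u003c").replace(">", "\\u003e")
    return (
        f"<h2>You searched for {html.escape(term, quote=True)}</h2>\n"
        f"<script>var term = {js_literal};</script>"
    )

# The only statement the script block is supposed to contain: one assignment
# of a single string literal (single- or double-quoted).
_EXPECTED = re.compile(r"var term = ('[^'\n]*'|\"(?:[^\"\\]|\\.)*\");")

def script_breaks_out(page: str) -> bool:
    """True if the rendered script block contains anything other than the
    expected assignment, i.e. the input escaped the string literal."""
    m = re.search(r"<script>(.*?)</script>", page, re.S)
    if m is None:
        return True                    # a '</script>' inside the value ate the block
    return _EXPECTED.fullmatch(m.group(1).strip()) is None

if __name__ == "__main__":
    for term in ["Fubar", "foo'; alert(1); //"]:
        print(repr(term), "unsafe breaks out:", script_breaks_out(render_unsafe(term)),
              "safe breaks out:", script_breaks_out(render_safe(term)))
```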
Let's go and do that to a bank. English bank. What do they do here if you commit a crime? Like they just deport you to Australia? Is that how it works? All right. Now take note of this, because you guys will want to do this when you go home afterwards. The source there, that URL, troy.hn forward slash Harlem Shake script.
Make a note of that, because you're gonna wanna do this, it's good fun. We copy this entire script. We jump over to the browser and we pick an English bank, an English bank. We jump into the console of our dev tools. We paste this, we run it.
And the really cool part is all the menus and things still dance. As you do it.
Which is pretty awesome. All right, I'll shut that up. Now, here's the relevancy to this. Is this a security risk? If we can go into the console and modify our own local DOM to load external content, would we consider it a security risk? Yes, so why is it a security risk?
It's on my site, right? It's on my machine. I'm already modifying it. It's not like I modify the source or the transport layer or, because people are, well, I'm not gonna argue that people are stupid. However, that may not be the reason this is a security risk. Let me demonstrate with another one.
I'll go to this site. Who's used this site before? Keep your hand up if you've been pwned. Well, some of you got off easy. Three times I'm on here. Believe it or not, three times my data has appeared in a public data breach. All right, so I go F12 in here. I go into the console, paste, run. And it doesn't shake, right?
There is no shaking on this site. However, I do get two errors in the console. "Refused to load the stylesheet" is the first one, and then "Refused to load media" is the second one. Now, both of them list Amazon AWS URLs, and both of them then say because it violates the following
content security policy directive. So what we're seeing here is I'm using a CSP on this site, a content security policy. Out of the top one million sites, according to Alexa, there are just over 1,000 sites that use a CSP.
So you are looking at about a 10th of 1% of all sites that use a CSP. But I'm gonna show you what it does and how cool it is, and then hopefully we'll be able to get those numbers up a little bit. So it has refused to load these style sheets. It would not load in the external content. Now, this is Harlem Shake, and it's fun and all that sort of thing, but think about the demo I did just before,
where I loaded in an external image as a way of actually sending a request to an external site. If you could block that, where it's trying to send auth cookies off, that would be kind of cool. So let me show you how this works. We'll go to the network tab, I'll give this a reload, and then what we'll see here on that first request, down here in the response headers
is a content security policy response header. It goes all the way down a little bit more to here. Now, what this header does, and it is just that, it's only a header, that's all it is. What the header does is it whitelists the allowable sources that external content can be loaded from. So for example, it says I can load a script
from the CloudFlare CDN, because I embed jQuery off there, so I don't have to pay to serve my jQuery, and I get CDN stuff, and that kind of thing. So I need to whitelist that. You also whitelist content sources such as fonts, such as objects, such as child sources,
if you're using iframes anywhere. And you go through, and for each one of those different content types, you whitelist where you want to allow it to be loaded from. The other thing you can do here is have a report URI, which is this last bit. So what all this means when you bundle it together is if anything is attempted to be loaded by the browser
from a non-whitelisted site, violation reports are going to be sent to that URI. And that URI, report-uri.io, is a free service made by a guy over here that allows you to log your content security policy exception reports over to there. And what it means is that you can now monitor
who's trying to embed things into your pages. Certainly you can monitor what's trying to be embedded into your page. So with this running, and knowing now that we've got this reporting mechanism, if I go to the console and try and do this again, and then go back to network, right down the bottom, I will see two reports that get sent back.
There's the first report, that'll be the CSS, and the second report for the media. If we drill into this, we can see that it's a request over there, it's a post request, it's got a body down here, here's a payload. So it's actually sent this entire report back to that report-uri site. And I can now go to report-uri
and spin through and have a look at all the violations that my site is logging from browsers. So this is really cool. Content security policy level one is supported by about 88% of browsers. Level two of content security policy is around about 55% of browsers, with the major exception being Internet Explorer
and Edge don't support it at all. But the only thing that happens, if you have a CSP and the browser doesn't know what the header is, it just goes, I don't know, and it moves on. So there's no downside. You can add a CSP and get this benefit from browsers that support it. So that's CSPs.
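The whitelist-per-content-type idea and the report-uri reports, as an added example (not haveibeenpwned.com's real policy and not report-uri.io's code): a small evaluator that decides whether a fetch is allowed by a policy, plus a reader for the JSON report a browser POSTs when it blocks something. The policy string, the CDN host and the report body are constructed for the demo.

```python
"""Minimal Content-Security-Policy evaluator and violation-report reader
(added example; not a complete CSP implementation)."""
import json
from urllib.parse import urlsplit

# Constructed policy in the shape the talk describes: a whitelist per content
# type, falling back to default-src, plus a report-uri.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdnjs.cloudflare.com; "
    "style-src 'self'; "
    "img-src 'self' https:; "
    "report-uri https://example.report-uri.io/r/constructed/csp/enforce"
)

# Which directive governs each fetch type; anything missing falls back to default-src.
FETCH_DIRECTIVES = {
    "script": "script-src", "style": "style-src", "img": "img-src",
    "font": "font-src", "media": "media-src", "connect": "connect-src",
}

def parse_policy(header: str) -> dict:
    """'name src src; name src' -> {name: [src, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src: str, url: str, page_origin: str) -> bool:
    """One source expression against one absolute URL.

    Handles 'self', 'none', scheme sources such as https: and plain host
    sources; wildcards, nonces and hashes are out of scope here."""
    u = urlsplit(url)
    if src == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "'none'":
        return False
    if src.endswith(":") and "/" not in src:        # scheme source, e.g. https:
        return u.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:
        return False
    return s.netloc == u.netloc

def is_allowed(policy: dict, fetch_type: str, url: str, page_origin: str) -> bool:
    """Is a fetch of this type from this URL permitted by the policy?"""
    directive = FETCH_DIRECTIVES[fetch_type]
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)

def summarize_report(body: str) -> dict:
    """Pull the useful fields out of a report-uri POST body."""
    r = json.loads(body)["csp-report"]
    return {
        "page": r.get("document-uri"),
        "blocked": r.get("blocked-uri"),
        "directive": r.get("violated-directive"),
    }

# Constructed report, in the JSON shape browsers POST to the report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://haveibeenpwned.com/",
    "violated-directive": "style-src 'self'",
    "effective-directive": "style-src",
    "blocked-uri": "https://example-bucket.s3.amazonaws.com/constructed.css",
}})

if __name__ == "__main__":
    p = parse_policy(POLICY)
    origin = "https://haveibeenpwned.com"
    print(is_allowed(p, "style", "https://example-bucket.s3.amazonaws.com/constructed.css", origin))
    print(summarize_report(SAMPLE_REPORT))
```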
They're really kind of cool and definitely worthwhile having a look at, because ultimately that's gonna save you if you make a mistake somewhere and you do get XSSed. All right, so let's move on. And I wanna get back to kids and hacking. And I wanna have a look, particularly at distributed denial of services. Now DDoS is a really, really popular mechanism
of kids hacking because it's so easy. I'm gonna show you how easy in just a moment. This map is really awesome. So this is a map of DDoS attacks in action. And the cool thing is it's actually a live map. If you jump over to the browser and you go to map.ipviking.com,
and I'll put it in full screen because it looks awesome. How's that? There's always this pattern that I notice with this. It kind of follows the sun. So what this is telling us is that down the bottom left it's telling us attack origins,
the countries that the attacks are coming from, attack types, are they UDP, TCP, FTP? Sometimes they're NTP, they use the Network Time Protocol. And then of course where they're targeting. And it's kind of mesmerizing, like you just sit here and go, what is China doing? And it's almost always the West Coast of the US too.
It's kind of interesting. So this is sort of live DDoS in action. And we see DDoS a lot. In fact, in my talk yesterday I mentioned just before I came on stage and reading the news and anonymous is DDoSing Nissan. And they're DDoSing Nissan because Japan likes eating whales. That's it.
That is the reason to DDoS a car manufacturer with a global presence because their original country of origin is killing whales. Whoa, look at that one. I think they heard me. All right, so that's really cool. Check that out sometime. Now you may be wondering as well, oh, that's nice, thank you.
What's the what now? What is it based on? That's a really good question. Where do they get their data from? Tweet me when you find out and I'll share it. So moving on. It is very well renowned though. It's certainly not fabricated and it has been very popular in infosec circles. So you might be looking at this and saying,
well, perhaps I don't like Japan as well or whoever. How do you go about mounting a DDoS attack? And you can actually get services online. You can get services from kids like this. I'm Krista and I'm here to promote Waco's professional, cheap DDoS service.
It's strong, fast and trusted with no entitlement. What we do is we take down large websites, large forums, game servers and website blogs. You can blow your competition and web enemies away. You reach us at Skype, Yahoo or MSN at the bottom and we look forward to doing business with you. But she's so sweet.
She's literally sitting there in her bedroom selling distributed denial of services in order to blow your web enemies away. And this is one of the things that kids do actually use distributed denial of services for. They're playing a game and someone keeps fragging them
the whole time, keeps nailing them and whatever first person shooter it is they're playing and they're like, right, that's it. I'm gonna do the sort of the digital equivalent of throwing my toys, I'm gonna DDoS you. So they find the IP address of the opponent and they basically use a service to throw all sorts of packets at that IP address such that it can't process malicious requests or process genuine requests.
And this is really what a DDoS is. It's like throw so much crap at a machine that it can't do what it's actually there to do. Now I wanna show you how this works. Different ways of doing DDoS. Now Krista has a service of unknown repute but let's imagine she has a good service.
The other thing that tends to happen with DDoS is we see stuff like this. Now these are a bunch of tweets that are all asking people to fire the lasers. All right, fire your lasers, target this. And what they're trying to do here is crowdsource a distributed denial of service attack. So they're trying to encourage other people
to run this particular tool because if they run this tool and you get enough people running it and pointing it all at the one location at the same time they might be able to take it offline. Now who here has actually used this before? Oh, one guy. Okay, so I need one person who is not that guy. What about you? You're not that guy. Have you done this before?
Excellent, come up here. All right, this will be good. What's your name? Brian, is it? Ryan. What's your last name and address because we may need that after this. All right, Ryan, come up here, mate. Now because of my convict heritage I can't actually do this but you can. So what we're gonna do, you take control of... It'll be fine, don't worry.
You take control of the keyboard. Now what we're gonna do is run LOIC, which is the Low Orbit Ion Cannon. Now this is what we see in all the tweets behind the screen here. Now what you gotta do, Ryan, is first of all think of someone that you don't like or you have a grudge against or a football team you don't like. Chelsea. Chelsea, all right. So what you do is you enter the URL of Chelsea in there.
Just for the sake of the camera, it is Ryan typing now. What's the URL of Chelsea? Chelsea. Is there any Chelsea supporters here? No, I don't wanna get any red cards. All right, so yeah, anyway, hopefully that's it.
Now you click on log on or lock on just next to that. And what it's gonna do is it's a super hacker thing which is resolving a hostname to an IP address. Very good. Now what you gotta do is you gotta choose the method of DDoS that you wanna use. So you see this little method box just here. You're gonna wanna choose a value in there.
We might go TCP. Actually, no, let's do HTTP because we're connected to the web. We know that'll work. Probably it'll work. All right, so now we gotta choose threads. And really what you're doing with threads is deciding how much you don't like Chelsea Football Club. Now a 10 is like, yeah, it's not so bad.
If it was much higher, mostly just 100, it would be if you really, really don't like them. Holy shit. Okay, this has never been done before. This is all new ground. And then when you're, it'd be funny if it crashes my machine. I gotta start the whole thing again. When you're ready, let's find out.
Press "IMMA CHARGIN MAH LAZER" to start your attack. Oh, look at that. What the shit? What on earth made you put that in the thread? Ha ha ha. All right, Ryan, look, you're a passionate guy but let's dial it back a bit. Ha ha ha.
Okay, that's probably more likely. Let's try that. Never seen that happen before. All right, there we go, quick stop. All right, and that's it. Like that is, first of all, thank you, Ryan. Well done, mate. Good on you. That is how easy it is.
And it's certainly not a distributed denial of service when it's just Ryan. And he can provide his contact details later for anyone interested. It's not when it's just Niall or Ryan. That is not distributed, right? That's just one person. But once you start getting hundreds or thousands of people all doing this, all trying to make 150 simultaneous requests
to the same site, then it becomes a distributed denial of service. And then it does get hard to defend against. It's hard to keep that stuff out and let the legitimate stuff come through. So that's how DDoS works using LOIC and crowdsourcing the attack. You can actually buy distributed denial of services,
malicious distributed denial of services. And some of them have got some really great ads for them too.
That looks awesome, doesn't it? Who wants to go and mount a DDoS now just after seeing that because it looks so cool? And did you see the epic DDoS interface? Did that really make you wanna go and buy some DDoS services? But this is what it is. It is a service that you go and pay for.
You pay for a small amount of money, you get a certain number of machines over a certain amount of time, and they all just bombard your target with packets. Now you might have seen they use the term stressor. And you often see DDoS services referred to as stressors or booters because they're there for stress testing your things. That's how they're legal, right?
It's just a stress test. Unfortunately, you can stress test any person's things, which is kind of the whole point that they exist. But it's particularly that sort of stuff that kids will use in order to either take down their targets in games or take down websites that they don't like. So DDoS remains enormously prevalent
and kids do use it a lot. And you do see kids end up in court getting records and sometimes even going to jail for it as well. All right, so that's DDoS. Let's move on to something a little bit different. And I wanna have a chat about passwords because we keep seeing really, really bad password practices.
And as a parent, it worries me because I've got a six-year-old. He's just starting to use an iPad, things like that. And I've gotta try and teach him about good password practices. And I can't really tell him to go and use 1Password as a password manager either. He's not quite ready for that. But I was curious as to what sort of messages are our kids actually getting
from the likes of social media and television about creating passwords. And I actually found some really good advice for kids. There was a good idea of me to make all passwords password. It's so easy to remember. Aah! And this is great, right?
This is what we want our kids to see. Have a unique password because the evil aliens will faint if you do. You know, whatever gets the message through, I'm fine with that. So this is good. It's a good message to kids. It also makes you wonder though, if kids are learning this now, which is great,
what are adults learning? What are adults doing? What sort of password practices do adults have? And there's a really good way to start to have a look at this. And it's to look at data breaches. And I want to show you a data breach. So I'm going to jump over here and show you this one. And this is the Stratfor data breach. This is the actual data
which was distributed out around the web in 2011. So Stratfor was a company which did intelligence reports, particularly did a lot of intelligence reports for governments. And what you're looking at here is the first part of 870,000 records in a CSV file. So in case you're curious about what data breaches actually look like once they're distributed,
they look often like this. They're usually either this or MySQL database scripts. So in this case, all of you will be familiar with this sort of thing, user ID, name, password, mail. It's just a simple comma delimited structure. When we start looking at the passwords, we see things like this, all right? This is a password hash.
This is not someone just making the world's best random password. It is a hash. Now, we can learn some curious things by searching for hashes, particularly when hashing is done badly, which is what Stratfor did. So Stratfor saved MD5 hashes with no salt.
And the problem with no salt is that we don't have any randomness in the password hash. It's very predictable. Now, here's what it means. So Stratfor did these reports, particularly for government agencies. So let's do this. Let's find a .gov email address in here. So we go .gov. Let's see what we find. We'll just grab the first .gov email address in here.
Let's grab their hash, which is there. That's the hash of their password. Now, there is a really, really good password-cracking engine known as a Google search. And what you can do is paste in just about any password hash you find, which wasn't salted, and you can get results like this.
Let's go and have a look at this result here. Now, keeping in mind that this website, Stratfor, and this government person created a password, which we're now going to see, what would this password possibly be? Da-da-da, da-da.
There it is. Stratfor, all lowercase. Now, we can learn other things from this, because you might look at that and go, okay, one bad decision bound to happen. But because the hash is deterministic and because there is no salt, every person who used the password Stratfor
will have the same hash. So we can jump back here. We can do a count and see how many results we find. 12,023 people on the website Stratfor use the password Stratfor all lowercase.
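The two properties the talk relies on, that an unsalted MD5 hash is deterministic (so a search engine can act as a cracker) and that every user with the same password gets the same hash (so duplicates can be counted), shown as an added example over a constructed dump in the talk's CSV layout, not Stratfor's data; the salted alternative shows why both tricks stop working.

```python
"""Unsalted MD5 versus per-user salted hashing (added example, constructed data)."""
import csv
import hashlib
import hmac
import io
import os
from collections import Counter
from typing import Optional, Tuple

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()

# Constructed dump in the talk's column order. Passwords mirror the talk:
# several users chose the site name, one with a capital S, one with a zero.
_PLAINTEXTS = ["stratfor", "stratfor", "Stratfor", "strat0r", "correct horse", "stratfor"]
SAMPLE_DUMP = "id,name,password,email\n" + "\n".join(
    f"{i},user{i},{md5_hex(p)},user{i}@example.gov"
    for i, p in enumerate(_PLAINTEXTS, start=1)
)

def read_dump(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def shared_hashes(rows: list) -> Counter:
    """Accounts per hash. With no salt, equal passwords collide, so the
    most common hashes are the most reused passwords."""
    return Counter(r["password"] for r in rows)

def lookup(hash_hex: str, wordlist) -> Optional[str]:
    """What the Google search in the talk does, offline: hash each candidate
    and compare. Only works because the hash is deterministic, and only for
    the exact characters (case and digit substitutions produce other hashes)."""
    for word in wordlist:
        if md5_hex(word) == hash_hex:
            return word
    return None

ROUNDS = 100_000

def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2 with a random per-user salt: the same password yields a
    different digest for every user, so neither counting nor lookup works."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    counts = shared_hashes(read_dump(SAMPLE_DUMP))
    for h, n in counts.most_common(3):
        print(n, h, lookup(h, ["password", "Stratfor", "stratfor"]))
```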
Now, this is very specific to those exact characters, too. So if someone used a capital S, that's not included in this set. There's a whole bunch of other results for the MD5 hash of Stratfor with a capital S. There's a whole bunch of other results, again, for Stratfor with the zero instead of the O. Some people seem to think that if you make an O a zero,
hackers don't know what it is. Not true. They're aware of these tricks. So we have a problem with passwords. No doubt. Now, there was a really interesting piece a little while ago where Jimmy Kimmel sent a reporter out on the street to try and learn a little bit about password practices and she interviewed some people.
I've got one of the interviews here. We're talking about cybersecurity today and how safe people's passwords are. What is one of your online passwords currently? It is my dog's name and the year I graduated from high school. What kind of dog do you have? I have a chihuahua papillon. And what's his name? Jamison. Jamison. And where did you go to school?
I went to school back in Greensburg, Pennsylvania. What school? Hempfield Area Senior High School. Oh, when did you graduate? In 2009. Oh, great. This is awesome. And look, as much as we like to laugh about it, this is more sophisticated than what it seems. In fact, there's some really good social engineering going on here. So think about the way the reporter approached this.
The reporter didn't go, hi, g'day, how are you, can I have your password, please? She said, how do you create your passwords? And the girl said, you know, dog's name, year I graduated. And then the reporter starts a conversation. So she starts saying, what kind of dog do you have? And the girl's a bit chuffed. I like my dog. I'd like to talk about my dog.
You know, I've got a papillon. And then she goes, okay, well, what's the dog's name? And by then the conversation started and it's the same with the school she went to. You know, where was it? What was the school's name? And eventually, when did you graduate? So she lulls the victim into this false sense of security. So it's a really interesting social engineering observation here as well
about how they've managed to extract this. There's a whole series. This was one of the funniest, but there's a whole bunch of people that divulge information in pretty much the same sort of way. So that's passwords. Now, who's got one of these? I don't mean for you, for your kids.
Now, you may laugh, but apparently this also has a splash screen. So it's not as bad as it sounds. I'm not sure that for me that would actually be enough in sort of assurance to go, yeah, okay, here you go. I would also suggest maybe just giving the kids a little bit longer before they actually start playing with these things.
But it does raise an interesting question here, which is, are we exposing kids to things like Wi-Fi very early? Because all these devices are connected, right? We're seeing an amazing number of connected things now. Some of the stuff that came out of CES just the other day as well is nuts. I tweeted a few things just before this talk about some of the...
There's no subtle way to put this, but connected insertables that are now out there. And I'm just going to leave that there. You can Google it and find it later on. But you wouldn't believe the things that people will connect to the web. Now, this did get me curious, though. So we're talking about kids and Wi-Fi. What are we teaching our kids about Wi-Fi?
And indeed, how smart are they when it comes to Wi-Fi? So I went and found a good video on it. I found lots of just like numbers and like signs just all together, which really don't quite make sense. But then when you go get into it, you'll get it and it'll come clear to you.
Betsy set up her computer to pretend to be the Wi-Fi hotspot, as it were, in the cafe. So when the victim connected, they actually connected to her computer. And it was that way that all of their data went through her computer and she was able to see usernames and passwords and that kind of thing.
And it's known as a man-in-the-middle attack. Well, that's easy, isn't it? It's not a man in the middle. It's like a little seven-year-old girl in the middle. Anyone could do this. There are a number of things here that strike me as suspicious. And maybe it's just because this would be different to Australia. But do you normally have seven-year-olds drinking coffee at coffee shops?
Possibly not. The other thing that's quite unusual, and I'm pretty sure you don't do this here either, but she's using Wireshark. Now, who here has used Wireshark before? Keep your hand up if you actually understand what it does. It's about two guys left, that's all. It's deep-level packet inspection.
I mean, it's seriously hardcore stuff. It's very, very full-on. But somehow Betsy has mastered Wireshark. Maybe in a caffeine-induced haze, she's figured it all out. But she's got it working, and she's stood up her own wireless hotspot, which got me thinking, how easy is it to stand up your own wireless hotspot? So I did.
So here's what we're going to do. We're going to do another demo here. I have got my own wireless hotspot, which is this one just here. This is my Wi-Fi Pineapple. Who's seen the Wi-Fi Pineapple? Seen me right at this. Okay, excellent. Lots of people haven't. This will be fun. So I've stood up the Wi-Fi Pineapple. And what I should have here somewhere is I should have a network connection,
which is Betsy's free Wi-Fi, which we can jump onto. That's how easy it is. You just turn it on. Betsy's free Wi-Fi. And now that we're on Betsy's free Wi-Fi, we can have a look at what I've set up. And then the real point here is we're going to talk a little bit about transport layer security and encryption. So with that stood up, I can jump over into my Wi-Fi Pineapple interface.
And if I have a little bit of a spin around here, we should be able to see our network set up here. Here's our access point. Here's Betsy's free Wi-Fi. So that's how it's set up. Now, this website is actually being served off the Wi-Fi Pineapple. And just to be clear, this is 100 bucks. You pay 100 bucks online. They ship it a few days later.
You turn it on, and within a few minutes, you've got all this running. Now, I could call this Betsy's free Wi-Fi, go to a cafe, and then route it out through the cafe Wi-Fi. And then people come along, and they say, well, Betsy's free Wi-Fi sounds good. Or what I might do is I come here, and I call it ExCeL Wi-Fi. And instead of ExCeL Wi-Fi fast, I call it ExCeL Wi-Fi super fast.
Because no one ever connects to the other one that's slow. So I call it something attractive, and people will connect to it. Just in case you don't believe me, often I've done talks where I have called it free NSA Wi-Fi. And people connect to it.
And I think what happens is they're basically looking down the Wi-Fi, and they go, free, yep, done, we're in. And whatever after that, they just don't care. Okay, so that's on. Now, what I'm going to do is turn on a couple of other things, and then I'm going to talk about encryption and how we can better protect our things. Because, of course, the whole point of this is to show what happens
when people are connected to untrustworthy Wi-Fi networks. And not just Wi-Fi networks as well, but even wired networks that we may not be able to trust. Let's give this guy a reload. Now, one of the things with Pineapples is the demos, once there's a lot of people in the room, can become kind of funky.
While that's loading, the good news is we are actually connected. So I can go and do some demos. So what I'm going to do with the traffic routed through the Pineapple and out through the network is once this is intercepting traffic, it can modify requests and it can modify responses, as well as obviously eavesdropping. Which means that if I go somewhere like American Express, we can do this.
Sorry, I just made the audio guy jump out of his chair. Or American Express is fun. We could do, let's try this one, FBI. Endless fun. Now, I showed both of those sites because if you go to them on your device,
well, firstly, if you go to them on your device where you're connected to Betsy, you might get a flying cat or something. But if you go to there on a legitimate network, what you'll find is you make an HTTP request. And that's what this is, right? When you don't put the scheme in the browser, so when you don't start with http://,
the browser will default to HTTP. That request with either Amex or the FBI will be sent to their servers, they'll receive it and they'll say, well, I'd really like you to talk securely. So they respond with an HTTP 301, which comes back to your browser, and there's a location header with that response as well, which says now go over to here, which is the secure scheme.
So then your browser makes a secure request. But we have this problem in that the first request is insecure. I want to show you my other site again, and we'll see how that behaves. No Nyan Cat, no banana, straight through.
We can see it's HTTPS. My site does the same thing. It'll 301 the response. You get a request that's insecure or go, okay, 301, make a secure request. But it does something different to the FBI and Amex and to many, many, many other secure sites, otherwise secure sites.
I want to show you what it looks like. If we jump into the dev tools here, and what we'll do is we're on the network tab, we'll give this guy a reload, and what we're going to do here is have a look at our response headers. And I have a response header here that is strict transport security. It's this one. Now here's how this works.
Strict transport security is setting a max age. That max age that starts with three million something is one year's worth of seconds. And what it's saying is for the next one year, I cannot make an insecure request. And if I try to make an insecure request, here's what happens. So we're on our network tab. Let's just explicitly go to HTTP.
We go yoink like that. Up to here, here's what happens. See this? This is an internal redirect. And it's happened in two milliseconds. So it hasn't gone out over the wire. The whole thing has happened internally within the browser. So because my browser has been able to get that strict transport security header,
for the next year's worth of requests, it won't allow me to make an insecure request. Now when we go and look at that header again down here, we'll see a couple of other things. Include subdomains. So this applies to all the subdomains as well. If I have anything.haveibeenpwned.com, you can't request that insecurely.
Now you can only return this strict transport security header over HTTPS. Certainly the browser will only recognise it if it's returned over HTTPS, which leaves a problem. And the problem is that you've got to be able to make the first request securely to be able to get this header so that you know that you can't make any subsequent requests insecurely.
And this is called TOFU, trust on first use. Make the first request, which could be over HTTP, get the response back, and now we're good. Now if you were compromised by a man in the middle attack, such as Betsy or the Wi-Fi here, then you could lose that first request. They could intercept it, and then they could modify your traffic.
So that's why we have this one down here. This is preload. Now what preload allows you to do is go to HSTS, and this is called HTTP strict transport security. So I know the header said strict transport security, but it's referred to as HSTS. HSTS preload, off to the preload submission page, put in the site, like so, and it comes back
and it says this domain name is already preloaded. Now what preloading does is it allows you to tell the browser vendors to hard code into the binaries of their browser that a particular site is never allowed to be loaded insecurely.
This particular site, hstspreload.appspot.com, is run by the Chromium project. And they collate all of these different host names, which they then distribute to the likes of Microsoft, Mozilla, Google, to bake into their browsers. And what it means is that if you download Google Chrome today, and you try to go
to Have I Been Pwned insecurely, you will see that 307, and the request won't go over the wire. So this is a really, really neat way of forcing your site to be HTTPS only. Now we can do some other stuff with the Wi-Fi pineapple. And here's what we're gonna do. We're gonna try and turn this stuff on again, because it played up a little bit before.
Now, before I showed you how I could stand this up as a wireless hotspot, and then people would see it, and they'd go, oh, it's free, let's join it, that's awesome. But it does more than that. What it does is it traps devices which didn't even want to join it. If we jump onto here, we might start to see some devices.
So, first of all, someone with an Android has deliberately connected to Betsy's free Wi-Fi. And why you would connect to my Wi-Fi deliberately, I have no idea. But thank you anyway. What we're also seeing here though, let's take that top one. There's a device called Windows-Phone that thinks it is connected to Excel free.
Now here's what happens. All of our devices, when we connect to a wireless hotspot, you know how we do that thing where we say, look, remember it, so that like when I go home, magic happens and I just connect. And then I go to the office and magic happens and I just connect. And I'm always connected as I move around. This works by your devices sending probe requests.
Now this is the interactive part. And trust me, nothing bad is going to happen. You can have a look at the networks on your device at the moment. And what you'll see if you fire that up is you'll see all these different wireless networks, which are the wireless networks that all of you have been to before.
Your phones are broadcasting, the pineapple sees, and it rebroadcasts. And if you spin through, you'll just see this ridiculously large number of networks, which is actually kind of cool and scary at the same time, because what it means is that you don't even have to take your phone out of your pocket and it may automatically connect to this network. So in the case of the host name there called Windows Phone,
they may not have touched it, it may still be in their bag. Other people might see their devices on here as well. And this is kind of the point of how important transport layer security is. So we can't trust the connection because your devices may have connected to it without you even knowing. So you've got to have, as developers, HTTPS on all your things.
Anything that is not HTTPS, you've got to consider compromised. Not only that, but you want to think about having a VPN. So if you're here using the Wi-Fi without a VPN, such as, I'll show you what I use, I use one called Freedome. And the neat thing about a VPN like this is that you turn it on and it encrypts the traffic from your device
out over the wireless network, out to Freedome's exit node, and then you go out over the Internet. So there's still a risk in the other parts of the Internet if the traffic isn't protected via HTTPS, but it means that around here, in this really high-risk area, you're OK.
So I'll leave you all looking at your phones and seeing what networks you see. I want to try and, first of all, say thank you. And second of all, leave a little bit of time for questions because often people have questions about things like pineapples and things. So if I stop now, I can take some questions. Are there any questions?
Yes, at the back. Right, so the question is, what happens if I submit someone else's site to the HSTS preload?
It may preload it, but here's the thing. When you have a look at the preconditions for preloading, you'll see why it doesn't matter. So if we go down here, the preconditions for preloading assume that you must have the preload token specified in the HSTS response header. Now, that means that they have to consciously put the preload directive in there,
and if they don't put it in there, it can't be preloaded. If they do put it in there and you're the guy who submits it, well, they wanted it there anyway. Yes, how do you protect troyhunt.com from DDoS attacks?
I've got a really good answer for this. It's not my problem. And it's not my problem because it's Google's problem. Because I host it on Blogger. And I'm currently in the process of moving it to Ghost, and I'm going to move it to Ghost Pro, and then it's Ghost Pro's problem. Blogs are such an easy, commoditized service
that's really suitable for a SaaS type of model. I'm really, really happy using a blogging provider to host the whole thing, because I don't have to worry about it. If people DDoS me, and really, I don't know what upside they're going to get if they DDoS me, so they don't want to read my articles or something, there's not a lot of upside for them. I'd probably be more worried about things like large volumes of traffic.
Sometimes something goes viral, it gets a huge amount of traffic. Not my problem. The hosting provider sorts it out. Oh, if I'm a bank, Troy Hunt Bank. Right. So if I'm Troy Hunt Bank, how do I protect myself from DDoS? So there are many, many different ways of answering that question.
There are many very expensive things that security vendors will sell you in order to protect your sites from DDoS. Some of them are good. There are also services to protect yourself from DDoS. So stuff like Cloudflare. Anyone use Cloudflare before? The correct answer is you have all used Cloudflare,
because they serve five trillion requests a month. They're basically the same size as Facebook in terms of the number of requests that go through their infrastructure. And Cloudflare is a service that wraps around your site. They've got edge nodes all over the world. They do things like give you HTTPS for free. So if any of you said, hey, I really, really want to have HTTPS on my website,
but I don't want to either pay for a certificate or it's hard to set up with my provider, Cloudflare gives it to you for free and they have some really great DDoS protection. And all that starts for free and then you go up and pay money from there. Other questions? Permanent redirects.
So how would you use permanent redirects or browser caching for what? Oh, so IE permanently cached the redirect
and then you wanted to remove the redirect at some point? Don't use IE. I don't know. And I mean, it's sad that we have to beat up on IE, but I think I mentioned it just before. Unfortunately, IE, even IE 11 and Edge don't support CSPs.
Internet Explorer 11 only started supporting HSTS via a patch in the middle of last year where everyone else had had it for years. IE does some wacky stuff. That's all I can say. But it sounds like it wasn't actually adhering to the directive of the website, which is kind of a problem. Other questions?
Anyone want to see if they've turned up on the pineapple list before we wrap up? Just out of curiosity. If it loads. Let's see who is left here. Log back in. Now, hey, wouldn't this be interesting if someone managed to get in there?
Who have we got? Oh, I think it rebooted. Because it's rebooted, it means that everyone would have been booted off and I've got to turn all the bits on again. So that is probably right on about time as well. So in that case, thank you very much, everyone, for coming.
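The HSTS behaviour the talk walks through earlier (max-age, includeSubDomains, trust on first use, and the vendor-baked preload list) modelled as a small browser-side store. This is an added example, not code from the talk or from any browser; the hostnames are constructed, the preload list is a simplified set, and the one-year max-age and includeSubDomains checks in preload_eligible are the Chromium list's published requirements rather than something the talk spells out.

```python
from typing import Dict, Optional, Set, Tuple

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the preload list requires

def parse_hsts(header: str) -> Optional[dict]:
    """Split a Strict-Transport-Security value into its directives; None if malformed."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # a browser ignores a header without a numeric max-age
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def preload_eligible(policy: dict) -> bool:
    """The talk's point: a site only lands in the preload list if it opted in with the
    preload token (plus the list's one-year max-age and includeSubDomains requirements)."""
    return policy["preload"] and policy["include_subdomains"] and policy["max_age"] >= ONE_YEAR

class HstsCache:
    """Minimal model of a browser's HSTS store plus a baked-in preload list (constructed)."""
    def __init__(self, preloaded: Set[str]):
        self.preloaded = preloaded  # simplified: every preloaded entry covers its subdomains
        self.entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def record(self, host: str, header: str, over_https: bool, now: float) -> bool:
        """Store the policy only when it arrived over HTTPS (trust on first use)."""
        policy = parse_hsts(header)
        if not over_https or policy is None:
            return False  # a header seen over plain HTTP could be attacker-supplied, so ignore it
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def scheme_for(self, host: str, now: float) -> str:
        """'https' if the browser would internally upgrade the request, else 'http'."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return "https"  # hard-coded in the binary, no first request needed
            entry = self.entries.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return "https"  # cached policy still valid; subdomains only if opted in
        return "http"  # no policy known yet: this is the exposed first request
```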