Making Hacking Child’s Play
Formal Metadata
Title | Making Hacking Child's Play
Title of Series | NDC Oslo 2015 (part 21 of 163)
Number of Parts | 163
License | CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Identifiers | 10.5446/49830 (DOI)
Transcript: English(auto-generated)
00:10
Yes, learning Australians is not easy. They really are a funny bunch of people, or should I say dickheads.
00:20
Hello and welcome to the first chapter of How to Talk Australian. Hello Skippy. Over the coming weeks you will learn everything about the land down under, Australia.
00:40
You will learn about their culture. They keep their beers cold by putting them in an esky. Their people. A recent survey revealed that 30% of Australians are casual racists, which means that the other 70% are full time.
01:03
And of course, their culture. If you throw this, it will come back. Let's learn a bit about their history.
01:21
Australia was first discovered in 1988 by an explorer called... The first landing was at Botany Bay on January 26th. Though many believe that the Dutch had already been there.
01:44
In the classroom, Miss Shiva teaches the students some everyday Australian lingo. Dickheads. Sheep shatters. Sheep shatters. Knockers. Knockers.
02:00
Shit for brains. Shit for brains. No, Australians run it all together. Shit for brains. Shit for brains. Let's do it once again. Shit for brains. Shit for brains. That's better. Let's move on. Jimmy Grant. Jimmy Grant. It's an Australian slang for an immigrant. Jimmy Grant immigrant.
02:23
Burp. Burp. I'm sorry, Miss Shiva. It is an ass-wife. Sorry. Ass-wife. Ass-wife. Let's move on. Thank you.
03:01
I really like the baby, Joey. The what? The Joey. That is what the baby is called. Well, all of them. All the babies are called Joey. What's the mother called? No, no. The mother is called the kangaroo. Well, that's stupid. Why does baby get a name and mother does not? What if little Joey grows up to be a woman?
03:38
Who wants to come to Australia now?
03:43
We outsource everything to India, believe it or not. So I thought we better start by giving you a little bit of information about what you can expect if you do come to Australia since so many of you want to. Now, you probably have visions of Australia that are a little bit like this and there are some things that are like this.
04:02
There are other things, though, that are not quite the same, not quite as friendly. We've got a lot of stuff in the water that will kill you. A lot of stuff in land that will kill you. A lot of stuff that will come out of the water onto the land and then kill you. A lot of stuff everywhere that will kill you. Stuff falling out of the trees that will kill you.
04:24
One of the most fearsome animals we have in Australia at the moment is one of these. He's our Prime Minister. Another little bit of Australian lingo for you. He's wearing what we call budgie smugglers because it looks like he's got a budgie done.
04:41
Fearsome animals. Now, what's even more fearsome, though, than these animals themselves who are a level higher on the food chain than what we are, is the ones that are a level higher again than them on the food chain because our scary things eat other scary things in all sorts of ways you wouldn't believe. Who wants to come to Australia?
05:01
There were less then. If you come, get some travel insurance. Before I came here, I told my mum, I said, I'm coming to Norway. You're on the other side of the world. She said, oh, you probably should get some travel insurance. Look where I've come from. Do you really reckon I need it?
05:21
Norway's got squirrels, right? What's the problem? Squirrels are nice little fluffy friendly animals, I imagine. We do have some fluffy friendly animals in Australia. They'll kill you too.
05:42
So Australia is an interesting place to visit and I would like everybody to come down because it's not quite all that bad. But we'll see. Come and see for yourself. Travel insurance. Okay, let me get on with it because I want to start to talk about making hacking child's play. And I want to talk about how easy it is for kids to break into your things.
06:02
And how you can teach your kids to break into other people. How you can teach your kids to learn about application security. Because there are some really interesting things out there and it's amazing when you see the sorts of things that kids can do. Now two more things before I jump into it. So number one, Pluralsight. I've got 500 Pluralsight passes here.
06:21
Everyone gets a month of free Pluralsight. So on your way out, grab a pass before you press that green button. Thank you very much. And number two, everything I show you today is being live tweeted. So there'll be a tweet to every link, every video, everything of interest. So if you watch me on Twitter, @troyhunt, you'll find links to all of these things.
06:41
So let's jump into it and I want to start talking about kids and hackers. And there are hackers everywhere. Our kids are hackers. Our kids are being hacked. Our kids have access to hackers. Our kids can learn how to hack. And it's amazing just how easy it is for kids to learn how to be hackers.
07:00
I talked about this a couple of days ago, how anybody could become a hacker because it is so easy. Now a really good example of just how easy it is, is let's think about the ways we protect our kids online. So we have things like this. Safe search for kids. Because we want to make sure that when our kids search for things online, they don't get things that they shouldn't get.
07:22
So let's take some examples. We're going to do lots of demos today. So I'm going to jump over into the browser. And if we go to somewhere like Safe Search for Kids, we should be able to search for porn and we should get nothing. We should have internet. Very good. And stop, your kids cannot search for porn, which is good. This is what we want.
07:42
We don't want our kids searching for things that they shouldn't be getting their hands on. Now let's put this in a hacker context because what are kids going to be searching for in a hacker context that we might be a bit concerned about? So it turns out that there are malicious cyber actors out there using advanced search techniques.
08:03
This is a real advisory from the FBI from last year. And what they're talking about is using Google dorks. So Google dorks being these very carefully crafted searches which can find things on the internet that probably weren't meant to be found. Now since the NSA thinks it's so scary, we probably should take a look at it and see what it is.
08:23
So we can jump over to a site like Exploit Database. And the thing about Exploit Database is it has a lot of interesting information on it about how you can hack systems. So for example, we could say let us go and find any of these categories and we might go files containing passwords.
08:43
So let's have a look at these guys, see what we find. Now this is going to show us a number of very carefully crafted search terms which will help us find sites on the internet with exposed passwords. So for example, we will see things like extension CSV in text password and we can right click and we can search for that.
09:04
And it will give us a whole bunch of files on the web that have passwords in them. Some of them will be innocuous, many of them will not. Now here's the interesting thing, our kids can grab things like this. And our kids may not be able to search for porn but they can certainly search for exploits on the web, which is interesting.
09:28
Now we definitely don't want them seeing porn, we probably don't want them seeing exploits as well. So these safe search tools only keep them so safe, they only get so far. There are still a lot of things that our kids can access which we probably didn't want them in in the first place.
09:42
So this is interesting and there is obviously a real sort of seedy underbelly of the web because all of this sort of stuff is out there as discoverable exploits. It's as easy as just going and finding it, clicking on links and then going and owning systems. And the real concern there is that it does make it so easy for kids because any of us can go to these websites and search for things and break into systems.
10:06
Now on the seedy underbelly of the web, here's another thing that we see a bit of. So these are RATs, but not the friendly, furry, probably disease-ridden, a bunch of them kind of rats, but remote access Trojans.
10:21
So what we're seeing on the top right hand corner is a machine that is viewing a person infected with the remote access Trojan. We're seeing the victim's webcam. So these RATs, and the people who say that they are not remote access Trojans, that they're remote administration tools, which is a nice way of saying malware that I'm going to put on your machine.
10:41
They do get around a lot and they get around a lot into kids machines because kids are easy targets. Kids have very easy going social networks. They're very trustworthy. They'll distribute things around between them at school. And when something like a remote access Trojan does actually run up on the machine, it gives the owner of that Trojan an enormous amount of control over the victim.
11:06
In fact, the owners often call them slaves. How many slaves do I have? And the one we're looking at here is called Dark Comet. Looks like this. So this is what the owner of the Dark Comet malware, or rather the owner who distributed it to their victims would be seeing.
11:22
So every row we're seeing there is a different victim. Different IP address, what their computer name is, what their operating system is, what they're running. And the owner of the Trojan, the one who's distributed it, the one who effectively now controls the botnet, has an enormous amount of access and you can see some of the options in this window that sits in front of the other one.
11:42
So they can do things like access files on the remote machine. They can get a remote shell. They can pop the CD ROM out if they like. They can turn on the microphone, turn on the webcam. Or they can use what's very friendly referred to as fun functions. Makes it sound much less evil when they're fun functions.
12:02
So fun functions could be, why don't we just play the piano on the victim's machine? We could do that. Why don't we pop up a message box? Do a few other random things. It's really, really nasty malware though. And it's not just infecting kids. We've also seen it used by nation states, like Syria.
12:22
Syria has distributed this in order to monitor people within the Syrian nation. So it's very malicious software. We've also seen it distributed in the wake of the Charlie Hebdo attacks earlier this year. And we often see this. There's a real disaster. Things like the Malaysian plane that went down in the ocean.
12:42
The other one that's disappeared somewhere over Ukraine. All of this stuff creates a whole sense of sort of fear, uncertainty and doubt. People are emotional. People are on edge. And they get something cute like this. So this was a photo which led people into a Trojan that started to run Dark Comet on their machine.
13:00
So they're emotional. They're vulnerable. They run this stuff up. And they end up on a site like this. They end up infected and they end up as slaves. So remote access Trojans remain a thing. And this is why we want to be particularly careful with kids. They're particularly vulnerable to it. And they're the last people in the world we want to be at the end of a master's webcam.
13:21
So this is a real seedy underbelly of the web. Here's another part of the web. It's a little bit seedy. Now who had an account on Adult Friend Finder? One, two, three. None. Wow. Who had an account and doesn't want to admit it? No one. Now just in case you haven't heard of Adult Friend Finder.
13:42
It is, how should we put this? It's a site for meeting friends. You may be a man who wants to meet another friend who is a man or another friend who is a woman. Or two friends that might be men and women. Or basically any combination or permutation you can think of. And the site was very good at doing that.
14:01
Now just in case you're unsure of what it means to make friends on Adult Friend Finder. After you sign up they give you a guarantee. This is not a guarantee that you see very often on the web. So it's those sorts of friends.
14:21
And the interesting thing about those sorts of friends is that it tells a lot about your innermost thoughts and your desires. It's a very intimate sort of thing. And clearly it's the sort of information which is very personal. It's the sort of information that we want to protect very very carefully. But what we found is that Adult Friend Finder did get breached.
14:42
So this was only a few weeks ago. So they had a major incident. They had about 4 million accounts leaked. Now this is obviously pretty serious. Because when you leak accounts like this you know that someone has an interest in a certain type of person. A wife knows the husband is playing around.
15:01
It's probably not really looking for friends let's face it. Now here's the interesting thing. So when this vulnerability happened and the exploits and the breach all unfolded. They sent this message. Now what's kind of interesting with this is you look at the security update page. And this is what they call out. This is what was important to adult friend finder.
15:22
Your financial info is okay. Your passwords are okay. The fact that you're playing around on your other significant partner. Okay well that didn't seem to get a mention here. But this is the interesting thing. Because we don't want financial information compromised. But we have fraud detection. We can get money back.
15:41
We get various defenses from the bank to try and stop fraud from happening. Passwords. We don't really want to use passwords. But at least we can make them unique. We can keep the damage to one location. We don't always do that. We'll look a bit more at passwords a bit later on as well. But the risk of passwords can be mitigated.
16:00
The real problem with this is that it leaked something very important and very personal to people. Now I run a service called Have I Been Pwned. It's a website where you can search through breaches. And it looks like this. Now the way this website works is when there are major data breaches. And they're released publicly.
16:20
So they're out there for everyone to see. I aggregate them. I make them searchable. And then people can come and find if they've been impacted. They can get notifications so that they learn very early that they've been impacted. And I've got about 185 million accounts on there. Thanks mostly to Adobe on which I had three accounts. Thank you Adobe. But here's the interesting thing.
16:41
So I loaded Adult Friend Finder in there. And just afterwards I got an email. And it was the first time I'd ever had an email like this. 185 million accounts. The word lawyer was used a few times. Because somebody was enormously upset that now they could be found as having had an account on Adult Friend Finder.
17:04
Maybe they're worried about their wife or their partner or their partners. Who knows? It's that kind of site. So the guy was a bit upset. And I thought, alright, what should we do with this? Because I knew that it was a bit of a hollow argument. Which is what I'm about to show you. But I deleted his account. It's easier to make emails about lawyers actually go away rather than argue about them.
17:24
But here's the thing with Adult Friend Finder. This is the site. Now fortunately I'm not logged in. Because when I prepared for this demo yesterday I was logged in. And I saw things on the screen that would probably cause me not to be invited back again if they ended up there. Use your imagination.
17:42
Now, we can go to the forgot password page. And we can enter an email address. And we'll just make something up. Whatever we want. Dot com. And we complete the captcha. 453 go. Invalid email. So that email address doesn't exist on the system.
18:03
Let's make it a bit more interesting. Who wants to share? No, no one's going to share one. Nobody ever says yes. Okay, so let us try this instead. I'll reload the page so we get a new captcha. We will do ndc2015 at notmailinator.com. Does everyone know what Mailinator is?
18:22
So Mailinator is a free service where you go to mailinator.com. You can send an email to anything you like at mailinator.com. And then go and check the mailbox anonymously. So you don't have to create an account or anything like that. It's great for creating temporary accounts. The reason here that I'm using notmailinator.com is because Adult Friend Finder doesn't let you use mailinator.com.
18:43
Which is why mailinator.com has about 150 other domains you can use because sites can't blacklist them all. Now what that means is that when we go over to here and we enter 857. We go like that. It's going to look for this account.
19:00
And it's going to confirm that it exists. They didn't have to get breached in order for significant others to learn about their partners having accounts here. And most websites will do this. Most websites will confirm the existence of an account. Confirm or deny it depending on what you're actually looking for. So this is an enumeration risk
19:21
because what it means is that you can take an email address, throw it at the site and it will say yes or no. Depending on whether or not there's any brute force protection you can take a million email addresses. .gov email addresses. And there are a lot of .gov email addresses in here too. You can take these, you can throw them at the site and it will come back and it will confirm everyone who has an account or who does not have an account.
19:43
And Adult Friend Finder was just a perfect example of the sort of site that should never have an enumeration risk. So for something like this you have to give the same response. Whether the person has an account or not you have to say we've sent you an email. And then you can send them an email and say hey you didn't have an account
20:00
maybe you had an account on a different email. Or you can send them a password reset. But you can't give them an answer like this that confirms or denies. The other place this happens a lot is on the registration screen. So when you go and register and you provide an email address it will come back and say I'm sorry you can't register with that email address. So it's the same answer again.
20:21
You have to give a response which is the same whether there's an account or not. You have to say we've sent you an email. And then perhaps you can do an email verification and say that's great now we know you're a real person and you wanted the account. Or in that tiny little edge case where someone's just trying to probe for email addresses doesn't really matter what you say. There could be some people who try to create an account again
20:41
without realizing it and then you can say well look you've already got an account. I'm telling you via email I'm not telling the general public. So of course that depends on the sort of site as well but you just want to have a think. Do we actually want the general public to know that our users have accounts on the site or not? There's a privacy discussion to be had there.
21:00
Now here's the interesting thing with Adult Friend Finder as well. When you do that password reset it sends you an email to change your password which is fine. In fact it gives you a confirmation code. You enter that in the page that you're just on. But I like this bit. Another member may have entered your username by mistake.
21:20
That's possible. It's also possible your wife entered it by mistake. Because this is the way it works. So this is interesting. This is a problem and it's a really, really, really common problem. Bigger problem in some sites as opposed to others. Now moving on, another problem that we do still have a lot of is XSS.
21:42
Particularly funny XSS and we will look at funny XSS. So XSS does remain a serious risk on the web. It's always up there in the top 1, 2, 3 risks depending on whose stats you look at. And cross-site scripting allows attackers to do some pretty nasty things. Now I want to give you an example of what I mean by cross-site scripting
22:01
and then we'll actually have a look at some interesting precedents. So let's do this. I'm going to jump over to this website here. Hackyourselffirst.troyhunt.com Anyone can go to this website and hack it. Maybe after this demo you can hack it. I use it in a bunch of my Pluralsight courses. It's got about 50 different vulnerabilities, SQL injection, XSS as you'll see in a moment,
22:22
and a whole bunch of other things. Now here's how XSS works. And we're going to look at reflected XSS. So we're going to search for something. We'll just search for say, FUBAR. Now when we search for FUBAR, it says you searched for FUBAR. So it's reflecting the user input back into the response.
22:41
If we have a look at the source code of the page and we search for FUBAR, we can see that FUBAR appears here in the HTML context. So what I mean by that is it's in there amongst HTML tags. We can also see that it appears in the JavaScript context. This is the most pointless, stupid piece of jQuery ever.
23:01
However, it does appear down here in the JavaScript context. So there are two different places where whatever you put in the URL appears to appear in the source code. Now when you can do that, it means you can do things like this. I can copy a pre-prepared attack. I can jump back to the browser. I can replace FUBAR with the attack.
23:22
Load the page, and that's it. Your account's hijacked. So let's have a look at how it's hijacked. You can see there's a broken image over to the left of the screen just here. Now I want to show you what happens. We'll run up the dev tools. We'll go to network. We'll reload the page.
23:41
And what we'll see down towards the bottom is that one of these requests goes off to attacker.com. And in fact, it's sending the cookies. If we look at this a little bit closer, we'll drill into that request. What we'll see in here is that one of the cookies it's actually sending is this guy here, the auth cookie.
24:02
So HTTP is a stateless protocol. You connect to a website, and that is a connection that has a response, and then the connection is discarded. And then you come back and you make another request, and that's a whole brand new connection. So we need a way of knowing who is coming back each time because once you log on and authenticate, we want to make sure that we've got the right person.
24:22
So that's what the auth cookie does. So we need to protect those auth cookies very, very carefully. Now the way this actually happened is much clearer when you look at the source code. So jump into the source of the page. It's down towards the bottom, and here it is, line 81. And all we've done is we've just closed off the piece of JavaScript
24:42
that that reflected user input was entered into, and then we've written our own statement. Create an image, set the source of the image to the attacker's website, and then add the cookies onto it. And then we'll hide the text in the H2 tag, and instead we'll put in nothing interesting to see here at all. So we kind of cover our tracks a little bit.
25:01
We could have made the visibility of the image hidden as well so that nobody would see that. So we can do really nasty things with XSS, and there are multiple ways we can defend against it. And I'm going to show you one of those ways in just a moment. But a lot of people see this and they say, well, isn't XSS a fairly trivial thing that really only happens to dodgy little sites?
25:21
I mean, it doesn't happen to major important websites, right? Let's have a look at some Dutch banks. This is an XSS attack. All of these are real XSS attacks that were done against Dutch banks in order to demonstrate the risk.
25:59
Banks!
26:01
So this is amazing. We still have this serious risk, and it is such a simple risk as well, but it still happens a lot. Now, some of you look like you like that, like you like the idea of banks doing the Harlem Shake. So I want to show you how you can get a bank to do the Harlem Shake. So here's what we're going to do. We will jump back over to the browser.
26:23
And so there's an interesting thing. So last year when I was here, we hacked some Swedish websites. Now, is there still a thing with Sweden? Is it still good to do things to Swedish sites? Yes? Is anyone here Swedish?
26:40
Oh, shit. Okay, well, look, it's all good fun anyway. All right, so here is how you can hack any Swedish website. Well, let me... We're not filming, right? I'm going to rephrase. Here is how you can get any Swedish website to do the Harlem Shake. Let me show you what you can do. There is a piece of script, which I would have live tweeted out right around now,
27:02
which we can then grab. Like so. And we can go to a Swedish bank. And here's what you do. You go into the developer tools. You go into the console. You paste in the text and you run it.
27:21
And nobody wants to listen to the rest of that. Now, is this a security risk or not? Oh, yeah, we're in Norway. Anyone who is not Norwegian or Swedish, please, is this a security risk? Do we care that we can modify the DOM
27:41
once the page is already loaded? Because a lot of people... Well, someone said yes. So they know the answer, so I'm not going to ask you. Because a lot of people say no. Like this is already on your machine, right? Like why do we care if we modify something whilst it's already on your machine? Let me answer this with a demonstration.
28:00
So I'll go back to my Have I Been Pwned site again and let's make that one do the Have I Been. Make it do the Have I Been. Make that do the Harlem Shake. We'll just give that guy a reload and we'll try this again. All right, so paste in the Harlem Shake. Go. And there is no shaking.
28:21
So I can't make this site do the Harlem Shake. Now, remember, we're only modifying the DOM on the client. We're not modifying anything on the server. We're not modifying it on the wire. We're not doing anything tricky like that. But I still can't make that site do the Harlem Shake, which is kind of an interesting thing. So let's have a look at why that is because we can see some errors down the bottom here.
28:41
Refused to load the stylesheet, and then refused to load media. So this is the browser saying, you want me to load something from these Amazon URLs. You can see the URLs after both those lines. And the browser is saying, no, I'm not going to do it because it violates the following content security directive.
29:03
So this is what you call a CSP, or a content security policy. And I've got content security policies which say these are the things that the browser is allowed to do on the client. This is where it is allowed to load images from. This is where it's allowed to load scripts from. It's a whitelist of what is allowable. And you can see this CSP in the response headers.
29:23
So I'm going to reload the page and I'm going to have a look at the first response here. And if we scroll down a little bit, we will see content security policy. And then a whole bunch of stuff afterwards. I'm going to show you an easy way to read this in a moment. But this is just a response header. So you've got to think about the attacks that this prevents against.
29:41
It won't help you prevent against attacks on the wire because the attacker could modify the traffic on the wire. But it will help you prevent against attacks that run in the browser and then try to load in external resources. So it would help against that XSS attack I just showed you because the browser would not load the image on the external site. There are other XSS attack vectors but it certainly fixes that one.
30:03
It stops other people doing the Harlem Shake on your site, just in case you're worried about that. But the important thing is it will stop other content from being loaded in. Now one of the things we can do is we can take this URL, put it on the clipboard, and jump over to reporturi.io.
30:21
Now this is a service made by a guy in the UK called Scott Helme. It's a great service. It does a number of things. And one of them is it can analyze your CSP. And the reason why I like it is it makes it much, much easier to read what is otherwise just a great big long line of text. So this is what I allow on Have I Been Pwned. So for example, on script sources, I allow unsafe inline script.
30:43
And the reason is I've added the CSP much later on after I've built the site and I had places where I've got script in the HTML. It's inline. It will allow unsafe eval. And this was because one of the external services I use uses the eval function within JavaScript. It builds up a command, chucks it in eval, and executes it.
31:02
I allow Google Analytics because I've got Google Analytics. I allow New Relic. I allow certain external sources because that's what helps my site run. None of these allow the resource that the Harlem Shake was trying to execute from. Now another interesting thing down the bottom, you see we've got report URI.
31:21
And what report URI does is it allows the browser to report back to your server when there's been a violation. So I'll show you what I mean by that. You see my report URI here is webresource.axd. Let's go back into the browser and let's go to the console and let's paste in that Harlem Shake again.
31:41
I'll just need to grab it from there again. Paste it in. Run it. Doesn't work. And down in the network, we'll see two requests to webresource.axd down here. So these are the reports. And if we have a look at one of these guys, what we'll find is right down here in the request payload,
32:01
this is everything about the request. So it was trying to load from s3.amazonaws.com. It breached the style-src directive. This is the entire policy. This is the directive it violated. So it has all of this information in there, which is really, really neat,
32:21
because when you roll your site out to places and someone's trying to XSS it or do something nasty, you get a report back. The other interesting side benefit, which I didn't realize myself until I started doing this, is that when you've got malware on the user's machine, particularly malvertizing software, so this is software that you get from things like browser toolbars,
32:43
tries to inject their own ads into the page. This blocks it. So there are other things happening on the client's machine, not a risk on your website, but a risk in their environment that tries to load external resources and you get all the reports of those. You can get quite a large number of reports as well, as I've found out.
33:01
So you find interesting things. So CSPs are a really good idea. Now while we're talking about CSPs and XSS and all these sorts of things, just in case you do want to go and find some sites that might be at risk, you can go to xssposed.com. And you can go through here and have a look at submissions of websites that have XSS risks,
33:23
websites like this, which then have the attack vector, explained here very nicely. So a lot of this stuff actually gets indexed. You may not have any attack vectors or any risks in your site at the moment, but having things like a CSP help ensure that if you do in the future,
33:42
the ability to exploit it is limited. And CSPs are free. It's just a response header. It's a few bytes. So it's just about nothing. So CSPs are interesting. Now another thing that's been really interesting in recent times is distributed denial of service attacks.
34:01
And this is awesome. This is a static picture of attacks that were happening at one point in time. And we can see the attack origins up on the top left. A lot of stuff coming from China. Apparently they like this sort of stuff. A lot of stuff going to Milgov and United States. Apparently they're big targets for DOSs. And DOSs are kind of interesting
34:20
to watch happen in real time, which you can do with this site. So if we jump back over to here and we jump all the way over to there, we can see DOS attacks happening in real time. And this is enormously cool. It's almost like mesmerizing. Because you look at it and you go, okay, who's going at who?
34:41
A lot of stuff going to the US. There's someone there in Africa who's really copping it. I don't know what those guys did wrong. So they get a lot of activity. And it's just amazing to sort of see all of this stuff that's going on while we're sitting here kind of relaxing in Norway. Other side of the world, here's all these DOS attacks that are happening.
35:01
Now you may be wondering, what the hell do DOS attacks have to do with kids and child's play? And it turns out that you can get some very good DOS services from kids. And I'm here to promote Guapo's professional, cheap, DDoS service.
35:21
It's strong, fast, and trusted with no entitlement. What we do is we take it on large websites, large forums, game servers, and website blogs. You can blow your competition and web enemies away. You reach us at Skype via Hulu or MSN at the bottom, and we look forward to doing business with you. But she's so cute.
35:41
She's such a sweet girl. Professional DDoS services that it probably looked more professional if she wasn't in her bedroom recording it. But this is the thing. Kids can get involved so easily. Kids love getting involved in DDoSs in particular. Maybe because a DDoS attack is kind of like throwing your toys.
36:00
So kids love this kind of thing. And you can often see kids getting involved in DDoS attacks via things like Twitter. So you look at the messages that come out where there's all of these tweets about fire your lasers. Fire your lasers at this URL or at this IP address. And if you can get enough people to fire their lasers at the same time,
36:22
then you have a DDoS attack. Now I'm curious about this. Who has never launched a DDoS attack before? Lots of people. What about this guy? You want to come up here and we'll do a little exercise? Yeah, don't look so surprised. You're not Swedish, are you? Okay, good.
36:40
All right, excellent. Jump straight on the stage. What's your name? Peter. So what we want to do is have a bit of a look at a DDoS attack. I was going to incentivize people too because apparently giving Tim Tams works well but you come up without them so too bad. No, I'll give them to you later. All right, so here's what we're going to do. We want to launch a bit of a DDoS attack and we want to sort of see how this works.
37:01
Except it won't be a DDoS attack because it'll kind of be like a DoS, because we're not distributed, there's only one of us. So you can come and drive. It's on camera. Okay, you can use. Yeah, that doesn't work. All right, so here's what we're going to do. So what you're seeing in front of you here is LOIC or the Low Orbit Ion Cannon.
37:21
And this is the thing that the kids fire the lasers from. And it's just a little software product but if you get enough people that run it at the same time and do nasty things then, you know, there's a problem. Now where are you from, Peter? Not Sweden? England. Okay, awesome. So you probably don't like Sweden either, right?
37:42
Good. I'm going to get some reds. Do you like ABBA? Okay, very good. He doesn't like ABBA. All right, so let's fire the lasers at ABBA. So what you're going to do, you're going to do is in the URL at the top of LOIC there, we're going to type ABBA's website. Now don't put abba.com because that's American Bed and Breakfast Association
38:00
and those guys scare the hell out of me. So we're going to do abbasite.com. No, just abbasite.com. And then we're going to click the lock on button. Just to the right of it. It's only one mouse, mate.
38:20
All right. Now, when you click lock on, that invokes a very high-tech process which is resolving an IP address from a domain name, which is that IP address. Now what you've got to do is you've got to decide the attack method you like. And you'll see there's a little box there that says method. And you can choose from methods.
38:40
So there's something about script kiddies. They design horrible user interfaces. Yeah. All right, now we're going to choose HTTP because all we're going to do is make some HTTP requests. So that means you probably won't go to jail for too long as opposed to if it was UDP or TCP or something like that. All right, now you've got to choose a number of threads. So how many simultaneous threads shall we throw at it?
39:02
All of them. All of them, the man says. All right, how many do you want? We'll do 100. All right, now you hit the "IMMA CHARGIN MAH LAZER" button. Now just so that it's clear on the camera, I am not the one hitting the button. I sincerely hope you can guess what this button does. I just saw that, it's a tooltip.
39:20
That's awesome. Okay, quick, stop it, stop it, quick. All right, it doesn't count if it's only a second. That's it. That is one part of the DDoS attack.
39:40
And then you do that like 10,000 times over because you're a script kiddie with enough followers that they all jump on board at the same time and you have a real DDoS attack. So give Peter a round of applause. Well done. Take the Tim Tams. Thanks mate, well done. Don't teach your kids this. Don't let them run LOIC either. That sort of stuff does get you into a whole heap of trouble.
40:03
And interestingly I wrote a blog post on, in fact I think the title was Can I go to jail for using LOIC? And effectively the answer was, you know, if you're part of a great big continuum of people all attacking a website in order to take it offline, well yes you can. And in fact some of the people I showed in my talk, in fact a couple of days ago, did go to jail for running tools like LOIC
40:23
in order to perform malicious activity. ABBA doesn't count because they deserve it. Anyway, so moving on. So you do have these DDoS sort of attacks using services like Christa's service, but frankly Christa's service to me looks a bit like a backyard operation.
40:40
I can't really take Christa seriously. And mounting a DDoS attack by just getting all your mates to do it as well, I mean it's a bit public, they'll track you down, but there are dedicated DDoS services out there. So there are services like this.
41:33
I'm going to go and shut up and take my money. Was it the epic DDoS interface? Is that what I got you? Once you saw that I said I'm acknowledging a DDoS attack.
41:42
And this is the thing, because DDoS attacks are out there to hire, or DDoS services are out there to hire. And they're used for a number of reasons. So one thing that they're used for is kids use them to take other players offline in online games. If they can discover the IP address that the opponent is using, then they can go and hire a DDoS service.
42:02
They've got to get the money from somewhere, I guess, but let's assume they get the money, and then they can take it offline. And part of the problem is that sometimes they are very cheap and they're very easy to find these services. So as an example of a DDoS service, we'll go and pick one from my bookmarks here, NetworkStresser.com.
42:20
Now NetworkStresser.com is a little bit interesting in terms of a DDoS service. So it's like many in that you go out and you go online and you create an account and you pay some bitcoins, and then they will actually create an account which you can draw down on, and you will choose who you want to target. But here's the interesting thing. So does anyone know what this page is?
42:41
So this is Cloudflare. Cloudflare is the world's largest provider of DDoS protection services, hosting the DDoS service, which is kind of interesting. Now, Cloudflare is actually an awesome, amazing service. I published a course on it just this week, so I am actually quite invested in it. And they do wonderful things.
43:01
But I did think it was a little bit funny that they're hosting the DDoS service behind the guys who make a lot of money by providing DDoS protection. But it seems to work for them. So we'll answer the captcha. And while that's loading, by the way, the reason why I open this in Tor is Cloudflare's protections have various sort of levels of threat analysis.
43:22
And when you go to a website protected via Cloudflare and it sees Tor, it says you're basically at the threshold where we need to make sure that you're a human before you progress because you look a little bit like a bot the way you're coming in in an anonymous fashion. And then here it is. This is your network stressor service. And the thing with these is,
43:40
these network stressers, and you'll see them called stressers or booters, in theory, are there for you to load test. Yes, you can load test someone else's site, which is kind of the problem, but they promote them as load test services. So DDoS remains a serious problem, and in all honesty, services like Cloudflare are actually very good at protecting from it.
44:03
So that's DDoS. But I do want to take a while as well to talk a little bit about passwords, bad passwords. And we still have an enormous problem with passwords. And it's interesting now, I've got two little kids, they're about three and six, and they're going to need to start getting passwords soon.
44:23
So we're going to have to teach them about passwords. We're going to teach them about how to create good passwords, what are bad passwords, don't share your passwords, all of these sorts of things. And the other day they were sitting down watching some TV, and they actually got a lesson in passwords from a movie they were watching, which I thought was pretty cool. It was a good idea of me to make all passwords password. It's so easy to remember.
44:44
His password is unique. This is good. This is what we want our kids to learn. The evil alien attackers have a heart attack when they find out that your password is unique. And it's nice that we can teach kids this
45:01
from a really early age as well. It's great that they start out young, realizing that unique is good. It's a shame a lot of adults don't realize that, and this is where things get kind of interesting. What you're looking at here is from Stratfor. So Stratfor was a company that provided intelligence reports,
45:23
until the hacktivist LulzSec in 2011 decided that they didn't like Stratfor. In fact, Stratfor believed that they were going to unmask people behind LulzSec. So LulzSec went in and pulled out all their data. So what we have here is a data dump,
45:42
just like the ones I load into Have I Been Pwned. This is a perfect example, actually. This one is in there, 860,000 accounts. So when you see on the news a system has been attacked and the data has been leaked, this is what comes out the other end. It's normally something like this. So you can see here it's comma delimited. We can see the titles there. User ID, name, password, email, so on and so forth.
46:03
And of course, there are passwords in here, but they're hashed passwords. But they're very, very badly hashed passwords, and this lets us learn certain interesting things about the way people choose passwords. Now let's make it a little bit more interesting. Let's find a .gov email address.
46:22
We'll pick the first .gov email address here, and we'll take this person's hashed password. So remember what hashing really is. It's a one-way deterministic algorithm. You provide a string. Out the other end comes the hash. You can't unhash, but you can provide the same string later on,
46:40
like when you log in, and you can compare the two hashes together. And if they match, because it's deterministic, then it's the correct password. The problem is also being deterministic. Once one person uses a password and then someone else uses the same password, the hashes are the same. The other problem is that because they're not salted in any way,
47:01
so salt being random bytes that you add before you hash, so that the cipher is always different, because they're not salted in any way, we can go and find these hashes online. And this is one of the first things people tend to do when they actually locate an interesting hash or an interesting data breach. They will go, and they'll just search for it. So we'll just whack this into here.
47:23
And here are results. And what we're going to get here is a whole bunch of useful information. So we can pick one of these results, and it will tell us exactly what the password for Stratfor was. This is not telling us that it was the password for Stratfor.
47:41
This is telling us that the password was Stratfor. So this individual from the government used the password Stratfor. And you kind of look at it, and you go, well, you know, one person does it. That's not so bad. We've used it. Let's see what sort of results we get. And before you know it,
48:00
there are actually 32,000 people that use the password Stratfor on the website Stratfor in order to get intelligence reports about things like security. And that's how password hashing works. So here are the lessons from that. So number one is obviously that adults are still using very, very bad passwords, and they probably should watch
48:20
more kids' cartoons to learn the basics. And that is about as bad as it gets short of plaintext storage. Even other variants that are very common are still pretty terrible by today's standards. There was a time where we considered it was all right, and then technology moves on and computers get faster
48:41
and GPUs ramp up, and all sorts of reasons why it did make sense before now no longer make sense. Now, when I was thinking about passwords, it got me a little bit interested because finding bad passwords through data breaches and things is one thing. It's not just bad passwords.
49:01
But there are easier ways to find someone's password. Recently Jimmy Kimmel went and spoke to some people, sent a reporter out, and they asked people about their password habits. And they found a really, really good way of discovering passwords. We're talking about cybersecurity today and how safe people's passwords are.
49:20
What is one of your online passwords currently? It is my dog's name and the year I graduated from high school. Oh, what kind of dog do you have? Jameson. Jameson. And where did you go to school? I went to school back in Greensburg, Pennsylvania. What school? Hempfield Area Senior High School. When did you graduate? In 2009. Oh, great.
49:44
She's so happy, too. Hey, Mom, I'm on TV. But this is the interesting thing because really this is social engineering, right? And think about what the reporter did. It was a nice, friendly discussion. The girl's probably a little bit blinded by the lights, a little bit starstruck.
50:02
So in a general conversation, asked something generic, not sort of going in hard and going, hey, what's your password? Started a conversation, lulled her into a false sense of security and then asked the key questions after there was this rapport with the reporter. So it remains really, really easy to socially engineer this sort of information out
50:21
no matter how good your hashing algorithm is on your server and no matter how strong your password is. If you give it to someone, you're screwed. So that's passwords. Now, bring it back to kids for a moment. Is anyone giving the kids one of these?
50:43
Because I look at this and having gone through toilet training with two kids now and thinking about my valuable electronic devices and I see this and I say, no. This is not what I would do. Now, in its defense, it does have a splash guard. But no, I would not do this.
51:01
But it also gets you thinking how early kids get exposed to technology, how early they get exposed to being able to interact with the machine and in the case of things like this, how early they get exposed to Wi-Fi. And it makes you wonder, are our kids learning good Wi-Fi habits?
51:21
Do they know what to connect to, what not to connect to, what they can trust? And I sort of looked at it from that perspective and said, you know, we need to teach our kids the right things. And then when I was looking around the web a little bit, I found that kids are actually very, very good at being malicious with Wi-Fi as well. This is how good they can be.
51:41
I found lots of just like numbers and like signs just all together which really doesn't quite make sense but then when you go get into it, you'll get it and it'll like, it'll come clear to you. Betsy set up her computer to pretend to be the Wi-Fi hotspot as it were in the cafe.
52:01
So when the victim connected it actually connected to her computer and it was that way that all of their data went through her computer and she was able to see usernames and passwords and that kind of thing. And it's known as a man in the middle attack. It's a little seven-year-old girl in the middle attack.
52:21
But what's funny about this is you see Betsy sitting there with a cappuccino and she's using Wireshark. I look at Wireshark and I'm confused, you know. But somehow Betsy has mastered it. And it does beg the question, how easy is it to actually be malicious with Wi-Fi? Can a seven-year-old really do it?
52:42
There's actually an easy answer, yes, they can. So let me show you what I mean by that. I have a wireless access point somewhere which will be Betsy's free Wi-Fi which we'll connect to. Now Betsy's free Wi-Fi is this little guy down here. This is my Wi-Fi Pineapple. Some of you may have heard it mentioned in hushed tones before.
53:04
And what it does is this wireless hotspot allows me to stand up that network which was called Betsy's free Wi-Fi. And people will see Betsy's free Wi-Fi and they'll say, hey, it's free, let's jump on. And they make the connection because when they're at the cafe or the airport or somewhere where they want some free Wi-Fi,
53:21
they'll jump onto it. No one here has done this today? We all have because it's so damn convenient, that's the problem. But when you are connected to free Wi-Fi, you can start to do some pretty interesting things if you're the person who owns the Wi-Fi connection. So as an example, we'll take a new tab
53:41
and we could say, let's pick a Swedish site. So who have we done? We did the Swedish bank, we did ABBA, IKEA. IKEA is a big Swedish site. Let's go to IKEA.
54:01
IKEA. Now we can do this because it's an HTTP request. Because it is not encrypted, this kind of goes to Bruce Schneier's point on Wednesday morning as well, no encryption. Because there's no encryption, we can get in the middle and we can serve a site that these guys think or rather the browser thinks is the legitimate site.
54:21
There's no certificate in which to verify that the site is legitimate. So that one's interesting. Now it's not just IKEA. Let's not be too hard on the Swedish because I do want some green votes. We could go to somewhere like American Express.
54:42
Now the problem is American Express. When you go to American Express and you make an HTTP request, which is what your browser will default to if you type in www., it won't make it over HTTPS, it will make it over HTTP. American Express will see that and it will go on and it will say, no, I'd really like you to come in over HTTPS.
55:01
So it sends an HTTP 301 redirect and it tells the browser, now go and make a secure request. But that doesn't solve the problem of the first request being insecure. So what it means, you know what, let's just pick one more. Just because they're topical at the moment, let's do the FBI.
55:23
The poor audio guy's only jumping off his seat every time this ramps up. So we can do this with the FBI and it does the same thing. They say, make an HTTP request and then we will respond and we'll give you an HTTPS redirect and then that request will be secure. Let's try one more.
55:41
You ready, audio guy? He's up. Ah, tricked you. This site doesn't do that and there's some very, very high-tech magic behind this, which the FBI seems to be unaware of how to do with their own website, which is this.
56:00
Let's make this request again and see what happens. Let's even do it over HTTP explicitly because I keep defaulting to HTTPS and you'll see why in a moment. Now here is what we will see. We will actually see two requests and we see this first one up here.
56:21
This results in a 307 internal redirect. Now an internal redirect happens within the browser, so the request never goes over the wire. My browser will not make a request to Have I Been Pwned in an insecure fashion over the internet. It will only ever make the request, or it will only ever redirect the request
56:41
internally within the browser and do it over HTTPS. So this one just here went out over HTTPS. Now the way we do this is really easy. We'll go down and we'll have a look at this second request because in this second request we have a response which is worth noting. This is a response header. It's called Strict Transport Security, HSTS,
57:01
HTTP Strict Transport Security. There are a few interesting things here. So number one is we have a max age and this max age is the number of seconds after which the browser is allowed to start making HTTP requests again. But that's a year. So what it means is that once my browser gets this,
57:21
for the next year it cannot make an insecure request to my website. Now what the other parameters do is they make sure that it includes the subdomains. So this means that even if I have something.haveibeenpwned.com, if I try to go to the HTTP address inside the browser, it will make it a secure request
57:41
before it actually goes out over the wire. And I can also preload, and this is where it actually gets kind of interesting. The problem with everything up until that preload bit is that you can only set the Strict Transport Security response header when you can actually make a secure connection. So even if American Express goes and implements this tomorrow
58:01
and you go www.americanexpress.com, that first request is still vulnerable. If it gets through okay and you get the HSTS header, you're okay for the next year, but you've still got to get the first request through. What preload does is it sets you up for the browser vendors to be able to bake it into the browser.
58:20
I'll show you what I mean by that. You can go off to HSTS preload, search in your Googles, you will find the HSTS preload submission page and you can submit your site there. You've got to have HSTS already enabled on your site and they've got to review it. This is run by the Chromium project, by the way.
58:40
They'll review it, they'll make sure it's okay and then they'll submit it to be baked into the browser, baked into Chrome, baked into Firefox. It's about to be baked into Internet Explorer 11 as well, so we'll have it pretty much across the board. And this will mean that even the first time you ever go to a website in your browser and you make an HTTP request, the browser internally will redirect it.
59:02
So this is allowing us to circumvent a lot of the attacks against the wire such as we saw earlier on. So this is really good. Do your HSTS. But I do want to go back to the Pineapple for a moment because we can make this a lot more interesting. So what I did before is I just called it Betsy's Free Wi-Fi and I had to explicitly connect to it.
59:22
There is a nice little interface here for the Pineapple and I want to log into it. Now this is a $100 piece of equipment that is a penetration testing tool to use for "penetration testing", and I do the air quotes because not everyone uses it for good purposes. So we're going to go and enable a few things on here
59:40
and this is where it gets interactive, because you get to see things on your devices, and the people sitting at the front in particular get to be interactive now. So what we're going to do is, what the Pineapple does now is it looks for your phone. I'm just seeing all the people pull out their phones. Give it a moment, let it start, then you'll see it. So it's looking for your phone,
01:00:00
for phones and devices, so tablets, PCs, all that sort of thing, that are sending probe requests. Now, the probe request is your device looking for a network that it knows, that it's seen before. So, when you go home – I'll take a photo of the people looking at their phones. Smile. No, don't put them away. Take them out. That's awesome. All right. Thank you. I'll post that later.
01:00:21
It's funny how many people will just suddenly go, oh, shit, what's going to happen now? What are you saying, Noel? Turn on WLAN1. No, I wouldn't know. He's very good at this. All right. So, what the Pineapple does is it looks for these probe requests, and when your phone is trying to connect to a network, it says, where is my network?
01:00:41
Where is this network? That network? Other networks that you've been to before that it will auto-connect to later on. And this device then sees those requests, and it responds, and it says, I'm the network you're looking for. And all going well, we should be able to see the different devices which are now connecting to here automatically.
01:01:00
Eileen. Eileen's. Eileen's. Who's this? Is anyone there? I know Norway doesn't want to put their hands up. Is this anyone's iPhone? Because you're connected. This guy. I can't even pronounce that name. He's connected. This guy's connected. And the interesting thing is that when you look down this column to the left, this is the network they think they're connected to. They think they're connected to NDC 2015, except they're not.
01:01:24
They're connected to there. And they're presently getting Nyan Cat on HTTP requests. So once you can get in the middle of the traffic, you can start doing anything. You can just dump all the unencrypted packets. You can inject Nyan Cat and Dancing Bananas and whatever the hell you like. If we click it again, we'll see if there are many more.
01:01:43
Because it is enormously effective at getting these requests. Does anyone see themselves on here? Does anyone see themselves on here and like Australian chocolate? Anyone else? Anyone else see themselves on here?
01:02:01
Or you just don't like Australian chocolate? All right, let's try something different. We can also look at the log. In fact, what we might do is we'll go here and we'll see all of the networks it's now broadcasting. Now one thing that is a bit interesting from an interactive perspective is open your phone and have a look at how many networks you can see around you. Because all of these are now being broadcast.
01:02:22
Can anyone see a network they recognize? And likes Australian chocolate? The hell is that? That's Barry. No, you're getting it anyway. Well, don't worry about that. I got more. He thought I was trying to throw it to him. Okay, so there's that. That's kind of cool.
01:02:41
We can also see the log of probe requests. So these are all the requests for networks happening from all the devices. Now what we're seeing here is the MAC address, which is unique to the device, and then the network that it is trying to connect to. Does anyone see a network here they recognize? I'm not giving you Tim Tams.
01:03:01
Anybody else? How far do you reckon I can throw? Seriously? Can you really see your network from all the way out there? Or are you just trying to get free chocolate? Who is within throwing distance and can see the network? One over there. That wasn't very good. Sorry, mate. Anybody else? Someone further up. We'll see how far we can go.
01:03:21
No, that's too far. All right, on the corner there. That lady there. Ready? Oh, look at that. Another thing about Australia: we know how to throw. Okay, so that is why everyone should be absolutely paranoid about their networks and use VPNs and HTTPS things. And that is the end of my talk. Thank you very much, everyone, for coming here.
01:03:48
And on your way out, as you go to press the green button, take a pass. I've got 500 Pluralsight passes. So there's one for everyone. Thanks, guys. Thanks, bud.