10/31/2020 CIS 122 Web Internet Technologies
Security, Etiquette, Privacy Basics
David Maier, Ph.D.

Agenda
• Security
  – Importance of security: what is hacking and why does it happen?
  – Instances of hacking
  – Two concepts: CIA Triad & Defense in Depth
  – Sample of threats and protections
  – More on secure coding
• Netiquette
• Privacy
• Ethics

Importance of Security
What is hacking and why does it happen?

Importance of Security
• Computer security is important to prevent hacking
  – Incidents of hacking, electronic financial fraud, disclosure of private information (e.g. credit card information, social security numbers), ransomware, government espionage, etc. have increased dramatically
  – Exposure and potential harm may continue to increase as more of the world goes online and becomes interconnected, e.g. more electronic payments, Internet of Things, etc.

Importance of Security
• Hacking was a term originally coined to refer to individuals with extremely good programming skills; it has since come to refer, more often, to those who use those skills for malicious purposes.
• I was once asked by someone not in the IT field, “why do people hack?” The reasons are many:
  – Intellectual property (IP) theft: one company or country stealing the trade secrets and intellectual property of another company or country, e.g. software code, solar power technology IP, military designs, etc.

Importance of Security
• Why do people hack, continued:
  – Government/state-sponsored hacking/espionage
    • Theft of government information, military secrets
    • Hacking is a form of asymmetrical warfare, i.e. it allows an adversary with less military power to damage a country with a more powerful traditional military
    • Threats to utility systems, e.g. power, water; disruption of the economy, etc.
    • Disinformation campaigns to overturn/destabilize governments
  – The F.B.I.
    now has a “Cyber Most Wanted” list of the most wanted cybercriminals
    • https://www.fbi.gov/wanted/cyber

Importance of Security
• Why do people hack, continued:
  – Financial theft
    • Credit card information
    • Ransomware, where bitcoin must be paid to unlock encrypted computers and networks
    • Identity theft, which then leads to financial theft
    • Extortion of money by using sensitive information as blackmail

Importance of Security
• Why do people hack, continued:
  – Hacktivism: derived from the words “hack” and “activism”; hacking done because someone believes they are exposing something wrong or unjust.
  – Curiosity/mischievousness: some hack out of curiosity, boredom or basic mischievousness
  – Legal hacking
    • One can be hired to perform legal penetration testing on a computer system/network to find vulnerabilities

Importance of Security
• Why do people hack, continued:
  – Legal hacking
    • Many companies offer monetary rewards to anyone who finds and informs them of vulnerabilities in their software
    • Google Vulnerability Reward Program (VRP) Rules
      – https://www.google.com/about/appsecurity/reward-program/
      – https://www.forbes.com/sites/daveywinder/2019/07/22/google-will-pay-you-up-to-150k-if-you-can-break-it/?sh=9cc1f4645087
      – https://www.cnet.com/news/google-will-now-pay-up-to-30000-for-reporting-a-chrome-bug/
      – https://gadgets.ndtv.com/mobiles/news/pixel-bug-bounty-usd-1-5-million-google-android-rewards-increased-2136946

Instances of Hacking

Instances of Hacking
• 2013-2015 hack of personal and basic employment data on between 4 and 22 million United States federal employees and their families via a security/network/data breach at the Office of Personnel Management (OPM) and the Interior Department
  – https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html

Instances of Hacking
• 2015 hack of the second-largest health insurance company in the United States,
    Anthem, Inc.
  – Between 37 and 80 million customer records stolen, e.g. names, birth dates, medical IDs, social security numbers, home addresses, email addresses, employment information, income.
  – https://en.wikipedia.org/wiki/Anthem_medical_data_breach
• 2015 Starbucks hack
  – The Starbucks mobile app was compromised and money siphoned out of some customer accounts.
  – https://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/index.html

Instances of Hacking
• 2017 Equifax hack (major credit reporting agency)
  – Private records of 147.9 million Americans, along with 15.2 million British citizens and about 19,000 Canadian citizens, compromised
  – https://en.wikipedia.org/wiki/2017_Equifax_data_breach
• 2018 Dubsmash hack
  – New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as birth dates stolen, all of which was then put up for sale on the dark web
  – https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Instances of Hacking
• There are hundreds of other major attacks with billions of records stolen, and thousands more attacks of other sizes. Hacking is going on all day, every day.
• The Internet of Things (IoT) brings all new concerns to hacking
  – Networked cars and trucks
  – A wi-fi Barbie doll had security vulnerabilities possibly allowing someone to listen to conversations
  – Wi-fi medical devices: pacemakers, drug infusion pumps
  – Home thermostats, refrigerators, Alexa, home security, smart doorbells, etc.
Instances of Hacking
• Hacks of country utility systems, grids and infrastructure
  – 2015 hack of a German steel mill https://www.bbc.com/news/technology-30575104
  – 2013 hack of a New York dam https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
  – 2010 hack of Iranian nuclear facilities (Stuxnet) https://en.wikipedia.org/wiki/Stuxnet
    “Experts believe that Stuxnet required the largest and costliest development effort in malware history.”

Two Concepts
CIA Triad & Defense in Depth

CIA Triad
• A model for information security indicating what is to be protected
• Confidentiality is the ability to ensure that only those with proper authorization can access data and systems.
• Integrity is the ability to ensure the data is accurate and has not been altered from its original state or source.
• Availability is the ability to ensure the data and information systems are accessible by authorized users when necessary, and not by unauthorized individuals.
Defense in Depth
• Defense in Depth
  – Model for information security where multiple layers of security are implemented in an IT system to increase security protections in the event one layer fails or is compromised
  – Also referred to as layered defense, onion defense, or redundant security
  – https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

Defense in Depth
• Defense in Depth
  There are many diagrams depicting this model: https://thorteaches.com/cissp-defense-in-depth/

Defense in Depth
• Defense in Depth
  – Implement many layers / practices of defense*: code reviews, physical security, honeypot, server virtualization, patch management, VoIP protection, virtual firewall, virtual desktop, database security, app testing, risk management, rights management, auditing/logging, VPN, incident reporting, detection and response, wireless security, antivirus/antimalware, password rules, penetration testing, secure DMZs
  * There are dozens more methods

Sample of Threats and Protections
There are more than just these

Threats and Protections
• Threat: Obtaining passwords
• Methods:
  – Brute force attack: trying all possible combinations
  – Dictionary attack: trying dictionary words
  – Social engineering: tricking the user into giving away the password
  – Phishing: tricking the user into giving it away (a type of social engineering) by pretending to be a trusted source
  – Rainbow tables: pre-computed hashes used to look up hashed passwords
  – Malware / login spoofing: software keystroke logger
  – Physical keystroke logger
  – Shoulder surfing: watching, post-it notes, etc.

Threats and Protections
• Threat: Obtaining passwords
• Protection methods
  – Enforce use of strong passwords, e.g. >10 characters, mixed case, numbers, special characters
  – Lock the account if an incorrect password is entered 3 times
  – Require frequent changing of passwords
  – Be sure all software and hardware is not using a default username and password, e.g. database server, firewall, etc.
    • Oracle database: default username: system, default password: password
    • 3COM Switch 3300XM: admin/admin
    • Cisco 2600 router: Cisco/{none}
    https://us-cert.cisa.gov/ncas/alerts/TA13-175A

Threats and Protections
• Threat: Obtaining passwords
• Protection methods
  – Require that a new password be significantly different from the previous password (not a one-letter difference)
  – Implement two-factor authentication
    • SMS message
    • Hardware security key
    • Biometric security, e.g. fingerprint

Threats and Protections
• Threat: Obtaining passwords
• Protection methods
  – Utilize the Principle of Least Privilege: log into systems, use usernames and passwords in scripts, assign file permissions, and start processes with the very least privileges needed to accomplish the given task.
    • This way, if an account is compromised, the damage that can be done is minimized because of the account's limited access.
  – Use completely different passwords for different web sites, e.g. school, bank, etc.

Threats and Protections
• Threat: Unauthorized access to a system: computer, server, network, software, data, etc.
• Protections:
  – Aforementioned password policies and practices
  – Software updates
    • Ensure all software, firmware, and operating systems (OS) are up to date and have all the latest patches, updates, or service packs installed to prevent known exploits.
    • Sign up for security alerts from security companies and software vendors so you are made aware whenever there is a new exploit
    • Note: a zero-day attack exploits a new/unknown vulnerability for which no patch exists yet

Threats and Protections
• Threat: Unauthorized access to a system: computer, server, network, software, data, etc.
• Protections:
  – Secure coding
    Examples of software security vulnerabilities requiring testing and secure coding:
    SQL injection, Cross-Site Scripting (XSS attack), remote file inclusion, directory traversal, buffer overflow, insecure web services and APIs, broken authentication, session hijacking, security misconfiguration

Other Threats
• There are many other threats, and common protection methods help against many of them.
• Other common threats:
  – Man-in-the-middle attack
    • Attack where communication between two parties is secretly relayed (and possibly altered) by the attacker. Eavesdropping.
  – Denial of Service attack or Distributed Denial of Service attack (DoS and DDoS)
    • Making servers/networks unavailable by flooding them with traffic

Other Threats
• Ransomware
  – Attack where a computer (client or server) is taken over and its hard drive/data locked or encrypted until a ransom is paid (sometimes with a threat to publish private/customer data if not paid)
• Botnet
  – A network of hijacked computer devices used to carry out various scams and cyberattacks. The term “botnet” is formed from the words “robot” and “network”. Each device/computer in the botnet is referred to as a zombie computer.

Other Protections
• Use encryption methods (there are many ways to), i.e.
  encryption makes data/traffic unreadable by those without the key
  – HTTPS: encrypted web pages/traffic
  – WEP/WPA/WPA2: wireless data encryption
  – SFTP: encrypted FTP traffic (we use this with FileZilla)
  – SHA-1/SHA-3/MD5: hashed passwords (one-way hashes rather than encryption)
  – PGP: encrypted email
  – BitLocker: encrypted file systems
  – VPN: virtual private network; encrypted internet connection/traffic

Other Protections
• Install a firewall
  – Firewall: a network security device or software that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules
  – Software firewalls: McAfee, Norton, Bitdefender, Avira, Windows Firewall, ZoneAlarm, Tinywall
  – Hardware firewalls: WatchGuard, Barracuda, Cisco

Other Protections
• Safe browsing habits: visit safe web sites
• Avoid P2P and file sharing networks
• Use antivirus and anti-malware software
• Use anti-phishing web browser extensions
• Do not download unknown email attachments or visit web site links from/to unknown sources
• Use Intrusion Detection Systems (IDS) and auditing systems to detect and collect information on attack and intrusion attempts

Other Protections
• Consider implementing honeypots and honeynets for diversionary and information collection purposes
  – “A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. … a honeypot consists of data … that appears to be a legitimate part of the site that seems to contain information or a resource of value to attackers, but actually, is isolated and monitored and enables blocking or analyzing the attackers.
    This is similar to police sting operations, colloquially known as "baiting" a suspect.” https://en.wikipedia.org/wiki/Honeypot_(computing)

Other Protections
• Install/use email spam filtering to help avoid phishing
• Only install and use trusted smart phone apps
• Maintain up-to-date data backups
• Install and use a virtual operating system for sensitive work
  – “A virtual machine (VM) is a fake computer running inside your real computer. Each VM gets to use a chunk of your computer’s memory while it’s running and has its own virtual hard drive, which is just a file on your real hard drive.” https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad/
  – Examples: VirtualBox, VMware, Microsoft Hyper-V

Other Protections
• Shred documents with sensitive data and information on them (prevents the dumpster diving technique)
• Be knowledgeable of common security threats to protect against social engineering: “the psychological manipulation of people into performing actions or divulging confidential information” https://en.wikipedia.org/wiki/Social_engineering_(security)

Secure Coding
Examples of Secure Coding Books

Secure Coding
• A lot of security vulnerabilities in software are the result of a few common bad programming practices
• These are a few related resources online
  – https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards
  – https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/d55zzx87(v=vs.90)
• In web programming, one important secure coding technique is to filter / sanitize user input and web page output

Secure Coding
• Input filtering
  – Input filtering is the process of ensuring users cannot include any malicious code as input from a user interface (such as an HTML web page) to the server.
  – Without input filtering, SQL injections and other types of code injections are possible.
  – These injections allow the hacker to use the input form to submit code to the server that runs and allows them to extract information from the server and, in many cases, take control of various aspects of the server, e.g. install hacker tools, query databases, view password files, etc.

Secure Coding
• Well-known comic illustrating SQL injections

Secure Coding
• If you allow user input to a web page (e.g. Contact Us form, Register form, Payment form), you create an opening for a hacker
• Always assume someone will try to exploit your web page via input forms (e.g. text boxes, etc.)
• Protection methods:
  – Input filtering
  – Parameterized SQL calls

Secure Coding
• User input filtering – many methods (PHP built-in commands)

    <?php
    // Read two GET parameters, sanitize them, and cap their length.
    // filter_input() returns null when the parameter is absent, so fall back to ''.
    $site  = substr(filter_input(INPUT_GET, 'site',  FILTER_SANITIZE_STRING) ?? '', 0, 8);
    $terms = substr(filter_input(INPUT_GET, 'terms', FILTER_SANITIZE_STRING) ?? '', 0, 25);
    ?>

• FILTER_SANITIZE_STRING is a PHP built-in filter that strips or encodes potentially harmful characters from input (it is deprecated as of PHP 8.1).
• substr(*, 0, 8) truncates any characters after the 8th; it can be used to ensure no input longer than it should be is accepted by the server

Secure Coding
• User input filtering – many methods (PHP commands)

    <?php
    $email     = $_POST['email'] ?? '';
    $firstname = $_POST['firstname'] ?? '';
    // Remove characters not allowed in an email address; strip tags and encode quotes in the name.
    $email     = filter_var($email, FILTER_SANITIZE_EMAIL);
    $firstname = filter_var($firstname, FILTER_SANITIZE_STRING);
    echo "<p>Email: $email</p>";
    echo "<p>First Name: $firstname</p>";
    ?>

Secure Coding
• User input filtering – many methods (PHP commands to validate an email address)

    <?php
    $email = "bob_name123@gmail.com";
    // filter_var() returns the validated address, or false when it is not a valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        echo("$email is a valid email address");
    } else {
        echo("$email is not a valid email address");
    }
    ?>
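Parameterized SQL calls, listed above as a protection method, as an added example that is not part of the original slides: the same lookup is built by string concatenation and as a prepared statement, against an in-memory SQLite table with constructed sample rows, and a classic injection string is run through each. Requires PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not from the slides): why a prepared statement stops SQL injection
// where string concatenation does not. Uses SQLite in memory so it runs offline.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, email TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: the user's text becomes part of the SQL statement itself,
// so a quote in the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): array {
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement text is fixed before any input is seen; the value is bound
// separately and the database engine treats it purely as data, never as SQL.
function findUserSafe(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// The injection string from the slides' topic: it turns the WHERE clause into
// "username = '' OR '1'='1'", which is true for every row.
$injected = "' OR '1'='1";

echo "Unsafe query, injected input:\n";
print_r(findUserUnsafe($db, $injected));   // every user in the table leaks

echo "Prepared statement, injected input:\n";
print_r(findUserSafe($db, $injected));     // no user is literally named ' OR '1'='1

echo "Prepared statement, legitimate input:\n";
print_r(findUserSafe($db, 'alice'));       // normal lookups still work
```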
Secure Coding
• User input filtering – many methods (PHP command to validate a numeric data type)

    <?php
    // Only read the field once it is known to exist; otherwise treat it as missing.
    if (isset($_POST["age"])) {
        $age = $_POST["age"];
    } else {
        $age = false;
    }
    if (!is_numeric($age)) {
        echo "<p>You did not enter a numeric value.</p>";
    }
    ?>

Secure Coding
• User input filtering – many methods

    // $conn is an open mysqli connection. The old mysql_* functions were removed in PHP 7;
    // mysqli_real_escape_string() escapes quotes and other special characters, and the
    // escaped value must still be placed inside quotes in the SQL text.
    $query  = "SELECT * FROM table WHERE value = '" . mysqli_real_escape_string($conn, $string) . "' LIMIT 1,1";
    $query2 = "UPDATE userdata SET password = '" . mysqli_real_escape_string($conn, $password) . "' WHERE username = 'admin' LIMIT 1";
    // Alternate method: escape the variable first, then use it in the query
    $name = mysqli_real_escape_string($conn, $name);

Secure Coding
• User input filtering – many methods

    // $iname holds the raw form input; each function cleans one aspect of it, innermost first
    $name = addslashes(htmlspecialchars(strip_tags(trim($iname))));

• The addslashes function returns a string with backslashes added before single quote (‘), double quote (“), backslash (\) and NUL (the NULL byte).
• The htmlspecialchars function converts special characters to HTML entities. For example & (ampersand) becomes &amp; and " (double quote) becomes &quot;. This prevents user-supplied text from containing unintended HTML markup.
• The strip_tags function strips HTML and PHP tags from a string. It suppresses unwanted HTML markup from being displayed and prevents malicious PHP code from being executed.
• The trim function strips white space from the beginning and end of a string.

Secure Coding
• User input filtering – many methods
  – Prepared statements are very useful against SQL injections.
  – http://www.w3schools.com/php/php_mysql_prepared_statements.asp
  – http://php.net/manual/en/pdo.prepared-statements.php
  – http://bobby-tables.com/about.html

Secure Coding
• Output filtering
  – Output filtering assists in preventing Cross Site Scripting (XSS) attacks.
  – An XSS attack is one in which a malicious user embeds scripting commands in data/content that will be displayed to visitors of the web site, and thus executed in the visitor’s web browser when they browse your web site.
  – Can allow the attacker to steal sensitive information, install malware, etc.

Secure Coding
• Output filtering – many methods (PHP built-in function)

    <?php
    $firstname = $_POST['firstname'] ?? '';
    // Escape on output: <, >, & and quotes become HTML entities, so any markup
    // in the input is displayed as text instead of being rendered by the browser.
    $firstname = htmlspecialchars($firstname);
    echo "<p>First Name: $firstname</p>";
    ?>

• htmlspecialchars can help prevent XSS attacks by escaping output to render it harmless

Secure Coding
• Output filtering – many methods (WordPress output filters)
  – esc_html()
  – esc_url()
  – esc_js()
  – esc_attr()

Secure Coding
• Other security techniques involve changing server configuration options
• With PHP, turn off displaying errors back to the browser (php.ini):

    log_errors = On
    display_errors = Off

Secure Coding
• With PHP, turn off or verify that include statements do not allow external files to be accessed (php.ini):
  – allow_url_fopen: indicates whether remote files can be opened through URL wrappers. Keep this set to Off.
  – allow_url_include: indicates whether the include(), require(), include_once(), and require_once() functions can reference remote files. Keep this set to Off.

Secure Coding
• Another filtering technique that can be used is Apache ModSecurity.
• ModSecurity is a free web application layer firewall that contains an assortment of filters, rules, and other security features to block common exploits and injections.

Secure Coding
• There is another hacking technique known as “session hijacking”
• Web pages do not, by default, remember or save information as you move from web page to web page, even when on the same web site.
• Sessions are commonly used in web sites for features such as shopping carts or the status of whether a visitor is logged into the web site.
• Session hijacking is a technique used in XSS attacks where a hacker finds out another visitor's session ID and can then act as though they are that visitor for that session. There are three PHP functions that can help prevent this.
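Output filtering per context, as an added example that is not from the slides, written with plain PHP built-ins. The escHtml/escAttr/escUrl/escJs names are this example's own, chosen to mirror the WordPress helpers listed above; the untrusted input values are constructed.

```php
<?php
// Added example (not from the slides): the right escaping depends on where the
// value lands in the page. One htmlspecialchars() call is correct for text between
// tags, but not for URLs or for values inside a <script> block.

// Text between tags: escape &, <, >, " and ' so the browser shows them literally.
function escHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute value: same escaping, but it is only safe when the template puts
// the attribute in quotes, otherwise a space in the input starts a new attribute.
function escAttr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL in href/src: allow only http(s) URLs, then escape for the attribute.
// Escaping alone cannot help here, because "javascript:" contains no special characters.
function escUrl(string $s): string {
    $s = trim($s);
    if (!preg_match('#^https?://#i', $s)) {
        return '';   // reject javascript:, data: and other schemes outright
    }
    return escAttr($s);
}

// Value embedded in a <script> block: JSON-encode it and hex-escape the
// characters that could otherwise close the script tag or break out of the string.
function escJs(string $s): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    return json_encode($s, $flags) ?: '""';
}

// Constructed untrusted input, as it might arrive in $_POST.
$firstname = "<script>alert(1)</script> O'Brien";
$homepage  = 'javascript:alert(1)';

echo '<p>First Name: ' . escHtml($firstname) . "</p>\n";
echo '<input name="firstname" value="' . escAttr($firstname) . "\">\n";
echo '<a href="' . escUrl($homepage) . "\">homepage</a>\n";   // href is emptied, link is inert
echo '<script>var firstName = ' . escJs($firstname) . ";</script>\n";
```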
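Session handling that limits what a stolen or guessed session ID is worth, as an added example that is not from the slides. The deck does not say which three PHP functions it has in mind; the calls used here (session_set_cookie_params, session_regenerate_id, and the use_strict_mode / use_only_cookies settings) are this example's own choice, and the 15-minute idle limit is an assumed value.

```php
<?php
// Added example (not from the slides): hardening PHP sessions against hijacking.
// Run from the command line it exercises the functions against a local session file.

function startHardenedSession(): void {
    // Accept the session ID only from the cookie, never from the URL, and reject
    // IDs the server never issued (an attacker cannot pre-set a known ID).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: HttpOnly keeps page scripts (and so XSS) from reading the ID,
    // Secure keeps it off plain HTTP, SameSite limits cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Call once the user has proven their identity: a fresh ID means any ID captured
// before login (e.g. via XSS or a shared network) no longer maps to this login.
function loginUser(int $userId): void {
    session_regenerate_id(true);   // true discards the old session data on the server
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Call on every request: a session idle longer than $maxIdleSeconds is destroyed,
// so an ID that leaks later has a short useful lifetime. Returns whether it is still valid.
function enforceIdleTimeout(int $maxIdleSeconds = 900): bool {
    $last = $_SESSION['last_seen'] ?? 0;
    if ($last !== 0 && time() - $last > $maxIdleSeconds) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Full logout: clear the data, expire the cookie in the browser, destroy the server copy.
function logoutUser(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (PHP_SAPI === 'cli') {
    startHardenedSession();
    loginUser(42);   // constructed user id
    echo 'session valid: ', enforceIdleTimeout() ? 'yes' : 'no', "\n";
    logoutUser();
}
```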
Netiquette Basics

Netiquette Basics
• Netiquette: acceptable and responsible behavior in online or digital situations
• Email netiquette
  – Don’t forward e-mail hoaxes or chain letters
  – Do not spam message boards, instant messaging (spim), social networks, etc.
  – Be careful with the use of Reply All (issues: time, server space)
  – Use BCC if emailing a group of people who do not know each other (netiquette and privacy)

Netiquette Basics
• Email netiquette
  – Use descriptive Subject lines in e-mails
  – Choose a good/professional e-mail address and write professional e-mails
    • A greeting (salutation) and complimentary close (valediction), e.g. Hello, Regards, etc.
  – Spellcheck emails
  – Check to be sure a question has not already been asked if posting to a message board/forum
  – Avoid flaming and trolling (i.e. insults and being argumentative) and sarcasm
  – Respect others' privacy

Netiquette Basics
• The now common use of virtual meetings (e.g. Zoom, Microsoft Teams, etc.) is introducing new netiquette norms
  – Mute your microphone if not speaking; this helps reduce noise
  – There is often a “raise your hand” feature you can use to ask a question
  – Avoid multitasking during the meeting so your attention is on the meeting
  – State your name before a question so others know who is speaking
  – Ensure you have good video/audio/internet quality
  – Dress and speak professionally
  – Etc.

Privacy Basics

Privacy Basics
• Respecting privacy can assist in preventing:
  – Stalking
  – Harassment and cyberbullying
  – Identity theft
  – Financial theft
  – Employment problems

Privacy Basics
• Privacy tips
  – Do not post personal/sensitive information online (web pages, Facebook, etc.)
    • Birth date, home address, last name, etc.
    • Be careful what photos you post online: the vast majority of companies Google potential hires, and numerous graduate and medical schools do the same for applicants
    • Information you post online can be permanent (some countries are enacting laws to help remove personal information online)
      – https://en.wikipedia.org/wiki/Right_to_be_forgotten

Privacy Basics
• Privacy tips
  – Use a disposable e-mail address with no personal information in it for web sites that require you to register
    • e.g. do not put your birthday in your email address
  – Set your web browser to not allow third-party cookies, which can track the web sites you visit
  – Some web browsers have a “private browsing” feature you can use to not record (on the client, not the server) the web pages you visit (History list)
  – Use a VPN when web browsing
  – Shred sensitive papers and mail
  – Browse reputable web sites

Privacy Basics
• Privacy tips
  – Be aware that your web browsing and e-mail at work are not subject to privacy, since you are using company resources and time
  – Check company policy on use of computers and the internet
  – Be careful browsing sites on public wi-fi
  – Be careful of phishing (do not reveal private information)
  – Some web search engines are said to be more private / not save personally identifiable information and the web sites you browse, e.g. DuckDuckGo

Privacy Basics
• Mobile privacy tips
  – Add a login passcode or other access control
  – Keep the operating system up to date
  – Avoid open/non-secure wi-fi networks
  – Be cautious about which apps you download and use
  – Consider processes that allow you to remotely wipe/erase your phone if stolen
  – Be cautious in using public charging stations
  – Minimize tracking features, e.g. GPS
  – Turn Bluetooth off when not using it

Ethics

Ethics Basics
• Respect copyright laws, e.g. content, images, music, video, etc.
  – Use public domain or Creative Commons work
  – Give credit to sources when you use them
• Many netiquette guidelines are also ethical guidelines, e.g. do not flame, do not spam, respect others' privacy online, do not troll, do not cyberbully, etc.
• Do not access someone else’s e-mail, computer, web sites, USB drive, etc. without permission
• Be polite, have empathy