Cyber Security Basics
5 Best Hacking OS tier list
1. Kali Linux (for beginner in ethical hacking)
2. Parrot Security OS (more refined than kali, difficult to track online activity)
3. Backbox (user friendly + speed & efficiency)
4. BlackArch Linux (Largest hacking & cybersecurity tools available)
5. Pentoo Linux (Customization & flexibility)
Notes by WsCube
TCP/IP Model
Cyber Security Basics
1
TCP vs UPD
Cyber Security Basics
2
TCP (Transmission Control Protocol)
Connection-oriented: Establishes reliable connection before transfer.
Reliability: Guarantees ordered delivery with retransmission.
Error Checking: Ensures data integrity.
Flow Control: Prevents network congestion.
Applications: Web, email, file transfer (HTTP, SMTP, FTP).
UDP (User Datagram Protocol)
Connectionless: No connection setup, faster but less reliable.
Reliability: No delivery guarantee or packet ordering.
Error Checking: Basic, without retransmission.
Flow Control: None, may cause congestion.
Applications: Streaming, gaming, VoIP.
IP Address
What is IP Address?
IP = Internet Protocol Address
When one device communicates with other device, It require address to
communicate. So device’s IP address is used. Every device has it’s own unique
IP address.
IP is made within range of 0-255 numbers.
Cyber Security Basics
3
IPv4 vs IPv6
Types of IP Address
1. Public
Used in WAN, when you want to communicate around the globe you use
Public IP address.
2. Private
Used in LAN, within nearby distance. Private IP address are not reachable
by other device on Internet that are outside your home.
3. Static
An IP address that remains constant and does not change over time. It is
manually assigned to a device. a company's main website might have the
static IP address 192.168.1.100.
4. Dynamic
An IP address that is assigned temporarily and can change over time. It is
automatically assigned by a DHCP server.
Your home Wi-Fi network. When your laptop connects to the Wi-Fi, it
might be assigned the IP address 192.168.1.5 today, but a different one like
192.168.1.10 next week.
Cyber Security Basics
4
Routers
A Router is a networking device that forwards data packets between computer
networks, it manages traffic between different networks and permits several
devices to share an Internet connection.
Domain & DNS
DNS stands for Domain Name System. It is a system that translates humanfriendly computer hostnames into IP addresses. Stores all data in form of
records in Zone File.
Example : Google.com, Facebook.com, etc.
OSI vs TCP/IP Model
What is OSI Model?
Open Systems Interconnection Model is a set of rules that explains how
different computer systems communicate over a network.
7 Layers of OSI Model
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Cyber Security Basics
5
Session Layer
Presentation Layer
Application Layer
What is TCP/IP Model?
It stands for Transmission Control Protocol/Internet Protocol, which are the
core protocols of the Internet. This model defines how data is transmitted over
networks, ensuring reliable communication between devices.
4 Layers of TCP/IP Model
Link Layer
Internet Layer
Transport Layer
Application Layer
Cyber Security Basics
6
CIA Triad
C = Confidentiality
I = Integrity
A = Availability
Confidentiality: This principle ensures that sensitive information is
accessed only by authorized individuals and protected from unauthorized
access. Techniques like encryption and access control help maintain
confidentiality.
Integrity: This ensures that data remains accurate, consistent, and
unaltered during storage and transmission. Measures like checksums,
hashes, and digital signatures are used to verify and maintain data
integrity.
Availability: This principle ensures that information and resources are
available to authorized users when needed. This involves maintaining
hardware, updating software, and implementing redundancy and failover
mechanisms to prevent outages.
Termux in Phone
Termux is a free and open-source terminal emulator for Android which allows
for running a Linux environment on an Android device.
Cyber Security Basics
7
apt upgrade : Updates all installed packages on system to newest versions.
apt install nmap : to install nmap
ifconfig : to configure network interface
nmap <ip address here> -v : to scan IP address, The -v option increases
verbosity, providing more details about the scan results.
nmap <ip address here> -v -sn : the -sn option added.
-sn
stands for "ping
scan" or "host discovery". This tells nmap to only check if the host (IP
address) is online.
Email info gathering
To install holehe you need python. pkg install python-pip
: holehe is a tool for checking if email addresses are used on
various social media platforms.
pip3 install holehe
: attempt to find if that email address is associated with
accounts on various social media platforms and other online services.
holehe targetemail
Location tracking
git clone
https://github.com/techchipnet/hound
cd hound
bash
hound.sh
it will ask “Do you want to use cloudflared tunnel?” press “n”
ssh-keygen -t rsa -b 2048
cat ~/.ssh/id_rsa.pub
ssh -R 80.localhost:8000 ssh.localhost.run
(port should be changed according to
requirement)
The location will be only displayed if target user has accepted location
permission.
Camera access
Cyber Security Basics
8
git clone https://github.com/techchipnet/CamPhish
cd CamPhish
bash
camphish.sh
After that :
Select 2,
then Choose Template whichever you want.
Hacking Instagram
git clone https://gitlab.com/KasRoudra/PyPhisher
cd PyPhisher
python pyphisher.py
It will ask “Do you have loclx authToken?” enter “n”
CCTV access
ifconfig
copy ip address displayed in output
nmap -sP 192.168.1.0/24
Now there will be list of ip addresses available in output. Use all ip address
available with prefix nmap Example : nmap 192.168.1.212
Look for devices that have a web server running: CCTV systems typically
have a web server running on them that allows you to access the camera's
feed. If you find a device that has port 80 open, it is possible that it is a
Cyber Security Basics
9
CCTV system.
get that ip address paste it in google following with :80, CCTV’s website
will open, most of the camera’s login credential is ‘’admin’’.
more Termux Commands :
https://www.termuxcommands.com/termux-commands-cheat-sheet/
Kali Linux Installation
David Bombal : https://youtu.be/MPkni85O9JA?si=0keyAYlYiIpZVFLe
Download Software in Kali Linux
sudo su
The command sudo su in Kali Linux allows you to temporarily switch to the root
user. Here's a breakdown:
sudo: This command allows a permitted user to execute commands as
another user, often the root user. It's a way to gain temporary
administrative privileges.
su: This command stands for "switch user." By itself, it prompts for the
root user's password, allowing you to become root.
apt update
Updates package information
apt install packageName
apt upgrade
: update all packages available
dpkg -i filename
: installs .deb package
BlackArch Installation
Import it in Oracle Virtual Machine
Type: Linux & Version: Arch Linux (64-bit) [It will be selected automatically]
Hardware
Base memory: 5 or 6 GB min
Cyber Security Basics
10
Processors: 4 min
Hard Disk: between 100-200 GB
user : root
password: blackarch
Further Installation in This video [Time stamp - 3:10:00] :
https://youtu.be/v3iUx2SNspY?si=IUwsONr-WeC8h80d
Once Installed Reboot, Then
Mobsf Installation
1. Using a Virtual Environment (Recommended for Project-Specific
Installations):
Create a virtual environment:
Bash
python3 -m venv mobsf_venv
This creates a directory named mobsf_venv containing an isolated Python
environment.
Activate the virtual environment:
Bash
source mobsf_venv/bin/activate
Your shell prompt will change to indicate that the virtual environment is
active.
Install MobSF within the virtual environment:
Bash
pip install mobsf
Cyber Security Basics
11
To deactivate the virtual environment when you're finished:
Bash
deactivate
HTTP Request and Response
What is a HTTP Request?
A packet asking to load a website. Includes GET/POST, Headers and Body
What is HTTP Response?
Packet Providing Permission to access website and content (result of our
request). Includes GET/POST, Headers and Body.
Types of request and responses.
GET : Data transfer through URL easily visible and not secure.
POST: Sends user information & files in body, to server using html forms.
PUT: Replaces all current representations of the target resources with the
uploaded content.
PATCH: It is similar to PUT request, but the onyl difference is, it modifies a part
of the data. It will only replace the content that you want to update.
DELETE: This request is used to delete the data on the server at a specified
location.
OPTIONS: Describes the communication options for the target resource.
Cyber Security Basics
12
TRACE: Performs a message loop-back test along the path to the target
resources.
CONNECT: Establishes a tunnel to the server identified by a given URI
Apache Server
A client (e.g., a web browser) connects to a server (e.g., your Apache HTTP
Server), with the specified protocol, and makes a request for a resource using
the URL-path.
To start apache server, In Kali Linux Terminal
service apache2 start
Web Site Content
Web site content can take many different forms, but may be broadly divided
into static and dynamic content.
Static content is things like HTML files, image files, CSS files, and other files
that reside in the filesystem. The DocumentRoot directive specifies where in your
filesystem you should place these files. This directive is either set globally, or
per virtual host. Look in your configuration file(s) to determine how this is set
for your server.
cd /var/www/html
Typically, a document called index.html will be served when a directory is
requested without a file name being specified.
To Edit index.html : gedit index.html
For example, if DocumentRoot is set to /var/www/html and a request is made
for http://www.example.com/work/ , the file /var/www/html/work/index.html will be served to the
client.
Cyber Security Basics
13
Burp Suite
[resource]
Burp Suite is a powerful tool for testing the security of web applications. It
allows to intercept, monitor, and manipulate web traffic between browser and
target application.
Installation : https://portswigger.net/burp/documentation/desktop/gettingstarted/download-and-install
secure website using WAF
Web Application Firewall
A web application firewall (WAF) is a security solution that filters, monitors,
and blocks HTTP traffic to and from a web application. It is different from a
regular firewall in that it is able to filter the content of specific web applications
while regular firewalls serve as a safety gate between servers.
Installation [in terminal]
apt install libapache2-mod-security2
Next,
cd /etc/modsecurity
(This is the path to the directory where the ModSecurity web
application firewall's configuration files are typically stored.)
This command is used to edit modsecurity.config
Inside file there is “SecRuleEngine” which is bydefault off, we have to replace
Detection Only with On
gedit modsecurity.config
SQL Injections
What is SQL Injection?
SQL Injection (SQLi) is a security vulnerability that occurs when an attacker
is able to manipulate a web application’s database queries by
inserting malicious SQL code into user input fields. These injected queries
Cyber Security Basics
14
can manipulate the underlying database to retrieve, modify, or delete
sensitive data.
Types of SQL Injection
In-band SQLi:
The attacker uses the same communication channel to
both launch the attack and retrieve the results.
Error-based SQLi: Relies on database error messages to
gain information about the database structure.
Union-based SQLi: Combines multiple SELECT statements
to retrieve data from different tables.
Blind SQLi (Inferential SQLi):
The attacker cannot directly see the results of the SQL
queries.
Boolean-based SQLi: The attacker crafts queries that
return true or false results, allowing them to infer
information bit by bit.
Cyber Security Basics
15
Time-based SQLi: The attacker uses time delays in the
database response to infer information.
Out-of-band SQLi:
The attacker uses a different communication channel to
retrieve the results of the attack.
This is typically used when in-band techniques are
blocked or unreliable.
This method is less common, as it requires specific
database server configurations.
Tools used for sql injection automation
SQLMap
jSQL Injection
BBQSQL
SQL Ninja
How to perform
1. Selecting Target Parameter
2. Testing for manual SQL Injection
3. Use Tools to Exploit the DB
4. Report the Vulnerability
Where to check for vulnerability
URLs
Request & Responses
Input Boxes
Hidden Input Boxes
Cyber Security Basics
16
Cross-Site-Scripting (XSS)
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers
to inject malicious scripts into web pages viewed by other users. This
vulnerability enables attackers to bypass the same-origin policy, which is
designed to segregate different websites from each other.
Types of XSS
1. Reflected XSS
2. Stored XSS
Cyber Security Basics
17
Bug Bounty
Recommended Books
Bug Bounty Bootcamp ~ Vickie Li
Real World Bug Hunting: A Field Guide to Web Hacking ~ Peter Yaworski
Website to Practice Bug Bounty
VulnHub
OverTheWire - Bandit
HackThisSite
API Protocols & Architecture
API Protocols
1. RPC
2. SOAP
3. REST
Cyber Security Basics
18
API Architecture
The process of developing a software interface that exposes backend data
and application functionality.
API Gateway
Mainly concerned with security, caching, and orchestration purposes acts as
the single gateway into the internal API architecture.
NMAP
Nmap is a free and open-source network scanner that provides information
about the hosts and services on your computer network
Goals
1. Host Status
2. Open Ports
3. Services
4. Software versions
5. OS
Types of Scan (Nmap)
TCP : -sT
nmap -sT 192.168.1.1
UDP : -sU
nmap -sU 192.168.1.1
SYN : -sS
nmap -sS 192.168.1.1
Cyber Security Basics
19
ACK : -sA
nmap -sA 192.168.1.1
Port Forwading in Android - NGROK
Port forwarding, sometimes called port mapping, allows computers or services
in private networks to connect over the internet with other public or private
computers or services.
Stenography
Stenography is a technique where you can combine any secret data or any
file.
Notes by CS50
Lecture 0 - Securing Accounts
Passwords
Authentication : Refers to process digitally of proving who you are.
Authorization : Whether or not you should have access.
Dictionary Attacks : Collection of words containing actual english words that
are usually used as password.
Brute-Force Attack : you’re using a software to digitally try all possible
passwords. The hacker tries multiple usernames and passwords, often using a
computer to test a wide range of combinations, until they find the correct login
information.
crack.py
// generates all combo of 4 digit numbers & alphabets
from string import digits
for i in digits:
Cyber Security Basics
20
for j in digits:
for k in digits:
for l in digits:
print(i,j,k,l)
//---------------------------------from string import ascii_letters
for i in ascii_letters:
for j in ascii_letters:
for k in ascii_letters:
for l in ascii_letters:
print(i,j,k,l)
Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is a security method that adds an extra step
to protect your online accounts. Instead of just using a password, you also
need to enter a code sent to your phone or use a fingerprint scan.
One-Time Password (OTP) : It is a password that is valid for only one login
session or transaction on a computer system or other digital device. OTPs are
designed to avoid several shortcomings associated with traditional (static)
password-based authentication.
Sim Swapping : also known as SIM hijacking, is a type of fraud where an
attacker tricks a mobile carrier into transferring a victim's phone number to a
new SIM card.
Credential Stuffing
using a list of already known usernames and passwords from some other
application or websites to try to stuff them into a different website.
Cyber Security Basics
21
There are chances that your credential of one website might be same as other
website.
Phishing
Phishing is a type of cyber attack in which scammers attempt to deceive
individuals into providing sensitive information, such as usernames,
passwords, and credit card details, by pretending to be a trustworthy entity.
This is often done through emails, messages, or fake websites that mimic
legitimate ones.
Man-in-the-Middle Attacks
A Man-in-the-Middle (MitM) attack is a serious cybersecurity threat where an
attacker secretly intercepts and possibly alters the communication between
two parties who believe they are directly communicating with each other.
Here’s how it typically works:
1. Eavesdropping: The attacker intercepts the communication channel,
monitoring the data being exchanged without the knowledge of either
party.
2. Data Manipulation: The attacker can alter or inject malicious content into
the communication, potentially causing significant harm.
Single Sign-On (SSO)
It refers to ability to sign up for, to log in to one’s website using an account that
you already have on another website.
Password Managers
A password manager is a tool designed to securely store and manage your
passwords. Password managers can generate strong, unique passwords for
Cyber Security Basics
22
each of your accounts, reducing the risk of using weak or repeated
passwords.
Some Examples : Apple iCloud Keychain, Google Password Manager,
Microsoft Credential Manager
Lecture 1 - Securing Data
Hashing
Hashing is a process of taking a password as input and somehow converting it
into hash values. Hash value is fixed-size string of characters, which typically
appears as a sequence of random letters and numbers. This transformation is
performed using a function known as a hash function.
if password is “apple” → “ejUxfG25m” (hash value)
Salting : It involves adding a random string of characters to each password
before it is hashed and stored.
Secret-Key Cryptography
Encode : plaintext → codetext
Decode : codetext → plaintext
Ciphers : Ciphers, or codes, are methods used to encrypt and decrypt
information, ensuring that only the intended recipient can understand the
message.
Encrypt : plaintext → ciphertext
Decrypt : ciphertext → plaintext
Keys : a key is a piece of information that determines the functional output of a
cryptographic algorithm. The key is used both for encryption and decryption.
Without the correct key, the encrypted message remains unreadable.
Cyber Security Basics
23
Symmetric-Key Encryption : Symmetric-key encryption is a method where the
same key is used for both encrypting and decrypting the data. It's like having
a single key that locks and unlocks a treasure chest.
Asymmetric-Key Encryption : Asymmetric-key encryption, also known as
public-key encryption, uses a pair of keys—a public key and a private key—for
secure communication. Unlike symmetric-key encryption, the keys are
different, and knowing one key does not reveal the other.
Cryptanalysis : Cryptanalysis is the art and science of breaking cryptographic
systems and deciphering encrypted information without knowing the key. It
involves analyzing and attempting to defeat the security of encryption
algorithms, often by discovering vulnerabilities or weaknesses.
Brute-force attack
Known plain text
Chosen plain text
…more
Public-Key Cryptography
Public key cryptography provides a secure way to exchange information and
authenticate users by using pairs of keys. The public key is used for
encryption and signature verification, while the private key is used for
decryption and signing. When the two parties communicate with each other to
transfer the intelligible or sensible message, referred to as plaintext, is
converted into apparently random unreadable for security purposes referred
to as ciphertext.
If you share your public key with someone else on the internet they can use
that public key to encrypt a message and then send it to you over email,
message. Meanwhile, when you receive that message , you can use your own
private key and ciphertext you’ve just received to get back the plaintext.
Cyber Security Basics
24
RSA
RSA stands for Rivest-Shamir-Adleman, which is a widely used encryption
algorithm. It is an asymmetric cryptographic algorithm used to secure
sensitive data transmission, particularly in internet communications.
Here are the core formulas used in the RSA algorithm:
1. Key Generation:
Choose two distinct prime numbers pp and qq.
Compute n = p ∗ q .
Compute the totient function, ϕ(n) = (p − 1) × (q − 1).
Choose an integer ee such that 1 < e < ϕ(n)1 < e <
ϕ(n)andgcd⁡(e, ϕ(n)) = 1 gcd(e, ϕ(n)) = 1(typically, e =
65537e = 65537)

Compute dd as the modular multiplicative inverse of
eemoduloϕ(n)ϕ(n), i.e., d × e ≡ 1 ( ϕ(n))

The public key is (n,e)(n, e), and the private key is (n,d)(n, d).
2. Encryption:
Convert the plaintext message MM into an integer mm such that 0 ≤
m < n

Compute the ciphertext cc using the formula:
c ≡ me ( n)c ≡ m
e
( mod n)

1. Decryption:
Compute the plaintext message mm from the ciphertext cc using the
formula:
m ≡ cd ( n)m ≡ c
d
( mod n)

Convert the integer mm back to the plaintext message MM.
Cyber Security Basics
25
Digital Signatures
A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
Passkeys
Passkeys or WebAuthn are a more and more widely available technology.
Soon, usernames and passwords will become less frequent.
Passkeys will be device-dependent. For example, when visiting a website
on your phone that prompts you to create an account, your phone will
generate a public key and a private key.
Then, you will send your public key to the website.
From that point forward, to log into the website using that device, or a
service that synchronises your passkeys across devices, you will pass a
private key paired with a challenge value. An algorithm will produce a
signature.
Encryption in Transit
Imagine a scenario where two parties want to communicate with one
another.
We want to prevent a third party from intercepting data in between.
Third-party services–like email providers {Google}–that function as
intermediaries may indeed be reading your emails or viewing your
messages.
End-to-end encryption is a way by which users can guarantee that no third
party in between can read the data.
Cyber Security Basics
26
Deletion
Once files are deleted on a computer, a fingerprint of those deleted files may
still be on your computer. Operating systems often delete files by
simply forgetting where they exist. Hence, the computer may overwrite
previous files with new files. However, there is no guarantee that the free
space on your hard drive is entirely wiped off the fingerprints of old files.
Secure deletion is a process by which all the remnants of deleted files are
changed to zeroes, ones, or a random sequence of zeros and ones.
Full Disk Encryption
Full-disk encryption or encryption at rest entirely encrypts the content of
your hard drive.
If your device is stolen or you sell your device, no one will have access to
your encrypted data.
However, a downside is that if you lose your password or your face
changes enough, you will not have access to your data.
Another downside is that hackers may use this same type of technology
through ransomware to encrypt your hard drive and hold it hostage.
Ransomeware
Ransomware is a type of malware that encrypts a victim's data, rendering it
inaccessible until a ransom is paid, often in cryptocurrencies like Bitcoin,
which complicates tracing the perpetrators.
Quantum Computing
Quantum computing is an emerging computer technology that may be able to
provide exponential computing power to adversaries.
Cyber Security Basics
27
This technology may be used by adversaries to cut down on the time required
to guess passwords and break encryption.
Lecture 2 - Securing Systems
Wi-Fi
Secured networks utilize encryption to protect data between you and other
devices. Wi-Fi Protected Access or WPA is a form of encryption utilized to
secure networks.
HTTP
Hypertext Transfer Protocol, or HTTP, is an unencrypted way by which to
transfer data.
Utilizing HTTP, one is vulnerable to Man-in-the-Middle attacks where an
adversary could inject additional HTML code into what one is downloading.
Advertisements could be injected into all the web pages you are accessing via
HTTP. Further, malicious code could be inserted as well.
Packet Sniffing
It is a way by which an adversary may look inside data that is being
transferred between parties. You can imagine how a credit card number
placed within an unsecured packet could indeed be detected and stolen by an
adversary.
Cookies
Cookies are small files that websites put on your computer. Cookies may be
used by websites to keep track of who you are, present your emails, or keep
track of your shopping cart. Cookies make one vulnerable to session
hijacking, whereby an adversary could inject a supercookie to track you.
Session Hacking : is a security attack on a user session over a protected
network. The most common method of session hijacking is called IP
Cyber Security Basics
28
spoofing, when an attacker uses source-routed IP packets to insert
commands into an active communication between two nodes on a network
and disguise itself as one of the authenticated users.
Super Cookies : Supercookies are a serious threat to internet privacy.
They are not stored on your computer but can identify your web traffic and
are tremendously tough to detect. They are often located in online video
advertisements
HTTPS
HTTPS is just HTTP with encryption. The primary distinction between these
two names is that HTTPS is more secure than HTTP since it uses Transport
Layer Security (SSL) encryption for all HTTP requests and answers, even the
standard ones.
Certificate authorities or CAs are trusted third-party companies that issue
certificates. When you visit a website, your browser downloads the
certificate of that website, runs it through an algorithm, and creates a
hash.
SSL Stripping is an attack by which an adversary uses HTTP on a website
to redirect traffic to a malicious website. An adversary may even redirect
one to an HTTPS-secured domain that is not the intended website.
HSTS : One way of mitigating this threat is by implementing HSTS or HTTP
strict transport security, whereby the server tells the browser to direct all
traffic to a secure connection.
VPN
A VPN, or virtual private network, establishes an encrypted channel between
two points. Within a VPN, all traffic is encrypted.
However, there are some side effects. Because the pipeline between two
parties results in receiving an IP address from the second party, it will appear
Cyber Security Basics
29
to services throughout the web that your IP address is that of the second
party: not your original IP address!
Indeed, people often use a VPN to masquerade as being in another country.
SSH
SSH is a secure protocol by which you can execute commands on a remote
server.
If one wants to communicate with a remote computer and execute commands
there, one may issue an ssh command. The following is an example of using
the SSH command to connect to a server at Stanford University. You would
still need appropriate credentials and permissions to successfully connect.
ssh stanford.edu
If one has the appropriate access rights, one can execute commands directly
on a remote server.
PORT
Port numbers are used to direct web traffic toward specific services on a
server.
For example, port 80 directs to HTTP, 443 to HTTPS, and 22 to SSH. Servers
listen to these ports for incoming traffic.
Penetration Testing : is an activity that a professional may engage in to
check for port-related security vulnerabilities.
Port Scanning Attack : A Port Scan attack is a dangerous type of CyberAttack revolving around targeting open ports that are vulnerable to attack.
A Port scan attack helps attackers to identify open points to enter into a
cyber network and attack the user. Ports are really significant as they help
in tracking the traffic that enters and leaves a computer network. Packets
and data that are transmitted over ports tell Cyber-Attackers if the specific
port can be vulnerable to attack. they then aim to capture to send and
receive information.
Cyber Security Basics
30
Firewall : is a piece of software that protects various services by blocking
unauthorized access, including from compromised services on a device.
Firewalls utilize IP addresses, to prevent outsiders from participating in
traffic. It can also use deep packet inspection, where they examine the
data within packets for material that may be of interest to your company.
This can be used to check to see if you are emailing the press or other
parties that may be considered adversaries by your company.
Deep packet inspection : is used via proxy, where a device in the middle is
used as the path by which traffic comes in an out of the network. It is on
this proxy that your school or company may change URLs, log what URL
you are attempting to browse to, and, hopefully, protect you against
potentially harmful behavior.
Proxy
An intermediary that allows you to access websites and online services
without revealing your true identity or location. It forwards user requests to
web servers on their behalf, effectively masking the user's IP address.
Malware
Malware is malicious software that damages a computer or compromises its
security.
Virus : it is a piece of software that attaches itself to our computer.
Worm : It is a malicious piece of software that can move from one
computer to another via holes in security.
Botnet : It is malicious software that, once installed on your computer,
infects other computers and can be used by an adversary to issue
commands to thousands of infected computers. Computers infected by
botnets can be used to issue denial-of-service attacks whereby lots of
requests can be issued to a server for the purpose of slowing or shutting it
down.
Cyber Security Basics
31
Antivirus
Antivirus software detects viruses and hopefully can remove them. Automatic
updates must be enabled to fix security holes in previous iterations of the
software.
Zero-day Attack
A zero-day exploit is a form of attack whereby the attacker takes advantage of
an undiscovered hole in a software program, a piece of hardware, or firmware.
It occurs on the same day the software, hardware, or firmware flaw is
detected by the manufacturer.
Example :
Code Red Worm (2001): This worm exploited a vulnerability in Microsoft
IIS servers and spread rapidly worldwide. It infected over 359,000
systems in less than 14 hours, causing an estimated $2 billion in
damages.
Lecture 3 - Securing Software
Code Injection
Cross-site scripting, or XSS, is a form of attack where a website is tricked into
running malicious code via a user’s input.
For example, on Google, when you type a search for the term “cat”, notice how
the term appears on the screen elsewhere, showing you how many results are
present for this search.
Imagine that an adversary who knows a bit about the web could insert code as
input as a way of tricking the website into running such code.
<script> alert ('attack')</script>
If a website blindly copies user input and outputs what the adversary typed,
this is a major security concern.
Cyber Security Basics
32
Reflected Attack
A reflected attack is one that takes advantage of how websites accept input to
trick a user’s browser into sending a request for information that results in an
attack.
Imagine that a user could be tricked to click a link structured as follows:
<a href="https://www.google.com/search?
q=%3Cscript%3Ealert%28%27attack%27%29%3C%2Fscript%3E">cats</a>
Notice that this link includes the exact script presented above that is
intended to create an attack alert on the user’s screen.
The user’s actions trick their own web browser into reflecting back an
attack upon the user.
Stored Attacks
A website could be vulnerable to an attack where it is tricked into storing
malicious code.
Imagine where one could email malicious code. If an email provider blindly
accepts any code sent to it, any person receiving the malicious code may
become a victim of an attack.
Character Escapes
Services use character escapes as a way by which to protect against such
attacks. Software should escape potentially troublesome characters that
represent common coding-based characters.
For example, code like the following…
<p>About 6,420,000,000 <script> alert ('attack')</script></p>
will be outputted by secured software as…
<p>About 6,420,000,000 &lt;script&gt;alert('attack')&lt;/script&gt;</p>
Commonly escaped characters include:
Cyber Security Basics
33
&lt; , which is is the less-than sign, “<”
&gt; , which is is the greater-than sign, “>”
&amp; , which is the ampersand, “&”
&quot; , which is the double quote, “, itself
&apos; , which is the single quote, ‘
HTTP Headers
Recall that HTTP headers are additional instructions that are provided to the
browser.
Consider the following header:
Content-Security-Policy: script-src https://example.com/
Notice that the above security policy in a website header will only allow
Javascript to be loaded via separate files, usually ending in .js .
Thus, <script> tags inside HTML will not be run by the browser when this
security policy is in place.
Similarly, the following header will allow CSS only from .css files:
Content-Security-Policy: style-src https://example.com/
Notice that style-src indicates that only CSS that is loaded from a .css file
will be permitted.
SQL Injection
Structured query language or SQL is a programming language that allows for
retrieving specific information from a database.
Consider how an adversary may attempt to trick SQL into executing malicious
code.
Consider the following SQL code:
SELECT
*
FROM users
WHERE username
=
Cyber Security Basics
'{username}'
34
Notice that here a user’s inputted username is inserted into the SQL code.
An adversary could insert the following into the password field: ' OR '1'='1
The following SQL code will then execute:
SELECT
*
FROM users
WHERE username
= 'malan' AND password
=
''
OR '1'
= '1'
Notice grammatically, this results in providing all the users in the database.
To see this more plainly, notice the additional parentheses added below:
SELECT
*
FROM users
WHERE (username
= 'malan' AND password
OR '1'
=
'')
= '1'
Notice that this code will either show all users where the username and
password combination are true OR all users.
Effectively, the above input is always true. Through this security
vulnerability, the adversary may have information about all users on the
system, including the administrator.
Prepared Statements
Prepared statements are pre-designed snippets of code that correctly handle
many database functions, including user input.
Such statements, for example, ensure that user-inputted data is properly
escaped.
A prepared statement will take code as the following…
SELECT
*
FROM users
WHERE username
= '{username}'
and replace it with…
SELECT * FROM users
WHERE username
Cyber Security Basics
35
=
?
Prepared statements will look for any ' characters and replace them
with '' . Hence, our previous attack shown above would be rendered by
the prepared statement:
SELECT
*
FROM users
WHERE username
= 'malan''; DELETE FROM users; --'
Notice that the ' at the end of ‘malan’ is replaced with '' , rendering the
malicious code inoperable.
Command Injection
A command line interface is a method by which to run a computer system
using text-based commands, as opposed to clicking on menus and buttons.
A command injection attack is one that issues a command on the underlying
system itself. Two common places of vulnerability are that of system and eval ,
wherein if you pass user input without sanitization, malicious commands could
be issued on a system.
Cross-Site Request Forgery (CSRF)
Websites use two primary methods to interact with users
called GET and POST methods.
You can imagine how one may trick someone into buying something they don’t
intend.
One could provide an image that is automatically attempting to buy a product:
<img src="https://www.amazon.com/dp/B07XLQ2FSK">
Notice that no image is provided here. Instead, the browser will attempt to
execute the GET method using this web page, making a possibly unauthorized
or unwanted purchase.
This ability to trick a user into executing commands on another website is the
essence of a CSRF.
Cyber Security Basics
36
One way to protect against an attack such as this is a CSRF token,where a
secret value is generated by the server for each user. Thus, a server will
validate that one’s CSRF token presented in their submissions matches the
token expected by the server.
Open Worldwide Application Security Project (OWASP)
OWASP is a global community that provides open source projects, education,
and collaboration for improving application security.
Arbitrary Code Execution (ACE)
Arbitrary code execution, or ACE, is the act of executing code that is not part
of the intended code within software.
One such threat is called buffer overflow, where software is overwhelmed
with input. Such input overflows into other areas of memory, causing the
program to malfunction. For example, the software may expect input of a
short length, but the user inputs an input of a massive length.
Another similar threat is called a stack overflow, where overflows can be
used to insert and execute malicious code.
Sometimes, attacks such as these can be used for cracking or bypassing
the need to register or pay for a piece of software.
Further, attacks such as these can be used for
reverse engineering to see how code functions.
Open-Source Software
One way to circumvent threats like this is to use and make open-source
software. Such software’s code is published readily online for anyone to
see.
Cyber Security Basics
37
One can audit the code and make sure that there are fewer security
threats.
These pieces of software are still vulnerable to attacks.
Closed-Source Software
Closed-source software is the opposite of open-source software.
Such software’s code is not available to the public and, therefore, may be
less vulnerable to adversaries.
However, there is a tradeoff between open-source software, where
thousands of eyes are looking for vulnerabilities in the software, and
closed-source software, where code is hidden from public view.
App Stores
App stores are run by entities like Google and Apple, where they monitor
submitted code for adversarial intent.
When you install only authorized software, you are far more protected than
installing software from any developer without using an app store.
App stores employ encryption to accept only software or code that is
signed by authorized developers. In turn, app stores sign software with a
digital signature. Thus, operating systems can ensure that only authorized,
signed software is being installed.
Package Managers
Package managers adopt a similar signing mechanism to ensure that what
you download from third parties is trustworthy. However, there is no guarantee
that one is entirely safe.
Bug Bounty
Cyber Security Basics
38
Bug bounties are paid opportunities for individuals to discover and report
vulnerabilities in software.
Bounties such as these may effectively influence would-be adversaries to opt
to be paid for finding vulnerabilities rather than deploying them as an attacker.
Lecture 4 - Preserving Privacy
Logs
Servers typically have logs that track user activities. Therefore, even when
you clear your browser history, servers keep track of what you have
accessed.
A server log may appear as follows:
log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
HTTP Headers
HTTP Headers are key-value pairs sent between your computer and a server.
Fingerprinting
Fingerprinting is a way by which third parties can identify you based upon
clues that are available, even when you have restricted your browser from
sharing as much information about you as possible.
Web servers can also locate your IP address and log it.
Web servers can also discover your screen resolution, extensions
installed, fonts installed, and other information.
When this information is gathered together over time, it can make you
more and more identifiable.
Cyber Security Basics
39
Session Cookies
Session cookies are a piece of information that servers place on your
computer to identify you.
Every sequence of session numbers or characters will be unique for each
user.
Session cookies typically expire after a period of time determined by the
server.
Tracking Cookies
Tracking cookies are designed to track you. Third parties use such cookies to
track your behavior on a website.
Notice that this Google Analytics cookie lasts two years and tracks your
activity by presenting itself to each new site you visit.
Tracking Parameters
Where cookies are hidden “under the hood” of your browser, tracking
parameters are visible in the links you access.
Consider the following URL:
https://example.com/ad_engagement?click_id=YmVhODI1MmZmNGU4&campaign_id=23
Notice that the value for click_id , YmVhODI1MmZmNGU4 , tracks you specifically.
While cookies are tracked in the background, you can see how links you
visit (based on the URL) can track you.
Private Browsing
In a private browsing window or tab, past cookies are eliminated and search
history is not stored. Still, the web still works as the web does! New cookies
can still be formed in the ecosystem of a private browsing window.
Cyber Security Basics
40
Supercookies
Whoever provides your internet service can always inject their own cookies
into your HTTP headers without your knowledge.
You may be able to opt out of supercookies with your internet provider.
Cyber Security Basics
41