Hello everyone, welcome to Computer Science E-1. This is lecture six, all about security. And so we're going to start off today with a quick question: how many of you have either sold or given away one of your computers in the past? Only two of you? Okay, so a fair number of you. And so for those of you that have done it, how many of you formatted or erased your hard drive when you gave it away? Okay. So here's an even further question: for those of you that formatted and erased your hard drive, how many of you went so far as to actually destroy the hard drive? Okay, good.

So that's actually sort of the first point in all of this: if you want to give away your computer, pass it on to somebody else, the only really safe way of destroying all of the data that's contained within it is to actually destroy the hard drive as well. And I do mean physically destroying the hard drive, which actually can be a really fun endeavor. It can be really stress relieving to pull a hard drive out, open it up, and take a hammer to its platters. They shatter in a very satisfying way, even though they're kind of mirror-like, and those of you that are somewhat superstitious might be a little wary of doing it.
It's still, I think, a very fun exercise, though obviously it's not necessarily the cheapest or easiest thing to do. But for those of you that have given away a computer or sold a computer and have just taken the hard drive and perhaps done a format or an erase on it, so-called, realize that the data could still be on that hard drive, even though there are all these fancy warnings that say "Warning: the contents of this hard drive will be erased." That is sort of a little bit of a white lie, because it's true in the sense that when you turn on the computer again none of your data is going to be there, but it's false in the sense that it's not irrecoverable. You can actually go through, read the hard drive, and be able to recover a lot of the data that was previously on it. And so this has some pretty interesting implications. If you delete a file, for example, this implies that maybe the file isn't actually deleted, but something else has happened to it, such that we can actually still recover the data from this file. So really the only safe way for us to destroy the data on a hard drive is to actually destroy the hard drive itself, or to write over the entire contents of the hard drive in order to pretty much erase everything.

So how does file deletion actually work? Well, we may have gone over this in the hardware lectures, but just as a quick review: all of the data on a hard drive is stored on the platters of the drive itself. It's a little bit different when we're talking about other storage devices like SSDs; it's not quite so circular, it's in fact just a bunch of memory chips held within its boundaries. But it's sort of the same idea even for that, for general purposes. So we have here just a platter that is meant to be a hard drive, and in this platter...
There are a whole bunch of concentric circles that hold the data contained within your hard drive. Obviously these are more ovals than circles, but you get sort of the idea. And there is actually a table contained somewhere within this hard drive that your computer knows about, that in many, especially older, computers is called the file allocation table, or the FAT. So this is used in particular by some older file systems, but it's sort of the same idea; the same concept remains the same today. So we then have this table that basically describes to us a variety of files. Let's say that I have a file called, I don't know, exam1.doc, for example, which is a Word doc containing the contents of exam one. Then in this file allocation table is a mapping of the name of this file to its actual location on the hard drive itself. And so this location is actually just some computer-speak, and we really don't have to know or care what it actually is, but it's just some address, perhaps some number, that is on the hard drive itself. So something like this, I don't know, something that looks like this: 0x4C8EA. That's just a bunch of random letters and characters that might represent the address for this.

So if this file is erased, the contents of its data are not actually erased. The data itself is not actually erased, but rather its reference within this file allocation table is erased, telling the computer that, okay, well, now this location no longer has data contained within it, so I am free to write another block of data over it. So I could have another file, for example exam2.doc, that now overwrites that previous one. It may not, but it certainly could overwrite the previous block of data. So now that we have actually overwritten some data in that particular location, can we safely say that that file is indeed gone?
So what this means is that the very first time that you drag a file from your computer into its recycle bin or its trash can and empty it, that file is deleted, as we have seen before. But really all that means is that its reference is deleted, rather than the data being deleted itself. So it is in fact entirely possible for somebody who has physical access to your hard drive to be able to read through all of the so-called sectors within your hard drive and try to figure out what contents, what files, actually existed there, all the while ignoring this file allocation table. So if we were to format the drive, for example, or erase the drive, and it gives you this warning that, okay, all the data on this drive is about to be erased, and you click yes and you say that that's okay for you to do, all it's saying is that this file allocation table (and there's some other data as well, but it's not the actual data in the files themselves) is essentially just destroyed, and the rest of the data is in fact remaining on the platters of your hard drive. So this is actually sort of an interesting thing if you want to sell your computer or give it to somebody else and you want to preserve the privacy of your data.
It's not sufficient to just delete the files. It's not sufficient to just format the hard drive, because a sophisticated person could actually go through and read that information. In fact, you don't even have to be that sophisticated. You can download some software that will try to recover files for you automatically, even though the file has been deleted at some previous point. Obviously now there are some limitations to that. If the data at that address has actually been overwritten by some other data, then most likely you're not going to be able to recover the original file, exam1.doc, out of this, but you might be able to retrieve this new exam2.doc data that was there. Yes?

So that's a good question. So, because sometimes bits of files are actually stored at non-sequential locations on the hard drive, how does it know where to go next? It doesn't necessarily. It just goes sequentially and tries to figure out what it can. Usually the file isn't going to be written in reverse, necessarily, so it will be written from the first byte all the way to the last byte, even if that spans longer than the size of the file itself on the hard drive. So we might get some junk data within it.
That is certainly a possibility, but many times, especially modern computers, will actually do some slight defragmentation. So what we're talking about is fragmentation, basically. So if we have the same idea of having a platter here, and we have some file that we would probably assume to be written along something like this, just some sector in the hard drive, continuously written on some sector in the hard drive, it's not necessarily true, and you're certainly not guaranteed, that all of the data will be in one long continuous string on the hard drive. In fact the computer will realize, okay, well, maybe I only have a third of the available space here, like this, so this is one third of my data, and then I have another third available here, and then I have another third available here. It will actually fragment this file, so-called, into three different locations on the hard drive. And so you might have heard of this process called defragmentation, where the theory is that fragmentation will actually cause your computer to slow down a bit, because in order for it to find all of the pieces for one individual file, it will take it longer to jump from this location to this location to this location than it would if the entire file were located just in one continuous block on your computer. And that certainly is true, especially with hard drives with spinning platters.
It's not quite so much of a problem on SSD drives, but this is something that manufacturers have tried to battle by coming up with utilities called defragmentation utilities. You might have run this on your Windows computer in the past, and basically what it does is it analyzes everything and will try to then make everything into a continuous block, like it should be, and erase the previous blocks of data.

And so the question then is, if this is in fact fragmented, and we actually run some software that tries to recover some individual files, then how do we know that the file starts here, if it's been deleted, if its references have been deleted off the file allocation table, and we don't know that it's been broken up into three parts, and we don't know where these three parts are located? How do we then know that the three parts are located at these specific regions on the disk? And the answer is that we don't, really. We will get some junk data in between all of these fragmented pieces. But sometimes we might be able to tell if there's another file that's been started in the middle, just based on its headers.

So one of the things that we've been talking about with files is that they all have a specific file format. So JPEG, for example, has its own specification, it has its own file format; a GIF file has its own specification and file format. You can actually look up these specifications online and see the first few bytes that actually signify one of these types of files. An actual bitmap file, for example, begins with some known beginning bytes; the very beginning is something like the ASCII characters BMP. So you can actually look for a known sequence of characters within these fragments, and if you find that exact sequence, like BMP, existing in the first four or so bytes of the file itself, then you can be reasonably sure that this file might be a bitmap file.

So this is how we would then search the hard drive for one of these files. If we wanted to look for all of the JPEGs that have existed on our computer, for example, we would perhaps look up the specification for JPEG and find the bytes in that file that make it a JPEG file. There will be some known bytes at the very beginning of the file, called the header of the file, that specify that it is actually a JPEG file, and we will then search all of the sectors on our hard drive for that header. When we've found it, we can be reasonably sure that we've found the beginning, at least, of a JPEG file. And similarly, we will know that the footer of a file, the very end of the file, will probably end in some known sequence of bytes. So we can then search to the very end of that file and then consider that to be one JPEG file. And like we said before, we could actually have some bad data in between, especially if there's been some fragmentation, but that's just sort of the problem that can happen with fragmentation on a computer. Did I see a question? Yes?

How useful is defragmentation, actually? It's useful enough that Apple has decided to do it automatically on their Mac OS operating system, such that for small files that it considers fragmented, it will actually delete those files off the hard drive and then write them elsewhere in a continuous block, just so that they are properly defragmented. Just anecdotally, when I used to use Windows many years ago, and I would defragment the machine after a long while of not doing it, there was actually a noticeable increase in performance, at least in reading files, just because the so-called head, the piece of the hard drive that actually seeks across all of this data, which as you probably recall from the hardware lectures was just a little microscopic thing that floats very close above the platter, actually has to move to seek to find all of these bits of information. And the more that it has to search, even for one file, the longer it will take for us to load or to write to that file. So there is in fact a perceivable change; it just depends on how badly fragmented your hard drive happens to be. Any other questions?

Okay, so we have then this problem where we can delete files, but it's still possible for us to be able to recover them. And in fact this is something that you should definitely pay attention to if you ever plan on giving your computer to somebody else, or if you actually want to sell it to somebody else. Then this is actually a legitimate problem for you: how do you actually delete the files off of it? Well, I mentioned before that there's one solution: you can remove the hard drive from the computer and actually physically destroy the hard drive. That's really the only surefire way of being able to destroy the data within it. If you really have some data that you really don't want anybody else to have, that's probably your only recourse. But another thing that you can do is to actually zero out the drive. There exists some software called DBAN, Darik's Boot and Nuke, and there's also some similar software available for Mac OS as well, that allows you to basically just destroy all of the bits on each of the sectors in the hard drive. And what is different about this is that not only will this eliminate the file allocation table and all of the references to the files contained on the hard drive, but it will also go over every single sector, every single byte on the hard drive, and overwrite it with zeros, meaning effectively that all of this left-over stuff that we had before is going to be gone. Now you can do a similar thing in Mac OS if you go to Disk Utility.
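A toy model of the three points just made, added here as an illustration and not code from the lecture: a deleted file keeps its bytes until some later write happens to land on them, a format drops only the table, and a scan that ignores the table and looks for a known header and footer (the JPEG start and end markers here) still pulls the file back, junk from a fragment of another file included, until the drive is zero-filled. The block size, disk size and all file contents are constructed values.

```python
# Toy model (constructed for illustration, not code from the lecture) of a
# platter split into fixed-size blocks plus a FAT-like table that maps file
# names to block numbers.  Sizes and contents below are made-up values.

BLOCK_SIZE = 16                 # assumed toy block size
NUM_BLOCKS = 8                  # assumed toy disk size
JPEG_HEADER = b"\xff\xd8\xff"   # bytes every JPEG file starts with
JPEG_FOOTER = b"\xff\xd9"       # bytes a JPEG file ends with


class ToyDisk:
    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the platter
        self.table = {}                                  # name -> [block, ...]

    def _free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [b for b in range(NUM_BLOCKS) if b not in used]

    def write(self, name, content):
        """Store content in whichever blocks are free.  A file written after a
        deletion can be fragmented around files that stayed, as in the lecture."""
        needed = -(-len(content) // BLOCK_SIZE)          # ceiling division
        free = self._free_blocks()
        if len(free) < needed:
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.data[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.table[name] = blocks

    def delete(self, name):
        """Emptying the trash: only the table entry goes, the bytes stay."""
        del self.table[name]

    def format(self):
        """A quick format: the whole table goes, the platter is untouched."""
        self.table.clear()

    def secure_delete(self, name):
        """Secure file erase: zero every block of one file, then drop the entry."""
        for b in self.table[name]:
            self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        del self.table[name]

    def zero_fill(self):
        """A DBAN-style wipe: every byte on the drive becomes zero."""
        self.data[:] = bytes(len(self.data))
        self.table.clear()


def carve_jpegs(raw):
    """Recover JPEG-shaped data while ignoring the table: scan the raw bytes
    for the header, then read up to the next footer.  Blocks of some other
    file that sit between two fragments end up inside the recovered blob."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_HEADER, pos)
        if start < 0:
            return found
        end = raw.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0:
            return found
        found.append(bytes(raw[start:end + len(JPEG_FOOTER)]))
        pos = end + len(JPEG_FOOTER)


def demo():
    """Delete, overwrite, secure-delete, format and zero-fill in turn, recording
    what a reader who ignores the table could still find at each step."""
    disk = ToyDisk()
    obs = {}
    disk.write("exam1.doc", b"EXAM ONE KEY 1.B")              # exactly one block: 0
    disk.write("notes.txt", b"grocery list")                  # block 1
    disk.delete("exam1.doc")                                  # reference gone...
    obs["readable_after_delete"] = b"EXAM ONE" in disk.data   # ...bytes are not
    photo = JPEG_HEADER + b"pixels of photo 1" + JPEG_FOOTER  # 22 bytes, 2 blocks
    disk.write("photo.jpg", photo)                            # takes blocks 0 and 2
    obs["photo_blocks"] = disk.table["photo.jpg"]             # fragmented around notes
    obs["exam_overwritten"] = b"EXAM ONE" not in disk.data    # the new file landed on it
    disk.write("secret.doc", b"SSN 000-00-0000 (made up)")
    disk.secure_delete("secret.doc")
    obs["secret_after_secure_delete"] = b"SSN" in disk.data
    disk.format()                                             # table empty now
    obs["files_in_table_after_format"] = len(disk.table)
    obs["carved_after_format"] = carve_jpegs(disk.data)       # still finds the photo
    disk.zero_fill()
    obs["carved_after_zero_fill"] = carve_jpegs(disk.data)
    return obs


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The carved photo comes back 38 bytes long rather than 22 because the "grocery list" block sits between its two fragments, which is the junk-in-the-middle effect described above.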
There's, as part of the erase feature, a secure erase button, I think, that will actually allow you to zero out the drive. That also is a sufficient thing to do, so long as you are not booted from the same hard drive. You actually will want to be booted from, say, a CD or something else that is not the same hard drive, just to ensure that all files are actually securely erased off of this drive. Now this will actually eliminate all of the contents on the entirety of the drive; everything will be gone on the drive itself. But if you want to selectively destroy some files, there does actually exist a secure file erase, even on the latest versions of Mac OS, that takes the files that are contained within your recycle bin or your trash can and, in addition to removing the reference from the file allocation table, will actually write zeros over the sectors on the hard drive directly, leaving all the other data intact. And so, if you just want to remove a couple of files rather than destroying the entire hard drive or moving all of the data off of that hard drive, this is a good way of going about that. And so this is something that is certainly worthwhile if you want to make sure that this data cannot be read. Now there is in fact another problem with this, and that is the case where somebody has physical access to your hard drive, or in fact to your computer at all.
There's no guarantee that your data is in fact safe. I'll get to that in just a moment; I think I saw a question. Okay, good question. So let's say you have some fragmented file, like we had discussed before, and you actually do a secure erase just on this one particular file. Even though this file is now fragmented, the OS should be smart enough to not only delete the three references from the file allocation table, but also zero out all of the individual fragments of the file as well. So the entire file should in fact be erased. If it's been defragged? Yeah, so if it has actually been defragmented and then you do a secure erase... I imagine that there's been no... So if we change the order of operations here, such that this file exists and is fragmented, and then we actually want to defragment this file so that now it actually becomes properly elongated in one portion of the hard drive, then most likely this data is not overwritten with zeros. It's been overwritten by some other data, potentially, or by nothing, and so that data is still readable. But you are guaranteed that at least, however many fragments you have, if you have n fragments, at least one over n of those will be completely gone, meaning that this data, especially if it's the beginning of the file, will be effectively erased from the computer, meaning that most of the data at least will be safely erased. So the takeaway here is that, yes, there are some potential other attacks that we could go through to be able to find at least some remnants of some data. Even if we securely delete an individual file, there is perhaps the possibility that other portions of that file, just through this fragmentation that we just discussed, could actually be retrieved.

And in fact this brings us back to the same concept that I was talking about a second ago, where if somebody has physical access to your machine, it doesn't matter if you have a fancy screensaver password, or a wake-from-sleep password, or an account password, anything like that; your data is still written unencrypted on the hard drive itself. It's frankly relatively trivial to overcome these passwords and read the data off the hard drive directly. Any time somebody has physical access to your machine, the jig is up; your data is basically exposed. And so the only way to protect your data on your computer is to not only use these same sorts of concepts, where every time you want to delete a secure file you actually securely erase it, but also to encrypt the data directly on your hard drive, especially the files that are particularly sensitive. And what this means is that the ones and zeros that make up the bytes, that make up the data on your hard drive, will actually be encrypted, so that somebody that actually has physical access to your machine won't be able to just read the files off of the hard drive. They will need to know some password in order to decrypt these files and be able to read them. So there do exist, of course, some software mechanisms that you can use for this on Macs.
There is the concept of FileVault, which is basically encrypting your home directory, which might include things like your documents and your pictures and your desktop files and whatever else, but it doesn't in fact encrypt the entirety of your hard drive. That will actually change; it's supposed to change in the next major version of OS X that's coming out, I believe, later this year or maybe early next year. But if you are on Windows, or if you're on a Mac and you want to selectively encrypt some things, one of the best pieces of software that's out there for this sort of thing is TrueCrypt. This is a program that will actually allow you to create a section on your hard drive that is in fact encrypted, so that you can put files in this encrypted directory. It's basically just an encrypted directory, and you will be sure that those files are, even when they're saved on the hard drive, relatively secure, even if your computer has been stolen and somebody has physical access to your machine, even for a short while. You can be reasonably sure that the data on this drive will actually be safe from prying eyes. And this is actually a pretty good way to go, especially if you like to save some of your data on online services like Amazon S3 or Dropbox or any number of these other services that can actually share data from one computer to another. This might actually be a relatively smart thing to do, just to make sure that your data is safe from one computer to the next. And in fact cloud services, well, they are most likely, in all likelihood, relatively secure, not only from hackers trying to hack into them and trying to find the data that's contained within them, but also presumably from the employees themselves being able to snoop around on their own computers and look at the data that's contained on their so-called cloud machines. It is, for particularly sensitive documents, a good idea to encrypt everything with things that only you can decrypt. And there's a whole bunch of features that TrueCrypt has; in fact you could go sort of all out and use some two-factor authentication, which we'll talk about more in just a little bit, but that basically requires not only a password but also something else that actually proves that you are the person that you claim to be when decrypting this information.

Now this is especially useful if you are particularly prone to having computer problems and you have to send your computer in for repair. Now it's certainly the case that many people that repair your computer are going to be legitimate; they're going to be professional. They're not going to necessarily go snooping around in your computer. But there's no guarantee that those people, that again have physical access to your machine, won't necessarily look at the data that's contained within it. Encrypting this data is another way of protecting that, especially if there is a problem with your hard drive. Let's say that you have all this data on your hard drive, and for some reason there is a malfunction such that you cannot actually write data to it anymore. You perhaps have a backup of your data, so you can fetch that sensitive data that you had before, but if you actually need to replace this drive, you can't actually write to it. Just as an example, there's no way for you, now that you have to send it in for service, to write over the entire contents of the drive, just because the drive has a malfunction. You're not able to do so, thereby making your data accessible unless it's encrypted. And again, this is just in the case where you have not encrypted your data and there's a hard drive malfunction and you send it in for service; your data is in fact at risk. Every time somebody else has physical access to your machine, there is a potential risk for your data to be exposed. Somebody else can download your data or do whatever they want with it, as long as you're not encrypting it, as long as you are not actually going through some security practices to ensure the privacy and security of that data contained within the drive. Yeah, did I see a question? Mm-hmm.

So if you save all of your files on a cloud service, on a remote machine like Gmail or Amazon or Dropbox or what have you, what is the risk on your own machine? It really depends on the service itself. So if you are using some software, for example, that might cache the information locally on your own machine... So Dropbox is an example of this, where Dropbox is basically a service, for those of you that are unfamiliar, that lets you specify a folder on your hard drive that should be shared amongst multiple computers. I love Dropbox, actually; I use it all the time. It's fantastic software. But what it does is that it allows you to share one folder on your computer across multiple computers, sort of transparently. What happens is that every time it detects that a file has changed within that folder, it uploads the changes to its server, and then on all of the computers that have access to the same folder, usually all of your own computers (so for example I have a laptop and a desktop and Dropbox folders on each of those), as soon as there's a change to one of these files, the other computer will download that change as well, thereby making it synced; this folder is synced between the two computers. It's actually pretty fantastic.
It's really nice to have all of your files available on all of the computers that you use. And Dropbox actually has, if we were to believe their marketing, quite a bit of security: not only do they use SSL, or the equivalent of HTTPS, when transferring the data between your computer and their servers, but they also make sure that everything that's written on their servers is encrypted so that only you have access to it. We're to believe that that's relatively secure. However, there is a copy of all of this data on my computer, which means that if somebody were to gain physical access to my computer, even though they don't have my Dropbox password, they could actually see the Dropbox folder and its contents, just because those are written in an unencrypted form on my computer's hard drive as well. They are in fact cached locally, in other words. Yep? Sure.

That's another great question. So if you use some online service like Amazon.com, where you're not even using some service that saves data remotely, is your password at risk? That really depends on the types of sites that you're frequenting, frankly, because while good security practices dictate that sites will not write your passwords to unencrypted files, either on their end or your end, or even across the wire, it is certainly possible that people that frankly don't know what they're doing could do that, and they could in fact write your password. And so this is one of the reasons why so many people say do not use the same password for everything, just because if that password is exploited in one location, it's possible that they can then have access to everything that you could possibly use. So the short answer is there's no guarantee that the passwords that you use, even if it looks like it's a secure website, are in fact stored in a secure manner on your computer or on the remote machine. You frankly have no insight into what the company is doing with those passwords, other than frankly just trusting them that they know what they're doing and saving them as appropriate. Well, we're going to talk more about internet security in just a little bit. Any other questions about this stuff before we move on? Okay.

So what is the takeaway here? If you have data that you consider to be sensitive, and in fact, for those of you that do anything reasonable on your machine, like, say, your financial documents, your taxes, anything that you might save and store, that's the sort of personally identifiable stuff that people might be able to use against you, say, in some sort of identity-stealing fashion, then most likely this is data that's considered sensitive, and you should probably take some steps in protecting it. And so what are some of the steps that you can take? First of all, use some way of encrypting this data on your computer. Make sure that you're not actually saving this data at any time in an unencrypted fashion on your computer. So that means if you have a Word document, for example, that's unencrypted, not password protected, nothing like that, that has a list of your passwords, that is a bad thing, and you should be reprimanded right now; that's not a good way of storing the passwords that you actually use. If you have a Post-it note on your monitor next to your computer that has your list, or has your one password that's maybe your dog's name or your birthday or something like that, that also is not a good thing to do, just because then people that see this information, whether inadvertently or intentionally, then have full access to anything that is authenticated with that password that you've set there. And to make it even more general, like we were talking about before, if you have these sensitive documents, anything that's personally identifiable, tax documents that you may have on your computer, medical records, anything like that, it's worthwhile in all likelihood to actually then encrypt it in some way, if not with TrueCrypt then perhaps with some other reliable encryption software, just so that you would then be able to make sure that that data is well encrypted, well protected from prying eyes, whether it be intentional or accidental, just because this is not stuff that you really want to mess with. In fact there's good data in a study that was released a few years ago that says that the vast majority of machines that are thrown out or sold or given away to other people have information contained on their hard drive, unencrypted, that could identify the person, and in fact could be used against them in some sort of identity theft manner. It's just something that would be potentially dangerous for the person that had actually given away this machine. So this is in fact very important, and not enough emphasis is placed on protecting your own data. Now of course this does lead to the point that if you are doing something like encrypting your data, and you actually want to make sure that it is protected.
Well, then you do in fact have to make sure that your backups (and you are backing up, right?) are also encrypted. And so one of the easiest ways to do this is just to back up the encrypted file itself, or just the encrypted bytes. That way you are then sure that you are safely backing up the encrypted information as well. And backup is a very important topic that we will address again, probably next week. Any questions on this stuff?

Now all of this stuff applies in fact to a computer, and more specifically to a computer with a hard drive with this actual spinning platter. Things get a little bit more complicated when we start talking about things like SSDs, or even computers or smartphones that in fact don't use hard drives but perhaps use some sort of flash memory to store all of their information. Now the concepts are pretty much the same there, but the big gotcha with these things is that the secure delete option that I had mentioned before, the one that can actually take an individual file and zero out that individual file, just so that you know that that one file has been predictably erased and all of its contents are actually gone, is not considered reliable on flash memory. So at least for now, until this sort of thing has been fixed, I would not rely on secure delete to securely erase the contents of a file individually on an SSD drive. Something like zeroing out a drive will in fact still delete the contents of it, but it's still something that you should be aware of. And in fact if you have something like a smartphone, like an iPhone for example, one of the ways that an iPhone works, when you actually tell it to erase, is that it actually encrypts all of the data in its memory, and when you tell it to erase the memory, it deletes the so-called encryption key. There's an encryption key stored within it, and it erases that so that the data cannot be decrypted on the drive. And this has been found to be relatively secure, except that now the encryption key, because it's on the device itself, can actually be found and used to decrypt the entire drive again. This is something that we might talk about later next week.

So we have all of this stuff now. If you want to be sure that what you are doing is securely deleting, or keeping your data in a secure, encrypted fashion: first of all, encrypt, encrypt, encrypt, all the time, just for things that are very important to you. There is a cost that comes with encryption in terms of time, and generally you should be aware that that is going to be true. So you probably shouldn't encrypt things like movies, just because that's going to be a performance hit on your computer. But use your own judgment when encrypting this. And when you give away, throw out, or sell your computer, do anything that relinquishes physical access to that machine, be sure you use something like DBAN for Windows or Disk Utility on Mac to effectively zero out the entire drive, just to make sure that it is then safe for you to give away without risking your data being lost to the hands of somebody potentially malicious. Yes?

Right, so as of right now my understanding is that zeroing out individual files on an SSD is not necessarily reliable, but zeroing out the entire drive is. So when in doubt, especially if you're not sure whether your computer has an SSD or an HDD, a hard disk drive with the actual physical platters, just nuke the whole thing, just destroy it in some way. Or you can physically destroy it by taking it out of your computer and taking a hammer to it; you can punch a hole through it if you have a very strong drill. Or you can zero out the drive with one of these pieces of software that we had mentioned before. Mm-hmm. So what is formatting?
So this is like we talked about before, where we basically just take the file allocation table and destroy it completely. The contents, the data that's contained on the platter, persist. There are some other things that get erased as well that are pretty low level and specific to the hard drive itself, but formatting and/or erasing the drive (the two are used sort of interchangeably) does not actually erase the contents of the drive; it's actually sort of a misnomer. And so it's still prone to these attacks that we mentioned before, where you could use some software to try to find individual files on the hard drive itself even though their references have been deleted. Anything else? All right, scared yet? No? Good, because we've got some great stuff coming up right now.

So if we switch gears a little bit: a lot of this talks about local problems, problems that are local to your individual computer. And like I said, if somebody has physical access to your computer, the jig is up: any insecurity that you have is going to, I mean, it's just going to be completely meaningless.
And so if you have an account password on your computer, yes, that does help, but usually for other attacks. If you have, you know, a BIOS password on your computer, realize that all of this can be circumvented if somebody has physical access to your machine, and so none of these are adequate protection against some attack that allows somebody to actually read the contents of your hard drive. In order to do that, again, you have to encrypt the data on the hard drive itself.

But perhaps one of the scarier things is all of the things that can happen on the internet itself. So one of the things that can happen, if you are logged into a website for example, is this concept called session hijacking. Let's say that you're logged into Amazon.com or Facebook.com or any number of websites that require you to log in and maintain a session with them. Well, what happens is that there exists software that makes it very easy for people to pull your session away from you and start browsing Amazon.com or Facebook.com as you, with your account information. This has actually been made quite easy in recent months with software called Firesheep, which basically, at least at the time, was a Firefox plugin that allows you to sit at an internet cafe or a coffee shop of some kind that has an unprotected wireless network, look at all the traffic that's going between the machines and the router, find the cookie information, and try to hijack the session from a person. And so what does this mean? If we were to break this down, what does it actually mean?
Well, if we recall from our discussion about the internet some weeks ago, we talked about HTTP and how there's this information that flows that we don't see all the time, those HTTP headers that are sent between our computer and the remote server. They define a bit of information: some things are really vital, like the actual information that we're requesting and the response from the server, like whether or not the request completed successfully and what kind of data we're going to expect from the server, all that sort of stuff. But there's additional information that's tacked on as well. And the reason that we have this whole headers protocol, the reason that we have all of this, is that HTTP and HTTPS are essentially stateless protocols. What stateless means is that as soon as some transaction has occurred (a transaction in this case would be my computer requesting some information from a server, then that server responding to my computer with that information), the connection between the computer and the server is terminated; it's shut down. So what that means is that any state that I have created is not preserved from one web page to the next. Essentially, if I'm viewing a web page and I go to another link, for example, there's no guarantee that the server is going to know who I am, that I'm still logged in as my username. But obviously this sort of contradicts what we've seen in our experience on the internet: when we use a website like Amazon.com or Facebook.com, clearly when you load a page and you click on another link, it still remembers you, it still knows who you are. And so the way that people have overcome this statelessness of HTTP, because this does in fact exist, is to use this concept of cookies, which we mentioned briefly a couple weeks ago but are going to talk a little bit more about today.

A cookie is basically just a small piece of information that a server will send to our computer in the HTTP headers, more specifically in the response headers from an HTTP server, and it will tell our computer to save this little piece of information for some future point. The next time that my computer goes to that same website, it will then send this cookie information over. So I could get a cookie, for example, from a remote server that looks something like this: maybe it's going to be a username, and then a colon or a semicolon, and then maybe some long string of random letters and numbers that looks something like 7c6432 and so on. So this is just one of many types of cookies that we can get. Basically a cookie can be anything that can be represented in text; anything that can be represented in text, a server can tell our computer to write and store, and that same information will be sent back to the server.

So this goes back to the question that we had earlier on, when we were asking: is there a chance that when I type in a password to a website and it sends that password, this password could actually be saved in some unencrypted form on my computer? The answer, we said, was relatively complicated, but it is possible, and it is in fact possible with cookies. There's nothing stopping a server from sending a cookie that doesn't look like this, with some random collection of numbers and letters after my username, but is in fact my username and then, after a semicolon, the password that I actually used. That means this password, which is now vital to log in to this website, is now stored unencrypted on my hard drive. Many of us (I certainly know that I don't go through all of the cookies on my computer) may not even know that this password is saved. Now, this is obviously a very bad thing, and if there are websites that are doing this, they're doing security wrong. Most of the time, especially the bigger, more secure websites that have been around for a while like Amazon and Facebook, they know not to do this, but some of the smaller sites may be less experienced and may not know not to do this. So this is in fact a possibility. Like we said before, don't use the same password for all of the websites, because it's possible that that password is actually stored unencrypted on your computer without you even knowing.

Now, coming back to this point: we have a cookie, and the cookie again is just some information that is written on our computer that a server has requested. The server said, I want you to remember this information until the next time you visit this website. That's all your computer is doing: it's just blindly saving this information somewhere on its hard drive, and the next time you visit that same website, it sends this cookie information to the server again. In this way the server can then say, okay, looking at this random number with this username, I can remember: oh yeah, I sent that username this random number, therefore this person is still logged in. That's basically, in essence, how this works: how your session is preserved, how when you go to Amazon.com or Facebook.com and you click on one web page and go from one page to the next, even though HTTP is stateless, these web servers still know who you are, by using a cookie in this manner. Now of course they could use something like the username-and-password cookie, but again, this is bad and generally we're not going to see this very much; but the possibility does exist, so just be wary of that fact. Most of the time, though, like I said, that doesn't happen.

Now let's say, just as an example, that this actually was a real cookie that I had written, and this cookie represents my session ID. It's actually a session identifier that identifies me to a server like Amazon or Facebook. And you go in and modify your own cookie; you actually change your cookie, which would have your own username and your own random number that was assigned to you by the server, to represent mine, and you load up the web page. What do you think is going to happen if you, in essence, use my cookie instead of your own, and this cookie is meant to identify me to this web server, to this website? What might happen? Yep?
Right, so you're going to hijack that session. What this means is that if this was a real cookie, if this was actually my username and the sequence of random numbers and letters that represented my session with that server, and you start using this same information, the server will just think that it is me on your computer. There's nothing stopping it, because there's no real way for the server to identify you; again, because HTTP is a stateless connection, once the connection has been formed and the data requested, that connection is killed, it's quit, so there's no way for the server to know whether the next request coming in is you or somebody else. It has to rely on some information provided by the computer to identify itself as being the same user. Yes? So, yes, generally if you log out, for example, this cookie will be destroyed, and when you log back in you will get a new sequence of numbers and characters here. Right, so that's a good point. So do you have to be on the same router, do you have to have the same IP address, say because you're at the same coffee shop, in order for session hijacking to work?
It varies; it depends on the security mechanisms in place for the particular website. Some of them might say that this username and this random set of numbers and letters has to match with this IP address. But the problem is that, as you might recall from our discussion about the internet, IP addresses can change because of DHCP; your IP address can actually change on the public network, and this would be annoying to users if, because of some unknown reason, all of a sudden they were just logged out. So most of the time, I would wager that many websites are not actually tying IP addresses to this information, so most likely you could actually hijack a session from anywhere in the world, potentially. Now again, this varies based on the company whose website you're visiting, but in all likelihood, in order to avoid this issue altogether, they might just allow this cookie from any IP address.

So to review, what is going on here? Well, recall that HTTP, like I said, is stateless. That means that when I contact a server and I log in, for example, it sends me only the response, the web page that says that I'm logged in, and then that connection is severed. So there's no way for that server to know, once I try to visit another web page, that I'm the same person that has already logged in. It can't use IP addresses, because because of NATs there could be multiple people connected to the same public IP address. We can't use the user agent string, which, as you might recall from the network discussion, the internet discussion, says some information about the computer, but it's not uniquely identifiable.
It doesn't uniquely identify a person. So what they do is use this concept of a cookie. A cookie is sent to our computer in an HTTP response, and our computer will actually write this information on its hard drive, and every time we visit that website again, our computer sends the same cookie back to the server so that the server is able to identify us. The way that servers are able to safely identify us is with some random set of numbers and characters that the server remembers and we remember, and when it matches the two up it then says, okay, this is actually Dan Armendariz, he's actually logged in to Amazon.com, so the web page that I'm going to show him is going to assume that it is Dan Armendariz. But this brings up the larger issue that we addressed early on in this discussion, this notion of session hijacking: if this cookie goes out in the open, if somebody actually looks at my packets as they're being sent from my computer to the remote server, and they find this cookie that is being sent from my computer to the remote server, they can use this same cookie in their own browser and act as though they are logged in as me on this same website. This is a session hijack. This malicious person has then hijacked my session; they're acting as me on Amazon.com or Facebook.com just by looking at my cookies and pulling that information from them. So this is not a good thing.
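As an added example, not part of the lecture and not the code of any real website, here is a small Python sketch of the mechanism just described: the server issues an opaque random session identifier in a cookie, keeps the identifier-to-user mapping on its own side, and looks the user up on every request, so the cookie never carries the password. It also shows logout invalidating the identifier (with a fresh one on the next login, as the lecture notes) and the "enter your password again" step for sensitive actions that the lecture comes back to with the Amazon example. All usernames, passwords and function names are constructed for the example.

```python
"""Added example: a minimal server-side session store of the kind the lecture
describes. Not code from the lecture or from any real website; all names,
users and passwords below are constructed for illustration."""
import hmac
import secrets
from hashlib import pbkdf2_hmac

_USERS = {}     # username -> (salt, password hash); the password itself is never stored
_SESSIONS = {}  # session id -> username: the "random number" the server remembers


def _hash_password(password, salt):
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    """Create an account; only a salted hash of the password is kept."""
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def check_password(username, password):
    """Constant-time comparison against the stored hash."""
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, _hash_password(password, salt))


def login(username, password):
    """Return the Set-Cookie header value the server would send, or None.

    The cookie holds only an opaque random identifier, never the password,
    so nothing written to the client's disk reveals the password (the
    'username;password' cookie the lecture warns about is what this avoids).
    """
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = username
    # Secure: the browser sends it only over HTTPS, so it is never in the clear
    # on an open wireless network.  HttpOnly: page scripts cannot read it.
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header):
    """Turn a request 'Cookie:' header such as 'a=1; session=xyz' into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def whoami(cookie_header):
    """Whom does the server believe is making this request?  None if nobody.

    This is all the server has to go on: any browser that presents a valid
    identifier is treated as that user, which is why a cookie read off the
    network lets a third party act as the victim (session hijacking).
    """
    sid = parse_cookie_header(cookie_header).get("session")
    return _SESSIONS.get(sid)


def logout(cookie_header):
    """Invalidate the identifier; the next login gets a fresh one."""
    sid = parse_cookie_header(cookie_header).get("session")
    _SESSIONS.pop(sid, None)


def place_order(cookie_header, password):
    """Sensitive action: demand the password again even with a live session,
    so a hijacked cookie alone is not enough to buy something."""
    user = whoami(cookie_header)
    return user is not None and check_password(user, password)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    set_cookie = login("alice", "correct horse battery staple")
    request_cookie = set_cookie.split(";")[0]    # what the browser sends back
    print(set_cookie)
    print(whoami(request_cookie))                # alice
    print(place_order(request_cookie, "wrong"))  # False
    logout(request_cookie)
    print(whoami(request_cookie))                # None
```

The `Secure` attribute is the server-side half of the HTTPS advice that follows: a browser will not send a cookie marked `Secure` over plain HTTP, so even a site that drops back to HTTP after login does not hand the identifier to an open wireless network.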
And in fact, there's not a lot that we can do if we are using unencrypted means of communicating between our computer and a remote server. If we're using HTTP, all of this is sent in the clear; if we are connected to a coffee shop with some wireless that's not protected by a password, all of this is sent in the clear, and it becomes very easy, and with some software like Firesheep almost trivial, to do session hijacking against people that don't know any better, that just use unencrypted connections all of the time. And so is there a way that we can fix this? Is there some way that we can prevent session hijacking from happening? Yeah, HTTPS, very good. So HTTPS is a great solution for this, because what this means is that when I send my request to the server, all of that request is in fact encrypted. That includes all of the HTTP headers, like the user agent string, the request itself, the IP address, all of this is actually encrypted, and the cookie as well. So now when this malicious hacker is sitting, you know, at Starbucks sipping coffee, using Firesheep, trying to session hijack, he can't actually decrypt this information, because it's private only to me and the remote server. This data will then be protected; this person will not be able to, or at least it greatly decreases the chance of them being able to, read this session cookie and hijack my session with this server. Yeah? Yes, these are excellent questions again. So how does the computer know? How do we actually ensure that this encrypted message remains encrypted all the way to the remote server rather than allowing somebody else to do it?
There's a variety of encryption mechanisms that we can use to ensure that once something has been encrypted, only the person that is authorized to decrypt it can do so. But we will most likely talk about this next week, just because it's sufficiently complicated that it's probably not something good to talk about right now. But there do exist a variety of ways that we can encrypt things such that the remote server, the one computer that we want to decrypt it, is the one allowed to decrypt it. There are ways that this is possible. Mm-hmm. Yes, it is possible. So when your computer is communicating with the server, there's basically this so-called handshake that occurs in order to negotiate what the proper encryption is going to be between one computer and the next, and it is possible, and this is a specialized type of attack, for something called a man in the middle to occur, where somebody that is not authorized actually reads this information: they create an encrypted connection to your computer and they relay that information to the remote server for you. But because they are sort of in the middle, and they're able to encrypt and decrypt all of the information coming not only from your computer to the server but also vice versa, they act as a man in the middle and can read all of the information that's being sent back and forth. This is a much more sophisticated attack that goes beyond the scope of using HTTPS; at least HTTPS blocks this low-hanging fruit of just being able to look at the data that's being sent unencrypted on the airwaves, figure out what that session ID is going to be, and use that against you. A man-in-the-middle attack that actually uses SSL, or uses HTTPS, is a bit more sophisticated in order for that to work, but it is, yes, of course, in fact possible. Any questions? Let's take a quick five-minute break. When we come back,
we'll continue talking about session hijacking.

Hello everyone, welcome back. So before the break we were talking about cookies and how they are important for maintaining sessions. A somewhat weak analogy that we could use for cookies is how, when you go to an amusement park, for example, you get your hand stamped, which gives you readmission for that day. It's the same sort of concept: if you leave the amusement park, how are they going to know that it was actually you that had been there before? Well, they rely on these hand stamps, and while admittedly this is probably less secure, because if you were to just find a copy of this hand stamp around you could stamp your own hand and receive admission, it's the same sort of idea. The server has provided admission to you by providing this information to your computer in the form of a cookie, and then every time you want admission again to this website, every time you visit this website or a page on this website, it's as if your computer is flashing its hand stamp to the server by providing the information that was stored in its cookie and saying, okay, I am allowed admission to this particular website, and more specifically, I am allowed admission and logged in as Dan Armendariz, just as an example. So realize that not a lot of information has to be stored on your computer in order for this cookie to be relatively successful.

There are a number of websites that actually store quite a bit of information about you: Amazon.com stores credit card information, Facebook stores all sorts of personal information, and there are dozens and dozens of examples like this. Realize that this information isn't necessarily stored in the cookie. It would be a bad thing if Amazon.com were to save your credit card information in a cookie, unencrypted, on your computer; instead what they do is save this information on their own servers. And so how secure that information is on their servers is really dependent on how secure their infrastructure is, so how much you actually trust their servers to be secure from hacking and from other people being able to snoop into their data, and also how secure your own account is: how secure is your password from prying eyes? Are you actually using HTTPS whenever possible, so that you are encrypting all of this information between your computer and the site, and session hijacking is therefore less of a problem?

Even Amazon.com has a variety of provisions to try to prevent this. Even if you don't use HTTPS, they do some things to try to protect your information even more. You may have noticed this just ordering some things off Amazon.com: whenever you place an order, after you have added items to your cart and you've verified the billing address and all of this stuff, it actually asks you to enter your password again, even though you're already authenticated. The purpose for this is that if your session has been hijacked, then this person would also have to know your password as well. And if Amazon.com is using something like this, a random set of numbers and letters, to identify you rather than the password itself, then that person, even though they've hijacked your session, is not necessarily going to be able to pull this information, or at least order some things on your behalf. But just because that is true doesn't mean that you should rely on this. There are a lot of websites that don't go through that much trouble to ask you for your password every time you do some modification or you do something. Facebook, for example: you post something on your wall, or what have you, and it doesn't actually ask you to re-authenticate, at least I don't think; I haven't posted to my wall in many, many years. But it doesn't ask you to authenticate, and so that is then more prone to this sort of session hijacking.

So in general you should try to protect yourself globally. Just be sure that you have strong passwords, that you have unique passwords for all of these websites, and that you're not using words as passwords, that you're mixing a lot of characters and numbers and symbols together, based on, you know, however secure you can actually be. And you might say, well, how on earth am I going to be able to memorize and remember all of these passwords? There is in fact software that can help you with this. One of the things that I use, for example, is software called 1Password, and this is actually really nice software: it writes all of your passwords in a secure manner on your computer. You can enter passwords into this software and it remembers them, and every time you go to a website you can just hit a couple of keys and it will fill out the form, it will fill out the username and password that you've selected for that website automatically. It has strong password generators, that sort of thing. But what's nice is that you are then not saving this information in an unencrypted form on your computer, and you're not saving it on a Post-it note next to your computer screen. You have one password, what's called the master password, and it should be, you know, a hefty, very big, very good password, and by entering that information you then unlock all of the passwords that you've stored for those websites. This is separate from this whole concept of cookies and HTTP; this is actually just a program that saves this information on your computer. There are other programs as well: there's one called KeePass, which is open source, and I think is more compatible with Windows machines, even though there do exist Mac and Linux versions as well. So you should find one; this is actually a good way of ensuring that you can reliably and efficiently use multiple passwords, because I certainly know that all of this advice, you know, using multiple passwords for all the different websites, quickly becomes a huge pain when you have to remember very complicated passwords for each of these separate websites. But this does not help you in terms of session hijacking; it does not actually prevent your session from being hijacked, just because this is independent from this whole concept of cookies, like we mentioned before.

So we had proposed that the fix for session hijacking now is to use HTTPS, and this is in fact a very good way that we will be able to prevent session hijacking. But not all websites actually use HTTPS all the time. This is changing now; luckily, one of the good things about that application Firesheep coming out recently is that now people are more aware that this problem of session hijacking exists, thereby putting pressure on more companies to actually encrypt more of their web pages. But what many companies did for a long time was only use HTTPS when you were actually logging in. So every time you entered your username and your password, that page would be encrypted with HTTPS, but once you logged in and it wrote a cookie to your computer, it considered you to be logged in and switched you back to HTTP. Now this was fine in that your username and your password at least were not sent in the clear, so that information was at least protected, but it did open up this problem with session hijacking because of this cookie information, especially now that people tend to be using laptops more frequently in areas with unencrypted wireless networks.

And realize that there's an important difference between wireless networks that require you to authenticate and perhaps agree to some set of terms of service, and wireless networks that are actually encrypted. Harvard University, for example: when you first brought your laptop here, you opened it up and you tried to log in to the network here, and it asks you for your HUID and password, right? So you might assume that it's encrypted, but in fact it is not; the wireless network here is in fact unencrypted. The way that you know is that when you first connect to the network, the very first time, if Mac OS or Windows asks you for a password, then it is an encrypted wireless network; but if you don't happen to see the little padlock icon next to the SSID, the so-called little string that actually tells you what network you are connected to, then that means that it is not going to be encrypted. You actually have to have that little padlock, you actually have to enter a password, to get accepted into an encrypted wireless network. So we can see here, in this separate application, all of the nearby wireless networks. We can see that the one I'm connected to right now is "staff", and this one is in fact encrypted; you can see a little padlock icon there. And then all of these other ones, "Harvard University": notice there's no padlock there, meaning that it is unencrypted. So if you are on Harvard University's network, you are actually prone to having your session hijacked, even though you have first had to enter your HUID and password. Just realize that that is separate: that's actually to grant you access to the network, rather than entering a password for an encrypted network.

Now, it's not to say that an encrypted network is actually all that secure. There's a variety of ways that we could encrypt a wireless network, and I think we might have mentioned this very briefly, in maybe one sentence, but we had talked about WEP as one method of encryption. WPA and WPA2 do not use WEP. You are essentially using an unencrypted wireless network if you're using WEP; it's been cracked for a long time, people can decrypt that very, very easily. WEP is useless; don't even bother using it. WPA is a bit better, but WPA2 is currently the best standard, the best way of encrypting wireless traffic. But it is still not foolproof; it has actually been cracked, even though it takes a little bit longer. It is actually possible to crack the encryption in WPA2. So what this means is that yes, you can use an encrypted wireless network and be reasonably protected from things like this, but you're still not 100% safe. So you should use layered security: you should use an encrypted wireless network, and you should probably still use HTTPS, even if you're at home, even if you trust your own wireless network. There's no guarantee that there's not somebody, you know, sitting in a sketchy van outside and trying to read all of the bits that are flying between your computer and the router. Or, especially if you live in the close quarters of all of the residences here in Cambridge and Boston, it's very easy to pick up lots and lots of Wi-Fi networks just surrounding this particular area; you probably have the same problem in your own apartment or your own home, where you see dozens of wireless networks. As a result, you can be sure that the data that you are sending wirelessly is being sent to everybody, even if it is encrypted. It is still being sent to everybody, and it is possible for people to read this data; even if it is encrypted, they'll get the encrypted bits. But depending on the type of encryption you're using for your wireless network,
You could be more prone to attack than other forms So again, WPA2 is good, WEP is bad So don't use WEP but on top of all of this We do want to in fact continue using HTTPS to make sure that our data is encrypted from one From one point from our computer to the next How do you set up WEP or WPA? So this is something that's set up on a per router basis if you go to a coffee shop for example You cannot say I want to use WPA because it's whatever they had set up their own router with So when you if you when you set up your router at home It's but it basically whatever security is provided by your router nowadays I believe they come enabled by default with WPA2 But it used to be even maybe even a year ago or slightly older than that Did they come with the capability to encrypt traffic as WPA2, but it just wasn't enabled So if you have a wireless router at home Most likely you should look up its instructions and try to find out how you can view its settings view the wireless security settings Or whatever it will be a call that's appropriate for that wireless or for your wireless router and activate the wireless security The WPA2 for your router It's not necessarily provided by the ISP But it is in fact provided by the router itself and not all routers older routers Especially just don't have the capability for some of these newer security Encryption code some of the newer security like a WPA2 if you have a really old router WEP might be your only Line of defense in which case I would recommend chucking it just going out to Best Buy and getting a $40 router Something just because now routers these days that have WPA2 are relatively cheap nowadays rather than even just a couple of years ago So this is something that again you would set on a router level not on not based on the ISP And it's not something that you you are at the whim of the the person who set up the router So here we cannot actually use encrypted wireless connection between our computer and the Harvard 
network, just because it has been set up to be an open wireless network. There's no encryption allowed. But again, this is the other reason why it's important to use things like HTTPS. Or in fact another thing that you can do, and this is actually what I do altogether, is use a VPN, because the VPN then tunnels all traffic, everything that goes out to the Internet, in an encrypted form. Whereas HTTPS is only going to be secure with that one website, and every time you go to another website you have to make sure that you're using HTTPS. By the way, if you're using Firefox, a good plug-in is called HTTPS Everywhere. It will try to enable HTTPS on every website that you visit if possible, and this actually greatly enhances security for you. But whereas this really doesn't guarantee that everything is going to be encrypted, a VPN ensures that everything between your computer and the VPN server is going to be encrypted. Now, of course, this does mean that there is some level of insecurity still, because there could be a malicious person between the VPN server and the end server, like Amazon.com or Facebook.com; there could be somebody in the middle that's still intercepting this traffic. But the probability of that is much lower than somebody sitting next to you in a coffee shop with an unencrypted wireless network and just reading all of the traffic that's happening on this unencrypted wireless network. So again, this is one of the big reasons why encrypting everything is good, or at least using a VPN is good, because it encrypts absolutely everything and you can be at least more assured as to the security of your data as you send it back and forth over the wireless network. Yes? Yes. Question: What are the risks if you are using a desktop computer that's connected with a wired connection, or even a laptop that's using a wired connection?
The risks are lower. It becomes more difficult for a person to be able to read the traffic that's being sent between your computer and the server, but it's not impossible. It's still possible to route traffic and obtain that data, so you shouldn't feel that it is going to be much safer, but at least it eliminates a lot of these very easy problems that come up through using unencrypted Wi-Fi networks in a public space, for example. At least then it's not quite as much of a problem, but still I would recommend that you take heed of all of this advice, just because it's definitely a problem even with desktops as well. Yes? Question: Certain governments being interested in intercepting wireless traffic? Yes, though if governments are really interested in intercepting your traffic, then they don't have to go through the trouble of patching into every wireless network; they could just go to the router level. In fact, that seems to be what's happening in China, where they seem to be doing some pretty good inspection of the traffic that flows out of the major routers from within China to the outside world and vice versa, trying to determine what's going on. In fact, the censorship in China seems to be increasing, as is my understanding, though I haven't had any first-hand experience in a little while, but it seems that now they might even be cracking down on VPN connections from inside the country to outside, preventing you from encrypting all of your traffic through these routers. And that was actually the thing that I had recommended some months ago: if you were in China and you wanted to try to visit some websites without having the government inspecting your traffic, a VPN is the way to go. And in general this is in fact a good way to go, because then you are ensuring an encrypted connection between your computer and this computer, presumably somewhere in some location that you trust, back home or your
work computer or what have you, and then you will have a more reasonably secure connection. Did I see a question? Yeah. Question: How do you set up a VPN connection? So a VPN connection over the internet is very much like the client and server sort of deal that we've talked about before. So you have to have access to a VPN server. If you are skilled enough, it's possible for you to operate your own VPN server, but most of the time that's pretty difficult. Better would be to use one of the VPN services that are made available to you. So all of you, as students at Harvard, are actually able to use FAS's VPN service. You can go to, I think it's downloads.fas.harvard.edu, I believe, is the URL, and from there you might have to log in, which I will do off-screen, but once you are logged in you would then be able to download the VPN client software. And what that means is that you would then be able to, let's see, where is this? Nope, that's the wrong one. Let's try this again. Now what this means is that you would then have the client installed on your computer, and every time you wanted to connect you would just open this VPN client software, connect to Harvard's VPN server, and have a connection between your computer and the server.
So if this is going to, okay, so here we go, and we can search for VPN. VPN, down here at the very bottom of the site: we can see that we can download some VPN software for our computer. And this is a good solution unless you are in a country like China again, which actually blocks access to all of the IP addresses associated with a particular location. When I was there that happened to be the case: they were actually blocking all connections from any computer inside of China to all of the IP addresses at Harvard. It just was not possible. So then you're sort of screwed; then you kind of need to have another VPN server made available to you, which you might be able to get if you work for a sophisticated company. Many of them have VPN connections that allow you to connect, using similar VPN software, to their own VPN server. But really this is something that generally is a service that, if you do not have access to it through an institution like Harvard or through a company like your own work, then you might have to pay some number of dollars to gain access to a VPN server. Good question. Any other questions about this? Okay, so we've talked about how HTTPS and VPN are sort of good ways to protect yourself. Now there are still some additional things that could be problematic, perhaps, when we're dealing with each of these things. If you're using only HTTPS, and let's say that you are in some location that is particularly oppressive, whether it be, you know, a nation that has an oppressive government, or a work location that doesn't allow you to visit websites that might actually be somewhat useful to you, then there's no guarantee that using something like HTTPS is going to protect you from that sort of thing, because recall that HTTPS only encrypts the traffic between your computer and the server. It doesn't necessarily protect you or maintain your privacy when you're visiting that particular
website. And what I mean by that is that it still looks like you were making an encrypted connection from your computer to this website, XYZ.com. Now if this website is blocked by this oppressive government, or by some particularly, you know, heinous, I don't know, restrictions at work, it's still possible, even though you're using HTTPS, for them to see that you're at least connecting to this website. They may not be able to see the data itself, the cookie or the actual information that's being sent to and from, but they might actually just be able to see the domain that you're trying to visit. That might be enough, that might be enough to get you in trouble with any number of authorities. And so how can you ensure that this is going to be something that you can protect yourself against as well? This brings up a whole different issue, known as internet anonymity. And there's a whole variety of ways that we can do that, but one of the more common things that we can use is some other software altogether called Tor. And Tor is basically just anonymity online. It basically looks as though you are connecting to some random computer on the internet, and what that random computer does: you connect to this random computer on the internet, and then you send to that random computer the actual information that you want, you actually send this URL request that you ultimately want to this one computer, and then that one computer sends it to another random computer, then that other random computer sends it to a third random computer before finally actually making the final connection. And so as a result performance goes down quite a bit, but this at least helps protect your anonymity when you're actually trying to visit websites. And realize that this is different again from actually encrypting the data. What we're talking about here is that even though you have encrypted the data going between your computer and the remote server,
it's still possible to see that you are connecting to that remote server, xyz.com, and it's in this case that you might need to use something like Tor, which provides this level of anonymity. So you could really go all out with the paranoia, you could go crazy with the paranoia and use something like Tor with HTTPS Everywhere, just to make sure that, you know, everything that you are doing is ultimately private and encrypted. But obviously you have to sort of weigh all of the performance decreases that you get out of using something like HTTPS, which does actually take additional time. It does actually take additional CPU cycles, not only for your computer to encrypt all of the data but also for the server to decrypt it, and that's why, like we had mentioned before, a lot of websites didn't actually use HTTPS on every single web page, just because it took a little bit longer. It's not necessarily noticeable to one of us, but when we're serving thousands of people, that little bit of extra time to encrypt this data adds up. So it results in fewer people being able to connect to a server, which means that these people have to buy more servers. Ultimately it comes down to money, right?
It takes more money to encrypt everything than it does to not encrypt everything. But using these things we can at least try to protect ourselves against a variety of attacks that could be our downfall for any number of reasons. Now, even so, there's a separate issue altogether: if we try to log in to a website that asks for, say, a username and a password, let's say that because of either stupidity or negligence or what have you, our username and our password is actually known to somebody else. Let's say that I didn't follow my own advice, and I actually have a post-it note next to my desktop that has my username and a password, you know, that's my birthday or something stupid like that, and it's the same username and password that I use absolutely everywhere, just as an example. Now this brings up a different issue altogether, in that yes, even though I'm using all of the security, I'm encrypting my cookies as they're being sent over the wire with HTTPS, I'm using a VPN to ensure that all of my data is being encrypted from one end to the other, maybe I'm using Tor separately from the VPN to anonymize my browsing habits or what have you, all of this is sort of pointless if I am using insecure usernames and passwords, or if I am using secure usernames and passwords but somebody's able to find this information out through any variety of means: because they're able to hack into a server, and that server's security was sufficiently low that they were able to see my username and password, then use that against me on other popular websites; or maybe because they hacked into any number of sites that could do a similar thing; or they just asked me for it through some other means like phishing, or some other social engineering thing that we'll talk about again next week. But through any number of means somebody could actually obtain my username and password. How can a website that needs to be
particularly secure, like a bank website, actually ensure that even if this information has gone out into the open, it is still you that wants to connect? There's this concept called two-factor authentication. Whereas a password is one factor of authentication, this uses something else altogether to try to reveal some additional information, and usually what this does is it requires a separate physical device. So maybe you've seen somebody that actually has a device that looks like a little keychain, for example. I don't have mine with me right now, but it actually looks like a little USB thumb drive or something like that, and on it is a little screen with some numbers, for example, and those numbers actually change every minute or so. This is something that people actually use in two-factor authentication, so that not only do they need to know the password to access some service, they also have to have this physical device with the number, or with some unique identifier, that actually changes every so often. So you have to have not only the password in your memory but also this actual number that exists in order for you to obtain access to this website. And there's a variety of ways that we could actually accomplish this. One of the ways would be to use something like SMS. So for example, Bank of America, what they do is they actually allow for two-factor authentication, which by the way, if you are allowed the opportunity, I actually recommend, especially if you're paranoid about logging into banking websites, just because if your password happens to go out into the open it requires some additional factor to be able to access your website. But what they might do, for example, rather than you having a separate fob or some separate device that will actually show you some set of numbers, is they will actually text you that set of numbers, or this second factor of
authentication. And because you have your phone in your physical presence, and that information has been texted only to your phone, then presumably it is relatively secure. So you might have something that actually provides a set of numbers like this, for example, that are only going to be valid for the next minute or so. So I'm not too concerned about showing this set of numbers, especially since you don't know what username this applies to or what the password happens to be for this. But this actually shows the similar sort of thing, where this is something that actually changes every minute to access some account, based on just some information. And so then by entering in my username and password for this account, it then asks me for this number, this second factor for authentication. Then I enter that information in as well, and only by having these two unique things am I able to access this account. And this is a great thing to have for particularly sensitive accounts like banking information, for example, anything where you can actually move some money around. This is a great additional layer of security to have. So Bank of America has it, and I think, what is it?
I think Charles Schwab also happens to have two-factor authentication, where you can actually get a key fob, and it's actually kind of cool to have one of these little key fobs because you look really important having one of these things. But the security is actually beyond this as well. It is actually better security to be able to have multiple layers involved in logging into some particularly sensitive place or some particularly sensitive piece of information. And another thing that you can use is also Google: if you use Gmail, for example, you can actually set your Google account to use two-factor authentication, which can use an app similar to the one that I just showed you to log in to your Google account relatively safely using a second factor of authentication. So how does the server, yes, so how does the server know what number you are supposed to have? So when it's set up, the server will actually provide some piece of information either to the application, or, if you have a little fob, there'll be a little identifier at the back that actually has a known sequence of random numbers, so it will be able to randomly generate the numbers based on some known sequence. And so the two are synced up because they both know the sequence, but only these two devices know the sequence: only the server knows the proper sequence of numbers, how to randomly generate this number, and only the device knows how to randomly generate the same number. So it is a secret that only these two devices have. They're not talking to each other at all.
There's a period of initial setup where you actually have to tell the server that I'm using a fob with this ID, or if you're using an app, for example, the server actually programs the app to use a specific ID, but then after that the communication is cut. And it is possible for the two to get out of sync, especially because if it happens every minute, maybe one updates every, you know, 59.9 seconds and the other one updates every 60.01 seconds. There does exist the possibility for it to get out of sync, but you can then just re-sync that information if you have two factors of authentication. Any other questions? So, let's see, we have then a variety of things that are useful to us in preventing this sort of thing, but we're really talking about prevention on our own end, the client side, how we can actually protect ourselves and our own data against attack. But how then is a person able to attack a server? How is a person able to try to obtain access, despite all of your hard work as a client in encrypting all of your information as it travels between your computer and the remote server, encrypting all of the files on your hard drive, and making sure your passwords are secure? How can a hacker actually obtain access to a remote server?
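The fob-and-server arrangement just described, as an added example that is not part of the lecture: both sides hold one shared secret and derive the current code from the clock alone, with no communication after setup (this is the HOTP/TOTP scheme of RFC 4226 and RFC 6238, which the lecturer does not name), and the server-side check tolerates one interval of clock drift, the out-of-sync problem mentioned above. The secret and the 30-second step are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: this is the piece of information the server provisions
# to the fob or app during the initial setup. Real secrets are random bytes.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds each code stays valid (the lecture says "every minute or so")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte counter,
    then "dynamic truncation" down to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                    # big-endian 64-bit counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # 20 bytes
    offset = mac[-1] & 0x0F                             # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP whose counter is the number of
    `step`-second intervals since the Unix epoch. The fob/app and the server each run
    exactly this, on their own clock, and get the same number without talking."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, digits: int = 6, step: int = TIME_STEP) -> bool:
    """Server-side check of a submitted second factor. Accepts the code for the
    current interval and for `window` intervals on either side, so a fob whose clock
    runs slightly fast or slow still works; compares in constant time so the check
    itself leaks nothing about how many digits matched."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def demo() -> None:
    now = int(time.time())
    device_code = totp(DEMO_SECRET, now)              # what the little screen shows
    print("code on the device:          ", device_code)
    print("server accepts it now:       ", verify_totp(DEMO_SECRET, device_code, now))
    print("server accepts it 5 min late:", verify_totp(DEMO_SECRET, device_code, now + 300))


if __name__ == "__main__":
    demo()
```

With the demo secret, `totp(DEMO_SECRET, 59)` reproduces the published RFC test vector (287082 at six digits, 94287082 at eight), which is a convenient way to confirm an implementation against a real authenticator app.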
There's a variety of ways, of course, that this can happen, but one of the most popular ways is through something called a SQL injection attack. SQL is just a type of server; it's just some software that is basically database software. If you've ever used Excel, you've used something that's similar to this software, because it's basically just a collection of rows and columns, and you can store a whole bunch of information in this software. And the details about SQL are not really important to us. Just realize that there's this software that acts as big database software that a lot of companies use. SQL is just sort of a standard that people tend to use, and you can actually perform queries, or what are called queries, against the SQL database in the form of a statement. So you can actually say that you want to insert some data, and this again, the details are not very important, but just realize that it's this same sort of thing that we're talking about, where we can insert some data into something something something, and so we would actually issue a statement like this to a SQL server in order to perform some action on it. So in this case we would obviously then be inserting some data into our database, and maybe instead of inserting we actually wanted to retrieve some data; we would perhaps use a different statement altogether called a select statement. So select from, rather than insert into. And it's this select from that's actually the most common of these statements. So imagine that we have a database that stores all of our usernames and passwords, for example, for a website. And this is a very common thing for a lot of websites to do: they will use some software like SQL, and whenever they want to authenticate a user against some known set of users,
they'll actually use a statement that looks like this: select from, and in this they can say select from some database, select from db, for example, where, let's see, where, I cannot write straight for the life of me apparently, so select from db where username equals something, I don't know, let's say dan, and password. So you might think that this looks a bit like programming. It's not really programming; we're just issuing a statement. It's just some way of creating a statement so that we can actually perform a query. And again, you don't have to know what this says; we're not going to quiz you or test you on SQL statements. This is mostly just to provide some background information about how this attack actually works. But we can say that my password then looks like this. So then we would perform a query like this, and the SQL server would come back and say, okay, yeah, I have a row of data in my database where there's a username of dan and the password of 1234. Okay, so let's say that there is some programmatic way that we are able to connect a form, a username and password form on a website, with this statement. So, I mean, the details again are not important, but realize that this is possible, and this is in fact how a lot of websites do their authentication. They will actually pull the data from a form that you would have on a website, a username and password form, they'll actually plop it into this statement, changing the username and the password as appropriate, and ask the SQL database server for this information. The server will either respond with yes, I have this information, or no, I don't, meaning that the user cannot be authenticated. But what's important here is this bit right here: username equals, and then in single quotes I'm saying the username, and in single quotes I'm saying the password.
Now let's say that I am an attacker and I want to try to bring down this server, I want to actually try to bring down this website. Then I would use this SQL injection attack to take advantage of the fact that I know how this query is generally going to look, and take advantage of it. So let's say that right now, when me as the good user, I input my username as dan, right? So in that field that said username there was a little box, and I typed in the word dan. But let's say for a moment that I was a bad guy, and instead of doing this I typed in something that looks like this instead: single quote, or, one equals one, like that. Now this string is actually going to be injected here. So now what the new thing looks like is that it's going to be username equals, and then in parentheses nothing, or one equals one, and then it closes the single quotes here. So in essence, I'm taking advantage of the fact that I know that this query is most likely going to be made with single quotes, and I'm going to end those single quotes and add my own SQL query to it. And in essence, all I have to do is then just do this, and well, it's a little bit more complicated than this, this is not actually completely perfect, but I can do something like this and I could potentially be logged in now as this user, or as a user. Now instead of having something like this, imagine that I had something even more malicious. So instead of doing this I did delete from, delete, such that I actually am issuing the statement to this server that I want to delete from. And what's important again is this first quote right here, because that first quote ends this string right here. That first quote ends that part right there, and then I can start typing in other parts of this query.
So again, I realize, I understand that this is, you know, a bit more detail than you probably need to know, but it basically explains how a SQL injection attack actually works: just by taking advantage of the fact that we know how a SQL statement has been made, and using it against the server, so that if I had something that looks like this, delete from, I could actually then potentially delete an entire table, because the SQL server will just assume that whatever statement I provided to it is correct. In fact, this is a very popular type of attack, where people are actually able to delete entire databases from servers, or, in a bit more sophisticated form of the same attack, they could actually gain access and look at the contents of the entire database and see all of the usernames and passwords. And again, you don't have to know precisely how this is done; just realize that there is this concept, or there is this software called SQL, it has statements that look like this, and we can perform an attack against it to basically do what we will against this same statement here. Now this is actually pretty easy for web servers to counteract; the people that write them, that make these web servers, just have to know about it. And frankly, you as a user, going on to a website, there's nothing that you can do to protect a website against this problem. It's either going to have this problem, which the administrators of this website are going to be able to fix, or it's not going to have this particular problem. But this does show that there are ways that, even though you're doing everything right on your end, the servers themselves are not completely secure. So all of the data that you are sending over the internet and putting on some remote server, your username, your password, your credit card number, your billing information, anything like that, you are trusting the servers to be written well enough, to actually be set up
well enough, such that attacks like this cannot actually be possible. And that's a very important thing, this concept of trust: how much do you actually trust this website to maintain this data in a secure fashion, so that when you visit this website you are sure that the data that you've sent to it cannot be read by somebody else that's not you, that it will not be read even by employees of the same company, that it cannot be deleted accidentally or intentionally by hackers or what have you? And in fact this is, in the grand scheme of things, a difficult problem to solve, but there's not much that we can do; we just have to trust the websites where we're placing this data. So what's the solution for this? Well, don't place data that you don't want placed out into the open into websites that you don't trust, frankly. And so there's a number of websites that do have a pretty good history of security, like Amazon, for example. They haven't had many breaches of data; I say many just because I don't know if they've had any, and if they had any they haven't seemed to be very major, at least. But realize that there are smaller websites that maybe don't know quite so much what they are doing, and they are perhaps open to attacks just like this one, making your data, even though you might trust this website, available to other people as well. So with that, I thank you all for coming. We'll convene again in one week, when we'll continue talking about security.
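The login query sketched on the board in the SQL injection discussion above, as an added example that is not the lecturer's code: the string-built form the lecture describes sits beside the parameterized form that a site's developers use to counteract it, both run against a constructed in-memory SQLite table holding the dan/1234 row. The `' OR '1'='1` input is the lecture's one-equals-one trick; it is placed in the password field here so that the statement shape shown on the board comes out as valid SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lecture's db: one users table with a username and
    a password column and the single row dan / 1234. (Plaintext passwords mirror the
    board sketch only; a real site stores a salted hash.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('dan', '1234')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the lecture describes: the form fields are plopped straight into the
    statement between single quotes, so whatever the user typed becomes part of the
    SQL itself. A quote in the input ends the string and the rest is parsed as SQL."""
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix the lecture alludes to: the statement is fixed text, and the values are
    handed to the database separately as parameters. The database never re-parses
    them, so a quote in the input is just a character inside a string."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> None:
    conn = make_db()
    injected = "' OR '1'='1"      # the lecture's "single quote, or, one equals one"
    cases = [("dan", "1234"), ("dan", "wrong"), ("nobody", injected)]
    for user, pw in cases:
        print(f"{user!r:10} {pw!r:14} string-built: {login_vulnerable(conn, user, pw)!s:5} "
              f"parameterized: {login_parameterized(conn, user, pw)}")


if __name__ == "__main__":
    demo()
```

In the string-built version the injected password turns the check into `... AND password = '' OR '1'='1'`, which is true for every row, so the login succeeds with no valid credentials at all; the parameterized version looks for a user whose password literally is that string and finds none.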