
all_lectures_study_guide

The document outlines a cybersecurity course focusing on securing accounts and data, detailing various methods to protect user credentials, including two-factor authentication, password management, and the importance of hashing and salting passwords. It discusses common attacks such as phishing and keylogging, and emphasizes the balance between security and usability. Additionally, it introduces concepts like public-key cryptography, digital signatures, and emerging technologies like passkeys for enhanced security.

Uploaded by

kenwestzm

0. Securing Accounts
1. Securing Data
2. Securing Systems
3. Securing Software
4. Preserving Privacy

Lecture 0-Securing Accounts


 Security
 Defending Against Attacks
 National Institute of Standards and Technology (NIST)
 Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
 One-Time Password (OTP)
 Keylogging
 Credential Stuffing
 Social Engineering
 Phishing
 Machine-in-the-Middle Attacks
 Single Sign-On (SSO)
 Password Managers
 Passkeys
 Summing Up

Securing Accounts
 This is Southway Infotech Institute’s Certificate course in cybersecurity.
 Today, we will focus on the security of your accounts.
 Let’s begin by talking about security itself.

Security
 We might imagine security in the real world as a key to a physical lock.
 In the digital world, there are numerous building blocks to security.
 Authorization is the act of verifying that you are, indeed, the person who should have
access to this account.
 Usernames are one way that you attest that you should have access to an account.
 Passwords are another way that you attest that you should have access to an account.
 The idea is that, theoretically, only you should be able to provide both a valid username and
password.
 Dictionary attacks are one way that bad actors attempt to guess your password. Indeed,
hackers may use a “brute-force attack” by trying lengthy lists of possible passwords to
attempt to guess your password. Therefore, it’s very important you defend against attacks by
having a very good password.
 When considering security, one should consider the tradeoffs between usability and security.
A highly secure service may become less usable. Hence, as you consider your options for
maintaining security, think about what makes the most sense for your use case.
Defending Against Attacks
 Consider how many possible number combinations you could have if your password (for
your phone or otherwise) was secured by only a four-digit password. There are 10,000
possible combinations. Generally, we could consider the possibilities as follows:
10 x 10 x 10 x 10

Notice that, in the worst case, bad actors would need to attempt 10,000 possible passwords.
 We could attempt to represent this in code. VS Code is a development environment whereby
we can write and execute code.
 Consider the following code-based representation of the above problem:
from string import digits

# Try every four-digit code, from 0 0 0 0 through 9 9 9 9
for i in digits:
    for j in digits:
        for k in digits:
            for l in digits:
                print(i, j, k, l)

Notice that this code, written in Python, iterates through each possible combination of numbers.
 Executing crack.py in a terminal window (where we can issue commands to our
computer), we can see that it takes only a few milliseconds for adversaries to produce all the
possible passwords.
 What would happen if we asked for a password that was four letters?
 If we allow for both uppercase and lowercase versions of 26 letters, we could represent this
mathematically as:
52 x 52 x 52 x 52

Notice we have over 7,000,000 possibilities.


 We can modify our code as follows:
from string import ascii_letters

# Try every four-letter password over uppercase and lowercase letters
for i in ascii_letters:
    for j in ascii_letters:
        for k in ascii_letters:
            for l in ascii_letters:
                print(i, j, k, l)

Notice that we invoke ascii_letters, which includes uppercase and lowercase versions of
each letter. Similar to our previous program, this program iterates through all possible
combinations.
 Executing this code, we discover that it still does not take much effort at all for a hacker to
discover all possible passwords.
 What would happen if we asked for a password that was four letters, numbers, or
punctuations? We would have over 78,000,000 possibilities open to us!
 We can modify our code as follows:
from string import ascii_letters, digits, punctuation

# Try every four-character password over letters, digits, and punctuation
for i in ascii_letters + digits + punctuation:
    for j in ascii_letters + digits + punctuation:
        for k in ascii_letters + digits + punctuation:
            for l in ascii_letters + digits + punctuation:
                print(i, j, k, l)

 Executing this code, we notice that it takes significantly longer to discover all possible
passwords in the worst case.
 The most important takeaway from the above is that the more we raise the bar for the
adversary in terms of time, the less likely it is that the adversary will have the time to crack
your password. However, the difficulty for the user is that longer, more complex passwords take
longer to type and are more difficult to remember. Therefore, there is a balance between
security and usability.

National Institute of Standards and Technology (NIST)


 NIST issues recommendations on how to protect your accounts more effectively.
 You can use their recommendations and best practices in your own work and, perhaps, at
your place of employment or business. Some of their recommendations concerning
passwords (paraphrased for brevity) include the following:
 Memorized secrets should be at least eight characters in length.
 Verifiers should allow all printed ASCII characters and Unicode symbols up to 64
characters in length.
 Verifiers should compare prospective secrets against available dictionary words,
repeat sequences, breached password lists, and context-specific words.
 Verifiers should not allow unauthenticated claimants to access password hints.
 Verifiers should not require periodic changes to passwords.
 Verifiers should limit the number of failed authentication attempts and lock out
potential adversaries.
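
The recommendations above, applied as a verifier-side check. This is an added example, not part of the original notes; the function and class names, the tiny blocklist, and the five-attempt lockout threshold are assumptions chosen for illustration.

```python
# Constructed sample data: a real verifier would load large dictionary and
# breached-password lists instead of these few entries.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou1"}
MIN_LEN = 8        # "at least eight characters"
MAX_LEN = 64       # the notes' "up to 64 characters"
MAX_FAILURES = 5   # assumed lockout threshold; the notes give no number


def has_repeat_or_sequence(secret, run=4):
    """True if secret contains `run` identical or consecutive characters."""
    for i in range(len(secret) - run + 1):
        window = secret[i:i + run]
        if len(set(window)) == 1:                      # e.g. "aaaa"
            return True
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:              # e.g. "1234", "dcba"
            return True
    return False


def check_secret(secret, username="", service=""):
    """Return the reasons to reject a prospective secret; [] means accept."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append("too short")
    if len(secret) > MAX_LEN:
        problems.append("too long")
    # Printable ASCII and Unicode are both allowed; control characters are not.
    if not secret.isprintable():
        problems.append("non-printable character")
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        problems.append("dictionary or breached password")
    if has_repeat_or_sequence(lowered):
        problems.append("repeated or sequential characters")
    # Context-specific words: here, the account name and the service name.
    for word in (username, service):
        if len(word) >= 3 and word.lower() in lowered:
            problems.append("context-specific word")
            break
    return problems


class AttemptLimiter:
    """Counts failed logins per account and locks out after too many."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = {}

    def is_locked(self, username):
        return self.failures.get(username, 0) >= self.max_failures

    def record(self, username, success):
        if success:
            self.failures.pop(username, None)
        else:
            self.failures[username] = self.failures.get(username, 0) + 1


if __name__ == "__main__":
    for candidate in ("abc", "Password", "xk1234vbqp",
                      "correct horse battery staple"):
        print(repr(candidate), check_secret(candidate) or "accepted")
```

Note that the check has no rule forcing periodic changes or particular character classes, matching the list above.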

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
 There are three components of multi-factor authentication.
 Knowledge: Something only you know.
 Possession: An item or device only possessed by an authorized user.
 Inherence: A factor only you could have, like your fingerprint, face, or other
biometrics.

One-Time Password (OTP)


 One could obtain a special key fob or device that provides one-time passwords.
 Frequently, OTPs are obtained from a device or app.
 Some of these OTP methods are more secure than others.
 Text-message-based OTPs can be defeated quite easily through SIM swapping, where an
adversary obtains and clones a SIM card and gets access to your text messages.
 More secure are OTPs obtained from an app on a secure device, like an authentication app
on your phone.
Keylogging
 Usernames, passwords, and OTPs are vulnerable to adversaries logging your keystrokes.
 Keylogging is accomplished by installing malicious software on a computer.
 It is best to ensure you are only logging in on devices to which only you have access.

Credential Stuffing
 Another attack, credential stuffing, involves the use of an obtained list of usernames and
passwords from a compromised website on another website.
 If you are using the same password on multiple websites, it is best to change them to unique
passwords.

Social Engineering
 Rather than a technological attack, a social engineering attack involves the use of social
pressure and trust to compromise your credentials.
 A person may pose as a trusted party to get your credentials or details about your life.
 Furthermore, adversaries may seek to find details about your life, like your pet’s name, etc.

Phishing
 Phishing uses social engineering in a technological way to obtain your credentials and
details by posing as a trusted website.
 For example, you may be directed to something that looks like a Google login page but is, in
fact, an adversary’s page.
 Never blindly trust links provided in emails. Consider going to a web browser and directly
typing a trusted URL there.

Machine-in-the-Middle Attacks
 Devices in between you and the source of the data you are downloading, such as routers and
switches, can be compromised by very sophisticated attackers.

Single Sign-On (SSO)


 Since different services impose so many varying password requirements, and
considering the advice offered earlier about never utilizing the same password for different
services, there are many ways you can bolster your security.
 SSO allows you to use Google or Facebook logins to access services not provided by
Google or Facebook.
 Therefore, you have the ability to easily access other services with less friction and greater
security.

Password Managers
 A password manager is a piece of software that can manage complex passwords and save
them for you.
 This allows you to not memorize the password.
 Further, many password managers will recognize phishing websites.
 Different from browser password-saving, which has been available for years, password
managers are a separate piece of software that can provide your password in multiple
services.
 The downside is that, effectively, you are “putting all your eggs in one basket.” You will
need to remember one password to access all the other passwords.

Passkeys
 An emerging technology, passkeys are automatically generated passwords that leverage
cryptography.
 Passkeys involve a public key and a private key. The public key is held by a service (such as
a website), while the private key is held by your device.
 Passkeys will enable you to log in without the need to type in a password.
 However, to understand more about this technology, we will need to learn more about
cryptography.

Summing Up
In this lesson, you learned about the tradeoff between security and convenience. You also learned
about various attacks that can make you and others vulnerable. Finally, you learned about some
ways by which to protect your login credentials. Specifically, you learned…
 There are tradeoffs between security and convenience.
 Generally, your behaviors and awareness are what make you more secure from digital
adversaries.
 NIST provides guidelines relating to security.
 2FA, MFA, and OTPs are some ways by which you can be more secure.
 Common attacks include keylogging, phishing, credential stuffing, and social engineering.
 You can enjoy further security by utilizing SSO or password managers.
 Passkeys, in the future, will offer even greater security.
Lecture 1- Securing Data
 Passwords
 Hashing
 Salting
 One-Way Hash Functions
 Codes
 Ciphers
 Keys
 Cryptanalysis
 Public-Key Cryptography
 Key Exchange
 Digital Signatures
 Passkeys
 Encryption in Transit
 Deletion
 Full-Disk Encryption
 Quantum Computing
 Summing Up

Securing Data
 This is Southway Infotech Institute’s Certificate course in cybersecurity.
 Last week, recall we focused on accounts.

Passwords
 We focused on our responsibility to keep our data secure.
 However, a third party is always involved in the storing of our data.
 You can imagine how a system may store usernames and passwords within a text file.
 You can also imagine how an adversary may get access to such a text file.
 Could we minimize the risk of storing passwords in plain text?

Hashing
 Hashing is a method by which we convert some plain text and output it as a hashed value
that is less readable.
 Therefore, a hash function creates a hash value. A password is provided to a hash function
and then is outputted as a hashed value.
 Without access to the precise hash function, an adversary cannot output the correct
password.
 Generally, we want the hash function to output something very cryptic and lacking a pattern.
Accordingly, adversaries cannot guess what the algorithm is doing.
 With the username and hash values stored in the server, an adversary cannot easily access
the accounts on that server.
 When a user now inputs their password to log in, the password is passed to the hash
algorithm again, and the hash value created is compared with the hash value stored.
 Hence, we have increased the cost, time, and resources required for an adversary to access
protected data.
 Still, a dictionary attack could input one value after another from a dictionary into a hash
function as a way by which to break it.
 Further, a brute-force attack could attempt to sequentially feed one character after another to
attempt to break the password.
 Hypothetically, rainbow tables are another threat, whereby the adversary has a table of all
the potential hashed values in a hash table. This, however, would take terabytes, if not
petabytes, of storage capacity to accomplish.
 Finally, a problem arises when users utilize the same password and the hashed value of these
passwords is exactly the same. How could we solve this problem?

Salting
 Salting is a process by which an added value is “sprinkled” into the hash function, such that
a hash value changes.
 The utilization of a salt value nearly guarantees that users, even those who have the same
password, receive different hash values.
 Therefore, again, the cost for adversaries to crack these passwords is quite high.
 NIST recommends that memorized secrets be both hashed and salted.
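
The hashing and salting steps above, carried through on three sample accounts. This is an added example, not part of the original notes; the account data is constructed, and plain SHA-256, PBKDF2-HMAC-SHA256 and the iteration count are choices made here, since the notes do not name a hash function.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo


def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password):
    """Hash with a fresh random salt; the salt is stored beside the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password, record):
    """Login check: re-hash with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_hits(stored_hashes, wordlist):
    """Accounts whose unsalted hash appears in a table computed once.

    This is why unsalted hashes are weak: one pass over a dictionary
    exposes every account that used any word in it.
    """
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# Constructed sample accounts: alice and bob chose the same password.
PASSWORDS = {"alice": "sunshine", "bob": "sunshine", "carol": "Tr0ub4dor&3"}
UNSALTED_DB = {user: unsalted_hash(pw) for user, pw in PASSWORDS.items()}
SALTED_DB = {user: salted_record(pw) for user, pw in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted, same hash for alice and bob:",
          UNSALTED_DB["alice"] == UNSALTED_DB["bob"])
    print("salted, same hash for alice and bob:",
          SALTED_DB["alice"]["hash"] == SALTED_DB["bob"]["hash"])
    print("table lookup against unsalted store:",
          precomputed_hits(UNSALTED_DB, ["password", "sunshine"]))
    print("alice logs in with the right password:",
          verify("sunshine", SALTED_DB["alice"]))
```

With per-user salts, a table computed once no longer applies to the whole store; each guess has to be re-hashed per account.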

One-Way Hash Functions


 One-way hash functions are written in code and take in a string of arbitrary length and
output a hash of a fixed length.
 Utilizing such a function, the holder of the hash value and hash function will never know the
original password.
 Indeed, in some systems utilizing a one-way hash function, certain passwords may map to
the same hash value.

Codes
 Cryptography is the study of transmitting secure data from one party to another.
 One way we can secure data is through codes.
 Codes convert the words we want to say into a less understandable string of words.
 Encoding involves taking plaintext and converting it into codetext.
 Decoding is the opposite, converting codetext into plaintext.

Ciphers
 Ciphering involves taking plaintext and enciphering it into ciphertext.
 This process of ciphering is called encryption. The process of deciphering it is called
decryption.

Keys
 Keys are really big strings. These keys are used in encryption and decryption.
 Secret-key cryptography involves the passing of a key and plaintext into an encryption
algorithm, where ciphertext is outputted.
 In this scenario, both the sender and receiver have a shared secret with one another in that
they both have access to the encryption and decryption algorithm.

Cryptanalysis
 Cryptanalysis is the field of study and practice where individuals study how to encrypt and
decrypt data.
 By evidence of your being part of this course, you, too, may be interested in cryptanalysis.

Public-Key Cryptography
 You can imagine a scenario where the sender and receiver of secure data may have never
personally met. How can one establish a shared secret between two such parties?
 Public-key encryption or asymmetric-key encryption solves this problem.
 First, the sender uses a public key and plaintext and feeds these into an algorithm. This
results in ciphertext.
 Second, the receiver uses their secret key, feeding in both this secret key and ciphertext into
the algorithm. This results in deciphered text.
 RSA is a standard of encryption that describes this process.

Key Exchange
 An alternative algorithm is called Diffie-Hellman, the goal of which is key exchange.
 An agreed upon value g and a prime value p are used.
 Party A and Party B have a shared secret value called s.
 Both Party A and Party B have their own private keys.
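
The exchange described above, using the notes' symbols g, p and s. This is an added example, not part of the original notes; the function names, the small worked numbers, and the use of 2^127 - 1 as a larger prime are assumptions for illustration, not a vetted production group.

```python
import secrets


def public_value(g, p, private):
    """What each party sends in the clear: g raised to its private key, mod p."""
    return pow(g, private, p)


def shared_secret(their_public, private, p):
    """Combine the peer's public value with our own private key to get s."""
    # Reject degenerate values that would force a predictable secret.
    if not 1 < their_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(their_public, private, p)


def exchange(g, p, a=None, b=None):
    """Run both sides; a and b are the private keys of Party A and Party B."""
    a = secrets.randbelow(p - 3) + 2 if a is None else a   # in [2, p - 2]
    b = secrets.randbelow(p - 3) + 2 if b is None else b
    A = public_value(g, p, a)        # A -> B, visible to anyone listening
    B = public_value(g, p, b)        # B -> A, visible to anyone listening
    return {
        "A": A,
        "B": B,
        "s_at_A": shared_secret(B, a, p),   # (g^b)^a mod p
        "s_at_B": shared_secret(A, b, p),   # (g^a)^b mod p
    }


if __name__ == "__main__":
    # Small numbers that can be checked by hand.
    print(exchange(g=5, p=23, a=4, b=3))
    # Random private keys with a larger prime.
    big = exchange(g=3, p=2**127 - 1)
    print("both sides agree:", big["s_at_A"] == big["s_at_B"])
```

Only p, g, A and B cross the network; the private keys and s never do.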

Digital Signatures
 Using the building blocks of public keys and private keys, you can use these to sign
documents.
 One can sign a document through a two-step process.
 First, a message, the content of a document, is passed to a hash function, resulting in a hash
value.
 Second, a private key and a hash are passed to a digital signature algorithm, which results in
a digital signature.
 The recipient is able to verify your digital signature by passing the message, the content of
the document, to the hash function and receiving a hash. Then, the recipient passes the
public key and the signature provided to the decryption algorithm, resulting in a hash value
that should match the hash value previously calculated.

Passkeys
 Passkeys or WebAuthn are a more and more widely available technology.
 Soon, usernames and passwords will become less frequent.
 Passkeys will be device-dependent. For example, when visiting a website on your phone that
prompts you to create an account, your phone will generate a public key and a private key.
 Then, you will send your public key to the website.
 From that point forward, to log into the website using that device, or a service that
synchronises your passkeys across devices, you will pass a private key paired with a
challenge value. An algorithm will produce a signature.
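
The hash-then-sign steps from Digital Signatures and the challenge-based login from Passkeys, in one added example that is not part of the original notes. It uses textbook RSA without padding on two fixed Mersenne primes, which is for illustration only; the `Website` class and function names are hypothetical.

```python
import hashlib
import secrets

# Demo-only key pair built from two well-known primes. Real systems use a
# vetted library, randomly generated keys, and a padded signature scheme.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537                      # public key (held by the website)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (stays on the device)


def hash_value(message, n):
    """Step 1: pass the message to a hash function (reduced to fit n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key=D, n=N):
    """Step 2: private key + hash -> digital signature."""
    return pow(hash_value(message, n), private_key, n)


def verify(message, signature, public_key=(N, E)):
    """Recipient: recover the hash from the signature and compare."""
    n, e = public_key
    return pow(signature, e, n) == hash_value(message, n)


class Website:
    """Stores only public keys and issues single-use login challenges."""

    def __init__(self):
        self.public_keys = {}
        self.pending = {}

    def register(self, user, public_key):
        self.public_keys[user] = public_key

    def new_challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def login(self, user, signature):
        # pop() makes each challenge usable once, so a captured
        # signature cannot be replayed later.
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.public_keys:
            return False
        return verify(challenge, signature, self.public_keys[user])


if __name__ == "__main__":
    document = b"I agree to the terms."
    signature = sign(document)
    print("valid signature:", verify(document, signature))
    print("tampered document:", verify(b"I agree to other terms.", signature))

    site = Website()
    site.register("alice", (N, E))
    response = sign(site.new_challenge("alice"))   # done on the device
    print("login:", site.login("alice", response))
    print("replayed response:", site.login("alice", response))
```

A breach of the website's store exposes only public keys, which cannot be used to produce signatures.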

Encryption in Transit
 Encryption in transit relates to securing data as it moves back and forth through data
networks.
 Imagine a scenario where two parties want to communicate with one another.
 We want to prevent a third party from intercepting data in between.
 Third-party services–like email providers–that function as intermediaries may indeed be
reading your emails or viewing your messages.
 End-to-end encryption is a way by which users can guarantee that no third party in between
can read the data.

Deletion
 Let’s now consider a fairly mundane scenario, like deleting a file.
 Once files are deleted on a computer, a fingerprint of those deleted files may still be on your
computer.
 Operating systems often delete files by simply forgetting where they exist. Hence, the
computer may overwrite previous files with new files.
 However, there is no guarantee that the free space on your hard drive is entirely wiped of
the fingerprints of old files.
 Secure deletion is a process by which all the remnants of deleted files are changed to zeroes,
ones, or a random sequence of zeros and ones.

Full-Disk Encryption
 Full-disk encryption or encryption at rest entirely encrypts the content of your hard drive.
 If your device is stolen or you sell your device, no one will have access to your encrypted
data.
 However, a downside is that if you lose your password or your face changes enough, you
will not have access to your data.
 Another downside is that hackers may use this same type of technology through
ransomware to encrypt your hard drive and hold it hostage.

Quantum Computing
 Quantum computing is an emerging computer technology that may be able to provide
exponential computing power to adversaries.
 This technology may be used by adversaries to cut down on the time required to guess
passwords and break encryption.
 Hopefully, we will have access to such computing power before bad actors do.

Summing Up
In this lesson, you learned about securing data. You learned…
 How websites and services store passwords;
 How text values can be hashed to ensure secrecy;
 About the roles of salting, one-way hash functions, keys, encryption, and decryption in
securely storing data;
 About public and private keys;
 How technologies leverage public and private keys to keep data secure;
 How to secure your own hardware;
 Emerging benefits and threats posed by quantum computing.
Lecture 2-Securing Systems
 Securing Systems
 Wi-Fi
 HTTP
 HTTPS
 VPN
 SSH
 Ports
 Malware
 Antivirus
 Summing Up

Securing Systems
 This is Southway Infotech Institute’s Certificate course in cybersecurity.
 This week, we are going to focus on networks and systems.
 Last time, we introduced encryption as a way by which to secure information.

Wi-Fi
 Chances are, you have recognized that there are secured and unsecured networks.
 Secured networks utilize encryption to protect data between you and other devices.
 Wi-Fi Protected Access or WPA is a form of encryption utilized to secure networks.

HTTP
 Hypertext Transfer Protocol, or HTTP, is an unencrypted way by which to transfer data.
 Utilizing HTTP, one is vulnerable to Man-in-the-Middle attacks where an adversary could
inject additional HTML code into what one is downloading. Advertisements could be
injected into all the web pages you are accessing via HTTP. Further, malicious code could be
inserted as well.
 Indeed, there are other threats too. Packet sniffing is a way by which an adversary may look
inside data that is being transferred between parties. You can imagine how a credit card
number placed within an unsecured packet could indeed be detected and stolen by an
adversary.
 Cookies are small files that websites put on your computer. Cookies may be used by
websites to keep track of who you are, present your emails, or keep track of your shopping
cart. Cookies make one vulnerable to session hijacking, whereby an adversary could inject a
supercookie to track you.
 How might one defend against such a threat?

HTTPS
 HTTPS is a secure protocol for HTTP.
 Traffic between parties is encrypted.
 This is accomplished through TLS, which relies on public-key cryptography.
 A website has a public key that is signed by a third party; the signed result is called a
certificate, of type X.509. These websites also have a private key.
 Certificate authorities or CAs are trusted third-party companies that issue certificates.
 When you visit a website, your browser downloads the certificate of that website, runs it
through an algorithm, and creates a hash.
 Then, it uses the public key of the website and the signature of that certificate provided to an
algorithm to verify that it creates the exact hash found prior.
 If these match, the web browser application is satisfied that this is a secured website.
 HTTPS mathematically does keep us secure, but there are exceptions.
 SSL Stripping is an attack by which an adversary uses HTTP on a website to redirect traffic
to a malicious website. An adversary may even redirect one to an HTTPS-secured domain
that is not the intended website.
 One way of mitigating this threat is by implementing HSTS or HTTP strict transport
security, whereby the server tells the browser to direct all traffic to a secure connection.

VPN
 A VPN, or virtual private network, establishes an encrypted channel between two points.
 Within a VPN, all traffic is encrypted.
 However, there are some side effects.
 Because the pipeline between two parties results in receiving an IP address from the second
party, it will appear to services throughout the web that your IP address is that of the second
party: not your original IP address!
 Indeed, people often use a VPN to masquerade as being in another country.

SSH
 SSH is a secure protocol by which you can execute commands on a remote server.
 If one wants to communicate with a remote computer and execute commands there, one may
issue an ssh command. The following is an example of using the SSH command to connect
to a server at Stanford University. You would still need appropriate credentials and
permissions to successfully connect.
ssh stanford.edu

 If one has the appropriate access rights, one can execute commands directly on a remote
server.

Ports
 Port numbers are used to direct web traffic toward specific services on a server.
 For example, port 80 directs to HTTP, 443 to HTTPS, and 22 to SSH.
 Servers listen to these ports for incoming traffic.
 Accordingly, adversaries may engage in port scanning where all potential ports are tried to
see if they are accepting traffic.
 Penetration testing is an activity that a professional may engage in to check for port-related
security vulnerabilities.
 Ethical hacking is the legal business of testing for such vulnerabilities.
 A firewall is a piece of software that protects various services by blocking unauthorized
access, including from compromised services on a device.
 Firewalls utilize IP addresses, unique numbers assigned to each computer on a network, to
prevent outsiders from participating in traffic.
 Firewalls can also use deep packet inspection, where they examine the data within packets
for material that may be of interest to your company. This can be used to check to see if you
are emailing the press or other parties that may be considered adversaries by your company.
 Deep packet inspection is used via proxy, where a device in the middle is used as the path by
which traffic comes in and out of the network. It is on this proxy that your school or company
may change URLs, log what URL you are attempting to browse to, and, hopefully, protect
you against potentially harmful behavior.

Malware
 Malware is malicious software that damages a computer or compromises its security.
 A virus is a piece of software that attaches itself to your computer. Once installed, it can do
nearly anything!
 A worm is a malicious piece of software that can move from one computer to another via
holes in security.
 A botnet is malicious software that, once installed on your computer, infects other computers
and can be used by an adversary to issue commands to thousands of infected computers.
 Computers infected by botnets can be used to issue denial-of-service attacks whereby lots of
requests can be issued to a server for the purpose of slowing or shutting it down. Because so
many computers are in a botnet, this type of attack, coming from thousands of IP addresses,
can be called a distributed denial-of-service attack.

Antivirus
 Antivirus software detects viruses and hopefully can remove them.
 Automatic updates must be enabled to fix security holes in previous iterations of the
software.
 Still, one may be vulnerable to zero-day attacks, which exploit unknown vulnerabilities in
software before the software company has had a chance to create a fix.

Summing Up
In this lesson, you learned about securing systems. You learned…
 How wireless networks are secured;
 How unsecured and secured protocols can be used to send and receive data within a
network;
 How virtual private networks can encrypt network traffic;
 About ports and the vulnerabilities that adversaries use to exploit them;
 About malware of various kinds;
 How antivirus software can assist in preventing malicious software from being installed on
your computer.
Lecture 3-Securing Software
 Securing Software
 Phishing
 Code Injection
 Reflected Attack
 Stored Attack
 Character Escapes
 HTTP Headers
 SQL Injection
 Prepared Statements
 Command Injection
 Developer Tools
 Server-Side Validation
 Cross-Site Request Forgery (CSRF)
 Arbitrary Code Execution (ACE)
 Open-Source Software
 Closed-Source Software
 App Stores
 Package Managers
 Bug Bounty
 Identifying Vulnerabilities
 Summing Up

Securing Software
 This is Southway Infotech Institute’s Certificate course in cybersecurity.
 This week, let’s focus on securing software that you use or software that you create.
 Last time, we introduced various attacks that could be used by adversaries to obtain
information from you.

Phishing
 We introduced an attack called phishing, where an adversary tricks you into providing
information of some kind.
 In the source code of a website, for example, in the language of HTML, you may see code
like this:
<p>...</p>

Notice in the code above that a paragraph starts and ends. It begins with an opening tag and
ends with a closing tag.
 Similarly, links in web pages use a specific type of tag called an anchor tag to take users
from one web page to another.
 Such code looks like this:
<a href="https://harvard.edu">Harvard</a>

Notice that this code is an anchor tag that allows the user to click the word ‘Harvard’ and visit
harvard.edu.

 On an actual web page, you could move your mouse over such a link and see where this
precise link will take you.
 Adversaries may take advantage of your lack of attention to claim you are linking to one
web page when you are actually linking to another one.
 For example, an adversary could provide code like this:
<a href="https://yale.edu">https://harvard.edu</a>

Notice that this code is an anchor tag that tricks the user into clicking https://harvard.edu
when it actually browses to yale.edu. While the user will think they are clicking a link for
Harvard, they are actually browsing to Yale.
 You can imagine how this strategy can be used by an adversary to trick you into thinking
you are visiting one website when you are actually visiting another.
 Adversaries often create fake versions of websites for the sole purpose of tricking users into
inputting sensitive information into those websites. For example, if you were a Harvard
student visiting such a fake Harvard website, you may attempt to log in and provide your
username and password to an adversary.
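
One way a mail filter or reviewer could flag the misleading anchor tag shown above: compare the site named in the link text with the site in `href`. This is an added example, not part of the original notes; the function names and sample HTML are constructed, and the last sample link uses a made-up look-alike host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(text):
    """Host named by a URL or bare domain (lowercase, no 'www.'), else None."""
    text = text.strip()
    if not text or any(c.isspace() for c in text) or "." not in text:
        return None                      # ordinary link text such as "Harvard"
    try:
        host = urlsplit(text if "//" in text else "//" + text).hostname or ""
    except ValueError:
        return None
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    tld = host.rsplit(".", 1)[-1]
    return host if "." in host and tld.isalpha() else None


def same_site(shown, actual):
    """True if the real host is the shown host or one of its subdomains."""
    return actual == shown or actual.endswith("." + shown)


class LinkAuditor(HTMLParser):
    """Collects (shown host, actual host) pairs that disagree."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.href = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = host_of("".join(self.text))
            actual = host_of(self.href)
            if shown and actual and not same_site(shown, actual):
                self.findings.append((shown, actual))
            self.href = None


def mismatched_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: the second and fourth links are misleading.
SAMPLE = """
<p><a href="https://harvard.edu">Harvard</a></p>
<p><a href="https://yale.edu">https://harvard.edu</a></p>
<p><a href="https://www.harvard.edu/admissions">harvard.edu</a></p>
<p><a href="https://harvard.edu.login.example/">www.harvard.edu</a></p>
"""

if __name__ == "__main__":
    for shown, actual in mismatched_links(SAMPLE):
        print(f"text says {shown}, link goes to {actual}")
```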

Code Injection
 Cross-site scripting, or XSS, is a form of attack where a website is tricked into running
malicious code via a user’s input.
 For example, on Google, when you type a search for the term “cat”, notice how the term
appears on the screen elsewhere, showing you how many results are present for this search.
 Imagine that an adversary who knows a bit about the web could insert code as input as a
way of tricking the website into running such code.
 For example, consider the following code that could be inserted into a search field:
<script>alert('attack')</script>

Notice how this script displays a notification that says “attack.” While the Google website will not
display such a notice due to security, this is representative of what an adversary could attempt.
 If a website blindly copies user input and outputs what the adversary typed, this is a major
security concern.

Reflected Attack
 A reflected attack is one that takes advantage of how websites accept input to trick a user’s
browser into sending a request for information that results in an attack.
 Imagine that a user could be tricked to click a link structured as follows:
<a href="https://www.google.com/search?q=%3Cscript%3Ealert%28%27attack%27%29%3C%2Fscript%3E">cats</a>
Notice that this link includes the exact script presented above that is intended to create an attack
alert on the user’s screen.
 The user’s actions trick their own web browser into reflecting back an attack upon the user.

Stored Attack
 A website could be vulnerable to an attack where it is tricked into storing malicious code.
 Imagine where one could email malicious code. If an email provider blindly accepts any
code sent to it, any person receiving the malicious code may become a victim of an attack.

Character Escapes
 Services use character escapes to protect against such attacks. Software should escape characters that have a special meaning in code, so that the browser displays them as text instead of interpreting them.
 For example, code like the following…
<p>About 6,420,000,000 <script>alert('attack')</script></p>

will be outputted by secured software as…


<p>About 6,420,000,000 &lt;script&gt;alert('attack')&lt;/script&gt;</p>

While a bit cryptic, notice that &lt; is used to escape potential characters that would pose a threat
to the software. The output of the above then becomes a text-only representation of the malicious
code.
 Commonly escaped characters include:
 &lt;, which is the less-than sign, “<”
 &gt;, which is the greater-than sign, “>”
 &amp;, which is the ampersand, “&”
 &quot;, which is the double quote, “"”
 &apos;, which is the single quote, “'”
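The reflected link and the character escapes described above, worked through as an added example (not part of the original notes). The function names are hypothetical; the clean `https://www.google.com/` form of the link and the "results for" wording are assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The reflected link from the notes: the script is percent-encoded in q=
LINK = ("https://www.google.com/search"
        "?q=%3Cscript%3Ealert%28%27attack%27%29%3C%2Fscript%3E")


def search_term(url):
    """Decode the q parameter the way a web framework hands it to the app."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(term):
    # Vulnerable: blindly copies user input into the page, so the
    # browser sees a real <script> element and runs it.
    return f"<p>About 6,420,000,000 results for {term}</p>"


def render_escaped(term):
    # html.escape() replaces & < > " ' with character references.
    # It escapes & first, so input that already contains "&lt;" is
    # shown literally instead of being turned back into "<".
    # Python emits &#x27; for the single quote rather than &apos;.
    return f"<p>About 6,420,000,000 results for {html.escape(term, quote=True)}</p>"


if __name__ == "__main__":
    term = search_term(LINK)
    print(render_unsafe(term))
    print(render_escaped(term))
```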

HTTP Headers
 Recall that HTTP headers are additional instructions that are provided to the browser.
 Consider the following header:
Content-Security-Policy: script-src https://example.com/

Notice that the above security policy in a website header will only allow JavaScript to be loaded via
separate files, usually ending in .js. Thus, <script> tags inside HTML will not be run by the
browser when this security policy is in place.
 Similarly, the following header will allow CSS only from .css files:
Content-Security-Policy: style-src https://example.com/

Notice that style-src indicates that only CSS that is loaded from a .css file will be permitted.

SQL Injection
 Structured query language or SQL is a programming language that allows for retrieving
specific information from a database.
 Consider how an adversary may attempt to trick SQL into executing malicious code.
 Consider the following SQL code:
SELECT * FROM users
WHERE username = '{username}'

Notice that here a user’s inputted username is inserted into the SQL code.
 Never trust a user’s input.
 All input should be scrubbed such that all user input is escaped.
 Suppose that an adversary inserted the following code into the username field:
malan'; DELETE FROM users; --

Notice that in addition to a username, malicious code is inserted.


 What results because of the above input is the following:
SELECT * FROM users
WHERE username = 'malan'; DELETE FROM users; --'

Notice that the adversary’s malicious input adds additional code to the query. What results is the
deletion of all users from the system. Every account on the system is deleted.
 Suppose that a user is asked for a username and password as follows:
SELECT * FROM users
WHERE username = '{username}' AND password = '{password}'

Notice a user is asked for a username and password.


 An adversary could insert the following into the password field:
' OR '1'='1

 The following SQL code will then execute:


SELECT * FROM users
WHERE username = 'malan' AND password = ''
OR '1'='1'

Notice grammatically, this results in providing all the users in the database.
 To see this more plainly, notice the additional parentheses added below:
SELECT * FROM users
WHERE (username = 'malan' AND password = '')
OR '1'='1'

Notice that this code will either show all users where the username and password combination are
true OR all users.

 Effectively, the above input is always true. Through this security vulnerability, the adversary
may have information about all users on the system, including the administrator.

Prepared Statements
 Prepared statements are pre-designed snippets of code that correctly handle many database
functions, including user input.
 Such statements, for example, ensure that user-inputted data is properly escaped.
 A prepared statement will take code as the following…
SELECT * FROM users
WHERE username = '{username}'

and replace it with…


SELECT * FROM users
WHERE username = ?

 Prepared statements will look for any ' characters and replace them with ''. Hence, our
previous attack shown above would be rendered by the prepared statement:
SELECT * FROM users
WHERE username = 'malan''; DELETE FROM users; --'

Notice that the ' at the end of ‘malan’ is replaced with '', rendering the malicious code inoperable.

 What results is that malicious characters are escaped, such that malicious code cannot run.
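The two attacks above, run against an in-memory SQLite database next to their prepared-statement counterparts, as an added example (not code from the original notes). The table rows and function names are constructed for illustration. Note that `sqlite3` binds the value separately from the SQL text rather than doubling quotes, which has the same effect as the escaping described above.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("malan", "pw-malan"), ("admin", "pw-admin"), ("carter", "pw-carter")],
    )
    db.commit()
    return db


def count_users(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def login_vulnerable(db, username, password):
    # Vulnerable: user input becomes part of the SQL text itself.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in db.execute(query)]


def login_prepared(db, username, password):
    # Placeholders: the driver passes the values as data, never as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(query, (username, password))]


def lookup_vulnerable(db, username):
    # sqlite3's execute() refuses more than one statement, so
    # executescript() stands in here (an assumption of this example)
    # for a driver that runs stacked statements.
    db.executescript(f"SELECT * FROM users WHERE username = '{username}'")


def lookup_prepared(db, username):
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "malan", "' OR '1'='1"))  # every user
    print(login_prepared(db, "malan", "' OR '1'='1"))    # no match
    print(lookup_prepared(db, "malan'; DELETE FROM users; --"), count_users(db))
    lookup_vulnerable(db, "malan'; DELETE FROM users; --")
    print(count_users(db))                               # table emptied
```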

Command Injection
 A command line interface is a method by which to run a computer system using text-based
commands, as opposed to clicking on menus and buttons.
 A command injection attack is one that issues a command on the underlying system itself.
 Should a command be passed from user input to the command line, the effect could be
disastrous.
 Two common places of vulnerability are the system and eval functions: if you pass
user input to them without sanitization, malicious commands could be issued on a system.
 Always read the documentation to learn how to escape the user’s input.
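How user input reaches the command line, and two ways to keep it from being parsed as a command, shown as an added example (not part of the original notes). The `echo` greeting and the function names are hypothetical, and a POSIX shell is assumed.

```python
import shlex
import subprocess


def greet_vulnerable(name):
    # Vulnerable: the whole string is handed to /bin/sh, so shell
    # metacharacters in name (; | && $( ) ...) are interpreted.
    result = subprocess.run(
        f"echo Hello, {name}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def greet_argv(name):
    # Preferred: no shell at all. Each list item is passed to the
    # program as one argument, whatever characters it contains.
    result = subprocess.run(
        ["echo", f"Hello, {name}"], capture_output=True, text=True
    )
    return result.stdout


def greet_quoted(name):
    # If a shell is unavoidable, escape the input the way the
    # documentation prescribes; for POSIX shells that is shlex.quote().
    result = subprocess.run(
        f"echo Hello, {shlex.quote(name)}",
        shell=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    user_input = "cats; echo INJECTED"   # constructed input
    print(repr(greet_vulnerable(user_input)))  # second command runs
    print(repr(greet_argv(user_input)))        # printed as plain text
    print(repr(greet_quoted(user_input)))      # printed as plain text
```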

Developer Tools
 Let’s return to the world of HTML and the web.
 In the context of the browser, developer tools allow you to poke around some of the
underlying code in a web page.
 Consider what we can do using developer tools. Here is the code for a checkbox:
<input disabled type="checkbox">

Notice that this creates a type of input called a checkbox. Further, notice that this checkbox is disabled
and not usable via the disabled attribute.

 Perhaps a challenge with the security of HTML is that the HTML is resident on the user’s
computer. Therefore, the user is able to make changes to their local copy of it.
 A user with access to HTML on their own computer via developer tools can change HTML.
<input type="checkbox">

Notice that a local copy of the HTML here has the disabled attribute removed.

 You should never trust client-side validation alone.


 Similarly, consider the following HTML:
<input required type="text">

Notice how this text input is required.

 Someone with access to developer tools could remove the requirement of this input as
follows:
<input type="text">

Notice the required attribute is removed.

 Again, never trust that client-side validation will ensure the security of your web application.

Server-Side Validation
 Server-side validation provides security features to ensure that user input is appropriate and
safe.
 While this topic is beyond the scope of this class, simply trust in the principle that user input
should be validated on the server-side. Never trust user input.

Cross-Site Request Forgery (CSRF)


 Another threat is called cross-site request forgery or CSRF.
 Websites use two primary methods to interact with users called GET and POST methods.
 GET gets information from a server.
 You might consider how Amazon uses the GET method for the following HTML:
<a href="https://www.amazon.com/dp/B07XLQ2FSK">Buy Now</a>

Notice how with a single click, one can buy this product.
 You can imagine how one may trick someone into buying something they don’t intend.
 One could provide an image that is automatically attempting to buy a product:
<img src="https://www.amazon.com/dp/B07XLQ2FSK">

Notice that no image is provided here. Instead, the browser will attempt to execute the GET method
using this URL, making a possibly unauthorized or unwanted purchase.
 Similarly, adversaries can use the POST method to make unauthorized purchases.
 Consider the following HTML of the ‘Buy Now’ button:
<form action="https://www.amazon.com/" method="post">
<input name="dp" type="hidden" value="B07XLQ2FSK">
<button type="submit">Buy Now</button>
</form>
Notice how a web form, as implemented above, could naively make one believe that one is safe
from an unauthorized purchase. Because this form includes a hidden value that is used by
Amazon, hypothetically, for validation, it may make a programmer think that users are safe.
 However, as is the case with many exploits, this feeling of safety is misplaced.
 Indeed, adding only a few lines of code could subvert the above. Imagine an adversary has
the following code on their own website (not Amazon’s):
<form action="https://www.amazon.com/" method="post">
<input name="dp" type="hidden" value="B07XLQ2FSK">
<button type="submit">Buy Now</button>
</form>
<script>
document.forms[0].submit();
</script>

Notice how a few lines of code on an adversary’s website could locate a form and submit it
automatically.
 This ability to trick a user into executing commands on another website is the essence of a
CSRF.
 One way to protect against an attack such as this is a CSRF token, where a secret value is
generated by the server for each user. Thus, a server will validate that the CSRF token
presented in a user’s submission matches the token expected by the server.
 These tokens are often submitted via HTTP headers.
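A server-side sketch of the CSRF token check described above, as an added example (not part of the original notes). The `CsrfProtector` class, the `/buy` action, the `csrf_token` field name and the session ids are hypothetical, and the token travels in a hidden form field here rather than in a header.

```python
import hmac
import secrets


class CsrfProtector:
    """Keeps one secret token per session on the server (hypothetical helper)."""

    def __init__(self):
        self._tokens = {}  # session id -> token, never sent to other sites

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # unguessable random value
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str) or not submitted:
            return False
        # Constant-time comparison; compare bytes so that non-ASCII
        # input is rejected instead of raising an exception.
        return hmac.compare_digest(expected.encode(), submitted.encode())


def render_buy_form(protector, session_id):
    # The legitimate site embeds the user's token in its own form.
    token = protector.issue(session_id)
    return (
        '<form action="/buy" method="post">\n'
        f'<input name="csrf_token" type="hidden" value="{token}">\n'
        '<input name="dp" type="hidden" value="B07XLQ2FSK">\n'
        '<button type="submit">Buy Now</button>\n'
        "</form>"
    )


def handle_buy(protector, session_id, form):
    # A form hosted on another website can copy the dp field, but it
    # cannot read the victim's token, so the request is refused.
    if not protector.verify(session_id, form.get("csrf_token")):
        return 403
    return 200


if __name__ == "__main__":
    protector = CsrfProtector()
    print(render_buy_form(protector, "sess-alice"))
    print(handle_buy(protector, "sess-alice", {"dp": "B07XLQ2FSK"}))  # 403
```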

Arbitrary Code Execution (ACE)


 Arbitrary code execution, or ACE, is the act of executing code that is not part of the intended
code within software.
 One such threat is called buffer overflow, where software is overwhelmed with input. Such
input overflows into other areas of memory, causing the program to malfunction. For
example, the software may expect input of a short length, but the user inputs an input of a
massive length.
 Another similar threat is called a stack overflow, where overflows can be used to insert and
execute malicious code.
 Sometimes, attacks such as these can be used for cracking or bypassing the need to register
or pay for a piece of software.
 Further, attacks such as these can be used for reverse engineering to see how code functions.

Open-Source Software
 One way to circumvent threats like this is to use and make open-source software. Such
software’s code is published readily online for anyone to see.
 One can audit the code and make sure that there are fewer security threats.
 These pieces of software are still vulnerable to attacks.

Closed-Source Software
 Closed-source software is the opposite of open-source software.
 Such software’s code is not available to the public and, therefore, may be less vulnerable to
adversaries.
 However, there is a tradeoff between open-source software, where thousands of eyes are
looking for vulnerabilities in the software, and closed-source software, where code is hidden
from public view.

App Stores
 App stores are run by entities like Google and Apple, where they monitor submitted code for
adversarial intent.
 When you install only authorized software, you are far more protected than installing
software from any developer without using an app store.
 App stores employ encryption to accept only software or code that is signed by authorized
developers. In turn, app stores sign software with a digital signature. Thus, operating
systems can ensure that only authorized, signed software is being installed.

Package Managers
 Package managers adopt a similar signing mechanism to ensure that what you download
from third parties is trustworthy. However, there is no guarantee that one is entirely safe.
 Still, we are always attempting to raise the bar for adversaries to install adversarial code.

Bug Bounty
 Bug bounties are paid opportunities for individuals to discover and report vulnerabilities in
software.
 Bounties such as these may effectively influence would-be adversaries to opt to be paid for
finding vulnerabilities rather than deploying them as an attacker.

Identifying Vulnerabilities
 Developers can examine a database of common vulnerabilities and exposures or CVE
numbers to see what adversaries are doing worldwide.
 Further, they may examine the common vulnerabilities scoring system or CVSS to see how
severe such threats are.
 There is also an exploit prediction scoring system or EPSS that allows developers to see the
potential for vulnerabilities worldwide to allow them to prioritize their security efforts.
 The known exploited vulnerabilities, or KEV, database is a list of known vulnerabilities.

Summing Up
In this lesson, you learned about securing software. You learned…
 How adversaries use attacks such as phishing, code injection, reflected attacks, SQL
injection, and stored attacks to infiltrate software;
 How character escapes, HTTP headers, prepared statements, and server-side validation may
help thwart the attacks of adversaries;
 How app stores, package managers, and developer signatures help protect against the
installation of malicious code;
 How experts in the cybersecurity field track exploits.

Lecture 4-Preserving Privacy
 Preserving Privacy
 Web Browsing History
 HTTP Headers
 Fingerprinting
 Session Cookies
 Tracking Cookie
 Tracking Parameters
 Third-Party Cookies
 Private Browsing
 Supercookies
 DNS
 Virtual Private Network (VPN)
 Tor
 Permissions
 Summing Up

Preserving Privacy
 This is Southway Infotech Institute’s Certificate course in cybersecurity.
 Today, let’s consider what information we are sharing without our knowledge and how we
can restrict that sharing.

Web Browsing History


 Your browsing history is both a feature and a potential threat to privacy.
 You may not want someone to have access to what websites you have visited.
 You can clear your browser history. However, you may be logged out of all services.
 Servers typically have logs that track user activities. Therefore, even when you clear your
browser history, servers keep track of what you have accessed.
 A server log may appear as follows:
log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';

Notice that this includes your IP address, your local time, and other details that are shared in the
digital envelopes sent between computers.
 How can we exert some sort of control over what we can share?

HTTP Headers
 As we discussed, HTTP Headers are key-value pairs sent between your computer and a
server.
 Consider the following URL that may be visited using the link shown in the following
HTML file.
<a href="https://example.com">cats</a>

This HTML presents a link called cats that directs the user to example.com.

 When you visit a website, the browser shares by default the link that referred you there.
 When you click a link, the browser shares with websites what website referred you. Hence,
the following header is shared from the browser to the server:
Referer: https://www.google.com/search?q=cats

Notice that this header shares what you were searching for.
 Would it not be nice to be able to suppress what is being shared? Consider the following:
Referer: https://www.google.com/

Notice that this header only shares the origin, not the specific search you were doing.
 The following meta tag can be added to your website to restrict what is shared to only the
origin of traffic.
<meta name="referrer" content="origin">

Notice the content attribute is set to origin.

 One can restrict further by adding the following to your website to provide no referrer
information.
<meta name="referrer" content="no-referrer">

Notice the content attribute is set to no-referrer.

Fingerprinting
 Each browser presents more or less information about your identity and behavior than
others.
 Regardless of the browser you choose, servers log your activities.
 Fingerprinting is a way by which third parties can identify you based upon clues that are
available, even when you have restricted your browser from sharing as much information
about you as possible.
 One such piece of information is the User-Agent request header, which describes your
device as follows:
Mozilla/5.0 (Linux; {Android Version}; {Build Tag etc.})
AppleWebKit/{WebKit Rev} (KHTML, like Gecko)
Chrome/{Chrome Rev} Mobile Safari/{WebKit Rev}

Notice that your browser, OS version, and device are identified.


 Web servers can also locate your IP address and log it.
 Web servers can also discover your screen resolution, extensions installed, fonts installed,
and other information.
 When this information is gathered together over time, it can make you more and more
identifiable.

Session Cookies
 Recall cookies are like a virtual hand stamp to track you individually.
 Session cookies are a piece of information that servers place on your computer to identify
you.
 A session cookie may appear as follows:
HTTP/3 200
Set-Cookie: session=1234abcd

Notice that this cookie tells the server that your session is 1234abcd.

 Every sequence of session numbers or characters will be unique for each user.
 Session cookies typically expire after a period of time determined by the server.

Tracking Cookie
 Tracking cookies are designed to track you.
 Third parties use such cookies to track your behavior on a website. Consider the following:
Set-Cookie: _ga=GA1.2.0123456789.0; max-age=63072000

Notice that this Google Analytics cookie lasts two years and tracks your activity by presenting itself
to each new site you visit.

Tracking Parameters
 Where cookies are hidden “under the hood” of your browser, tracking parameters are visible
in the links you access.
 Consider the following URL:
https://example.com/ad_engagement?click_id=YmVhODI1MmZmNGU4&campaign_id=23

Notice that the value for click_id, YmVhODI1MmZmNGU4, tracks you specifically.

 While cookies are tracked in the background, you can see how links you visit (based on the
URL) can track you.
 More and more, browsers are tending toward sanitizing tracking parameters. Consider the
following URL:
https://example.com/ad_engagement?campaign_id=23

Notice that this link only tracks the campaign to which you are responding. There is no longer a
value for click_id.
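One way a browser or privacy extension could sanitize the link above, as an added example (not part of the original notes). Only `click_id` comes from the notes; the other keys in the set and the function name are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters that identify an individual click or user. click_id is the
# one from the notes; the rest are an assumed list of per-click
# identifiers used by large ad platforms.
TRACKING_KEYS = {"click_id", "gclid", "fbclid", "msclkid"}


def strip_tracking(url):
    """Return url without per-user tracking parameters.

    Campaign-level parameters such as campaign_id are kept, matching
    the sanitized link shown in the notes.
    """
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in TRACKING_KEYS
    ]
    # urlunsplit() drops the "?" when no parameters remain and
    # preserves any #fragment.
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    link = ("https://example.com/ad_engagement"
            "?click_id=YmVhODI1MmZmNGU4&campaign_id=23")
    print(strip_tracking(link))
```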

Third-Party Cookies
 Another type of cookie is a third-party cookie.
 Third parties (i.e., other servers or companies) want to understand how you travel between
websites. Consider the following HTTP request:
GET /ad.gif HTTP/3
Host: example.com
Referer: https://harvard.edu/

Notice that this request specifically asks to GET a file called ad.gif from example.com.

 Automatically, the server responds with the following headers:


HTTP/3 200
Set-Cookie: id=1234abcd; max-age=31536000

The Set-Cookie response header sets a cookie called id that lasts one year (a max-age of 31,536,000 seconds).

 If you browse to another website that utilizes the same ad, example.com now knows you
are browsing both harvard.edu and yale.edu. Say you later make the following
HTTP request:
GET /ad.gif HTTP/3
Cookie: id=1234abcd
Host: example.com
Referer: https://yale.edu/

Notice that the third-party cookie from earlier, id=1234abcd, is now being shown to
example.com again, thus revealing that you’ve later visited yale.edu.

 Third-party cookies can be used to track us and monetize information about us.

Private Browsing
 One method by which to help protect your activity is private browsing.
 In a private browsing window or tab, past cookies are eliminated.
 Still, the web works as the web does! New cookies can still be formed in the ecosystem
of a private browsing window.
 More to the point, servers can still track your activity within your single browsing
session.

Supercookies
 Whoever provides your internet service can always inject their own cookies into your HTTP
headers without your knowledge.
 You may be able to opt out of supercookies with your internet provider.

DNS
 The Domain Name System or DNS is a service by which website names, like
harvard.edu, are resolved to specific IP addresses.
 By convention, traffic to DNS is entirely unencrypted. Hence, you are announcing to the
world what website you are attempting to visit.
 Your internet service provider and DNS services know exactly where you are attempting to
visit.
 Two alternatives, DNS over HTTPS or DoH and DNS over TLS or DoT, are
services by which you can encrypt your DNS requests.

Virtual Private Network (VPN)


 VPNs, recall, are a way to connect to the internet in such a way that it appears you are doing so
from a different device.
 VPNs establish an encrypted connection between your own computer (A) and a trusted
server (B). Server B then sends your request to the internet, so it appears as if your traffic is
coming from B and not A.
 VPNs do not protect you if your computer is infected with malware.
 VPNs will make it appear as though your traffic is coming from the VPN’s IP address
instead of your own computer’s.

Tor
 Tor is a piece of software that redirects your traffic to a node of Tor servers.
 Traffic is directed through many encrypted nodes.
 By design, the software does not remember much of your activity.
 Utilizing such a service provides a high likelihood that little can be identified about you.
 However, do note that if you are the only person utilizing Tor on a local network at your
place of work or school, it is quite possible through other means to identify who you are.
 No technology provides you with absolute protection.

Permissions
 Operating systems are, by growing convention, asking to utilize certain permissions on your
device.
 Location-based services, by default, provide your geographic location. Best to be mindful
that Apple Maps and Google Maps are very much aware of where you are at any given time
if you provide them with such permissions.

Summing Up
In this course, we discussed…
 Many lessons that have, hopefully, raised your awareness about what information is
provided to third parties;
 How vulnerabilities arise in computers, servers, software, and your overall privacy;
 How you can mitigate these vulnerabilities with your increased awareness; and
 How you can better manage your privacy and that of others you serve.
