Material taken from OWASP.org for this lecture
Cyber Security Fundamentals (M): Web application attacks
Structure of Lectures
Sections that will be covered:
Cyber Security Basic background, Look into networking,
Cyber Attacks and defence,
Web applications’ vulnerabilities, Trending in Cyber,
Penetration testing & Digital Forensics.
CSF 2021 Maria Evangelopoulou Web application attacks
Lecturer’s instructions
When you see the red sign in a slide it means that you must not use anything described in the specific slide without the necessary authorisation. The lecturer of this course will not be responsible for any misuse.
When you see the green sign in a slide it means that you can use anything described in the specific slide on your own.
CSF 2021 Maria Evangelopoulou Web application attacks
This Photo by Unknown Author is licensed under CC BY-SA
CSF 2021 Maria Evangelopoulou Web application attacks
@wired.com
Notes
➢ Gary McKinnon he claimed to be curious and wanted to gain information on UFOs. So he thought it would be better to get a direct access into the channels of NASA and get the information he wanted. It is claimed that he managed to infiltrate and infect 97 US military and NASA computers and also delete files from these computers, from his girlfriend’s aunt house in London. However, McKinnon (known as SOLO) didn’t stop there but also shamed their security levels by leaving notices on their websites regarding their implemented security. But McKinnon is known as the hacker that managed to make the biggest military hack of all time (shutting down the US Military’s Washington Network – around 2000 computers). But this didn’t stop there he has been accused of hacking into more than 90 unclassified Pentagon and NASA systems in 2001 and 2002, causing some of them to crash. Authorities say his actions led to $900,000 in damages.
➢ Sentence: Originally facing a sentence of between six months and six-and-a-half years in prison → he rejected a plea offer of prison sentence of 12 months in USA with a six month parole afterwards in UK. He ended up spending 10 years in prison as he fought extradition and he wanted to be trialled in UK and not USA.
CSF 2021 Maria Evangelopoulou Web application attacks
@imdb.com
Web & Web Application attacks
➢ What is a Web Application?
CSF 2021 Maria Evangelopoulou Web application attacks
@sciencesoft
Notes
➢ What is the difference between web application and webpage?
➢Website/webpage is something static on the other hand web application is something dynamic. Web application is a client server program which the client has to run in a browser.
CSF 2021 Maria Evangelopoulou Web application attacks
Web application attacks cont…
➢What is a Web application attack? ➢What is the purpose and the end goal? ➢Can you name any?
Notes
➢Web application attack is the attempt to exploit an application running on a web server through a web site. The purpose and goal could vary as it can be about making the web application unresponsive, manipulate/steal data of users or customers, take control of the web application, cause disruption and even defacement that can be probably used for phishing purposes.
Web application attacks OWASP Top 10
CSF 2021 Maria Evangelopoulou Web application attacks
@owasp.org
Notes
➢OWASP is a non profitable organisation focusing on improving software security and provides many parallel cyber security projects and training environments (open source). It is essentially a hub of information that is being controlled by the community.
➢In this lecture we will see the identified OWASP top 10 vulnerabilities for web applications of 2017.
Number 1: Injection
➢ Injection flaws → untrusted data is sent to an interpreter as part of a command or query. The attacker tries to trick the interpreter into executing unintended commands or accessing data without proper authorization.
➢ There are different types of injection, like: SQL, XML, LDAP, HTML and more.
➢ Two types of injection attacks:
➢Manual: When the attacker manually types code in the website to
retrieve errors and gain access.
➢Scripted: When the attacker uses tools who’s sole purpose is to execute all known attacks to speed up process.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ SQL (Structured Query Language) is the language that is being used for communication between databases. Let’s consider as a simplified example the teaching office that needs to handle and store students’ data including course id, exam marks etc. You need to imagine that there is a database for students and each database is constructed of different tables depending on the subject. For example, a table with the name exam mark can have columns with Student ID, Course ID, Assessment mark, Exam mark and Final mark. In order to extract specific information someone can use SQL queries. Similar approach is taken on storing and handling data of users for a website in terms of authentication purposes (username and password).
➢ XML (eXtensible Markup Language) is similar to HTML. XML was designed to store and transport data. LDAP (Lightweight Directory Access Protocol); Internet protocol that programs like email use to look up information from a server (access directory services).
➢ HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
Number 1: Standard SQL injection
CSF 2021 Maria Evangelopoulou Web application attacks @portswigger.net
Notes
➢ SQL injection is when an attacker manually or scripted tries to trick the database which communicates with the front end website in order to retrieve valuable information which eventually will grant them access.
➢In order to try SQL injection someone can use SQL statements in every entry point of a web application for testing purposes. For example; login/register form, feedback form, search bar and more.
Number 1: Standard SQL injection
➢ Problem: User data used with no sufficient checks.
➢ SELECT * FROM Users WHERE Username = ‘$username’
AND Password = ‘$password’
➢This can lead to stolen user data, takeover and denial of access.
➢ Types of SQL injection: ➢ Blind
➢ Error-Based
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ The reason that injection is mostly possible is bad coding. This means the code is not validated and not clean so in consequence arguments like ‘ = can cause the database to give results that was not supposed to release.
➢ In an SQL Injection attack sometimes, the server responds with error messages from the database server complaining that the SQL Query’s syntax is incorrect. In blind SQL injection when an attacker attempts to exploit an application rather than getting a useful error message, they get a generic page specified by the developer. This can make the attack harder in succeeding but not impossible. On the other hand, error-based SQL injection is a technique in which vulnerabilities of the system become known by causing the database to throw errors on purpose. In this case an attacked can gain information like the database version, Operating System in use and more.
Simple Generic SQL injection
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
‘OR”=’
Notes
➢This website contains a vulnerable application for testing purposes so feel free to have a look and try some things if you want.
➢In this case we try to exploit the authentication mechanism by using ‘OR‘’=‘ statement as username and password. The result would be to login as the first user on the table and you can see on the next screenshot that we have access to this account and essential information of the user like email, credit card number and more.
Simple Generic SQL injection cont…
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
Blind SQL example
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
Notes
➢In the above attempt we enter an SQL query on the url of the website that asks for information for the admin page. The 20% are symbols used for empty space. You will notice that we weren’t given access and an error message appeared.
➢ For more info https://www.eso.org/~ndelmott/url_encode.html
Blind SQL example
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
Notes
➢ In the above attempt we entered an SQL query on the url of the website that asks for information about the user page. You will notice that we acquired access and no error message was encountered.
Number 1: Injection Guessing SQL table
➢ If there is any kind of login or subscription area that means that an SQL database is being used. Adding “+order+by+6753′′ at the end of the URL→“6753” is used because most websites don’t have more than 6753 columns. If an error returns then the website is vulnerable to SQL injection. You can keep guessing with a smaller number in order to identify the exact column numbers of the SQL table. The next step would be to start guessing the name of each column.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ There are different types of SQL injection attacks and as you can see from what is described from the slide above, sometimes attackers try to guess information about the database. How many columns are being used? If this becomes known then they use queries and start guessing combination of letters so they can identify the names of the columns. By building slowly knowledge about the exact structure of the database afterwards they can easily extract information.
Number 2: Broken Authentication
➢Scenario: Airline reservations application supports URL rewriting, putting session IDs in the URL. The user wants to let his friends know about the sale, so e-mails the link which contains his session ID. When his friends use the link they will use his session ID and possibly the credit card, if the user moved on with a purchase.
➢ Compromise of the system, unauthorised information disclosure and more.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢When a visitor signs in to a website, the site uses a proprietary algorithm to generate a unique session ID. This becomes the key between the server and the visitor and identifies the visitor’s unique identity. What if there is no encryption in place? That means that information exchange takes place in plain text so if someone intercepts this communication can easily impersonate the visitor by using his/hers unique session ID. This is a big danger especially in places with free Wifi. Moreover, the danger of being able to share through a link your session ID also exists, but nowadays is something that is not often encountered.
Number 3: Sensitive Data Exposure
➢ Many web applications and APIs do not properly protect sensitive data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
➢ Scenario: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text.
➢ Lack of data protection → Loss of trust and offense against privacy laws.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ General this flaw refers to unprotected data; lack of encryption in place; the methodology of communication like it will be mentioned in the cryptography lecture (use of public keys only) and more.
Number 4: XML External Entities (XXE)
➢Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
➢
]>
➢Trusting user input→extraction of data and information gathering.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢In the previous slide a piece of XML code is given. The vulnerability in this example is that the path is clearly visible of the password file. This gives important information on where valuable information is stored and how.
Number 5: Broken Access Control
➢ Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc
➢ Trusting user input → privilege escalation.
➢ Scenario: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page. If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ When you login to a page you will notice that the URL is modified accordingly to demonstrate your session. For example on Facebook at some point they were allowing Facebook users to obtain their personalised URL. This of course was used in order to make people easier to identify you on Facebook. But some websites have broken authentication flaws and allow unauthorised access.
CSF 2021 Maria Evangelopoulou Web application attacks
Number 6: Security Misconfiguration
➢ Security misconfiguration; a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Lack of securely configurations, patching and timely upgrades.
➢Lack of knowledge→information gathering, unauthorised access, system takeover.
➢ Scenario: The application server comes with sample applications that are not removed from the production server. These sample applications have known security flaws attackers use to compromise the server. If one of these applications is the admin console, and default accounts weren’t changed the attacker logs in with default passwords and takes over.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ In this case two issues are identified:
1) Admin is not aware that new updates of the system are available or even is not knowledgeable on how to setup the system with settings that will enhance the cyber security level.
2) Admin is aware that there are some updates that need to take place but doesn’t identify them as critical or have the “if it works, no reason to change” attitude or maybe “why should I spent resources? The system would never become a target.”
Moreover, it is good for you to remember that in critical infrastructures patching is usually avoided as the risk of the system becoming unresponsive is generally high.
Number 7: Cross-Site Scripting (XSS)
➢XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user- supplied data using a browser API that can create HTML or JavaScript.
➢Trusting user input→hijack user sessions, deface web sites, or redirect the user to malicious sites.
CSF 2021 Maria Evangelopoulou Web application attacks
Number 7: Cross-Site Scripting (XSS) cont.
➢ Persistent/Stored XSS; the malicious string originates from the website’s database.
➢ Reflected XSS; malicious string originates from the victim’s request.
➢DOM-based XSS; client-side code vulnerability and not server-side code.
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢DOM based XSS is not something that will be encountered in a usual rate.
➢In XSS is all about where the script originates from; if it is from user input or stored. But someone would say why use XSS? What can we do with XSS? The first example given below is just creating an alert message through user input. This shows us that the web application is vulnerable to XSS and scripting can be used for various purposes. Let’s see more in depth below.
XSS example
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
XSS example cont.
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
XSS commands
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
Notes
➢ First when testing a web application someone would use a simple approach. Trying to write something underlined hello or bold hello. This would give an indication that no user input sanitization is in place. The next stage would be what has been presented in the previous slide; using a script for creating an alert or error message or similar. If this works too then it can be used for various things. Above an example is shown where the script statement is changed with document.cookie. In this case the cookie of the session can be acquired and by using this someone can create something known as a cookie grabber (code presented in slide). Then a script statement would be used by adding the created cookie grabber and the previously acquired cookie. In this way the script is uploaded and that means every time someone accesses the web application the creator of the cookie grabber acquires cookie information as presented in the next slide.
XSS commands
CSF 2021 Maria Evangelopoulou Web application attacks http://testphp.vulnweb.com/index.php
Number 8: Insecure Deserialization
➢Receival of hostile serialized objects cause insecure deserialization. Serialized objects can be tampered, deleted and more so It can lead to elevation of privileges and remote code execution.
➢ Acceptance of serialized objects from untrusted sources + no sufficient checks in user data → elevation privileges + remote code execution
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢ Serialization is the process of converting an object to a byte stream. In Java objects can be used when a class or any superclass implements a serializable interface. Deserialization represents the opposite process. The conversion of a serialized object back to its original form.
Number 9: Using Components with Known Vulnerabilities
➢Libraries, frameworks and other components run with the same privileges as the application. If a components is exploited there can be serious data loss or server takeover.
➢ Privileges’ policy + lack of knowledge → privilege escalation, remote execution, data loss + takeover
CSF 2021 Maria Evangelopoulou Web application attacks
Notes
➢Imagine having an application that relies on different libraries, frameworks and more and is hosted on a server. If someone manages to exploit for example one of the libraries this incident will destabilize the application and not only this but might be able to open a door for further exploitation on other domains too. This is why it is important to make sure individually and as a group that a certain cyber security level has been achieved. However, this level is not something that can be easily defined.
Number 10: Insufficient Logging & Monitoring
➢ A combination of this with missing or ineffective integration of incident response allows attackers to further attack system, maintain persistence, tamper, pivot to more systems, extract or destroy data. Studies show that the time of detection of a breach is around 200 days and usually comes by external parties and not by internal processes in place.
➢ Insufficient logging and monitoring + lack of knowledge → privilege escalation, remote execution, data loss + takeover and more.
CSF 2021 Maria Evangelopoulou Web application attacks
Case Study 1
➢ The FBI has disrupted an international cyber fraud operation by seizing the servers that had infected as many as two million computers with malicious software, by the use of Botnets. The Department of Justice received search warrants to effectively disable the Coreflood botnet by seizing the five U.S. servers used by the hackers.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Case Study 2
➢ On September 9, 2013, Rebecca Sedwick (12-year old) took her own life. She was repeatedly bullied by other teenage girls (raised to 15 in number) on social media and by other electronic means on a daily basis, for almost a year. Rebecca was forced to change schools but the bullying didn’t stop there. The two main perpetrators of age 12 and 14 showed no remorse according to the sheriff.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Case Study 3
➢A 10-year-old boy (2013) suddenly went missing from Brentwood, Maryland. Two pedophiles and a larger ring of online child pornographers were uncovered. Predators had moved online, setting up several private computer bulletin boards not only to “chat” with boys and set up meetings with them, but also to share images of child pornography.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Case Study 4
➢Led by a computer programmer in St. Petersburg, Russia, a compromise of a major U.S bank took place, in which the attackers started stealing money. A total of $400,000 was missing from accounts by using as a main target the institution’s cash management computer system.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Case Study 1
➢ The FBI has disrupted an international cyber fraud operation by seizing the servers that had infected as many as two million computers with malicious software, by the use of Botnets. The Department of Justice received search warrants to effectively disable the Coreflood botnet by seizing the five U.S. servers used by the hackers.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Notes
➢ I think that two important lessons can be taken from this case. First that it is not always possible to identify who is responsible for a cyber crime as the investigation can lead to inconclusive evidence. Secondly, this doesn’t mean that everything is over, and no prosecution can be made.
➢ In this case 13 people were identified as engaging in wire fraud, bank fraud and illegal interception. These people were not identified so a civil complain was filed against them as “John Doe”. John Doe is the name being used when a person is not identified; for example, if there are patients in a hospital that can’t remember anything relevant to their identity; they are originally claimed as John Does. However, in this case the command-and-control servers that were communicating with the virus were identified and a search warrant was given. Moreover, a seizure warrant was issued for 29 domain names that were used by the attackers.
➢ It might be surprising to you but normally if an attack was generated by a group, they announce it in media and claim themselves as the attackers; some of them are also releasing any confidential information they acquired. This is why cyber monitoring centres are always including intelligence teams for social media.
@fbi.gov
Case Study 2
➢ On September 9, 2013, Rebecca Sedwick (12-year old) took her own life. She was repeatedly bullied by other teenage girls (raised to 15 in number) on social media and by other electronic means on a daily basis, for almost a year. Rebecca was forced to change schools but the bullying didn’t stop there. The two main perpetrators of age 12 and 14 showed no remorse according to the sheriff.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Notes 1/2
➢ Cyberbullying is a serious issue at this era. The inappropriate use of Internet, chat rooms, social media, emails and more in order to harass, demean, intimidate and embarrass someone else is what cyberbullying is all about. The anonymity that can be used act as a positive feature that cyberbullies can take advantage of and at the same time even though they are claims that cyberbullying is something normally encountered between teenagers, they are actually people that enjoy this act. In cyber you will notice that most of the crimes are being charged based on sociology laws; so, there is nothing exclusively for cyber crime except a few laws that we will discuss as on later slides. This gap has identified as most cases are being treating in terms of prosecution, based on outcomes of other similar cases and at the same time the last three years a specialized cyber crime court is rumored to be created in London soon. So, in the case of cyberbullying charges might be harassment, libel, assault, and even terrorism. Cyberbullies may be held responsible for the damage they do in a civil lawsuit, where they may be ordered to pay medical bills and other expenses, as well as money for pain and suffering and mental anguish.
@fbi.gov
Notes 2/2
➢ In Rebecca’s case we are talking about enablement; people led her in a mental state that she thought she had no other choice. In Rebecca’s case, two girls age 12 and 14 were arrested and charged with aggravated stalking. The kind of shocking reaction was that the girls admitted that they were cyberbullying Rebecca but had no remorse and they were satisfied of Rebecca’s action. This also emphasizes the dangers of using “the online world” by children at this sensitive age. So parental control is something that needs to be active in underage children as for lots of reasons children are still vulnerable.
@fbi.gov
Case Study 3
➢A 10-year-old boy (2013) suddenly went missing from Brentwood, Maryland. Two pedophiles and a larger ring of online child pornographers were uncovered. Predators had moved online, setting up several private computer bulletin boards not only to “chat” with boys and set up meetings with them, but also to share images of child pornography.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Notes
➢In this investigation it was discovered that two neighbours (male) wanted to spend time with underage children, took them on holidays and also bought them lots of gifts. This raised an alarm in the investigation and both men were ultimately convicted of abusing children, but there was no evidence to link them to the boy’s disappearance. Because of this case a program was opened in FBI were investigators would pose as underage children. This on 2007 led to more than 20000 cases identified and more than 6800 convictions. Unfortunately in this case the little boy was never found, but because of him countless victims of child sexual exploitation over the years were saved and the FBI dedicates its continuing work today to this boy.
@fbi.gov
Case Study 4
➢Led by a computer programmer in St. Petersburg, Russia, a compromise of a major U.S bank took place, in which the attackers started stealing money. A total of $400,000 was missing from accounts by using as a main target the institution’s cash management computer system.
CSF 2021 Maria Evangelopoulou Cyber Legislation @fbi.gov
Notes
➢ 1995 Levin arrested in London → extradited back to the United States →pled guilty in January 1998.
➢ This is believed to be the first online bank robbery. This was a needed wakeup call for the financial industry and law enforcement. The victim bank put corrective measures in place to shore up its network security. Though the hack didn’t involve the Internet, the case did generate media coverage that got the attention of web security experts. The FBI, for its part, began expanding its cyber crime capabilities and global footprint, steadily building an arsenal of tools and techniques that help us lead the national effort to investigative high-tech crimes today.
@fbi.gov
Cyber Crimes according to the Crown Prosecution Service
➢ Cyber Dependent crimes: ➢ Hacking
➢ Disruption of computer functionality
➢ Cyber Enabled crimes: ➢ Economic
➢ Marketplaces with illegal products
➢ Malicious and offensive communications
➢ Offences targeting individuals like VAWG
➢ Child sexual offences and indecent images of children ➢ Extreme pornography and obscene publications
CSF 2021 Maria Evangelopoulou Cyber Legislation
Notes
➢ Cybercrime covers a lot of different things and is a complicated term in terms of content. In November 2016 the UK Government’s National Cyber Security strategy was published and defined two distinct categories for Cybercrime.
1) Cyber-dependent crimes→crimes that can take place only through Information and Communication Technology (ICT) devices. The devices are both used as tools for committing the crime and targets. Hacking, disruption, functionality degradation are some of them.
2) Cyber-enabled crimes→refers to traditional crimes which increase in scale and reach by the use of ICT devices. Fraud, Intellectual property crime, online marketplace for illegal items, malicious and offensive communications, offences targeting individual groups like VAWG (violence against women and girls), child sexual offences and inappropriate images, extreme pornography are some examples.
Can you think some countries that differ on some of these laws?
@cps.gov.uk
Cyber legislation according to the Crown Prosecution Service
➢ Cyber Dependent crimes:
➢ Computer Misuse Act 1990.
➢ Regulation of Investigatory Powers Act 2000. ➢ Data Protection Act 1998 new version 2018.
➢ Cyber Enabled crimes:
➢ Fraud Act 2006, Theft Act 1968, Theft Act 1978, Computer Misuse Act
1990, Forgery and Counterfeiting Act 1981 and Proceeds of Crime Act
2002.
➢ For piracy: Copyright Designs and Patents Act 1988, Counterfeiting and
Forgery Act 1981, Video Recording Act 2010, Registered Designs Act
1949.
➢ Online purchasing: Criminal Law Act 1977, Serious Crime Act 2007,
Misuse of Drugs Act 1971, Firearms Act 1968.
➢ Communications: Sexual Offences Act 2003, Malicious Communications
Act 1988 or Communications Act 2003, Serious Crime Act 2007, Children Act 1960, Protection of Children Act (PCA) 1978, Criminal Justice Act (CJA)2015, Obscene Publications Act (OPA) 1959.
CSF 2021 Maria Evangelopoulou Cyber Legislation
Notes 1/2
➢ In the previous category for every crime different laws that are relevant were presented. As you will have noticed, there are not so many laws cyber specific but imagine that different laws as a tree structure and cyber crime using different branches depending on the content of the crime. It is worth to mention two Acts that are quite popular.
1) Computer Misuse Act 1990 which is the main piece of UK legislation relating to offences or attacks against computer systems such as hacking or denial of service. This specific act has different levels of offences.
Section 1 – unauthorised access to computer material. This offence involves ‘access without right’ and is often the precursor to more serious offending. There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. There also must have been an intention to access a program or data held in a computer.
Section 2 – unauthorised access with intent to commit or facilitate commission of further offences.
Section 3 – unauthorised acts with intent to impair the operation of a computer. The offence is committed if the person behaves recklessly as to whether the act will impair, prevent access to or hinder the operations of a computer. Section 3 should be considered in cases involving distributed denial of service attacks (DDoS).
@cps.gov.uk
Notes 2/2
Section 3ZA – Unauthorised acts causing, or creating risk of, serious damage, for example, to human welfare, the environment, economy or national security. This section is aimed at those who seek to attack the critical national infrastructure.
Section 3A – making, supplying or obtaining articles for use in offences contrary to sections 1,3 or 3ZA. Section 3A deals with those who make or supply malware.
➢ 2) Regulation of Investigatory Powers Act 2000 → when intentionally and without lawful authority, intercepts at any place in the United Kingdom, any communication in the course of its transmission by means of a public telecommunication system.
@cps.gov.uk
How can you hide messages?
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
@https://xkcd.com/525/
Notes
➢Humans always wanted to communicate and share information but also selectively. This led to the art of hiding content of communication; sharing secrets and this is when cryptography was born. You might have had similar experiences in your younger age trying to send messages to your friends that no one can understand or even see. Might have used lemon juice as invisible ink. Cryptography is the combination of two Greek words; Crypto→hidden and graphy→writing. Cryptography is considered to be born as civilizations evolved. What about hieroglyphics? What about at time of war? How were the important messages distributed? What about if the messenger was attacked?
Cryptography basics
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
@amazon.com
➢Two main activities: Encryption and Decryption.
➢Plaintext message→ use of cipher→creation of ciphertext
➢Do you know any known ciphers?
➢What about obfuscation?
Notes
➢ This is not only a problem for the past but also for the future. What about our bank details? Bank statements? Accounts? Information is important so everything demonstrates how important cryptography is. Known ciphers: Enigma.
➢ On the top left of the slide; Thomas Jefferson’s cipher replica that can be bought by amazon is demonstrated. This cipher had 36 disks that could be reordered in the cylinder containing all the alphabet per disk in a random order. The sender of the message would give the order that the disks should be placed and a random message with no sense. The receiver would place the disks as instructed and move them in order to replicate the message. Then this would lock the position of the disks and the receiver would have to look around the cylinder for a more reasonable message. The downside with this approach is that most of the times the reasonable messages identified were more than one.
➢ What is obfuscation? The art of making something unclear, scrabble a message in order to make it impossible to read without the required information.
➢ The difference in cryptography is that something called a cipher is used for encryption and then decryption. So even if someone knew the method without the cipher (key) still wouldn’t be able to extract the information.
Caesar’s Cipher
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
➢Or Caesar’s shift→substitution cipher ➢Replacement of letters by a fixed number
of positions.
➢Example: VLR KBBA QL OBXA.
Can you decrypt this message by knowing that a left shift of 3 was used?
➢ Any ideas if this cipher is vulnerable? Can it be easily broken?
Notes
➢This cipher is relying on shifting letters by an agreed number (three most common choice) and direction.
➢The downside is that this cipher can be easily broken by frequency analysis. Which letters are most frequent? Small phrases? And more.
Caesar’s Cipher decryption
➢Example: VLR KBBA QL OBXA.
Can you decrypt this message by knowing that a left shift
of 3 was used?
A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z.
HELLO would be→EBIIL
➢Any ideas if this cipher is vulnerable? Can it be easily
broken?
➢ So what is Cryptography and Cryptanalysis? CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Notes
➢ The message that is given in previous slide is….
➢So basically cryptography can be seen as the art of making a cryptosystem capable of providing information security. But what is Cryptanalysis then? Cryptanalysis is mainly the opposite definition; the art of breaking the cipher text. In one side cryptography is dealing with the design and security of cryptosystem and cryptanalysis with breaking the cryptosystem.
Vigenere Cipher
➢Plaintext: Bitcoin Keyword: tol
Uwevctg
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Notes
➢ This is another cipher called a polyalphabetic cipher as it relies on multiple alphabet substitution. In this case you use the table containing the 26 letters of the alphabet. You can choose your plaintext to be mapped either vertically or horizontally as the result will be the same. Depending on your choice the remaining option will be used for your keyword. If your keyword is smaller from the plaintext; a repetition of the keyword will start until the plaintext is completely converted to a cipher text.
➢Polymorphism is another term that needs to be explained. Basically is a cipher that changes itself with each use; so every time is used the results are different. So for exactly the same plaintext multiple ciphertext can be produced.
What about Steganography?
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Notes
➢ Steganography is the art of hiding information on different types of file. It can be a message hidden in a picture, in a voice recording, in a document. In this case someone is unaware that a secret communication (one way) is taking place. In cryptography an intruder is normally aware that a communication takes place.
Steganography Vs Cryptography
➢ Existence of message is unknown in steganography.
➢Purpose of steganography is to hide the existence of communication. In cryptography the communication is known but it is used to hide the messages through communication. Steganography is using technology that covers different formats and cryptography is using known algorithms.
➢One message detected in steganography this is it; cryptography need expensive equipment in order to crack the encryption. Cryptography also alters the structure of the message.
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Types of Cryptography
➢ Hashing; conversion of message into an unreadable string. ➢Symmetric encryption; use of a single key for
encryption/decryption.
➢ Asymmetric encryption; use of public and private key.
➢Key exchange algorithms; for the secure exchange of keys (like Diffie-Hellman).
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Hashing
➢Usually used on transmission of large files or software (known as one way encryption).
➢ Treats data as a binary data stream and not a text.
➢ 1000100101000011 → 1000/1001/0100/0011 → 8/9/4/3 →
hash algorithm to produce the hash value→fingerprinting
➢ Do you know any hashing algorithms? Can you predict any
issues?
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Notes
➢ Hashing algorithms are used in different ways. Storing important information on databases. Ensure code integrity by creating hashes per blocks of program. So in general it is claimed that cryptographic hash algorithms produce unique and irreversible hashes. That means by having the hash value you can’t figure out what the original piece of data is and that two different pieces of data cannot produce the same has value.
Hashing attributes
➢ How do we know if a hashing algorithm is good?
➢Hashing algorithm must be able to produce a unique value for every possible input. The possible values is 0 and 1; so every algorithm has a certain value of combinations which is the number of bit raised to the number of possible values. So for SHA-256 it would be 2^256.
➢ However the construction of the algorithm is also important. CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Notes
➢If a hashing algorithm is supposed to produce unique hashes for every possible input, just how many possible hashes are there? A bit has two possible values: 0 and 1. The possible number of unique hashes can be expressed as the number of possible values raised to the number of bits. The larger the number of possible hashes, the smaller the chance that two values will create the same hash. So, eventually, every hashing algorithm, including a secure one, produces a collision (meaning same hash for two different things).
Hashing collisions
➢ Classical collision attack → hash(m1) = hash(m2) ➢Chosen prefix collision attack→hash (p1/m1) = hash
(p2/m2), where p1 & p2 are different prefixes.
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
@https://xkcd.com/680/
Notes
➢Classical collisions; for this purpose, we discussed the birthday attack problem. Imagine you are in the room with 10 people; what are the chances of getting a person with the same birthday as you? Now imagine you are in a room with 150 people; are your chances different? In this way you can consider that the bigger the hashing algorithm the more chances a collision to occur.
➢Chosen prefix attack; the attacker knowns the hash value and tries to manipulate a document in order to have the same value in the end.
Symmetric cryptography
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
@ibm.com
Notes
➢Symmetric Cryptography (most traditional form); use of a single key to encrypt a message and then decrypt upon delivery. This means that a lot of attention is given to the secure channel that the key is going to be transferred through. So primarily application is protection of resting data (hard drives, databases etc.). Most modern symmetric cryptography relies on AES (Advanced Encryption Standards).
Asymmetric cryptography
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
@ibm.com
Notes
➢Asymmetric Cryptography; use of a pair of keys (private and public). In this case only the private key can be used to decrypt encrypted messages sent from the public key. Applications: use of https in browser, transmission of emails, digital signed PDFs and more.
Key exchange algorithms
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
@codeproject.com
➢ Diffie-Hellman algorithm ➢Pick two prime numbers g and
p and share.
➢Pick a secret number a and compute g^a mod p = A and for B = g^b mod p→ Exchange A & B.
➢ g^ab mod p = g^ba mod p
Notes
➢ There are algorithms that ensure that key exchange is secure. One of them is the Diffie- Hellman algorithm. Oversimplification of the issue. Imagine Alice wants to send a file to Bob. She sends a locked box to Bob containing the file. Bob does not have the key and adds another lock onto the box. Alice receive the box back with the two locks and takes out her lock, then resends the box to Bob. Bob receives the locked box but with his own lock only; in this case unlocks the box and receive the information. Notice that in this case the box have been locked all the time during the transportation. However, the goal of this algorithm is not to share the secret key but to create the key with the other party.
➢ This can be better explained on the schema given above. Alice and Bob have chosen a common color (needs to be different each time). Each one of them choses their secret color and add it into the common one. This creates a mixture of a different color for every party. Then Alice and Bob exchange their mixtures and each one add their secret color to the unknown received mixture. Because the ingredients in the end are the same for both parties they end up with the same mixture. This mixture is the created secret key. In this way the secret key can’t be intercepted as its created and not shared. The mathematic approach is also given in slides. Remember that reverse engineering a color is much easier that trying to find out the secret ingredients by using mod calculations.
Cryptographic Functions
➢ Authentication; use of certificates.
➢Non repudiation; especially used for bank
transactions.
➢ Confidentiality; keep documents confidential.
➢Integrity; ensure data are not viewed during transmission or storage.
➢ Do you know the CIA triad? CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
Notes
➢ Certificates; The SSL/TLS protocol is used to enable secure transmission of data from one device to another across the internet. The SSL certificate file is tasked with providing the necessary information needed for authentication. More specific SSL certificates bind a specific public key to an identity. Every SSL certificate contains a public key that can be used by the client to encrypt data, and the owner of said SSL certificate securely stores a private key on their server which they use to decrypt that data and make it readable. Every system needs to have a reliable way of knowing who owns the encryption key that its using. When a certificate is issued, it is digitally signed by the Certificate Authority (CA) you have chosen as your certificate provider (for example Sectigo, DigiCert, etc). This signature provides cryptographic proof that the CA signed the SSL certificate and that the certificate has not been modified or reproduced.
➢ Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over the exchange of data. Basically, it is assurance that an entity cannot refuse ownership of a previous commitment.
➢CIA→Confidentiality, Integrity and Availability. These are terms used in cyber research and values that are taken into serious consideration. For example in critical infrastructures there is a big amount of the research community that supports that availability is the number one priority with others supporting the integrity of data.
Cryptocurrency
CSF 2021 Maria Evangelopoulou Trending in Cyber – Cryptocurrency
➢ Digital currency.
➢Digital ledger→blockchain ➢ Wallet
➢ Mining
➢ Adaptive Scaling
➢ Open Source? Protection? @pwc.co.uk
Notes
➢ Cryptocurrency (open source) is similar with using Paypal or a Debit card; it is a part of digital currency transferred between peers (no banks involved). Digital currency is virtual money that they have actual value. In order to start with cryptocurrency you need to open a Coinbase account. However, nowadays you can purchase cryptocurrency through a bank, specialised companies and more. There are different currencies with different value; Bitcoin, Ether, Litecoin are some of them. Their value is not steady but instead is like stocks. For example a few years back Bitcoins value jumped from 5k to 18k and now had a dive to almost 3k. So how does cryptocurrency work? Every single transaction is registered to a public digital ledger. In order to be able to make transactions you need a piece of software called a wallet. The digital ledger (blockchain) register all transactions anonymously by the use of cryptography. There are no names, addresses or any type of information that is connected to your transactions; only your wallet. This information is being issued and kept by an algorithm (decentralized). The cryptocurrency community helps in all the procedures, so no banks or governments are involved. How you can obtain cryptocurrency? You can buy from a provider or you can mine them. In this case you provide computing resources in a pool (team) with a goal to break a specific cryptographic puzzle which creates new coins (proof of work system). The first “miner” to solve the puzzle adds a block of transactions to the ledger. If the puzzle is solved easily in 15 days for example the next puzzle will be harder and the opposite (adaptive scaling). Each block is connected to the data in the last block via one-way cryptographic codes called hashes which are designed to make tampering with the blockchain very difficult. This opens a new type of cyber crime where people take advantage networking infrastructures in private environments (like your own working environment) in order to mine cryptocurrency.