GT Tech Challenge 2018 Submission! Hail the Commonwealth of the Internet!
About this Site
Most people use poor practices when ensuring the security of computers. Passwords like "123456" are very common. Some people actively refuse to update, and vulnerable software is everywhere. This website documents the ways in which criminals could access your computer - and how to avoid being a victim.
If you are confused by anything on this site and it is GT Night, you might find me at Ian's Diamondaverse presentation or at my personal booth.
I could write a book about proper security, but you wouldn't read it. The bottom line of this entire website is: be smart. Don't run EXE, BAT, APPIMAGE, DMG, or VBS files (or any files, really) whose providers you don't trust, or those you downloaded expecting another type of file. Before installing an application, ensure that it is still supported by its developers. Check its website - if that has been updated recently, the application is still being updated and supported. Remember to regularly seek updates to these applications. Encrypt sensitive data using tools like Bitlocker(Windows), FileVault(MacOSX), or Plasma-Vault(Linux). Don't make a file named "passwords" containing all of your passwords - use a secure password manager like KeePass instead. Don't click on links before first hovering to determine where the link actually points, but really, just use common sense.
About Me
I am an amateur security researcher and really just a nerd. I have worked with my school's art teacher to improve website security and contributed to the TTS Bug Bounty Program to improve their security.
I created this website to popularize good network security practices by students all accross Jeffco.
The Least Secure Applications
Here are some apps to avoid using if you want to remain secure.
Adobe AIR is a program for running Flash applications on the desktop. From day one, it has been widely considered insecure because it allows vulnerabilities that are normally only able to gain access to websites to escape into an end user's computer. Tons of code execution vulnerabilities exist for AIR. Don't. Use. It. Alternative: None for users, Java for developers. Vulnerability level: 9.6
Adobe Flash is the predominant flash player and also the least secure. It receives updates so often because a lot of vulnerabilities appear. Its software development kits often have memory corruption issues, just like other apps by Adobe. Alternative: Chrome's built in Flash player. Vulnerability level: 9.5
Microsoft Office is an application that everyone uses. It's also not very secure; features like Word macros and Excel programming often allow arbitrary code to be executed, such that an entire class of malware has been created by Microsoft Office. Outlook has been a ground for spreading the most widespread malware. Alternative: LibreOffice. Vulnerability level: 9.3
Adobe Acrobat is the world's #1 used, and #1 least secure PDF viewer. There are a myriad of ways in which a malformed PDF file, opened with Adobe Acrobat, could write out of bounds into the memory of a computer, allowing for arbitrary code execution. Alternative: GNOME Evince for viewing, Scribus for editing. Vulnerability level: 9.2
Internet Explorer is an application that I am glad is going out of favor. Buffer overflows and other memory corruption issues in its scripting engine make it quite vulnerable, and it's likely to be discontinued very soon. Hopefully you aren't using it, and if you are, you should stop. Alternative: Google Chrome. Vulnerability level: 8.8
SQL Injection is when an input form is used as part of a search through a website's database and an adversary can add additional parameters to the search by entering something like an end-quote to the input.
Command Injection is when an input form is used as part of a command issued to the command prompt and an adversary can add additional parameters to the command by entering something like an end-quote to the input.
Buffer Overflows are issues in which a program reads user input and the user manipulates the data so that it seems as though the input is shorter than it is. This causes the program to overwrite the computer's memory with user input, which can lead to all sorts of issues. An example is the OpenSSL Heartbleed vulnerability.
Cross-Site Scripting is when an input form is used as part of a website's content, for example in a comments section, allowing adversaries to run arbitrary site scripts, including those which might steal data. More info...
Backdoors are intentional ways in which a developer, government, or even an adversary who has infiltrated the developer community, can bypass security systems. These are easily discovered by adversaries.
No Authorization. That's right, a good number of programs simply don't require authorization for key portions of software.
Hardcoded Credentials are usernames and passwords hidden within a program's code. It's trivial to decompile the code and read these credentials, then use them more directly.
Unencrypted Data means that sensitive information can simply be intercepted and read without complication. Usually programs use complex mathematics to make sensitive data unreadable to somebody who is reading all of the data on the network. More about encryption...
Unregulated Uploads to a website can be very dangerous. An adversary can upload a program to the server this way which, for example, gives them access to the website's command prompt.
Use of Untrusted Input as the sole information used for a security decision, such as computer addresses or password length, significantly increases the risk of an adversary accessing a resource by pretending to be something that they are not.
Cross-Site Scripting - More Info
Most web pages use a document format called HTML. Special features of HTML are that it is easy to code with, it supports complex styling using CSS, and most notably, it allows websites to embed scripts in the full-featured programming language Javascript. Furthermore, HTML sites can embed Javascript scripts from other sites. These types of features are very useful when trying to develop any site more complex than a simple document, but it is also useful to evil people.
If user input is interpreted as a link, HTML, or anything else that allows Javascript to be included, the script could be used for a number of malicious purposes, from simply annoying users to downloading a virus or stealing authentication data. But perhaps the most famous use was to create a self-retweeting post on Twitter.
Issues like this can be surprisingly hard to mitigate, since Javascript on the Web is everywhere. Javascript can be included in links, and in HTML can be added to a hyperlink, script, or any number of other tags. In general it is best to prevent user input from including any of the common special characters of Javascript or HTML.
For a demonstration of this, here are two code snippets. See if you can tell the difference.
It's pretty easy for a computer to guess a password these days. Modern PCs can make 300 guesses in one second over the network and millions in one second if they have already downloaded a website's database. There are two types of password cracking methods. The simplest is to guess every possible password, starting with the shortest, until the right one is found. The site HowSecureIsMyPassword determines how easily this method will crack your password and does so without sending it over the Internet. More advanced is guessing the most common passwords based on a list of already cracked ones, and perhaps mutating the passwords based on known common prefixes, suffixes, and replacements. One such list ofthe most commonly stolen passwords is here. Feel free to ctrl-F for your password.
Keeping adversaries from using these type of methods usually involves creating a long and seemingly random password. Choose a password like "wS,hRi28.q" which has likely never been used. Passwords should be at least 8 characters long and include capitals, special characters, and numbers, though a 20-digit password is also acceptable, as is a 12-letter password. If that seems too hard to remember, try abbreviating some lyrics from your favorite song or words from your favorite poem, then adding numbers and special characters; for example, "in-dothsathovanoVagan3xre" abbreviates a famous Einstein quote.
It is also important to use a variety of different passwords in the case that one is discovered due to a cryptographic algorithm being reversed or the password being read as it is still being tested by or transmitted to the site. Doing this minimizes risk. Take special care for your email account, as it can be used to recover passwords to other account.
Mathematics of Security: Encryption and Hashing
Computers are basically pre-programmed calculators connected to input devices, storage devices, and displays. Everything has to do with mathematics, including securing data stored with them. A field of mathematics called cryptography deals with mathematical ways to secure data. There are two types of algorithms important to this: encryption and hashing.
Encryption is used for storing sensitive information. It performs an operation between two pieces of data - a key and the plaintext - such that the plaintext cannot be recovered without the key. This is used for password-based authentication and for the storage of secrets. Some encryption algorithms use separate keys for encryption and decryption, and as a result can be used to authenticate identities and share other passwords securely. Most operating systems have ways to encrypt external drives - right click on them and select the appropriate option in the file manager in Windows, reformat them as LUKS in Linux, or enable FileVault on a Mac. So store all sensitive data on those, and remember to encrypt them.
Hashing is used for storing passwords - it has consistent, repeatable results, but cannot be reversed. Today, salting is used in addition to hashing. Salting is when data is added to the password before it is hashed to make it harder to simply look up the password in a hash-password dictionary. Hashing can also be used to authenticate data, as a small change in data can result in a large change in its hash.
Social Engineering and How to Stop It
Most attacks on a network involve tricking some person on that network into letting the attacker in. This is why it's important for everyone to be smart on cybersecurity, because one undereducated coworker could destroy the entire network.
In May 2000, the ILOVEYOU worm was among the worst and most widespread malware that ever occured. It spread entirely by social engineering. The virus would use hacked Microsoft Outlook email accounts to send mail encouraging users to read a "love letter." The file's name was LOVELETTER.txt.vbs, though the VBS extension was hidden automatically by Outlook. Once opened, the user would realise that this "love letter" is actually a program designed to render his or her computer unusable and take over their e-mail account to spread the virus. This and many other widespread attacks happen entirely due to the incompetence of most computer users.
The easiest way to avoid attacks like this is: never trust a link or attatchment in an email. Don't believe that links can be dangerous? Read this. The risk of an attack is far too high. It might be a good idea to disable HTML email if your mail client has the option, though this can also make some unreadable. Also: never give passwords, credit cards, or social security numbers to ANYONE over a call or the Internet, even if you trust them. Doing so significantly increases the risk of an attack.
The danger of links
Links are dangerous. REALLY dangerous. It's pretty amazing how much can be done with links. If you have the power to make a link, you have the power to hack someone's computer.
First, HTML links can be used for more than just linking to other pages. HTML Links also have an omouseover attribute, in which JavaScript code can be placed. The first vulnerability I ever reported was a mouseover attribute self-XSS.
Even if you can't use the onmouseover attribute, for example if you are only allowed to upload through a Markdown parser, you can still do damage with links. Links that begin with javascript: rather than https:// can include JavaScript as well, and some applications have issues that allow JavaScript to be placed in the webpage URL.
JavaScript can be used for a number of malicious purposes. It can, as has been demonstrated, exploit Spectre vulnerabilities (vulnerabilities allowing access to some data of other applications by looking at their predicted actions). JavaScript can also exploit vulnerabilities in browsers to download malware without even asking the user, open popups beyond a popup blocker, and even corrupt a user's memory or cause a crash.
In other words, trust links about as much as you do random EXE files.
Social Engineering and How to Stop It
Most attacks on a network involve tricking some person on that network into letting the attacker in. This is why it's important for everyone to be smart on cybersecurity, because one undereducated coworker could destroy the entire network.
In May 2000, the ILOVEYOU worm was among the worst and most widespread malware that ever occured. It spread entirely by social engineering. The virus would use hacked Microsoft Outlook email accounts to send mail encouraging users to read a "love letter." The file's name was LOVELETTER.txt.vbs, though the VBS extension was hidden automatically by Outlook. Once opened, the user would realise that this "love letter" is actually a program designed to render his or her computer unusable and take over their e-mail account to spread the virus. This and many other widespread attacks happen entirely due to the incompetence of most computer users.
The easiest way to avoid attacks like this is: never trust a link or attatchment in an email. Don't believe that links can be dangerous? Read this. The risk of an attack is far too high. It might be a good idea to disable HTML email if your mail client has the option, though this can also make some unreadable. Also: never give passwords, credit cards, or social security numbers to ANYONE over a call or the Internet, even if you trust them. Doing so significantly increases the risk of an attack.