WEBVTT

00:00.210 --> 00:07.500
We live in a world of open and I mean wide open networks we could go to an airport and find an

00:07.500 --> 00:13.200
open network we can go to a coffee shop and find an open network we can go almost anywhere and find

00:13.200 --> 00:14.360
an open network now.

00:14.610 --> 00:19.890
That's kind of a good thing because it provides us instantaneous and easy access to the Internet which

00:19.890 --> 00:26.370
is maybe why we're doing this and there's no other really easy practical way to handle that other than

00:26.400 --> 00:27.770
passing everybody out

00:27.840 --> 00:32.480
pre-shared keys or giving everybody usernames and passwords on 802.1X.

00:32.490 --> 00:36.930
So the bottom line is we live in a world of open networks.

00:36.930 --> 00:42.430
The problem with this is open networks by definition are absolutely wide open.

00:42.430 --> 00:44.410
Now to show you how bad the problem is.

00:44.460 --> 00:46.010
I've got a little setup here.

00:46.020 --> 00:51.650
So what I have here is a little home router. This is a little ASUS 802.11ac home router.

00:51.660 --> 00:57.660
Very popular, I use these in all my courses. Over here I've got my Windows 10 laptop, he's just a regular

00:57.660 --> 00:59.220
laptop nothing special.

00:59.430 --> 01:06.000
And he is connected to a wireless network called simple which is being passed out by this guy and over

01:06.000 --> 01:12.720
here I've got my Linux system. I'm running Kali Linux with a whole bunch of toys up and running

01:13.020 --> 01:19.140
and I'm using a very special wireless network card that is designed to allow us to be able to go into

01:19.140 --> 01:24.690
a promiscuous mode to get out there and monitor what's going on in the network and we can do all kinds

01:24.690 --> 01:26.100
of fun stuff like this.

01:26.100 --> 01:32.760
So with this little set up in mind one of the things you need to understand first and foremost is anything

01:32.760 --> 01:38.230
that I'm doing on here unless very specific things are done on an open network.

01:38.340 --> 01:40.000
I can see it all over here.

01:40.020 --> 01:45.180
Now here I have Kali Linux running over on this system and what you're looking at is all the data that

01:45.180 --> 01:47.940
I've captured off this wireless network.

01:47.970 --> 01:48.720
Don't look too close.

01:48.720 --> 01:51.960
Kids I didn't give you anything that you can actually do any danger to me with.

01:51.990 --> 01:56.100
So being able to just capture data is fairly trivial.

01:56.100 --> 01:58.290
Now of course you'd have to be good at Wireshark.

01:58.290 --> 02:03.150
You'd have to know how to follow TCP streams and be able to look for different types of data, searching

02:03.150 --> 02:11.480
for HTTP, searching for someone being silly enough to check their email insecurely, do something like that.

02:11.490 --> 02:16.410
But if you're comfortable with Wireshark you've basically got keys to the kingdom and you look at anything

02:16.410 --> 02:17.000
you want.

02:17.130 --> 02:20.580
So in and of itself that's already bad.

02:20.640 --> 02:22.530
But I can make it worse.

02:22.800 --> 02:31.290
One of the problems we run into is the idea of using cookies for sessions so I could go up to a particular

02:31.290 --> 02:37.020
Web site and I will create a session cookie that will exist during the length of whatever session I

02:37.020 --> 02:38.010
might have.

02:38.010 --> 02:43.260
Now the session cookies hold different types of information and a lot of times especially if you're

02:43.260 --> 02:45.840
typing in user names and passwords.

02:45.840 --> 02:52.980
What will happen is this website will go to HTTPS and you type in your username and password securely

02:52.980 --> 02:55.200
which I'm not going to be able to do anything with.

02:55.230 --> 03:00.910
But then the server is going to pass down a cookie which gives your authentication information in it.

03:00.960 --> 03:03.570
So this can be a big problem.

03:03.570 --> 03:09.650
So one of the tools we can use is for example what I have over here is a wonderful tool called Cookie

03:09.650 --> 03:12.980
Cadger. Cookie Cadger only has one job.

03:13.110 --> 03:19.020
He looks out to anybody who's passing out just cookies, just HTTP cookies, that's all he's looking for

03:19.350 --> 03:22.400
and he grabs them and he brings them down into the system.

03:22.440 --> 03:27.120
And if I want to I can go ahead and do something called a replay attack with these.

03:27.120 --> 03:28.860
Let me show you how this works.

03:28.860 --> 03:35.290
Here is my happy little victim computer merely logging onto the Internet onto some URL that is

03:35.290 --> 03:39.350
insecure so we'll call it some very insecure-sounding name.

03:39.390 --> 03:45.180
Now a lot of times when people log in if they're typing in usernames and passwords a lot of Web sites

03:45.180 --> 03:45.820
will shift to

03:45.890 --> 03:46.680
HTTPS

03:46.680 --> 03:51.330
for the actual authentication of that particular system.

03:51.330 --> 03:53.970
So this is done in such a way that it's encrypted.

03:53.970 --> 03:55.370
Nobody can get to it.

03:55.410 --> 04:02.070
However a lot of times after this is done some form of cookie holding authentication information is

04:02.070 --> 04:04.540
held on the victim computer.

04:04.540 --> 04:12.960
Now us using our evil computer over here we can use tools like Cookie Cadger to intercept the actual

04:12.960 --> 04:19.370
cookies the cookies themselves are not sent over secure they're sent over insecure.

04:19.410 --> 04:21.520
Only the actual log on itself was.

04:21.600 --> 04:25.130
So we can grab this make a copy for ourselves.

04:25.290 --> 04:32.310
And even after the victim leaves we can go ahead and use the authentication information in this cookie

04:32.820 --> 04:38.620
to in essence replay just as though we were the original victim ourselves.

04:38.700 --> 04:41.940
And that is a classic replay attack.

04:42.000 --> 04:48.660
So what do we do to protect ourselves what can we do on our good computers to prevent these bad computers

04:48.660 --> 04:50.250
from sniffing our networks.

04:50.250 --> 04:55.980
What do we do to keep these bad guys using tools like Cookie Cadger from grabbing our cookies and taking

04:55.980 --> 05:01.340
out all that SSL information and using it against us in these replay attacks which by the way is also

05:01.340 --> 05:04.400
known as SSL stripping so be comfortable with that term.

05:04.400 --> 05:05.350
So what can we do.

05:05.360 --> 05:06.890
Well there's a lot of things you can do.

05:06.890 --> 05:13.700
Number one, use secure protocols when you're on insecure wireless networks. If you're going to be doing

05:13.730 --> 05:20.490
FTP, use secure FTP; if you're going to be getting e-mail, use secure e-mail. Do what you can to be secure.

05:20.540 --> 05:27.080
In particular though I want to concentrate on HTTPS because well people use the web a lot so I want

05:27.080 --> 05:31.000
to talk about in particular some of the things we can do.

05:31.010 --> 05:35.180
Number one what I'd like you to do is that you need to watch your browser bar so if you take a look

05:35.180 --> 05:38.230
up here you can see right here I'm on a secure Web site.

05:38.240 --> 05:42.990
Of course it says HTTPS but it also shows very very clearly Secure.

05:43.040 --> 05:46.100
Now over here is a very insecure web site.

05:46.100 --> 05:47.240
This is my own web site.

05:47.240 --> 05:50.290
Trust me if you try to buy something online we go very very secure.

05:50.300 --> 05:53.360
But at this point it is insecure.

05:53.360 --> 06:00.530
So you need to be able to have the wherewithal to think about what are you doing on a particular site

06:00.770 --> 06:05.070
you might be on just one particular Web site but it can pop from HTTP to HTTPS.

06:05.390 --> 06:10.550
If you're insecure you probably don't want to be typing in usernames and passwords on that particular

06:10.550 --> 06:11.480
page.

06:11.480 --> 06:15.450
Now the problem is as security people we can think this much about it.

06:15.500 --> 06:17.410
Unfortunately users don't.

06:17.420 --> 06:22.760
So we need tools to help them make sure they're always in a secure environment.

06:22.910 --> 06:31.650
One of the great tools we use and I use this in Chrome all the time is something called HTTPS Everywhere.

06:31.710 --> 06:38.140
So if you take a look right up here you'll see I've added a little extension called HTTPS Everywhere.

06:38.250 --> 06:43.560
And what I'm going to do is I'm going to turn it on by blocking all unencrypted requests.

06:43.600 --> 06:46.980
Now right now you'll see that I'm on a secure Web site.

06:46.980 --> 06:49.820
Watch what happens when I go back in.

06:49.920 --> 06:55.980
You'll see that it's popped instantly to a secure www.totalsem.com and that's the power

06:56.250 --> 07:04.980
of HTTPS. In fact making people use HTTPS is so critical that even the industry has developed protocols

07:05.190 --> 07:09.290
where servers require your browser to go to HTTPS.

07:09.510 --> 07:16.830
This is known as HTTP Strict Transport Security or HSTS and it is a beautiful thing, it pretty much auto-

07:16.830 --> 07:20.640
magically does what HTTPS Everywhere does for you.

07:20.640 --> 07:24.750
So it's a very very powerful tool but only on servers that actually use it.

07:24.750 --> 07:33.060
So between HSTS and HTTPS Everywhere and watching the little green bar at the top I'm pretty safe from

07:33.060 --> 07:35.340
bad guys doing naughty things.

07:35.340 --> 07:37.490
Now there's one more thing I'd like to add.

07:37.580 --> 07:39.870
And that is a VPN.

07:39.870 --> 07:46.290
If you really want to be secure what you do is get on the Internet but have everything go through a

07:46.290 --> 07:48.020
VPN. You've got to be careful here.

07:49.660 --> 07:55.720
You could have a corporate VPN where you dial in to the Internet and get online for your corporate stuff

07:55.730 --> 07:57.010
and that's great.

07:57.190 --> 08:03.460
But a lot of corporations will set up a VPN not for you to just access the internal network but as a

08:03.460 --> 08:09.760
tool that makes sure all the corporate computers when they're at airports or when they're in some foreign

08:09.760 --> 08:15.970
country with open networks can be guaranteed that anything these machines do, it allows them to do it through

08:15.970 --> 08:16.650
the VPN.

08:16.660 --> 08:18.480
Even just general browsing.

08:18.550 --> 08:19.820
Now you've got to be careful with this.

08:19.840 --> 08:21.760
I want to show you some VPN.

08:21.850 --> 08:23.350
And again I'm doing this in Chrome

08:27.340 --> 08:31.360
if you go through you'll see that there's a lot of extensions that are offered in Chrome and in no way

08:31.360 --> 08:35.450
am I going to offer any of these up to you these different proxies.

08:35.710 --> 08:41.200
The problem with these VPNs is that while they're free, so anytime something's free that means you're

08:41.200 --> 08:45.090
the product so they tend to look at information you may not want them to.

08:45.130 --> 08:52.150
Also these VPNs that you'll see are often used by bad guys, that what they'll do with the VPN is that

08:52.150 --> 08:58.960
they can set the VPN so they come out in the UK if they want to watch Manchester United or some soccer

08:58.960 --> 08:59.260
team.

08:59.260 --> 09:05.180
So there is a bit of a nefarious side to using these VPNs as well as a very good aspect of it.

09:05.350 --> 09:10.920
And that is simply using it to prevent bad guys from doing things in open networks.

09:10.930 --> 09:13.930
So there you go we've got a number of different tools for you.

09:13.960 --> 09:16.000
You're going to be seeing a lot of this on the exam.

09:16.060 --> 09:17.680
So take some time and be comfortable with what

09:17.770 --> 09:20.500
you can do to protect yourself on open networks.
