CS4Programming4May2015

From GIS CS4
Jump to: navigation, search

Welcome back to the final 5 weeks of CS4 Programming.

Monday

No School

Tuesday

Continue above (no school)


Wednesday (Lab)

Technology Friday

Your Facebook Provide - What I Know About You!

http://www.takethislollipop.com/


Strategic Cyber Defense

https://www.youtube.com/watch?v=f-gABzKZN38

Fiction or reality?


Man-In-The-Middle

Yes - it is THAT easy!

https://www.youtube.com/watch?v=OtO92bL6pYE

This is a classic Down-Grade attack - the user requests HTTPS (secure encrypted), but the Man-In-The-Middle causes the connection to be downgraded to HTTP (plain text).

Note - the reason for showing you these videos it to demonstrate just how easy these attacks are done - but it is just as easy to protect yourself by applying a bit of common sense.

  • BEWARE - DOING THIS ON SOMEBODY ELSE'S NETWORK IS ILLEGAL


HTTP Strict Transport Security

It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol.

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://www.youtube.com/watch?v=zEV3HOuM_Vw

https://www.youtube.com/watch?v=JdItXP4NuzY

Website adds the following to the headers it sends to the web client:

HTTPS: Strict-Transport-Security: max-age=31536000; includeSubDomains;

Note - a Man-In-The-Middle can effectively perform a denial of service attack on any UNENCRYPTED (HTTP) website by inserting the above header sent to the web client. The web client will then obey the instruction, and always request HTTPS - if the web server does NOT support HTTPS, everything breaks!


Creating A More Secure Public WIFI Access Point

  • Enable WIFI Client Isolation (http://www.wirelessisolation.com/)
  • Force DNS Server to OpenDNS (208.67.222.222, 208.67.220.220 - https://www.opendns.com/)
  • Configure Firewall for all traffic from WIFI as follows:
    • Disable ALL local network access (including router)
    • ONLY allow following outgoing ports:
      • 80 TCP (unencrypted HTTP Web Browsing)
      • 443 TCP (Encrypted HTTP Web Browsing)
      • 995 TCP (Secure POP3 EMail - receiving EMail)
      • 993 TCP (Secure IMAP EMail - receiving EMail)
      • 465 TCP (Secure SMTP EMail - sending EMail)
    • Redirect traffic to itself for following ports:
      • 123 UPD (NTP clock Queries - make sure it is update-to-date! Otherwise vulnerable to reflective attacks)
      • 53 UPD (DNS Queries - required to make the internet access work)
      • 67-68 UDP (DHCP Queries - required for connecting clients/computers/phones to establish a connection to your access point)
    • Disable ALL other TCP ports
    • Disable ALL UDP ports
      • Normal Internet usages (Web Browsing, EMail) only makes use of TCP which is a stateful protocol - it ensures that both ends are real IP addresses. Normal Internet does NOT use UDP which is a state-less protocol - a sender can fake their address, and therefore is often used maliciously. Therefore it is a good idea to completely disable all UDP traffic and to only access TCP.
    • Optional - redirect all allowed traffic via VPN or via TOR
      • If somebody mis-uses your Internet account, the mis-use will be attributed to yourself by your ISP. Redirecting ALL traffic on the Public WIFI access point via a VPN or via TOR protects you from your ISP monitoring this Public WIFI traffic and therefore from blame.


More information http://wiki.openwrt.org/doc/recipes/guest-wlan