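<!DOCTYPE html>
<!-- Document language declared so assistive tech and hyphenation pick the right rules -->
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="generator" content="pandoc">
  <title>Correct Horse Battery Staple</title>
  <meta name="apple-mobile-web-app-capable" content="yes">
  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
  <!-- reveal.js template viewport. maximum-scale=1.0 / user-scalable=no disable
       pinch-zoom (a WCAG 1.4.4 concern); kept as-is because the template's touch
       navigation is tuned for it. -->
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
  <!-- reveal.js core styles are loaded cross-origin from the shared RevealTemplate
       pages site without Subresource Integrity, so the deck trusts whatever that
       host serves. Once the template is pinned to a fixed release, add
       integrity="<SRI-HASH-PLACEHOLDER>" crossorigin="anonymous" to each link. -->
  <link rel="stylesheet" href="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/dist/reset.css">
  <link rel="stylesheet" href="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/dist/reveal.css">
  <!-- DG for Source code Highlighting -->
  <link rel="stylesheet" href="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/plugin/highlight/monokai.css">
  <!-- pandoc's default reveal.js overrides -->
  <style>
    .reveal .sourceCode { /* see #7635 */
      overflow: visible;
    }
    code{white-space: pre-wrap;}
    span.smallcaps{font-variant: small-caps;}
    div.columns{display: flex; gap: min(4vw, 1.5em);}
    div.column{flex: auto; overflow-x: auto;}
    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
    /* The extra [class] is a hack that increases specificity enough to
       override a similar rule in reveal.js */
    ul.task-list[class]{list-style: none;}
    ul.task-list li input[type="checkbox"] {
      font-size: inherit;
      width: 0.8em;
      margin: 0 0.8em 0.2em -1.6em;
      vertical-align: middle;
    }
    .display.math{display: block; text-align: center; margin: 0.5rem auto;}
  </style>
  <!-- Theme stylesheet; the id is what the menu plugin swaps when a viewer picks another theme -->
  <link rel="stylesheet" href="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/dist/theme/league.css" id="theme">
  <!-- Two-column layout helper used by the .container/.col slides below -->
  <style> .container{ display: flex; } .col { flex: 1; } </style>
</head>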
<body>
  <!-- reveal.js requires this exact .reveal > .slides wrapper pair -->
  <div class="reveal">
    <div class="slides">
      <!-- Title slide -->
      <section id="title-slide">
        <h1 class="title">Correct Horse Battery Staple</h1>
        <p class="subtitle">Passwords and other Fun</p>
      </section>
<section> | |
<section id="introduction" class="title-slide slide level1"> | |
<h1>Introduction</h1> | |
</section> | |
<section id="print-hello-world" class="slide level2"> | |
<h2>10 Print “Hello World”</h2> | |
<div class="container"> | |
<div class="col"> | |
<figure> | |
<img data-src="God_Emperor1.jpg" height="450" | |
alt="Actual In Class Footage" /> | |
<figcaption aria-hidden="true">Actual In Class Footage</figcaption> | |
</figure> | |
</div> | |
<div class="col"> | |
<ul> | |
<li>Dan Goldsmith</li> | |
<li>CD Ethical Hacking</li> | |
<li>CL Technical Computing</li> | |
</ul> | |
</div> | |
</div> | |
</section> | |
<section id="print-hello-world-1" class="slide level2"> | |
<h2>10 Print “Hello World”</h2> | |
<div class="container"> | |
<div class="col"> | |
<figure> | |
<img data-src="God-Emperor.webp" height="450" alt="With Marking" /> | |
<figcaption aria-hidden="true">With Marking</figcaption> | |
</figure> | |
</div> | |
<div class="col"> | |
<ul> | |
<li>Dan Goldsmith</li> | |
<li>CD Ethical Hacking</li> | |
<li>CL Technical Computing</li> | |
<li>Computer Scientist.</li> | |
</ul> | |
</div> | |
</div> | |
</section> | |
<section id="ethical-hacking-cu" class="slide level2"> | |
<h2>Ethical Hacking @ CU</h2> | |
<div class="container"> | |
<div class="col"> | |
<ul> | |
<li>EH Degree for 15 or so years</li> | |
<li>Strong focus on Practical Aspects.</li> | |
<li>Excellent Student CTF team.</li> | |
</ul> | |
</div> | |
<div class="col"> | |
<p><img data-src="Hacker18.webp" /></p> | |
</div> | |
</div> | |
</section> | |
<section id="you-teach-what" class="slide level2"> | |
<h2>You teach What???</h2> | |
<ul> | |
<li>Cyber is essential for everyday lives.</li> | |
<li>Good guys who can think like the bad guys is a good thing.</li> | |
<li>If my folks break into your system and tell you how to fix it, its | |
much better than the bad guys doing it</li> | |
</ul> | |
</section> | |
<section id="what-i-do" class="slide level2"> | |
<h2>What I Do</h2> | |
<figure> | |
<img data-src="wombles.jpg" height="450" | |
alt="Underflow, Overflow, Use after free" /> | |
<figcaption aria-hidden="true">Underflow, Overflow, Use after | |
free</figcaption> | |
</figure> | |
</section> | |
<section id="but-its-not-just-hacking-we-teach" class="slide level2"> | |
<h2>But Its not just Hacking we teach</h2> | |
<ul> | |
<li>Security Operations.</li> | |
<li>Digital Forensics</li> | |
<li>Legal, Ethical and Business, Factors</li> | |
<li>Network Security</li> | |
<li>Computer Science.</li> | |
</ul> | |
</section> | |
<section id="fancy-a-job" class="slide level2"> | |
<h2>Fancy a Job?</h2> | |
<ul> | |
<li>Hard but Rewarding.</li> | |
<li>Not recruitment at the moment</li> | |
<li>If you are interested come talk to me, ready for the next | |
round.</li> | |
</ul> | |
</section> | |
<section id="talk-overview" class="slide level2"> | |
<h2>Talk Overview</h2> | |
<ul> | |
<li>Talk about a common security issue. Passwords | |
<ul> | |
<li>What they are</li> | |
<li>How we can chose good ones</li> | |
<li>Some of the things not to do.</li> | |
</ul></li> | |
<li>Hack Some Things</li> | |
</ul> | |
</section></section> | |
<section> | |
<section id="passwords" class="title-slide slide level1"> | |
<h1>Passwords</h1> | |
</section> | |
<section id="passwords-1" class="slide level2"> | |
<h2>Passwords</h2> | |
<p><img data-src="password_stock.jpg" /></p> | |
</section> | |
<section id="history" class="slide level2"> | |
<h2>History</h2> | |
<div class="container"> | |
<div class="col"> | |
<ul> | |
<li>Roman Empire: Watchwords</li> | |
<li>Prohibition: Get access to the pub</li> | |
</ul> | |
</div> | |
<div class="col"> | |
<p><img data-src="duck_soup.jpg" /></p> | |
</div> | |
</div> | |
</section> | |
<section id="first-computer-passwords" class="slide level2"> | |
<h2>First Computer Passwords</h2> | |
<ul> | |
<li>1960: First computer password. (CTSS) | |
<ul> | |
<li>To Control access to a shared system.</li> | |
</ul></li> | |
</ul> | |
<div class="element: fragment fade-up"> | |
<ul> | |
<li>1962: The first password Theft…. | |
<ul> | |
<li>Users had a limited weekly time allocation.</li> | |
<li>Allen Scherr needed more time for his PHD.</li> | |
<li>Passwords Stored in plain text. == Print the password file.</li> | |
</ul></li> | |
</ul> | |
</div> | |
</section> | |
<section id="a-necessary-evil" class="slide level2"> | |
<h2>A Necessary Evil</h2> | |
<ul> | |
<li>Estimate we now have 100-150 passwords to remember | |
<ul> | |
<li>Biometrics / Keys / Certificate based auth trends</li> | |
<li>BUT: The easiest and most common fallback if these fail.</li> | |
</ul></li> | |
</ul> | |
</section> | |
<section id="dont-be-green" class="slide level2"> | |
<h2>Don’t be green</h2> | |
<p><img data-src="Reduce_Reuse.webp" /></p> | |
<ul> | |
<li>80% of data breaches due to reused, weak or stolen passwords.</li> | |
</ul> | |
</section> | |
<section id="most-common-passwords" class="slide level2"> | |
<h2>Most Common Passwords</h2> | |
<ul> | |
<li>What is the most common password</li> | |
</ul> | |
<div> | |
<ul> | |
<li class="fragment">Off to seclists | |
https://github.com/danielmiessler/SecLists/blob/master/Passwords/2023-200_most_used_passwords.txt</li> | |
</ul> | |
</div> | |
</section> | |
<section id="ncsc-list-2019" class="slide level2"> | |
<h2>NCSC List (2019)</h2> | |
<p><img data-src="Most-Comon-Password.png" /></p> | |
</section> | |
<section id="storing-passwords" class="slide level2"> | |
<h2>Storing Passwords</h2> | |
<ul> | |
<li>Hopefully not plain text</li> | |
<li>Hashes are used to store passwords</li> | |
<li>“Impossible” to reverse hash value to derive passwords</li> | |
<li>Not all hashes are equal.</li> | |
</ul> | |
</section> | |
<section id="hashing-issue" class="slide level2"> | |
<h2>Hashing Issue</h2> | |
<div> | |
<ul> | |
<li class="fragment">To Cyberchef….</li> | |
<li class="fragment">To Crackstation</li> | |
</ul> | |
</div> | |
</section></section> | |
<section> | |
<section id="password-strategies" class="title-slide slide level1"> | |
<h1>Password Strategies</h1> | |
</section> | |
<section id="so-what-makes-a-good-password" class="slide level2"> | |
<h2>So What makes a good password?</h2> | |
<ul> | |
<li>Suggestions?</li> | |
</ul> | |
</section> | |
<section id="uppercase-lowercase-numbers-and-symbols" | |
class="slide level2"> | |
<h2>Uppercase, Lowercase, Numbers and Symbols?</h2> | |
<div> | |
<ul> | |
<li class="fragment">swordfish</li> | |
<li class="fragment">Swordfish</li> | |
<li class="fragment">Swordf1sh / Swordfish1</li> | |
<li class="fragment">Swordf1sh!</li> | |
</ul> | |
</div> | |
</section> | |
<section id="why-this" class="slide level2"> | |
<h2>Why this?</h2> | |
<ul> | |
<li>Trying to introduce complexity, make them harder to guess. | |
<ul> | |
<li>Lowercase == 26 Letters</li> | |
<li>Upper Lower == 52</li> | |
<li>Common Symbols, Numbers etc ~ 100</li> | |
</ul></li> | |
</ul> | |
</section> | |
<section id="cracking-passwords" class="slide level2"> | |
<h2>Cracking Passwords</h2> | |
<ul> | |
<li>Try to guess the stored password | |
<ul> | |
<li>a, b, c, d</li> | |
<li>aa, ab, ac, ad ….</li> | |
</ul></li> | |
<li>2018 RTX2080 == 40 Billion guesses a second</li> | |
<li>2022 RTX4090 == 164 Billion guesses a second.</li> | |
</ul> | |
</section> | |
<section id="more-complex-harder-to-guess" class="slide level2"> | |
<h2>More Complex == Harder to guess</h2> | |
<p><img data-src="cracking.jpeg" height="500" /></p> | |
</section> | |
<section id="cracking-passwords-1" class="slide level2"> | |
<h2>Cracking Passwords</h2> | |
<figure> | |
<img data-src="https://imgs.xkcd.com/comics/security.png" height="500" | |
alt="Obligatory XKCD" /> | |
<figcaption aria-hidden="true">Obligatory XKCD</figcaption> | |
</figure> | |
</section> | |
<section id="the-ideal-password" class="slide level2"> | |
<h2>The Ideal Password</h2> | |
<div> | |
<ul> | |
<li | |
class="fragment"><code>Nksi%c3&9#pZ$hn$jB9@bzf^1#ZKtnl1</code></li> | |
<li class="fragment">Good luck remembering that</li> | |
</ul> | |
</div> | |
</section> | |
<section id="the-3-4-words-approach" class="slide level2"> | |
<h2>The 3 / 4 Words approach</h2> | |
<ul> | |
<li>Recommended by NCSC</li> | |
<li>Pick 4 Random Words</li> | |
<li>Use these as a passphrase</li> | |
</ul> | |
</section> | |
<section id="correct-horse-battery-staple" class="slide level2"> | |
<h2>Correct Horse Battery Staple</h2> | |
<figure> | |
<img data-src="https://imgs.xkcd.com/comics/password_strength.png" | |
height="500" alt="More XKCD" /> | |
<figcaption aria-hidden="true">More XKCD</figcaption> | |
</figure> | |
</section> | |
<section id="so-we-are-safe-right" class="slide level2"> | |
<h2>So We are safe right ?</h2> | |
<p>That ones in the List…</p> | |
<div> | |
<ul> | |
<li class="fragment">It depends on the password cracking strategy</li> | |
<li class="fragment">If we use letter by letter, then the length is our | |
friend</li> | |
<li class="fragment">If we assume using the 4 words strategy | |
<ul> | |
<li class="fragment">170,000 words in the English Dictionary</li> | |
<li class="fragment">170,000 * 4 == 680,000 Guesses == Instant</li> | |
</ul></li> | |
</ul> | |
</div> | |
</section> | |
<section id="phishing-for-information" class="slide level2"> | |
<h2>Phishing for Information</h2> | |
<ul> | |
<li>Rather than brute force, use social engineering</li> | |
<li>Folk like passwords to be meaningful to them. | |
<ul> | |
<li>Pornstar / Starwars names</li> | |
<li>Numbers / Symbols are a speed-bump</li> | |
</ul></li> | |
</ul> | |
</section> | |
<section id="being-a-bit-sneaky" class="slide level2"> | |
<h2>Being a bit sneaky?</h2> | |
<ul> | |
<li>Perhaps they have use the password before?</li> | |
<li>Of course that information is only available to l33t Hax0rs | |
right?</li> | |
</ul> | |
</section></section> | |
<section> | |
<section id="a-better-approach." class="title-slide slide level1"> | |
<h1>A Better Approach.</h1> | |
</section> | |
<section id="password-managers" class="slide level2"> | |
<h2>Password Managers</h2> | |
<ul> | |
<li>Personally, I recommend a password manager | |
<ul> | |
<li>Remember one or two passwords.</li> | |
<li>Rest are randomly generated (so strong)</li> | |
<li>Will also avoid re-use.</li> | |
</ul></li> | |
</ul> | |
</section> | |
<section id="password-managers-1" class="slide level2"> | |
<h2>Password Managers</h2> | |
<ul> | |
<li>Lots of choice.</li> | |
<li>Still a healthy debate over wisdom of keeping things in a desirable | |
target</li> | |
<li><strong>Please Keep Autofill turned off.</strong></li> | |
</ul> | |
</section> | |
<section id="mfa" class="slide level2"> | |
<h2>MFA</h2> | |
<ul> | |
<li>We also should use MFA</li> | |
<li>Phone app, or similar used alongside password</li> | |
<li>Challenge -> Response when logging in.</li> | |
</ul> | |
</section> | |
<section id="mfa-1" class="slide level2"> | |
<h2>MFA</h2> | |
<ul> | |
<li>Extra layer of defence, but not without its own problems. | |
<ul> | |
<li>Can be a PITA.</li> | |
<li>Buildings that are Faraday Cages</li> | |
<li>Not 100% Secure</li> | |
</ul></li> | |
<li>Of course, if your phone with password manager gets stolen…</li> | |
</ul> | |
</section></section> | |
<section> | |
<section id="a-bit-of-fun" class="title-slide slide level1"> | |
<h1>A Bit of Fun</h1> | |
</section> | |
<section id="stealing-passwords-from-a-password-manager" | |
class="slide level2"> | |
<h2>Stealing Passwords from a Password Manager</h2> | |
<ul> | |
<li>Combining a web vuln to snarf credentials</li> | |
<li>Code is classic sort of thing GPT / Students write.</li> | |
</ul> | |
</section> | |
<section id="the-issue" class="slide level2"> | |
<h2>The Issue</h2> | |
<ul> | |
<li>Cross Site Scripting (XSS)</li> | |
<li>Let me inject code into the page, run on your browser</li> | |
</ul> | |
</section> | |
<section id="version-1-redirect" class="slide level2"> | |
<h2>Version 1: Redirect</h2> | |
<ul> | |
<li>The Classic “My Facebook got hacked”</li> | |
<li>Ask the browser to load a different Page</li> | |
</ul> | |
<pre><code><script>window.location="http://evil.org"</script></code></pre> | |
</section> | |
<section id="version-2-fake-login-page" class="slide level2"> | |
<h2>Version 2: Fake login Page</h2> | |
<ul> | |
<li>Password manager detects login fields</li> | |
<li>Looks at site URL and checks for known passwords</li> | |
<li>Offers (or worse) auto completes.</li> | |
</ul> | |
</section> | |
<section id="version-3-hidden-login-page." class="slide level2"> | |
<h2>Version 3: Hidden Login Page.</h2> | |
<ul> | |
<li>Thats a bit Noticeable though.</li> | |
<li>We can hide fake page from the user, but browser will still see | |
it.</li> | |
</ul> | |
</section></section> | |
<section> | |
<section id="summary" class="title-slide slide level1"> | |
<h1>Summary</h1> | |
</section> | |
<section id="summary-1" class="slide level2"> | |
<h2>Summary</h2> | |
<ul> | |
<li>Passwords an essential part of life</li> | |
<li>Often easily guessable</li> | |
<li>How to make them hard to guess, but easy to remember?</li> | |
</ul> | |
</section> | |
<section id="summary-2" class="slide level2"> | |
<h2>Summary</h2> | |
<ul> | |
<li>Longer is Better</li> | |
<li>Don’t Reuse</li> | |
<li>Avoid common words</li> | |
</ul> | |
</section> | |
<section id="summary-3" class="slide level2"> | |
<h2>Summary</h2> | |
<ul> | |
<li>Password manager isn’t ideal, but its a good compromise | |
<ul> | |
<li>Makes it easy to have long, random passwords</li> | |
<li>Avoids Re-use</li> | |
</ul></li> | |
<li>MFA is also a great idea.</li> | |
</ul> | |
</section></section> | |
</div> | |
</div> | |
<script src="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/dist/reveal.js"></script> | |
<!-- reveal.js plugins --> | |
<script src="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/plugin/notes/notes.js"></script> | |
<script src="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/plugin/search/search.js"></script> | |
<script src="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/plugin/zoom/zoom.js"></script> | |
<!-- Dans Plugins --> | |
<script src="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/plugin/highlight/highlight.js"></script> | |
<script src="https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/plugin/menu/menu.js"></script> | |
<script> | |
// Full list of configuration options available at: | |
// https://revealjs.com/config/ | |
Reveal.initialize({ | |
// Display controls in the bottom right corner | |
controls: true, | |
// Help the user learn the controls by providing hints, for example by | |
// bouncing the down arrow when they first encounter a vertical slide | |
controlsTutorial: true, | |
// Determines where controls appear, "edges" or "bottom-right" | |
controlsLayout: 'bottom-right', | |
// Visibility rule for backwards navigation arrows; "faded", "hidden" | |
// or "visible" | |
controlsBackArrows: 'faded', | |
// Display a presentation progress bar | |
progress: true, | |
// Display the page number of the current slide | |
slideNumber: false, | |
// 'all', 'print', or 'speaker' | |
showSlideNumber: 'all', | |
// Add the current slide number to the URL hash so that reloading the | |
// page/copying the URL will return you to the same slide | |
hash: true, | |
// Start with 1 for the hash rather than 0 | |
hashOneBasedIndex: false, | |
// Flags if we should monitor the hash and change slides accordingly | |
respondToHashChanges: true, | |
// Push each slide change to the browser history | |
history: false, | |
// Enable keyboard shortcuts for navigation | |
keyboard: true, | |
// Enable the slide overview mode | |
overview: true, | |
// Disables the default reveal.js slide layout (scaling and centering) | |
// so that you can use custom CSS layout | |
disableLayout: false, | |
// Vertical centering of slides | |
center: true, | |
// Enables touch navigation on devices with touch input | |
touch: true, | |
// Loop the presentation | |
loop: false, | |
// Change the presentation direction to be RTL | |
rtl: false, | |
// see https://revealjs.com/vertical-slides/#navigation-mode | |
navigationMode: 'default', | |
// Randomizes the order of slides each time the presentation loads | |
shuffle: false, | |
// Turns fragments on and off globally | |
fragments: true, | |
// Flags whether to include the current fragment in the URL, | |
// so that reloading brings you to the same fragment position | |
fragmentInURL: true, | |
// Flags if the presentation is running in an embedded mode, | |
// i.e. contained within a limited portion of the screen | |
embedded: false, | |
// Flags if we should show a help overlay when the questionmark | |
// key is pressed | |
help: true, | |
// Flags if it should be possible to pause the presentation (blackout) | |
pause: true, | |
// Flags if speaker notes should be visible to all viewers | |
showNotes: false, | |
// Global override for autoplaying embedded media (null/true/false) | |
autoPlayMedia: null, | |
// Global override for preloading lazy-loaded iframes (null/true/false) | |
preloadIframes: null, | |
// Number of milliseconds between automatically proceeding to the | |
// next slide, disabled when set to 0, this value can be overwritten | |
// by using a data-autoslide attribute on your slides | |
autoSlide: 0, | |
// Stop auto-sliding after user input | |
autoSlideStoppable: true, | |
// Use this method for navigation when auto-sliding | |
autoSlideMethod: null, | |
// Specify the average time in seconds that you think you will spend | |
// presenting each slide. This is used to show a pacing timer in the | |
// speaker view | |
defaultTiming: null, | |
// Enable slide navigation via mouse wheel | |
mouseWheel: false, | |
// The display mode that will be used to show slides | |
display: 'block', | |
// Hide cursor if inactive | |
hideInactiveCursor: true, | |
// Time before the cursor is hidden (in ms) | |
hideCursorTime: 5000, | |
// Opens links in an iframe preview overlay | |
previewLinks: false, | |
// Transition style (none/fade/slide/convex/concave/zoom) | |
transition: 'slide', | |
// Transition speed (default/fast/slow) | |
transitionSpeed: 'default', | |
// Transition style for full page slide backgrounds | |
// (none/fade/slide/convex/concave/zoom) | |
backgroundTransition: 'fade', | |
// Number of slides away from the current that are visible | |
viewDistance: 3, | |
// Number of slides away from the current that are visible on mobile | |
// devices. It is advisable to set this to a lower number than | |
// viewDistance in order to save resources. | |
mobileViewDistance: 2, | |
// reveal.js plugins | |
plugins: [ | |
RevealNotes, | |
RevealSearch, | |
RevealZoom, | |
RevealMenu, | |
RevealHighlight | |
], | |
menu: { | |
numbers: true, | |
themes: true, | |
themesPath: 'https://github.coventry.ac.uk/pages/aa9863/RevealTemplate/reveal.js/dist/theme' | |
} | |
}); | |
</script> | |
</body> | |
</html> |