<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[ACM at UCSD - Medium]]></title>
        <description><![CDATA[Thoughts, shoutouts, and thinkshare from your fellow ACM members - Medium]]></description>
        <link>https://medium.com/acmucsd?source=rss----355978bf3e20---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>ACM at UCSD - Medium</title>
            <link>https://medium.com/acmucsd?source=rss----355978bf3e20---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Tue, 30 Jun 2026 07:53:53 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/acmucsd" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[5 Common Security Vulnerabilities You Should Know]]></title>
            <link>https://medium.com/acmucsd/5-common-security-vulnerabilities-you-should-know-5169c9d1adf9?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/5169c9d1adf9</guid>
            <category><![CDATA[vulnerability]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Avyah Sharma]]></dc:creator>
            <pubDate>Fri, 14 Jan 2022 18:10:47 GMT</pubDate>
            <atom:updated>2022-01-14T18:10:47.131Z</atom:updated>
            <content:encoded><![CDATA[<p>A General Overview for People Just Looking to Learn Something New</p><h4>SQL Injection</h4><p>A SQL Injection is an attempt to “inject” or rather execute malicious code in the form of a SQL query to a database. This is often done by exploiting forms of input data or entry fields within the application. Clever hackers can use this technique to gain access to sensitive information. There are many different types or methods implemented, so for simplicity we’ll just consider one example and explore how to prevent it. To start, imagine a website with a login input form that contains a username and password field.</p><pre>username = getRequestString(&quot;Username&quot;);<br>txtSQL = &quot;SELECT * FROM Users WHERE Username = &quot; + username;</pre><p>The above code snippet, in theory, could run without the proper protection. Two common methods of protection include input validation and parametrization. Input validation checks to see if the given input is allowed. This is essentially the same as checking if the input is in the correct format. As for parametrization, we define the SQL code so that we can later pass the parameters for the query to be executed. In a way, the database can now differentiate between executed code and legitimate input data.</p><h4>Cross-Site Scripting</h4><p>Similarly, Cross-Site Scripting (XSS) is another injection attack where the hacker attempts to insert malicious code, usually by getting the browser to execute some extra code. The three types of XSS to note are Stored, Reflected, and DOM based. Stored is when the script is aimed at the database. Secondly, Reflected is when the script comes from an HTTP request. Lastly, DOM based XSS resides on the client side, as opposed to the server side. A common technique used to prevent something like this would be through a form of encoding data. For instance, if there exists data as output in HTTP responses, it would make sense to encode the output. 
Often this requires some use of HTML, CSS, URL, or JavaScript encoding. [1]</p><h4>XML External Entity Attack</h4><p>XXE, for short, is a way to exploit applications that parse XML input. XXE can be used to obtain sensitive data or even lead to server-side request forgery (which will be discussed below). Generally, this occurs within applications that use XML to communicate between the browser and server. Here’s an example below that is designed to reveal information, specifically /etc/passwd [2]:</p><pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;<br>&lt;!DOCTYPE foo [<br>  &lt;!ELEMENT foo ANY &gt;<br>  &lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot; &gt;]&gt;<br>&lt;foo&gt;&amp;xxe;&lt;/foo&gt;</pre><h4>Server-Side Request Forgery</h4><p>Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. [1] This gives the hacker access to services that normally would be off limits. Particularly, they would be able to make the server communicate with external systems. There are various forms of SSRF, but we’ll take a look at a small example where an SSRF attack is performed against the server itself. This image is taken from online; the source can be found in the References section.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*WF5Vobya-MGJP8cnTYhIkg.png" /></figure><h4>Denial-of-Service Attack</h4><p>A Denial-of-Service Attack is when the hacker attempts to take down a service or network of sorts by “flooding” the target, particularly by sending tons of information. Two common techniques worth mentioning are ICMP and SYN floods. The first is when the hacker repeatedly sends packets meant to ping all systems on a target, as opposed to a single instance. On the other hand, a SYN flood repeatedly sends requests to connect to a server. 
It keeps doing this process until more and more ports open up. This allows the hacker to send large amounts of SYN requests.</p><h4>References</h4><ol><li><a href="https://portswigger.net/web-security">https://portswigger.net/web-security</a></li><li><a href="https://owasp.org/">https://owasp.org/</a></li></ol><hr><p><a href="https://medium.com/acmucsd/5-common-security-vulnerabilities-you-should-know-5169c9d1adf9">5 Common Security Vulnerabilities You Should Know</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[URL Phishing Detection using Machine Learning and Graphs]]></title>
            <link>https://medium.com/acmucsd/url-phishing-detection-using-machine-learning-and-graphs-b508abf1bdaf?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/b508abf1bdaf</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[machine-learning]]></category>
            <category><![CDATA[graph-theory]]></category>
            <category><![CDATA[cyber]]></category>
            <dc:creator><![CDATA[Avyah Sharma]]></dc:creator>
            <pubDate>Fri, 14 Jan 2022 18:08:37 GMT</pubDate>
            <atom:updated>2022-01-14T18:08:37.520Z</atom:updated>
            <content:encoded><![CDATA[<p>A Basic Application of Mathematics in Cyber Security</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*K_3Tk6vdWwYe2Dyw" /><figcaption>Look, two clowns looking at each other! — credit to Ishaan Kavoori</figcaption></figure><h4>What is Phishing?</h4><p>Phishing is a social engineering cybercrime where the attacker attempts to lure confidential information from a target, often by impersonating a more reputable organization or individual. Various phishing attacks primarily revolve around a hacker spoofing a website or sending messages, so that they may have the ability to do anything ranging from instantiating malicious software like spyware to gaining access to secure information through a backdoor.</p><p>URL phishing, the practice where hackers implement fraudulent websites meant to deceive the target into revealing sensitive data by aiming to appear like a legitimate institution, will act as the center of this article. By mapping the ego network of a given webpage, it is possible to create a binary classification model that predicts whether or not the sourced webpage is malicious.</p><h4>Designing the Model</h4><p>The model designed takes a series of URLs strictly in the form of “https://www.example.com” and assigns each a binary label. For example, the source website is marked 1 if malicious or 0 if safe. To start, observe what techniques make phishing attempts successful. In other words, what patterns in hyperlink manipulation are commonly utilized to not only remain undetected from phishing detectors, but also seem authentic? Authenticity is defined to be the ability to masquerade as a target or legitimate website. On the other hand, remaining undetected relies more on the linking structure of the source webpage. 
These two characteristics will be the main basis for how the features for the classification model are defined.</p><h4>Sourcing the Dataset</h4><p>Malicious URLs were sourced from PhishTank and OpenPhish, collectively. Safe URLs were based on the most commonly visited websites on the World Wide Web. All of these URLs were downloaded and saved into a CSV file. Next, a Pandas dataframe was created from the CSV file containing all the links along with their respective label. Now, any URL that was not valid was removed from the dataset. This includes the following: URLs not in the correct format, phishing links that were no longer functional, any URL resulting in a status code greater than 200, or links that were yielding timeout errors when connecting. The resulting dataset contained 300 malicious and 300 safe URLs. Lastly, the Python Requests library was used to fetch the HTML links from the given URLs. Those links were then saved into another CSV file where the file contained a series of dataframes.</p><h4>Building the Networks</h4><p>First, a pandas dataframe was created from the CSV file containing all the queried URLs. After splitting the dataframe into multiple dataframes where each dataframe represented the source URL and its respective links, the program used NetworkX to create a graph from the edgelist. The resulting graph represents the ego network, as a whole, with the source URL as the center node. The surrounding nodes are represented as webpages, while each directed edge symbolizes a hyperlink connection. 
Then, the graph was colored using the following algorithm:</p><pre>for each node in G do<br> if source is node URL then<br>  color node red<br> else if source and node URL have same domain then<br>  color node orange<br> else if source and node URL have same subdomain (but same domains) then<br>  color node yellow<br> else if node URL is invalid then<br>  color node green<br> else ▷ likely other valid URLs or links to other webpages<br>  color node blue</pre><p>To put it simply, the algorithm iterates through each node assigning it a color depending on its relationship with the source node. For instance, the domain, subdomain, and validity are all factors that determine the color of any given node. Note, the ordering of the nodes does not matter and the center node is always colored red since it is the source node. Consider the colored ego network of <a href="https://www.google.com">https://www.google.com</a> as an example:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/640/1*NElsejw0qFP6OnbDc4XH9w.png" /><figcaption>Ego Network of Google’s Webgraph</figcaption></figure><h4>Binary Classifier</h4><p>By exploiting the properties of the network structure, a series of features can be extracted, so that a classification model may be trained. In this list, the formula for each feature will be shown along with an explanation as to why that chosen attribute is implemented within the classifier. Each feature that shares a similar justification will be placed into a category strictly for readability purposes. In total, there are 11 features.</p><h4>Category 1</h4><p>Percent of Orange Nodes</p><p>Percent of Yellow Nodes</p><p>Percent of Orange and Yellow Nodes</p><p>Reasoning: Each of the percentages listed can be used to determine how dominant the source domain or its respective subdomains are within the ego network. Websites with higher percentages of orange or yellow nodes tend to be more legitimate. 
Additionally, the percentage of orange and yellow nodes is also calculated, because authentic websites may also have a percentage of links that share a domain or subdomain. To put it simply, they have many domains and subdomains.</p><h4>Category 2</h4><p>Percent of Green Nodes</p><p>Percent of Blue Nodes</p><p>Percent of Green and Blue Nodes</p><p>Reasoning: A high percentage of green or blue nodes may suggest that the website is implementing some level of hyperlink manipulation. As a matter of fact, certain phishing websites may have a series of unnecessary links added to seem far more believable to unsuspecting users. This approach is very popular due to its ease of implementation. [3] Notably, it is also critical that the percentage of blue nodes is calculated, because it is not guaranteed that blue nodes represent malicious external URLs. Likewise, green nodes may just represent URLs that are experiencing downtime. Although, this is incredibly unlikely and is usually a sign of suspicious activity.</p><h4>Category 3</h4><p>Size of Green Nodes</p><p>Size of Blue Nodes</p><p>Reasoning: It is essential that the difference between percentages and number of total external or invalid links is accounted for within the model. A safe website may have a high percentage of blue nodes, but that does not necessarily correlate with the URL being malicious. These features allow the model to consider instances where there are few blue nodes, despite having a high percentage. In addition, a strangely high number of null links or redirects on a website is another reason to suspect malicious intent.</p><h4>Category 4</h4><p>Out-Degree of Source Node</p><p>Reasoning: More legitimate webpages tend to have an arbitrarily reasonable number of links. 
If a webpage has an unusually high number of hyperlinks, this usually suggests a form of hyperlink manipulation.</p><h4>Category 5</h4><p>Out-Degree Centrality Mean</p><p>Density</p><p>Reasoning: This density feature is similar to Google’s PageRank feature in the sense that it allows us to relate the total number of edges to the given number of nodes. According to the dataset, malicious URLs tend to be denser than safe URLs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/778/0*zXtmnoiJnQxT4UxT" /><figcaption>Simplified Version of Formulas</figcaption></figure><h4>Training the Model</h4><p>After using NetworkX to perform each of the listed calculations, all the results were then saved to a CSV file. Each row in the CSV file represented one URL with each column being a feature. The last column was labeled 1 or 0. Now, there exists a proper dataset and the machine learning model is ready to be trained. Subsequently, the data was split into test data and training data. XGBoost and scikit-learn were the libraries used to create the supervised model. The code for the whole process can be found on <a href="https://github.com/avyahsharma/phishing-detector">https://github.com/avyahsharma/phishing-detector</a>.</p><h4>Results</h4><p>Utilizing sklearn.metrics, a number of metrics were used to measure the performance of the model. An image containing some relevant statistics is attached below:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*YGTtWEl3lkAehXV5momRDg.png" /><figcaption>Performance Metrics</figcaption></figure><p>Each metric was calculated using the given formulas such that TN is True Negative, TP is True Positive, FN is False Negative, and FP is False Positive.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*bjQMGruRhoKskOiuIdF3_A.png" /><figcaption>Metric Formulas</figcaption></figure><h4>Improvements</h4><p>A number of improvements can be made to optimize this model. 
To start, consider the Jaccard Score. While it seems unreasonable, most hackers employ the same techniques when designing phishing websites, hence why the dataset is so similar.</p><p>Another key improvement would be adding the ability to query for an additional level of webpages. By scraping for more hyperlinks, a larger graph can be built, thus allowing the model to collect more information on phishing websites that can better maneuver around detectors. Competing models implemented a similar approach and they received stronger results, because it also allowed them to test for more features. These include developments like a stronger PageRank algorithm, checking if graphs are semiconnected, and searching for more loops. In fact, when competing models included these features specifically, they noticed an increase in performance depending on the machine learning technique used.</p><p>As mentioned before, the code can be found at <a href="https://github.com/avyahsharma/phishing-detector">https://github.com/avyahsharma/phishing-detector</a>. Any changes or improvements would be greatly appreciated; kindly leave comments, questions, or suggestions and I’ll do my best to reply!</p><p>[1]: Jones, Caitlin. “50 Phishing Stats You Should Know in 2021.” Expert Insights, 26 Oct. 2021, <a href="https://expertinsights.com/insights/50-phishing-statsyou-should-know/.">https://expertinsights.com/insights/50-phishing-statsyou-should-know/.</a></p><p>[2]: “How to Recognize and Avoid Phishing Scams.” Consumer Information, 18 Oct. 2021, <a href="https://www.consumer.ftc.gov/articles/how-recognize-and-avoidphishing-scams.">https://www.consumer.ftc.gov/articles/how-recognize-and-avoidphishing-scams.</a></p><p>[3]: “What Is Phishing? Examples and Phishing Quiz.” Cisco, 29 Oct. 2021, <a href="https://www.cisco.com/c/en/us/products/security/email-security/">https://www.cisco.com/c/en/us/products/security/email-security/</a></p><p>[4]: Tan, Choon Lin, et al. 
“A Graph-Theoretic Approach for the Detection of Phishing Webpages.” Computers &amp; Security, vol. 95, 2020, p. 101793., <a href="https://doi.org/10.1016/j.cose.2020.101793.">https://doi.org/10.1016/j.cose.2020.101793.</a></p><p>[5]: Aleksandersen, Daniel. Most of Alternate Web Browsers Don’t Have Fraud and Malware Protection, 16 Aug. 2016, <a href="https://www.ctrl.blog/entry/fraudprotection-alternate-browsers.html.">https://www.ctrl.blog/entry/fraudprotection-alternate-browsers.html.</a></p><p>[6]: Page, Lawrence, et al. “The PageRank Citation Ranking: Bringing Order to the Web.” Stanford InfoLab Publication Server, Stanford InfoLab, 11 Nov. 1999, <a href="http://ilpubs.stanford.edu:8090/422/.">http://ilpubs.stanford.edu:8090/422/.</a></p><p>[7]: “Introduction to Boosted Trees.” Introduction to Boosted Trees — Xgboost 1.5.1 Documentation, <a href="https://xgboost.readthedocs.io/en/stable/tutorials">https://xgboost.readthedocs.io/en/stable/tutorials</a></p><hr><p><a href="https://medium.com/acmucsd/url-phishing-detection-using-machine-learning-and-graphs-b508abf1bdaf">URL Phishing Detection using Machine Learning and Graphs</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Landing the Internship of Your Choice]]></title>
            <link>https://medium.com/acmucsd/landing-the-internship-of-your-choice-191f5935e172?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/191f5935e172</guid>
            <category><![CDATA[software-development]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[mathematics]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[internships]]></category>
            <dc:creator><![CDATA[Avyah Sharma]]></dc:creator>
            <pubDate>Mon, 17 May 2021 23:14:16 GMT</pubDate>
            <atom:updated>2021-05-17T23:14:16.553Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*6GhNEXoGJYw9oXY1" /><figcaption>Photo by <a href="https://unsplash.com/@ilyapavlov?utm_source=medium&amp;utm_medium=referral">Ilya Pavlov</a> on <a href="https://unsplash.com?utm_source=medium&amp;utm_medium=referral">Unsplash</a> Because I Couldn’t Think Of A Good One To Use</figcaption></figure><h4>My personal experience looking for a summer internship. Below, I’ve outlined what the internship search process was like for me, as well as some key details that can hopefully help you.</h4><h3><strong>A Little About Me</strong></h3><p>So before I dive into the specifics, I think it’s best that you have somewhat of an idea of my background and technical interests. This way, you’ll have a stronger understanding of what some of my goals were and why I chose to pursue them. To start, I’m currently a third-year studying Mathematics-Computer Science and Chinese Language at University of California, San Diego. A few of my academic interests include the following: Machine Learning, Cryptography/Security, and Algorithms plus Graph Theory. As for my personal hobbies, I enjoy cooking, playing games, solving puzzles, reading, golfing, and browsing the internet while listening to music.</p><h3>Ask Yourself What You Want</h3><p>I’d say the first step before doing anything is asking yourself what you want. Essentially, ask yourself what kind of internship do you want and what experience are you looking to get out of it. There are plenty of internships available and I think it’s definitely important to have an idea of what kind of work you want to be doing. Here are some great questions to ask yourself: what do I want to do, what do I want to learn, what kind of people do I want to be working with, what size company would have a working environment that I’d like, etc. 
Applying to companies that align with your best interests will likely be the ones that not only give you the best chance during the application process, but also will probably be the most enjoyable!</p><p>In my experience, I originally wanted an internship from a larger company that focused on software development. I also wanted to be located near a bigger city. However, all of my desires changed throughout the process. As school progressed, I wanted a position that was far more “mathematical”. To be more specific, I wanted something that was related more to some of the subjects I studied as a math major rather than software engineering itself. A field that seemed really attractive to me was cybersecurity, so I decided to pursue that. Note, the COVID-19 pandemic changed a lot of things for me as well as everyone I know, so adjusting to the new expectations was definitely a challenge.</p><h3>Qualities Companies Look For</h3><p>Observe what companies look for in applicants and consider that in your decision process. While I recommend applying to as many internships as soon as possible (due to the nature of the recruitment cycle), I somewhat take caution to this advice. If a company is hiring Quantitative Analysts and your interests lie strictly within Web Development, I’d normally have you reconsider making that internship a top priority. Take note of what technologies and characteristics a job is looking for. If the technologies are aligned with what you like and that company is looking for someone with your expertise, then I think that you would make a much stronger applicant.</p><p>My experiences and knowledge were kind of all over the place. I didn’t really specialize in any one area and I was spread thinly. Nonetheless, I still had a lot of internship experience, which is something I definitely emphasized. At first, I tried applying to as many internships as possible, which proved to be not a super effective strategy. 
I was able to land a series of interviews, but not all of them were successful. With security on the other hand, I was able to better tailor my application by focusing on my cryptography classes and internship where I worked in the cybersecurity space. I also researched the companies that I applied to.</p><h3>Preparations and Interviews</h3><p>At this point, you now know what you are looking for and how to market yourself. The next step is to submit the actual application and, hopefully, go through the interview process. Most internship applications consist of the following: resume, cover letter, referral, and personal information. I’ll go through everything I did and maybe you can learn something useful.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Alh3uAICGasMJN_ElS_t5g.jpeg" /><figcaption>Resume</figcaption></figure><p>First thing I did was prepare a resume. There are two strategies here, either you can tailor a resume to each individual company you apply to or use a general one. I used a general one. The template you see above came from the university career center. On a separate note, I did receive much help from various student organizations, particularly ACM. Generally, students will have a very good idea of how the internship application process works and seeking advice from them is strongly recommended. In fact, they were arguably the biggest factor in helping me find an internship. Anyway, your resume is obviously up to you, but I recommend including some contact information, related experience, academic achievements, contests, technical skills, projects, and education. There are probably others I’m forgetting, but those are the ones I included. As for the cover letter, an example can be found from the university at this link: <a href="https://jobs.ucsd.edu/CoverLetterTips.aspx">https://jobs.ucsd.edu/CoverLetterTips.aspx</a> Last and most certainly not least is the referral. 
Having someone who works at your desired company write a strong referral is a massive benefit to your application. I highly recommend exploring this option if possible. Even if it cannot be done, there is a strong importance to networking. Unironically, leveling your speechcraft can help you better navigate the workspace, make connections, and leverage deals.</p><p>Now you are at the interview stage. Different jobs will have different interview styles, but most will be either technical or behavioral. Most likely, you will undergo a series of interviews as opposed to just one. To prepare for the technical interviews, I did two things. First was the LeetCode Blind 75. Here’s the link: <a href="https://leetcode.com/discuss/general-discussion/460599/blind-75-leetcode-questions">https://leetcode.com/discuss/general-discussion/460599/blind-75-leetcode-questions</a> LeetCode is a powerful tool, but how you use it can greatly influence how you absorb information. Personally, I recommend selecting topics that more commonly appear in interviews. This can be found out by researching the company beforehand, or by doing the Blind 75. This list includes a list of questions that have the greatest chance of appearing on any interview. Second thing you can do is prepare any technical knowledge or facts that you can be asked. Cybersecurity interviews are more like the latter, so I prepared topics like Incident Response, Programming Concepts, DevSecOps, Networking, and Basic Cryptography. I even went as far as to just google “most common cyber security interview questions”. At the bottom, I attached some of the links I used. As for the behavioral interviews, take note of the STAR Method. Follow this link to get a better understanding of how this works: <a href="https://www.themuse.com/advice/star-interview-method">https://www.themuse.com/advice/star-interview-method</a>. Keep your responses short and effective. 
If you don’t need to elaborate on something or if something can be shortened, shorten it.</p><blockquote>“Simplicity is the ultimate sophistication” (Da Vinci)</blockquote><h3>Ending</h3><p>You just finished your interviews. After waiting some time, hopefully you got an offer. I applied to countless (and I mean literally countless) internships and ended up with only 2 offers. Out of the two, I decided to accept one of them as a Security Intern at Confluent, a medium-sized company based in Mountain View. Throughout the application process, I was definitely discouraged by my rejections and sometimes I didn’t even hear back. Very often was I greatly disheartened, but I knew I couldn’t let that stop me. While it sounds rather cliché, I genuinely do believe that you can produce a similar magic as I did in “finding the light at the end of the tunnel”. With some studying and good preparation, I too think that you can land the internship of your choice.</p><h4>Links</h4><ul><li><a href="https://www.infosectrain.com/blog/top-20-incident-responder-interview-questions-and-answers/">Top 20 Incident Responder Interview Questions and Answers</a></li><li><a href="https://resources.infosecinstitute.com/topic/top-30-incident-responder-interview-questions-and-answers-for-2019/">Top 30 Incident Responder Interview Questions and Answers for 2019 - Infosec Resources</a></li><li><a href="https://www.forcepoint.com/cyber-edu/osi-model#:~:text=The%20OSI%20Model%20(Open%20Systems,between%20different%20products%20and%20software">What is the OSI Model?</a></li><li><a href="https://opensource.com/article/18/10/common-network-ports">14 common network ports you should know</a></li><li><a href="https://www.cynet.com/incident-response/">What Is Incident Response? 
Strategy, Process, Templates &amp; More</a></li><li><a href="https://www.edureka.co/blog/interview-questions/cybersecurity-interview-questions/">Top 50 Cybersecurity Interview Questions | Cybersecurity Training | Edureka</a></li></ul><hr><p><a href="https://medium.com/acmucsd/landing-the-internship-of-your-choice-191f5935e172">Landing the Internship of Your Choice</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[What is Multi-Factor Authentication?]]></title>
            <link>https://medium.com/acmucsd/what-is-multi-factor-authentication-6ce2d328444c?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/6ce2d328444c</guid>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[multifactorauthentication]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[passwords]]></category>
            <dc:creator><![CDATA[Tristan]]></dc:creator>
            <pubDate>Fri, 14 May 2021 21:35:22 GMT</pubDate>
            <atom:updated>2021-05-14T21:35:22.717Z</atom:updated>
            <content:encoded><![CDATA[<p>When I first started thinking about how I wanted to start this article, I thought at first to come at it from the angle of why everyone should be using multi-factor authentication, and, truth be told, borderline criticizing those who don’t use it. I thought about it a little more and I decided that’s not the way to do it. Recently, Google said they are going to start turning on multi-factor by default on all ‘eligible accounts’, so I don’t even have to push it on people as it seems the tech industry will do that for me. Instead, I am going to use my time on this article to inform people, both techie people and lay people, on how multi-factor authentication can boost your security, privacy, and even potentially make it easier to log in to accounts you may share with your family and friends (more on this later). So without further ado, let’s jump in.</p><p>The best place to start is asking the question of ‘What is multi-factor authentication?’ Now a lot of people might get upset at this question and say well you should know what it is because a lot of different accounts support it. I don’t think this is the way to look at it though. Let’s start with the technical definitions of what is considered ‘authentication’ in the security world (and yes a lot of this can apply in the real world outside of technology as well). At this point in time, there are 5 categories of authentication: 1) Something you know 2) Something you are 3) Something you have 4) Something you do and 5) Where you are. So these are factors (as referenced in Foundation of Information Security) of security and using more than one of them is multi, hence the name multi-factor. That’s a great start, but what does each of these mean for us? Well, let’s do a quick definition and example of each of these:</p><p>1) <strong>Something you know</strong> is probably the most common of the factors that you see in technology and your day to day life. 
The password you enter to see your email account, the PIN you use to access your work or debit card, or even those weird security questions that some accounts use to verify you are all things that you know. It also tends to be called the weakest in security since we humans (yes including me) tend to be terrible at remembering things and making up original things. Think of 5 of your most used accounts and their passwords. Are they all the same, and if they aren’t, do they use a similar base for the password with slightly different variations? If you answered yes, don’t be embarrassed, we all do it, but that’s what we are here to learn about!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1000/0*RsfZ8k19mQIgmLfE.jpg" /><figcaption>The common password above in the wild</figcaption></figure><p>2) <strong>Something you are </strong>is one that has become much more prominent in recent years on more mobile technology such as smartphones and laptops. Think of the fingerprint scanner (ex: Touch ID on iPhones) or face scanner (ex: Windows Hello) on your phone or laptop. These are actually fairly secure since replicating a biometric attribute is fairly difficult for the normal person. This does not mean it’s impossible and there have been instances of people taking fingerprints from water glasses at restaurants, making 3D-printed faces, and even printing pictures of irises and using contact lenses to fool scanners. Scary stuff, but that doesn’t mean that you should immediately turn off your fingerprint scanners and face scanners because quite frankly, it would have to be targeted at you specifically, so at that point your threat model would be significantly different from a normal person. 
One thing I will mention in closing is that once this particular form of authentication has been compromised, it is compromised forever unless you can change fingerprints or faces, so out of all of these it is the one that cannot be changed.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/182/0*HqyrLXhegc2L145l" /><figcaption>Fingerprint is something you are</figcaption></figure><p>3) <strong>Something you have </strong>is the factor that you may not think you use, but that you actually use fairly often. So, as a few examples of something you have in no particular order: debit cards, identification such as a driver’s license, and physical keys (both real and things like Yubico keys). As you can tell, out of all the factors we have listed so far, this one is one of the few that would be fairly difficult to replicate without stealing something or having advance knowledge of a particular security model. However, like other factors, it is still not invulnerable. If someone steals your keys, then this entire factor is basically moot, assuming you have nothing else in place. Often, it is also fairly difficult to change something like a house lock for every door and the same goes for things like debit cards, if they get stolen. As we will talk about later, this is often why things like Yubico keys (physical keys for online accounts) and debit cards require something like a password or PIN to access, even if you have the key or card. Another common form of this factor is one-time codes, those 6-digit numbers that change every 30 seconds that you might have in an app on your phone. 
This form is one that would require someone to steal your phone, which is why it constitutes something you have.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/412/1*RRs2GmEr2G6bLa-p3PiHtw.png" /><figcaption>Yubico Key for online accounts</figcaption></figure><p>4) <strong>Something you do </strong>is one of the more uncommon ones and often is the least used in the security world because it tends to be the most unreliable in terms of false positives. An example of this would be doing something like a Captcha, which is one of those popups online that have you confirm if really blurry pictures have buses or bikes. While this may not seem like authentication, you are authenticating that you are a human, not a bot. I think everyone here can agree that Captchas are annoying. They do serve their purpose of keeping bots out of sites and logins, but they are generally not a great experience for the user. I can’t tell you the number of times I’ve failed a Captcha because of the unreadable word or weird looking buses, that even with my college eyes, I cannot for the life of me read. The point is that this authentication factor isn’t usually used for security, but actually tends to be one of the better ones because it is so difficult to replicate. Not only this, but it can be changed fairly easily too unlike something you are.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1000/0*FKaJW4dBcT-WI2t8" /><figcaption>We all hate it, but it does ‘authenticate’ you</figcaption></figure><p>5) <strong>Where you are </strong>is the factor you probably have the least direct interaction with, but is probably the one that has allowed you to find attackers more than any other factor on this list. Take your Netflix, Google, or Amazon account as an example and let’s say you live in Canada. 
If you or another person attempts to log in to any of these accounts from Germany then these accounts will often block you and send an email to the associated email on the account. It usually says something along the lines of ‘Hey, we noticed some suspicious activity on your account that is being logged in from Germany. Was this you?’ Unless you’re actually in Germany, usually this means your account password has probably been compromised and it’s time to change it. This is the most common form of authentication and this one is fairly hard to spoof without breaking the account login. However, it isn’t uncommon for companies to let accounts still be logged in and instead just warn the customer via email, so make of that what you will.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/563/1*Pra5jqNJVuoBYu35z2-lxg.png" /><figcaption>Where you log in matters</figcaption></figure><p>That was a lot, but now we have listed and defined the ‘factors’ that will help us understand multi-factor. Multi-factor is defined as any authentication that requires 2 different factors from the above list and no, using two of the same factors above does not count. For example, having a password and then having to use a fingerprint scanner is a two-factor authentication since it’s a combination of something you know and something you are, but we already know this, so why is having the same factor such as two passwords not multi-factor? It is true that it would theoretically make it harder for an attacker to get access to an account if both passwords were completely different passwords and you didn’t know one of them. So that’s easy right? Well not exactly and yes, that is how that would be secure. The problem with using the same factor twice is that if an attacker can find one instance of that factor, it is often easy for them to find the other. Take our password example and consider how the average person makes a password. 
It’s not hard to show that humans are not very good at coming up with original ideas. Take the word ‘password’, which has been seen 3,861,493 times in its plaintext <em>and</em> hashed form according to haveibeenpwned. That’s crazy, but now consider somebody who has to make two passwords for an account. Yeah, imagine using password and then password1. This is the problem with using the same factor. We can even switch out the second password for those security questions that some companies require you to fill out like the name of your best friend, birthday, and SSN. However, somebody who is looking to break into your account can easily find most of this information online through a Facebook profile (which doesn’t even need to be yours!) or through some googling.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*_upNwH1zMMS-GLJoBMMcZw.png" /><figcaption>What happens when you use password as your password…</figcaption></figure><p>Alright, we are officially through the background, but why do we need multi-factor? Straight off the bat, it is more secure. If an attacker breaks into any of your accounts because they know your password, they are immediately blocked by another layer of authentication that requires them to get a hold of another factor that might be significantly harder to acquire. Now this does not mean you should make a weak password and a strong second factor. The idea is that having two layers of security is better than one, which doubles the effort it takes for an attacker to get into your account. What about accounts that aren’t important like that random account you made that one time to access a sketchy movie online or something like that? Well, if you put your real name, email, birthday, or logged in, you have already given information to that account that is personal to you. It can be used to potentially steal your identity or build a profile for you that can be used for social engineering. 
Even just logging in means the site has your IP address, which could lead to somebody finding your general location. That is a threat that you should be worried about. Or what about somebody using that same information to threaten a family member saying all these things they know about you and then using that information to get money out of them without ever having to make the actual threat? That is the potential harm of not utilizing more secure login tools like multi-factor authentication. Yes, it is more inconvenient, but in the long run it could save you a lot of trouble, time, and even money. A lot of people will say, ‘I have nothing to hide, and if they get access they can’t do anything with my accounts because I have nothing important on there.’ We have already tackled this a little bit, but let’s go in-depth.</p><p>Let’s tackle the argument of ‘I have nothing important and/or nothing to hide.’ The simple argument I will make against this is the question: “Would you leave your front door open and unlocked?” I think the immediate answer would be no. You may have nothing to hide, but I think most people would be reluctant to leave their front door open to the world. What about the nothing important argument? Well, if you forget your bank password, how do you reset your password? One word. Email. So, when I say that you should use multi-factor on something like your email, it’s not because I am trying to make it more inconvenient for you, it is because somebody who has access to your email can reset most passwords to every other account you own, including banks, cellular accounts, and even things like your work accounts at times. Ironically, enabling multi-factor on all of these accounts might save you from somebody that manages to break into your email. The idea is that you assume you are already compromised and you are making it harder for an attacker to move across all your other accounts even if one is compromised. 
This is the power of multi-factor authentication. Everyone, no matter who you are, should use it. Google is already going to make it a default for any eligible accounts and if you don’t already have it enabled, you should enable it. I will attach a few resources below for the most common email accounts and other accounts to get you started.</p><p>In conclusion, I hope I was able to persuade you on why you should use multi-factor authentication for your accounts and even if you don’t fully agree with me, I do hope that you at least consider making your one-factor accounts a little more secure. My goal here is not to force my security posture on you, but to make you more aware of the dangers of overlooking security as a secondary thing in this online world that we live in. We are constantly seeing news and articles of ‘accounts being hacked’ or ‘accounts being breached’ when it was a bad password and no multi-factor authentication. Sometimes that’s all it takes to get access to a whole corporate network. The hackers you see in movies are for the most part few and far between. So what can you do? Make a long password — the longer the better — and give every account a different password as a first step. Any account that offers multi-factor (2-factor in most cases) should have it turned on. 
Share and spread this article around to inform your friends and family about the risks that they expose themselves to every day!</p><p>If you have any questions or feel that anything is incorrect, please reach out to tristantjan@pm.me and stay safe out there as we learn about this digital world together!</p><p>References:</p><ul><li><a href="https://frsecure.com/blog/what-authentication-means-in-information-security/">https://frsecure.com/blog/what-authentication-means-in-information-security/</a></li><li><a href="https://haveibeenpwned.com">https://haveibeenpwned.com</a></li><li>Foundations of Information Security by Jason Andress, publisher: No Starch Press: <a href="https://www.amazon.com/Foundations-Information-Security-Straightforward-Introduction-ebook/dp/B07Q189TCM">Amazon.com: Foundations of Information Security: A Straightforward Introduction eBook: Andress, Jason: Kindle Store</a></li><li><a href="https://fidoalliance.org/">FIDO Alliance — Open Authentication Standards More Secure than Passwords</a></li><li><a href="https://www.yubico.com/product/yubikey-5-nfc/">USB-A YubiKey 5 NFC Two Factor Security Key | Yubico</a></li><li><a href="https://www.apsanlaw.com/law-273.How-to-Prepare-for-a-USCIS-Fingerprints-Biometric-Appointment.html">www.apsanlaw.com</a></li><li><a href="https://www.idginsiderpro.com/article/3335121/12-famous-passwords-used-through-the-ages.html">12 famous passwords used through the ages | InsiderPro (idginsiderpro.com)</a></li></ul><p>Some accounts that allow multi-factor authentication:</p><ul><li>Google Account — <a href="https://support.google.com/accounts/answer/185839?co=GENIE.Platform%3DDesktop&amp;hl=en">Protect your account with 2-Step Verification — Computer — Google Account Help</a></li><li>Microsoft Accounts — <a href="https://support.microsoft.com/en-us/account-billing/turning-two-step-verification-on-or-off-for-your-microsoft-account-b1a56fc2-caf3-a5a1-f7e3-4309e99987ca">Turning two-step verification on or off for your 
Microsoft account</a></li><li>Apple ID — <a href="https://support.apple.com/en-us/HT204915">Two-factor authentication for Apple ID — Apple Support</a></li><li>Amazon Accounts — <a href="https://www.amazon.com/gp/help/customer/display.html?nodeId=G9MX9LXNWXFKMJYU">Amazon.com Help: About Multi-Factor Authentication</a></li><li>Epic Games Accounts — <a href="https://www.epicgames.com/fortnite/en-US/news/2fa">Enable Multi-Factor Authentication (MFA): Epic Games Account Security &amp; Privacy</a></li><li>Steam Accounts — <a href="https://support.steampowered.com/kb_article.php?ref=4020-ALZM-5519">Steam Guard — Steam Support (steampowered.com)</a></li><li>US Bank — <a href="https://answers.usbank.com/answers/s/article/How-to-change-additional-authentication-options">How to change my Login &amp; security authentication options. (usbank.com)</a></li><li>Wells Fargo — <a href="https://www.wellsfargo.com/privacy-security/fraud/articles/two-factor-authentication/#:~:text=Wells%20Fargo%20may%20require%20two-factor%20authentication%20to%20confirm,%C2%AE%20or%20the%20Wells%20Fargo%20Mobile%20%C2%AE%20app.">Two-factor authentication helps protect the one and only you (wellsfargo.com)</a></li></ul><hr><p><a href="https://medium.com/acmucsd/what-is-multi-factor-authentication-6ce2d328444c">What is Multi-Factor Authentication?</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Cyber Member Spotlight — Gideon Tong]]></title>
            <link>https://medium.com/acmucsd/cyber-member-spotlight-gideon-tong-210792510de4?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/210792510de4</guid>
            <category><![CDATA[usdc]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[acm]]></category>
            <category><![CDATA[member-spotlight]]></category>
            <dc:creator><![CDATA[Jessica Lam]]></dc:creator>
            <pubDate>Sun, 02 May 2021 23:44:32 GMT</pubDate>
            <atom:updated>2021-05-15T00:11:26.701Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cyber Member Spotlight — Gideon Tong</h3><p>Learn more about ACM Cyber member Gideon Tong!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/500/1*Bscy1uKovW1CT_eCbAdm4A.jpeg" /></figure><p><strong>What’s your major? What drew you to this field?</strong></p><p>I study Electrical Engineering with focus on machine learning and controls — I think it’s really cool to bridge the gap between building great software and building great hardware, and with a better understanding of hardware, I can write software that runs faster than anyone else’s. It’s also great to expand a little and not totally be stuck in the computer science bubble as well. My dad taught me how to build my first computer when I was 4, and gave me a Borland C++ book for my 5th birthday, to which I learned programming on. This was long before I had any internet access and I actually installed the IDE via a CD, which no one uses anymore.</p><p><strong>How did you become interested in cybersecurity?</strong></p><p>I didn’t have WiFi in my house and I had a Wii which I wanted to play Mario Kart Online, and began my foray into the world of Linux utilities like airmon-ng for cracking WiFi passwords. While this might not have been the most ethical thing in the world, a week after I cracked it my neighbor removed the password from their WiFi, thus allowing anyone to connect and allowing me to play Mario Kart Online to my heart’s content. My interest throughout the years has been very surface-level, so naturally I wouldn’t be able to tell you anything about what to study to obtain an A+ certificate.</p><p><strong>What are some cool cybersecurity related/other projects you’ve undertaken? Or have there been any fun CTFs you’ve participated in recently?</strong></p><p>I recently set up a compute cluster of Chinese single-board computers, Raspberry Pi’s, and iPhones totalling 96 cores and 54 GB of RAM. 
It sips power since I’ve throttled each board to 5W of usage through a custom power delivery solution I built myself (is this the EE in me speaking?) and it’s wired up using a random gigabit switch I bought from eBay. That, in turn, is built into a larger network that I’m currently developing to be on 10 gigabit (if I can find a switch under $50, that is), to connect wired/wirelessly 7 members of a group that I’m a part of. All this is going to be used for interesting things…</p><p><strong>What are your long term goals (if any) ?</strong></p><p>In terms of cybersecurity, I’d like to reverse engineer the Broadcom stack for the iPhone 6S. This great little board has a strange binary stack that is hard to reverse engineer, even with a cracked SEP (secure enclave) and the ability to run arbitrary code and even Linux (see projects like Sandcastle and checkra1n), only WiFi/Bluetooth for the Apple A8 has been solved, and the Apple A9 is still much of a mystery.</p><p><strong>What’s a fun fact about you :D</strong></p><p>I like to use things for as long as possible, so my main computer is a 12 year old dual-core desktop. It’s definitely on its last legs, but I can still run Valorant at around 20–30 FPS in a virtual machine so it’s not dead yet. I actually run everything in VMs so I can pull the reset at any time. It does take a lot of disk storage, however!</p><p><strong>What are your hobbies / what do you like to do in your free time?</strong></p><p>My projects are pretty large-scale, and it’s not uncommon for me to commit hundreds of thousands of lines per project over the course of a year or spend hours and hours debugging a board. 
More recently I released my Discord bot to the public and it’s now hovering around 150,000 total users, which has caused unnecessary strain on my server network.</p><p><strong>And finally, do you have any advice/something to say to the readers?</strong></p><p>When you want to do something, just do it. 
It may be too hard, your goals may change, you may abandon your project. But your journey teaches you, and it teaches you rather quickly. You may not realize your project is hard (see XKCD #1425), but you’ll learn a little more breadth of knowledge by attempting it. Even challenges that seem insurmountable can easily be broken down into parts, especially in engineering and computer science. And make sure to participate in social events in your field, whether that be hackathons, CTFs, pitch competitions or otherwise, as you’ll learn fast and meet lots of cool people.</p><hr><p><a href="https://medium.com/acmucsd/cyber-member-spotlight-gideon-tong-210792510de4">Cyber Member Spotlight — Gideon Tong</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Writing where no one can see]]></title>
            <link>https://medium.com/acmucsd/writing-where-no-one-can-see-6d2ef568d09f?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/6d2ef568d09f</guid>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[3pac]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[csaw]]></category>
            <dc:creator><![CDATA[Chris McGuire]]></dc:creator>
            <pubDate>Thu, 15 Apr 2021 17:51:19 GMT</pubDate>
            <atom:updated>2021-04-15T18:12:53.763Z</atom:updated>
            <content:encoded><![CDATA[<p>Challenge write-up for <em>widthless</em> from CSAW 2020 Qualifiers.</p><p>In this challenge, we revisit an old trick that, as the hint stated, is kind of funky. Diving into any web challenge can quickly turn into a unique experience and this challenge did not disappoint.</p><p>The challenge was a multistage challenge which presented a series of simple input webpages. On each page a password needed to be submitted to get access to the next webpage.</p><h3>Discovering Zero Width Characters</h3><p>After poking around the first webpage’s source, there is some HTML code that does not seem to have any effect on the appearance of the webpage. These character codes are a variety of zero width Unicode characters.</p><figure><img alt="Screenshot of raw HTML from the webpage. It highlights over the zero width characters found in the code." src="https://cdn-images-1.medium.com/max/673/0*vuNY1-mIrsxFbl9t" /><figcaption>Looking at the raw HTML of the site</figcaption></figure><p>In the HTML, there was also another clue (not in the screenshot), <em>“zwsp is fun!”</em> After some web research, it became apparent this challenge would be about zero width character steganography. Essentially this means information is being hidden by encoding data with and within the zero width characters.</p><p>Null Byte had a really <a href="https://null-byte.wonderhowto.com/how-to/use-zero-width-characters-hide-secret-messages-text-even-reveal-leaks-0198692/">solid write-up</a> on this technique. 
In short, there are Unicode characters mostly from languages other than English that do not appear in most normal output (there are cases where they appear).</p><p>Most surprisingly (for me), this technique goes back to the 1980s according to some of the commenters on a <a href="https://hackaday.com/2018/04/15/hide-secret-messages-in-plain-sight-with-zero-width-characters/">Hackaday post</a> on the topic.</p><h3>Finding the Solution</h3><p>This challenge took a team effort of ideas to understand the problem. Eventually, a <a href="https://github.com/enodari/zwsp-steg-py">GitHub repo</a> by enodari popped up which looked like just the thing that was needed. Once the characters were copied over, we were able to remove the excess and extract the hidden message.</p><p>The tool we used has two different modes. MODE_ZWSP uses Zero-Width Space (\u200b), Zero-Width Non-Joiner (\u200c), and Zero-Width Joiner (\u200d). MODE_FULL uses all of the MODE_ZWSP characters plus Left-To-Right Mark (\u200e) and Right-To-Left Mark (\u200f).</p><figure><img alt="Screen capture of the python script being used to get the hidden message from the zero width characters from the HTML extraction." src="https://cdn-images-1.medium.com/max/952/0*PnlxSgW9brhBspr2" /><figcaption>Python to decode the hidden message</figcaption></figure><figure><img alt="Screenshot of command line showing the results of the script being run." src="https://cdn-images-1.medium.com/max/948/0*rr4EkEeZ3MB0SnNN" /><figcaption>Output from the script</figcaption></figure><p>The output from the hidden text is: <em>YWxtMHN0XzJfM3o=</em></p><p>This looks a lot like Base64. Using a <a href="https://www.base64decode.org/">Base64 decoder</a>, we can get the result of <em>alm0st_2_3z</em>. Now just use this code word in the sign up form!</p><figure><img alt="Screen shot of a webpage with an input box and a sign up button. The password has been completed, which reveals a new URL structure below it. 
The URL structure is a random string with a subdirectory of the password." src="https://cdn-images-1.medium.com/max/557/0*1A6f2Q-RnsXKGtJN" /></figure><p>Doing so gives us another URL to visit. Traveling to the URL, we will scrape the entire HTML page from view-source (ctrl-a, ctrl-c, ctrl-v).</p><p>Remove the excess and get only the raw zero width characters. Again we put this into our script and…</p><figure><img alt="Screen capture of the python script being used to get the hidden message from the second set of zero width characters." src="https://cdn-images-1.medium.com/max/946/0*FI-zET-vlKbJVgnH" /><figcaption>Python to decode the second hidden message</figcaption></figure><p>Voilà! It returns this:</p><figure><img alt="Screenshot of command line showing the results of the second script being run." src="https://cdn-images-1.medium.com/max/670/0*MS3B8aeVH9UTWTyH" /><figcaption>Output from script number 2</figcaption></figure><p>This time the decoded message, <em>755f756e6831645f6d33</em>, looks like hexadecimal. Using a hex to ASCII translator, such as the one from <a href="https://www.rapidtables.com/convert/number/hex-to-ascii.html">Rapid Tables</a>, we get the next password: <em>u_unh1d_m3</em>.</p><figure><img alt="Screen shot of a webpage with an input box and a sign up button. The password has been completed, which reveals a new URL structure below it. The URL structure is a random string with a subdirectory of password 1 and password 2" src="https://cdn-images-1.medium.com/max/526/0*TvrE1KJgk1KP_XA_" /><figcaption>Entering the final password gives the final URL structure</figcaption></figure><p>Yet another URL to explore! However, this time, it is the end! 
Getting to this 3rd webpage allows us to get the flag.</p><figure><img alt="Screen capture of the flag on the final webpage" src="https://cdn-images-1.medium.com/max/867/0*boulGqaEjvr-ZZDX" /><figcaption>Screen Cap of the flag on the final webpage</figcaption></figure><p>The flag being: <em>flag{gu3ss_u_f0und_m3}</em>. Overall this was a fun warm-up to web challenges where our team was able to learn about some different steganography techniques!</p><hr><p><a href="https://medium.com/acmucsd/writing-where-no-one-can-see-6d2ef568d09f">Writing where no one can see</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Cyber Member Spotlight — Alex Guo]]></title>
            <link>https://medium.com/acmucsd/cyber-member-spotlight-alex-guo-9bb20bfbd452?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/9bb20bfbd452</guid>
            <category><![CDATA[acm]]></category>
            <category><![CDATA[usdc]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[member-spotlight]]></category>
            <dc:creator><![CDATA[Jessica Lam]]></dc:creator>
            <pubDate>Mon, 08 Mar 2021 05:39:27 GMT</pubDate>
            <atom:updated>2021-03-08T05:39:27.787Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cyber Member Spotlight — Alex Guo</h3><p>Learn more about ACM Cyber member Alex Guo!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/600/0*FZa6UyEu9ZWPKcTM" /></figure><p><strong>What’s your major? What drew you to this field?</strong></p><p>I am a Computer Science major in Muir College. I developed a peculiar interest with computers and electronic devices during elementary school, wanting to explore the ins and outs of how they work. My first real mobile device was an iPod touch (2nd Generation) from 2008, and my first video game console was the Wii from 2006. My parents self-built a desktop computer (Intel codename “Sandy Bridge” CPU) in 2011, and I am still using that today, even during quarantine. Besides tweaking around with hardware, I took 3D Animation and Computer Science classes in high school, which furthered my interest into computer science. In addition, I participated in computer security extracurriculars, which I will discuss in more detail below.</p><p><strong>How did you become interested in cybersecurity?</strong></p><p>I joined my high school’s cybersecurity organization during the beginning of tenth grade, approximately in the summer of 2015. This was the first year that my high school had a formal cybersecurity organization. Downloading free Windows software from Microsoft Dreamspark (now Azure Dev Tools) was a major perk of joining the cybersecurity team. Another reason that I joined was that my high school was still using Windows XP for most of their computers in 2015 (even after Microsoft’s end of support date) when Windows 10 was about to come out, which I find as a very insecure and outdated practice! I was a head Windows lead during my junior and senior years, and I had weekly responsibilities for training my school’s teams up to speed on various Windows topics. 
My own cyber team competed in multiple cybersecurity competitions, including CyberPatriot, SoCal Cyber Cup (formerly the San Diego Mayor’s Cyber Cup), and the California Cyber Innovation Challenge (CCIC). Our team earned first place in the 2017 SoCal Cyber Cup Challenge and third place in the 2018 CCIC. We advanced to the National Finals Competition for CyberPatriot IX and X in the Open Division, during my junior and senior years. Having the opportunity to travel and compete at the in-person final rounds is probably the most fun part of these cybersecurity competitions. Besides competitions, I attended a couple of security boot camps to enhance my knowledge in computer security, including the SoCal Cyber Cup ESET and USD GenCyber camps. All of these experiences kept me passionate and involved with cybersecurity and computer science.</p><p><strong>What are some cool cybersecurity related/other projects you’ve undertaken? Or have there been any fun CTFs you’ve participated in recently?</strong></p><p>Honestly, I haven’t really done too many security related DIY projects on my own time. I have yet to set up my homelab router/firewall/VPN solution with the Raspberry Pi’s that I received from the 2017 USD GenCyber boot camp and the 2017 CyberDay LA Competition. My apologies for procrastinating on this; hopefully I’ll set up my pi-cluster soon and work on security-related projects on my compute cluster. In terms of competitions, I am a part of the Collegiate Cyber Defense Competition (CCDC) team right now, specializing in Windows Server configuration and defense. This will be ACM Cyber’s second year competing in the CCDC, and it’s quite eye opening to see our team make regionals for the first time this season! I have high hopes for success for such a young team. 
What’s exciting yet scary to witness for the CCDC is the Windows and Linux boxes getting hacked and defaced by the red team (uh oh)…</p><p><strong>What are your long term goals (if any) ?</strong></p><p>My goal in a few months is to earn my Security+ certification because I have been putting this off for way too long now. My long-term goal in industry is to work in areas in regards to cloud, security, and enterprise infrastructure. There is a lot more to Computer Science than just working as a software engineer, and frankly, I have not fully made up my mind yet.</p><p><strong>What’s a fun fact about you :D</strong></p><p>I have played around with every major client and server version of Windows since Windows XP (yes, the operating system you used when you were a kid). Of course, I also dive into various Linux distributions.</p><p><strong>What are your hobbies / what do you like to do in your free time?</strong></p><p>I’m a DIY’er who likes to take apart electronics and assemble them back together. Note that I am a tech enthusiast, so I probably spend too much time looking at computing and technology news, especially for products involving the manufacturing and assembly of semiconductors.</p><p><strong>And finally, do you have any advice/something to say to the readers?</strong></p><p>I am going to leave you all with this saying from UCSD’s retired Simple Boy in the Midwest: “Start Early, Start Often!”. However, it is never too late to explore any subfield of computing, including cybersecurity, machine learning, architecture, graphics, and much more. Computer security may sound daunting at first, since there can be a high learning curve for some people. Weathering through this path, whether through security workshops or competitions such as CTFs, is very enjoyable and fulfilling at the end.</p><p>I hope to see all of you ACM Cyber ppl in person someday when it is safe to do so! Stay safe, and we are all in this together! 
(pending COVID-19 vaccinations and state/county restrictions)</p><hr><p><a href="https://medium.com/acmucsd/cyber-member-spotlight-alex-guo-9bb20bfbd452">Cyber Member Spotlight — Alex Guo</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Cyber Member Spotlight — Kira Tran]]></title>
            <link>https://medium.com/acmucsd/cyber-member-spotlight-kira-tran-8be782ffce3c?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/8be782ffce3c</guid>
            <category><![CDATA[member-spotlight]]></category>
            <category><![CDATA[usdc]]></category>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[acm]]></category>
            <dc:creator><![CDATA[Jessica Lam]]></dc:creator>
            <pubDate>Mon, 01 Mar 2021 16:54:08 GMT</pubDate>
            <atom:updated>2021-03-01T16:54:08.498Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cyber Member Spotlight — Kira Tran</h3><p>Learn more about ACM Cyber member Kira Tran!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*3aE9AN2ux60WqgIq" /></figure><p><strong>What’s your major? What drew you to this field?</strong></p><p>I am majoring in computer engineering (Warren college woo!). I started programming with Scratch (best programming language don’t @ me) in middle school and continued learning with computer programming classes in high school. I also did a few summer programs. In my sophomore year, I lived at a university and took college classes (my closest experience to “normal” college life to this day :’( rip). One of my classes was an introductory EE course, where we worked with Arduino. I loved being able to understand the circuitry and tinker with the hardware while also programming the circuit to make fun projects! In high school, I also led a club to teach people about the Makerspace, which was brand new at the time. In the process, I learned a lot about using the equipment and had fun messing around with the technology. I think those were probably the two most influential experiences I had in high school when it came to choosing a major.</p><p><strong>How did you become interested in cybersecurity?</strong></p><p>I was part of the cybersecurity club at my school. After letting me sit in on one of their competitions, the members of the club were not welcoming at all and it actually took me the better part of two school years to become an “official” member of the team. So, while I was trying to get the club to let me in, I started participating in picoCTF individually to get a sense of what the competition questions would look like. I still don’t have much experience, but I’ve enjoyed what I’ve done so far with the club at my school, with picoCTF, and with ACM Cyber!</p><p><strong>What are your long term goals (if any) ?</strong></p><p>I’m not entirely sure! 
I’m hoping to explore software engineering this summer. Next school year or next summer, I’m looking at quantum computing research or a quantum programming internship. I am hoping to learn more about quantum computing and its potential effects on cybersecurity (both positive and negative!) in the meantime. I don’t know whether I want to do an REU or do research at a company yet, so I’ll be looking more into that as well .-. Ultimately, I’d like to pursue hardware. This is a bit far away but the goal is also to get an internship in semiconductor chip design before I graduate if possible! Obviously, this is the idea for now, but it also depends on whether I end up liking software engineering or if I find another interest I’d rather pursue. Overall though, I’m hoping to figure out what industry to go into, though I’m guessing probably chip design or quantum hardware at this point. But again, who knows what the future holds? ^-^</p><p><strong>What’s a fun fact about you :D</strong></p><p>I don’t like the sound of really crunchy apples :(</p><p><strong>What are your hobbies / what do you like to do in your free time?</strong></p><p>I like to do digital art and computer animation in my free time! (though I’m not much good :p) Other than that, I don’t really have free time!</p><p><strong>And finally, do you have any advice/something to say to the readers?</strong></p><p>I’m always looking to make friends so feel free to say hi on Discord (KT#2811)! :D thanks for reading</p><hr><p><a href="https://medium.com/acmucsd/cyber-member-spotlight-kira-tran-8be782ffce3c">Cyber Member Spotlight — Kira Tran</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Cyber Member Spotlight — Jessica Lam]]></title>
            <link>https://medium.com/acmucsd/cyber-member-spotlight-jessica-lam-8e4c5741ae55?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/8e4c5741ae55</guid>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[acm]]></category>
            <category><![CDATA[member-spotlight]]></category>
            <category><![CDATA[usdc]]></category>
            <dc:creator><![CDATA[Jessica Lam]]></dc:creator>
            <pubDate>Mon, 22 Feb 2021 04:41:28 GMT</pubDate>
            <atom:updated>2021-02-22T04:41:28.851Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cyber Member Spotlight — Jessica Lam</h3><p>Learn more about ACM Cyber member (and Member Spotlight writer) Jessica Lam!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/500/0*uKS4f5D51UnTrR4W" /></figure><p><strong>What’s your major? What drew you to this field?</strong></p><p>I’m majoring in computer science — I was introduced to CS through a short 1 week summer program right before I entered high school. I found that I enjoy it because it was challenging and because I loved the problem-solving aspect, that coding problems were like logic puzzles. I also really like the idea of being able to be a part of something that can impact so many people!</p><p><strong>How did you become interested in cybersecurity?</strong></p><p>I joined my high school’s Cybersecurity club and participated in CyberPatriot the first time in my junior year. I was thrown onto an Ubuntu VM and was told to Google anything I didn’t know. It was definitely a steep learning curve (at the time I didn’t even know what Linux meant) but the challenge was what got me so interested in the competition and in cybersecurity in general.</p><p><strong>What are some cool cybersecurity related/other projects you’ve undertaken? Or have there been any fun CTFs you’ve participated in recently?</strong></p><p>I’m currently doing research as a part of UCSD’s early research scholar’s program where my group is writing a tool that essentially can tell whether or not certain programs are vulnerable to a side channel attack called CopyCat. 
I’ve also recently been learning Go to prepare for my summer internship and hopefully will try to write something cool using it by the end of the school year :D</p><p><strong>What are your long term goals (if any) ?</strong></p><p>I don’t know if I have anything specific, I just want to learn as much as possible and hopefully finally pinpoint what I want to pursue a career in (since there are so many things we can do with CS or even within Cybersecurity itself!)</p><p><strong>What’s a fun fact about you :D</strong></p><p>I was in marching band all 4 years of high school and played in the front ensemble! This means instruments like the marimba, xylophone, etc. During concert season I had to prepare a solo performance each year (there’s a video or 2 of some of my performances floating around somewhere…)</p><p><strong>What are your hobbies / what do you like to do in your free time?</strong></p><p>I’ve recently gotten back into art — I mostly just sketch or doodle and use it as a way to take a break and relax from everything school related. I also dug up my old drawing tablet and have been trying to learn how to do digital art when I have time!</p><p><strong>And finally, do you have any advice/something to say to the readers?</strong></p><p>Sometimes it feels so daunting going into cybersecurity because of how large the field is and how it sometimes feels like you’ll never know ‘enough’. However, I like to think of that as a challenge and just take time out of my day to learn a little bit at a time. It’s easy to feel like you’re stagnant in your progress but you’ll be surprised at how much you’ve learned when you look back! I’d say just keep pushing onward in this field or any other that you’re interested in! 
It also really helps to find a community within people in this industry so try leveraging ACM Cyber or other communities as much as possible.</p><hr><p><a href="https://medium.com/acmucsd/cyber-member-spotlight-jessica-lam-8e4c5741ae55">Cyber Member Spotlight — Jessica Lam</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Cyber Member Spotlight — Annie Dai]]></title>
            <link>https://medium.com/acmucsd/cyber-member-spotlight-annie-dai-8ec394e4f088?source=rss----355978bf3e20---4</link>
            <guid isPermaLink="false">https://medium.com/p/8ec394e4f088</guid>
            <category><![CDATA[cyber]]></category>
            <category><![CDATA[acm]]></category>
            <category><![CDATA[usdc]]></category>
            <category><![CDATA[member-spotlight]]></category>
            <dc:creator><![CDATA[Jessica Lam]]></dc:creator>
            <pubDate>Mon, 15 Feb 2021 05:26:39 GMT</pubDate>
            <atom:updated>2021-02-15T05:26:39.062Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cyber Member Spotlight — Annie Dai</h3><p>Learn more about ACM Cyber member Annie Dai!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*W8Vn3kfLFrQwL4QG" /></figure><p><strong>What’s your major? What drew you to this field?</strong></p><p>I’m a Computer Science Major — and originally, it was my second choice! But I think that I’ve taken to it a bit more nowadays. An understanding of the devices that we use every day, as well as the ability to optimize your own life (writing scripts, editing .css files, and .json files) are all things that I do now that I hadn’t before. And besides, who doesn’t want to be the tech support of your immediate circle?</p><p><strong>How did you become interested in cybersecurity?</strong></p><p>I’ve been interested in cryptography from a very early age. In fact, I can remember writing my own ciphers in elementary school on a Post-it note — very simple substitutions, for the most part. Later on, I joined a high school Science Olympiad team and competed in the CodeBusters event, where I learned about Hill Ciphers, Affine, RSA, Morse, and how to encrypt/decrypt all of these in real time. Nowadays, I see my interest in cyber security as an evolution of all that — fueled by a drive to better understand how the technology in our everyday lives works.</p><p><strong>What are some cool cybersecurity related/other projects you’ve undertaken? Or have there been any fun CTFs you’ve participated in recently?</strong></p><p>Last summer I was studying for the CompTIA Security+ certificate, before those plans were moved to next summer. 
I’ve also been looking at Natas and the past CTF writeups to better understand cyber security topics that aren’t exactly cryptography.</p><p><strong>What are your long term goals (if any) ?</strong></p><p>I would like to get that certification, certainly.</p><p><strong>What are your hobbies / what do you like to do in your free time?</strong></p><p>I read fantasy, think about writing my own stories, and fold origami. Very artsy things that you wouldn’t ordinarily associate with this field.</p><hr><p><a href="https://medium.com/acmucsd/cyber-member-spotlight-annie-dai-8ec394e4f088">Cyber Member Spotlight — Annie Dai</a> was originally published in <a href="https://medium.com/acmucsd">ACM at UCSD</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>