Transcript from the "Security Checklist" Lesson
>> Jem Young: When it comes to security, there are a few key ways that we think about how to lock down our server. The first one we talked about before was SSH, secure socket shell. So instead of using a username and password, we use SSH. Because the problem with a username password is, one, humans, we tend to reuse the same password over and over again.
[00:00:23] Or we'll use variations of password or password1. In fact, security researchers, when they look at stolen passwords, they say, what are the top five common stolen passwords? And they're like 12345. And you're like, I made my password requirement eight characters rather than five cuz that's more secure. So what do people do?
[00:00:44] 12345678. I'm not kidding, if you look at hacked passwords, it'll be password or password with, instead of an a, an @ symbol. Humans, we're our own worst enemy. So what we do is we create these security rules and protocols that help us kind of not shoot ourselves in our foot, cuz you will.
[00:01:06] If I didn't tell you, we'd probably still be doing everything as root, and bad things entail. So it's best to follow the best practices of the community. Another way of handling security, and the one you're probably all familiar with, is firewalls. Another one is just keeping your software just up-to-date.
[00:01:25] Because vulnerabilities and zero days, they happen all the time. In fact, there is big money in zero days. And I say zero days, but what is a zero day? I'm sure you've heard the term before.
>> Speaker 2: Unpatched vulnerability.
>> Jem Young: It's an unpatched vulnerability, specifically one that the company itself, so Microsoft or Apple or Google, has not found or documented yet.
[00:01:52] So it's an undocumented vulnerability, and zero days are worth a ton of money. We're talking millions of dollars, depending on what the exploit is. And there's so much so that there's entire companies that all they do is try to find zero days and then sell them to the highest bidders.
[00:02:07] These are kind of known as gray hats in the world, because they're like, well, we're not actually doing anything bad with this. We're just handing it off to someone else. So gray hat is known as someone who's morally ambiguous. The good security researchers, the people that are trying to protect you and keep your software up-to-date and are trying to find vulnerabilities and then tell the companies about them are known as white hat hackers, and are security people.
[00:02:31] And the bad ones, the nefarious ones, are known as black hats. And then there's the lowest here of hackers and bad security people, which are known as script kiddies. Those are people that just download things from the Internet and then run it against entire IP ranges trying to break in, yes?
>> Speaker 3: One of the most famous zero day things was Stuxnet, where our government or whoever attacked the Iran radioactive program or whatever, nuclear program. And then they used four zero day things as a worm to spread this worm into the facility, it's just crazy.
>> Jem Young: Stuxnet is fascinating.
[00:03:19] We're talking about security, every government in the world has their own security teams and hacking teams and zero day teams. They won't talk much about it, but they all have them because it's this cyber war that's going on. But I won't say war, cuz it's not official, but pretty much everybody's trying to break into everybody all the time.
[00:03:37] If you look at your auth log you see that there's people trying to break in your server right now. Stuxnet is a really interesting example. And it goes back to, what can someone do if they gain access to your server? So what Stuxnet did was they chained a bunch of zero day, so that is unpatched, unknown bugs.
[00:03:54] And they usually start with some sort of a stack overflow or something like that, something innocuous. But if you can make a computer stack overflow, you can make it throw an error, and that error, you can control. And then once you start chaining those together, you can actually start doing something.
[00:04:07] So even the most minor vulnerability can turn into something major if someone knows what they're doing. And what Stuxnet did was they planted software into, I wanna say it was the USB drives, that's how it started. Because this was a nuclear facility that refined uranium, or plutonium, probably uranium.
[00:04:24] And they're like, okay, we know we're dealing with things that are really dangerous. We're not gonna connect to the Internet at all. So what Stuxnet did was they hooked up to someone's USB drive. So I don't know, a secretary or someone, so whenever they hacked their computer. So whenever they plugged in the USB drive, they dumped the software into that.
[00:04:45] So when that person went to work and they plugged in that USB to, I don't know, watch movies or something, whatever people at nuclear facilities do, that now got on to their server. So even though that computer wasn't connected at all to the Internet, they now managed to infiltrate the entire network, which honestly is next level hacking.
[00:05:03] If you can hack someone's server without actually being connected to it, that's like only something governments can achieve, or really, really, really big funded companies. But what they did was really subtle. They just turned off the controls for the things that refined uranium. So they just made them spin out of control.
[00:05:22] And they literally destroyed millions and millions of dollars in machinery and set them back years. All because their servers weren't secure and their security protocols were bad. So again, I say this to scare you because you should be scared. You don't know the unintended consequences of having bad security.
[00:05:38] Another common security factor is two factor authentication. That just means instead of just SSHing, you would SSH and then they send some sort of push notification to your phone. A device you'd have on you or a UB key you plug into your phone, and then you say, yes, this is me.
[00:05:52] It's just another layer of authentication that we're all pretty familiar with. But that doesn't always work too because there are ways around that. For instance, Jack Dorsey, CEO of Twitter, got hacked because Twitter has this weird workaround where you can still send tweets via text message. So all they did was they called up AT&T and they said, or whatever his phone company was, they said, hey, I got a new phone, I'm Jack Dorsey.
[00:06:18] And they're like, are you sure? They're like, yeah. They're like, okay, sounds good to me. And so his probably long password, his two factor authentication was rendered worthless because there's just a way around it. That's why when we think about security we're talking about creating an entire wall around everything we do.
[00:06:35] And then every step of the way we say, are you sure? Are you sure? And it seems really onerous whenever we have the sudo things, but it's because of that. You always want security on every step of the way. Another security feature that probably most companies use is a VPN, a virtual private network.
[00:06:52] That's essentially a wall between the Internet and the Intranet, which we discussed earlier. Intranet is private Internet. And it just means everything through the wall is unencumbered. You can develop, you can push, you can pull, you can login to servers as long as you pass through the rigor of the VPN.
>> Jem Young: I can talk more about VPNs a little later, cuz they're not super critical right now. But in general, I surf the Internet using a VPN. Probably most of you should at some point. It's a little safer and it prevents snooping.
>> Jem Young: I'll talk about that later, if you want, towards the end.
[00:07:27] I don't wanna get hung up on security, cuz I keep telling stories about it cuz they're really interesting.