Transcript from the "Why Security" Lesson
>> Jem Young: Security is honestly one of the most important things you'll do, which kind of run contrary to what we do as engineers. We think, no, my job is to build things and connect things and make sure the pipes are running smoothly and everything like that. But the thing about security is none of, none of your cleverness, none of your code, none of your fast application matters if you have no security.
[00:00:23] Because you know what's gonna happen, some 13 year-old is gonna come in and wipe your server or he said to you mine Bitcoin or something like that. Why, because they can. And as we noted when we looked at our blog. People are trying all the time. They're trying right now on your server and you're thinking, I don't have anything worthwhile.
[00:00:41] I'm gonna keep my BitCoins on my server. Hopefully you don't. But people wanna get in anyways just because they use it to build lots of nefarious things or just try to steal passwords, credit card information, things like that. You never know what's gonna be on a server. So people just wanna know and they're gonna keep trying to get in.
[00:00:58] So security is one of the more important things we're doing. That's why there's an entire section on this. Even though it's full stack engineers, you probably won't do as much security as you think. There's dedicated people that dedicate their entire lives just doing security and operations, security, things like that.
[00:01:12] But these are good practices to keep in top of mind. So the question on security is, jump there, what could someone do if they gained just to access to your server, anybody? What could someone do if they gained access to your server? Yes, Gale?
>> Speaker 2: If you do the horrible thing of reusing your password, they have your password for other things.
>> Jem Young: Yes, that's a good one and that's more common you think. I've seen security professionals that they have their password taped to their monitor, because old habits are hard to break, which is why we don't even use passwords in this class. We use SSH keys because you while you can reuse those, you can't steal unless you physically take someone's computer or their device.
[00:01:54] What else can someone do if they have access to your server?
>> Speaker 3: Redirect your site to them. Nefarious sites.
>> Jem Young: Yeah, they can absolutely. They can say, I want to bankofusa.com. But it's actually not actually bankofusa.com to site that looks exactly like it because they can just copy your HTML and CSS and JS.
[00:02:12] And then everytime you type in your credentials, they're just cyphing that off. Even better if you weren't using HTTPS, they can actually forward everything to the actual real site. So that the the people running the site don't know that it's broken and they're just stealing all the traffic in between.
[00:02:28] That is actually it's called a man in the middle attack. And that's very, very common, before HTTPS and, honestly, it's still far to common. There's easier ways to prevent that. What else could someone do? Anything, what else? Yes.
>> Speaker 2: They can kind of run their own server on your server and until you get banned.
[00:02:45] And then all of a sudden, your legit stuff is not working cuz your IPs are banned from services like a mailbot or something like that. Like when people's bridges were spamming the world.
>> Jem Young: Yeah, they can lock you out of your own server. So that like all that data and all that time and code you put in, they can steal it and lock you out of it and you can't get it back.
[00:03:06] And you'll say, DigitalOcean I can't get in my own server. They'll be like we can't get in your server. That's on you, pal. What else could people do? I wanna hear more, Mark do you have something?
>> Speaker 3: Scrape your database.
>> Jem Young: They can scrape your database, they can take all that credit card information or unencrypted passwords which today, people still leave unencrypted password in database.
[00:03:25] Don't do that. Hopefully, you will never be in that position where you have to be saving passwords to database. They'll be someone who is more qualified but most of the hacks of the internet were by people who got hacked. Because someone like me who knows enough to be dangerous thought, I’ll use an MD5 hash.
[00:03:45] But I'll just do it five times and I'll hash a password using MD5 which is a very breakable hashing mechanism. And I'll save that and it looks secure. But because the database wasn't locked down and the permission weren't locked down. They got into the database and you are like, it's okay because everything is still safe cuz it's encrypted and then they decrypted that.
[00:04:05] Honestly and that happens way more often than you'd like to think. And because there's a password reach every other day now it seems like it's all due to bad security. And that's why security is really, really important because at the core, if you're running a hospital or bank or I don't know, investment company you have people's lives in your hands.
[00:04:28] Your life can be ruined if someone steals your password, steals all your money or something like that you can't pay rent, the power gets shut off things like that. So security is really, really important. What's probably even more common thing that happens when people servers get broken into.
[00:04:45] This one's a little trickier.
>> Speaker 2: Overloaded with requests.
>> Jem Young: Yeah, so that's the end result, what they do is they could turn into what's known as a botnet. And that's just a program that they install a backdoor. They won't do anything. And in fact, if you're really good in Unix, you can delete all the logs.
[00:05:06] So someone could break in, do a bunch of stuff, delete the logs that show that they ever were there which is pretty common. There's a script that will do it for you. And then they just turn into like a silent botnet and they might not do anything for months or even years.
[00:05:20] But when it comes time they can activate your server, shut down all the running programs and then turn that into a way of DDoSing people. That's distributed denial of attack, which means I can take all of my servers and point at, say, netflix.com and try to take down assigned level of overwhelming traffic.
[00:05:35] That is overwhelmingly what a lot of hack servers do. And then once they're done hacking, sometimes they just wipe your servers completely. The more nefarious ones, we're starting to see a lot more, is what is called cryptojacking or ransoming. So what they'll do is, Mark like you're saying earlier, they'll steal your database credentials, they'll encrypt all of them.
[00:05:56] They'll encrypt your entire database which is, invaluable information and then they'll sell it back to you for money. Because they encrypted it and they only they have the password. That happens a lot, especially with hospitals and entire towns in America are getting a ransom because they still they took over their server and encrypted everything.
[00:06:17] So at that point, you can say I'm gonna lose 20, 30, 40 years with the data, or I'm gonna pay these people ransom. And there's no guarantee they didn't leave others things in your system that will pop up to three years later that you can't find. So all that is to scare you, and deliberately cuz it's really scary if someone gets in your server.
[00:06:35] Now someone gets root access, it's game over. You can do anything you want with root, which is why the first thing we do is disable root. But it's not a cure all.