
Back-to-School Edition

August 2021

The Teach Cyber Byte

Today's newsletter is chock-full of information. In this Byte, we:

1) announce upcoming events and important information for the 2021-22 school year,
2) open the application for US Cyber Range grants for the 2021-22 school year,
3) open the community donations fundraising program, and
4) define the term "SQL Injection" and look at some sample injections to see the concept in action.

If you enjoyed this Byte and know someone else that would, please feel free to forward and share our newsletter! (Please note: if you forward this to someone else and they click "unsubscribe," you may be unsubscribed from the mailing list.)

ANNOUNCEMENTS

1. Unit 6 is Now Available
Unit 6 explores economic issues in cybersecurity. Comparatively, unit 6 is short, estimated at eight 50-minute class periods. And while it is a smaller unit, it touches on the important role that economic incentives and motivations play in cybersecurity, or insecurity as the case may be. Units 6 and 8 introduce students to the socio-political dimensions of cybersecurity and are foundational for developing student interest in cybersecurity governance and policy.

2. Other Curriculum Updates
Over the summer, Teach Cyber updated units 1 and 2 and they are now available on the website. The updated files are titled v1.2 to make them easy to recognize. The changes are minor and the change log can be found HERE.
The release schedule for future updates is:
Unit 3 - September
Unit 4 - October
Unit 5 - November
Unit 6 - December
Unit 7 - January
Unit 8 - February
3. Virtual Lounges
In September we will pick back up with our Virtual Lounges. The Virtual Lounges cover a wide range of topics about secondary cybersecurity education to include what to teach, how to grow your program, career awareness, and more. STAY TUNED!

4. We are Growing
Meet Nancy Stevens. Nancy recently retired from her 29-year teaching career in computing education. Over the past five years, Nancy has a) served as a curriculum developer on the C5 project that integrated cybersecurity into AP-CSP, b) been a site visitor for GenCyber, and c) been on the curriculum development team for the Teach Cyber courseware. Teach Cyber is lucky to have her expertise and experience. Nancy will be helping move forward the Teach Cyber mission in building capacity in secondary cybersecurity education. You can contact her at nancy.stevens@teachcyber.org.
5. Be A Part of Making Change Happen
Cybersecurity is a fairly new field of study. It started in higher education about 25 years ago at the graduate level. Over the past two decades, cybersecurity programs have grown at the baccalaureate and associate degree levels.
And over the past 5 years, cybersecurity units, courses and pathways have been growing at the secondary level. This development is needed; cybersecurity is currently one of the fastest growing career fields in the United States.

There is a lot of work that needs to happen to build cybersecurity pathways that are robust, sustainable, and effective. Teach Cyber's mission is to help nurture the cybersecurity education ecosystem. If you want to be a part of making change happen, please volunteer by email to proponent@teachcyber.org.

6. White House Summit on Cybersecurity
Cybersecurity threats and incidents affect businesses of all sizes, small towns and cities in every corner of the country, and the pocketbooks of middle-class families. Compounding the challenge, nearly half a million public and private cybersecurity jobs remain unfilled. These cybersecurity challenges are not new, but they are growing. In response, the White House held a Cybersecurity Summit last week as a call to action. You can read more about it here. Teach Cybersecurity. Change the Future.

US CYBER RANGE GRANT APPLICATIONS

Teach Cyber will provide grants to support US Cyber Range access to schools that are implementing the Teach Cyber courseware in their High School Cybersecurity Course or Pathway. To be eligible to receive a grant, the course/pathway must be for grades 9, 10, 11, and/or 12.
Preference will be given to courses that are working toward dual/concurrent enrollment and schools with higher financial need. The application deadline is September 15, 2021.

Help Us Help You

Teach Cyber is a project within DARK Enterprises, which is a non-profit organization dedicated to Nurturing a Sustainable Cybersecurity Education Ecosystem.

We are able to provide US Cyber Range grants, the curriculum, the virtual lounges, etc., through grants and the generous support of foundations and individuals.

There are two ways you can support Teach Cyber today.
  1. Amazon Smile - You shop. Amazon Gives. To donate to Teach Cyber, please use the DARK Enterprises Amazon Smile link: https://smile.amazon.com/ch/47-4951875
  2. Make a direct donation here: https://teachcyber.org/donations-and-partners/ Every dollar counts.
WORD OF THE WEEK

"SQL Injection"

SQL injection (sometimes abbreviated as SQLi) is an injection attack that uses malicious commands to interfere with the queries that a web application makes to its database. These commands use SQL, the Structured Query Language, a special computer language used to design and manage the data stored in databases. Web applications often access a database via SQL commands to provide site functionality, like allowing users to log in to their accounts or query a database for information [1]. The use of SQL on the backend of web applications is nearly ubiquitous, which makes SQL injections one of the most common web hacking techniques.
While the threat of SQL injection to a web application can be avoided through security-aware development, severe SQL injection vulnerabilities can allow attackers to read sensitive data from an application's database, modify database data, and even execute administration operations on the database or operating system (such as shutting down the database server entirely) [2]. Thus, SQL injection vulnerabilities threaten all components of the CIA triad for a database. Because SQL databases can hold sensitive and proprietary information, SQL injections constitute a severe threat to confidentiality. Additionally, just as it's possible to steal the data, it's also possible to change the stored information or even delete it using command injections, impacting database integrity and availability.
Because SQL injection vulnerabilities are so common and severe, the Open Web Application Security Project (OWASP) organization lists injections in their OWASP Top 10 document as the number one threat to web application security [3]. Many high-profile data breaches in recent years (Yahoo, LinkedIn, Equifax, and Epic Games, to name a few) have resulted from SQL injection attacks [4]. These breaches can damage an organization's reputation, result in fines and litigation, and even endanger lives depending on the stolen data. In some cases, an attacker can also use command injections to obtain a persistent backdoor into an organization's systems, leading to a long-term compromise.
While all versions of SQL, including MySQL, Oracle, and Microsoft SQL Server, can be targeted by SQL injection attacks, there are many mitigations and defensive measures that developers can use to protect their applications. The absolute best way to mitigate SQL injection is to avoid insecure methods of passing queries to the database altogether. Developers should always use prepared statements to pass queries to the database. These ensure that the query and the search term are kept distinct, meaning that the entered data cannot be mistaken for part of the query command itself [5]. Tools like Burp Suite and SQLMap can also be used to automatically search for SQL injection vulnerabilities on a website [6]. Let's see a few SQL injections in action to get a better idea of how they work (and how they can be avoided).
WORD OF THE WEEK IN ACTION
A simple SQL query looks something like this:
SELECT username, password FROM users WHERE username="Alice";

This query will get the username and password from the "users" table for the account whose username matches "Alice." If the site works by placing the user's input directly into this command, an attacker can alter the query to suit their own intentions. They won't be able to remove the beginning of the query, but they can make additions to the existing one to devastating effect.

So what if an attacker entered something like `Alice" OR 1=1;` instead of just `Alice`? This would append another condition to the end of the query, causing the search to return the usernames and passwords for ALL accounts in the users table. This is because the username can match "Alice," OR one can equal one, which will always be true.

Additionally, if the query checks for a specific password, the input "--" could be given in the password field, which is a comment in SQL. This would nullify the password check and rely only on the username field, which could be changed to something like "administrator," potentially granting admin privileges to a site without ever knowing the administrator's password.

SQL injection attacks can be substantially more advanced than these two examples, however, and their impact is limited only by the attacker's creativity. Advanced query logic can be employed to retrieve data from other databases via UNION queries, and other SQL features can be used to learn information about the site even when no query results are directly returned to the user. This type of SQL injection is called a "blind injection" and uses features like delayed load times to reveal information and vulnerabilities in a web server. An example blind SQL injection might ask the web application to sleep for 15 seconds if the first letter of the first username in the "users" table is "A," for instance. These injections take much longer to reveal the information, but they can still achieve the same results as regular injections [7].
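As an added illustration (not from the original newsletter), the Python script below runs the "Alice" lookup above against a small constructed SQLite table in two ways: first with the user's input concatenated into the query text, then as a prepared statement. It uses standard single-quoted SQL string literals rather than the double quotes in the query shown above, so the injected input is `Alice' OR 1=1--` (the `--` comment from the password example above swallows the leftover quote).

```python
import sqlite3

# Constructed sample data for the demo; not from the original page.
ROWS = [("Alice", "pw-alice"), ("Bob", "pw-bob"), ("administrator", "pw-admin")]


def make_db():
    """Build an in-memory users table like the one in the newsletter example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    # The input is pasted straight into the SQL text, so a quote in the
    # input closes the string literal and the rest is parsed as SQL.
    query = f"SELECT username, password FROM users WHERE username='{username}'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, username):
    # Prepared statement: the SQL text is fixed and the value is bound
    # separately, so the whole input is compared as one plain string.
    query = "SELECT username, password FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchall()


def demo(username):
    """Return (rows from the vulnerable query, rows from the prepared query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_prepared(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for entered in ["Alice", "Alice' OR 1=1--"]:
        vuln, safe = demo(entered)
        print(f"{entered!r}: vulnerable query -> {len(vuln)} row(s), "
              f"prepared statement -> {len(safe)} row(s)")
```

With the injected input, the concatenated query returns every account in the table while the prepared statement returns nothing, because no username is literally `Alice' OR 1=1--`.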
WANT TO LEARN MORE?
If you found this Byte interesting, you can find more information about data security and secure software design in the "Intro to the Challenge of Cybersecurity" course, Units 4 and 7, respectively (free to registered users).

To try out SQL injections on your own, you can visit intentionally vulnerable web applications such as Google Gruyere and HackThisSite. The DVWA and OWASP Juice Shop can also be hosted on your own device to learn more about SQL injections from both the defensive and offensive sides.
Please remember, however, that it is a crime to perform SQL injections on any site that hasn't given you their express permission. With great power comes great responsibility!

[1] Acunetix. What is SQL Injection (SQLi) and How to Prevent It. Acunetix Website Security Blog. https://www.acunetix.com/websitesecurity/sql-injection/

[2] Open Web Application Security Project (OWASP). SQL Injection. OWASP WWW Community. https://owasp.org/www-community/attacks/SQL_Injection

[3] Open Web Application Security Project (OWASP). OWASP Top 10. OWASP WWW Community. https://owasp.org/www-project-top-ten/

[5] Malwarebytes. What is a SQL Injection Attack? Cybersecurity Basics. https://www.malwarebytes.com/sql-injection/

[6] PortSwigger. SQL Injection. Web Security Academy. https://portswigger.net/web-security/sql-injection

[7] PortSwigger. SQL Injection. Web Security Academy. https://portswigger.net/web-security/sql-injection