5

I will be giving a presentation on "cyber security" to a school class of 16-year-olds and want to show them how network security works, how important privacy is (and why it matters) and how to protect oneself online.

Apart from (static) general slides on the topic, I want to show them in a visually appealing and understandable way how "hacking", tracking for advertisement and phishing work.

So far I have prepared:

  • A WiFi hotspot with mitmproxy running to intercept a WhatsApp message sent from a prepared phone
  • Wireshark running on the same hotspot to show them how easy it is to inspect their web traffic
  • Firefox Lightbeam addon to show them how ad networks track them

Now I'm looking for more ideas / proofs of concepts of hacks that are easy to deploy / run and show how (in)secure something is.

What are good proof-of-concept implementations for general security awareness training?

3 Answers

5

Sounds like you really put some thought into that lesson, sounds really fun. I used to run a gaming company and our players were around that age. Here's what we dealt with most:

Maybe you could give an example of brute forcing insecure passwords and how simple it is to hack your accounts with insecure passwords.

Maybe you could give an example of a keylogger that is installed via an email attachment or Java web applet. Most examples of this I saw used a YouTube video advertising "cheats" for a game if they install something, but really it was just a keylogger or a RAT.

Maybe you could give an example of session hijacking (for example their Facebook session).

Maybe you could show how easy it is to make a copy of a website and send somebody to it to steal their password. For example, what we saw a lot is YouTube videos claiming that you can get free stuff on a website only if you entered your password... obviously they stole the stuff :-) You could do this by making a post on a forum that accepts HTML input in posts and adding something like

<a href="http://facebook.login.example.com">Log In To Facebook</a>

Lastly, maybe you can put something about the exposure of yourself when you add somebody on Skype (IP address, maybe location etc).

Hope that helps!

3

Pim gave a great answer on the security aspects. You also mentioned privacy, so I'd add in a talk about the privacy policies that various companies have, and the importance of THAT. Security is about who you trust with your data, and you shouldn't necessarily trust the provider either.

The perfect example is of course the Facebook mood manipulation study. That was perfectly legal because of the terms and conditions set forth by Facebook. I'm sure some of them had heard of it, but aren't aware they inherently agreed to Facebook doing whatever they please when they sign up for Facebook.

Post-Snowden, you can't really talk about privacy without mentioning the elephant in the room of the NSA. I'm not sure how to best broach that topic, as it's political, but maybe an open discussion about what they know about the NSA surveillance, and what the facts are.

1

I'd add browser security. Take an old version of IE and show a browser exploit for it in action. Some people just can't understand that you either need to get a secure browser, or be very careful with what you browse, even if you're not downloading anything.

Also, something to stress is the danger of password reuse. I don't think there is a good way to demonstrate this, but it's an important topic.

You could instruct them on the dangers of "fake" websites. For example, make a slide with the screenshots of a real popular website like FB and a (real) high-quality "fake" of it, and see how many of them can tell which is the real one. You could also make two slides with different websites, an "easy" one with the address bar shown, and a "hard" one with the address bar hidden, to make it more of a challenge.

I'll update my post if I think of anything else.
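
Added example, not part of any of the answers above: a small link checker for the classroom that makes the "read the address bar" lesson concrete, using the `facebook.login.example.com` link from the first answer and the real-versus-fake exercise from the last one. The function names, the brand list and the short suffix list are assumptions made for this demo; a production check would use the full Public Suffix List.

```javascript
// Added classroom example; the names and lists below are constructed for the demo.
// Simplification: real tools use the full Public Suffix List, not this short list.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
// Constructed brand list: brand keyword -> the domain that brand really uses.
const KNOWN_BRANDS = { facebook: "facebook.com", youtube: "youtube.com", skype: "skype.com" };

// The registrable domain is the part somebody actually registered; everything to
// its left is a free-form subdomain the owner can name however they like.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host; // IP literal
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const take = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Check one link: which domain controls it, and does it name a brand it is not?
// Only the hostname and the visible link text are compared, not the URL path.
function inspectLink(href, linkText = "") {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { verdict: "invalid", domain: null, reasons: ["not a valid absolute URL"] };
  }
  const domain = registrableDomain(url.hostname);
  const reasons = [];
  let lookalike = false;
  if (url.protocol !== "https:") reasons.push("not served over HTTPS");
  const claimed = `${url.hostname} ${linkText}`.toLowerCase();
  for (const [brand, realDomain] of Object.entries(KNOWN_BRANDS)) {
    if (claimed.includes(brand) && domain !== realDomain) {
      lookalike = true;
      reasons.push(`mentions "${brand}" but the site belongs to ${domain}`);
    }
  }
  return { verdict: lookalike ? "lookalike" : "ok", domain, reasons };
}

// The link from the first answer, next to a genuine one.
console.log(inspectLink("http://facebook.login.example.com", "Log In To Facebook"));
console.log(inspectLink("https://www.facebook.com/login", "Log In To Facebook"));
```

Run it with Node.js and let the class predict each verdict before the output appears; the point to draw out is that the hostname is read from right to left.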
