Lesson video

In progress...


Hello, and welcome to lesson three of cybersecurity.

Now this lesson is called script kiddies, but actually really what we're going to do is explore the concept of hacking.

So all you'll need for this lesson is your computer and web browser.

And other now, if you can clear away any distractions that you might have, turn off your mobile phone, and if you've got a nice quiet place to work, that'd be brilliant, and when you're ready, let's get started.

Okay, so in this lesson, we're going to explore what hacking is in the context of cybersecurity.

We're also going to look at some common cyber attacks, such as DDoS attack and a brute force attack.

We'll also look at strategy to reduce the chance of a brute force attack being successful.

Then finally, we'll look at what laws are in place to deter some hackers from doing these kinds of things, okay.

We're going to look at the computer misuse act, but before we get going, I've got a really, really important job for you to do to help us out.

So, first of all, George, our friend George, his phone is run out of battery and his family are really worried about where he is.

So what we need you to do is to hack into his Facebook account to see if you can find out where he is right now.

Okay, so now before we do that, I'm going to see if I can guess password.

Okay, I know George really well, and I know that he loves pizza.

So I bet his password is got something to do with pizza.

So I'm going to head over to the login page and see if I can log into his account using a pizza password.

Okay, So I've managed to find a way to kind of navigate to his password but so I'm going to type in pizza.

See if that works.

Now it says, Oh right.

Colour TV, says incorrect password.

Try again.

Le me go put a password hint on that which is colour TV, right.

I'm not sure what that is, so I'll tell you what we can do.

Let's have a look at their social media posts and see if we can work out any clues that George's put that might give us an indication to what that colour TV might mean, okay.

So let's have a look at that now.

Okay, so here are social media posts.

So what I'd like to do is I'd like to pause the video.

Can you just analyse his posts there and see if you can work out what colour TV might mean? So pause the video and see how you get on with that.

Right? Okay.

So how did you get on with that? Did you come up with an answer? I'm not sure I've got anything.


You know what? I think I've pulled out ones that might be helpful to us.

So I'm going to go look at the next screen.

How about theses? Feels like there's something maybe I could do with the three social media posts.

So again, pause the video, have a look at the three and see if we can work out what colour TV might mean.

Okay, right.

So I think looking at this colour, I mean, he mentions the reds and then red go matching in, so maybe it's still a red.

That might be the colour T V I mean, I don't know.

We got Homer.

They're so funny though.

That's the TV show, Isn't it? That's the Simpsons, is it? Let's have I look.

So let me try putting in something related to that.

Right? Okay.

So it's colour.

So I think reds, that's not a colour red.

I put red and then TV, Simpsons, red Simpsons.

That didn't work.

I know what makes a password a little bit more secure? maybe putting in capital letters, right? So maybe if I put red and then Simpsons like this with a capital R capital S, I'm in, excellent.

Okay, so it says to put in this into my web browser, so I'm going to do that.

I'm going to open a new web browser now.

Right, et's have a look at what it's opened up.

So we're now into George's Facebook account, okay.

So I'm not sure if you can see this very well.

So I'm just going to zoom in and see if right, okay.

So Rebecca said, woah mate, I think you've changed your password, you've been hacked.

That might be me.

Fergus says, thanks for your email.

I had no idea that you're stuck abroad.

So I clicked on the link on your email and transfer money the money that you need.

Oh, no.

Fergus I don't think that's a good idea.

Hope you get back okay.

George also thinks somebody has been hacking to conquer.

George on posted that some strange things happening on my account.

I, I think maybe I've been hacked while he has a clear cause we've just hacked into his account.

So he says we're off to the movies tonight.

George want to come? Ah, there we go with George is at the movies right? There we go.

So now we worked hard.

George was at the movies.


So we've hacked into his account and now we can safely tell his parents that George was at the movie so they don't need to worry and he'll be back soon.



Now we just hiked into George's account.

Now, does that make us hackers? Because that's what we just did.

We just get this password and we looked at clues and we worked hard that showed you that makes us a hacker.

Right? I think it does make us a hacker.

So, but is it ethical? What we've done? Well, let's explore this in a little bit more detail.

Let's look at what actually hacking is.


So let's look at hacking then.

Now, if I was to give you a definition of what hacking is hacking in the context of cybersecurity, and I put it that way, cause sometimes you hear the term hacking away at code that doesn't mean editing and changing it and improve in somebody else's code or manipulating it to make it your own.

But it hacking in terms of cyber security really means gaining an authorised access to or control of the computer system.

So in that note, what we've done though, with George's account, we did gain unauthorised permission.

We didn't get permission from George to do that.

And yet we find that found our way into his account.

So why might people want to hack? So I'd like to pause the video for a second and save, you can work out why people might want the hack.


So I've come up with a few reasons and see what you think and we'll go through them.

Now, first of all, people like to hack steal data.

If they hack into someone's account, that might be that they've hacked into their, their bank accounts or something.

So that would also be for financial gain as well.

They might be able to then transfer money across to their own account.

They might just want to hack into a system to gain the information they might want to gain into like a, a rival company and find out what they're doing with their latest product development.

They might just want to disrupt services.

They might want to close down their systems and, and want to cost us disruption just for purposes to maybe even just stop them.

That company from functioning properly, it might be for political reasons.

So maybe some activism or espionage might want to find out some government secrets or something, but they might also just want to disrupt what the government are doing.

Maybe they don't agree with the goal, what the government are doing.

And they just want to cause some problems and show that they're they're cross and angry.

Some reasons they're just simply for fun.

Some people just want to hack, because they have the technical ability to do so.

And they're just going to show that they can, so they might want to try and show that they can hack into the FBI system or something like that must be a really bad idea, but they might just do it.

So it's called planting the flag.

And then finally we kind of already talked about this in some respects, but for ethical reasons as well, it may well be that they don't believe what a company is doing is morally right.

And they just want to show that this rope, what that company is doing, go to make that stunned.

And that's very similar to the political reasons that we looked up before.


So that's when we debated about whether or not hacking into George's account was ethical or not.

So let's kind of have a think about what is unethical versus what that's ethical.

So let's have a look at this scenario.

So it says a company is harming animals by testing their cosmetic product products on them.

Now I think we can all agree that we might feel not good about that and think that's a bad thing for that company to be doing.

So is it ethical to hack into their systems to find the data that will expose our practise to the whole world? What do you think about that? So you might just want to pause the video again and just think, well, I'm not sure we need to try.

And in your head justify what you think about that.

You might not like that company, but is it okay to then go ahead and do something unauthorised and break into their systems and to prove what they're doing is that ethical or not? Now? I think only you can decide is that ethical, but we're going to look at what the law would tell you later on in this lesson.

So let me move myself on the other side So you can read this.

So it says; penetration testers, otherwise known as pen testers or people who are paid to legally hack into computer systems with the sole purpose of helping a company, identify their weaknesses in their system.

So penetration test is an interesting concept because a company will pay them to come look at their system and deliberately try and hack into it so they can work out maybe where the loopholes are in their system or where the weak points are.

Now that is still hacking, but because the company has paid them to do it, does that make it ethical? Does it make it okay? Would that still be breaking the law again? This is something we're going to explore us.

The lesson moves on.

So let's move to the next slide.


So we're introducing a new term here called Hacktivism.

And I really like that term because it's two words put together it's hackers and activism.

So it was obviously activists who use hacking as a medium to form their protest.

So hacktivists are rarely motivated by theft, but more interested in creating disruption to cause public embarrassment or to promote a cause.

For example, it might be a political reason.

It might be protesting for example, against civil liberties or climate change, but it might also be targeting major corporations that they feel are doing wrong somehow.

So the case study we've got here is around something called the Dyn cyber attack.

And the story starts with a, with an organisation called WikiLeaks.

Now WikiLeaks has an organisation that leaks news or information that they feel is in your interest to know.

Now the founder of WikiLeaks, Julian Assange was wanted by the U S government for espionage offences.

Now what Julian Sanchez.

He took refuge in the, the Ecuadorian embassy in London.

So that meant the UK and the us forces couldn't term or police forces and governments couldn't arrest him.

Now, at some point, whilst he was there, the Ecuadorian Embassy decided to rescind his Julian Assange's internet access.

Now that made a lot of people really cross and a group called the New World Hackers got together and claimed an attack, which was, they disrupted the internet access for millions of Americans.

Now I'll read this.

It says it later emerged that it was probably this job or a new world hackers was probably done by script kiddies.

So let's look at what the term script kiddies means.

Now, script kiddies.

Script kiddies are hackers, but not necessarily kids.

The kiddies part really refers to the fact that they're not they maybe novices or beginners in the hacker's world.

They don't necessarily need to have the technical expertise to know how talking to a system.

All they do is download and use tools that does that job for them.


Now it's thought that the 2016 den cyber type was done by script kiddies using a DDoS attack.

Now we can see that the image on the screen there, that's kind of a heat map of where the, of the areas of America, where internet was disrupted.

So people who are in that, in those areas, they weren't able to access the internet when the, when the attack was taking place.

But like I said, there was done by a DDoS attack.

So again, let's look at what DDoS attackers, but we'll start off by looking at what a DoS attack is.

So not a DDoS attack, but just a DoS attack.

Now that's known as a denial of service attack.

So this is a cyber attack in which a criminal makes a network resource unavailable to its intended users.

And that's done by flooding the targeted machine or website with lots of requests in an audit to overload the system.

So what let's do is a messages are constantly being sent to the server over and over again, till eventually it can't open anymore.

And it just shuts down and, and it overloads and it crushes.

And it's like your computer.

If your computer is doing too many things at the same time and you computer can't cope with it, eventually it just overheats and shuts itself down.

So that's what a DDoS attack.

It's one computer sending tonnes of files, lots of messages at a server until the server eventually crushes.

So what's a DoS attack.

So a DDoS attack, it's the same concept, but this time it's a distributed denial of service attack.

And that's means it's multiple computers sending the multiple computers, sending the messages out at the same time.

So it's not just one, one computer sending it.

It's multiple.

Now, the reason why I DDoS attackers more effective for a hacker is that it's a lot harder to stop the attack by simply blocking a single source.

So we might have software in place that recognises if we've got lots of requests from the same, same device, then we just, we can put things in place to stop that device from sending messages, but DDoS using so many that it makes it really difficult to do that.

It's also really difficult to identify who is responsible as lots of machines and making the request.

And many of them might not even know that they're making the, the attack because their computer might have been affected by something called malware, which means that when the attacker wants to, they can wake up all these machines and send multiple tasks at the same time and the person who's used them, might not even be aware that their machine is conducting an attack.


So we'll move on to the next form of attack, which is called a Brute force attack.

Now this is a form of type that makes multiple attempts to discover something such as a password.

It's a brute force attack.

it just means it just keeps going until eventually it achieves what it wants to achieve.

Now, we normally see this in the form of passwords because it's almost like multiple attempts of trying to crack a password by going over and over again, maybe running through every combination in the dictionary, for example, until eventually we find one that lets us in.

So with that, I've got an exercise for you to complete.

So I've created a Python script that will run through different dictionary or, or let us combinations of letters.

And I'd like you to type in different passwords and see how long it takes my programme to crack your password.


So follow the instructions on your worksheet.

So I'd like to head over to task one on your worksheet now and follow through all the activities.

There are multiple activities for you to do, and hopefully you'll explore how this works and maybe how, if we make co passwords more complex, it makes it a little bit harder to crack the password.


So if you pause the video had equity worksheets and I'll be here when you get back.

So how did you get on with that? Now, if you haven't already thought about this question, just pause the video for you to have a think about what the answer might be, but for a brute force attack, what rules do you think a company might place on their login system to reduce the chance of a brute force attack being successful? Okay.

So let's say if you pause the video and see if you can think about that, but if you've already thought about it with your worksheet, then you can just carry on with the video.

Now this is something that we're going to explore in a future lesson in this unit, but actually you may have come across or we may have thought about things such as you might only allow a certain amount of attempts to, to be made on a password before you block that, you know, account or stop any more attempts being made to login into account.


So next question.

Thinking about the exercise that you just completed, what simple password rules would you set yourself to reduce the chance of a brute force attack being successful? Again, you might want to pause the video just to think about this.

Now it's worth noting that on the worksheet that you just did.

All the pastors that we attempted were all terrible passwords.

They weren't going to be passwords that we would recommend that you use, but they should have just highlighted the fact that the more complex you make a password, there may be the harder it is for a brute force attack to be successful.

So for example, you may come up with some rules such as it must be a minimum of seven characters and must include a capital letter, a number under special character.

But actually, I mean, that would be really good advice certainly, but another good bit of advice for a password would be to use three random words.

Cause that way it's hard for anybody else to guess.

It's hard for a brute force attack to be successful, but most importantly is easy for you to remember because the problem with doing really long passwords with special, special characters or symbols and numbers, it's kind of counterproductive if you yourself can't remember the password.


So let's look at the computer issue sites.

Now it won't surprise you to know that there's laws in place to stop things like auditor, more actors to Terrence, sorry for, for things like brute force attacks and DDoS attacks.

So The Computer Misuse Act was created in 1990 and this was, this act was passed by parliament and established three new offences.


So section one ;is gaining an authorised access to computer material.

Now, if you were to hack into a system and just look at the data, it might even just be to plant the flag.

Like we talked about earlier to say that, you know, I've done it and I can or it might just be for your interest sake, that was still be breaking the law.

And that would break section 1, of the Act.


Even if you didn't have any intention to do anything malicious or, or bad once you've done it.


So let's move on to section 2.

So section 2, is the same as section one.

So as gaining an authorised access, but this time with intent to commit or facilitate the commission of further offences.

So that means hacking the account and then doing something bad.

So doing something malicious.

So that might be maybe you've hacked into a bank account.

Now that will be breaking section 1, but section 2 would be actually using that to information and maybe transferring some money out of that account, maybe to your own bank account that would be breaking section 2, or it may be that you break into somebody's email and use that information for blackmail purposes.

That would also be breaking section 2.


And then finally, section 3, this is an authorised acts with the intent to impair or with recklessness as to impairing the operation of a computer.

So this is doing some damage to a computer to stop it from working.

Now that might be stop it working temporarily or forever, but that was certainly be section 3.


So let's put this into practise.

We talked earlier about the 2006 Dyn Cyberattack.

Now what I'd like you to do is answer three following questions.

So which of the three sections that we just learned about in the computer misuse act does a DDoS attack violate.

Cause it didn't, it didn't attack was a DDoS attack.

So which part of the computer misuse act would the DDoS attack violate.


Can you justify why you think it's section 1, 2 or 3 and then third of all, what is a maximum punishment for this crime under this act? Now we haven't explored what the punishments are, but what I've done is I've created a online tips leaflet for you.

So on your worksheet, if you head over to it in a second, there's a, there's a, there's a computer misuse like fact sheet for you.


Now what I'd like to do with that fact sheet is I would like you to look out to the three sections.

It'll tell you what's counsellor breaking each on the three sections, but also tells you what is the punishment for breaking each one of the sections.


So you're going to head over to your task two worksheet now, and I'd like you to complete task two, which is to answer three questions, but remember you've also got the fact sheet to help you.


So if you pause the video and I'll be here when you get back.


So how did you get on with that? Okay.

Hopefully you're able to use the fact sheets and get the answers that you needed.

So let's go through the answers to that then.


So which of the three sections of the computer misuse sites does the DDoS attack? Well, it was violated.

So section 3, sorry.

It was section 3 of the Act.

And why was that? Or because, because it's a DDoS attack and it's constantly hitting the servers service.

So they shut down then that, for that.

that was reckless recklessly empowering the operation of computer systems. Okay.

Because it's impairing this operation, it's unable to function anymore.

Therefore that would be section 3.

Now, if you looked at your factory, you'll know that actually the maximum punishment for this crime under this Act is 10 years in jail.


Quite sobering thought.

So let's move on to the final part.

Now we're quite familiar and comfortable with, with the computer misuse act and the three sections of it.

What I'd like to do is look at maybe some scenarios that may be a more realistic to your life.


So I'd like to look at the three scenarios that you've got in your worksheets.

And then again, go back to your fact sheet, work out which section they might be breaking if at all they break any.

And then if they do break any of them, what's the maximum punishment for those crimes.


So if you pause the video and then we'll finish the lesson once you're done.

So let's go through the answers and hopefully you've got the same as me.

So the first one was without permission, you took your friend's phone correctly, guessed their pen, open their banking up and transfer money into your account.


So does that break the computer misuse? yes, absolutely.

It does.


Now that was section 1 and 2.

Cause remember section 1 was gaining unauthorised access and section 2 was then to commit or facilitate further crime.

So the further crime was you transferring money into your own account.


So you weren't authorised to access the phone and therefore further, further crime that happened once you gained access to it.


So the next one, then you used a brute force attack to gain access to your friend's email account to prove a point that their password isn't secure.

Does that break the computer misuse that well, yes it does.

It does because you gain access to somebody's account without permission.

Although, you know, you might consider it ethical to do so.

There is no permission given therefore section 1 was broken.


Now the next one, A work colleague leaves their computer unlocked while away from their desk and you go onto their computer and read their emails.


So is that, does that break the computer misuse that well, technically, no it doesn't.


So while this is a malpractice for you to do that and the company they worked for might consider this a punishable offence because the company wouldn't want you to do this as there's been no attempt to bypass any security that's in place that does not actually break the Computer Misuse Act.


And then the last one use a tool to download to.

So you use a tool you downloaded to knock a friend offline from an online game that they were beating you up.


So does that break the computer misuse that yes it does.

Yes it does, and it's section 3 So this is an unauthorised act with intent to impair the operation of a computer system because you're impairing the operation by taking them off the server or ruining the server that they're on.


So that would definitely be breaking section 3.



So that's all for lesson three.

I hope you've enjoyed exploring the different types of hacking techniques.

Remember, we've learned about some really interesting concepts today.

We've learned about hacking a more broadly.

We've learned about brute force attacks.

We've learned about a DoS attack, DDoS attack.

And we also learned about that really interesting cyber attack called the Dyn cyber attack.

And so how those attack mythologies of hacktivism took place.


So anyway, that's all for this lesson.

I really hope you enjoyed it.

We'd love to know your thoughts on the lesson.

Maybe you could share with some information about any examples where you think you might've come across the computer misuse are being broken.


And if you'd like to do that, then please do share it with us on an ask your parents or carer to share your work on Instagram, Facebook, or Twitter, tagging @OakNational and using the #LearnWithOak.


So I look forward to seeing you in lesson four.


So bye.