Am I secure visiting a web site?

--Originally published at Tech and no-tech

It is normal, knowing the threats that exist in Computer systems and on the Internet, that we could be scared of surfing the web. It is valid to be scared of web sites and to doubt about their security and their countermeasures. Any web site or web page can be a target for people to attack or can have an unintentional threat within it. What are we supposed to do? Do not use the Internet?

As I already wrote, there are always potential vulnerabilities and threats when visiting a web page or site. When? For example, in these cases:

Loading a new page with dynamic content
Making a search (product, location, price)
Filling out a form
Searching the site’s content
Using a shopping cart
Creating an account
Logging in

Every time there is interaction between the user and the web site, that might involve server or external communication, is a potential threat. And let’s just remember that we trust some pages with very confidential or crucial information about us.

Businesses have, normally, two ways to choose from, to address the security of their site. The first one involves having very professional guys working on the code of the page, which know about security and that can apply patches or updates at once when needed. And having security experts checking their job. It is like a double-check. O yes, and do not forget they will have a tight firewall, antivirus protection and will run IPS/IDS.

The second option is to run a web scanning solution to test existing equipment, applications, and web site code. They will also have a tight firewall, antivirus and run IPS/IDS, but they will also lock their front door. Why? Well, it is easier to fix the actual bugs they have, than just keep building higher walls

Continue reading →

How to protect?

--Originally published at Tech and no-tech

When people know they are in danger, what do they tend to do? Yes, people tend to protect their selves. How can we protect in these cases? There are a lot of countermeasures we can implement or follow. These may not eradicate the problem, but will definitely lessen the threats and make you feel safe.

KEEP YOUR GUARD UP! Countermeasures range from software to hardware countermeasures, passing through behavioral countermeasures.

Software countermeasures:

Personal firewalls
Application firewalls
Anti-virus software
Pop-up blockers
Spyware detection/removal programs

Hardware countermeasures:

Router that can prevent IP address from individual computer be visible on the Internet
Biometric authentication systems
Physical restriction of access to computers and peripherals
Intrusion detectors
Alarms

Behavioral countermeasures:

Frequent deletion of sorted cookies and temporary files from web browsers
Regular scanning for viruses and other malware
Regular installation of updates and patches for operating systems
Refusing to click on links that appear within e-mail messages
Staying away from questionable web sites
Regularly backing up data on external media

Now, a video:

And now, a potato:

In collaboration with:

Fernando Chávez

References:

Definition: Countermeasure – SearchSoftware

Common malware and countermeasures

MALicious + softWARE = MALWARE

--Originally published at Tech and no-tech

A malicious software, more commonly known as a malware, is a program or file that is able to harm a computer. Viruses, worms, spyware, etc. are all part of the malware. Malware are designated for many different functions like stealing, erasing, encrypting, and so on and so forth.

The most common types of malware are:

Virus: this is the most common. This malware executes itself and spreads to other programs.
Worm: this type of malware is able to self-replicate and, thus, spreads alone.
Trojan house: Trojans, as in real life, are disguised as a normal, non harmful, program and, when executed, their malicious intentions start.
Spyware: This type of malware is intended to spy and steal data and information.

What can we do about it? Protect ourselves!

How? With an anti-malware.

What is an anti-malware? An anti-malware is a set of tools created for the only purpose of identifying, removing and preventing malware from infection computer systems.

And now, a tutorial that might help to remove malware from your computer, hopefully.

Yeah…safe mode…

In collaboration with:

Fernando Chávez

References:

Definition: Malware – SearchSecurity

Definition: Malware – Webopedia

Long story short about unintentional threats

--Originally published at Tech and no-tech

So far I have been writing about a lot of issues with the Internet and computer’s security. And there are a lot more of issues. All these issues are called intentional threats, but there also exist unintentional threats? WTF? How come there are unintentional threats? What do you mean?

Human errors, environmental hazards, and computer failures are these so called unintentional threats. Organizations and companies are responsible to establish policies or give solutions to, at least, reduce these errors. Some examples given Rainer and Cegielski on their book Introduction to Information Systems:Supporting and Transforming Business are:

Changes to critical data should be monitored with permissions to designated individuals only.
User manuals should be developed to control access.
Dispose all printouts appropriately.
Separate job functions.
IT Auditors.
Encryption of data.
Keep transaction logs to see who has accessed programs and when.

In collaboration with:

Fernando Chávez

References:

Computer Security &Threat Prevention for Individuals & Organizations

Unintentional Threats

Today we learn cryptography

--Originally published at Tech and no-tech

I have talked about a lot of ways of protecting systems and information. Protect through security policies, authentication, unique passwords, the CIA, etc. But there is still more. There is a way of transmitting data so that only those for whom the data is intended can read it. This method or tool for protecting information in information security and computer systems is called cryptography.

Cryptography, nowadays, is more related with scrambling plain text so that is does not make sense, because it needs to be put in order again. Though, cryptography includes many other ways to hide information, like microdots or combining text with images.

There are two main steps:

Encryption: Turning plain text into cipher text, by any method.
Decryption: Turning cipher text into plain text.

Cryptographers, who are in charged of practicing cryptography, along with modern cryptography have four main objectives:

Confidentiality: The information cannot be understood by anyone.
Integrity: The information cannot be altered in storage or transit without the alteration being altered.
Non-repudiation: The sender cannot deny at a later stage his or her intentions in the creation or transmission of the information.
Authentication: The sender and the receiver can confirm each other’s identity and the origin/destination of the information.

Access for everyone. Well, for everyone authenticated.

--Originally published at Tech and no-tech

Have you ever been asked to enter your credentials when trying to access a website or some sort of information? Maybe to access your school’s webpage, your work’s site or a social network? Yes, by credentials I may be referring to username and password or any combination of things to authenticate yourself. Of course, this is called authentication.

This is done to determine if a person or thing is, in fact, who or what he is claiming to be. Though, it is important to make a difference between authentication and authorization. Being authenticated does not mean you have been granted permission to read, write and/or execute any file. The administrator is in charge of granting this permission. The process of the administrator plus the process of checking user account permissions to access resources is called authorization.

There exist different authentication factors like:

Knowledge factors: a category of authentication credentials consisting of information that the user possesses, like username and password.
Possession factor: category of credentials based on items the user has with him, normally a hardware device or a mobile phone.
Inherence factors: a category of authentication credentials consisting of elements that are integral to the individual in question, in the form of biometric data.

On the other hand, access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment. There are two main types of access control: physical (limits access to buildings, rooms, etc.) and logical (limits access to networks, data, etc.).

The four main categories of access control are:

Mandatory access control
Discretionary access control
Role-base access control
Rule-based access control

Access control systems perform different tasks:

Authorization
Authentication
Access approval
Accountability of entities

In collaboration with:

Fernando Chávez

References:

Definition: Access control

Continue reading →

Live long and read the security policy

--Originally published at Tech and no-tech

Companies should have an idea on how to protect their physical and information technology assets. They, usually, state these measurements in a document, commonly known as a security policy. And what do we find in that document? Well, as easy as it is, we find security policies.

When talking more in depth about information security, a security policy sates the rules, laws and/or practices for computer network access. And it regulates how organizations will manage, protect, and distribute their sensitive information. It may also lay the framework of the security of the company. Therefore, security policies are important in companies.

There are a lot of information of the best practices for information security. Keep in mind, when writing a security policy, that these best practices do no ensure the security of your network. It can depend or circumstance, scenarios or vary depending on the network, per se.

There are 8 thing policies should define:

Scope.
Who does the actions defined by the policy.
Defines when defines actions are to be done.
Defines where or on what equipment the policy applies to.
Defines the organizational level that the policy applies to such as a division or the entire enterprise.
Who enforces the policy.
What are the consequences of failure to follow the policy.
Policies may reference procedures that are used but do not define the procedures.

Security policies should be concise and as brief as possible while still fulfilling their purpose.

In collaboration with:

Fernando Chávez

References:

Definition: Security policy – SearchSecurity

Definition: Security policy – webopedia

Security Policies – The Computer Technology Documentation Project

What hat colors mean.

--Originally published at Tech and no-tech

Has anyone tell you that the way you dress talks about your self and your personality? This is a common thing. You can know facts about people just by the way they dress. Another common thing is the matching or mismatching clothes colors on purpose or use certain color because they make you look better. This is, somehow, the case of hackers.

As I wrote on my last blog post, hackers are not always bad. People around the world have created this direct connection between hacking and harming. Hackers are normal people like you and me. These people are characterized for breaking cyber security of ensuring it, either in good or bad ways. Again, what makes them different is:

Hackers are divided into three different types of hackers, by “their hat color”:

The white hack, who hacks against a black hat in order to protect computer and network access and has the company’s permission to do so. – Study

The gray hat, who hacks not for evil and not for good, neutral in their cause. They usually try to sell their skills for monetary gain. – Study

A black hat, who hacks for evil and malicious intent and without permission. – Study

Black hats are the hackers that society usually know, or relate with the word “hacker”. These guys focus on harming and/or violating cyber security and that is why they fit the the stereotypes that hackers are criminals. There are groups of hackers, called hacktivists. These groups hack for more social purposes like:

White hats are also known as the ethical hackers. They are, thus, the opposite of the black hats. These guys fight the criminals. They ensure that cyber security exist and that it is good. These hackers are the evidence that not all heroes

Image result for give that man a beer putin

Continue reading →

Should cyber security be ethically illegal?

--Originally published at Tech and no-tech

Ok, let’s be honest, there is a really thin line between being good and bad in any sense. For example, think of politicians or CEOs, they have a lot of power and they can choose between doing good and bad things. And, well, of course, I think we can all agree that power corrupts people, or at least makes it easier for people to corrupt.

This also happens in cyber security. You might be asking with whom in cyber security. In cyber security, there are people called hackers. People think hackers are always bad people. Let’s make something clear, hackers are not always bad. In fact, there exists different types of hackers, which I will talk about on my next blog post.

So, what makes good hackers good, and bad hackers bad? One simple word:

Gotta be honest, hackers have TONS of power. In fact, I truly believe that hackers could rule the world if they wanted to. If they could just unite and fix a goal in common, they could achieve whatever they want. The good thing for us, common people, is that hackers look after different things.

Some hackers do not have ethics, this are the bad hackers. These guys will try everything to harm people, organizations, or even the system. They will try to steal credentials (usernames, passwords) and/or important documents, to rob money in transactions or, somehow, directly from the bank. Try to make organizations crash, corrupt files, information, etc.

The good ones, do have ethics. These guys try to look out after people, systems, organizations, etc. They are the ones that create anti-virus programs, make sure the websites you navigate in are secure, make transactions safe and that your money cannot be stolen, make difficult for bad hackers to steal your credentials, and, of course,

Continue reading →

Tour del horror [ES]

--Originally published at Tech and no-tech

El día de ayer me encontré haciendo un ensayo acerca de una problemática en Jalisco. Era una tarea, pero quisiera compartirlo, ya que es una realidad de nuestro país México.

El tour del horror fue una experiencia interesante e impactante, para mí. Estoy muy consciente que lo que es “la realidad” es muy diferente para cada individuo, ya que depende en su contexto y experiencias. De la misma manera, sé que existen problemas en el país y que hay comunidades marginada o que viven en situaciones críticas. Lo que me impactó fue el ver esos problemas; no solo entender que existen, si no experimentarlas y verlas tangibles. Me sucedió como se dice en muchos lugares, “ver para creer”.

El problema principal, en mi opinión, es la despreocupación del gobierno por el pueblo, su gente; y la preocupación por quedar bien con empresas extranjeras y generar dinero. No les importa el costo (hablando de las personas y su calidad de vida), mientras que ellos generen ganancias, al igual que las empresas.

Como ya lo dije antes, todo el problema, en general, me impactó y me abrió los ojos. Aunque, como todo, hay cosas que impactan más que otras. Primeramente, el cambio de fauna de la zona. En segundo, la situación de la delegación del Castillo. Y, en tercero, las cascadas de Juanacatlán.

¿Cómo ha cambiado la fauna en la delegación de las Pintas? La presa era una parada para las aves migratorias. Se censaron alrededor de 76, 000 aves migratorias que pasaron por la presa en 2005. El último dato que se tiene al respecto es del 2009, con tan solo 9, 000 aves migratorias. Y, como podemos inferir, este número ha ido reduciendo. Dicen las personas de la población, que antes se tapizaba de aves y que ahora solo alcanzas

Continue reading →