Security! Counterattack, now!

--Originally published at Diego's Password


Countermeasure: “an action taken to counteract a danger or a threat.” Pretty simple concept, right? Defending ourselves from bad people and attacking them back, is that it? Well, yes and no at the same time. Security countermeasures are all the actions, procedures and techniques that can reduce a threat or an attack, either by preventing it or by eliminating it once it has already happened; even reducing its effect can be seen as a countermeasure. So yes, protecting yourself, but by all means: everything you can do in order to minimize the damage.

So what are some security recommendations that might be useful to prevent attacks? I would tell you to start by regaining control of your modem/wireless router! This is a short example of what a security countermeasure looks like, focused on a router, but every element in your system should get the same treatment. Consider the following list of things you can do with your personal wireless router to increase security on the network.

  • Change the defaults (user and password, using a strong password)
  • Change the default SSID (it gives away the modem's model information)
  • Enable WEP encryption (at least, though WPA-PSK is much better)
  • Do not access your router remotely (instead use ssh; embedded web servers in the router might be a dangerous choice)
  • Log out after any significant configuration
  • Enable MAC filtering
  • Use a firewall
  • Turn off the network when not in use
  • Keep your router's firmware updated; this will install the latest patches and increase security


Ok, we get the concept, now the most important question in this blog. How will I protect everything else? I found this really cool post from Adrian Lance, linked right here. He talks about this topic in particular, but what I like the most was that he


Security or privacy policies?

--Originally published at Diego's Password

 

Security policy is a definition of what it means to be secure for a system, organization or other entity. […] For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.

 

If you want to continue reading this post, please read our terms of privacy here. The post continues there.


How to hack a router

--Originally published at Diego's Password

Are you ready to hack a wireless router?


I’ll explain it briefly, no special software. Promise it is super easy.

  1. Go to the IP address of the router in your internet browser. Hint, it’s usually the last IP address in your network.
  2. When it prompts you with a couple of text boxes asking for username and password, just write admin and admin respectively. If it doesn’t work, try cisco for the password.
  3. Enjoy.

Disclaimer… Diego’s Password is not responsible for any legal issues this tutorial may cause. Do at your own risk.

Haha, I should be a comedian. Enough of jokes (although that method will break into half of the routers in the world). This blogpost will be about wireless security.

Wireless security is the prevention of unauthorized access or damage to computers using wireless networks.

Done.


Mythology risks

--Originally published at Diego's Password


Risk assessment mythologies, haha funny right… Methodologies. What could it mean…

The evaluation or estimation of the nature, quality or ability of someone or something.

So it is the actual quantification of a risk, whether quantitative or qualitative. How could we even count or grade a risk? Well, that’s where the mythologies come in. Normally two factors are taken into consideration: the consequences and the probability. The consequences are all the potential loss, counted either in money or by a given parameter, and the probability is the actual percentage, the likelihood of it happening.


He’s probably right, but first we need to learn how to analyze a risk and make a wise decision. There’s a really interesting article written by the GIAC. I’ve written about them before, I’ll link the post here. This post will be based on that article.

There are three mythologies… haha enough. Three methodologies used in risk management in information systems. I wrote another post on that matter, linked here. Anyway, I’ll explain them briefly.

  • Asset Audit
    This approach takes into consideration information flows, specifically whether the information is protected at all times. It considers around seven areas in the system and evaluates their security and behavior. Based on this study, the threats and risks are analyzed.
  • Pipeline model
    In this approach, risks are analyzed in a pipeline manner with five main sections: active processes, communication processes, stable data processes, enquiry processes and access control processes. These sections are different kinds of processes with distinct tasks and responsibilities. Once the pipeline is defined, we need to look for the weakest link and its gaps; finally, we define how that given risk will be assessed.

Type your username and password here

--Originally published at Diego's Password

Please, input your username and password to read this post:

 

        Username:
        Password:

You didn’t fall under our little trap/joke right? (Really, hopefully you didn’t).

 


 

Anyway, jokes aside, this kind of thing that many pages like Facebook or Gmail do, and that even your computer does when you start it, is called authentication. What it basically does is make sure that you are, indeed, you. Sounds funny, but we said we were leaving jokes aside. It is a fundamental security building block (if not, imagine: someone on the web could get your info with nothing to block them, or your friends could post on your FB account). It is done in two steps: identification (identify the username) and verification (bind the identification and the entity).

 


 

As you probably already know, authentication can be made through something you know (password), something you have (card or token) or something you are (fingerprint).

But after authentication, then what?

Well, next is access control, which is the prevention of use of a resource by unauthorized people (it can be a bit like integrity from the CIA). What access control does is authenticate users and assign what those users can or cannot do within the system or with its resources. It is made of three elements:

  • Subject (no, not test subject): it’s the entity who can access resources.
  • Object: the resource.
  • Access right: Remember how civil rights tell you what the government guarantees to you? It’s the same logic: what things you have the right to use in the system. For example: read, write, delete, modify.

One form of access control is access lists. In networking, these lists can control who can connect, for example, to a modem.
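
The pieces described above (identification, verification, then subject, object and access right checked against an access list), put together as an added example that is not from the original post. The class name, the user names and the `router-config` object are made up for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted, deliberately slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControl:  # hypothetical name, for illustration only
    def __init__(self):
        self.users = {}  # username -> (salt, password hash)
        self.acl = {}    # (subject, object) -> set of access rights

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def grant(self, subject, obj, *rights):
        self.acl.setdefault((subject, obj), set()).update(rights)

    def authenticate(self, username, password):
        """Identification (look up the username), then verification (check the secret)."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        # Constant-time comparison does not leak how many bytes matched.
        if hmac.compare_digest(stored, hash_password(password, salt)):
            return username
        return None

    def is_allowed(self, subject, obj, right):
        """Default deny: anything not explicitly granted is refused."""
        if subject is None:
            return False
        return right in self.acl.get((subject, obj), set())

def demo():
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple")  # constructed users
    ac.add_user("bob", "another long passphrase")
    ac.grant("alice", "router-config", "read", "write")
    ac.grant("bob", "router-config", "read")
    alice = ac.authenticate("alice", "correct horse battery staple")
    bob = ac.authenticate("bob", "another long passphrase")
    intruder = ac.authenticate("alice", "admin")  # wrong password -> None
    return {
        "alice_write": ac.is_allowed(alice, "router-config", "write"),
        "bob_read": ac.is_allowed(bob, "router-config", "read"),
        "bob_write": ac.is_allowed(bob, "router-config", "write"),
        "intruder_read": ac.is_allowed(intruder, "router-config", "read"),
    }
```
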

 


 

Traditional Identity


OS protected

--Originally published at Diego's Password

Here’s a great post Mario and I made. OS Security! Give it a read, very interesting.

Allow Yourself to fail and learn... and hack

collaboration post made with Diego

So far we have only talked about security on the web and internet-related security issues, but there are also other fields in which security should be applied. The operating system is an important example.

Operating System Security refers to the measures and all the effort made by the developers to protect an OS. Do you recall the 3 big components of computer security? Integrity, Availability, and Confidentiality. Well, those three guys are the main components of operating system security as well.

The purpose of OS security is to protect the OS from malware, threats, and forbidden access. When someone gains unauthorized access to a computer, it usually causes severe damage to the system and the data stored in it.

The most recommended methods to maintain security on your OS are the following:

  • Performing regular OS patch updates
  • Installing updated antivirus engines and software
  • Scrutinizing all incoming and…



Cisco’s recommendations

--Originally published at Diego's Password

Interesting topic, great working with Mario.

Allow Yourself to fail and learn... and hack

Collaboration post made with Diego

Same as previous post (link to previous post). Network security refers to all the measures and efforts made to protect a network and its data. The components we care about are the same components from computer security (usability, reliability, integrity).

Having a secure network not only assures healthy and constant connectivity on the network, but most importantly it helps to protect personal information from a hacker attack.

To provide protection to a network we need to combine multiple layers for a solution. Each layer containing its own policies and controls. Some popular types of network security are the following:

  • Access control
  • Antivirus and antimalware software
  • Behavioral analytics – it analyzes activities that deviate from the norm
  • Email security – this is the channel where many infections occur. An email security application blocks incoming attacks
  • Firewalls – set a barrier between your network and outside…



Wiser decisions with Risk IT

--Originally published at Diego's Password

In business today, risk plays a critical role. Almost every business decision requires executives and managers to balance risk and reward. Effectively managing the business risks is essential to an enterprise’s success.

IT Risk Management Frameworks: large concept, right? Let’s break it down in order to understand it. Risk: “a situation involving exposure to danger.” Pretty simple. Management: “the process of dealing with or controlling things or people,” in this case risks. Framework: “an essential supporting structure of an object.” We think it’s getting a bit clearer. In conclusion, there are information technology risks, or dangerous situations, in which people, in this case managers, need to make decisions based on their analysis. Here’s where “framework” comes in: a program that evaluates these risks and helps with the process of making a decision in the area of technology. Hope you liked this blog post!

 


 

Ok… there’s more than that. We are going to review Risk IT. It is the first framework to help enterprises analyze and manage IT risks; we’ll link their presentation PDF here. Risk IT is based on five simple guiding principles.

  • You can set your business objectives with quantitative metrics and the framework will connect to them and help you make decisions based on them.
  • It’s able to implement other more general risk management systems (Enterprise Risk Management, ERM) so that it can make a broader analysis.
  • It considers the benefits and costs created by managing these risks, otherwise this same process.
  • It implements various communication tools in the system so that you can share content with your IT general module.

 


 

One of the biggest problems with IT risk management, and it’s pretty logical and understandable. If we ask ourselves, who is the one in charge of risk management inside a company? We’ll probably answer


Central Intelligence Agency

--Originally published at Diego's Password

This blog isn’t actually about CIA the agency as the title suggests. It’s about confidentiality, integrity and availability. I chose to write this blog post till the end cause it wasn’t appealing to me at the beginning. Now that I’ve made research, it relates to almost every topic I’ve written about. I’ll write very briefly what I learned during the research of all my blogposts and this specific one.

These three concepts refer to information security, so we’ll be talking about data privacy a lot. The first concept is confidentiality.

The state of keeping or being kept secret or private

Confidentiality means that data must remain secret; it must be viewed only by its owner or the ones with access, pretty simple. If we want to talk about confidentiality we need to mention encryption. Encrypting a piece of data ensures that no one else will be able to read it but you.


Integrity. If I lend you a music CD, I expect it back unmodified, right? Cause modified it would be worthless; what would I need a scratched CD for? The same happens with information. If you are making a transaction of 10 Mexican pesos and you receive 10000 Mexican pesos, what would happen? First of all, you become broke. But the bank service would also become worthless. Similar to confidentiality, but instead of preventing a file from being read by unauthorized people, integrity prevents it from being written or modified.

In order to keep integrity in data, a good and easy method would be to sign it. Just the people with the signature will be able to read and modify the file. We did a very easy example in class in which we sign files. The professor told us that this is very useful when you want to release a piece of code for which you don’t want any modifications.
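
A sketch of detecting the kind of modification described above, as an added example that is not the class exercise or code from the original post. It uses HMAC-SHA256 from the Python standard library as a stand-in for the signing tool, which the post does not name; with HMAC the signer and the verifier share one secret key, whereas a public-key signature lets anyone verify without being able to sign. The account names, key and file contents are constructed.

```python
import hashlib
import hmac
import json

def canonical(record: dict) -> bytes:
    # Serialize deterministically so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign(key: bytes, data: bytes) -> str:
    # HMAC-SHA256 tag: changes completely if a single byte of data changes.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so it does not leak a partial match.
    return hmac.compare_digest(sign(key, data), tag)

def demo():
    key = b"constructed-demo-key"  # constructed; real keys come from a CSPRNG
    transfer = {"from": "acct-001", "to": "acct-002", "amount": 10, "currency": "MXN"}
    tag = sign(key, canonical(transfer))

    tampered = dict(transfer, amount=10000)  # the 10 -> 10000 change from the post
    release = b"print('hello')\n"            # constructed stand-in for released code
    release_tag = sign(key, release)

    return {
        "original_ok": verify(key, canonical(transfer), tag),
        "tampered_ok": verify(key, canonical(tampered), tag),
        "wrong_key_ok": verify(b"some-other-key", canonical(transfer), tag),
        "release_ok": verify(key, release, release_tag),
        "patched_release_ok": verify(key, release + b"import os\n", release_tag),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
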
