The thin line

--Originally published at The Hitchhiker's Guide to information security… according to me!

Allow Yourself to fail and learn... and hack

collaboration post made with the great Edy Gtz

Imagine you’re a super awesome hacker who can access any network, bank account, database and security system in the world. You have so much power in your hands and you can do anything you want with it. What would you do? Let’s just say you’re the Robin Hood kind of guy: you take from the rich and powerful and give to the poor and weak. You take money from the bank accounts of celebrities and big companies and give it to poor countries or communities that have nothing to eat. You also disclose all of the secret information of all the governments to the public, because transparency and freedom of information, right?


You are the savior of the people, the vox populi, the hero, the nightmare of evil… or so you thought, but the money you gave to the poor was not used…



Safe browsing 101

--Originally published at The Hitchhiker's Guide to information security… according to me!

Allow Yourself to fail and learn... and hack

Collaboration made with edy

Throughout the semester we have discussed the risks we can find on the web, the certifications and methodologies developers can use to provide a more secure ecosystem for their users, and the different types of hackers we can find out there. There are still so many things to learn and practice related to security on the web.

Since many of the blog posts we have participated in were focused on, or at least required, a certain knowledge of computer security, we want to make this post a friendlier one, a post we can share with anyone, and hopefully steer people away from bad practices online.

Let’s start with the basics:

  • Be aware that anything shared online is likely to end up shared with anyone. So keep personal and important information from leaking simply by not sharing it (no passwords, no personal documents, no card numbers should ever be shared…



S3cR3t5

--Originally published at The Hitchhiker's Guide to information security… according to me!

Cryptography, the thing we all want to learn how to do and crack because it sounds cool, doesn’t it? As cool as it sounds, cryptography means the study of techniques to secure communication. Please don’t confuse it with encryption, which is the actual process of encoding the message so that only the authorized party can read it.

Truth is, cryptography is a very important process in the communication between users, systems, applications, etc. We don’t want everyone knowing our credit card number, our passwords, our client’s information, at what time there’s nobody in our house, our dirty conversations, the location of the secret place where we store our chocolate cookies, etc. If it wasn’t for cryptography we wouldn’t be able to trust any communication device (we shouldn’t anyway, but it would be more obvious) and we would be bound to transmitting a message or a piece of information in person, and that wouldn’t be practical, would it?

Since ancient times people have been studying ways of exchanging communication without fear of a third party finding out. One example of ancient cryptographic practice is the Caesar cipher, which shifts the letters of the alphabet by a certain number of positions. For example, if you wanted to write an A, then shifting it 3 places you would write a D, and so on with the other letters. So if I were to write “I am cool” with a shift of 3 it would read as follows:

Plaintext: I am cool

Ciphertext: L dp frro
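The shift described above, written out as a small Python program (an added example, not code from the original post). It reproduces the “I am cool” → “L dp frro” case, preserves case, leaves spaces and punctuation untouched, and also shows why the cipher is no longer considered secure: with only 25 usable shifts, every possible plaintext can be listed in a single loop.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet the cipher works on


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, wrapping Z -> A.

    Case is preserved; any other character (space, digit, punctuation)
    passes through unchanged, which matches the post's example.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, shift: int) -> str:
    return caesar_shift(plaintext, shift)


def decrypt(ciphertext: str, shift: int) -> str:
    # Decryption is just the inverse shift.
    return caesar_shift(ciphertext, -shift)


def all_candidates(ciphertext: str) -> dict:
    """Return every possible plaintext keyed by shift.

    The key space is 25 shifts (shift 0 leaves the text unchanged), so an
    analyst can simply read through the list and pick the meaningful one.
    """
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = encrypt("I am cool", 3)
    print("Plaintext:  I am cool")
    print("Ciphertext:", ct)
    for k, candidate in all_candidates(ct).items():
        print(f"shift {k:2d}: {candidate}")
```

The wrap-around is handled with the modulo operation, so “xyz” shifted by 3 becomes “abc” instead of running off the end of the alphabet.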

Nowadays there exist more complicated ways of encryption that can guarantee the safe exchange of information. Some cryptographic algorithms in use today are the following:

  • DES
  • RSA
  • HASH
  • MD5
  • AES
  • SHA-1
  • HMAC

Also there exist two fields of study and types of encryption which are


Users are not that smart

--Originally published at The Hitchhiker's Guide to information security… according to me!

Computer and Information Security

Computers have become an essential part of our lives; they allow us to keep in touch with people around the world and also grant us access to information about anything with just a few clicks.

However, what most people don’t know is that the internet is a dangerous place, and they don’t take the required precautions to avoid being at risk. This causes unintentional security risks, since they are caused by human error or the environment.

Here are some examples of unintentional security risks:

Browsing the internet with JavaScript enabled.

Since JavaScript controls the settings of a web browser, a malicious website can disable the security settings of the browser, allowing malicious software access to your computer.

Believing your antivirus will keep you safe.

While an antivirus program protects you from certain risks, it is not invincible; you must be careful about which sites you visit or what types of…



Fear the unknown

--Originally published at The Hitchhiker's Guide to information security… according to me!

Do you know why people are afraid of anything? It sums up to one and only one fear, the fear of dying. Everything comes back to that: even if you are afraid of talking in public, failing makes you think that people will isolate you, meaning that your chances of survival will decrease, hence the fear of dying. But sometimes there are things we should be afraid of and we aren’t, and it’s mostly because we don’t know the dangers behind them. There are many dangerous things in the world, and one of them is the Wi-Fi connection. (sounds of thunder and creepy music)

Wi-Fi connections may be unintentionally unsecured because of a wrong configuration that allows unencrypted messages to be sent or unauthorized users to connect, and it’s even worse when we are talking about open networks that allow access to any user. These weaknesses are used by hackers to steal information, use your computer for malicious purposes or distribute malware to all the users on the network.

A few attacks you can suffer on a wireless network are the following:

  • Accidental association
  • Malicious association
  • Ad hoc networks
  • Identity theft
  • Man in the middle
  • Network injection

There are some security measures that are used to protect these networks, but sadly some are not secure enough and many people are not aware of it. For example:

WEP (Wired Equivalent Privacy): this was the first standardized way of securing a network. Many old routers still use it. It’s insecure because it allows easy key recovery and network eavesdropping. Because the initialization vector (a value used to start encrypting a message) is really short, it will eventually repeat, and when that happens the hacker can use it to find your encryption key and decrypt all
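To put a number on “really short” and “it will eventually repeat”, here is an added Python example (not from the original post) that estimates how many frames a network can send before an initialization vector is reused. It assumes a 24-bit IV, which is WEP’s actual IV length, and compares the birthday-bound formula with a seeded simulation that draws random IVs until one comes up twice. The IV length is a parameter, so the same code shows how much a longer IV helps.

```python
import math
import random


def birthday_bound(iv_bits: int) -> float:
    """Expected number of frames before a random IV repeats with ~50% probability.

    Standard birthday approximation: sqrt(2 * N * ln 2) for a space of N values.
    """
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(2))


def frames_until_repeat(iv_bits: int, seed: int = 1) -> int:
    """Simulate random IV selection and return the frame index of the first reuse.

    Uses a seeded RNG so the run is reproducible. Each frame picks a fresh
    random IV; we stop as soon as an IV has been seen before.
    """
    rng = random.Random(seed)
    space = 2 ** iv_bits
    seen = set()
    frame = 0
    while True:
        frame += 1
        iv = rng.randrange(space)  # constructed sample: a random IV per frame
        if iv in seen:
            return frame
        seen.add(iv)


def seconds_at_rate(frames: float, frames_per_second: float) -> float:
    """Translate a frame count into wall-clock time at a given send rate."""
    return frames / frames_per_second


if __name__ == "__main__":
    for bits in (24, 32, 48):
        bound = birthday_bound(bits)
        # Assumed busy-network rate for illustration: 500 frames per second.
        print(f"{bits}-bit IV: ~{bound:,.0f} frames, "
              f"~{seconds_at_rate(bound, 500):,.0f} s at 500 frames/s")
    print("simulated first 24-bit IV reuse at frame", frames_until_repeat(24))
```

For a 24-bit IV the bound lands at a few thousand frames, which is seconds of traffic on a busy network; the simulation gives a number of the same order. That is the design flaw the paragraph describes, and it is why current standards (WPA2/WPA3) use per-session keys and far larger nonce spaces instead of a short reusable IV.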


The great wall

--Originally published at The Hitchhiker's Guide to information security… according to me!

We all know one of the 7 wonders of the new world: the Great Wall of China. This series of brick fortifications helped the country not only to defend against foreign invasions, but also to have better control over the trade goods and visitors that came from the west. This extra layer of security helped China feel safer and protected the towns near the border from invasion. Even if it doesn’t look like it, this is very similar to what operating system security is about: you need to protect your system from external threats and also be able to provide correct access to the users of your organization.

So what is this all about? Operating system security refers to the actions or activities that ensure the confidentiality, availability and integrity of all the data and services provided by an operating system. This means that you need to ensure that your users have the permissions they require to do their job (no more and no less) and also keep malicious users or programs, which could misuse your data or the services provided by the OS such as the network, from gaining access.

Program threats

Refers to external programs that run within the system and make the OS perform malicious tasks. For example:

  • Trojan horse: a program that seems to do one thing but does another, such as storing login credentials.
  • Virus: a program that duplicates itself when it is executed and can delete files, crash the system or modify the user session.
  • Logic bomb: a malicious program that executes only when certain conditions are met; otherwise it behaves like a normal program.

System threats

Refers to the misuse of system services or the network connection.

We are as strong as our weakest link

--Originally published at The Hitchhiker's Guide to information security… according to me!

Achilles, the mythical Greek hero, son of a king and a nymph, invulnerable in every part of his body except the heel… Seriously, the lamest part of the body. But the Greeks have something very important to teach us, and it’s that there’s always a weak spot in something. Even though it may seem unbreakable, unstoppable or impenetrable, we’re just not looking carefully enough. And it’s when we find that weakness that we gain control. As it is, we are as strong as our weakest link. So we need to be harder, better, faster, stronger when it comes to information security, and what better place to start than the network of our organization.

DEFINITION, I CHOOSE YOU! Network security refers to any activity that will protect the integrity, availability and consistency (CIA, cough cough) of the physical and logical assets from any threats, or prevent a breach from getting worse. We’ve been talking a lot about threats in information security, and I’m sure that by now you must be as paranoid as I am, so there’s no need to discuss threats anymore. The real question is… what are those activities that will help us protect our loved ones from evil hackers? Well, here are some layers of security.

Security devices: hardware or software devices that help improve security on the network. For example:

  • Firewall: a hardware- or software-based mechanism that helps control incoming and outgoing traffic, permitting or denying it according to a set of rules.
  • Honeypot: a computer system that acts as a decoy to lure hackers into accessing it, in order to gain information about their methods and goals.

Network isolation: the segmentation of the network in order to create a more secure


All we need to do is… survive

--Originally published at The Hitchhiker's Guide to information security… according to me!

Many people wish upon a star for a zombie apocalypse. They want to ride in their jeeps while shooting at anything that moves, because they just want to watch the world burn. They want to go wild, experience the feeling of anarchy, but mostly they just want to shoot something and prove that they can survive adversity. For some this is just a dream, but for others it is serious business. They understand that it’s not only about carrying a gun, but also about searching for food and water, dealing with the lack of electricity, gas and communication, and looking for a shelter that can resist the attack of hordes of zombies. These people are prepared to deal with the situation, and all of this are countermeasures that prepare them for that day. But what does all of this have to do with information security, you may be wondering? Well, follow me and let’s find out.

In time of war we need a good plan that comes into action, and in information security, in time of threat and vulnerability, we need a security countermeasure to help us deal with the risk or at least minimize it. And… BOOM! Now you understand what this zombie thing is all about.

A security countermeasure is a method, action, procedure, system, device or technique that helps eliminate, mitigate or reduce a threat or vulnerability. So if you’ve been reading my blogs, and of course you have, these are the security controls that come into action when we are facing a threat. Not preventing it or planning what will happen, but dealing with it… like the adults we are.

Like everything in this world they come in different flavors depending on the context, and there are a few contexts in information security


You shall not pass!

--Originally published at The Hitchhiker's Guide to information security… according to me!

Have you ever had that traumatic childhood experience where you wanted to play with the cool kids of the neighborhood, and when you asked them “Can I play with you guys?” they would brutally say “No, because you’re not cool like us”? Kids are violent… Well, even though they were assholes, they were actually, and of course subconsciously, applying a security control so that only the right people could play with them. We call that an access control system. Damn you, cool kids (*cries in a dark lonely corner*).

Access control is a technique used to restrict access to a physical place or other non-physical resources, and by access we mean entering a facility or being able to view and manipulate data. So yeah, those kids didn’t want you to enter their secret group and view and manipulate the secret cool data of their organization. But let’s assume for a moment, for a very hypothetical moment, that you’re a cool kid. How can this group of young delinquents distinguish between a cool kid and an average one? Well, the access control process consists of the following 3 steps.

Identification: the person who wants access to the system claims to be someone with authorization. This first step consists only of asserting who you are. For physical access, you may give your name to the guard; in an information system, you may provide an account name.

Authentication: after you give your name to a guard or your user name to a system, you need to prove that you really are who you claim to be, to the system’s satisfaction (there could be more than one authentication phase). For the name-and-guard example, you may need to show your driver’s license in order


Don’t let your dreams be dreams!

--Originally published at The Hitchhiker's Guide to information security… according to me!

You know, guys, I’m a true believer that in order to accomplish your dreams you need to be awake. You think of that beautiful car, that penthouse on the beach, those Australian models swimming in your pool (boys, girls, maybe both… not judging here) and that gorgeous PC with an Intel Core i7-6950X Extreme Edition at 4.2 GHz, 32 GB of RAM, 2.2 TB of storage capacity and an Nvidia GeForce GTX 1080 graphics card. All of this floats in the vacuous void of our minds, but in order to make it a reality we need to put our feet on the ground, and, oh such a coincidence of an obviously not arranged metaphor, it’s the same way security models help us achieve the expectations set by our security policies. (Check the previous post, cough cough)


“So what are these so-called security models?” you ask. Well, a security model is a scheme used in order to accomplish the abstract goals specified by the security policy. The security model maps those goals and dictates explicit techniques and system specifications in order to achieve them. It’s like this: the idea of living a healthy life would be the security policy, and the instructions for a diet, exercise routine and time management would be the security model, a series of steps that help you achieve a healthy life.

You want another real-life example?! Ok… You sure like examples. Let’s say that in your security policy you state that all users must be authorized in order to access information; the security model will then contain the design of a real-world system, with data structures, mathematical formulas and stuff, that will physically allow you to control access, not just idealistically control it.

There are different types of security models that
