Type your username and password here

--Originally published at (Not so) Random talk

Please, input your username and password to read this post:

Username:
Password:

…

You didn’t fall under our little trap/joke right? (Really, hopefully you didn’t).

Anyways, jokes aside, this kind of things that many pages like Facebook or Gmail, or that even your computer when you start it does, it’s called Authentication. What it basically does, is assuring that you are, indeed, you. Sounds funny, but we said we were leaving jokes aside. It is a fundamental security block (if not imagine, someone through the web could get your info without anything to block them, or your friends posting on your FB account). It is made in two steps: identification – identify the username – and verification – bind the identification and the entity.

As you probably already know, authentication can be made through something you know (password), something you have (card or…

Ver la entrada original 460 palabras más

Excuse me, who are you?

--Originally published at Don't Trust Humans, Trust Computers

Each person in this planet has something that identifies him/her. It could be a physical characteristic, like nose shape, eye color, hair, a scar, etc., or it could be a non-physical thing like voice tone, name, the way you speak, and so on. We even have legal documents that verify who we are in a society. No matter in what part of the world we are, we are someone and we can probe that we are the person we say we are. But if the pass from the physical world into the digital one. In the digital world, we can be any one and there’s no one that is checking if we are really who we say we are, or maybe there is? The truth is it depends on how you see it. Because there are websites, like Tumblr that ask you for a user and a password, so there is really someone checking that the user and password match, but once inside Tumblr is another story. If you came to realize, there are many places in the digital environment that ask for a user and password, and that is important matter in the security aspect.

Authentication and access control are two complementary topics that go on hand in hand. Most of the time you want this type of security in any system you are in to protect the information that is inside a system. And of course, it affects which user access the system. Authentication is the process of verifying if you are really the user you say you are. This process there are two key elements: the identifier and the authenticator. By identifier we mean the user, that tells who you are and the identifier is commonly known as the password that verifies that is truly you who is

Continue reading →

Working after dark!

--Originally published at The shield of the world

So…I have a business but, how do I protect it? This is where the Security policy play his game. A security policy is a document that states in writing how a company plans to protect the company’s physical and information technology assets. It defines the goals and elements of an organization’s computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. The policies can be categorized into the 3 security principles.

A security policy is often considered a “living document”, meaning that the document is never finishes, but is continuously updated as technology and employee requirements change. A company security policy may include a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the policy to ensure the necessary corrections will be made.

The National Research Council has specifications that every company policy should address:

Objectives
Scope
Specific goals
Responsibilities for compliance and actions to be taken in the event of noncompliance.

For every IT security policy are sections dedicated to the adherence to regulations that govern the organization’s industry. An organization’s security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission. Therefore, it is important to write a policy that is drawn from the organization’s existing cultural and structural framework. The policy should not be generic should be personalized to let the company achieve its mission and goals.

The policies may include:

Password policy
Network login policy
Remote access policy
Internet connection policy
Approved application policy
Asset control policy
Equipment

Continue reading "Working after dark!" →

You shall not pass!

--Originally published at The shield of the world

So today post is about Authentication and Access Control…which is something not so new for someone who actually respects the base configuration of Windows (Yeah…right) permissions about new software and modifications and also for the Unix base OS with sudo.

So in the more basics words Authentication is when we identify ourselves to the OS, with an username and a password. So authentication is in reality so simple, just helps the OS to verify that the individual or “user” we claim to be, is indeed ours.

Actually when you are on the same network as others computers and you want to access the information on them, you got a pop-up asking for an specific user and password. This is to authenticate that you are trying to get your own information and not someone else.

We have seen movies where the authentication is almost a ritual, first the person just stands by and uses his password of 4 digits, then in the other door he puts his fingertip, on the other one he uses his eye to authenticate himself and finally he almost have to sing or dance or pray to the gods looking for it to work and access the most secret place and treasure.

Of course in real life there is a high chance that you don´t even have the user and password authentication enable. We are lazy, yes we are… but we need to know when to block our PC and avoid those email for the entire enterprise saying “DONUTS ON ME”, no, I haven´t suffered this, but someone in my group did.

Is not entirely necessary to implement the full ritual that I just mention to you, but a 2 factor authentication can help us to avoid getting our information filtered. When you lost

Continue reading →

Authentication and Access Control (Part I)

--Originally published at TC2027 – Will It Blog?

Yesterday on a workshop about a rapid prototyping tool for making web applications, a classmate asked about the options that the tool offered in order to authenticate users. For that the instructor went along to ask us if we knew the difference between authentication and authorization.

An easy way to differentiate both is to make two questions. Who’s allowed to log in? (authentication) and once the user is already logged into the system, what is he allowed to do? (authorization). That just comes as an introduction in order to talk about the different types of authentication that exist out there, it is not important to remember all of them exactly but if you can read them once you will know what can be done in order to accomplish a reliable authentication method.

In most kind of systems you identify yourself with some kind of identifier (usernames, emails) followed by a password, that is the most common authentication method and it is called PAP (Pen Apple Pen, just kidding it stands for Password Authentication Protocol). At the most basic level you will have the server looking for these values on the tables and if there exists a record then grant access.

Challenge Handshake Authentication Protocol (CHAP)

In this method the server in charge of the authentication process sends the user an ID and a random number, also the sender and receiving program share a predefined secret word.

So the client strings together ID + generated random + secret word, in order to make a key that can be hashed, this retrieves a new value. This new value is sent to the authenticator, which now has the job to compare it with a built string made by itself using the same hash.

Mutual Authentication

Also known as two way-authentication.

http://kenscourses.com/tc2027fall2016/wp-content/uploads/2016/10/3ce56df0669c110503c561d630fc75b2.jpg

Continue reading →

YOU ARE THE 1 MILLION VISITOR!

--Originally published at The shield of the world

Hello again, today the topic is something more common or at least something everyone has lived.

As a gamer I use to play PS1, PS2. And when I make the change to the MMORPG games and some others MMO Games I use to think f*ck this game when I cannot login because I was the player 109290321890431904139804123 (yep, random number) and when I grow up I actually start to looking for an answer to this kind of stuff. In that point in my life was when I meet the Denial of Service and the Distributed Denial of Service.

So a Denial of Service(DoS) attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Some examples are…

Attempts to “flood” a network, like I said been the number 3409340934903409 to enter is a pain in the neck.
Attempts to disrupt connections between two machines, thereby preventing the access to a service. Here my example is when I used to play Dofus, Tibia and LoL. You were in a quest, hunting or just playing and the whole squad got disconnected.
Attempts to prevent an specific user from accessing a service. In Tibia when a player (don’t remember the name) was about to got to a really high level and was a competition between 2-3 other players, there are rumors that people actually attack that player to avoid him from entering the game.
Attempts to disrupt service to a specific system or person.

Sometimes a DoS attack may be part of a larger attack.

Also Illegitimate use of resources may result in a DoS. For example, an intruder that uses your anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating traffic.

Damage

DoS attacks

Continue reading →

My penguin has no armor?

--Originally published at The shield of the world

So let’s start with this…

What is security in OS?

Is when you have issues external to OS and you would ask, why external? Because is the authentication of you, the user, validation of messages, malicious or accidental introduction of flaws, etc. So is not really about the OS.

And what is Protection in OS?

Mechanisms and policies to keep programs and users from accessing or changing stuff they should not do. AND is internal to OS. The OS has to provide this.

So…Protection and Security

An Operating System (OS) is an interface between a computer user and computer hardware. An operating system is a software which performs all the basic tasks like file management, memory management, process management, handling input and output, and controlling peripheral devices such as disk drives and printers. We will call this objects.

And each object has a unique name and can be accesses through a well-defined set of operations.

Protection and security ensure that each object is accessed correctly and only by those processes of authorized users that are allowed to do so.

OS designers faces challenge of creating a protection scheme that cannot be bypasses by any software that may be created in the future.

Networking adds to the problem as it allows access to a computer and its resources without being in the same physical location.

This is the correct way to access and use Resources.

OS have goals like:

Data confidentiality
Data integrity
System availability

And each of this has a threat:

Exposure of data
Tampering with data
Denial of service

One of the solutions is user authentication…you know when you type “password” to actually enter your PC and if you don’t type anything and just has all his information without any little layer of protection should use at least a

security-protection-in-operating-system-22-1024

Continue reading →