VPC

--Originally published at Ce qui est chouette

In this topic I’ll cover Virtual Private Clouds, such are offered by Google Cloud Platform and Amazon Virtual Private Cloud.

A virtual private cloud is a cloud service that offers an infrastructure in which various services (VPC users), of the platform offering it, share resources available in this cloud while isolated from each other. This isolation is usually achieved through having a private local network and subnetting it (could be through VLANs), assigning a subnet to each user, or group of users that need to be directly connected, for other connections a local DNS server can be used.

VPC
Clouds by Eric Summers on Flickr under a CC License.

VPC services usually also encrypt  and mask the communication between its users and the shared resources through a VPN, adding as well a layer of authentication. A VPC implements layered security and provides it As-A-Service at the cost that it is highly complicated to set up, but using it correctly can yield a system with powerful defense.

This is a technology that I’ve yet to learn, but will do so, hopefully, this summer. If there are some project ideas that you, the reader, have that may help in my learning of this technology, I’ll appreciate it if you shared them in the comments.

– Virtual Private Guy.

Containers

--Originally published at Ce qui est chouette

In this post I’ll talk about containers, how they are used, and talk a little about their implication with security.

First, what is a container? A container is a lightweight packaging of a piece of software, including everything needed to execute it: code, runtime, system tools, system libraries, settings, etc.. A container is isolated, it will run the same every time, anywhere it’s executed. When run in a single machine, they share its operating system kernel, start instantly, and use less computing power and RAM.

Isn’t that a virtual machine?

No.

.

.

.

Containers
Container by Photo Your Space on Flickr under a CC License.

A virtual machine consists of the following:

  • Abstraction of physical hardware.
  • Each VM consists of a full copy of the Guest OS, some apps and necessary binaries and libraries.
  • The hypervisor allows several VM’s to run on a single machine, turning one computer into many.
  • Usually in the GBs.

While a container is:

  • Abstraction of the application layer.
  • Contains code and its dependencies.
  • Multiple containers run on the same machine sharing the Host OS kernel with other containers.
  • Usually in the MBs.

So yeah, it’s virtual-machine-esque but not quite. By using a container, things like environment variables, that may contain sensible data, are not exposed to the main machine, instead they are cozily packaged along with the software and running inside the container, you can couple this with a reverse proxy like NGINX, setup SSL, and you’re all set for a slightly more secure application.

A technology that’s currently leading the market is Docker, providing a hub on which to upload your own images for the world to see and download common images from which to extend your own.

– FROM fornesarturo/dude:latest

Onions were right all along

--Originally published at Ce qui est chouette

This post will deal with the topic or security practice of security by layers, and a little suggestion of a technology that may serve for this purpose in a not so deep-in-configuration manner.

Onions were right all along
Onion by John Vetterli on Flickr under a CC License.

In Information Security, security by layers refers to the practice of combining various security control points across the pipeline of an application. That is multiple mitigating security controls to protect the application’s resources and data. There are various ways of going about this layers, there is no silver bullet in security by layers, as every system is different, but some examples may be:

Consumer Layered Security Strategy

  • Extended validation (EV) SSL certificates.
  • Multifactor authentication.
  • Single sign-on (SSO).
  • Fraud detection and risk-based authentication.
  • Transaction signing and encryption.
  • Secure Web and e-mail.
  • Open fraud intelligence network.

Enterprise Layered Security Strategy

  • Workstation application whitelisting.
  • Workstation system restore solution.
  • Workstation and network authentication.
  • File, disk and removable media encryption.
  • Remote access authentication.
  • Network folder encryption.
  • Secure boundary and end-to-end messaging.
  • Content control and policy-based encryption.

These are the common can-be-found-in-any-page-you-check strategies, in the next blog I’ll cover another topic related, in some way, to security by layers, that is using containers to deploy code.

– An ogre.

Alice and Bob, their story

--Originally published at Ce qui est chouette

The brief description provided by Coursera‘s Cyptography I course by the University of Stanford paints cryptography as a tool for protecting information in computer systems. What I’ll attempt to cover in this post is cryptography’s real-world application, why it is needed.

First let’s deal with some basic stuff regarding cryptography, starting with the classic Alice, Bob and that bastard Eve who’s always meddling, she’s more of a Lilith if you asked me. Let’s say Alice has the sudden urge to communicate some secret message to Bob, perhaps she’s going to confess her love, but Eve also likes Bob, and Alice knows this. She can’t met Bob in person, Eve would find out, she lives close by and would get in the way. THANK GOD for the cryptography course Bob and Alice took years ago, where they learned about symmetric and asymmetric cryptography . . .

 

Alice and Bob, their story
Secured! by Sean T. Evans on Flickr under a CC License.

Sidenote to Explain Asymmetric and Symmetric Cryptography

Based on this post on Synopsys. Encryption uses an algorithm and a key to turn plaintext, the message, into ciphertext, the encrypted message that you can then send. Symmetric Encryption uses the same key for both encryption and decryption of a message, its fast and can be used  for large amounts of data, like encrypting a hard drive, the hard part is keeping that key secured. Asymmetric encryption keeps a pair of keys, a private one and a public one, that can be distributed anywhere to interact with your messages. Plaintext encrypted with a private key can only be decrypted by its corresponding public counterpart, and vice versa. A message can also be signed using your private key, so that others may decrypt the signature with your public key and verify it was sent by you. This type of encryption, though, is slow and can only be used to encrypt data smaller than the key.

Back to the gossip

Alice decided to use Bob‘s public key to encrypt her confession, Eve had a man-in-the-middle software running in Bob‘s network, and caught the message, she didn’t understood it, however, and decided to let it through, ignorant to the fact that she was about to lose Bob, her Bob, to Alice‘s encrypted message. Bob received the message and recognized the gibberish as an encrypted message, like the ones he had worked with. Bob got a hold of his private key and decrypted the message, the surprising confession got to him, and to Eve‘s dismay, reciprocated.

That’s not reality! Well, Alice is the everyday user, Bob is the destination of every operation Alice does online, and Eve is third-parties, like government agencies, interfering in these interactions. This everyday interaction is why encryption is important, to keep your privacy. These third-parties’ goal is to break these encryption algorithms, by cracking it themselves or demanding a backdoor from the developers, which was the case in the FBI-Apple encryption dispute or the whole Snowden situation, of which there’s a cool John Oliver video.

XOXO, crypto guy

Tokens: the ‘I’m old enough to drink’ of web-based teens

--Originally published at Ce qui est chouette

In this post I’ll be dealing with the topic of Authentication and Authorization, and at the end of this post I’ll provide some examples and summarize some of the currently used solutions.

The difference

First, let’s deal with what both of these concepts refer to and what the difference between them is.

Authentication means verifying who someone is. This is what sign up and log in are for, the first one defines who you are, while the latter is where the authentication lies, in checking your user-id and password to match you with someone in the system; authentication answers the claim this is who I am with a yep, that’s who you are.

Tokens: the ‘I’m old enough to drink’ of web-based teens
Bouncers by Fabio Venni on Flickr under a CC License.

Authorization means verifying that someone has permission to perform an action. This refers to a certain user having or gaining access to a resource, this is usually done through the use of different types of user, e.g.AdministratorAnonymous Useretcauthorizations answers hey can I do this? with yep, you can or if it were an english teacher, can you? to which you would simply groan in disgust at this attempt at comedy.

Tokens

One common way to handle both these processes is through the use of tokens. A token is a series of characters, usually encoded, that represent both to whom the token belongs—to which account it is linked—and what type of access this token has.

An implementation of tokens that I’ve used is JWT (JSON Web Token). JWT consists in three parts: header, payload, and signature. The first two are all base64 encoded and separated by a dot (.), the signature is a bit different, it consists in the following:

EncryptionAlgorithm(base64( HEADER ) + "." + base64( PAYLOAD ), SECRET)

The signature part of a JWT consists in taking concatenation of the previous parts, both base64 encoded and separated by a dot, and encrypting and signing it with a SECRET key. As you may have guessed, JWT isn’t supposed to protect your payload from eavesdroppers, what it does is prove that a JWT was emitted by an entity within the system, because of that SECRET key that’s used to sign the signature part of the JWT. Because JWT still exposes user data, it is advised to not include something confidential inside them, what you may include in a JWT is:

  • Who this token represents—subject claim, user.
  • Who issued this JWTissuer claim, client application.
  • Who this JWT is meant for—audience claim, the server that’s meant to read it.
  • Up to when the token is valid—expires claim, the Unix Epoch up to which the JWT is valid, or, just if issued at is also provided, the time, in seconds, during which it is valid.
  • When this token was issued—issued at claim, the Unix Epoch.
  • Custom claims that don’t compromise confidential information, like level of access this token has.

JWTs should be used when a secure connection can be established, so as to not expose this data the public, just in case. As to where to store them I’ll link an article that explores that topic, as its another beast on its own: Where to Store your JWTs – Cookies vs HTML5 Web Storage.

– I swear its me.

References
Jones, M., Bradley, J., Sakimura, N. (December 9th, 2014). JSON Web Token (JWT). On RFC. Retrieved from https://tools.ietf.org/html/rfc7519#section-4.1
Abbot, T. (January 8th, 2016). Where to Store your JWTs – Cookies vs HTML5 Web Storage. On Stormpath. Retrieved from https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

On Certifications

--Originally published at Ce qui est chouette

Do I really have to take an exam? But I already know this, can’t you just ask me some questions to test me? These are some of the questions one may be thinking when the topic of IT Certifications comes up. In this post I’ll try to put forth both sides of the argument regarding this topic, I’ll link some resources at the end so you can read more about the topic.

On Certifications
Exams by Leonora Giovanazzi on Flickr under a CC License.

We don’t need certifications

Certifications have shown to work well on industries like engineering, where one can specialize and get certified for various aspects of civil engineering, while another might go for the electrical engineering route. Both can go their merry way getting certified on bridge-building or electrical systems—I think at this point, its evident that my sources of information about these careers are limited to college brochures—because no one would expect an electrical engineer to build a bridge, and he might not be that excited about it, either. But in the software industries, areas do get intertwined, so perhaps certifications aren’t meant for us.

Experience in multiple areas is a plus, it’s an asset that can come in handy in attacking a problem from several angles. For industries like engineering, most things are set in stone, but software is in constant evolution, a certification you might get today may be obsolete come next year; at that rate, is it really worth the time and money required? Some may argue that a certification just means you’re good at passing tests—sidenote: that’s an issue I personally have with the way some companies handle job interviews.

On the other hand. . .

Some employers do look at certifications as a measure of quality and commitment to the area. Certifications serve the purpose of preventing the self-proclaimed expert from ruining your system. As stated in my previous post—about Ethical Hacking—certifications establish and keep track of minimum standards for specialists, and recognizes the individual as credentialed for whatever the topic of the certification may be.

If you’re willing to go through and get certified, here are some of the most requested for IT Security professionals:

  1. CISSP: Certified Information Systems Security Professional
  2. CISM: Certified Information Security Manager
  3. CompTIA Security+
  4. CEH: Certified Ethical Hacker
  5. GSEC: SANS GIAC Security Essentials

To read more on the topic, head over to references.

– Laters, alligat(e)rs.

References
Bolton, D. (July 9th, 2015). 5 Reasons Certifications Aren’t Worth It. On Dice. Retrieved from https://insights.dice.com/2015/07/09/5-reasons-certifications-arent-worth/
Tillman, G. (June 8th, 2010). Why IT certification is a really, really bad idea. On Computer World. Retrieved from https://www.computerworld.com/article/2518765/it-management/why-it-certification-is-a-really–really-bad-idea.html
Tittel, E., Lindros, K. (December 12th, 2017). Best Information Security Certifications 2018. On Tom’s IT Pro. Retrieved from http://www.tomsitpro.com/articles/information-security-certifications,2-205.html

 

Don the White, Jon

--Originally published at Ce qui est chouette

Everyone’s on the payroll nowadays, even hackers. Like legit payroll, no more 1337 money for hackers. Ethical Hacking consists in exploiting any existing vulnerability in a system—usually that in some way accesses the network—through intrusion to verify and evaluate their physical and logical security. The idea is to prove that a system is vulnerable and where they are, so the organization that owns the system can take the appropriate preventive measures against attacks exploiting them.

Now don’t panic, ethical hackers or white hat hackers perform this penetration or intrusion tests in a controlled environment, trying to think as the attackers in order to find exploits in security, kind of undercover geeks . . . please don’t hack me.

Don the White, Jon
Reese, Hacker by Donnie Ray Jones on Flickr under a CC License.

How Can I Become One of These White Knights?!

Since, as an official ethical hacker, you’d be finding confidential information hanging around the exploits, your employers will be asking to see some kind of credentials before allowing you to poke around their systems without restriction. The response to who do you think you are? when making this type of proposition is to flaunt around some information security certifications.

To officially get the Ethical Hacker title, I suggest the Certified Ethical Hacking Certification from the EC-Council (International Council of Electronic Commerce Consultants)—primarily a professional certification body, also the orchestrator of a series of information security conferences and EC-University.

The purpose of this certification is detailed in their page:

  • Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
  • Inform the public that credentialed individuals meet or exceed the minimum standards.
  • Reinforce ethical hacking as a unique and self-regulating profession.

Certifications are a nice way of going pro, as they help regulate professionals by providing employers with a base-knowledge that someone with that certificate has, these Certified Ethical Hackers should, in-theory, come with this basis out-of-the-box; for the certificated it serves as credentials, to back up the claims of granditude that tend to run amok in people’s CVs.

– Not a hacker, white nor black.

References
Reyes, A. (June 16th 2011). Ethical Hacking. From Universidad Nacional Autónoma de México. Retrieved from https://www.seguridad.unam.mx/historico/documento/index.html-id=7

Why your site could be taken down by some fridges

--Originally published at Ce qui est chouette

This post’s topic will be IoT botnets.

Internet of Things

Starting with the basics, IoT (Internet of Things) refers to the concept of tangible devices—fridges, cars, security cameras—being hooked up with wires, electronics—sensors—and software and having access to a network to communicate with one another, broadcast data to other. In IoT, these intelligent fridges are called a Thing; that is a device with an IP address and the ability to transmit data over a network.

Why your site could be taken down by some fridges
OMFG! It’s the EVIL FRIDGE! by Fabio on Flickr under a CC License.

What is a Botnet?

Any device that has been hijacked is called zombie or bot; an IoT Thing that has been taken over is then called a Thingbot—honestly, I think they messed up, zombie horde sounds way cooler than Botnet. Anyway, a Botnet is a distributed network made up of many of these IoT Things, that have been hijacked—by malware—to relay messages on command.

The bot part of the Botnet connects to a control center, usually just an encrypted chat room or a bot-exclusive chat room. At any moment the owner of the botnet can access the control server and ask its members to do stuff, like dance or destroy humanity. These botnets can be used perform distributed attacks, like DDoS; to steal data; to redistribe the malware that infected them, becoming the thing they swore to destroy in the first place—I trusted you . . . you were my brother, Anakin; generate bitcoins; or simply download and run a file. An example of a Botnet malware is Mirai.

How can I protect my Thing from becoming a Zombie?

Upgrade its firmware and secure access to it with smart user-and-password combos.

– Totally not a Botnet.

References
IT Security Guru. (January 21, 2014). The Internet of Things – Thingbot. On Youtube. Recovered from https://www.youtube.com/watch?v=DuwTThMGOK4

Los Dedos te atacan

--Originally published at Ce qui est chouette

This post will deal with DoS (Denial of Service) and DDoS (Distributed Denial of Service). Los Dedos te atacan comes from DDoS sounding like dedos (fingers in spanish) when reading from a spanish perspective.

Los Dedos te atacan
Hand by Hana Tichá on Flickr under a CC License.

DDoS and DoS attacks have the same goal. Render an online service—like an API, online gaming networks like Xbox Live or PlayStation Network, or your average webpage—unavailable for its legitimate users. This is usually done by flooding the victim’s server with requests or performing a particular request that triggers some action to bring the server down. In the end, both these attacks set their aim at the Availability part of the CIA Triad.

A traditional DoS attack consists on the same computer performing these requests, so you could imagine this type of attacks would be easy to defend against. SPOILER ALERT: they are. Usually just a check for the same IP address making multiple requests in a short span of time does the trick. The real problem lies with DDoS, mainly because of the first D.

DDoS attacks are the steroid-pumped version of DoS attacks, is just mentioned, because of the Distributed part of it. A DDoS attack is based on the same idea, but instead of a single computer, the culprit of the attack is a network of computers of any type—hijacked personal computers, remote servers from all around the globe, or IoT things, like fridges or security cameras. The fact that this network could be distributed, in the geographical sense, means that identifying the attacking computers is harder and takes much more time.

Types of DoS

Now onto the details, these are the classes of DoS attacks:

TCP.

This type of attack attempts to block all the available connections to the infrastructure by using up all their TCP ports.

Volumetrics.

Consume all of the victim’s bandwidth with gigabyte-sized requests.

Fragmentation.

Flood the victim with fragments and overwhelm their server’s reassembly capability.

Application.

Specific flaws in applications, like a backdoor of sorts.

– Your friendly fingerful neighborhood guy.

References
Rivera, N. (September 11, 2016). La diferencia entre un ataque DoS y un ataque DDoS. On Hypertextual. Recovered from https://hipertextual.com/2016/09/ataque-ddos-dos-diferencias

Three letters to rule them all

--Originally published at Ce qui est chouette

This post will deal with the CIA, but it won’t be about the usual, let’s call it fun and secretive CIA, this is about the concept of information security called The CIA Triad, which is a model that guides and evaluates policies regarding information security inside an organization. These three letters stand for ConfidentialityIntegrity, and Availability.

Three letters to rule them all
Spies by Emory Allen on Flickr under a CC License.

Confidentiality

Generally, this concept refers to the rules that limit access to the provided information. This concept revolves around privilege, in the sense of user privilege—not the fuzzy SJW privilege—, like an administrator user, a public user or a specific user. Confidentiality relies on the following three principles—this is quickly becoming a tree, isn’t it . . . —: Identity, Authorization and Authentication, because if any of these is compromised, so is confidentiality. Let’s say someone steals your online credentials, your identity has been hijacked, and now they can access your stuff, so this service’s confidentiality is lost. In reality, confidentiality is all about how your data is classified and how credentials are secured.

Integrity

This concept refers to making sure that information gets to where its headed with no detours and without losing anything on the journey. That is, make sure the information hasn’t been tampered with when traveling from source to destination or whenever it makes a pit stop. One way to prove integrity is to add a hash along with the message, and on the recipient’s end the hash is calculated and compared against the one included with the message; if it matches, the data received hasn’t lost its value.

Availability

To make sure that a service is available for use. A secure service should be reliably available to the right people. This concept is the target of DDoS (Distributed Denial of Service) Attacks; not only is this concept a target of man, but also of nature, hurricanes, earthquakes, floods, etc., can all affect the availability of a service. A way to fight the forces of nature is to back up, and have redundant traffic routing . . . just in case.

– Definitely not a CIA Agent.

References:
CIA Triad. (n.d.). On Infosec Institute. Recovered from http://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/the-security-cia-triad/
Rouse, M. (n.d.). What is confidentiality, integrity, and availability (CIA triad)?. On WhatIs TechTarget. Recovered from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA