Because on the network, no one can hear you scream

--Originally published at (Not so) Random talk

The network can be a universe of its own: vast, full of things that are or can be unknown. And just like in sci-fi movies, it is plagued with dangers. Hackers, malware, etc. Everything is there. Just like in some movies, you need to learn to protect yourself. If not, you might end up just like those victims, getting eaten by that unknown thing.

I’ve already mentioned the basics some, if not many, times in the past, but here they come again, plus some new tips for browsing safely, dearly from me to you:

Update your browser

Everyday thing: Have an antivirus or antimalware and keep it updated too, obviously.

Basic protection: Use a firewall. If you are not at an expert level, please do not lower your firewall. Your computer comes with a firewall by default, and it helps filter bad stuff from the web (want to learn more about it? Read my past post).

Not everything clickable should be clicked: really, just don’t. If something pops up, which is most common on not very safe sites, don’t click on it; close it immediately. Those can be gateways for the alien to slip into your spaceship.


Public doesn’t equal good: Don’t go onto public open networks without some sort of security, or even better, don’t get on them at all. By doing so, you are quite literally leaving your info in the air for someone to grab.

Buy smart, buy safe: Just do online shopping from trusted and well recognized sites, preferably using platforms like Paypal.

 

Free software can come with a price: not all software out there is good, which is why you should only download and install certified software.

If your browser recommends you against it, don’t insist: Don’t play with fire. If your browser is already doubting on

Continue reading "Because on the network, no one can hear you scream"

Fix it Felix Jr.! Security network edition!

--Originally published at (Not so) Random talk

Wrecking stuff has always been Ralph’s thing. Ever since his tree stump was moved to the dumpster, he has dedicated himself to wrecking the building that was built in its old place. But whenever Ralph starts wrecking, Felix Jr. has always been there to fix things, thankfully. With his useful hammer, he always fixes the windows and rebuilds the areas Ralph has broken with his big fists. And time and time again, our hero manages to fix everything, get a gold medal, and leave the villain in the mud.


However, times change. And just when Ralph was resigning himself, some interesting trash got into the dumpster. It was a lot of information about networking that the Highlanders decided wasn’t important when setting up their new networks. And with it, Ralph also learned how to attack this new thing called the network. Yes, Wreck-It Ralph is now wrecking the network! Now in a hurry, Felix had to learn about network security and dive into the practice of protecting the usability and integrity of the Highlanders’ network and data. Set off on this new adventure with Felix, fix all the things that Ralph has damaged, and set up the new multiple layers of defenses on the network.


The way of playing this game is somewhat different than in the other installment. In each level, you must carry out activities that make up network security. Earn a certain number of points to advance to the next level. These activities are:

Wireless Security: set up the wireless security for the Highlanders’ network, which they used to leave on default settings; it’s probably one of the ways in which Ralph accessed the network. To do so at a basic level, change the passwords on the Highlanders’ modems.

Network isolation: divide

Continue reading "Fix it Felix Jr.! Security network edition!"

Fashion Security Runway: Architecture Models

--Originally published at (Not so) Random talk


Today, coming down our runway are the security architectures, showing us their models. Show your enthusiasm and let’s begin!

*cue sassy music in*

 

The first model is the State Machine. It uses states to verify the security of a system, capturing all the current permissions and instances of subjects accessing objects. To get the job done, it deals with each subject’s association with objects. If subjects can only access objects by means that are consistent with the security policy, the system is secure. To alter a state, a transition (activity) must happen; if no activity can compromise the system and put it into an insecure state, then the system executes a secure state machine model. If a secure state fails, safety measures like a reboot or system freeze must happen in order to protect the system, itself, and its data. As you can see, this is a very basic attire.


 

And just as we were saying this, the next model, Bell-LaPadula, indeed takes the prior basic attire and modifies it into its own style. It is a multilevel security style, with users of different clearances using the system and the system processing data with different classifications, and it is an implementation of its predecessor that enforces the confidentiality aspects of access control. Its goal? Enforce secrecy and prevent data leakage. A matrix and security levels are used to determine whether subjects can access different objects. The subject’s clearance is compared to the object’s classification; if the clearance is higher than or equal to the object’s classification, the subject can access the object without violating the security policy. If properly implemented and enforced, this model has been mathematically proven to prevent data from a higher security level from flowing to a lower security level. It is an information flow
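As an added example (not code from the original post), here is a minimal Python reference monitor for the comparison just described: a subject may read an object only when its clearance dominates the object’s classification. It goes one step beyond the text by also enforcing the model’s *-property (no write down), which is what stops data from flowing to a lower level; the level names, subjects and objects are constructed for the demo.

```python
# Added example (not the original post's code): a minimal Bell-LaPadula
# reference monitor. Level names, subjects and objects are constructed.
from dataclasses import dataclass

# Total order of security levels, lowest to highest (constructed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


def dominates(level_a: str, level_b: str) -> bool:
    """True when level_a is higher than or equal to level_b."""
    return LEVELS[level_a] >= LEVELS[level_b]


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property (no read up): the subject's clearance
    must dominate the object's classification, exactly the comparison
    the post describes."""
    return dominates(subject.clearance, obj.classification)


def can_write(subject: Subject, obj: Obj) -> bool:
    """*-property (no write down): a subject may only write to objects
    whose classification dominates its clearance. Together with no read
    up, this stops information flowing from a higher level to a lower one."""
    return dominates(obj.classification, subject.clearance)


def decide(subject: Subject, obj: Obj, op: str) -> bool:
    """Reference monitor entry point: every access goes through here."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation: {op}")


def leak_blocked(subject: Subject, src: Obj, dst: Obj) -> bool:
    """Model the classic leak: read src, then copy its contents into dst.
    Returns True when the monitor blocks at least one step, i.e. the copy
    cannot move data from src's level down to dst's level."""
    return not (decide(subject, src, "read") and decide(subject, dst, "write"))


if __name__ == "__main__":
    alice = Subject("alice", "SECRET")
    plan = Obj("war_plan", "SECRET")
    memo = Obj("cafeteria_menu", "UNCLASSIFIED")
    print("alice reads plan:", decide(alice, plan, "read"))  # True
    print("copy plan -> memo blocked:", leak_blocked(alice, plan, memo))  # True
```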

Continue reading "Fashion Security Runway: Architecture Models"

Managing the danger

--Originally published at (Not so) Random talk

In the public and private sectors, information and new technologies have different uses; as we have already seen, this brings with it a very large set of latent dangers and vulnerabilities. The companies and employees who build these new technologies must not only be able to react to these vulnerabilities, but also manage and evaluate them in order to give users a higher degree of security.

The objectives of evaluating these risks are:

  • Find dangers to the organization.
  • Detect vulnerabilities inside and outside the organization.
  • Evaluate the impact of exploiting those vulnerabilities.
  • Know the probability that a given vulnerability will be exploited.

In other words, an evaluation is carried out that will determine the risk.

Risks in organizations must be viewed from different job positions, which end up spanning every level of the hierarchy. Managers must know as much as programmers about the risks that using technology can involve, which makes risk assessment a genuinely complicated task.

One way to understand this is the following: say you are asked to build a form that collects people’s passwords.

Fact 1: The boss, knowing nothing about risk, accepts the job without clearly specifying that this information must not be displayed anywhere.

Fact 2: The employee, knowing nothing about password security or requests, sends the password inside the URL so that the page using it can verify it.

Fact 3: An attacker notices the mistake and steals information once the product goes on sale.


All of the above results in the company being left in a bad position, money being lost because the mistake has to be fixed, and the programmer probably being fired

Continue reading "Managing the danger"

Type your username and password here

--Originally published at (Not so) Random talk

Diego's Password

Please, input your username and password to read this post:

        Username:
        Password:

You didn’t fall under our little trap/joke right? (Really, hopefully you didn’t).


Anyway, jokes aside, this kind of thing, which many pages like Facebook or Gmail do, and which even your computer does when you start it, is called Authentication. What it basically does is make sure that you are, indeed, you. Sounds funny, but we said we were leaving jokes aside. It is a fundamental security building block (if not, imagine someone on the web getting your info with nothing to block them, or your friends posting on your FB account). It is made up of two steps: identification (identifying the username) and verification (binding the identification to the entity).


As you probably already know, authentication can be made through something you know (password), something you have (card or…

View original post, 460 more words


No time for panic

--Originally published at (Not so) Random talk

Imagine you own a very important company, constantly attacked or under possible attack from spies. You are vulnerable, you are at risk. But what can you do now? You might start to panic, thinking nothing can save you.

Ah, but there is something you could do. No, don’t look at us with those big, hopeful eyes.


We don’t have the magic solution to your problem. But we can tell you something you could do, maybe not to prevent those spies, but actually, the first step before that. They are called Risk Assessment Methodologies.

Risk assessment is about finding out exactly in which parts or places are the risks (for example your vault code), which of those risks are more important, and how to make the risk smaller. After doing risk assessment, you and our personnel will know which actions to take to reduce risk or to reduce those actions that put you more at risk (like stop leaving

There are two types of risk assessment: quantitative and qualitative. As the names suggest, the first has very rigorous metrics to assess risks; it puts great effort into asset value determination and risk mitigation, but the calculations can be complex and time consuming, and it requires a lot of preliminary work. The second is much simpler in its calculations, not even quantifying threat frequency, and the value of the assets is not necessarily monetary. On the other hand, as the name suggests, it is subjective, depends on the expertise of the assessment team, and gives no basis for a cost/benefit analysis of risk mitigation.


Now that we know what risk assessment is, let’s see the methodologies:

Asset Audit

Your company (the one attacked by spies), actually manages lots of money, information and valuables from very important and influential people

Continue reading "No time for panic"

Policies in Wonderland

--Originally published at (Not so) Random talk

Let’s play, let’s play, with allegories and fantasies.

Let’s play, let’s learn, about security policies.

The company becomes a kingdom,

The CEO becomes the queen.

Gif from: http://makeagif.com/3i8T6n

But being who I am,

But being who you are

It can’t be any kingdom

And now you are in Wonderland.


“Off with the head!”

“Off with the head!”

Yells the Red Queen

For now you are under her rules.

You fell into the Rabbit Hole

You fell into Wonderland

And having been unannounced

The Queen seems to think the policies you’ve broken.


“The policies have not been broken”

“The policies have not been written”

“The policies are not even known”, is what you say

So you saved your neck for now.

Think the policies,

Write the policies,

And if the Queen is happy,

Your head shall go home on your shoulders.

Days and days you think,

Days and days you write,

For the policies that won’t be over specific,

And that will pass the test of time.

Security advice must be given,

Security protocols must be covered,

You think of common practices,

But without copying them, for these are just for Wonderland.


Three common policies are known to you,

Three common policies are written.

Information, Privacy and Acceptable Use policies

For Wonderland are clearly written now.

The White Rabbit has taken them,

The White Rabbit will read them to the kingdom,

His trumpet will sound, and so he will say

“Hear all, hear all, the new policies are here”.


The Information policy designates

Who is responsible for information security matters,

The Information policy describes,

The role each member of the kingdom will play in information security.

The Queen is the authority in the creation of security standards,

The Queen is the authority for incident response,

But not it won’t

Continue reading "Policies in Wonderland"

Code 404! We are under attack!

--Originally published at (Not so) Random talk

Have you ever gone to a web page you usually visit, but that day you simply can’t? You might be getting the (in)famous error: 404 page not found. But why?! You check your Internet connection, and might even open other tabs and see them load just fine. So it must only be happening to this one page. This annoys you, since the page was fine just a day or a few hours ago, and you close the tab. Later you return and see you can access it normally, and everything is fine. But what happened that time that you couldn’t get in? Well, something at that moment was probably under an attack. A Denial of Service attack.

But what exactly is that? Should I start panicking over it? The word Attack sounds like something really bad… Well, as answer to the last question I can only say maybe, maybe not. As for the first, I’d like you to meet someone who will help me explain.


This is Little Packet. Little Packet normally goes through the web delivering your request to access a web page. It would normally go as follows:


But sometimes, someone wanting to do something bad (just like in the real world, imo) would send a lot of requests (call them rogue packets if you want) to one server hosting a page, all at once. What this does is prevent legitimate users, like Little Packet, from accessing information or services, like websites, emails, online accounts, etc.


Another form of DoS is one you probably already know, but hadn’t paid much attention to, or just called annoying. It is called spam. When a lot of spam is sent, it fills the inbox, not letting you receive your legitimate email.


There exists, let’s call it, an upgrade to

Continue reading "Code 404! We are under attack!"

Things that are and are not fiction

--Originally published at (Not so) Random talk

Okay, I think I should start by saying that this post as a whole is my opinion about the movie NERVE and that it contains some huge spoilers for the film, so I must warn you: if you haven’t seen it and wish to do so, close this post or tab right now. If you just don’t care or have already watched it, be my guest, relax, scroll on and maybe eat that leftover popcorn.


Now, let’s remember a little bit what the movie is about:

“A high-school wallflower named Vee (Emma Roberts) decides to participate in an online game that involves completing challenges and dares throughout New York City. Although she is initially thrilled by the game’s antics — and the fact that it asks her to partner with a handsome stranger (Dave Franco) for some of the tasks — the experience eventually escalates into a life-or-death struggle.” – http://www.fandango.com/nerve_192705/plotsummary

Before going into why being a computer science student might have dispelled a little bit of movie fiction for me in this film, there is one thing I want to talk about first: most of the time, computer security starts with you making a “may not seem like it, but is” bad choice (yup, #TC2027 is involved in this post too :P), in just the same way as you can put your life in danger. This movie can be a clear example of both the physical and the computer aspects, but let’s focus on the latter:

  1.  The first time Vee sees the web page of nerve she says it’s “sketchy” and even asks her friend if it’s legal, to which her friend responds that it’s probably not.
  2.  Later a friend says that taking personal information from players is “a thing
Continue reading "Things that are and are not fiction"

The three “knights” of the Internet

--Originally published at (Not so) Random talk

Come children and listen to this story.

Once there was a kingdom. All kingdoms have something that makes them special. Some have a fair princess, others brave knights, and others are cursed by an evil witch. What made this kingdom special was the amount of information it had about the world in its huge library. And not just about the world, but about all the people who lived in or even visited this place.

Picture by dilettantiquity hosted at Flickr. CC license: https://creativecommons.org/licenses/by-sa/2.0/legalcode This picture was not modified in any way.

And as in all stories, something bad must happen. Some people say that knowledge is power, and maybe that’s the reason why bad things started happening in the kingdom. Sometimes it was small things that were annoying, like not finding information, it always being in use or reserved, or simply not being there because it was taken away for long periods of time. Some other times the information was overwritten, making people believe things that were not true and causing confusion. And sometimes, the information was used to extort or hurt them.

Trying to act quickly to prevent the chaos, the king called forward three knights to protect information: Cooney, Inbern and Avery. The first knight would safeguard the personal information of the kingdom’s citizens and the travelers, so it wouldn’t be used for bad purposes again, by making only authorized people able to look at this info. The second, Inbern, was assigned to check and protect the books so that no one without the permission to do so could change their content. And last but not least, Avery was assigned to make public data available, managing it and preventing its loss.


I think that’s enough story for today, though

Continue reading "The three “knights” of the Internet"