Unintentional Insider Threats

--Originally published at Diego's Password

I want to focus this blog post on the talk we had last session. It was surprising and revealing that the vast majority of attacks are either social hacks or just due to mistakes and bad practices, such as the password stuck on the monitor.

I think it’s pretty clear what unintentional security issues are; in the end, not everyone is prepared or knows about the threats we all face every day and how to protect ourselves. I want to talk about the ways that we as engineers, and probably employers, have to prevent these issues.


There’s a study from the Software Engineering Institute called Unintentional Insider Threats: A Foundational Study. I’ll link it here. It is very interesting; they talk especially about the human factor and common mistakes. I’ll base this blog post on that paper.

This paper researches unintentional security issues, their causes and how to prevent them. Here’s their definition.

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network, system, or data and who, (3) through action or inaction without malicious intent, (4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.

Let’s review point number 3. It’s basically saying that it wasn’t the employee’s intention to harm the company, but he took an action that caused it. Going along with the article, it lists the specific actions that are causing the issues and in what percentage. Some of the reasons investigated are the following.

Congratulations! You are the 1000th visitor!

--Originally published at Diego's Password

This blog post will be very close to my heart because I see the average user as very insecure. I can’t believe how we still have super simple phishing attacks or just pages with an unbelievable amount of fraudulent advertisement. Even more surprising to me is how users still fall for them and give out personal information that easily.

We as computer systems engineers must spread the word and teach our friends and anyone within our reach. Google made an investigation of the practices that we information security experts follow to keep ourselves anonymous and safe on the web. These practices are far from being technically difficult for average users.

These are the five most important points that Google assures will keep us safe.

  • Stay updated
    Vulnerabilities deserve a complete blog post of their own, but in short they are holes in the security architecture of a system through which hackers can get in, in this case to your computer, and withdraw sensitive data. As soon as vulnerabilities are discovered, the manufacturers release updates to correct them. One security engineer guest once told us that 90% of the attacks happen through outdated platforms. So it’s that easy: stay away from the majority of attacks by accepting the automatic updates that your operating system and browser offer.


  • Hard passwords
    As our teacher says, passwords are not meant to be remembered. If you can remember it, then something is wrong. Are you suggesting that I write them down? No, but a strong password should be completely randomized, with numbers, special characters, caps and love. Servers, for example, tend to keep the default ones, and they are the easiest devices to access.
    Another important point. Don’t reuse passwords. Just don’t. If someone breaks into one of your numerous accounts, then he would have access to your Paypal account, your Facebook account, your

Security Architecture Models 101

--Originally published at Diego's Password

A security model provides all the specifics for a given architecture. It describes specifically how the system logic will be implemented and executed. It will display all the bones needed to support the complete body; it will provide the fences and bars in a prison, it will… Ok enough! It’s very clear ok! There’s another important aspect called security policy, and they work together. The security policy describes what or which aspects the architecture will protect or secure, like the requisites, while the security architecture provides the how and where, the technical arrangement of the components.

Without further ado, let’s discuss the classic security models.

  • State Machine Model
    Remember our class Computational Mathematics? Remember how automatons worked? An automaton is a machine structured with its own states and transitions. Well, a state machine model describes an architecture in a similar fashion: if and only if all the states and transitions remain secure at all times, then it’s a secure state machine. Very simple to describe, hard to accomplish.
  • Bell-LaPadula Model
    This model was created in the early 70s by the US military. They were the first ones to implement secure state machine models. They found out that a lot of data was leaking out of their control; since they had very sensitive data, they were concerned about its privacy and reach. So they created the idea of classifying users and data within the same system. The information was divided into categories from top secret, being the most delicate data, to secret, confidential and all the way down to public. All the users had something called “lattice”, which was a couple of bounds describing their access level over the data, upper and lower. It’s pretty obvious but the user

Will I still go to heaven if I hack?

--Originally published at Diego's Password

So hacking, super cool, magic powers, we all get it, but does that make me a bad person? In this blog post I’ll talk about the dark side, the light side and a bit of history.

So what about these sides? I believed in the absolute truth. I think it’s really self-explanatory. The dark side is that hacker, in fact cracker, who uses his powers to take advantage of others, which is usually illegal. The hacker who operates in favor of security belongs to the light side, otherwise known as an ethical hacker.

There are tons of certifications that let you prove your skills formally. In fact I wrote a complete blog post about them, I’ll link it here. These certificates are sometimes requisites for companies that are looking for a security expert. What does this have to do with ethical hacking? Well, these security experts, besides building and designing a security architecture, have to break it somehow so that they know its weak links, and that, ladies and gentlemen, would be the act of hacking ethically: the effort to find vulnerabilities inside a security system within a controlled environment. As a fun fact, for us systems engineers, information security analyst is the fifth best job in the technology field.


We once got the chance to meet and talk with an amazing computer systems engineer, security expert magician. He told us that there are communities which share knowledge and experience in favor of vulnerability detection. These vulnerabilities are very expensive in the market; imagine one is the secret recipe for the Krabby Patty. How would Mr. Krabs feel if someone found a way to his recipe? He would pay a fortune to keep that safe and to patch the hole, right? Well that happens in real life, except that he is not the only one


The Beatles at Tec

--Originally published at Diego's Password

Imagine you are in finals week and today is your Informatics Security final exam. You take your time as usual, even extra, just in case. You are arriving at the Tec and the complete parking lot is full, even the lanes. Not a single car fits inside. Ok… take it easy, just park it outside and walk your way inside, right!? Wait… The walking entrance appears to be full as well, it’s completely crowded. And again not a single person fits in there. All the possible entrances are full, it’s as if all The Beatles were alive and giving a free concert inside. How would you feel? Failing Informatics Security. That, ladies and gentlemen, would be the scenario of a denial of service attack.


I think this kind of attack is really easy to understand. It is making a service or a resource unavailable to its intended user. In my example the mastermind would be the person in charge of the marketing campaign announcing the concert. Sometimes it’s hard to find that many people willing to request some service at a given time, so normally in this kind of attack the attacker fakes them. It’s also important to mention that the attacker’s hardware and technical power must be way more advanced and robust than the victim’s. It is obvious; if you are trying to saturate a server, you need to be able to send more data than the server is able to serve.

There are a lot of kinds of denial of service attacks, DoS by its initials.

  • Distributed DoS: the attacker will have more than one IP address, and by more than one I mean thousands of IP addresses. So instead of showing up a lot at the Tec’s parking lot, you’d be dressed like a thousand different people, hence you

$6000 for a certification!?

--Originally published at Diego's Password

Having a computing security degree is already a sure and interesting job, but if you weren’t lucky enough or you want to boost your professional development, here are some amazing certifications. These three are the ones that I found most interesting, especially the ISSEP, cause it is not that expensive and we already have the material. I also think that your work certifies you the most; rather than any corporation saying you can do something, it is better to show you’ve done it before. Anyways let’s get right into it.

 


Global Information Assurance Certification Security Essentials. It is the most important and best-known organization in charge of security certifications. It evaluates the abilities and knowledge in security of IT systems. They offer an exam mainly consisting of questions and exercises; it’s about five hours long and it costs around a thousand US dollars, and unfortunately they don’t offer a price for us students. If you want to take this certificate they suggest preparing yourself with their own courses and material (around 5 thousand dollars).

 

Information Systems Security Engineering Professional (ISSEP/CISSP). What is interesting about this certification is that the organization is in association with the US National Security Agency, like in the movies. It’s mainly about good practices and methodologies for big enterprises and organizations. It had a 36% value growth in the last year.
The best thing about this certificate is that we have online courses at Lynda which are offered specifically for the ISSEP. The name of the course is CISSP Cert Prep: 1 Security and Risk Management. It promises to offer complete preparation for the questions. So definitely give it a look. Here’s the complete course.
Here I have another one from GIAC and it’s the GIAC Certified Penetration Tester. Same as in the movies where

Apply to Hogwarts now!

--Originally published at Diego's Password

Do you want to join Hogwarts School of Witchcraft and Wizardry? I don’t mean to destroy your illusions but it’s impossible; what is possible is to study computing security! Studying security these days is like studying magic, so it’s practically the same.

Why do I say like magic? First of all you’ll know deep stuff that no one knows, and you’ll develop abilities that will protect yourself and others from dementors and dark creatures that are stealing your happiness and private information. If magic is not your passion, I’ll give you some more reasons.

First one, infinite good jobs. It is estimated that by 2022, information security jobs will increase by 37% (BLS); it’s growing three times faster than any other area. But what if I am still studying? Well, undergrads earn an average of $80,000 annually, isn’t that impressive?


I could continue with more specific reasons, but I was waiting to write this post cause I didn’t want to just talk about something that I wouldn’t know. But I think that the most rewarding feeling and most important reason for myself to study computing security is that feeling that I guess policemen feel when they save someone’s life, or when they protect someone from or prevent an attack; now imagine doing that but with thousands of people. It might sound too fictional or inspirational, but it’s true. As the image shows, more than 80% of US companies have been hacked, and guess what. Not only the owners are affected, all the customers as well, and you’ll be able to prevent that.

There are trends that are extremely insecure, such as the Internet of Things. When I was doing research on this matter, it’s scary, very scary. Having a camera or a microphone recording you 24/7 without you noticing, worse than that


Ciphering my life

--Originally published at Diego's Password

So in today’s class we saw some encryption algorithms which we needed to implement later on. After a hard time dealing with C string ASCII references, I finally could make the algorithms work.

We saw Caesar’s and Vigenere’s ciphers. Both operate by shifting a character a certain number of positions based on an alphabet index. So if I have “abc” and I apply a key of 1, I’ll just move all the characters by one, giving back “bcd”. That’s how Caesar’s works.

For Vigenere’s it’s the same, but having a distinct key for each character of the string. These keys will be taken from another string, having each character of it as a numeric key.

Here’s what I came up with.

[Screenshot: the author’s implementation]
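The two ciphers described above, written out in C as an added example; this is not the author's code. It assumes the usual Vigenere mapping of key letters to shifts (a/A = 0 through z/Z = 25), which the post does not spell out, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Alphabet base for an ASCII letter ('a' or 'A'), or 0 for anything else. */
static char letter_base(char c)
{
    if (c >= 'a' && c <= 'z') return 'a';
    if (c >= 'A' && c <= 'Z') return 'A';
    return 0;
}

/* Move one letter `shift` positions inside its own alphabet, wrapping at the
   ends. Non-letters are returned unchanged. */
static char shift_letter(char c, int shift)
{
    char base = letter_base(c);
    if (!base) return c;
    /* (x % 26 + 26) % 26 stays in 0..25 even when x is negative */
    return (char)(base + ((c - base + shift % 26) % 26 + 26) % 26);
}

/* Caesar: one key for the whole string. Decrypt with the negated key. */
void caesar(char *s, int key)
{
    for (; *s; s++) *s = shift_letter(*s, key);
}

/* Vigenere: each letter of the text gets its own key, read from the letters
   of `key` (assumed mapping: a/A = 0 ... z/Z = 25), repeating as needed.
   dir is +1 to encrypt, -1 to decrypt. Returns -1 on an empty key or a key
   containing non-letters, leaving the text untouched. */
int vigenere(char *s, const char *key, int dir)
{
    size_t klen = strlen(key), used = 0;
    if (klen == 0) return -1;
    for (size_t i = 0; i < klen; i++)
        if (!letter_base(key[i])) return -1;
    for (; *s; s++) {
        if (!letter_base(*s)) continue;   /* punctuation consumes no key */
        char k = key[used++ % klen];
        *s = shift_letter(*s, dir * (k - letter_base(k)));
    }
    return 0;
}

int main(void)
{
    char a[] = "abc", b[] = "Hello, World!";   /* constructed sample inputs */
    caesar(a, 1);
    printf("%s\n", a);
    if (vigenere(b, "key", 1) == 0) printf("%s\n", b);
    if (vigenere(b, "key", -1) == 0) printf("%s\n", b);
    return 0;
}
```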

 


Should I cover my webcam?

--Originally published at Diego's Password

So is this blog post telling me that someone can access my webcam without me noticing it? I don’t think so; I have a mac and they’re pretty safe. Covering your iSight camera is just too paranoid.

I used to think that too. I also used to think that if someone accessed my camera, the green LED that lets you know if it is in use would eventually turn on.

Let’s talk about malware first. We all know what it is: a piece of software that runs without the user noticing it and does, of course, bad things. There are a lot of different kinds, so let’s dive into it. The most common malware on the internet are trojans. The name Trojan horse comes from Homer’s Odyssey, which supposedly was a really nice present, or at least that is how it appeared, but on the inside it was full of warriors. That is exactly what a trojan is. It is a program that appears to be really nice to the user, but in reality it is full of malware.

The next type is the well-known virus. This kind of malware is characterized by its spreading abilities. When a user executes the virus, it reproduces itself, infecting other pieces of software inside the machine. It is similar to a worm, but the worm travels through the internet, and even more dangerous, it executes without the need of the user. That is why they can multiply that quickly.

There are other kinds of malware, like adware, backdoor and spyware, on which I want to focus this blog post. Adware is just like the other ones, but instead of trying to steal information or just create vandalism, it places ads in your browser or elsewhere. On the other hand backdoor malware can be really dangerous, cause


Not Diego’s schedule

--Originally published at Diego's Password

 

Hey everyone! As we all could notice, I have really bad learning and productive habits; especially when it’s related with deadlines, correct, when it’s not. So besides this blog, and the blog I did with my classmates, won’t mention the about page (already did), I don’t have any blog post. Normally I tend to leave things to the end. I work more efficiently if there’s pressure on me and here is where my personal schedule comes into the game.

I’ll see if my own deadlines can give me pressure and motivation. I think it’s more about how much I respect my present self and how responsible I can be. Making this schedule public to my classmates and in reality anyone that finds this title interesting to read will hopefully give me the courage to start the hard work on this course.

I think I’ll also embarrass myself via twitter if I don’t make it to my deadline. Cause I don’t think a lot of people will show up around here.

So with no further ado, here’s my schedule. (OMG right!?)

[Screenshot: the schedule]

Yes… Hopefully I’ll finish everything and learn a bunch of new things. I probably won’t be the same after week 10.