Sir, yes sir

--Originally published at El Machetero Blog´s

As I have mentioned before, working with people can be genuinely complicated, and even more so when there are no rules. That is why companies create their own rules; on the security side specifically they are called security policies: documents that specify the requirements that must be followed in order to minimize risk. There are several kinds of security policies, depending on the area and the reason the policy is created.


Security policies must define:

  1. Whom it applies to
  2. Who carries out the defined actions
  3. When the stated actions must be applied
  4. Where, or on which equipment, it applies
  5. Which part of the organization it applies to
  6. Who enforces it
  7. What the consequences are for not complying with what is established

One of the goals of writing security policies is to preserve the principles of the CIA triangle. So do your boss and yourself a favor and follow the rules.


My mama said that it was ok

--Originally published at El Machetero Blog´s

IT is a common profession in companies, but are IT people aware of all the power that is in their hands? And, as we all know, with great power comes great responsibility.

One big problem is that, contrary to other branches of study, in IT it is not common to take ethics courses; some people don't take courses at all, they are self-taught, and there is no definite guideline or book on how to proceed in certain cases or on whether something is bad or not. As a result they are more prone to do something unethical without knowing it.

But what leads IT people to do bad things? The thing is that they have access to, if not all, a big part of the company's and employees' information, and something that may not seem bad could turn out to be very wrong, or it wasn't bad at the beginning, but little by little you start doing other things and end up sliding down the slippery slope all the way to bad things.


What would you do if you saw information on an employee's computer showing that he or she is selling company information or stealing data?

Maybe you notice that the company is doing illegal things; they may ask you to keep quiet about a certain topic, or even tell you to do something unethical. Is it wrong if you do it? Will somebody else do it if you don't? You could lose your job if you disobey, so what would you do in that situation?

The problem lies in all the power they have: with administrator access it is possible to get into any device in the system, which leads to access to sensitive data. But everyone hopes and trusts that you won't do anything stupid, so try not to disappoint them, and ask for permission when you


Power in Numbers

--Originally published at El Machetero Blog´s

Now that the term has become popular, let's talk about DoS attacks. A few weeks ago we heard that sites like Twitter, Spotify and Reddit went down for a few hours because of a "cyber attack" known as a DDoS. Gizmodo wrote about a thousand posts about it, and if you want the whole story and why this was not a conventional DoS you can read it here:

http://gizmodo.com/this-is-probably-why-half-the-internet-shut-down-today-1788062835

DoS stands for Denial of Service; it is essentially bringing down a site by flooding it with more traffic than it can handle. This can be achieved with the so-called ping of death, which takes advantage of the TCP/IP protocol allowing an IP packet to be fragmented: the trick is to send pings with an oversized header, causing the system to crash. A DoS can also be done with a Teardrop attack, which also abuses TCP/IP fragmentation, sending confusing headers in the packets so that they cannot be reassembled, sooner or later causing the system to crash.

There are four common categories of attacks:

  1. TCP Connection Attacks: this type of attack attempts to occupy all the available connections; even devices capable of maintaining millions of connections can be taken down this way.
  2. Volumetric Attacks: these attempt to consume the bandwidth either of the target network or between it and the rest of the internet.
  3. Fragmentation Attacks: basically they send a ton of TCP or UDP fragments, overwhelming the target's ability to reassemble them and reducing performance.
  4. Application Attacks: this attack attempts to overwhelm a specific aspect of an application or service, so it can succeed even with a few attacking machines, and because of this they generate a low rate
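As an added illustration of the two fragmentation abuses described above (not code from the original post), here is the kind of sanity check a reassembly routine on the receiving side performs before stitching fragments together. Fragment offsets are given in bytes rather than the 8-byte units of the real IPv4 header, and the sample chains are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_DATAGRAM = 65535  # largest IPv4 datagram a host can legally reassemble, in bytes

@dataclass
class Fragment:
    """One IP fragment: payload byte offset, payload length, and the more-fragments flag."""
    offset: int
    length: int
    more_fragments: bool

def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return None when the chain reassembles cleanly, otherwise a short reason string.
    Rejects the post's two cases: ping of death (reassembled size beyond 65535 bytes) and
    teardrop (overlapping byte ranges). Gaps or an unterminated chain count as incomplete."""
    if not frags:
        return "incomplete: no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected_end = 0  # byte position the next in-order fragment should start at
    for f in ordered:
        if f.length <= 0:
            return "malformed: empty fragment"
        if f.offset + f.length > MAX_DATAGRAM:
            return "ping of death: reassembled size exceeds 65535 bytes"
        if f.offset < expected_end:
            return "teardrop: fragment at offset %d overlaps the previous one" % f.offset
        if f.offset > expected_end:
            return "incomplete: gap before offset %d" % f.offset
        expected_end = f.offset + f.length
    if ordered[-1].more_fragments:
        return "incomplete: last fragment still has more-fragments set"
    return None

# Constructed sample chains (not real captures); offsets are in bytes for readability,
# whereas the real IPv4 header stores them in 8-byte units.
SAMPLES = {
    "normal": [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)],
    "teardrop": [Fragment(0, 1480, True), Fragment(1000, 1480, False)],
    "ping_of_death": [Fragment(0, 1480, True), Fragment(65000, 1480, False)],
}

def triage(samples=SAMPLES) -> dict:
    """Run the check over every sample chain; None means the chain is fine."""
    return {name: check_fragments(chain) for name, chain in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:14s} -> {verdict or 'ok'}")
```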

How ????

--Originally published at El Machetero Blog´s

Maybe you know a lot about computer security and feel like you're ready to go out and work, or you need to, because you don't want to die, food isn't free and we live in a cruel world. Either way, you need to work and have to prove to companies what you're worth and what you can do. The problem is that no one will trust you just because; that's why some organizations create credentials or certificates, to validate that those who hold them have certain knowledge in the specified topics.

There are four different sources that provide credentials and certifications:

  1. Schools and Universities
  2. “Vendor” sponsored credentials (e.g. Microsoft, Cisco)
  3. Association and Organization sponsored credentials
  4. Government

But given the fact that there are a ton of different certifications, you should only pursue those you're interested in and that best suit what you want to do.

According to the page Top 5 Information Security Certifications, these are the best 5 certifications for 2016:

  1. CompTIA Security+
  2. CEH: Certified Ethical Hacker
  3. GSEC: SANS GIAC Security Essentials
  4. CISSP: Certified Information Systems Security Professional
  5. CISM: Certified Information Security Manager

But it all depends on what you want to do and where, because some companies only accept certain certificates; for example Cisco, for networking, even has its own certificates, and a different certification would be used for cryptography or pen-testing. You should also take into consideration the recognition of whoever is issuing the certificate, such as CompTIA, EC-Council, Cisco, GIAC, ISACA and (ISC)2.

But as we've already said, it all depends on what you want to do, so choose wisely.

In collaboration with Miguel and Ari.


Patch Patch Patch!!

--Originally published at El Machetero Blog´s

As you may know, or if you don't, well, let me tell you: there's no such thing as PERFECT SECURITY. There are a lot of different ways to get access to a system, whether it is a personal one or belongs to a company, and believe it or not many of them don't even require the attacker to use a computer; they only need distracted, neglectful, fearful or even helpful PEOPLE. Yes, people are a vast source of information and they can be easy to trick, so I would say people are one of the most dangerous breaches in security, and you can't patch them :/

Password Cracking

There are different methods to obtain information from a user; some can be done with no computers or special devices, for example social engineering, dumpster diving and shoulder surfing, and some others use programs like NetBIOS Auditing Tool, Chknull or LC4, which can be used to attack the network from outside wherever the system is located.

We can also do things from the inside, either just for testing or with malicious intentions; one well-known program to crack passwords is John the Ripper, but it takes some time. But you may ask, how the hell do bad people manage to get into the company? Well, you may have some pretty bad physical security, or the bad guys are pretty good at what they do.

Physical Security

With all the information about the many cyber attacks that occur you may focus only on increasing your system security, but you may tend to forget about physical security, and this may lead to very serious problems.

There are some very hardcore ways to increase physical security, like having systems in a specially located room with no glass windows, secure doors and many other things, but I


Who Are You And What Do You Want

--Originally published at El Machetero Blog´s

Maybe on some occasion you have wondered why you have to identify yourself EVERY SINGLE TIME you want to log in to your email, favorite game, or even your computer. Well, this is all for your own safety. There exist these concepts called Authentication, Authorization and Access Control, which some people take as if they were the same thing, because normally end users aren't aware of the whole process: you just put in your username and password and the magic is done.


The first step is authentication, a.k.a. inputting your user and password, well, most of the time; there are also other ways to identify yourself like a PIN, facial recognition, a fingerprint, or a secret code, just to name some examples. This last one is used very often for something called two-step verification, which is a simple procedure designed to increase your security, because it's really easy for someone to steal your password. Two-step verification is used by some companies like Sony on the PlayStation, and Google and Telegram also have an option to turn it on. But not everything is perfect: a "disadvantage" of this method is that it's a little bit annoying, but if you don't mind, then unless you also lose your cellphone, or whichever device you receive the code on, it's WAY SAFER.

We can divide the methods of authentication into three:

  1. Something you know, like a password, PIN, etc.
  2. Something you have, like a smart card
  3. Who you are or what you do, like voice recognition or a fingerprint

But why is this useful? Wouldn't it be easier if they let me in without asking anything?

MMM, all this just to know WHO ARE YOU?????


This leads us to Authorization, which is just the system verifying what you can do depending on who you are; it's


Black is bad, White is Good, NO, this is NOT Racism

--Originally published at El Machetero Blog´s

How is it that a term like hacking, which everyone relates to bad things, can be ethical? What's the difference from common hacking? Who does this? Why?

Let's start by defining what ethical hacking, also known as pentesting, is. It is called pentesting because an important part of it is to run some tests to try to get into the system by breaking through its security. And you may ask, but what's the difference from common hacking, isn't it also breaking through security to obtain access to a system?

Well, the difference is the purpose of getting into that system and what is done after that. There are two types of hackers, Black Hat Hackers and White Hat Hackers; what does each one do?


Black Hat Hackers are the ones that break into systems with bad intentions, whether it is to steal information, money or for any other reason they may have, but some person or organization gets affected. Some Black Hat Hackers are big experts at what they do and will search for and find even the smallest security breach to get into your system. But hey, there's no such thing as perfect security; all you can do is try your best and hope no one finds those holes, which sometimes even you don't know about.


So what do white hat hackers do? Well, they work on increasing security, detecting and preventing possible points through which someone could get access to the system. But not everything is rainbows and butterflies: when things go well people may not even notice what you're doing, but when there's a problem it's all your fault, even when it's not.

One of the worst things, and the one about which most of the time you cannot do anything, is layer 8, a.k.a. the users: ignorance, fear, laziness


What is the CIA????

--Originally published at El Machetero Blog´s

Three Goals of Computer Security

After seeing or hearing the word CIA you may be thinking about the Central Intelligence Agency of the United States, but this time we are going to talk about a different CIA, the CIA triangle of Information Security. But what is this? Where is it? Is it edible?

Well, the CIA Triangle is composed of the 3 main goals of Computer and Information Security:

Confidentiality

This means that only authorized persons can access the information, because you wouldn't like someone else reading your personal information or something that is meant for a specific person or group.

Imagine a very simple example where you write a message with detailed information about a secret party you're planning for a friend; it wouldn't be nice if that person could read the message and find out about the party. It ruins everything.

Integrity

Well, integrity refers to the fact that the data we are receiving or sending must NOT be altered by anyone, and if it happens, we are able to verify it. A very good tool for this is signing files: if somehow the data is changed, we are able to detect it.

An everyday life example could be banks: when we make transactions we won't be happy if somehow you send $1000 but the receiver only gets $100. At least I would be very upset and angry, because, hey, I just lost $900.
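As an added example of the integrity check described above (not code from the original post), the bank scenario with a message authentication code: the sender tags the transaction with HMAC-SHA256 under a shared key, and the receiver recomputes the tag, so a transfer altered from $1000 to $100 in transit no longer verifies. The key and transaction are constructed sample values; note that an HMAC needs a shared secret, whereas a digital signature proper would use the sender's private key.

```python
import hashlib
import hmac
import json

def sign_transaction(key: bytes, tx: dict) -> str:
    """Tag a transaction with HMAC-SHA256 over its canonical JSON form (sorted keys,
    no whitespace), so the same content always yields the same tag whatever the dict order."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify_transaction(key: bytes, tx: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time; False means the data (or tag) was altered."""
    return hmac.compare_digest(sign_transaction(key, tx), tag)

def demo() -> tuple:
    """The post's bank scenario: a tagged $1000 transfer verifies, an altered $100 copy does not."""
    key = b"constructed-sample-key-shared-by-bank-and-client"  # sample value, not a real secret
    tx = {"from": "alice", "to": "bob", "amount": 1000, "currency": "USD"}
    tag = sign_transaction(key, tx)
    tampered = dict(tx, amount=100)  # the $900 that went missing in transit
    return verify_transaction(key, tx, tag), verify_transaction(key, tampered, tag)

if __name__ == "__main__":
    genuine, altered = demo()
    print("genuine accepted:", genuine, "| tampered accepted:", altered)
```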

 

Availability


What would happen if your data were being carried by the White Rabbit from Alice in Wonderland? Your data wouldn't be available when you need it. That's what availability is about: it must be ensured that you have access to your data at all times.


Who is THE MACHETERO??

--Originally published at El Machetero Blog´s


Well hello, this may be a little bit late after my first post, but better late than never.

I'm actually a student taking a course on Computer and Information Security, and I'm going to share some of my learnings on this blog. Most of the posts are going to be about the main topic of the course, but some of them will be about related topics, like how to do something practical, or just about a recent news item.

Oh, and I forgot to mention that some of my posts will be in Spanish; maybe at some point I will translate them all into both languages, but in the meantime, enjoy the ones you can, or hope that the translator works correctly.

But for now ...



How to send a dirty little secret

--Originally published at El Machetero Blog´s

Did you ever want to pass a note to a classmate without the professor knowing? Or at least, if the note was caught, so that the teacher wouldn't know what you were talking about? Well, this was something pretty recurrent that I remember from my elementary school days, and typically what we did was invent some type of 'encoding' of the alphabet. A simple one was just taking the alphabet and reassigning each letter to the one in the same position in the alphabet spelled backwards. Something like:

 

Then apple would not be spelled "apple" but "zkkov". Back in the day this gave us a sense of privacy, and do you know where else privacy is a big deal? That's right, on the internet. In that medium this same principle of encoding a message to increase its security is known as Cryptography.

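As an added example, not code from the original post, here is the reverse-alphabet cipher described above as a program, with a small letter-frequency check that shows why it only gave "a sense of privacy": the most common ciphertext letter is simply the mirror of the most common plaintext letter, so the mapping can be guessed from statistics alone. The sample note is a constructed value.

```python
import string
from collections import Counter

LETTERS = string.ascii_lowercase

def build_reverse_alphabet() -> dict:
    """Map each letter to its mirror (a<->z, b<->y, ...), for both lower and upper case."""
    table = {}
    for ch, mirror in zip(LETTERS, reversed(LETTERS)):
        table[ch] = mirror
        table[ch.upper()] = mirror.upper()
    return table

REVERSE = build_reverse_alphabet()

def reverse_alphabet(text: str) -> str:
    """Apply the reverse-alphabet cipher. The mapping is its own inverse, so the same
    function both encodes and decodes. Non-letters (spaces, punctuation) pass through."""
    return "".join(REVERSE.get(ch, ch) for ch in text)

def top_letter(text: str) -> str:
    """Most frequent letter in the text, ignoring case and non-letters."""
    counts = Counter(ch for ch in text.lower() if ch in LETTERS)
    return counts.most_common(1)[0][0]

if __name__ == "__main__":
    note = "attack at dawn, attack at dusk"  # constructed sample note
    secret = reverse_alphabet(note)
    print(secret)
    print(reverse_alphabet(secret))  # decoding is the same operation
    # The cipher hides words, not letter statistics: the commonest ciphertext
    # letter is the mirror of the commonest plaintext letter ('a' -> 'z').
    print(top_letter(note), "->", top_letter(secret))
```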

Cryptography ensures not only that the message can be read only by those it is intended for, but also that it won't be changed by other people, and the authentication of the sender and receiver; because if only your friend-crush Anna knows the secret key and your love letter goes public, then you can be sure you don't need Anna close anymore.


It is clear that cryptographic methods are not as simple as the cipher described above (they should not be); for that we have several algorithms that fall into two main categories:

  • Symmetric cryptography
  • Asymmetric cryptography

 

Symmetric cryptography has some main weaknesses compared to asymmetric, because these methods use only one key to encrypt and decrypt the message. If the key gets intercepted during the exchange between the sender and the receiver, then you are basically dead.

On the other hand, asymmetric cryptography uses two keys: public and private. The public one is used in order to be shared with
