Total thanks!

--Originally published at #CParravirgen

This is for you, Ken. I know I’ve said it before, but I’ll never get tired of thanking you: thank you for your thoughts, your teaching, and for being the way you are. Thank you for always bringing out the best in us, thank you for pushing us to always learn more and never settle, thank you for not letting us stand still in a moving world.

This is my review of the course, and all I can say is thank you. To be honest, I wasn’t sure how much I was going to learn from this course. Now I realize that I learned a lot, and not only from the course itself: I have taken lessons that have made me a better person. Thank you for that.

Maybe I would’ve liked more activities like hacking into a wireless network, which wasn’t possible with the infrastructure we have at the Tec. But I also know that if it didn’t happen, it is because I didn’t make it happen; it is nobody’s fault but mine, if anyone’s. Thank you for making me realize how much impact I can have on my society and my surroundings.

I was actually telling one of my friends how much I loved this course and how much I enjoyed having you as a teacher, and believe me, this is pretty much what I wrote in the ECOA, because from this course I take things that will help me my entire life, not just in my professional career. That is why I think you’ve been one of the best professors (if not the best) I’ve ever had.

“Would I recommend you to my friends?”, asked one of the questions. Well, I don’t think I need to tell you

thank you

Should I click on that?

--Originally published at #CParravirgen

Noooooo

That’s the simple answer. And when we talk about security, better safe than sorry. As far as possible, do not click on any funny stuff you find across the internet: if it looks weird, if it tells you that you should scan your computer for viruses, or if it tells you that you just won $500,000 USD because you are the 500,000th visitor. What a coincidence? It isn’t; it’s just a few guys trying to make a living off you by getting your information and doing something dirty with it.


Clicking on things like this one usually leads to a privacy breach, or to something else you really don’t want to have to deal with.

Stay safe and don’t click things that ask for something from you.

As a user of the internet, you are exposed to many things, many threats. It starts with where you are connecting from and goes all the way to which sites you visit.

Alex Carrillo makes an interesting post about this on his blog; you can read the Security on the web post he wrote and you will have a better picture of some simple threats you should look out for.

Now, besides passwords, sharing information, clicking on things, using decent browsers and downloading dirty stuff, there are other threats. These are more discreet, like phishing or fake emails trying to get your information.

Phishing is a serious thing, since many times you don’t even notice that you’ve been giving away information or that you’ve been the victim of an attack. So, what is phishing exactly? Here is the definition:

“Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person
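Here is a small added example (my own code for this page, not something from the original post or from Alex’s blog) that turns the “should I click on that?” advice into checks you can run over the links in an email or a web page: a visible address that differs from where the link really goes, a user@host trick, a bare IP address as the host, punycode labels, and links that are not http(s) at all. The HTML it scans is constructed for the demo and the domains in it are placeholders, not real sites.

```python
"""Heuristic phishing-lure checks for the links in a piece of HTML.

Added example for this post, not code from the original. The sample HTML at the
bottom is constructed for the demonstration; its domains are placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside link text, e.g. www.bank.example
_DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a ...>...</a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """'login.bank.example' -> 'bank.example'. Last two labels only, which is enough
    for this demo; real code should consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_reasons(href, text):
    """Why this link looks like a lure; an empty list means none of the checks fired."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        reasons.append("scheme is %r, not http(s)" % parts.scheme)
    if parts.username is not None:
        # http://bank.example@evil.test/ -- everything before '@' is userinfo;
        # the browser connects to whatever comes after it
        reasons.append("'@' in the address hides the real host %r" % host)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible look-alike domain)")

    # Link text that shows one address while the href goes somewhere else
    shown = _DOMAIN_IN_TEXT.search(text.lower())
    if shown and host and registrable_domain(shown.group(0)) != registrable_domain(host):
        reasons.append("text shows %r but the link goes to %r" % (shown.group(0), host))
    return reasons


def scan_html(document):
    """Return [(href, text, reasons)] for every link that tripped at least one check."""
    collector = _LinkCollector()
    collector.feed(document)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = suspicious_reasons(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: two lures and one honest link
SAMPLE_HTML = """
<p>Your account is suspended. <a href="http://bank.example@198.51.100.7/login">Verify now</a>.</p>
<p>Sign in at <a href="https://bank-login.evil.test/">https://www.bank.example/login</a>.</p>
<p>Questions? See our <a href="https://www.bank.example/help">help pages</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_HTML):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

None of these checks proves a link is malicious, and a clean result does not prove it is safe; they are the same things you should look at with your own eyes before clicking, written down so a mail filter or a browser extension can do the looking for you.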


Please, not Windows again!

--Originally published at #CParravirgen

As part of the collective knowledge, I partnered up with my friend Alex Carrillo; please check out his blog too!

This time, we decided to work together on a blog about OS security. Here is what we came up with:

An OS can face many types of threats, and it needs to be able to protect itself. Here we list some features an OS needs to have, or actions that need to be taken.

  • User Authentication
    • User authentication is very important to have because, with it, the OS can grant access only to those people who have a user and a password. If an outsider tries to access the computer with an invalid user and password, the OS will immediately reject them. By creating users, the OS can also give special privileges to some of them; of course, the administrator is the one user who can do that.
  • Security Policy
    • Creating a good, well-thought-out security policy for the OS is a fundamental piece of making it more secure. We mention this because it is the base on which the OS we want is built.
  • Vulnerability Assessment
    • From time to time it is very important to check the system for vulnerabilities and try to fix them. As they say, a computer connected to the internet is more vulnerable than an isolated one. With that in mind, we have to make sure we fix any problem the OS might have before anyone else finds it.

Even though we try to make our computer more secure, the reality is that we are never going to make it 100% secure; but we can try to make it as secure as we can. There exist dozens of OSs around


So, what do we do now?

--Originally published at #CParravirgen

The countermeasure…

“In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.” (Wikipedia)

At some point, as a system admin or a software developer, you will have to deal with this, since there is no such thing as a “completely secure” system: any system can be cracked; it is just a matter of time and intention.

So when the moment comes, action will be required. What kind of action? That depends on the type of problem, but if the problem is too big, you will want Mr. Winston Wolf right by your side.


Here is a table of good countermeasures against the different types of threat (these are the STRIDE threat categories, and the list is the one from the Microsoft page mentioned below):

  • Spoofing user identity
    • Use strong authentication.
    • Do not store secrets (for example, passwords) in plaintext.
    • Do not pass credentials in plaintext over the wire.
    • Protect authentication cookies with Secure Sockets Layer (SSL). (Today this means TLS; every version of SSL itself is deprecated.)
  • Tampering with data
    • Use data hashing and signing.
    • Use digital signatures.
    • Use strong authorization.
    • Use tamper-resistant protocols across communication links.
    • Secure communication links with protocols that provide message integrity.
  • Repudiation
    • Create secure audit trails.
    • Use digital signatures.
  • Information disclosure
    • Use strong authorization.
    • Use strong encryption.
    • Secure communication links with protocols that provide message confidentiality.
    • Do not store secrets (for example, passwords) in plaintext.
  • Denial of service
    • Use resource and bandwidth throttling techniques.
    • Validate and filter input.
  • Elevation of privilege
    • Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.
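As an added example (my own code for this page, not from the original post or from the Microsoft page it cites), here are two rows of that table in working Python: storing passwords hashed and salted instead of in plaintext (the spoofing and information-disclosure rows), and an HMAC tag that makes tampering with data detectable (the tampering row). The algorithm, iteration count, salt size and tag size are choices made here, not values from the table; the 600,000 PBKDF2 iterations follow the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
"""Two countermeasures from the STRIDE table in code: no plaintext secrets, and
tamper-evident data.

Added example for this post; standard library only. PBKDF2-HMAC-SHA256 with
600,000 iterations, 16-byte salts and HMAC-SHA256 tags are choices made here.
"""
import base64
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 600_000


# --- "Do not store secrets (for example, passwords) in plaintext" ---------------

def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    A fresh random salt per password means two users with the same password get
    different records, and a stolen table cannot be attacked with one precomputed list.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """True if `password` matches the stored record; the comparison is constant-time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not leak, through timing, how many leading bytes matched
    return hmac.compare_digest(actual, expected)


# --- "Use data hashing and signing": a tamper-evident token ---------------------

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_claims(claims, key):
    """Serialize `claims` and append an HMAC-SHA256 tag: '<body>.<tag>'.

    Anyone can read the body (this gives integrity, not confidentiality); nobody
    without `key` can change it without invalidating the tag.
    """
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(tag)


def verify_claims(token, key):
    """Return the claims if the tag checks out, otherwise None."""
    body, sep, tag_text = token.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _unb64url(tag_text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(presented, expected):
        return None
    return json.loads(_unb64url(body))


def forge_role(token, new_role):
    """What an attacker tries: edit the readable body, keep the old tag."""
    body, _, tag_text = token.rpartition(".")
    claims = json.loads(_unb64url(body))
    claims["role"] = new_role
    new_body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return new_body + "." + tag_text


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))

    key = secrets.token_bytes(32)  # server-side secret; never sent to the client
    token = sign_claims({"user": "alice", "role": "user"}, key)
    print("genuine token:", verify_claims(token, key))
    print("forged token: ", verify_claims(forge_role(token, "admin"), key))
```

The two halves share one habit worth copying: the check is always `hmac.compare_digest`, never `==`, so an attacker who can time the server learns nothing from a failed comparison. The token is only as secret as `key`; the table’s “protect cookies with SSL/TLS” row is what keeps a valid token from being copied off the wire.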

Many more resources can be found on that Microsoft page, which has a lot of information


Are you ethical enough?

--Originally published at #CParravirgen

Uncomfortable question, right?

Well, ethical hacking is all about you. Why? Because the important question is: what will you do when you discover a major security problem in a certain system? Will you inform the company, will you take advantage of it, will you tell someone else, will you try to fix it yourself?

There are many ways to react when you encounter a problem…


so it is up to you to decide what you will do.

Regarding this, in the computer science area there are ways to obtain the Certified Ethical Hacker (CEH) certification. The organization that issues it defines it like this: A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.

Here is more information about the exam and the program:

The purpose of the CEH credential is to:

Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
Inform the public that credentialed individuals meet or exceed the minimum standards.
Reinforce ethical hacking as a unique and self-regulating profession.

About the Exam:

Number of Questions: 125
Test Duration: 4 Hours
Test Format: Multiple Choice
Test Delivery: ECC EXAM, VUE
Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)

For more information about this, you can go here.

There is another place you can check out too if you are interested; they have lots of information you can get and request. It is up to you how deep you want to go into this topic.


Thank you Julius Caesar!

--Originally published at #CParravirgen

Since the beginning of time, when humankind learned that to communicate among many people they had to speak the same language, more and more people started learning the same language so they could understand what others were saying. At some point we also felt the need to send messages to certain people without others finding out what we were saying. So, how can we pass a message to someone who is not physically close to us, in a way that nobody in between finds out what we are saying? Julius Caesar came up with a solution: the cipher. What it does is replace each letter by another one according to a fixed pattern (in Caesar’s case, shifting every letter the same number of positions along the alphabet), so the message looks like nonsense when you read it, and you need the pattern (the key) to decipher it.

Written in Java, a Caesar cipher could be programmed like this:

package cipher;

public class CaesarsAlg {

    // Shift every lowercase letter `key` positions along the alphabet (wrapping at z).
    // Anything that is not a lowercase letter is copied through unchanged, so spaces
    // and punctuation survive instead of producing a negative array index.
    String encrypt(int key, String text) {
        StringBuilder result = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c >= 'a' && c <= 'z') {
                int numVal = c - 'a';                          // 0 for 'a' ... 25 for 'z'
                int shifted = Math.floorMod(numVal + key, 26); // floorMod keeps negative keys valid
                result.append((char) ('a' + shifted));
            } else {
                result.append(c);
            }
        }
        return result.toString();
    }

    // Decrypting with key k is just encrypting with key -k (or 26 - k).
    String decrypt(int key, String text) {
        return encrypt(-key, text);
    }

    public static void main(String[] args) {
        CaesarsAlg myTest = new CaesarsAlg();
        String text = "sbgsnofbcsghfobgtsfwfqcbcqwawsbhcgwbcqfsofzogdcgwpwzwrorsgdofogidfcdwodfcriqqwobcqcbghfiqqwob";
        // With only 26 possible keys there is no need to know the key:
        // try them all and read off the line that makes sense.
        for (int i = 0; i < 26; i++) {
            System.out.println(i + ": " + myTest.decrypt(i, text));
        }
    }
}

Another classic cipher is the Vigenère cipher, a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution.

Making a Vigenère Cipher is not so hard


Not so “Trump’s” CIA…

--Originally published at #CParravirgen

This is a post I’ve been wanting to write, since it is the basis of information security: the 3 pillars of the subject, which are Integrity, Availability and Confidentiality of information (that’s IAC, or the not-Trump’s-CIA, as I like to call it).

So, straight to the point: why are these the 3 most important things in IT security? Because if you can ensure all 3 of them all the time, at the same time, then you would become the God of IT, with higher powers than the Power Rangers or Linus Torvalds.

Ensuring those 3 things all the time for any system sounds easy, but it isn’t. You have to make sure that one does not block another, but also that it does not undermine it. For example: I could make a big database public, so it is available and its integrity is intact, but it is so available that confidentiality suffers, so I’m missing one side of the triangle.

Pretty much all systems try to comply with these 3 things all the time; many achieve it for some time, until an update comes, an issue arises, or someone tries to play the “smart-ass” and do dirty things to the system, sometimes ruining the whole triangle.

So, let’s define each of the parts:

  • Integrity: Assurance that the data being accessed or read has neither been tampered with, nor been altered or damaged through a system error, since the time of the last authorized access. Read more: http://www.businessdictionary.com/definition/information-integrity.html
  • Availability: In the context of a computer system, refers to the ability of a user to access information or resources in a specified location and in the correct format. Read more: https://www.techopedia.com/definition/990/availability
  • Confidentiality: Is whether the information stored on a system is protected against unintended

I log in and get “authentication timeout”; I’ve been swindled!

--Originally published at GG Guazaman

What is it?


Every time we try to log in to a page, connect to a modem, get into our Gmail account, connect to the LoL client, etc., we always need to authenticate. But what does that consist of?

Authentication is nothing more than the process of identifying a user based on certain credentials they provide, the most common being a username (or email) plus a password.

The goal of authentication is to decide whether “someone is who they say they are”. There are three ways to recognize a user, known as:

  • Systems based on something known. For example, a password (Unix) or a passphrase (PGP).
  • Systems based on something possessed. For example, an identity card, a smart card, a USB device such as an ePass token, a coordinate card, or a cryptographic dongle.
  • Systems based on a physical characteristic of the user or an involuntary act of theirs. For example, verification of voice, handwriting, fingerprints, or eye patterns.

In this post we will focus on username-and-password authentication, and we couldn’t start anywhere other than the most complicated part: the password.

Password = 1234


Is your password 1234, qwerty, abc123, password, or the like?

To begin, let me tell you the following. There are several ways our passwords can be stolen: someone sees it, guesses it, impersonates us, or builds up a store of accounts. One of the methods used is brute force, but how effective can it be? To give you an idea, there is the following formula:

Let S be the length of the password and N the number of symbols that can be used in passwords:

[formula shown as an image in the original post]

But what does this mean? Let’s take an example. Imagine your password consists only of lowercase letters and its length is at most


It’s me, open up!

--Originally published at #TC2027 #CParravirgen

Sooooo, before my coffee power runs out I’ve got to finish this post, so buckle up and prepare for a not-so-wild, not-so-boring and very instructional read. Don’t worry, I’m not that great a writer, so it won’t be long, just long enough to prove I know what I’m typing.

Kids, this is the story of “how I met your mother”. No, actually it’s not about how I met her, but it sounds like an interesting post, or TV show, to make... oh wait.

Since “how I met your mother” has already been taken, let’s see what we can say about authentication. Why, you ask, go from super cool to super boring? Well kids, it’s because of our security blog; eventually I’ll write about more interesting things, but for now let’s stick with authentication and security, shall we?

So, the basic goals of authentication and security (the 101 of security):

  1. Keep unauthorized persons from gaining access to resources
  2. Ensure that authorized persons can access the resources they need

Therefore, you can imagine it is important to know who is knocking at our door before we open it (only in Mexico do we open the door when someone just says “It’s me, open up!”).


So, we know how insecure Mexico is (and yes, I can say that because I’m Mexican, I live in Mexico and I care about it; any complaints, please refer them to your hand and the Mexican government, thank you). Even though that is not because we open the door without proper authentication, the computer and network world can’t work like that.

How can we protect data from people who are not authorized to see or have it, while still making it available to those who should have it and depend on it? Keeping it under the mattress is not an
