Códigos de encriptación

--Originally published at Héctor H.F. Blog

Hace algunas semanas, les quedé a deber códigos para encriptar (ambos en Java). Puede ser desde una palabra hasta un texto entero. Si no han leído mi entrada sobre la encriptación, deberían leerla antes de tratar de averiguar cómo funcionan los siguientes códigos.

Son dos encriptaciones, César (muy simple) y Vigenere (un poco más avanzada).

El cifrado César consiste en mover cada letra de un texto n posiciones. El número de posiciones lo define el usuario. El siguiente código demuestra el funcionamiento de este cifrado, y ya lleva incluido una serie de caracteres que, al encriptarla, te dará un mensaje real.

public class Caesar {

	public String encrypt(int key, String plaintext){
		String finalText = "";
		int[] ascii = new int[plaintext.length()];
		int[] asciiEncrypted = new int[plaintext.length()];
		for(int i = 0; i < plaintext.length(); i++){
			ascii[i] = (int) plaintext.charAt(i);
		}
		for(int i = 0; i < ascii.length; i++){ 			asciiEncrypted [i] = ascii[i] + key; 			if(asciiEncrypted[i] > 122) {
				asciiEncrypted[i] = ascii[i] - (26 - key);
			}
		}
		for(int i = 0; i < asciiEncrypted.length; i++) {
			finalText = finalText + (char) asciiEncrypted[i];
		}
		return finalText;
	}
	
	public static void main(String[] args) {
		caesar c = new caesar();
		System.out.println(c.encrypt(12, "sbgsñofbcsghfobgtsfwfqcbcqwawsbhcgwbcqfsofzogdcgwpwzwrorsgdofogi dfcdwodfcriqqwóbcqcbghfiqqwób"));
	}

}

El cifrado Vigenere es una versión mejorada del César. Este se construye de varios cifrados César en distintas partes del mensaje. Más detalles aquí http://es.ccm.net/contents/143-el-cifrado-vigenere. Esta página explica muy bien el paso a paso de este cifrado http://es.wikihow.com/codificar-y-decodificar-utilizando-la-cifra-de-Vigen%C3%A8re. Este código hace algo parecido (obtenido de http://javaenaccion.blogspot.mx/2012/05/cifrador-y-descifrador-del-metodo_28.html)

public class Vigenere {
 
    char tablaCesar[] = {
        'A', 'B', 'C', 'D', 'E',
        'F', 'G', 'H', 'I', 'J',
        'K', 'L', 'M', 'N', 'O',
        'P', 'Q', 'R', 'S', 'T',
        'U', 'V', 'W', 'X', 'Y',
        'Z'
    };
 
    public char getTextoCifrado(char parTextoClaro, char parTextoClave) {
        int 
 Continue reading "Códigos de encriptación" →

Tips para novatos en la red

--Originally published at Héctor H.F. Blog

Hola a todos, aquí una nueva entrada sobre seguridad informática. Esta va a ir dirigida a un sector para el que no frecuento mucho hablar: para las personas adultas que no tienen mucho en este mundo virtual llamado Internet (aunque podría también haber algún millennial por ahí que jamás había prendido una computadora). Les voy a dar algunos consejos para cuando naveguen en Internet.

Me basaré en una lista que publicó Microsoft en el 2009, si bien, desde entonces la tecnología ha evolucionado mucho, las cuestiones básicas de seguridad prácticamente son las mismas. Aquí se pueden encontrar más detalles http://expansion.mx/tecnologia/2009/09/03/10-tips-de-seguridad-para-usar-internet. He aquí ellas:

1. No reveles información personal por Internet. Establece restricciones a tu información personal en sitios de redes sociales. Este punto no solo es para personas adultas, también muchos jóvenes acostumbran a tener su información de Facebook pública para cualquiera. Facebook o cualquier otra red social nos permiten configurar quién puede ver nuestra información. Así puedes poner que solo tus amigos vean las publicaciones, e incluso tienes la opción de que solo ciertos amigos (tu familia, por ejemplo) vean cierta información. Teniendo tu información pública corres el riesgo de que alguien esté espiando lo que haces con tu vida.

2. Llena con cuidado formularios de registro. Cerciórate de que estás llenando ligas de empresas conocidas y confiables. De esto he hablado al menos en otros dos blogs. Hay que ver que en serio el sitio sea confiable. Una manera de estar seguro es ver si en la barra de direcciones aparece un candadito y/o la palabra https://… Con esto, puedes estar seguro que el sitio es confiable y no usarán tu información para fines no deseados.

3. Evita sitios que muestren violencia y/o pornografía, pueden ser de alto riesgo. Al visitar estas páginas, puede entrar malware a tu

Resultado de imagen para actualizacion windows

Continue reading →

Administrando el peligro

--Originally published at (Not so) Random talk

En el sector público y privado se tienen diferentes usos para la información y las nuevas tecnologías, como ya hemos visto eso conlleva a tener presentes una serie muy grande de peligros y vulnerabilidades latentes. Las diferentes compañías y empleados que generan las nuevas tecnologías deben no sólo ser capaces de reaccionar ante estas vulnerabilidades, sino también manejarlas y evaluarlas para poder otorgar un grado mayor de seguridad a los usuarios.

Los diferentes objetivos que conlleva el evaluar estos riesgos son:

Encontrar peligros para la organización.
Detectar vulnerabilidades dentro y fuera de la organización.
Evaluar el impacto del explotamiento de dichas vulnerabilidades.
Conocer el porcentaje de probabilidad de ser explotada de una vulnerabilidad.

Es decir, se lleva una evaluación que determinará el riesgo.

Los riesgos en las organizaciones deben ser vistos a partir de diferentes puestos de trabajo los cuales terminan abarcando todas las jerarquías. Los dirigentes deben saber tanto como los programadores sobre los riesgos que puede implicar el uso de la tecnología, convirtiendo la tarea del asesoramiento de riesgos algo realmente complicado.

Una manera de entender esto es lo siguiente: Digamos que se te pide que realices un formulario con la contraseña de la gente.

Hecho 1: El jefe, al no saber sobre riesgos acepta el trabajo aún sin especificar claramente que no se debe mostrar en algún lado esa información.

Hecho 2: El empleado al no saber sobre la seguridad de contraseñas ni peticiones, envía la contraseña dentro del url para que la página que le utiliza le pueda verificar.

Hecho 3: Un atacante se da cuenta del error y roba información cuando el producto sale a la venta.

Todo lo anterior da como resultado que la empresa quede en mala posición, se pierda dinero por la necesidad de arreglar el error, probablemente el programador sea despedido

Continue reading →

Type your username and password here

--Originally published at (Not so) Random talk

Diego's Password

Please, input your username and password to read this post:

Username:
Password:

…

You didn’t fall under our little trap/joke right? (Really, hopefully you didn’t).

Anyways, jokes aside, this kind of things that many pages like Facebook or Gmail, or that even your computer when you start it does, it’s called Authentication. What it basically does, is assuring that you are, indeed, you. Sounds funny, but we said we were leaving jokes aside. It is a fundamental security block (if not imagine, someone through the web could get your info without anything to block them, or your friends posting on your FB account). It is made in two steps: identification – identify the username – and verification – bind the identification and the entity.

As you probably already know, authentication can be made through something you know (password), something you have (card or…

Ver la entrada original 460 palabras más

Excuse me, who are you?

--Originally published at Don't Trust Humans, Trust Computers

Each person in this planet has something that identifies him/her. It could be a physical characteristic, like nose shape, eye color, hair, a scar, etc., or it could be a non-physical thing like voice tone, name, the way you speak, and so on. We even have legal documents that verify who we are in a society. No matter in what part of the world we are, we are someone and we can probe that we are the person we say we are. But if the pass from the physical world into the digital one. In the digital world, we can be any one and there’s no one that is checking if we are really who we say we are, or maybe there is? The truth is it depends on how you see it. Because there are websites, like Tumblr that ask you for a user and a password, so there is really someone checking that the user and password match, but once inside Tumblr is another story. If you came to realize, there are many places in the digital environment that ask for a user and password, and that is important matter in the security aspect.

Authentication and access control are two complementary topics that go on hand in hand. Most of the time you want this type of security in any system you are in to protect the information that is inside a system. And of course, it affects which user access the system. Authentication is the process of verifying if you are really the user you say you are. This process there are two key elements: the identifier and the authenticator. By identifier we mean the user, that tells who you are and the identifier is commonly known as the password that verifies that is truly you who is

Continue reading →

No time for panic

--Originally published at (Not so) Random talk

Imagine you own a very important company, constantly attacked or under possible attacks from spies. You are vulnerable, you are at risk. But what can you do know? You might start to panic thinking nothing can save you.

Ah, but there is something you could do. No, don’t look at us with those big, hopeful eyes.

We don’t have the magic solution to your problem. But we can tell you something you could do, maybe not to prevent those spies, but actually, the first step before that. They are called Risk Assessment Methodologies.

Risk assessment is about finding out exactly in which parts or places are the risks (for example your vault code), which of those risks are more important, and how to make the risk smaller. After doing risk assessment, you and our personnel will know which actions to take to reduce risk or to reduce those actions that put you more at risk (like stop leaving

There are two types of risk assessment: quantitative and qualitative. As the names suggest, one has a very rigorous metrics to assess risks, it puts a great effort into asset value determination and risk mitigation, but the calculations can be complex and time consuming, as well as requiring a lot of preliminary work. The second one is much simpler in calculations, not even quantifying threat frequency, and the value of the assets is not necessarily monetary. On the other hand, as the name suggests, it is subjective, depend on the expertise of the assessment team and there is no basis for the cost/benefit analysis of risk mitigation.

Now that we know what is risk assessment, let’s see the methodologies:

Asset Audit

Your company (the one attacked by spies), actually manages lots of money, information and valuables from very important and influential people

Continue reading →

The network is down

--Originally published at Don't Trust Humans, Trust Computers

Do you remember you life before the internet? where you had to go outside to socialize with people, and laugh to your uncle’s bad jokes instead of memes. Yeah a pretty scary scenario that is in the past. Luckily we live in an era where the internet has become a major part of our lives, but how does the internet can reach SO many people? Well, that’s because the internet is just a HUGE network, where everybody is connected to. That network is a network that is formed out of other networks, and those other networks are formed out of OTHER networks and so on and so on. This networks are made of various components, like: computers, servers, routers, hubs, switches, cables, and other items. All this components are key elements so a network can function properly, along with the right configuration in each item that need it. So this are VERY important and need to be secure from any type of attack or incident that might happen, or else the network can have some problems. That why network security is essential.

As cisco states “Network security refers to any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies”. Network security include many types like:

Access control.
Antivirus and antimalware software.
Application security.
Behavioral analytics.
Data loss prevention.
Firewalls.
Mobile device security
Wireless security and many more.

Networks are in constant a threat some of the most notorious threats they have are DoS. DoS stand for Denial of Service, and what it does is basically send more request than a machine can handle. The purpose of this attacks is to take down a service a server is giving. This are a very common attack a network can receive and there

Continue reading →

Network Security Policies

--Originally published at TC2027 – Will It Blog?

Directly from googles search “security policies”. I came first to the definition of security policy just like that. Security Policy is a document with a protection plan on physical and information technology assets. Then I came to the definition of “network security policy” and that is a generic document that specifies or outlines rules for computer network access.

So I guess the second one was the one oriented for this course. With this sort of document organizations can greatly improve the security of their Information and Communications Technologies systems and keep the patched against known vulnerabilities.

Security policies must be subject to the following risks:

-Unauthorized changes to systems (remember.. THE CIA TRIAD OMG)
-Exploitation of unpatched vulnerabilities (Keep those databases updated)
-Exploitation of insecure system configurations (do not draw on intentional vulnerabilities they might cause backdoors).

So to get this sort of risks to be managed, security policies have to:

Ensure that updates and system patchs are applied in a timeframe.
Maintain hardware and software orientates
Conduct regular vulnerability scans
Disable unnecessary I/O devices and removable media access
Maintain a whitelist and execution control.
Limit user ability to change core configurations.

Whitelist: List with authorized applications and software that has permissions to execute.

https://en.wikipedia.org/wiki/Network_security_policy

Security Countermeasures

--Originally published at Don't Trust Humans, Trust Computers

We live in an era, where everybody has some kind of digital device. Most of us have at least 2 of this devices, if not more. We interact with them in a daily basis; in our work, in our home, at the school, at entertainment centers, etc. This gadgets are taking over the world, but most importantly our lives. And if this devices are being an essential part of our lives, well… we are very likely to have some security threats on our way. In our lives, we are always expose to some kind of threat, even if we like it or not, and if we have a digital device, we are expose to a different new kind of threat, that it didn’t exist before.

There exist so many cyber security threats out in the world, and we need to be prepared if we encounter one. So here I am going to list you some of the most common threats and some countermeasures to those problems.

Spoofing user identity.- using a fake authentication to gain access to a system.
- Countermeasures:
  - Do not store passwords in files.
  - Use a strong authentication.
  - Do not send passwords over the internet.
Tampering with Data.- unauthorized modification of data.
- Countermeasures:
  - Use digital signatures.
  - Use data hashing and signing.
  - Use strong authentication.
Information Disclosure.- unwanted exposure of data.
- Countermeasures:
  - Use strong encryption.
  - Use strong authentication.
Phishing.- making use of a fake email or webpage so user can put personal information
- Countermeasures:
  - Delete suspicious email.
  - Enter to verify websites.
  - Look for digital signatures.
Malicious Code.- software that cause malfunctions inside a system.
- Countermeasures:
  - Turn off automatic downloading.
  - Block malicious websites.
  - Stay current with OS updates.
Weak and Default Passwords
- Countermeasures:
  - Combine letters, number and special characters.
  - Don’t share your password.
  - Don’t use
    
    Continue reading "Security Countermeasures" →

Security on the web

--Originally published at Don't Trust Humans, Trust Computers

OOOH the internet such a beautiful and harmonic place yet so full of stranger dangers and mischievous things. People must of the time are very naive when they are on the internet. They are not well aware of the dangers that the internet has. Even though this seems like I am giving a bad reputation to the Internet, I am only saying the truth. Yes, the internet is one of the most amazing inventions there is. It has help people from all over the world communicate in a way it seems impossible before and has brought us many other wonderful things. But sometimes there are people that take advantage of this great invention and try to use it for malicious purposes. Every time we navigate in the internet we are expose to some kind of danger, but if we are smart enough we will be able to not fall into the tramps.

Here are some advices to take in consideration when we are in the internet.

Passwords
- How many of us know a person that has a very awful password, if we he/she share his/her password so freely, well… there’s a problem. When we are creating accounts to some websites and they ask us for a password, we need to create strong password. Try combining letters (both capital and lowercase), numbers and special characters. DON’T share your passwords with any one, unless you truly trust the person you are sharing it with. Don’t use the same password for different websites, try using a different one in every website.

Internet Browsers
- To be able to navigate in the internet we need a browser to do that. There are plenty of browser out there for you to choose from. When you have selected your browser, you have to make sure is up-to-date.
  
  Continue reading "Security on the web" →