TC2027

--Originally published at Computer and Information Security

Working with Ken is a completely different way to learn; it challenges you to improve and to learn by exploring the world/internet in a DIY way.

I really enjoyed taking the course with him because it was an easy way to learn and to complete the course, not to get a good grade but to get the knowledge one expects to receive in this course.

Course objective:
Upon completion of this course, students will have gained an overview of the area of computer security and the basic knowledge needed to understand the risks, threats and vulnerabilities of computer systems in today's world, as well as the controls and protection methods against possible attacks, which are indispensable for these systems to work properly in contemporary companies. They will also be familiar with the existing national and international laws related to computer system security.

Yes, for me the course objective was accomplished, and I strongly recommend taking any possible course with Ken, not only because he has the knowledge to share related to the course but also because, as a person, Ken is full of great skills that he shares with his students, and those are more valuable than static knowledge.

Operating System Security

--Originally published at Computer and Information Security

Among the main operating systems, MacOS is one of the most important; yesterday a vulnerability was discovered that allowed a guest user to obtain administrator privileges with a simple change to the user name and several presses of Enter.
You can see the original discovery here.

The most interesting thing about this is that 19 hours later Apple already had an update to the operating system available in its download center that fixed the problem.

No system is perfect, but the speed of reaction and the commitment of its creators to keeping it secure, reliable and functional is what makes its users stay.

Cryptography

--Originally published at Computer and Information Security

Cryptography has been here as long as we have; we have to remember that breaking a cryptographic system was the objective of the first computers, but also that cryptography and security are always related, in IT or elsewhere. For example:
Every poker player should learn a bit about cryptography. Because, in a way, playing poker is actually a form of cryptography. Let me explain.
Cryptography is the science of encoding information. Typically encryption is used to encode communications between two parties so that a third party is unable to understand it. For millennia, people have been trying to encrypt their communications—and the field of cryptography has become increasingly important over the years.
All of the innovation in cryptography is designed to address one problem. There is an inherent tradeoff between ease-of-use of a cryptographic method and its security.
Interestingly, if you are interested only in security—making sure that no one can possibly break your code—and not at all in ease-of-use, then the solution to perfect encryption is trivially simple. You can use a method called a one time pad.
Let’s say we have a message written in English that is 140 characters long. We want to encode this message so that only its intended recipient can read it. Before we send the message, we generate a list of 140 random numbers from 0 to 26. Maybe we have a computer generate this list. We write the random numbers down on a piece of paper and hand it to our intended recipient.
Then we compose the message. And for every character in our message, we add the corresponding number to it—adding meaning that we go that many letters forward in the alphabet to get the new letter. So if our letter is E, and the random number is 3, then in our
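The one time pad described above, as an added example that is not part of the original post. It assumes a 27-symbol alphabet (A–Z plus space) to match the post's "random numbers from 0 to 26", and also shows why the pad must never be reused: with the same pad, the difference between two ciphertexts equals the difference between the two plaintexts, so the pad cancels out.

```python
import secrets

# Assumption (not stated on the page): A-Z plus space, 27 symbols,
# so a shift of 0..26 covers the whole alphabet.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "
MOD = len(ALPHABET)


def generate_pad(length):
    """One random shift per character, from a cryptographically secure source."""
    return [secrets.randbelow(MOD) for _ in range(length)]


def _shift(text, pad, direction):
    """Move each letter `direction * k` positions along the alphabet (wrapping)."""
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for ch, k in zip(text.upper(), pad):
        if ch not in ALPHABET:
            raise ValueError(f"unsupported character {ch!r}")
        out.append(ALPHABET[(ALPHABET.index(ch) + direction * k) % MOD])
    return "".join(out)


def encrypt(message, pad):
    """Page's rule: letter E with random number 3 becomes H."""
    return _shift(message, pad, +1)


def decrypt(ciphertext, pad):
    """The recipient walks the same number of letters backwards."""
    return _shift(ciphertext, pad, -1)


def pad_reuse_leak(c1, c2):
    """If one pad encrypts two messages, (c1 - c2) mod 27 == (m1 - m2) mod 27.
    The pad cancels, so positions where the plaintexts agree show up as 0
    and the remaining values give the relation between the two messages."""
    return [(ALPHABET.index(a) - ALPHABET.index(b)) % MOD for a, b in zip(c1, c2)]


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"          # constructed sample message
    pad = generate_pad(len(msg))
    ct = encrypt(msg, pad)
    print(ct, "->", decrypt(ct, pad))
```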

Unintentional Security Issues

--Originally published at Computer and Information Security

Easy: users and admins are humans, and humans make mistakes.

There have been many times when, because of a mistake made by a human, a system failed, and that is a real issue when, for example, that human works at AWS and unintentionally breaks the internet for half of the USA.

It’s human to make errors, but thankfully these errors can be 100% prevented. A mixture of strategies may help to prevent human errors from turning into security incidents.

When looking at attacks today, most people think external attacks are the biggest problem for organizations and where they need to focus most of their energy. However, it is important to distinguish between the source of an attack and the cause of damage. While the source of most attacks is absolutely external, the cause of damage is often the accidental insider. Adversaries recognize that it is too hard to directly break into servers and compromise an organization externally. It is much easier to target an insider, trick that person into opening an attachment or clicking on a link through social engineering, and then leverage his system as a point of compromise. In many cases, the activity that is used to compromise an insider typically revolves around executable attachments, macros in office documents and HTML embedded content. What can an organization do to properly protect itself against insider threats? Most organizations believe greater security awareness is the answer to minimizing accidental insider attacks; this means ensuring employees better understand the dangers and exposures. While I am a big fan of awareness, organizations have to remember that no solution will solve every problem. Awareness is good for basic attacks where there is something visibly wrong with the email or information received by the user. However, with advanced adversaries and more sophisticated phishing attacks, the

Ethical issues security professionals

--Originally published at Computer and Information Security

Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions.
IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.
Why are ethical guidelines needed?
The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little consideration of how those abilities can be misused. In fact, many IT professionals approach their work with a hacker's perspective: whatever you can do, you're entitled to do. (Note: In this article, we're using the word hacker in the current common meaning, pertaining to "black hat" hackers who use their skills to break into systems and access data and programs without the permission of the owners. We're well aware that the term originally referred to anyone with advanced programming skills, and that there are "white hat hackers" who use their skills to help companies and individuals protect against the black hats.)

In fact, many IT pros don't even realize that their jobs involve ethical issues. Yet we make decisions on a daily basis that raise ethical questions.
What are the ethical issues?
Many of the ethical issues that face IT professionals involve privacy. For example:

Why use httpS

--Originally published at Computer and Information Security

Because it is secure we should always use HTTPS; right now, as developers, we have many options to use this protocol for free (GCP, Let's Encrypt).

But what is HTTPS?
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.
Benefits
  • Customer information, like credit card numbers, is encrypted and cannot be intercepted
  • Visitors can verify you are a registered business and that you own the domain
  • Customers are more likely to trust and complete purchases from sites that use HTTPS
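The second benefit above (visitors can verify that you own the domain) only holds if the client actually checks the certificate. The following added example, not code from the original post, builds a Python TLS client context that validates the certificate chain and hostname the way a browser does, next to the common anti-pattern of disabling verification to silence errors; `fetch_over_https` is a hypothetical helper that needs network access.

```python
import http.client
import ssl


def make_client_context():
    """Client-side TLS context with the checks a browser performs before it
    shows the padlock: chain validation against trusted CAs, hostname match,
    and no protocol version older than TLS 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """Anti-pattern for comparison: traffic is still encrypted, but any
    certificate is accepted, so the 'you are talking to the domain you
    think' guarantee is gone and an on-path impostor is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """Check to run in code review or a startup self-test: does this context
    keep the properties that make HTTPS more than 'encrypted to somebody'?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch_over_https(host, path="/", timeout=5):
    """Hypothetical helper: GET over a verified connection. A certificate that
    does not validate raises ssl.SSLCertVerificationError instead of silently
    falling back. Requires network; not exercised by the test."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=make_client_context())
    conn.request("GET", path)
    return conn.getresponse().status
```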

Best Practices for DDoS

--Originally published at Computer and Information Security

I found this document from Google that explains the best practices for these cases.
  • GCP load balancing solution has DDoS mitigations built in, lowering the attack surface:
    • configure ingress firewall rules (like iptables)
    • network load balancing has port filtering. Any port that is not load-balanced is dropped by GCP's highly scaling frontend infrastructure
    • HTTP/HTTPS load balancing can absorb and protect from IP spoofing and large SYN flood attacks.
    • it also has fair-share allocation built in
And:

Google Cloud Platform provides a number of features to defend against DDoS attacks. You can use these in conjunction with the above mentioned best practices and other measures tailored to your requirements to make your GCP deployment resilient to DDoS attacks.

Encrypt your Drive using SanDisk SecureAccess 3.0

--Originally published at Computer and Information Security

As I prefer to use services for all kinds of users, I decided to buy a commercial USB drive at Walmart and use the brand's software for encryption.
It was very easy to install and use because of the user interface; it asked me for a "secure" password: 8+ characters, a special character, lower and upper case, and numbers.

After the encryption my drive has a special "folder" where I can store files and access them through the interface.
The application is portable, so I can access them on any Windows/MacOS device.