Systems security pt. 2: STATS

--Originally published at Security blog

For the last post of this semester, we will talk about implementing system security in our project. Recall that system security dealt with operating systems and, in my understanding, the more local parts of a software system. Some parts were also given to us as rules to follow; there are not as many as there are for web security, but they are also important to keep in sight.

The password theory we saw, the one that used three things (what we know, what we have and what we are), was considered a little, but in the end, once again, we didn’t have time to implement more advanced things. We simply use written passwords. The other part we saw about this was NTFS, the other file system. We really didn’t see this in a bigger sense. We didn’t even use files or anything. The part of that which we could use is the Active Directory part, because of the small number of objects we use.

One of the things we saw about this is data backups. This is an important topic because, obviously, if something happens that ends in a loss of information or configurations, for example, we can recover everything from a previous state. The only thing we must have a backup of is the database. Our apps will work with a strong basis in the database. The app can know the levels that are unlocked, the results and, of course, all of the users and passwords to grant or deny access. Fortunately, the MySQL service we are using has the ability to create and read text files to reconstruct the database from the point it is. We just have to follow some backup

Web security pt. 2: STATS

--Originally published at Security blog

I will now discuss the parts of web security concerning the Semestre i project. For this, it is really easy, for we have the principles we just have to follow. Well, I say we “just have” to follow, because of course there are other things we should consider as we go on and on, but this is a good first approach, I mean, for the level of development our application has.

The first principle is least privilege. For our app we are giving only limited privileges to the users. Teachers can only register users and themselves, and can only choose between groups and students to see their results. That user is the one with the most privileges; parents and students just log in and see results or play. For simplicity, we keep the functions and actions simple, as well as the structure of the system. The database is pretty small, and the games take their basis from it. Never trusting users is also crucial, and we have thought about that as well by giving few privileges to users.

Expecting the unexpected is quite a task here, because we know many things can happen, but we also don’t have enough time to implement a lot of things. We are just aware of those things, and also keep an eye on making everything on a bigger basis. With defense in depth, for example, we came to doing the cryptography with the customized key. In that way, if someone manages to decipher the key, they will still encounter another thing they have to decrypt, and that is the data itself.

We also think about the security through obscurity feature by giving very few privileges to the users. I think it is also a way for them to not know what is

Cryptography pt. 2: STATS

--Originally published at Security blog

I will now begin a series of three last posts. Each one will have as its topic one of the topics of the course we have seen, but with a different approach. I will talk about each topic as we tried to apply it in our project, and by which means it could be applied.

Starting with cryptography. We will need to use cryptography in our project, and I talked about it in that post, because we are managing a lot of important information. Usernames and passwords are going to be stored in the database, as well as the results obtained from using the game. All these things are better not seen from the outside, so they must be difficult to read and impossible to understand.

One of the alternatives we thought of at the beginning was to use the methods that the tool we used could have. When we started using PHP (something we no longer do) we were planning to implement one of the functions that could make a big hash of the text that we were planning to store. It could work because it used the md5 algorithm, but one of the problems we could have was that the key to decrypt the text had to be saved in the PHP script, which could make it vulnerable in the end.

We’ve also seen that the MySQL system we are using implements some methods in the insert commands. MySQL has some interesting methods that work with the AES scheme (Advanced Encryption Standard). This can also sound good, but we still have the same key problem. That’s why we thought of making a customized key for each user. Constructing a key using some characters from the user’s name and last name resulted in a different key for each person, thus making it

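The storage choices discussed in this post, compared in an added example that is not code from the project: an unsalted MD5 digest, a key built from name characters, and a salted password hash (PBKDF2-HMAC-SHA256) that needs no stored decryption key. The three-letter rule in `name_derived_key`, the sample names and passwords, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the hardware in use


def md5_digest(password: str) -> str:
    """Unsalted MD5 as in the early PHP plan: identical passwords give identical rows."""
    return hashlib.md5(password.encode()).hexdigest()


def name_derived_key(first: str, last: str) -> bytes:
    """Hypothetical 'customized key': first three letters of each name.
    The post does not say which characters were used; this rule is an assumption."""
    return (first[:3] + last[:3]).lower().encode()


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2 with a fresh random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    # Constructed sample data, not taken from the project.
    salt_a, digest_a = hash_password("tables123")
    salt_b, digest_b = hash_password("tables123")
    return {
        # Two users with the same password are visible as such in the table.
        "md5_reveals_shared_password": md5_digest("tables123") == md5_digest("tables123"),
        # Similar names yield the same key, and names are not secret.
        "name_key_collides": name_derived_key("Maria", "Lopez") == name_derived_key("Mario", "Lopez"),
        # Random salts make equal passwords store differently.
        "salted_hash_differs_per_user": digest_a != digest_b,
        "correct_password_accepted": verify_password("tables123", salt_a, digest_a),
        "wrong_password_rejected": not verify_password("tables124", salt_a, digest_a),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the salt and digest are stored per user, so the "key in the script" problem does not arise for passwords; data that must be read back, such as game results, still needs encryption with a key kept outside the database.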

Three golden rules

--Originally published at Security blog

Right at this point in the course, we’ve been taught many things about effective security in our environment as software engineers. However, it is also true that we are involved in one big project, an application that will allow elementary school children to learn math better. And so we also have to take special care of its own security, and this is a topic that we haven’t discussed in this blog.

First of all, there are several rules we should follow. I found many interesting things on golden rules for security purposes. One of them said that there were three golden rules for not having security issues: do not own a computer, do not turn it on and do not use it. These are not so practical, because, well, if you are reading this then you have already broken the three rules (just like me).

We get a nice golden lock.

Because of that, we need another set of rules, and I found one that I liked because it had to do with IoT. First of all, we must repeatedly review the code we make and we must test the security things very often. We have seen a lot of these practices earlier. This point implies prioritizing for sure, and knowing your strengths and weaknesses. Second, continuous development. I consider this one as not coming to a halt when working on the security area. Things are changing every day, and so must the security measures that are implemented (improved, at minimum). Last, managers (in business cases) must take responsibilities. I differ on this one. I think managers and engineers who make security parts should take responsibilities, mainly

OS security

--Originally published at Security blog

Operating systems also have some security within them. Well, obviously! An operating system is a great place to set security things, since it is a system that also has a lot of users’ information and involvement with hardware. Also, and as we have seen previously, some rules have been made for people to easily implement security on the OS. This post will talk about some of those things.

The first theme of all of this is passwords. In password theory we can use three things in common to create them. We can use what we know, what we have and what we are. What we know are, well, things we know, things we keep in our heads. These are the traditional passwords, words. What we have can be material things we own, such as credentials or tags, which are already used to give access to some places. What we are is our body, our own characteristics such as eyes or fingerprints. These last ones are the best, because you cannot lose yourself, but are more expensive.

We are also introduced to NTFS (new technology file system), a new form of saving, browsing and securing files. This new system has a nice ability to secure data, since permissions and privileges can be granted. Individual permissions include full control, change, read and execute and list folder, among others. Also, we have the ability to create an active directory. A directory allows information to be stored, classified and retrieved. An active directory is a directory for objects, essentially a database that resembles the form of a pyramid. A nice thing about this is that it implements authentication and trust relationships (when servers are added), and groups similar entities together in its structure.

Right to this point, some basic data for OS security has been covered,

The principles of web security

--Originally published at Security blog

This theme brings us a lot of useful information for the security course. At this point, we now know that security is a state away from harm, but that, as we have seen, also includes non-physical things, and things related to systems. Two basic things are needed for making an appropriate security state: awareness (to know the dangers and wait for them) and protection (to use actual security services in an intelligent way). Web security matters because a web service can be very complex, and it is attractive for hackers to look for complex ones, often built by beginners, to try and steal information. We don’t want to lose control of our projects, do we?

Hackers are defined as “someone who tinkers with computers and come up with innovative ideas”. The term has been misused through time; now a hacker is someone who can gain control of a platform and steal things. Several kinds of hackers exist, but it is sad to see that most of them don’t exist for positive purposes. Some people would think that hackers will not attack them, but the truth is that bad people are roaming around all the time, and so awareness comes in.

The principles for web design are: least privilege, simplicity, never trust users, expect the unexpected, defense in depth, security through obscurity, blacklisting and whitelisting and map exposure points. We will talk briefly about these principles, since they form the basic web security theory. The least privilege principle refers to giving the minimum sufficient privilege to a user so that they can work in their own field and nothing else. Simplicity means to make the programs simpler, because the fewer things we have, the easier they are to protect. To never trust users is just to be careful with the users, because most

Cryptography

--Originally published at Security blog

The art of cryptography. It is not just making secret messages, mainly because they are not secret. Anyone can read an encrypted message, or well, try to read it, because what they are about to read is just a senseless disaster. But it is a planned disaster; a key is needed to read an encrypted message, so that makes this a man-made art. This is certainly an old issue, since encrypted messages have old origins (recall the Enigma code!).

Today encryption is the safest way to keep information, and to assure the safe transfer of data. At the same time, we have that every server has to have five basic services to guarantee security: confidentiality (protecting data), integrity (unchanged data), accountability (protection in communication), authentication (confirm identity) and availability (services accessible). These things are implemented through security services, and encryption has to do with confidentiality.

Basic concepts of cryptography include trusted third parties, public key infrastructure and the story of Bob and Alice. A trusted third party helps us to trust connections between other Internet environments, and things like that. Keys can be divided into symmetric and asymmetric. Symmetric uses a single key and asymmetric uses a pair of keys. Bob and Alice have to do with certificates. Bob and Alice can trust each other because they use a trusted third party to authenticate through certificates. Cryptography is a widely used option for protecting data, and also an almost hardly secure option for transferring data.

 


Security architecture

--Originally published at Security blog

When substantial software for a certain service is to be built, a security architecture is also to be considered. What does this mean? Basically, a platform where everything is in its place, easy to maintain and to recover (in certain cases). Sometimes people need to keep software stable on its own (or mostly on its own) but now, let’s say, the ‘places’ of the components matter. Security must get inside, must be included within the architecture of the system.

The system itself can be constructed in many different ways, and also many things can affect how well the system is built. For example, a lot of pressure, letting inexperienced programmers make big changes or letting time pass without changing things. In the end, the system will not be able to be tested and will become fragile. The good thing is that we can reengineer everything.

Understanding the technology is an essential part of this, and if you don’t understand it completely, take some time to investigate or to ask someone else. Security is never, never a waste of time or money. I could say that a team of people (senior security people, to be more precise) can check these things. What this is all about is to consider a good architecture for the security to run nicely; if this is not done like that, further security applications will be hard to implement.

References

Boura, Andy [Andy Boura on Information Security, Technology, and Business]. (2014, July 28). Effective Security Architecture as a Foundation for Risk Reduction. Retrieved from https://www.youtube.com/watch?v=2flZGFulSOI&feature=youtu.be

What to do on risks!!

--Originally published at Security blog

Security is not just about implementing things and blocking off just because. We will still talk in further chapters about the awareness of cyber attacks and stuff like that. Well, here we talk about risk management, and the first lesson to battle against risks is, effectively, to know that risks exist. Even if you don’t believe it, or you resist believing it, among the population we have a lot of people who are just trying to leak into your systems, find a mistake to take advantage of or steal everything.

Lucky for us, we have work made for us! A nice framework is to be followed to manage all the risk management. Six steps are available for our knowledge, which are:

1- Categorize

2- Select

3- Implement

4- Assess

5- Authorize

6- Continuous monitoring

Each of these steps has a clear clue of what it should be, but for illustrative purposes we will explain them one by one. Categorize is to, well, categorize dangers. Most dangers are easier to attack if we put them in groups with the same characteristics, so we can take into consideration more and more dangers. Select is to, once again, select which technology or correct measure to have against a certain danger or dangers. The next step will be the implementation of the measures selected.

Assess the decision made is next, we now have to make an evaluation of the thing we will use, and choose between a better one or the current one. To authorize is to accept the solution, and to have it there is to have a clear method of what to do in case of. Continuous monitoring is to look for things constantly. To know where to look for what things, but wishing you will not find anything. Still if you find something,

Some on ethics

--Originally published at Security blog

It is almost inevitable to talk about security without talking about ethics. Most of the time, getting away with something like that on ethics can cause a lot of doubt about the interests of a person: can it be good? Bad? Can he or she be a hacker? Or just a morally correct person who wants to get information for good? I could be exaggerating, but the thing is that most of these themes are a bit (or more than that) delicate.

For all of those information managements it would be convenient to get a framework to work. Not a framework, more like a set of laws and principles about ethics in this thing. Fortunately, we get many organizations that create and promote code of ethics, and are based on laws that talk about these. Actually, we get five organizations that had senior members in the 2009’s RSA conference ethics panel: ISSA (International Systems Security Association), ISC2 (International Information Systems Security Certification Consortium), GIAC (Global Information Assurance Certification), ISACA (Information Systems Audit and Control Association) and ASIS (a security company).

These five companies have a lot to do with web and information security, among other things, and having the chance to put them in an ethics panel can get a lot of positive aspects, calling the Ethics Working Group. The things on what they have been working include AIC things, in fact. The focus is to work with integrity (according to laws and frameworks), objectivity (having a clear objective and messing with nothing else) and confidentiality (respect confidential information at all costs).

There are many things about security and ethics outside, but for me this is a very nice approach, and one that is of interest to us (ISC). As we should care for these things when we are
