Malware

--Originally published at Stories by Juan Andrés Rocha on Medium

Download the pirated movie, they said. The next day, my computer was slow, and my information was stolen. That’s a higher price than a $10 movie, right?

Malware is short for Malicious Software, and it could be anywhere. This malware is created by cyber criminals who want to make money by stealing your information, or even by kidnapping your computer.

According to Norton, malware was first intended as a joke or a prank on colleagues, and it later turned into the “vandalism and destruction” of computers. Most malware is created to generate profit through ads or stolen information.

Malware can be picked up by downloading or opening documents whose origin we don’t know, or simply through flaws in the operating system.

The best way to protect ourselves against it is not to click every link we see unless we trust it, and to always keep our apps and OSs updated.

The Equifax Data Breach of July 2017

*Essay written for the Ethics, Citizenship and Profession class*

Equifax is an American company that acts as a manager and provider of financial information and financial literacy for individuals and businesses around the world, and also provides data analytics tools that support better credit and financial decisions (Equifax, n.d.). The company manages the personal and credit information of more than 820 million people or entities and of more than 91 million businesses worldwide (Equifax, n.d.).

On September 7, 2017, Richard Smith, CEO of Equifax, announced that one of Equifax’s web applications had suffered an attack and had been compromised by cyber criminals between May and July of that year (Gutzmer, 2017). Around 143 million U.S. users, that is, 45% of the population of the United States (Weise, 2017), were affected by this attack, which gave the criminals access to information such as names, dates of birth, Social Security numbers, driver’s licenses and, in 209,000 cases, users’ credit cards (Haselton, 2017).

According to the official statement, the attack was discovered on July 29 and the company “acted immediately to stop the intrusion”, says Gutzmer (2017). Matthew Green, cryptographer and computer security expert, said that 143 million lost records can only mean “a very sophisticated and very patient hacker or a very poor security system” (Timberg, 2017).

The company notified the users whose information had been compromised by the attack by e-mail starting from the announcement (Haselton, 2017), that is, one month and nine days after the attack was discovered.

On October 3, the now former CEO testified at a hearing before the House of Energy and


Crypt0gr4phy


Basically, cryptography is used to protect valuable information, according to Microsoft.

Imagine you want to send a note to your crush in class, and you don’t want anyone else to see it, how do you do it? Do you write “I like you” in plain text? Do you write “ILY”? Cryptography can help you tell your crush you like them without anyone else knowing.

You could encrypt your love message, which here means making your message unintelligible to anyone except you or someone who gets you, send the encrypted message to your crush, and they would be able to decrypt it if, and only if, you gave them the key.

In IT, there are several ways of sharing these keys, and one of the most common is RSA Key Exchange. RSA lets you send your private key to a person, only decryptable by their public key. No one else would be able to use it except them. It would be like leaving a note with the way to decrypt your message in your crush’s backpack before class started.

Everyone would be seeing something like: aW3"·4421.1..1!!!2lk, while your crush would see: “I like you.”
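To make the key-sharing step concrete, here is an added example (not code from the original post) of the direction used in practice: the shared secret is wrapped with the recipient’s public key and can be recovered only with their private key, and the note itself is then encrypted with that shared secret. The primes, the secret value and the SHA-256 keystream are constructed for illustration and are far too small and simple for real use.

```python
# Added example (not from the original post): textbook RSA key wrapping with toy primes.
import hashlib
from math import gcd

def make_keypair(p, q, e=17):
    """Return (public, private) toy RSA keys from two primes (constructed values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)                  # private exponent (needs Python >= 3.8)
    return (n, e), (n, d)

def wrap_secret(secret, public_key):
    """Encrypt the shared secret with the RECIPIENT's public key."""
    n, e = public_key
    assert 0 < secret < n, "secret must be smaller than the modulus"
    return pow(secret, e, n)

def unwrap_secret(wrapped, private_key):
    """Recover the shared secret; only the holder of the private key can."""
    n, d = private_key
    return pow(wrapped, d, n)

def keystream(secret, length):
    """Demo keystream: SHA-256 over the secret and a counter (not a vetted cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_with_secret(data, secret):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(secret, len(data))))

def pass_the_note():
    """Your crush publishes a public key; you wrap a secret for them and send the note."""
    crush_public, crush_private = make_keypair(61, 53)   # n = 3233, toy size
    shared_secret = 2024                                 # constructed value, < n
    wrapped = wrap_secret(shared_secret, crush_public)   # what the class sees
    ciphertext = xor_with_secret(b"I like you", shared_secret)
    recovered = unwrap_secret(wrapped, crush_private)    # only the crush can do this
    plaintext = xor_with_secret(ciphertext, recovered)
    return wrapped, ciphertext, recovered, plaintext

if __name__ == "__main__":
    w, c, r, p = pass_the_note()
    print("wrapped:", w, "ciphertext:", c.hex(), "decrypted:", p.decode())
```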

Managing IT Risks


First of all, what is risk? Risk is a word which here means the possibility of something bad happening, for example, stumbling on a rock and dropping your ice cream.

We could’ve managed that risk by taking the rock out of the way when we went to buy our ice cream in the first place, but we may have thought it wasn’t worth the time or effort. Now that we’re about to lose our ice cream, we regret it.

Imagine this happening not to your ice cream, but to a bunch of other people’s data in your hands. Credit card information, birth certificates, pictures of their dogs.

There are several frameworks that help us prevent or manage these risks, but we’re going to talk about ISO 27005.

The newest version of ISO 27005 was released in 2011, and since every standard is reviewed every 5 years, it is currently under review.

It basically consists of guidelines to identify, analyze and assess risks, divided into stages like:

Context Establishment:

First, you have to establish a context by identifying the essential assets and values to protect. Also, evaluate possible risks and their consequences, and define the scope and boundaries of the risk management.

Risk Assessment:

This phase consists of risk identification, analysis and evaluation.

Risk Treatment:

In risk treatment you decide how to treat the risk: whether you ignore it or do something about it, and how you plan to treat it.

Risk Acceptance:

Here you decide whether you accept the plan or not.

Risk Communication:

This one is pretty obvious.

Risk Monitoring:

Here you monitor the risks, some new risks may appear, as they’re not static.

Here’s a nice report on how to use ISO 27005.

Ethical Hacking


Hacking is a word often perceived as negative and really far from “ethics” and “good things”. But it is not.

Before we judge the so-called hackers, we must get familiar with the hacker culture:

Hacker culture emerged from a fusion of intellectual curiosity, counter-culture and a hate-on for any technology that you couldn’t easily get access to or tamper with. — Forbes

Basically, a hacker is a person who finds creative workarounds to turn their devices or technology pieces into something more useful to them, even if it means breaking, modifying or creating ‘frankensteins’ with them.

Some companies are trying to make hacking of their devices illegal, which I think shouldn’t be, because if you already paid for a device, and it could better fit your needs, and you know how to change it to do so, why wouldn’t you? Why would a company limit what you can do with the devices you already paid for? Voiding the warranty is valid. Making it illegal is not.

A good example of the above is jailbreaking iOS, which might seem harmless if you use it correctly (it also voids your warranty, so be careful), but it can be used for wrong, like pirating apps or downloading illegal content on your phone.

There’s also the issue of ethical hacking. You might be wondering if that’s possible, and it might be, sometimes even necessary. For example: if you’re a network administrator, you should try to hack your network every way possible to find vulnerabilities in your own creation; this will help you prevent malicious people from gaining access to your network in the future.

So, what do you think? Is Ethical Hacking a thing?

How to prove to yourself (and maybe your bosses) that you’re an Expert in Computer Security.


A certification, a word which here means a paper to show off that you know enough about a certain topic, is sometimes required in industry to prove you’re prepared enough in certain fields.

CompTIA is a non-profit, vendor-neutral organization that offers certifications to professionals, students, and other organizations. One of the several certifications CompTIA offers is Security+.

Security+ is focused on validating “foundational, vendor-neutral IT security knowledge and skills”. Among the companies that use this certification are Apple, HP, Dell, The Department of Defense, and others.

Most of the time, certifications consist of an exam that validates your knowledge through a series of questions. Security+ uses 90 questions in 90 minutes. These questions can be multiple choice or performance based, which here means that you have to perform a task in a simulation.

In case you’d like to take this certification, you need $320 USD if you live in the US, or $179 if you live in an emerging market (like México) and it’ll be valid for the next 3 years.

If you want to take the certification, but have never studied security or anything related, there are courses in Udemy that’ll prepare you for the test (but more importantly, for your job).


This is not the CIA you’re looking for.


Remember, this is a blog series about Computer Security, so in this context we’re not talking about the Central Intelligence Agency. We’re talking about the three goals of a Secure Computer System: Confidentiality, Integrity, and Availability.

These are the three maxims we need to accomplish to ensure a system is secure. So if the system you’re creating, or the one you’re paying for does not stick to these three definitions, then why are you even using it?


Confidentiality /känfədenSHēˈalədē/:

Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.
- University of California, Irvine (Department of Research)

Basically, keeping confidentiality is just letting the users know what will happen to their information and, if they agree, sticking to the rules and making sure all of this information is kept safe and private by all means.

Integrity /inˈteɡrədē/:

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
- TechTarget

And, the last, but not least goal:

Availability /əˌvāləˈbilədē/:

It is important to ensure that the information concerned is readily accessible to the authorised viewer at all times. Some types of security attack attempt to deny access to the appropriate user, either for the sake of inconveniencing them, or because there is some secondary effect.
- Suprema Project

Imagine a bank app or website that wouldn’t let you check your balance whenever you wanted to, would you still use it? Why? You really don’t


All the Wrong Questions: When did you Change your Wi-Fi Password last?



A random person shows up at your place: a mailman, a milkman, an insurance salesman, a friend, a friend’s friend or a family member. You talk to them for a little while and then they ask if they can come into your home, and you show them every corner of it, including where you keep your family pictures, your IDs and where you keep the money. Do you? No, because that would compromise your security, wouldn't it? No? You really don’t care?

Well, maybe we don’t do that (very often), but we share our home network every time a guest shows up. But what does that have to do with compromising security, you may ask? Well, that’s another wrong question.

Most of the time, our gadgets share private information over the network, because every device connected to your home network is trustworthy, isn’t it? Look, I’m not saying you shouldn’t trust your family or friends, what I’m saying is: if you want to keep it tight, you should definitely look “Computer Security” up. A term which here means the protection of data, networks and computing power (Davis, 2015).

Sometimes we’re just too confident about how we handle our sensitive information and home networks, and that’s why we should study Computer Security. Some ways to stay safe are to create a guest network and to change our Wi-Fi passwords regularly, to prevent others from breaking into or infiltrating our networks and getting access to our files.

Also, if you’d like to know who’s connected to your Wi-Fi network, you can use this really helpful app called Fing.


Fing is a network scanner to detect intruders, and solve network issues easily. You can download it for Android and for iOS.

This is the first post of a series on Computer and Information
