--Originally published at How to HACK or not

I will now begin with a series of three last posts. Each one will have as a topic one of the topics of the course we haven seen, but with a different approach. I will talk about the topic but tried to be applied in our project, and by which means could be.

Starting with cryptography. We will need to use cryptography in our project, and I talked about it in that post, because we are managing many important information. Usernames and passwords are going to be stored in the database, as well as the results that will get from using the game. All these things are better not be seen from the outside, so they must be difficult to read and impossible to understand.

One of the alternatives we thought at the beginning was to use the methods that the tool we used could have. When we started using php (thing we don’t do now) we were planning to implement one of the functions that could make a big hash of the text that we were planning to store. It could work because it used md5 algorithm, but one of the problems we could have was that the key to decrypt the text had to be saved in the php script, which could make it vulnerable at the end.

We’ve also seen that the MySQL system we are using also implements some methods in the insert commands. MySQL has some interesting methods that work with AES scheme (Advanced Encryption Standard). This can also sound good, but still we have the same key problem. That’s why we thought of getting doing a cutomized key for each user. Constructing a key using some characters from its name and last name resulted in a different key for each person, thus making it Continue reading "Cryptography pt. 2: STATS" →

--Originally published at How to HACK

During this course we have learned a lot about security, our task during this semester is to create a solution to help children in elementary school to learn mathematics, and of course we have to take care of its own security.

There’s a lot of rules that can help us in order to secure a system. I found one, that made me laugh a lot, this post says that the three golden rules for not having security issues were: do not own a computer, do not turn it on and do not use it. Of course that’s not useful for us.

So, we need to set other rules, and these are the ones I found:

1. Review repeated times the code and test the security often. This means prioritizing and knowing the strengths and weaknesses.
2. Continuous development. World changes everyday and security must, as well.
3. Managers must take responsibilities. I think security is a task that developers and managers should be responsible of, but yeah, all the responsibility will lie in the manager, so, the manager should be more worried about it.

Security measures should be taken for our project, because it will work with people’s information. The rules listed above must be applied on it. Testing it many times, to assure that the methods are correctly implemented, offering maintenance services for sure and assuming the responsibility as long as it is used correctly.

--Originally published at How to HACK

Operating systems have security as well. An operating system serves to set security, since it is a platforms that interacts with a lot of users and information. This is how easily you can implement security to your Operating System.

First, passwords. For passwords we can use three things to create them: what we know, what we have and what we are.

• What we know are things or words that we keep in our heads.
• What we have could be material things we own, some examples are credentials or tags, which we have already used to have access to some places.
• What we are are our own characteristics, eyes or fingerprints. These passwords are the best, because you cannot be copied or cloned, but of course, are more expensive.

NTFS (New Technology File System) is a new form of saving, browsing and securing files. This systems allow that premissions and privileges can be granted. Individual persmissions include full control, change, read and execute and list folder, among others.

Also, you can create an active directory to store, classify and retrieve information. It is a directory for objects,  essentially a database that resembles the form of a pyramid. It also, implements athentication, trust relationships (when servers are added), and groups similar entities together in its structure.

My advice is to look further in the web how to provide security to your operating system,  this post is just a little example of what you can do. As always, prevent and be prepared for the danger you could face, operating systems are not the exception.

--Originally published at How to HACK

Security is way to prevent harm and includes systems and non-physical factors. To develop a good security environment, you have to consider to basic things:

• Awareness: Identify dangers and set your mind to wait for them to happen.
• Protection: Using the existing security services in an intelligent way.

Web services can be complex, so web security matters. Why? Because is common that hackers look for complexity and try to steal information.

Hackers can be defined as “someone who tinkers with computers and come up with innovative ideas”. Unfortunately, the term has been mislead because of our context; nowadays, a hacker is known as someone who can find vulnerable point in a platform, gain control and steal information. There’s several kinds of hackers, sadly, most of them don’t use their knowledge for positive causes.

Web design principles:

• Least privilege is about giving the user just the minimum privilege over the web service, so they can stick to their field and nothing else.
• Simplicity means to simplify the programs, the less things we have, the easier to protect it.
• Never trust users is just a recommendation about being careful with the users, most of them don’t know anything about the dangers, and can cause to the system by accident.
• Expect the unexpected is assuming that things will happen, even it sounds impossible, is better to be prepared than have no clue at all.
• Defense in depth refers to have various layers of defense, in order to reduce the strength of the attack if it happens.
• Security through obscurity is leasing the amount of information you share about your web, because the less it is known, the less chances to be attacked.
• Blacklisting and whitelisting are opposite concepts. A blacklist is a list of banned things and a whitelist is a list of
  
  
  Continue reading "Web Security" →

--Originally published at How to HACK

Cryptography is not just secret messages, mainly because those messages are not secret. An encrypted message can be read for anyone, or at least try, because its just a senseless disaster. And that’s not bad, it is planned to be a disaster. To read an encrypted message you need a key, making it a man-made art. The origins of an encrypted messages are really old (recall the Enigma code!).

Encryption is the safest way to keep information and assure a safe data transfer. Servers have five basic services to guarantee security (listed below), these are implemented through security services, so encryption is a matter of confidentiality.

• Confidentiality (protecting data)
• Integrity (unchanged data)
• Accountability (protection in communication)
• Authentication (confirm identity)
• Availability (services accessible).

Trusted third parties, public key infrastructure and the story of Bob and Alice are basic concepts of cryptography:

• A trusted third party helps to trust connections between Internet environments.
• Keys:
  • Symmetric, that uses a single key
  • Asymmetric, that uses a pair of keys.
• Bob and Alice deals with certificates. Bob and Alice can trust each other because of the trusted third party which authenticates through the certificates.

Cryptography is a wise option to protect data and avoid data transfer.

--Originally published at How to HACK

If you’re developing a software to provide a service, you must consider a security architecture. Which is a platform where every single thing is where it has to be, easy to maintain and recover. Security must be included within the architecture of the system.

The construction of a system can be in different ways, and there’s a lot of factors that affect the how well the system is built. For example, a big amount of preassure, allowing inexperienced programmers to do changes or wait just for the time to pass without changing anything. At last, you will not be able to test the system, making it fragile. Fortunately, we can reengineer everything.

You need to understand the technology for this. But don’t worry, if you don’t, you just need to take some time to do research or go out and ask someone that knows about it. No matter how long it takes to you to understand it, security is always a way to save time and money. Considering a good security architecture ensures to run nice, and that further security applications will be easy to implement.

--Originally published at How to HACK

Information security is more complex that it appears, it deals with conventions further than just the implementation or blocked stuff.

Risk management, is like being alcoholic. The first step to get over it and tackle it is to accept that risks exists and are closer than what you believe. Even though you might think that you’re not the billionaire that hackers are looking for, outside there’s lot of people looking for vulnerable points in your systems to steal your information.

A good way to prevent it is the risk management. These are the six steps:

1. Categorize. You need to categorize dangers. If we group dangers according to its characteristics, we can attack more dangers in an easier way.

2. Select. You have to select the technology or correct measure that you will applied to each danger.

3. Implement. This step is easy, you need to implement the measures you selected previously.

4. Assess. You need to evaluate the things you are going to use, and decide if it’s better to use a better one or keep using the currently. 

5. Authorize. This works by accepting the solution, and have a clear method of what to do in case it is needed.

6. Continuous monitoring. Keep looking for anomalies, you need to know what are you looking for and where. So, if you find something already know what to do, because you have followed the framework and have a plan to solve it.

Following the steps, we can prevent that a risk will not affect as hard as it can. Honestly, most of the risks, will hit in a relatively hard way, but not as much as if there’s no defense set.