Classic Security Architecture Models

--Originally published at Computer and Information Security

Howdy once again reader! Today’s topic is some basic architecture models for providing security in a system.

Security models of control are used to determine how security will be implemented, what subjects can access the system, and what objects they will have access to. Simply stated, they are a way to formalize security policy. Security models of control are typically implemented by enforcing integrity, confidentiality, or other controls. Keep in mind that each of these models lays out broad guidelines and is not specific in nature. It is up to the developer to decide how these models will be used and integrated into specific designs.

The most frequently used are:

Lattice

A lattice is a mathematical construction with:

  • a set of elements
  • a partial ordering relation
  • the property that any two elements have a unique least upper bound and a unique greatest lower bound

A security lattice model combines multilevel and multilateral security.

Lattice elements are security labels that consist of a security level and a set of categories.
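The following is an added example, not code from the original post, showing what those three ingredients look like when the elements are security labels: a label is (level, categories), the partial order is "higher-or-equal level and a superset of categories", and join/meet give the unique least upper bound and greatest lower bound. The level names, the category names, and the read/write rules layered on top (the multilevel "no read up" and "no write down" checks) are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed, totally ordered clearance levels, lowest first.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """A lattice element: a security level plus a set of categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """The partial order: self >= other when its level is at least as
        high AND its category set contains all of other's categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label that dominates both."""
        return Label(max(self.level, other.level, key=LEVELS.index),
                     self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: the highest label dominated by both."""
        return Label(min(self.level, other.level, key=LEVELS.index),
                     self.categories & other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Multilevel 'no read up' rule: the subject's label must dominate the object's."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """'No write down' rule: the object's label must dominate the subject's,
    so information cannot flow to a lower or differently compartmented label."""
    return obj.dominates(subject)


def lattice_laws_hold(a: Label, b: Label) -> bool:
    """Sanity check of the lattice property for a pair of labels: the join
    dominates both inputs and the meet is dominated by both."""
    j, m = a.join(b), a.meet(b)
    return j.dominates(a) and j.dominates(b) and a.dominates(m) and b.dominates(m)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    report = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print(analyst.join(report), analyst.meet(report))
    print(can_read(analyst, report))   # False: the labels are incomparable (CRYPTO not held)
```

Note that two labels can be incomparable (neither dominates the other), which is exactly what the multilateral, category part of the label buys you: a SECRET analyst without the CRYPTO category cannot read a CONFIDENTIAL/CRYPTO report even though the level is higher.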

State Machine

In the state machine model, the state of a machine is captured in order to verify the security of a system.

The model is used to describe the behavior of a system under different inputs. It provides mathematical constructs that represent sets (subjects, objects) and sequences. When an object accepts an input, this modifies a state variable, thus transitioning to a different state.

Implementation tips:

  • The developer must define what and where the state variables are.
  • The developer must define a secure state for each state variable.
  • Define and identify the allowable state transition functions.
  • The state transition functions should be tested to verify that the overall machine state cannot be compromised and the integrity of the system is maintained.
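As an added example (not code from the original post), here are the four implementation tips carried out on a small constructed system: the state variables are declared, a secure state is defined as a predicate, the allowable transition functions are listed, and `verify` tests them by exploring every reachable state and reporting the first insecure one. The document/clearance scenario and all names are assumptions for the illustration; a deliberately flawed transition is included to show what the test catches.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class State:
    """The state variables the developer chose to track (constructed example)."""
    authenticated: bool
    clearance: int     # 0 = none, 1 = low, 2 = high
    doc_open: bool
    doc_level: int     # classification of the currently open document, 0 if none


def is_secure(s: State) -> bool:
    """Secure-state definition: a document may only be open for an
    authenticated user whose clearance covers its classification."""
    return (not s.doc_open) or (s.authenticated and s.clearance >= s.doc_level)


# Allowed transition functions. Each returns the next State, or None when
# the input is rejected in the current state.
def login_as(clearance: int) -> Callable[[State], Optional[State]]:
    def t(s: State) -> Optional[State]:
        return None if s.authenticated else replace(s, authenticated=True, clearance=clearance)
    return t


def logout(s: State) -> Optional[State]:
    # Logging out also closes whatever was open.
    return None if not s.authenticated else State(False, 0, False, 0)


def open_doc(level: int) -> Callable[[State], Optional[State]]:
    def t(s: State) -> Optional[State]:
        if not s.authenticated or s.clearance < level or s.doc_open:
            return None
        return replace(s, doc_open=True, doc_level=level)
    return t


def open_doc_unchecked(level: int) -> Callable[[State], Optional[State]]:
    """A deliberately flawed transition that forgets the authorization guard."""
    def t(s: State) -> Optional[State]:
        return None if s.doc_open else replace(s, doc_open=True, doc_level=level)
    return t


def close_doc(s: State) -> Optional[State]:
    return None if not s.doc_open else replace(s, doc_open=False, doc_level=0)


Transition = Tuple[str, Callable[[State], Optional[State]]]

INITIAL = State(authenticated=False, clearance=0, doc_open=False, doc_level=0)

SAFE_TRANSITIONS: List[Transition] = [
    ("login_low", login_as(1)), ("login_high", login_as(2)), ("logout", logout),
    ("open_low", open_doc(1)), ("open_high", open_doc(2)), ("close", close_doc),
]
FLAWED_TRANSITIONS: List[Transition] = [
    (name, open_doc_unchecked(2) if name == "open_high" else fn)
    for name, fn in SAFE_TRANSITIONS
]


def verify(transitions: List[Transition], initial: State) -> Tuple[bool, Optional[str], Optional[State]]:
    """Explore every reachable state (breadth-first) and check that each one
    is secure. Returns (ok, offending transition name, offending state)."""
    if not is_secure(initial):
        return False, None, initial
    seen, queue = {initial}, deque([initial])
    while queue:
        s = queue.popleft()
        for name, fn in transitions:
            nxt = fn(s)
            if nxt is None or nxt in seen:
                continue
            if not is_secure(nxt):
                return False, name, nxt
            seen.add(nxt)
            queue.append(nxt)
    return True, None, None


if __name__ == "__main__":
    print(verify(SAFE_TRANSITIONS, INITIAL))    # (True, None, None)
    print(verify(FLAWED_TRANSITIONS, INITIAL))  # (False, 'open_high', State(...))
```

Exhaustive exploration works here because the state space is tiny; for a real system the same idea is applied with a model checker, but the shape of the argument is identical: start secure, and show every allowed transition preserves the secure-state predicate.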

Noninterference

The model ensures that any actions that take place

Continue reading "Classic Security Architecture Models"

Security on the Web (User Perspective)

--Originally published at Computer and Information Security

OMG! Reader, you keep looking at my posts, I’m so flattered. This time I will talk about how you can avoid ending up on the wrong website.

The first thing you should check when you visit a website, no matter what type of website, and especially if you need to visit a payment website, is its SSL certificate. I think nowadays Chrome tells you when a website is not secure. So, once the browser tells you that the site is not secure, leave it immediately and don’t type or click on anything; you don’t know what scripts or dirty code live there.


Another way to avoid this is by visiting official pages: if you want to buy tickets for a concert and you know that a certain retailer has a valid webpage to buy them, then buy them there. Don’t trust those websites that post something cheaper; just because it is on their website doesn’t guarantee it is true.

This is not a sponsored post, just an example of an official retailer.

One more piece of advice I can give you is to never click those nonstop ads on any webpage; you could land on a website that infects your computer with downloaded stuff. With a simple click, your computer could be finished.


That’s it folks, see you in the next post!



So you want to know about Bitcoin…

--Originally published at Computer and Information Security

Hey reader! I’m glad you keep digging at my posts, that’s nice of you. This time I will talk about Bitcoin.

From the official page of Bitcoin we can find that this type of coin is:

Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system.

As you can see, the P2P technology they talk about is something called blockchain, which you can read about in my previous post. In the big picture, Bitcoin is nothing more than a program that uses hash tables and is about transactions made on the web over a certain period of time, and whoever solves the math problem first is the one who gets to charge a small amount of the bitcoin value.
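The "math problem" mentioned above is proof of work: a miner keeps changing a nonce in the block header until the header's SHA-256 hash falls below a target, and each block also carries the hash of the previous one. The following is an added example in Python, not code from the post or from the videos it links, with a constructed difficulty and constructed transactions; it shows why editing an old transaction is detectable by anyone holding a copy of the chain.

```python
import copy
import hashlib
import json
from typing import Dict, List

# Leading zero bits a valid block hash must have (kept small so the demo mines in milliseconds).
DIFFICULTY_BITS = 12

Block = Dict[str, object]


def block_hash(header: Block) -> str:
    """SHA-256 of the canonical JSON form of the block header."""
    canonical = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def meets_target(hex_hash: str, bits: int = DIFFICULTY_BITS) -> bool:
    """The 'math problem': the hash, read as a number, must be below 2**(256 - bits)."""
    return int(hex_hash, 16) >> (256 - bits) == 0


def mine(index: int, prev_hash: str, transactions: List[str], bits: int = DIFFICULTY_BITS) -> Block:
    """Try nonces in order until the header hash satisfies the target."""
    nonce = 0
    while True:
        header = {"index": index, "prev": prev_hash, "tx": transactions, "nonce": nonce}
        h = block_hash(header)
        if meets_target(h, bits):
            return {**header, "hash": h}
        nonce += 1


def valid_chain(chain: List[Block], bits: int = DIFFICULTY_BITS) -> bool:
    """Recompute every hash and check both the proof of work and the back-links."""
    for i, block in enumerate(chain):
        header = {k: block[k] for k in ("index", "prev", "tx", "nonce")}
        if block_hash(header) != block["hash"] or not meets_target(block["hash"], bits):
            return False
        expected_prev = "0" * 64 if i == 0 else chain[i - 1]["hash"]
        if block["prev"] != expected_prev:
            return False
    return True


def build_demo_chain(bits: int = DIFFICULTY_BITS) -> List[Block]:
    """Three blocks over constructed transactions."""
    genesis = mine(0, "0" * 64, ["genesis"], bits)
    b1 = mine(1, genesis["hash"], ["alice->bob:5"], bits)
    b2 = mine(2, b1["hash"], ["bob->carol:2", "alice->carol:1"], bits)
    return [genesis, b1, b2]


def tamper(chain: List[Block], index: int, new_tx: List[str]) -> List[Block]:
    """Return a copy of the chain with one block's transactions rewritten."""
    forged = copy.deepcopy(chain)
    forged[index]["tx"] = new_tx
    return forged


if __name__ == "__main__":
    chain = build_demo_chain()
    print([b["nonce"] for b in chain], valid_chain(chain))
    print(valid_chain(tamper(chain, 1, ["alice->bob:500"])))   # False
```

Re-mining the forged block would repair its own hash, but then block 2's `prev` no longer matches, so the forger has to redo the work for every later block as well; that cost, multiplied across the whole network, is what makes history hard to rewrite.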

That’s it, I tried to explain to you in simple words what this is, but as I know that you are more graphical than just words, I will leave a video of how to create your own cryptocurrency in JavaScript:

Part 1

Part 2

References:

https://youtu.be/zVqczFZr124

https://youtu.be/HneatE69814


Blockchain – As you saw it on TV! Actually in the web with Bitcoin

--Originally published at Computer and Information Security

Sup, reader! I feel like a little rusty talking to you since I haven’t uploaded in a while and that’s something I want to change today.

Today’s topic is blockchain. You will be asking yourself, wt… is blockchain? Well, this is nothing other than how Bitcoin works. I mean, this is not a post about Bitcoins, if that’s what you think you will learn here; for that I recommend you look it up in my later blog post, where I talk about some cryptocurrency. But for now I will explain it as I understood it from a video that a person made online. I will tell you how I interpret it, but of course I will leave the video down somewhere here, for you to understand the basic concepts about how something like Bitcoin works.

First we have an ecosystem of computers connected all over the world through the internet; imagine a bunch of computers connected over a LAN, something like a mesh. For example this image:


Here you can see a lot of devices connected; this is known as decentralized and distributed. Distributed because each computer or device has a copy of each transaction and doesn’t depend on a third party, unlike how banks work, where you need a bank account which is managed by a banker, and in order for a transaction you make to be reflected, it needs to be approved by this banker. So, what blockchain is trying to do is remove those third-party entities, so that each one of us can have a very transparent, corruption-free system. And decentralized because the transactions are reflected in each device connected to this system.

The basic component of the blockchain is  a layer, which is something like you see in the

Continue reading "Blockchain – As you saw it on TV! Actually in the web with Bitcoin"

Keeping a Secret, that is, Data Confidentiality

--Originally published at Bytes of Mind

This time, we are going to be talking about data confidentiality and how it was handled in my STATS project. To give a little recap, there is more to confidentiality than just making data private; rather, it’s about keeping the needed information private, and letting the user know what it needs to know.

On our project we were handling four different types of users: students, teachers, principal and admin, and each had a different level of access to information. First we have the students, who are able to see their average scores based on how they perform on the game Mateoro. Then we have teachers, who can see the average score for each student in their class, an average of the whole group and a comparison between students. After that we have the principal, who can see the same information as a teacher but for every group in the school. And finally we have the admin, who can’t see test results, but is able to add new users (with the exception of a principal) to the platform or edit some of their information (such as name, date of birth, class, etc.). This is deliberately handled such that students can’t compare their scores through our platform, or that teachers can’t measure the progress of classes not related to them.
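The four-role policy described above, written out as an added example (this is not the project's own code): every query is filtered server-side by a scope derived from the requester's role, school and class, and anything not explicitly granted is denied. The user fields, the sample users and the scores are constructed for the illustration; the project's real data model is not on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class User:
    id: str
    role: str                       # "student", "teacher", "principal" or "admin"
    school: str
    class_id: Optional[str] = None  # class a student belongs to / a teacher teaches


def score_scope(requester: User, users: List[User]) -> Set[str]:
    """Which students' results the requester may see. The admin and any
    unknown role get an empty scope: deny by default."""
    students = [u for u in users if u.role == "student"]
    if requester.role == "student":
        return {requester.id}                     # own results only, so no comparing
    if requester.role == "teacher":
        return {u.id for u in students
                if u.school == requester.school and u.class_id == requester.class_id}
    if requester.role == "principal":
        return {u.id for u in students if u.school == requester.school}
    return set()


def visible_scores(requester: User, users: List[User],
                   scores: Dict[str, List[int]]) -> Dict[str, float]:
    """Average score per student, filtered to the requester's scope. The filter
    runs on the server, so a client cannot widen its own view."""
    allowed = score_scope(requester, users)
    return {sid: sum(v) / len(v) for sid, v in scores.items() if sid in allowed and v}


def class_average(requester: User, users: List[User],
                  scores: Dict[str, List[int]]) -> Optional[float]:
    """Group average; only teachers and principals are entitled to it."""
    if requester.role not in ("teacher", "principal"):
        return None
    per_student = visible_scores(requester, users, scores)
    return sum(per_student.values()) / len(per_student) if per_student else None


def can_create_user(requester: User, new_role: str) -> bool:
    """Only the admin creates users, and never a principal."""
    return requester.role == "admin" and new_role in ("student", "teacher")


def can_edit_profile(requester: User, target: User) -> bool:
    """Profile fields (name, date of birth, class) are editable by the admin only."""
    return requester.role == "admin"


# Constructed sample data.
USERS = [
    User("s1", "student", "north", "5A"), User("s2", "student", "north", "5A"),
    User("s3", "student", "north", "5B"), User("s4", "student", "south", "5A"),
    User("t1", "teacher", "north", "5A"), User("p1", "principal", "north"),
    User("a1", "admin", "north"),
]
SCORES = {"s1": [80, 90], "s2": [60, 70], "s3": [100], "s4": [50, 50]}

if __name__ == "__main__":
    for u in USERS:
        print(u.id, visible_scores(u, USERS, SCORES), class_average(u, USERS, SCORES))
```

The teacher in class 5A at "north" sees s1 and s2 but not s3 (another class) or s4 (another school), the principal sees all three "north" students, and the admin sees nothing, which matches the four levels of access described in the post.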

This ensures that data is confidential between users, but what about the database? Well, once again, this is where the power of encryption comes in. By running our data through an encryption algorithm we can ensure that data can’t be interpreted even if someone can get their hands on it. Thus, we can ensure that the data can reach their respective users while keeping it safe from people looking from the outside or even from the inside, since the data is basically useless without

Continue reading "Keeping a Secret, that is, Data Confidentiality"

TC2027 Security Class Review

--Originally published at Eric tries to write down cool things

What did I learn through the semester? If so, did I learn anything relevant? Was this semester any different from my past ones?

If any of what I wrote doesn’t catch your attention, then a short conversational video might:

I can honestly say that from the security class I did not learn as much as I wanted (I did want to, but my sloppy behaviors didn’t help), but I sure did learn about Ken’s way of seeing the world or the understanding of ethics in our modern society. I can guarantee that Ken Bauer is a good teacher, he has a lot of knowledge about a bunch of programming subjects and he is always willing to give you some advice on any subject you need. He is always up for a chat and whenever he is not available, he is easy to book and find.

With Ken, we reviewed a movie called “The Internet’s Own Boy” and that for sure changed a lot of my mindset. The movie described a bunch of events that are repeating in today’s news. For sure it gives us something to keep in mind. (HOW THE H ARE THESE GUYS MAKING THE SAME MISTAKES AGAIN?). It was amazing for me to realize how much impact this event with Aaron Swartz had; it made me think of how sensitive our information is and how much value we should give to it.

I sure did learn something from this class, but what I appreciate the most is having a better mindset about what I want to do in the future, because now I’ve got more ethical thinking from a programmer’s perspective, not just a dumb engineer enclosed in his computer.

The class was not perfect though, I think that because of our student nature, we have

Continue reading "TC2027 Security Class Review"

Crypt0gr4phy

--Originally published at Stories by Juan Andrés Rocha on Medium

Basically, cryptography is used to protect valuable information, according to Microsoft.

Imagine you want to send a note to your crush in class, and you don’t want anyone else to see it, how do you do it? Do you write “I like you” in plain text? Do you write “ILY”? Cryptography can help you tell your crush you like them without anyone else knowing.

You could encrypt your love message, which here means making your message unintelligible to anyone except you or someone who gets you, send the encrypted message to your crush, and they would be able to decrypt it if and only if you gave them the key.

In IT, there are several ways of sharing these keys, and one of the most common is RSA Key Exchange. RSA lets you send your private key to a person, only decryptable by their public key. No one else would be able to use it except them. It would be like leaving a note with the way to decrypt your message in your crush’s backpack before class started.

Everyone would be seeing something like: aW3"·4421.1..1!!!2lk, while your crush would see: “I like you.”
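The note-in-the-backpack idea, as an added example in Python (not code from the post): the sender picks a fresh session key for the message, wraps that key with the recipient's public key, and the recipient unwraps it with their private key, which is the direction RSA works in, since only the private-key holder can undo an operation done with the matching public key. The primes, the toy stream cipher and all function names are assumptions for the illustration; textbook RSA with 61-bit and 31-bit primes and no padding is for demonstration only, and a real deployment uses large random primes, RSA-OAEP and an authenticated cipher from a vetted library.

```python
import hashlib
import secrets
from math import gcd
from typing import Tuple

# Constructed toy parameters: two known primes (2**61 - 1 and 2**31 - 1).
# Real RSA uses randomly generated primes of 1024+ bits each.
P, Q = 2**61 - 1, 2**31 - 1


def toy_rsa_keypair(p: int = P, q: int = Q, e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt_int(m: int, public_key: Tuple[int, int]) -> int:
    """Textbook RSA (no padding): anyone with the public key can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer out of range")
    return pow(m, e, n)


def rsa_decrypt_int(c: int, private_key: Tuple[int, int]) -> int:
    """Only the holder of d can invert the encryption."""
    n, d = private_key
    return pow(c, d, n)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256 in counter mode over the session key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_xor(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def send_note(message: bytes, recipient_public_key: Tuple[int, int]) -> Tuple[int, bytes]:
    """Sender side: fresh session key, wrapped with the RECIPIENT'S public key."""
    session_key = secrets.token_bytes(8)    # 64 bits, always below the toy modulus
    wrapped_key = rsa_encrypt_int(int.from_bytes(session_key, "big"), recipient_public_key)
    return wrapped_key, sym_xor(session_key, message)


def read_note(wrapped_key: int, ciphertext: bytes, recipient_private_key: Tuple[int, int]) -> bytes:
    """Recipient side: unwrap the session key with the private key, then decrypt."""
    session_key = rsa_decrypt_int(wrapped_key, recipient_private_key).to_bytes(8, "big")
    return sym_xor(session_key, ciphertext)


if __name__ == "__main__":
    crush_public, crush_private = toy_rsa_keypair()
    wrapped, secret = send_note(b"I like you", crush_public)
    print(secret.hex())                            # what everyone else sees
    print(read_note(wrapped, secret, crush_private))   # b'I like you'
```

Everyone in class sees the wrapped key and the ciphertext bytes; without the private key the session key cannot be recovered, so the message stays unreadable. Note the absence of any integrity check: this toy scheme lets a third party flip bits in the ciphertext undetected, which is one reason real protocols pair the cipher with an authentication tag.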

Planning ahead, that is, Data Integrity

--Originally published at Bytes of Mind

In my last post I talked a bit about the project I’m working on right now, and a lot of the things I mentioned had to do with data and the way we managed it. I will use this post to continue talking about data, more specifically, keeping its integrity.

Let me start by saying that the first thing we did to ensure that our data was complete was to define how the information was going to be stored. We decided on using a non-relational database, MongoDB, to be able to link and handle our data more freely, but it’s not a silver bullet. Since we are not using SQL, there isn’t really a danger of some data schemas making no sense, but that’s why we had to be careful and make sure every single little piece of data we needed was accounted for in the way it was intended. Even though we didn’t use relational schemas we still had to create our own pseudo-schemas.

But there is more to integrity than defining the way data is going to be handled. The principle of integrity basically states that information only has value if it is correct, in other words, that it hasn’t been tampered with. So what we decided to do about this was to encrypt the data, and for things such as the login, the encrypted data sent had to be checked against the encrypted data stored to see if it was correct. Other things such as the results of the game were a bit trickier, since being dynamic data there isn’t anything to compare them to, so their integrity was kept in line more by the sheer amount of information being generated by the game time and time again, and then running the data through

Continue reading "Planning ahead, that is, Data Integrity"
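As an added example (not the project's code), the three integrity mechanisms the post describes in Python: a pseudo-schema check so every game-result document has exactly the fields and types intended, an HMAC tag over each stored result so later modification of any field is detectable, and a login check that compares a salted hash of the submitted password with the stored one in constant time (hashing, rather than reversible encryption, is the standard way to store a credential you only ever need to compare). The field names, sample documents and key are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, List, Optional

# Pseudo-schema for a game-result document: field -> allowed Python types.
RESULT_SCHEMA = {
    "student_id": (str,),
    "level": (int,),
    "correct": (int,),
    "attempted": (int,),
    "duration_s": (int, float),
}


def validate_result(doc: Dict[str, Any]) -> List[str]:
    """Check completeness and types against the pseudo-schema, plus the
    cross-field rule correct <= attempted. Returns a list of problems (empty = valid)."""
    problems = []
    for field, types in RESULT_SCHEMA.items():
        if field not in doc:
            problems.append(f"missing {field}")
        elif type(doc[field]) not in types:   # type(), not isinstance(): rejects bool for int
            problems.append(f"{field} has type {type(doc[field]).__name__}")
    for field in doc:
        if field not in RESULT_SCHEMA:
            problems.append(f"unexpected field {field}")
    if not problems and doc["correct"] > doc["attempted"]:
        problems.append("correct exceeds attempted")
    return problems


def _canonical(doc: Dict[str, Any]) -> bytes:
    """Stable byte form so the same document always produces the same tag."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def seal(doc: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Attach an HMAC-SHA256 tag computed over every field of the document."""
    tag = hmac.new(key, _canonical(doc), hashlib.sha256).hexdigest()
    return {**doc, "_tag": tag}


def verify_seal(sealed: Dict[str, Any], key: bytes) -> bool:
    """Recompute the tag over the body and compare in constant time."""
    body = {k: v for k, v in sealed.items() if k != "_tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sealed.get("_tag", "")))


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || hash."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password: str, stored: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice: a secret loaded from configuration
    result = {"student_id": "s1", "level": 3, "correct": 8, "attempted": 10, "duration_s": 42.5}
    print(validate_result(result), validate_result({**result, "correct": 11}))
    sealed = seal(result, key)
    print(verify_seal(sealed, key), verify_seal({**sealed, "correct": 10}, key))
    stored = hash_password("correct horse")
    print(check_password("correct horse", stored), check_password("wrong", stored))
```

The schema check catches incomplete or mistyped documents before they are written; the tag catches changes made after the fact, including by someone with direct database access who lacks the key; and the password comparison never needs the original password, only its salted hash.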

Developing, that is, Integrating Security

--Originally published at Bytes of Mind

For the past four months, I’ve been working on a school project that involves integrating different school courses into a single project. The project revolves around helping elementary school kids practice and start integrating math into their daily lives. I, along with three other team members, am working on a web app called Skalia, and a small game similar to Asteroids called Mateoro, where you shoot the asteroids by solving the arithmetic operations within them. In short, a user, be it a student or teacher, can log into Skalia; the student can play Mateoro while the teacher can monitor their progress.

Mateoro concept art

While developing the web app and the game, we haven’t been forgetting about security either. One of our main concerns was how we were going to manage sensitive data. After talking for a while the team reached the conclusion that, first and foremost, we were going to use the least possible amount of data, so in case something was compromised, the damage would be kept to a relative minimum. To keep data safe, we also decided that we were going to encrypt the data we stored; at first it was just the usernames and passwords, but it honestly is a better idea to just encrypt everything.

Besides data management, there were some other things that had to be taken into consideration, mainly because we were going to be dealing with young kids. One of those things was the way we would handle logouts, for two reasons: we run a script that adjusts the difficulty of the game as soon as the session ends, and we knew the kids would probably just close the browser instead of logging out. We had to play around with cookies for this, but

Continue reading "Developing, that is, Integrating Security"