Developing, that is, Integrating Security

--Originally published at Bytes of Mind

For the past four months, I’ve been working on a school project that involves integrating different school courses into a single project. The project revolves around helping elementary school kids practice math and start integrating it into their daily lives. I, along with three other team members, am working on a web app called Skalia, and a small game similar to Asteroids called Mateoro, where you shoot the asteroids by solving the arithmetic operations inside them. In short, a user, be it a student or a teacher, can log into Skalia; the student can play Mateoro while the teacher can monitor their progress.

[Image: Mateoro concept art]

Along with developing the web app and the game, we haven’t forgotten about security either. One of our main concerns was how we were going to manage sensitive data. After talking for a while, the team reached the conclusion that, first and foremost, we would store the least possible amount of data, so that if something was compromised, the damage would be kept to a relative minimum. To keep data safe, we also decided to encrypt the data we stored. At first it was just the usernames and passwords, but it honestly is a better idea to just encrypt everything.

Besides data management, there were some other things that had to be taken into consideration, mainly because we were going to be dealing with young kids. One of them was the way we would handle logouts, for two reasons: we run a script that adjusts the difficulty of the game as soon as the session ends, and we knew the kids would probably just close the browser instead of logging out. We had to play around with cookies for this, but
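As an added example (not Skalia’s own code), here is one way to make a session end even when the player just closes the tab: a server-side session table with an idle timeout and an end-of-session hook, plus the cookie flags that keep the token away from page scripts. The class name, the 15-minute timeout and the difficulty hook are assumptions.

```python
# Added example, not Skalia's own code: a server-side session table with an
# idle timeout, so a session a kid abandons by closing the browser still ends
# and still fires the end-of-session hook (the post's difficulty script).
# Class/function names, the 15-minute timeout and the hook are assumptions.
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_S = 15 * 60  # assumed: a session ends after 15 idle minutes


class SessionStore:
    def __init__(self, on_session_end: Callable[[str], None], now=time.time):
        self._sessions: Dict[str, dict] = {}
        self._on_end = on_session_end  # e.g. re-tune the game's difficulty
        self._now = now                # injectable clock, so tests can fake time

    def start(self, user: str) -> str:
        # Random, unguessable token; the browser only ever sees this value.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def cookie_header(self, token: str) -> str:
        # No Max-Age/Expires: a session cookie the browser drops when it closes.
        return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def touch(self, token: str) -> Optional[str]:
        """Return the user for a live session and refresh its activity time."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() - s["last_seen"] > IDLE_TIMEOUT_S:
            self._end(token)           # came back too late: treat as logged out
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def logout(self, token: str) -> None:
        if token in self._sessions:
            self._end(token)

    def sweep(self) -> int:
        """Expire idle sessions (run this periodically); returns how many ended."""
        now = self._now()
        stale = [t for t, s in self._sessions.items() if now - s["last_seen"] > IDLE_TIMEOUT_S]
        for t in stale:
            self._end(t)
        return len(stale)

    def _end(self, token: str) -> None:
        user = self._sessions.pop(token)["user"]
        self._on_end(user)  # runs for explicit logout AND for abandoned sessions
```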


Malware. GRRR!! Spooky!

--Originally published at Eric tries to write down cool things


Malware… OH MALWARE! The fantastic and exotic creation of some people who just want to screw others over for money, for pride or for FREAKING FUN!


Yes, there are teenagers who mess with the government just because they are able to do it and get away with it. Anywayyyyysssss.

Malware is a type of software that does harm to a user. This malware was not born from magic dust and people’s hopes; some guy decided to create it with a single purpose: get the best out of people.

Malware is usually detected before doing any harm and is removed safely, but there are certain occasions where users insist on screwing themselves up by getting into unsafe sites and clicking god knows where to get screwed!!! DAMN PEOPLE, IT’S SO EASY TO AVOID ALL OF THIS, REALLY!


Anyway, if the malware manages to get into your system, it stays camouflaged until the attacker decides to activate it and retrieve something from you. Be it raw information, passwords, accounts, credit cards or your family trip to Thailand from 5 years ago! WHO CARES?! This guy already has you grabbed by the p**** and he can do whatever he wants with your info if you don’t catch him before he gets out.

How to avoid this?

DAMN Firewalls!

DAMN not clicking on random stuff!

DAMN not downloading illegal stuff from random places!

DAMN not installing unsecured thinguies here and there!

It’s so easy I want to kiss the people who allow it to be easy :*


Play safe kids, PEEEACE


Unintentional Security Issues. WOOPS!

--Originally published at Eric tries to write down cool things

If I had to pick one topic to be my favorite from the mastery topics list, this one would win, and by far.


Why do I think it’s the best one? Welllll, we like to screw up OVER AND OVER!

Most security issues come from unintentional implementations: badly written code, badly implemented restrictions, too much information given away to users who don’t need it, showing your code to your mom.

Really! Damn! There is so much to screw up all over the damn place! It’s just impossible to cover every single security scenario. The best you can do as a security brigadier is to implement and think of all the things you are capable of. Think of every single mother effing scenario you can come up with that can go wrong. You won’t cover all of them, but oh boy will you try and make things better!

We covered a lot of issues in class demonstrating how things were badly made. For example, Isaac purchased some bus tickets online to go to Tepic, but he didn’t receive the tickets, so he YOLOed, went into the browser console and started looking for answers… AND OH BOY HE FOUND THEM! He found the source code of many things that could’ve compromised the information of other passengers on the bus, and he could resubmit other information to the webpage, making a huge security issue.

And now, do we really think the engineer behind this site made it this way on purpose? Let’s damn hope he didn’t; if he did, well, what a damn ass.

He didn’t expect that a mortal like Isaac would go into the Chrome console to look for answers. This was the programmer’s demise: to think there were no other gods aside from him.

So remember kids! Try to break your stuff


Basic things, dude. BASIC THINGS!

--Originally published at Eric tries to write down cool things

The network can be a universe of its own: vast, full of things that are or can be unknown. And just like in sci-fi movies, it is plagued with dangers. Hackers, malware, etc. Everything is there. Just like in some movies, you need to learn to protect yourself. If not, you might end up just like those victims, getting eaten by that unknown thing.

Everyday thing: Have an antivirus or antimalware and keep it updated too, obviously.

Basic protection: Use a firewall; if you are not at an expert level, please do not lower the firewall. Your computer comes with a firewall by default and it helps you filter bad stuff from the web.

Public doesn’t equal good: Don’t go onto public open networks without some sort of security, or even better, don’t get on them at all. By doing so, you are probably literally leaving your info in the air for someone to grab.

Buy smart, buy safe: Only shop online from trusted and well-recognized sites, preferably using platforms like PayPal.


Free software can come with a price: not all software out there is good, which is why you should only download/install certified software.

If your browser recommends against it, don’t insist: Don’t play with fire. If your browser is already doubting the page’s certificate, it is probably because the page is dangerous. Unless you are 100% sure you know that web page, get out of there.

Use browser tools: Most browsers already come with plugins to block popup ads; I recommend using them or installing them.

Passwords: Try using different passwords, don’t use the same one for everything. Otherwise, if someone gets access to your password, it would grant access to all of your accounts. Also, make them secure by making


Denial of service, yeah that guy who screwed everyone up not long ago :)

--Originally published at Eric tries to write down cool things

This is a bit of an old issue that happened not so long ago; it destroyed a lot of stuff, including my belief that people are not asses.

Basically, this mother l went through thousands of computers making them useless because the user’s computer caught a small DoS. The way this attack works is:

The attacker sends a lot of slaves/files to a lot of users, massively. The slave waits for the attacker’s command to activate and then freezes all activity on the victim’s computer so that the computer is useless. Here is where it gets nice: since the computer is useless, the victim has to have a salvation, right? Luckily the attacker has a passion for money, so he gives the victim the option to pay for his damn freedom!!! What a guy! He allows you to pay for your own freedom, at a damn price!


In computing, a denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.


The various types of certifications

--Originally published at Eric tries to write down cool things

This one is a bit more about how you can get certifications to prove you are qualified in security matters. A bit of a pain if you ask me…

Licenses (depending on which one) may come from one of the following sources:

  1. Schools/Universities
  2. Vendors also known as sponsored credentials (e.g. Microsoft, Cisco)
  3. Association and Organization sponsored credentials
  4. Governmental body sponsored licenses, certifications and credentials

There are a lot of certifications out there, but here we are going to discuss just 5.

CEH Credential

Recently I discovered the Certified Ethical Hacker credential. As discussed before in a blog post about ethical hacking, this certification ensures that the person is trained in detecting system vulnerabilities with the same techniques hackers employ.

The exam for this certification has 125 questions related to penetration testing techniques, security laws and standards, malicious software and hacking in general. There are also several sites and universities that offer training in the matter.

CompTIA

CompTIA works as a professional certification provider in the information technology industry; once obtained, the certifications they offer, like A+, N+ and Security+, are valid for 3 years.

  • A+ is a basic, essential IT certification that demonstrates competence as a computer technician.
  • N+ (or Network+), well, the name speaks for itself: it certifies skills as a network technician.
  • Security+, the one we care about in the information security course, ensures security knowledge and skills; it covers principles of network security and risk management inside systems.

CISSP

Stands for Certified Information Systems Security Professional. It consists of an exhaustive 6-hour, 250-question examination. It is given to those who show deep knowledge and competence regarding new threats and growing security attacks. It covers topics like identity and access management, security operations and asset security.

GIAC


Risk Assessment Methodologies.

--Originally published at Eric tries to write down cool things

So brace yourself for bad puns here and there.

It’s a way to figure out how important your system is and how far you are willing to go to protect it.

Contingency plan

Plan for disaster; it may spell the difference between a problem and a catastrophe. Backups are the key to disaster planning.

Threat Modeling

Getting into more technical stuff, one of the first steps in any kind of security development life cycle model is threat modeling. It is a procedure that improves any kind of app or network instance by identifying objectives and vulnerabilities, and then the countermeasures to prevent or mitigate their effects.

Risk Rating Methodology

What is the risk of a DDoS versus a phishing attack? How probable is each one? What are the costs of fixing them? Risk rating is the capacity to estimate the associated risks and the impact they have on the business. The following formula tells what a risk is composed of:

Risk = likelihood * impact

There are a series of steps in order to measure the severity of the risk:

  1. Identify the risk
  2. Estimate the likelihood
  3. Estimate the impact
  4. Determine the severity of the risk
  5. Fix
  6. Adapt the risk rating model to the specific project.
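As an added worked example (not from the original post), here are the formula and the steps above carried out OWASP Risk Rating style for the two attacks the post asks about. The factor names and the LOW/MEDIUM/HIGH cut-offs follow the OWASP methodology; the scores given to DDoS and phishing are constructed for illustration, not measured.

```python
# Added example, not from the original post: Risk = likelihood * impact carried
# out OWASP Risk Rating style. Each factor is scored 0-9, the factors average
# into a likelihood and an impact score, each score is bucketed LOW/MEDIUM/HIGH
# and the two buckets meet in a severity matrix. Factor names follow OWASP; the
# DDoS and phishing scores below are constructed for illustration, not measured.
from statistics import mean
from typing import Dict, Tuple

LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",  # threat agent
                      "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")  # vulnerability
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
                  "loss_of_accountability", "financial", "reputation", "non_compliance", "privacy")

# Row = likelihood bucket, column = impact bucket.
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def bucket(score: float) -> str:
    """0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def rate(factors: Dict[str, int]) -> Tuple[float, float, str]:
    """Steps 2-4 of the post: estimate likelihood, estimate impact, get severity."""
    likelihood = mean(factors[f] for f in LIKELIHOOD_FACTORS)
    impact = mean(factors[f] for f in IMPACT_FACTORS)
    return likelihood, impact, SEVERITY[(bucket(likelihood), bucket(impact))]


# Step 1, identify the risks: constructed scores for the two attacks the post names.
DDOS = dict(skill_level=3, motive=4, opportunity=7, size=9, ease_of_discovery=7,
            ease_of_exploit=5, awareness=9, intrusion_detection=3,
            loss_of_confidentiality=0, loss_of_integrity=0, loss_of_availability=7,
            loss_of_accountability=1, financial=3, reputation=4, non_compliance=2, privacy=0)
PHISHING = dict(skill_level=1, motive=9, opportunity=9, size=9, ease_of_discovery=7,
                ease_of_exploit=9, awareness=9, intrusion_detection=8,
                loss_of_confidentiality=7, loss_of_integrity=5, loss_of_availability=1,
                loss_of_accountability=7, financial=7, reputation=5, non_compliance=5, privacy=7)

if __name__ == "__main__":
    for name, f in (("DDoS", DDOS), ("Phishing", PHISHING)):
        lik, imp, sev = rate(f)
        print(f"{name}: likelihood={lik:.2f} impact={imp:.2f} severity={sev}")  # step 5: fix the High first
```

With these constructed scores phishing comes out High and the DDoS Low, which is the ordering the "fix" step would work through.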

psssst imma let you into a secret >_>/ .. <_<

--Originally published at Eric tries to write down cool things

Replace “wow” with “Encryption” and we’ve got ourselves a good meme.

Did you know that you have always had the opportunity to encrypt all your info and all your messages? Well! Turns out the only things you need are your willpower, a little math here and there and BOOM! YOU ARE ENCRYPTED.

Now the pain comes when you want to encrypt all your stuff. L.O.L.

Good luck with that, and with remembering the decryption process and keys for all your things.

In the field, this same principle of encoding a message to increase its security is known as cryptography.

Cryptography ensures not only that only the intended recipients can read the message, but also that it won’t be changed by other people, and the authentication of the sender and receiver; because, if only your friend-crush Anna knows the secret key and your love letter gets public, then you can be sure you don’t need Anna close anymore.

It is clear that cryptographic methods are not as simple as the ciphers described above (they should not be); for that we have several algorithms that fall into two main categories:

  • Symmetric cryptography
  • Asymmetric cryptography


Symmetric has some main weaknesses compared to asymmetric because these methods only use one key to encrypt and decrypt the message. If the key gets intercepted during the exchange between the sender and the receiver, then you are basically dead.

On the other hand, asymmetric uses two keys: public and private. The public one is meant to be shared with anyone who intends to send you a message. The private one must not be shared because it is used to decipher the messages sent to you. This is an advantage because in large companies you will only need 2 keys
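An added example, not from the original post: textbook RSA with tiny numbers, showing that anyone holding the public key can write to you while only the private exponent reads the result, plus the key-count comparison behind the last sentence. Eric, Anna and the primes are made up; real deployments use much larger keys and padding such as OAEP.

```python
# Added example, not from the original post: textbook RSA with tiny numbers to
# show the two-key idea. The public key (n, e) is handed to anyone who wants to
# write to you; only the holder of the private exponent d can read the result.
# Real use needs 2048-bit-plus moduli and padding (e.g. OAEP); this is for
# learning only. The primes and the people (Eric, Anna) are made up.
from math import gcd
from typing import Tuple


def keygen(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d): the public key and the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)        # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse: e*d == 1 mod phi (Python 3.8+)
    return (n, e), d


def encrypt(public: Tuple[int, int], m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)            # anyone with the public key can do this


def decrypt(private_d: int, n: int, c: int) -> int:
    return pow(c, private_d, n)    # only the private exponent undoes it


def keys_to_distribute(people: int) -> Tuple[int, int]:
    """Symmetric: one secret per pair. Asymmetric: one key pair per person."""
    return people * (people - 1) // 2, 2 * people


if __name__ == "__main__":
    public, d = keygen(61, 53, e=17)          # Eric publishes public, keeps d
    c = encrypt(public, 42)                   # Anna encrypts with Eric's public key
    print(decrypt(d, public[0], c))           # 42: Eric reads it
    print(keys_to_distribute(100))            # (4950, 200)
```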


I don’t know who you are but …

--Originally published at Eric tries to write down cool things

Maybe on some occasion you have wondered why (if not, you should) you have to identify yourself EVERY SINGLE TIME you want to log in to your email, favorite game, or even your computer. Well, this is all for your own safety. There exist these concepts called Authentication, Authorization and Access Control, which some people take as if they were the same, because normally end users aren’t aware of the whole process: you just put in your username and password and the magic’s done.

The first step is authentication, a.k.a. inputting your user and password, well, most of the time; there are also other ways to identify yourself, like a PIN, facial recognition, a fingerprint, or a secret code, just to name some examples. This last one is used very often for something called two-step verification, which is a simple procedure designed to increase your security, because it’s really easy for someone to steal your password. Two-step verification is used by some companies like Sony on the PlayStation; Google and Telegram also have an option to turn it on. But not everything is perfect: a “disadvantage” of this method is that it’s a little bit annoying, but if you don’t mind that, then unless you also lose your cell phone or whichever device you receive the code on, it’s WAY SAFER.

We can divide the methods of authentication into three:

  1. Something you know, like a password, a PIN, etc.
  2. Something you have, like a smart card
  3. Who you are or what you do, like voice recognition or a fingerprint
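As an added example (not from the original post), this is how the two-step code described above is typically produced and checked, assuming it is a TOTP code (RFC 6238, built on HOTP, RFC 4226): the phone and the server share a secret once, and the six digits come from that secret plus the current 30-second window, so a stolen password alone is not enough. The shared secret used here is the RFC’s published test key, for illustration.

```python
# Added example, not from the original post: how the "secret code" used for
# two-step verification is usually produced (TOTP, RFC 6238, built on HOTP,
# RFC 4226). Phone and server share a secret once; the code is derived from it
# and the current 30-second time step, so stealing just the password is not
# enough. The shared secret below is the RFC test key, used here for illustration.
import hmac
import hashlib
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 the counter, take 31 bits from a dynamic offset."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter = number of time steps since the epoch."""
    return hotp(secret, int(at) // STEP_SECONDS, digits)


def verify(secret: bytes, code: str, at: float, skew_steps: int = 1) -> bool:
    """Server side: accept the current step and +-skew_steps for clock drift,
    comparing in constant time so the check itself leaks nothing."""
    base = int(at) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, base + k), code)
               for k in range(-skew_steps, skew_steps + 1))


if __name__ == "__main__":
    shared = b"12345678901234567890"   # RFC 4226/6238 test secret, for illustration
    print(totp(shared, time.time()))   # what the phone app would show right now
```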

But why is this useful? Wouldn’t it be easier if they let me in without asking anything??

All this just to know WHO YOU ARE?

This leads us to Authorization, which is just the system verifying what you can do depending on who


Ethical hacking. WUT!?

--Originally published at Eric tries to write down cool things

Hacking. What a word

isn’t it fun?
isn’t it dangerous?
isn’t it nerdy?
isn’t it sexy?           (maybe not)

Hacking has so many meanings, from hacking the whole damn internet and enslaving the world to your every desire, even from the comfort of your room in your parents’ house (phew), to just writing a damn hello world in Lisp

https://learnxinyminutes.com/docs/common-lisp/

My point is that hacking has so many meanings, and society can interpret our hacking as programmers any way they want, but it is OUR job and responsibility to program and invent new apps and tools to help our society grow as one, not to hack their freaking Facebook account.

When someone decides to make an application to administer someone’s bank account, you are agreeing to take care of their data, to be responsible for anything that goes wrong in the app. You are ensuring that the user can trust you.

Maybe you have signed it (not literally), but I’m so damn sure you’ve had to go through a talk or a reading about our responsibility as programmers to ensure our users’ well-being.

Behind the scenes, we are the heroes that keep our world safe without anyone ever noticing. We hack some damn code!