Systems Security

--Originally published at How to HACK

Operating systems need security as well. An operating system is a natural place to enforce security, since it is a platform that interacts with many users and a lot of information. Here is how easily you can add security to your operating system.

First, passwords. We can base them on three kinds of factor: what we know, what we have and what we are.

  • What we know are things or words that we keep in our heads.
  • What we have are material things we own; examples are credentials or tags that we already use to gain access to some places.
  • What we are are our own characteristics, such as eyes or fingerprints. These are the best kind, because they cannot be copied or cloned, but of course they are more expensive.

NTFS (New Technology File System) is a newer way of storing, browsing and securing files. This system allows permissions and privileges to be granted. Individual permissions include full control, change, read and execute, and list folder, among others.

Also, you can create an Active Directory to store, classify and retrieve information. It is a directory of objects, essentially a database shaped like a pyramid (a hierarchy). It also implements authentication and trust relationships (when servers are added), and groups similar entities together in its structure.

My advice is to look further on the web for how to secure your operating system; this post is just a small example of what you can do. As always, prevent and be prepared for the dangers you could face; operating systems are not the exception.


Cryptography

--Originally published at Computer Security

Cryptography has been in use for a very long time, mainly in the form of encrypted messages, which were used in some important wars to communicate between allies and teams that shared a key to decrypt them. A common example is the Enigma machine, used in World War II and decrypted by Alan Turing; this is known as the start of the modern computer era.

Nowadays cryptography is a must in computer systems and on the Internet, because a lot of personal and sensitive data is shared between websites and servers. The most common data to be encrypted are passwords and billing information, but all the data should be encrypted. There are many encryption algorithms, each with its own complexity and security.

Some of the most popular are:

  • RSA – Rivest-Shamir-Adleman
  • AES – Advanced Encryption Standard
  • Blowfish
  • Twofish
  • MD5
  • SHA – Secure Hash Algorithm

If a website owner deals with sensitive information, such as users' personal information or billing data, all of it must be encrypted to ensure security and protection from hackers.
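A practitioner's caveat on the passwords mentioned above: stored passwords are not encrypted (encryption is reversible) but hashed with a salted, deliberately slow function, so a stolen table cannot simply be decrypted. The following Python example is added here and is not code from the original post; it uses PBKDF2-HMAC-SHA256 from the standard library, and the user names, passwords, storage format and iteration count are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed: raise it as hardware gets faster


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    The random salt makes identical passwords hash to different values, so a
    leaked table cannot be attacked with one precomputed lookup, and the
    iteration count makes each guess deliberately slow.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:  # malformed stored value: never a match
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many bytes matched through timing
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo():
    users = {}  # constructed in-memory "user table": name -> stored hash
    users["alice"] = hash_password("correct horse battery staple")
    ok = verify_password("correct horse battery staple", users["alice"])
    wrong = verify_password("correct horse battery", users["alice"])
    # a second user with the same password still gets a different stored value
    users["bob"] = hash_password("correct horse battery staple")
    return ok, wrong, users["alice"] != users["bob"]


if __name__ == "__main__":
    print(demo())
```

Only the salted hash is ever written to the database; verifying a login means hashing the submitted password again with the stored salt and iteration count, never decrypting anything.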

The objectives of cryptography are:

  • Confidentiality – Information is accessible only to authorized users. It uses codes and ciphers.
  • Integrity – Guarantees the correctness and completeness of the information. It uses hash algorithms.
  • Authenticity – Is the assurance that the sender of a message is who they say they are. It uses hash functions and zero-knowledge proofs.
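The three objectives side by side, as an added example that is not code from the original post, using only Python's standard library: confidentiality with a one-time-pad XOR cipher keyed from os.urandom (a stand-in for AES, which needs a third-party package; it is only secure if the key is random, as long as the message, and never reused), integrity with a SHA-256 digest, and authenticity with an HMAC-SHA256 tag computed over the ciphertext (encrypt-then-MAC). The sample message and key names are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def encrypt_otp(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality: XOR each byte with a random key byte of equal length."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match message length")
    return bytes(k ^ p for k, p in zip(key, plaintext))


decrypt_otp = encrypt_otp  # XOR is its own inverse


def digest(data: bytes) -> str:
    """Integrity: a SHA-256 digest changes if even a single bit of data changes."""
    return hashlib.sha256(data).hexdigest()


def authenticate(mac_key: bytes, data: bytes) -> bytes:
    """Authenticity: an HMAC tag that only a holder of mac_key can produce."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(mac_key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest prevents timing leaks when comparing tags
    return hmac.compare_digest(authenticate(mac_key, data), tag)


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC: tag the ciphertext so tampering is caught before decryption."""
    ciphertext = encrypt_otp(enc_key, plaintext)
    return ciphertext, authenticate(mac_key, ciphertext)


def unprotect(enc_key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not match (tampered or wrong key)."""
    if not verify(mac_key, ciphertext, tag):
        return None
    return decrypt_otp(enc_key, ciphertext)


def demo() -> bool:
    message = b"transfer 100 to account 42"  # constructed sample message
    enc_key = os.urandom(len(message))       # one-time pad: fresh key per message
    mac_key = os.urandom(32)
    ciphertext, tag = protect(enc_key, mac_key, message)
    assert unprotect(enc_key, mac_key, ciphertext, tag) == message
    # flip one bit of the ciphertext: the authenticity check rejects it
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    assert unprotect(enc_key, mac_key, tampered, tag) is None
    # the integrity digest of the modified message differs from the original
    assert digest(message) != digest(message + b"!")
    return True


if __name__ == "__main__":
    print("all three objectives demonstrated:", demo())
```

The same single shared key is used on both sides here, which is the symmetric case; an asymmetric scheme would replace the shared MAC key with a signature made under a private key and checked with the public one.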



Security on the web

--Originally published at Computer Security

Right now there are millions of websites and the number grows every day, so all of these sites have to be concerned about security if they deal with sensitive information, because there are hackers. If a website owner has a security hole in the website, maybe he gets lucky and a white hat hacker ("the good one") tells him about it and the owner fixes it. Unfortunately, there are more black hat hackers ("the bad ones") on the Internet, so if the owner doesn't want to deal with them or doesn't want the data to be stolen, he has to pay for security.

A bad web security scenario is when a curious hacker, the one who looks into the developer tools and plays with the URL, can break the security of the website.

A nice practice is to encrypt everything, and by everything I mean EVERYTHING: passwords, users, files, etcetera. Be sure to use established encryption algorithms; it is really a bad practice to write your own. There will always be a security hole in a website, because no website is 100% secure; that doesn't exist, it's a utopia. So if you want to get as near as possible to that 100%, be sure to pay for a security specialist. And one important rule: TRUST NO ONE, not even your website administrator. Be sure not to grant all the permissions to your employees, because one day they may no longer be your employees, and they will still have access to your data.

Be sure to write your security policy, privacy policy and terms and conditions, even knowing that 95% of people won't read them.



Web Security

--Originally published at How to HACK

Security is a way to prevent harm and includes systems and non-physical factors. To develop a good security environment, you have to consider two basic things:

  • Awareness: identify dangers and set your mind to expect them to happen.
  • Protection: use the existing security services in an intelligent way.

Web services can be complex, so web security matters. Why? Because it is common for hackers to look for complexity and try to steal information.

Hackers can be defined as "someone who tinkers with computers and comes up with innovative ideas". Unfortunately, the term has been misused in our context; nowadays, a hacker is known as someone who can find a vulnerable point in a platform, gain control and steal information. There are several kinds of hackers; sadly, most of them don't use their knowledge for positive causes.

Web design principles:

  • Least privilege is about giving the user just the minimum privilege over the web service, so they can stick to their field and nothing else.
  • Simplicity means simplifying the programs: the fewer things we have, the easier they are to protect.
  • Never trust users is a recommendation about being careful with users; most of them don't know anything about the dangers and can damage the system by accident.
  • Expect the unexpected is assuming that things will happen even if they sound impossible; it is better to be prepared than to have no clue at all.
  • Defense in depth refers to having several layers of defense, in order to reduce the strength of an attack if it happens.
  • Security through obscurity is reducing the amount of information you share about your website, because the less that is known, the fewer chances there are of being attacked.
  • Blacklisting and whitelisting are opposite concepts. A blacklist is a list of banned things and a whitelist is a list of
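An added Python example (not code from the original post) contrasting the two approaches for validating a user-supplied username: a blacklist rejects only the characters someone remembered to ban, while a whitelist accepts only an explicitly allowed shape and therefore also rejects inputs nobody anticipated, such as embedded whitespace, invisible Unicode characters, unexpected case or absurd lengths. The banned set, the allowed pattern and the sample inputs are all constructed.

```python
import re

# Constructed blacklist: the characters the developer remembered to ban.
BANNED_CHARS = set("<>\"'/\\;")

# Constructed whitelist: the only shape a username is allowed to take
# (lowercase letter first, then 2 to 15 lowercase letters, digits or underscores).
ALLOWED_USERNAME = re.compile(r"[a-z][a-z0-9_]{2,15}")


def blacklist_ok(username: str) -> bool:
    """Accept anything that contains none of the banned characters."""
    return not any(c in BANNED_CHARS for c in username)


def whitelist_ok(username: str) -> bool:
    """Accept only what matches the allowed pattern; everything else is rejected."""
    return ALLOWED_USERNAME.fullmatch(username) is not None


SAMPLES = [  # constructed inputs
    "alice",               # ordinary, valid
    "bob_99",              # ordinary, valid
    "al ice",              # embedded space
    "alice\u200b",         # trailing zero-width space, invisible in most UIs
    "ALICE",               # a case the application did not expect
    "a" * 64,              # far longer than any real username
    "<b>alice</b>",        # markup, caught by both approaches
    "",                    # empty
]


def compare(samples=SAMPLES):
    """Return {input: (blacklist_result, whitelist_result)} for inspection."""
    return {s: (blacklist_ok(s), whitelist_ok(s)) for s in samples}


def disagreements(samples=SAMPLES):
    """Inputs the blacklist lets through but the whitelist rejects."""
    return [s for s in samples if blacklist_ok(s) and not whitelist_ok(s)]


if __name__ == "__main__":
    for value, (bl, wl) in compare().items():
        print(f"{value!r:20} blacklist={bl!s:5} whitelist={wl}")
```

The disagreements are all inputs that look harmless to the banned-character check yet fall outside what the application was written to handle; a whitelist encodes what the application expects, so it does not need to be updated every time a new kind of bad input is discovered.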

Cryptography

--Originally published at How to HACK

Cryptography is not just secret messages, mainly because those messages are not secret. An encrypted message can be read by anyone, or at least anyone can try, because it is just senseless gibberish. And that's not bad; it is planned to be gibberish. To read an encrypted message you need a key, which makes it a man-made art. Encrypted messages are really old (recall the Enigma code!).

Encryption is the safest way to keep information and ensure a safe data transfer. Servers have five basic services to guarantee security (listed below); these are implemented through security services, and encryption is mainly a matter of confidentiality.

  • Confidentiality (protecting data)
  • Integrity (unchanged data)
  • Accountability (protection in communication)
  • Authentication (confirm identity)
  • Availability (services accessible).

Trusted third parties, public key infrastructure and the story of Bob and Alice are basic concepts of cryptography:

  • A trusted third party helps to establish trust in connections between Internet environments.
  • Keys:
    • Symmetric, which uses a single key.
    • Asymmetric, which uses a pair of keys.
  • Bob and Alice deal with certificates. Bob and Alice can trust each other because of the trusted third party, which authenticates them through the certificates.

Cryptography is a wise option to protect data and data transfers.


Security architecture and policies

--Originally published at How to HACK

If you're developing software to provide a service, you must consider a security architecture: a platform where every single thing is where it has to be, easy to maintain and to recover. Security must be included within the architecture of the system.

A system can be built in different ways, and there are many factors that affect how well it is built: for example, a great amount of pressure, allowing inexperienced programmers to make changes, or just waiting for time to pass without changing anything. In the end you will not be able to test the system, which makes it fragile. Fortunately, we can reengineer everything.

You need to understand the technology for this. But don't worry if you don't; you just need to take some time to do research, or go out and ask someone who knows about it. No matter how long it takes you to understand it, security is always a way to save time and money. A good security architecture ensures the system runs well and that further security features will be easy to implement.


Risk management, and assessment

--Originally published at How to HACK

Information security is more complex than it appears; it deals with conventions that go beyond just the implementation or blocking things.

Risk management is like being an alcoholic. The first step to getting over it and tackling it is to accept that risks exist and are closer than you believe. Even though you might think you're not the billionaire that hackers are looking for, out there are lots of people looking for vulnerable points in your systems to steal your information.

A good way to prevent it is risk management. These are the six steps:

1. Categorize. You need to categorize dangers. If we group dangers according to their characteristics, we can tackle more of them in an easier way.

2. Select. You have to select the technology or the correct measure that you will apply to each danger.

3. Implement. This step is easy: you need to implement the measures you selected previously.

4. Assess. You need to evaluate the things you are going to use, and decide whether it's better to switch to a better one or keep using the current one.

5. Authorize. This works by accepting the solution and having a clear method for what to do in case it is needed.

6. Continuous monitoring. Keep looking for anomalies; you need to know what you are looking for and where. So, if you find something, you already know what to do, because you have followed the framework and have a plan to solve it.
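As an added example of step 6 (not code from the original post), here is a small Python detector that knows what it is looking for: it parses SSH-style authentication log lines, counts failed logins per source address inside a sliding time window, and flags sources that cross a threshold, which is the kind of anomaly a plan can then act on. The log lines are constructed sample data, and the format, addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001
2024-05-01T10:00:03 sshd[101]: Failed password for root from 203.0.113.5 port 40002
2024-05-01T10:00:04 sshd[102]: Accepted publickey for deploy from 198.51.100.7 port 50001
2024-05-01T10:00:06 sshd[101]: Failed password for root from 203.0.113.5 port 40003
2024-05-01T10:00:09 sshd[101]: Failed password for root from 203.0.113.5 port 40004
2024-05-01T10:00:12 sshd[101]: Failed password for root from 203.0.113.5 port 40005
2024-05-01T10:00:15 sshd[103]: Failed password for alice from 198.51.100.7 port 50002
2024-05-01T10:00:20 sshd[103]: Accepted password for alice from 198.51.100.7 port 50003
2024-05-01T10:30:00 sshd[104]: Failed password for root from 192.0.2.9 port 60001
"""

# Assumed line shape: "<iso timestamp> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for lines that match the expected format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines in another format are ignored, not guessed at
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {src: total_failures} for sources with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for ts, result, _user, src in parse(lines):
        if result == "Failed":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def demo():
    return failed_login_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, count in demo().items():
        print(f"ALERT: {count} failed logins from {src} within the window")
```

The threshold and window are the "what you are looking for" of step 6; a single failure from a legitimate user (198.51.100.7 above) is not flagged, while a burst from one source is, so the alert maps directly to a pre-planned response such as blocking the source or reviewing the targeted accounts.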

By following these steps, we can keep a risk from hitting as hard as it could. Honestly, most risks will still hit relatively hard, but not as hard as if no defense were in place.


Cryptography

--Originally published at Título del sitio

In my opinion cryptography is one of the most interesting topics of the course, and it is something I already had contact with last semester in my computational mathematics subject. My teacher explained some of the methods used for encryption of information and told us a lot about the Turing machine, which, although used to solve algorithms, was a key element in the Second World War to encrypt intercepted data. I could also see the Caesar cipher, used for a long time and actually very simple. Nowadays it is necessary to keep all information secure, and cryptography must be essential to keep safe all the information we entrust to the websites we access.

During the semester, the school will provide important information about teachers and students, and it is necessary to look for a tool that allows us to encrypt this data to keep it safe. As we will use NodeJS, we will have to adapt a tool that allows us to use the data and return the information as JsonWebTokens.



Security architecture and policies

--Originally published at Título del sitio

The design of a computer security architecture helps to understand the risks to which the information of an organization is exposed, in order to establish the procedures that will help to eliminate them.

In my opinion you should have 3 essential criteria, which are:

  • Confidentiality. Only authorized persons can access the data.
  • Integrity. The data must be authentic and cannot be changed without permission.
  • Availability. Make the data available to the right person at the time they require it.

Risk management, and assessment

--Originally published at Título del sitio

Every day, all the time, information is exposed to attack for different motives, and this represents a lot of risks. According to the Software Engineering Institute of Carnegie Mellon, risk is the possibility of suffering damage or losses caused by a human agent or otherwise.
The selection and specification of security controls for a system is accomplished as part of an organization-wide process that involves the management of organizational risk; it is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for a system.

The Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle, which is used to protect the information.

Categorize, Select, Implement, Assess, Authorize and Monitor are paramount to an effective information security program and can be applied throughout the development life cycle.