Cryptography

--Originally published at Computer and Information Security

Cryptography has been around for as long as we have; we should remember that breaking a cryptographic system was the objective of the first computers, and also that cryptography and security are always related, in IT and elsewhere. For example:
Every poker player should learn a bit about cryptography. Because, in a way, playing poker is actually a form of cryptography. Let me explain.
Cryptography is the science of encoding information. Typically encryption is used to encode communications between two parties so that a third party is unable to understand it. For millennia, people have been trying to encrypt their communications—and the field of cryptography has become increasingly important over the years.
All of the innovation in cryptography is designed to address one problem. There is an inherent tradeoff between ease-of-use of a cryptographic method and its security.
Interestingly, if you are interested only in security—making sure that no one can possibly break your code—and not at all in ease-of-use, then the solution to perfect encryption is trivially simple. You can use a method called a one time pad.
Let’s say we have a message written in English that is 140 characters long. We want to encode this message so that only its intended recipient can read it. Before we send the message, we generate a list of 140 random numbers from 0 to 26. Maybe we have a computer generate this list. We write the random numbers down on a piece of paper and hand it to our intended recipient.
Then we compose the message. And for every character in our message, we add the corresponding number to it—adding meaning that we go that many letters forward in the alphabet to get the new letter. So if our letter is E, and the random number is 3, then in our
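The one-time pad described above, written out as an added example (this is not code from the original post or from the quoted article). It follows the post's scheme exactly, one random shift per letter, moved forward to encrypt and back to decrypt, with two choices that are mine: the shifts are drawn from 0 to 25, since on a 26-letter alphabet a shift of 26 is the same as 0, and they come from the `secrets` module, a cryptographically secure generator, because the scheme is only perfectly secure when the pad is truly random, as long as the message, and used once. The last function shows the classic failure mode: if the same pad is used for two messages, the pad cancels out and the difference between the plaintexts leaks.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # 26 letters, A=0 ... Z=25


def generate_pad(length):
    """Generate one random shift per character of the message.

    Uses the CSPRNG in `secrets`; a predictable source such as `random`
    would let anyone who knows the seed reconstruct the pad.
    Shifts are 0..25 (assumption: a shift of 26 wraps to 0 anyway).
    """
    return [secrets.randbelow(len(ALPHABET)) for _ in range(length)]


def _shift(text, pad, direction):
    """Shift every letter of `text` by its pad entry, forward or back."""
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for ch, k in zip(text, pad):
        if ch not in ALPHABET:
            raise ValueError("message must use only the letters A-Z")
        idx = (ALPHABET.index(ch) + direction * k) % len(ALPHABET)
        out.append(ALPHABET[idx])
    return "".join(out)


def encrypt(plaintext, pad):
    """Move each letter forward by its number: E with shift 3 becomes H."""
    return _shift(plaintext, pad, +1)


def decrypt(ciphertext, pad):
    """Move each letter back by the same number to recover the plaintext."""
    return _shift(ciphertext, pad, -1)


def pad_reuse_leak(ciphertext1, ciphertext2):
    """Why the pad is used once: with the same pad, c1 - c2 == p1 - p2 (mod 26).

    Returns the per-letter difference between the two plaintexts, computed
    from the ciphertexts alone, without knowing the pad.
    """
    return [(ALPHABET.index(a) - ALPHABET.index(b)) % len(ALPHABET)
            for a, b in zip(ciphertext1, ciphertext2)]


if __name__ == "__main__":
    message = "ATTACKATDAWN"  # constructed sample message
    pad = generate_pad(len(message))
    ciphertext = encrypt(message, pad)
    print(pad, ciphertext, decrypt(ciphertext, pad))
```

The pad list is what the post's "piece of paper" carries; the ciphertext can travel over any channel. Everything hard about the one-time pad is in handing over and protecting that paper, which is the ease-of-use side of the tradeoff the article mentions.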

Why use httpS

--Originally published at Computer and Information Security

Because it is secure, we should always use HTTPS; right now, as developers, we have many options to use this protocol for free (GCP, Let's Encrypt).

But what is HTTPS?
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.
Benefits
  • Customer information, like credit card numbers, is encrypted and cannot be intercepted
  • Visitors can verify you are a registered business and that you own the domain
  • Customers are more likely to trust and complete purchases from sites that use HTTPS
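"Always use HTTPS" is easiest to guarantee on the server, by refusing to serve anything over plain HTTP. The following added example (not code from the original post) is a small WSGI application that redirects every plain-HTTP request to its HTTPS equivalent and, once on HTTPS, sends a Strict-Transport-Security header so the browser keeps using HTTPS for that site. The `trust_forwarded_proto` flag is an assumption of this example: when TLS is terminated by a load balancer or reverse proxy, the application only sees plain HTTP and must read the original scheme from the `X-Forwarded-Proto` header, which should be trusted only when that proxy is known to set it.

```python
from urllib.parse import quote

# One year, including subdomains: browsers will refuse plain HTTP for this host.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def request_is_https(environ, trust_forwarded_proto=False):
    """True if the request arrived over TLS, either directly or via a trusted proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        # Only meaningful when a TLS-terminating proxy sets this header itself;
        # a client could otherwise forge it and skip the redirect.
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_url_for(environ):
    """Rebuild the requested URL with the https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    if host.endswith(":80"):          # an explicit plain-HTTP port makes no sense on https
        host = host[:-3]
    url = "https://" + host + quote(environ.get("PATH_INFO") or "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def https_only_app(environ, start_response, trust_forwarded_proto=False):
    """WSGI app: redirect plain HTTP, serve HTTPS with an HSTS header."""
    if not request_is_https(environ, trust_forwarded_proto):
        start_response("301 Moved Permanently",
                       [("Location", https_url_for(environ)),
                        ("Content-Type", "text/plain")])
        return [b"Redirecting to HTTPS\n"]
    start_response("200 OK", [("Content-Type", "text/plain"), HSTS_HEADER])
    return [b"Hello over TLS\n"]


def run(environ, trust_forwarded_proto=False):
    """Call the app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(https_only_app(environ, start_response, trust_forwarded_proto))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed request: a shopper hitting the checkout page over plain HTTP.
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "shop.example:80",
             "PATH_INFO": "/checkout", "QUERY_STRING": "order=42"}
    print(run(plain))
```

The redirect uses the Host header the client sent, so it always points back at the same site; the HSTS header is only ever sent on the HTTPS response, which is what the browser requires before it will honour it.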

Best Practices for DDoS

--Originally published at Computer and Information Security

I found this document from Google that explains the best practices for these cases.
  • The GCP load balancing solution has DDoS mitigations built in, lowering the attack surface:
    • configure ingress firewall rules (like iptables)
    • network load balancing has port filtering: any port that is not load-balanced is dropped by GCP's highly scaling frontend infrastructure
    • HTTP/HTTPS load balancing can absorb and protect from IP spoofing and large SYN flood attacks
    • it also has fair-share allocation built in
And:

Google Cloud Platform provides a number of features to defend against DDoS attacks. You can use these in conjunction with the above mentioned best practices and other measures tailored to your requirements to make your GCP deployment resilient to DDoS attacks.
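To make two of the listed mitigations concrete, here is an added example (my own toy model, not GCP code and not from the Google document) of a frontend that applies port filtering and a per-source fair-share limit on SYN packets. Packets, the allowed-port set and the rate limits are all constructed values for the demonstration. Each source gets its own token bucket, so a single flooding source exhausts only its own allowance and the legitimate client is unaffected. The caveat is the one the post's third bullet hints at: a real SYN flood spoofs its source addresses, which defeats per-source accounting, and that is why absorbing spoofed SYN floods has to happen in the provider's frontend rather than in per-client limits.

```python
import collections

ALLOWED_TCP_PORTS = {80, 443}   # constructed: only the load-balanced ports are open
SYN_RATE_PER_SECOND = 5.0       # constructed: sustained SYNs allowed per source
SYN_BURST = 10                  # constructed: bucket size, i.e. allowed burst


class FrontendFilter:
    """Toy model of port filtering plus a per-source token bucket for SYNs."""

    def __init__(self, allowed_ports, syn_rate, syn_burst):
        self.allowed_ports = allowed_ports
        self.rate = syn_rate
        self.burst = syn_burst
        self.buckets = {}                 # source ip -> (tokens, last timestamp)
        self.stats = collections.Counter()

    def _take_token(self, src, now):
        """Refill the source's bucket for the elapsed time, then spend one token."""
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        return False

    def handle(self, pkt):
        """Return the decision for one packet and update the counters.

        pkt is a constructed dict: {"src", "dport", "flags", "ts"}.
        """
        if pkt["dport"] not in self.allowed_ports:
            self.stats["dropped_port"] += 1       # port filtering
            return "drop:port"
        if pkt["flags"] == "SYN" and not self._take_token(pkt["src"], pkt["ts"]):
            self.stats["dropped_syn_rate"] += 1   # fair-share limit on new connections
            return "drop:syn-rate"
        self.stats["forwarded"] += 1
        return "forward"


def simulate():
    """Run constructed traffic through the filter and return the counters."""
    f = FrontendFilter(ALLOWED_TCP_PORTS, SYN_RATE_PER_SECOND, SYN_BURST)
    traffic = []
    # Legitimate client: one new connection per second, then data on each.
    for t in range(5):
        traffic.append({"src": "198.51.100.7", "dport": 443, "flags": "SYN", "ts": float(t)})
        traffic.append({"src": "198.51.100.7", "dport": 443, "flags": "ACK", "ts": t + 0.5})
    # Flooding source: 200 SYNs at the same instant.
    for _ in range(200):
        traffic.append({"src": "203.0.113.9", "dport": 443, "flags": "SYN", "ts": 0.0})
    # Scans against a port that is not load-balanced.
    for t in range(3):
        traffic.append({"src": "203.0.113.9", "dport": 22, "flags": "SYN", "ts": float(t)})
    for pkt in sorted(traffic, key=lambda p: p["ts"]):
        f.handle(pkt)
    return f.stats


if __name__ == "__main__":
    print(dict(simulate()))
```

In the simulated run the flooding source gets exactly its burst of ten connections through and the rest of its SYNs are dropped, every packet of the legitimate client is forwarded, and everything aimed at the closed port is discarded before any rate accounting happens.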

Encrypt your Drive using SanDisk SecureAccess 3.0

--Originally published at Computer and Information Security

As I prefer to use services for all kinds of users, I decided to buy a commercial USB drive at Walmart and use the brand's software for encryption.
It was very easy to install and use because of the user interface; it asks me for a "secure" password: at least 8 characters, with a special character, lower and upper case letters, and numbers.

After the encryption my drive has a special "folder" where I can store files and access them through the interface.
The application is portable, so I can access them on any Windows/macOS device.
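The password rules the tool enforces matter because, in password-based encryption tools of this kind, the password is the only secret: the data key is derived from it. The following added example (my own code, not SanDisk's software, whose internals the post does not describe) checks a password against the rules listed above and then derives a 256-bit key from it with PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the salt handling are assumptions for the demonstration, not a description of SecureAccess.

```python
import hashlib
import os
import string

MIN_LENGTH = 8                 # the "+8" rule from the post
KDF_ITERATIONS = 200_000       # assumed work factor for the demonstration
KEY_LENGTH = 32                # 256-bit key


def password_policy_failures(password):
    """Return the list of rules the password breaks (empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("at least %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        failures.append("a lower case letter")
    if not any(c.isupper() for c in password):
        failures.append("an upper case letter")
    if not any(c.isdigit() for c in password):
        failures.append("a number")
    if not any(c in string.punctuation for c in password):
        failures.append("a special character")
    return failures


def derive_key(password, salt):
    """Turn the password into a fixed-length key with a slow, salted KDF.

    The salt is stored next to the encrypted data; the iteration count makes
    each guess expensive, which is why the password rules above still matter.
    """
    if password_policy_failures(password):
        raise ValueError("password does not meet the policy")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=KEY_LENGTH)


def new_salt():
    """A fresh random salt per protected volume (16 bytes)."""
    return os.urandom(16)


if __name__ == "__main__":
    salt = new_salt()
    for candidate in ("password", "Walmart-Drive2017!"):  # constructed samples
        problems = password_policy_failures(candidate)
        if problems:
            print(candidate, "rejected, needs:", ", ".join(problems))
        else:
            print(candidate, "accepted, key:", derive_key(candidate, salt).hex())
```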



2FA

--Originally published at Computer and Information Security

After the last TC2027 class on Monday the 14th and Ken's suggestion of using a "strong" password, I was trying to figure out what happens to our "regular" password when we activate 2FA such as an SMS, a phone call or the Google Authenticator app.
So I researched it and made this small post about it.

What I found was many examples of how 2FA and MFA are present in really normal transactions like credit cards, banks and doors. To say that we are using 2FA we should have 2 of:

  • something you know
  • something you have
  • something you are

This basically adds security layers to the standard "something you know" user and password. Based on that it is easy to resolve my questions: 2 layers are better than just 1, and stronger layers improve security even further.

Another point I found is that there is a problem with password recovery features, because normally this process bypasses 2FA, so many services have implemented a 3FA for recoveries, like a third-party contact or a unique security key (64 digits).

And on the balance of Secure <-> Easy to Use you can keep it simple: even though it could be a problem to lose the 2nd factor or to access an account easily on a "new" device, you can have special one-use passwords for specific devices or apps.

Right now I use 2FA only on my primary accounts (G Suite, iCloud, FB, Dropbox, Git) and use Keychain as a password-management system to generate and save strong passwords for everything else, and I could recommend you to do the same.
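The Google Authenticator app mentioned above implements TOTP (RFC 6238), which builds on HOTP (RFC 4226): the phone and the server share a secret, and the code is an HMAC of the current 30-second time step, truncated to 6 digits. The "something you have" is the phone holding that secret. Below is an added example (my own code, not from the post or from Google) implementing both algorithms with the standard library, plus a server-side verifier that accepts one step of clock skew and never accepts the same code twice; the `login` function shows the point of the post, that the password and the code are both required. The secret, timestamps and the skew window are my assumptions; the RFC test vector (secret `12345678901234567890`) is used only to check the implementation.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactor:
    """Server-side verifier for the 'something you have' factor."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window        # steps of clock skew tolerated on each side
        self.last_used_step = -1    # replay protection: a code is valid once

    def verify(self, code, now):
        """True if `code` matches a not-yet-used step within the skew window."""
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_used_step:
                continue   # already consumed (or older than a consumed code)
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


def login(password_ok, second_factor, code, now):
    """Both factors must pass: something you know AND something you have."""
    return bool(password_ok) and second_factor.verify(code, now)


if __name__ == "__main__":
    shared_secret = b"12345678901234567890"   # RFC 6238 test secret, for demonstration only
    server = SecondFactor(shared_secret)
    now = time.time()
    code = totp(shared_secret, now)            # what the app on the phone would display
    print("code:", code, "login:", login(True, server, code, now))
    print("replayed code accepted:", login(True, server, code, now))
```

Two details carry the security here: the comparison is constant-time, and `last_used_step` only moves forward, so a code captured in transit cannot be replayed within its window. This is also why the post's concern about recovery flows is real: a reset path that skips `verify` removes the second factor entirely.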


References:
https://www.google.com/landing/2step/
https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
https://www.lynda.com/Server-tutorials/Multifactor-authentication/606075/643304-4.html