Crypt0gr4phy

--Originally published at Stories by Juan Andrés Rocha on Medium

Basically, cryptography is used to protect valuable information, according to Microsoft.

Imagine you want to send a note to your crush in class, and you don’t want anyone else to see it. How do you do it? Do you write “I like you” in plain text? Do you write “ILY”? Cryptography can help you tell your crush you like them without anyone else knowing.

You could encrypt your love message, which here means making your message unintelligible to anyone except you or someone who gets you, send the encrypted message to your crush, and they would be able to decrypt it if and only if you gave them the key.

In IT, there are several ways of sharing these keys, and one of the most common is RSA Key Exchange. RSA lets you send your private key to a person, only decryptable by their public key. No one else would be able to use it except them. It would be like leaving a note with the way to decrypt your message in your crush’s backpack before class started.

Everyone would be seeing something like: aW3"·4421.1..1!!!2lk, while your crush would see: “I like you.”

Planning ahead, that is, Data Integrity

--Originally published at Bytes of Mind

In my last post I talked a bit about the project I’m working on right now, and a lot of the things I mentioned had to do with data and the way we managed it. I will use this post to continue talking about data, more specifically, keeping its integrity.

Let me start by saying that the first thing we did to ensure that our data was complete was to define how the information was going to be stored. We decided on using a non-relational database with MongoDB to be able to link and handle our data more freely, but it’s not a silver bullet. Since we are not using SQL, there isn’t really a danger of some data schemes making no sense, but that’s why we had to be careful and make sure every single little piece of data we needed was accounted for in the way it was intended. Even though we didn’t use relational schemas, we still had to create our own pseudo-schemas.

But there is more to integrity than defining the way data is going to be handled. The principle of integrity basically states that information only has value if it is correct, in other words, that it hasn’t been tampered with. So what we decided to do about this was to encrypt the data, and for things such as the login, the encrypted data sent had to be checked against the encrypted data stored to see if it was correct. Other things such as the result of the game were a bit more tricky, since there isn’t anything to compare them to, being dynamic data, so the integrity of this was kept in line more by the sheer amount of information being generated by the game time and time again, and then running the data through
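The two checks described above (a login credential compared against its stored form, and a game result that has no stored copy to compare against) as an added example, not the project's own code. It assumes a salted password hash is stored instead of an encrypted password, and that the game component holds a shared server key with which it tags each result so the web app can verify the result was not altered in transit; `store_password`, `verify_password`, `tag_result` and `verify_result` are names chosen here.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Constructed for this example: cost parameter for PBKDF2.
PBKDF2_ROUNDS = 200_000


class StoredCredential(NamedTuple):
    """What the database keeps: the salt and the derived hash, never the password."""
    salt: bytes
    digest: bytes


def store_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Derive a salted hash to store; a fresh random salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return StoredCredential(salt, digest)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Login check: recompute with the stored salt and compare in constant time,
    so the comparison itself does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored.digest)


def tag_result(server_key: bytes, session_id: str, score: int) -> str:
    """Game side (assumed design): attach an HMAC over the session id and score.
    Without a stored copy to compare against, the tag is what lets the receiver
    detect a modified score."""
    message = f"{session_id}:{score}".encode("utf-8")
    return hmac.new(server_key, message, hashlib.sha256).hexdigest()


def verify_result(server_key: bytes, session_id: str, score: int, tag: str) -> bool:
    """Web app side: accept the result only if the tag recomputes to the same value."""
    expected = tag_result(server_key, session_id, score)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    record = store_password("correct horse")           # constructed sample credential
    print(verify_password("correct horse", record))    # True
    print(verify_password("wrong horse", record))      # False
    key = os.urandom(32)                               # constructed shared key
    tag = tag_result(key, "session-1", 1200)
    print(verify_result(key, "session-1", 1200, tag))  # True
    print(verify_result(key, "session-1", 9999, tag))  # False: score was altered
```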


Managing IT Risks

--Originally published at Stories by Juan Andrés Rocha on Medium

First of all, what is risk? Risk is a word which here means the possibility of something bad happening, for example, stumbling on a rock and dropping your ice cream.

We could’ve managed that risk by taking the rock out of the way when we went to buy our ice cream in the first place, but we may have thought it wasn’t worth the time or effort. Now that we’re about to lose our ice cream, we regret it.

Imagine this happening not to your ice cream, but to a bunch of other people’s data in your hands. Credit card information, birth certificates, pictures of their dogs.

There are several frameworks that help us prevent or manage these risks, but we’re going to talk about ISO 27005.

The newest version of ISO 27005 was released in 2011, and since every standard is reviewed every 5 years, it is currently under review.

It basically consists of guidelines for identifying, analyzing, and assessing risks, divided into categories like:

Context Establishment:

First, you have to establish a context by identifying essential assets, and values to protect. Also, evaluate possible risks and their consequences and define the boundaries of the administrator.

Risk Assessment:

This phase consists of risk identification, analysis and evaluation.

Risk Treatment:

In risk treatment you decide how to treat this risk, whether you ignore it or do something about it, and how you plan to treat it.

Risk Acceptance:

Here you decide whether you accept the plan or not.

Risk Communication:

This one is pretty obvious.

Risk Monitoring:

Here you monitor the risks, some new risks may appear, as they’re not static.

Here’s a nice report on how to use ISO 27005.

Developing, that is, Integrating Security

--Originally published at Bytes of Mind

For the past four months, I’ve been working on a school project that involves integrating different school courses into a single project. The project revolves around helping elementary school kids practice and start integrating math into their daily lives. I, along with three other team members, am working on a web app called Skalia, and a small game similar to Asteroids called Mateoro, where you shoot the asteroids by solving arithmetic operations within them. In short, a user, be it a student or teacher, can log into Skalia; the student can play Mateoro while the teacher can monitor their progress.

Mateoro concept art (image)

While developing the web app and the game, we haven’t been forgetting about security either. One of our main concerns was how we were going to manage sensitive data. After talking for a while, the team reached the conclusion that, first and foremost, we were going to use the least possible amount of data, so in case something was compromised, the damages would be kept to a relative minimum. To keep data safe, we also decided that we were going to encrypt the data we stored. At first, it was just the usernames and passwords, but it honestly is a better idea to just encrypt everything.

Besides data management, there were some other things that had to be taken into consideration, mainly because we were going to be dealing with young kids. One of said things was going to be the way we would handle logouts, for two reasons. We run a script that automates the difficulty of the game as soon as the session ends, and the other one was that we knew the kids would probably just close the browser instead of logging out. We had to play around with cookies for this, but


TC2027

--Originally published at TC2027 – Surviving CS

This is the third class I took with Ken, and I must say all the classes have been such a different experience. This is the second class I took that is primarily focused on blogging and sharing my experience, and this one is the one that I enjoyed the most. Maybe I lacked in my blogging skills, but the topics I learned in class and the whole experience of learning by myself and digging into the internet was fulfilling.

TC2027 was focused on Informatic Security. I learned about ransomware, VPNs, cryptography, SSH, security from the user perspective, etc. Also, what I liked was the Slack group and all the resources my classmates shared. This was also a hugely important part of the class, because from time to time I logged on to the group and read the articles that they shared, and I could learn about what was happening in the security world.

Overall, the flipped learning concept is great, and it’s all about having an independent motivation to learn, because we are free to learn as much as we want and immerse ourselves in a single topic or as many as we can handle.


TC2027

--Originally published at Computer and Information Security

Working with Ken is a completely different way to learn; it challenges you to improve and to learn by exploring the world/internet in a DIY way.

I really enjoyed taking the course with him because it was an easy way to learn and to complete the course, not to get a good grade but to get the knowledge you expect to receive in this course.

Course objective:
Upon completion of this course, students will have gained an overview of the area of computer security and the basic knowledge needed to understand the risks, threats and vulnerabilities of computer systems in today's world, as well as the controls and protection methods against possible attacks, which are indispensable for these systems to work properly in contemporary companies. They will also be familiar with the existing national and international laws related to computer system security.

Yes, for me the course objective was accomplished, and I strongly recommend taking any possible course with Ken, not only because he has the knowledge to share related to the course, but also because as a person Ken is full of great skills that he shares with his students, and those are more valuable than the static knowledge.

Operating System Security

--Originally published at Computer and Information Security

Among the major operating systems, MacOS is one of the most important. Yesterday a vulnerability was discovered that allowed a guest user to obtain administrator privileges with a simple change to the user name and several presses of Enter.
You can see the original discovery here.

The most interesting part of this is that 19 hours later Apple already had an update to the operating system available in its download center that fixed the problem.

No system is perfect, but the speed of reaction and the commitment of its creators to keeping it secure, reliable and functional is what makes its users stay.

Ethical Hacking

--Originally published at Stories by Juan Andrés Rocha on Medium

Hacking is a word often perceived as negative and really far from “ethics” and “good things”. But it is not.

Before we judge the so-called hackers, we must get familiar with the hacker culture:

Hacker culture emerged from a fusion of intellectual curiosity, counter-culture and a hate-on for any technology that you couldn’t easily get access to or tamper with. — Forbes

Basically, a hacker is a person who finds creative workarounds to turn their devices or technology pieces into something more useful to them, even if it means breaking, modifying or creating ‘frankensteins’ with them.

Some companies are trying to make hacking of their devices illegal, which I think shouldn’t be the case, because if you already paid for a device, and it could better fit your needs, and you know how to change it to do so, why wouldn’t you? Why would a company limit what you can do with the devices you already paid for? Voiding the warranty is valid. Making it illegal is not.

A good example of the above is jailbreaking iOS, which might seem harmless if you use it correctly (it also voids your warranty, so be careful), but it can be used for wrong purposes, like pirating apps or downloading illegal content on your phone.

There’s also the issue of ethical hacking. You might be wondering if that’s possible, and it might be, sometimes even necessary. For example: if you’re a network administrator, you should try to hack your network every way possible to find vulnerabilities in your own creation; this will help you prevent other malicious people from gaining access to your network in the future.

So, what do you think? Is Ethical Hacking a thing?

Make Your Online Identity Safe Again (10) – I Will Tell You A Secret.

--Originally published at ISC de día, intento de cinéfilo de noche.

The confidentiality concept of the app is also very important. The user must feel like we are respecting their privacy; he/she has to feel protected and that his/her information will remain secret from the rest of the world. It is true that you leave a trace when you are on the Internet; deleting your browsing history will not erase the fact that you entered a website. Imagine that your trace is like walking on wet cement: your steps will stay there forever.

But that is way different from keeping confidentiality. Privacy is helping the user to feel comfortable taking those steps, and making sure that only trustworthy people have access to see them; at the end of the day, we have to walk to make our lives worthy.

We encrypted the footsteps, so if anyone tries to look through them, they will not see human footsteps; they could end up seeing pterodactyl steps or something like that. The kids and the teachers will have access to the app by using their IDs and passwords, and we’ll have a backup of the information, saved under key.

I really hope my analogy helped to understand confidentiality a little better.

Make Your Online Identity Safe Again (9) – Open and Free.

--Originally published at ISC de día, intento de cinéfilo de noche.

Ken asked us to take a picture of what open meant to us. I believe that the Internet is the most open door we have. It gives us the opportunity to express ourselves, to research any topic in the world. The problem with a door being open is that you can pass through it both ways, so let’s be careful when entering it.