Unintentional Security Issues. WOOPS!

--Originally published at Eric tries to write down cool things

If I had to pick 1 topic to be my favorite from the mastery topics list, this one would win and by far.


Why do I think it’s the best one? Welllll, we like to screw up OVER AND OVER!

Most security issues come from unintentional implementation mistakes. Badly written code, badly implemented restrictions, too much information given away to users who don’t need it, showing your code to your mom.

Really! Damn! There is so much to screw up all over the damn place! It’s just impossible to cover every single security scenario. The best you can do as a security brigadier is to implement and think of all the things you are capable of. Think of every single mother effing scenario you can think of that could go wrong. You won’t cover all of them, but oh boy will you try and make things better!

We covered a lot of issues in class demonstrating how things were badly made. For example, Isaac bought some bus tickets online to go to Tepic, but he didn’t receive the tickets, so he YOLOed, went into the console and started looking for answers… AND OH BOY HE FOUND THEM! He found the source code of many things that could have compromised the information of other users aboard the bus, and he could resubmit other information to the webpage, which is a huge security issue.

And now, do we really think that the engineer from this site made this on purpose? Let’s damn hope he didn’t, if he did, well what a damn ass.

He didn’t expect that a mortal like Isaac would go in the chrome console to look for answers. This was the programmer’s demise, to think there were no other gods aside from him.

So remember kids! Try to break your stuff.


Basic things, dude. BASIC THINGS!

--Originally published at Eric tries to write down cool things

The network can be a Universe of its own. Vast, full of things that are or can be unknown. And just like in Sci-Fi movies, it is plagued with dangers. Hackers, malware, etc. Everything is there. Like in some movies, you need to learn to protect yourself. If not, you might end up just like those victims, getting eaten by that unknown thing.

Everyday thing: Have an antivirus or antimalware and keep it updated too, obviously.

Basic protection: Use a firewall. If you are not at an expert level, please do not lower your firewall. Your computer comes with a firewall by default and it helps you filter bad stuff from the web.

Public doesn’t equal good: Don’t go onto public open networks without some sort of security, or even better, don’t get on them at all. By doing so, you are probably literally leaving your info in the air for someone to grab.

Buy smart, buy safe: Just do online shopping from trusted and well-recognized sites, preferably using platforms like Paypal.


Free software can come with a price: not all software out there is good, that’s why you should only download/install certified software.

If your browser recommends against it, don’t insist: Don’t play with fire. If your browser is already doubting the page’s certificate, it is probably because the page is dangerous. Unless you are 100% sure you know that web page, get out of there.

Use browser tools: Most browsers already come with plugins to block popup ads; I recommend using them or installing them.

Passwords: Try using different passwords; don’t use the same one for everything. Otherwise, if someone gets access to your password, it would grant access to all of your accounts. Also, make them secure by making


Denial of service, yeah that guy who screwed everyone up not long ago :)

--Originally published at Eric tries to write down cool things

This is a bit of an old issue that happened not so long ago, it destroyed a lot of stuff, including my belief that people are not asses.

Basically, this mother went through thousands of computers, making them useless because the user’s computer caught a small DoS. The way this attack works is:

The attacker massively sends a lot of slaves/files to a lot of users. The slave waits for the attacker’s command to activate and then freezes all activity on the victim’s computer so that the computer is useless. Here is where it gets nice: since the computer is useless, the victim has to have a salvation, right? Luckily the attacker has a passion for money, so he gives the victim the option to pay for his damn freedom!!! What a guy! He lets you buy your freedom back, for a damn price!


In computing, a denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.


The various types of certifications

--Originally published at Eric tries to write down cool things

This one is a bit more about how you can get certifications to prove that you are qualified for security matters. A bit of a pain if you ask me…

Licenses (depending on which one) may come from one of the following sources:

  1. Schools/Universities
  2. Vendors also known as sponsored credentials (e.g. Microsoft, Cisco)
  3. Association and Organization sponsored credentials
  4. Governmental body sponsored licenses, certifications and credentials

There are a lot of certifications out there, but here we are going to discuss just 5.

CEH Credential

Recently I discovered the Certified Ethical Hacker Credential. As discussed before in a blog post about Ethical Hacking, this certification ensures that the person is trained in detecting system vulnerabilities with the same techniques that hackers employ.

The exam for this type of certification has 125 questions related to penetration testing techniques, security laws and standards, malicious software coverage and hacking in general. Also, there are several sites and universities that offer training in the matter.

CompTIA

CompTIA works as a professional certification provider in the information technology industry. Once obtained, the certifications they offer, like A+, N+ and Security+, are valid for 3 years.

  • A+ is a basic, essential IT certification that demonstrates competence as a computer technician.
  • N+ (or Network+), well, the name speaks for itself: it certifies skills as a network technician.
  • Security+, the one we care about in the information security course, ensures security knowledge and skills; it covers principles for network security and risk management inside systems.

CISSP

Stands for Certified Information Systems Security Professional. This consists of an exhaustive 6-hour, 250-question examination. It is given to those who show deep knowledge and competence in new threats and growing security attacks. It covers topics like: identity and access management, security operations and asset security.

GIAC


Risk Assessment Methodologies.

--Originally published at Eric tries to write down cool things

So brace yourself for bad puns here and there.

It’s a way to figure out how important your system is and how far you are willing to go to protect it.

Contingency plan

Plan for disaster; it may spell the difference between a problem and a catastrophe. Backups are the key to disaster planning.

Threat Modeling

Getting into more technical stuff: one of the first steps in any kind of security development life cycle model is threat modeling. It is a procedure that hardens any kind of app or network instance by identifying objectives and vulnerabilities, and then countermeasures to prevent or mitigate their effect.

Risk Rating Methodology

What is the risk of a DDoS versus a phishing attack? How probable is each one? What are the costs to fix them? Risk rating is the capacity to estimate the associated risks and the impact they have on the business. The following formula tells what a risk is composed of:

Risk = likelihood * impact

There are a series of steps in order to measure the severity of the risk:

  1. Identify the risk
  2. Estimate the likelihood
  3. Estimate the impact
  4. Determine the severity of the risk
  5. Fix
  6. Adapt the risk rating model to the specific project.
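Added example, not from the original post: a tiny risk register that applies Risk = likelihood * impact from above and ranks the items so the "Fix" step goes to the worst one first. The 1-5 ratings and the severity thresholds are constructed for illustration; the thresholds are exactly the knob that step 6 would tune per project.

```python
# Added example (not from the original post): Risk = likelihood * impact over a
# small register. Ratings are constructed 1-5 scores, not measured values.
from typing import List, Tuple

SCALE = (1, 5)  # likelihood and impact: 1 (rare / negligible) .. 5 (almost certain / severe)

def severity(likelihood: int, impact: int) -> int:
    """Step 4 of the post: the numeric severity, rejecting out-of-scale ratings."""
    lo, hi = SCALE
    if not (lo <= likelihood <= hi and lo <= impact <= hi):
        raise ValueError("likelihood and impact must be within %d..%d" % SCALE)
    return likelihood * impact

def band(score: int) -> str:
    """Map the severity to a label. These thresholds are this example's own choice
    and are what step 6 ("adapt the model") would tune for a specific project."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"

def rank_risks(register: List[Tuple[str, int, int]]) -> List[Tuple[str, int, str]]:
    """Return (name, severity, band) sorted worst-first, i.e. the fix order for step 5."""
    scored = [(name, severity(l, i), band(severity(l, i))) for name, l, i in register]
    return sorted(scored, key=lambda r: r[1], reverse=True)

# Constructed register for the post's own question: DDoS vs phishing (plus one more).
DEMO_REGISTER = [
    ("DDoS against the public site", 3, 3),
    ("Phishing of staff credentials", 4, 4),
    ("Lost unencrypted laptop", 2, 5),
]

if __name__ == "__main__":
    for name, score, label in rank_risks(DEMO_REGISTER):
        print(f"{label:8} {score:2}  {name}")
```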

psssst imma let you into a secret >_>/ .. <_<

--Originally published at Eric tries to write down cool things

Replace “wow” with “Encryption” and we’ve got ourselves a good meme.

Did you know that you always had the opportunity to encrypt all your info and all your messages? Well! Turns out the only thing you needed is your power of will, a little math here and there and BOOM ! YOU ARE ENCRYPTED.

Now the pain comes when you want to encrypt all your stuff. L.O.L.

Good luck with that, and with remembering the decrypting process and keys for all your things.

In the field, this same principle of encoding a message to increase its security is known as Cryptography.

Cryptography ensures not only that only the intended recipients can read the message, but also that it won’t be changed by other people, and the authentication of the sender and receiver; because, if only your friend-crush Anna knows the secret key and your love letter gets public, then you can be sure you don’t need Anna close anymore.

It is clear that cryptographic methods are not as simple as the ciphers described above (they should not be), for that we have several algorithms that can fall in two main categories:

  • Symmetric cryptography
  • Asymmetric cryptography


Symmetric cryptography has some weaknesses compared to asymmetric, because these methods use only one key to encrypt and decrypt the message. If the key gets intercepted during the exchange between the sender and the receiver, then you are basically dead.

On the other hand, asymmetric cryptography uses two keys: public and private. The public one is shared with anyone who wants to send you a message. The private one must not be shared, because it is used to decipher the messages sent to you. This is an advantage because in large companies, you will only need 2 keys
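Added example, not from the original post, to make the one-key vs two-key difference concrete: it counts how many keys each approach needs so that n people can all talk privately, and runs textbook RSA with tiny constructed primes (p=61, q=53, e=17, absurdly small and unpadded, purely for readable numbers) to show that only the private exponent undoes what the public one did.

```python
# Added example (not from the original post). Textbook RSA with toy primes is for
# illustration only; real systems use 2048-bit moduli, OAEP padding and a vetted library.
from math import gcd
from typing import Tuple

def keys_to_distribute(n_parties: int) -> Tuple[int, int]:
    """Secret material to set up so every party can talk to every other.
    Symmetric: one shared key per pair -> n(n-1)/2 keys, each needing a safe exchange.
    Asymmetric: one public/private pair per party -> 2n keys, only n of them secret."""
    symmetric = n_parties * (n_parties - 1) // 2
    asymmetric = 2 * n_parties
    return symmetric, asymmetric

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)

# Constructed demo key: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753.
PUBLIC, PRIVATE = rsa_keypair(p=61, q=53, e=17)

def public_key_cannot_decrypt(m: int) -> bool:
    """Applying the *public* exponent to the ciphertext does not give m back."""
    c = rsa_encrypt(PUBLIC, m)
    n, e = PUBLIC
    return pow(c, e, n) != m and rsa_decrypt(PRIVATE, c) == m

if __name__ == "__main__":
    print("keys for 100 people (symmetric, asymmetric):", keys_to_distribute(100))
    c = rsa_encrypt(PUBLIC, 65)
    print("65 ->", c, "->", rsa_decrypt(PRIVATE, c))
```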


I don’t know who you are but …

--Originally published at Eric tries to write down cool things

Maybe on some occasion you have wondered why (if not, you should) you have to identify yourself EVERY SINGLE TIME you want to log in to your email, favorite game, or even your computer. Well, this is all for your own safety. There exist these concepts called Authentication, Authorization and Access Control, which some people take as if they were the same, because normally end users aren’t aware of the whole process: you just put in your username and password and magic’s done.

The first step is authentication, a.k.a. inputting your user and password, well, most of the time; there are also other ways to identify yourself like a PIN, facial recognition, a fingerprint, or a secret code, just to name some examples. This last one is used very often for something called two-step verification, which is a simple procedure designed to increase your security, because it’s really easy for someone to steal your password. Two-step verification is used by some companies like Sony on the PlayStation; Google and Telegram also have an option to turn it on. But not everything is perfect: a “disadvantage” of this method is that it’s a little bit annoying, but if that doesn’t bother you, then unless you also lose your cell phone or whichever device you receive the code on, it’s WAY SAFER.

We can divide the methods of authentication in three:

  1. With something you know, like the password, PIN, etc.
  2. Something you have, like a smart-card
  3. By who you are or what you do, like voice recognition or a fingerprint.

But why is this useful? Wouldn’t it be easier if they let me in without asking anything??

All this just to know WHO YOU ARE?

This leads us to the Authorization, this is just a system verification of what you can do depending on who


Ethical hacking. WUT!?

--Originally published at Eric tries to write down cool things

Hacking. What a word

isn’t it fun?
isn’t it dangerous?
isn’t it nerdy?
isn’t it sexy?           (maybe not)

Hacking has so many meanings, from hacking the whole damn internet to enslaving the world for your every desire, even from the comfort of your room in your parents’ house (phew), to just writing a damn hello world in Lisp

https://learnxinyminutes.com/docs/common-lisp/

My point is that hacking has so many meanings, and society can interpret our hacking as programmers however they want, but it is OUR job and responsibility to program and invent new apps and tools to help our society grow as a single one, not to hack their freaking Facebook account.

When someone decides to make an application to administer someone’s bank account, you are agreeing to take care of his data, to be responsible for whatever goes wrong in the app. You are ensuring that the user can trust you.

Maybe you have signed it (not literally), but I’m so damn sure you’ve had to go through a talk or a reading about our responsibility as programmers to ensure our users’ well-being.

Behind the scenes, we are the heroes that keep our world safe without anyone ever noticing. We hack some damn code!



Integrity, Availability and Confidentiality

--Originally published at Eric tries to write down cool things

This one is a bit more boring since it’s mainly definitions, my grain of sand here is to add the fun to it, so here goes nothing.


Confidentiality:

Don’t gossip and try to keep everyone as safe as possible. Damn it

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can, in fact, get it: Access must be restricted to those authorized to view the data in question.

Availability:

Does this thing even work? Damn it.

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. It’s also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover, RAID and even high-availability clusters can mitigate serious consequences when hardware issues do occur.

Integrity:

Can I trust this thing? Damn it.

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). These measures include file permissions and user access controls.


Reference:

http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA


Damn it.



Internet security? What the devil is that?

--Originally published at Eric tries to write down cool things

Nowadays everyone has a computer. Everyone is on a social media, everyone is connected, the. whole. time. Even your mother has a device that may connect to her microwave and when she warms that bowl of milk, she might be risking her own security online, and she won’t even notice it!

When it comes to security, you do not mess around, especially if you are living in 2017 where everyone gets offended and triggered.

Basic security is needed by everyone. If you are a good citizen of this world and a merciful God to the non-programmer mortals, you will be willing to share your knowledge with whoever needs it. Intermediate security knowledge must be a thing that all CS students have under their belt; it’s just a matter of learning it by force, and you may not like what you get out of that.

According to our ethics, you are obliged to promote these values with your family and friends.

Now be a good boy/girl/thing and help your mother set up her 2-step verification on Facebook; her information and your family will thank you for that.