Risk Assessment Methodologies.

--Originally published at Eric tries to write down cool things

so brace yourself for bad puns here and there.

A risk assessment is a way to figure out how important your system is and how far you are willing to go to protect it.

Contingency plan

Plan for disaster; it may spell the difference between a problem and a catastrophe. Backups are the key to disaster planning.

Threat Modeling

Getting into more technical stuff: one of the first steps in any kind of secure development life cycle is threat modeling, a procedure that improves the security of an app or network by identifying its objectives and vulnerabilities and then the countermeasures that prevent or mitigate their effects.

Risk Rating Methodology

What is the risk of a DDoS versus a phishing attack? How probable is each one? What are the fixing costs? Risk rating is the capacity to estimate the associated risks and the impact they have on the business. The following formula shows what a risk is composed of:

Risk = likelihood * impact

There are a series of steps in order to measure the severity of the risk:

  1. Identify the risk
  2. Estimate the likelihood
  3. Estimate the impact
  4. Determine the severity of the risk
  5. Fix
  6. Adapt the risk rating model to the specific project.
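As an added example that is not part of the original post, the Python script below works the six steps above through for the two threats the post asks about, DDoS and phishing. It scores likelihood and impact factors on the 0-9 scale of the OWASP Risk Rating Methodology, averages each group into a LOW/MEDIUM/HIGH band, looks the pair up in OWASP's severity matrix, and ranks risks by the post's formula `Risk = likelihood * impact`. The factor values for the two sample risks are constructed for illustration, not measurements.

```python
from typing import Dict, List, Tuple


def band(score: float) -> str:
    """Map an averaged 0-9 factor score onto the OWASP LOW/MEDIUM/HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError("factor scores must be within 0..9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# (likelihood band, impact band) -> overall severity, the OWASP 3x3 matrix.
SEVERITY: Dict[Tuple[str, str], str] = {
    ("LOW", "LOW"): "NOTE",      ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM",   ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


class Risk:
    def __init__(self, name: str, likelihood_factors: Dict[str, int], impact_factors: Dict[str, int]):
        self.name = name
        self.likelihood_factors = likelihood_factors   # e.g. skill needed, motive, opportunity
        self.impact_factors = impact_factors           # e.g. loss of C/I/A, accountability
        for v in list(likelihood_factors.values()) + list(impact_factors.values()):
            band(v)                                    # reject out-of-range inputs early

    def likelihood(self) -> float:                     # step 2
        return sum(self.likelihood_factors.values()) / len(self.likelihood_factors)

    def impact(self) -> float:                         # step 3
        return sum(self.impact_factors.values()) / len(self.impact_factors)

    def score(self) -> float:
        """The post's formula: Risk = likelihood * impact."""
        return self.likelihood() * self.impact()

    def severity(self) -> str:                         # step 4
        return SEVERITY[(band(self.likelihood()), band(self.impact()))]


def rank(risks: List[Risk]) -> List[Risk]:
    """Order risks so fixing effort (step 5) goes to the largest score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample ratings; a higher likelihood factor means "more likely"
# (e.g. skill_needed=9 means no special skill is required).
DDOS = Risk("DDoS",
            {"skill_needed": 9, "motive": 4, "opportunity": 9, "attacker_pool": 9},
            {"confidentiality": 2, "integrity": 1, "availability": 7, "accountability": 1})
PHISHING = Risk("Phishing",
                {"skill_needed": 6, "motive": 9, "opportunity": 7, "attacker_pool": 9},
                {"confidentiality": 7, "integrity": 5, "availability": 1, "accountability": 7})

if __name__ == "__main__":
    for r in rank([DDOS, PHISHING]):
        print(f"{r.name:9} likelihood={r.likelihood():.2f} impact={r.impact():.2f} "
              f"score={r.score():.1f} severity={r.severity()}")
```

Step 6 (adapting the model to the project) is where you change the factor names, the band thresholds or the matrix; keeping them in data rather than in code is what makes that adaptation cheap.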

psssst imma let you into a secret >_>/ .. <_<

--Originally published at Eric tries to write down cool things

replace “wow” with “Encryption” and we’ve got ourselves a good meme.

Did you know that you always had the opportunity to encrypt all your info and all your messages? Well! Turns out the only thing you needed is your power of will, a little math here and there and BOOM ! YOU ARE ENCRYPTED.

Now the pain comes when you want to encrypt all your stuff. L.O.L.

Good luck with that, and with remembering the decrypting process and keys for all your things.

In the field, this same principle of encoding a message to increase its security is known as cryptography.

Cryptography ensures not only that only the intended recipients can read the message, but also that it won’t be changed by other people, and the authentication of the sender and receiver; because, if only your friend-crush Anna knows the secret key and your love letter gets public, then you can be sure you don’t need Anna close anymore.

It is clear that cryptographic methods are not as simple as the ciphers described above (they should not be); for that we have several algorithms that fall into two main categories:

  • Symmetric cryptography
  • Asymmetric cryptography

Symmetric cryptography has one main weakness compared to asymmetric: this method uses a single key to both encrypt and decrypt the message. If the key gets intercepted while it is being exchanged between sender and receiver, then you are basically dead.

On the other hand, asymmetric cryptography uses two keys: public and private. The public one is meant to be shared with anyone who intends to send you a message. The private one must not be shared, because it is used to decipher the messages sent to you. This is an advantage because in large companies you will only need 2 keys

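To make the two categories concrete, here is an added Python example (not code from the original post). It counts how many keys a group of people must manage under each scheme, shows a symmetric cipher where one shared key does both directions, and contrasts it with a toy RSA key pair where anyone can seal a message with the public key and only the private key opens it. The primes 61 and 53 are the classic textbook values and are assumed here purely for teaching; real RSA keys are built from primes of 1024 bits or more.

```python
import math
import secrets


def keys_to_manage(people: int, scheme: str) -> int:
    """Keys the whole organisation must distribute so everyone can talk to everyone."""
    if scheme == "symmetric":
        return people * (people - 1) // 2   # one shared secret per pair of people
    if scheme == "asymmetric":
        return 2 * people                    # one public/private pair per person
    raise ValueError(f"unknown scheme {scheme!r}")


# --- symmetric: one secret key, used for both directions ---------------------
def xor_cipher(key: bytes, data: bytes) -> bytes:
    """One-time-pad style XOR: the same call encrypts and decrypts.
    The key must be at least as long as the message and must never be reused."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(k ^ d for k, d in zip(key, data))


# --- asymmetric: toy RSA with textbook-sized primes ----------------------------
def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public, private) built from primes p and q (assumed tiny teaching values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    """Only the holder of the private key can do this."""
    n, d = private
    return pow(c, d, n)


def demo() -> dict:
    # Symmetric: you and Anna must already share `shared` before anything is sent,
    # and that exchange is exactly the moment the post warns about.
    shared = secrets.token_bytes(16)
    note = b"meet at 8"
    sym_roundtrip = xor_cipher(shared, xor_cipher(shared, note)) == note

    # Asymmetric: Anna publishes `public`; nothing secret travels to the sender.
    public, private = rsa_keygen(61, 53)    # n = 3233, the classic textbook pair
    letter = 65
    sealed = rsa_encrypt(public, letter)
    opened = rsa_decrypt(private, sealed)
    return {"sym_roundtrip": sym_roundtrip, "public": public,
            "sealed": sealed, "opened": opened}


if __name__ == "__main__":
    for n in (2, 10, 100):
        print(n, "people:", keys_to_manage(n, "symmetric"), "symmetric keys vs",
              keys_to_manage(n, "asymmetric"), "asymmetric keys")
    print(demo())
```

The key-count function is the "large companies" point in numbers: with 100 people the symmetric scheme needs 4950 pairwise secrets, the asymmetric one 200 keys, two per person.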

I don’t know who you are but …

--Originally published at Eric tries to write down cool things

Maybe on some occasion you have wondered why (if not, you should) you have to identify yourself EVERY SINGLE TIME you want to log in to your email, your favorite game, or even your computer. Well, this is all for your own safety. There exist these concepts called Authentication, Authorization and Access Control, which some people take as if they were the same, because normally end users aren’t aware of the whole process: you just put in your username and password and the magic’s done.

The first step is authentication, a.k.a. inputting your user and password, well, most of the time; there are also other ways to identify yourself, like a PIN, facial recognition, a fingerprint, or a secret code, just to name some examples. This last one is used very often for something called two-step verification, which is a simple procedure designed to increase your security, because it’s really easy for someone to steal your password. Two-step verification is used by some companies like Sony on the PlayStation; Google and Telegram also have an option to turn it on. But not everything is perfect: a “disadvantage” of this method is that it’s a little bit annoying, but if you don’t mind that, then unless you also lose your cell phone or whichever device receives the code, it’s WAY SAFER.

We can divide the methods of authentication into three:

  1. Something you know, like a password, a PIN, etc.
  2. Something you have, like a smart card.
  3. Who you are or what you do, like voice recognition or a fingerprint.
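The "secret code" second step described above is usually a one-time code computed on the phone and checked on the server. As an added example (not code from the original post), here is the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) in Python: an HMAC-SHA1 over a counter, truncated to six digits, with the counter derived from the clock in 30-second steps. The `SecondFactor` class is the server-side verifier and adds two things a real deployment needs: a small tolerance for clock drift and a replay guard so a code that already logged someone in cannot be used again. The secret is the 20-byte test secret from the RFCs, not a real key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second periods (RFC 6238).
    This is what the app on the phone computes."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


class SecondFactor:
    """Server-side verifier for the code the user reads from their device."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window        # accept +/- `window` steps of clock drift
        self.last_counter = -1      # highest counter already accepted (replay guard)

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        now = int(at) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter < 0 or counter <= self.last_counter:
                continue            # never before time zero; never reuse an accepted code
            expected = hotp(self.secret, counter).encode("ascii")
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(expected, submitted.encode("utf-8")):
                self.last_counter = counter
                return True
        return False


# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890"); not a real key.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code right now:", totp(TEST_SECRET))
    verifier = SecondFactor(TEST_SECRET)
    print("accepted:", verifier.verify(totp(TEST_SECRET)))
    print("replayed:", verifier.verify(totp(TEST_SECRET)))   # same code again -> False
```

Because the code depends only on the shared secret and the clock, the server stores the secret per user and never needs to contact the phone; what it must protect is that secret, which is why it belongs in the same class of storage as password hashes.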

But why is this useful? Wouldn’t it be easier if they let me in without asking anything?

All this just to know WHO YOU ARE?

This leads us to Authorization, which is just the system verifying what you can do depending on who

Ethical hacking. WUT!?

--Originally published at Eric tries to write down cool things

Hacking. What a word

isn’t it fun?
isn’t it dangerous?
isn’t it nerdy?
isn’t it sexy?           (maybe not)

Hacking has so many meanings, from hacking the whole damn internet and enslaving the world to your every desire, even from the comfort of your room in your parents’ house (phew), to just writing a damn hello world in Lisp

https://learnxinyminutes.com/docs/common-lisp/

My point is that hacking has so many meanings, and society can interpret our hacking as programmers however they want, but it is OUR job and responsibility to program and invent new apps and tools to help our society grow as one, not to hack their freaking Facebook account.

When someone decides to make an application to administer someone’s bank account, they are agreeing to take care of that person’s data, to be responsible if something goes wrong in the app. You are ensuring that the user can trust you.

Maybe you have signed it (not literally), but I’m so damn sure you’ve had to go through a talk or a reading about our responsibility as programmers to ensure our users’ well-being.

Behind the scenes, we are the heroes that keep our world safe without anyone ever noticing. We hack some damn code!

Integrity, Availability and Confidentiality

--Originally published at Eric tries to write down cool things

This one is a bit more boring since it’s mainly definitions; my small contribution here is to add some fun to it, so here goes nothing.

Confidentiality:

Don’t gossip and try to keep everyone as safe as possible. Damn it

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can, in fact, get it: Access must be restricted to those authorized to view the data in question.

Availability: 

Does this thing even work? Damn it.

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. It’s also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover, RAID and even high-availability clusters can mitigate serious consequences when hardware issues do occur.

Integrity:

Can I trust this thing? Damn it.

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). These measures include file permissions and user access controls.

Reference:

http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

Damn it.

Internet security? What the devil is that?

--Originally published at Eric tries to write down cool things

Nowadays everyone has a computer. Everyone is on social media, everyone is connected, the. whole. time. Even your mother has a device that may connect to her microwave, and when she warms that bowl of milk she might be risking her own security online, and she won’t even notice it!

When it comes to security, you do not mess around, especially if you are living in 2017 where everyone gets offended and triggered.

Basic security is needed by everyone. If you are a good citizen of this world and a merciful god to the non-programmer mortals, you will be willing to share your knowledge with whoever needs it. Intermediate security knowledge must be something all CS students have under their belt; it’s just a matter of learning it by force, and you may not like what you get out of that.

According to our ethics, you are obliged to promote these values among your family and friends.

Now be a good boy/girl/thing and help your mother set up 2-step verification on Facebook; her information and your family will thank you for that.


Systems security pt. 2: STATS

--Originally published at Security blog

For the last post of this semester, we will talk about implementing system security in our project. Recall that system security covered things about operating systems and, in my understanding, the more local parts of a software system. Some parts were also given to us, like rules to follow, and they are not as many as they are for web security, but they are also important parts to keep in sight.

The password theory we saw, the one that used three things (what we know, what we have and what we are), was considered a little bit, but in the end, once again, we didn’t have time to implement more advanced things. We simply use written passwords. The other part we saw about this was NTFS, the other file system. We really didn’t see this thing in a bigger sense. We didn’t even use files or anything. The part of that we could use is the Active Directory part, because of the small number of objects we use.

One of the things we saw about this is the part about data backups. This is an important topic because, obviously, if something happens that can end in a loss of information or configurations, for example, we can recover everything from a previous state. The only thing we must have a backup of is the database. Our apps will work with a strong basis in the database. The app can know the levels that are unlocked, the results and, of course, all of the users and passwords to grant or deny access. Fortunately, the MySQL service we are using has the ability to create and read text files to reconstruct the database from the point it is at. We just have to follow some backup

Web security pt. 2: STATS

--Originally published at Security blog

I will now discuss the parts of web security concerning the semester i project. For this, it is really easy, for we have the principles we just have to follow. Well, I say we “just have” to follow them because of course there are other things we should consider as we go on and on, but this is a good first approach, I mean, for the level of development our application has.

The first principle is least privilege. For our app we are just giving limited privileges to the users. Teachers can only register users and themselves, and can only choose between groups and students to see their results. That user is the one with the most privileges; parents and students just log in and see results or play. For simplicity, we keep the functions and actions simple, as well as the structure of the system. The database is pretty small, and the games take their basis from it. To never trust users is also crucial, and we have thought about that too, also giving little privileges to users.
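The roles described in this paragraph (teacher, student, parent) map naturally onto a default-deny permission table. The Python below is an added illustration, not the project's code: it assumes hypothetical action names and a constructed parent-to-child table, takes the role and user id from the server-side session rather than from the request (the "never trust users" half of the paragraph), rejects any action that was never defined, and only then asks whether that role may perform it on that target.

```python
from typing import Dict, FrozenSet, Optional

# Role -> actions it may perform. Anything absent is denied (least privilege, default deny).
# Action names are hypothetical; they only illustrate the roles the post describes.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "teacher": frozenset({"register_user", "view_group_results", "view_student_results"}),
    "student": frozenset({"play", "view_own_results"}),
    "parent":  frozenset({"view_child_results"}),
}

# Constructed relationship table: which parent may see which student's results.
PARENT_OF: Dict[str, FrozenSet[str]] = {"parent-1": frozenset({"student-7"})}

KNOWN_ACTIONS: FrozenSet[str] = frozenset(a for acts in PERMISSIONS.values() for a in acts)


def is_allowed(role: str, actor: str, action: str, target: Optional[str] = None) -> bool:
    """Authorization decision. `role` and `actor` must come from the authenticated
    session; `action` and `target` are untrusted client input."""
    allowed = PERMISSIONS.get(role, frozenset())       # unknown role -> no rights at all
    if action not in allowed:
        return False
    if action == "view_own_results":
        return target == actor                          # a student sees only their own row
    if action == "view_child_results":
        return target in PARENT_OF.get(actor, frozenset())
    return True


def handle_request(session: Dict[str, str], request: Dict[str, str]) -> str:
    """Where the check sits in a request handler: validate the input, then authorize."""
    action = request.get("action", "")
    if action not in KNOWN_ACTIONS:
        return "400 unknown action"                     # input we never defined is rejected
    if not is_allowed(session["role"], session["user"], action, request.get("target")):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    teacher = {"role": "teacher", "user": "t-1"}
    student = {"role": "student", "user": "student-7"}
    print(handle_request(teacher, {"action": "register_user"}))                  # 200 ok
    print(handle_request(student, {"action": "register_user"}))                  # 403 forbidden
    print(handle_request(student, {"action": "view_own_results", "target": "student-8"}))  # 403
    print(handle_request(student, {"action": "drop_tables"}))                    # 400 unknown action
```

Note that a client sending `role=teacher` in the request body changes nothing, because the handler never reads the role from there; that separation is what keeps "little privileges" enforceable.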

Expecting the unexpected is quite a task here, because we know many things can happen, but also we don’t have enough time to implement a lot of things. We are just aware of those things, and also keep an eye on making everything on a bigger basis. With defense in depth, for example, we came to doing the cryptography with the customized key. In that way, if someone manages to decipher the key, they will still encounter another thing they have to decrypt, and that is the data itself.

The security through obscurity feature we also think about by giving very little privileges to the users. I think it is also a way for them to not know what is

Cryptography pt. 2: STATS

--Originally published at Security blog

I will now begin a series of three last posts. Each one will have as its topic one of the topics of the course we have seen, but with a different approach. I will talk about the topic but try to apply it to our project, and by which means it could be.

Starting with cryptography. We will need to use cryptography in our project, and I talked about it in that post, because we are managing a lot of important information. Usernames and passwords are going to be stored in the database, as well as the results that we will get from using the game. All these things are better not seen from the outside, so they must be difficult to read and impossible to understand.

One of the alternatives we thought of at the beginning was to use the methods that the tool we used could have. When we started using PHP (which we don’t do now) we were planning to implement one of the functions that could make a big hash of the text we were planning to store. It could work because it used the md5 algorithm, but one of the problems we could have was that the key to decrypt the text had to be saved in the PHP script, which could make it vulnerable in the end.

We’ve also seen that the MySQL system we are using also implements some methods in the insert commands. MySQL has some interesting functions that work with the AES scheme (Advanced Encryption Standard). This can also sound good, but still we have the same key problem. That’s why we thought of making a customized key for each user. Constructing a key using some characters from their name and last name results in a different key for each person, thus making it
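The key problem raised in the last two paragraphs only exists for data that has to be decrypted again. Passwords do not: the server only ever needs to check whether a submitted password matches, so the usual approach is a salted, deliberately slow hash that is verified by recomputation, with no decryption key stored anywhere. The Python below is an added example of that approach using PBKDF2-HMAC-SHA256 from the standard library; it is not the project's code and the stored-string layout (`algorithm$iterations$salt$hash`) is an assumed convention. The unsalted md5 helper is included only to show why identical passwords must not produce identical rows.

```python
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000      # slow on purpose; tune so one check takes ~100 ms on the server
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string that can be stored in the users table.
    A fresh random salt means two users with the same password get different rows,
    and the iteration count is stored so it can be raised later without a key rotation."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed stored values are treated as a failed login rather than an exception."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != ALGO or rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def md5_lookalike(password: str) -> str:
    """Unsalted md5, for comparison only: every user with this password gets the
    same value, so one cracked row reveals all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    row = hash_password("correct horse")
    print("stored:", row)
    print("login ok:", verify_password("correct horse", row))
    print("login wrong:", verify_password("wrong", row))
    print("same md5 twice:", md5_lookalike("correct horse") == md5_lookalike("correct horse"))
```

With this layout the database holds nothing that decrypts back to the password, so the "key saved in the script" problem disappears for this column; the AES functions remain useful for the data that genuinely has to be read back, such as game results, and that is where key management still has to be solved.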