--Originally published at Talking about Computer and Information Security

An operating system is complex and the security is essential but could be one of the most difficult things to do because many operating systems are the target for a lot of hackers. The security in the OS could start in create a strong authentication for example with simple passwords, cards or biometric filters. But not all systems have this type of security, like user of operating systems I know that systems like Windows or Ubuntu have good security, but many factors are necessary to be secure, the systems have their own security like firewalls, anti-malware, authentications, filters, protocols, keys, etcetera, but the users are play an important role in the security because many time the phishing, social engineer are methods where the user install o put in risk the system.

--Originally published at Talking about Computer and Information Security

In the technology exist many types of security for hardware or software, in this time I going to talk about web security that means         keep a web server and its application protected. Web applications are used day by day for millions of people and if we want to build a web service we need to know the basic of its security because many times in this service we put our personal data, credit card information, etcetera. We need to be a good actor in internet and we need to protect our web service from hackers because when a service was hacked means that could be a brief to do spam, share malicious code, steal information or just do a bad reputation about the web service.

Some recommendation to has a good web security could be check and do a good configuration of the server, communication like telnet, ports, DNS, put authentication in the service and filters. But even if you follow all recommendations and have a lot of certificates, any system is not totally secure for this reason we need to be update every day about new technologies or security fails in technology and check every day our systems.

--Originally published at Talking about Computer and Information Security

Security has a lot of ways and one important is the cryptography, these concepts are hand to hand because the encryption is used in the basics concepts of security for example in confidentiality is used the encryption, in authentication is used the message authentication code, etcetera. Across the years protect the data is more difficult because in the firsts computers like ENIAC protect the data was easy because only specific personal has access but since the personal computers arrive to home share and storage data is a big problem. We need to protect data from attacks that could be passive (Noninvasive, just capturing authentication information) or active (Break secure systems to steal or modify information, or introduce malicious code). To understand the cryptography, we need to know some concepts:

Trusted third party.

That’s a service where clients trust it, for example if two clients that want to share information trust in a TTP mean that they trust one each other

Encryption

Symmetric. Use single key or secret key

Asymmetric. Use public and private key, public is shared to everyone to see and we need to be sure that this key is from the correct entity

--Originally published at Talking about Computer and Information Security

For every system is important has a good security, one of the most important phases is the creation of a good security architecture. This concept includes some specifications that are used for many companies or systems, the first step is knew what are the risk for the information and what we could do in this case.

In a system the information could be the most important, with this premise the access, modification and confidentiality are essential to have a basic control over the data, the politics of the security architecture need to be focused in these options.

ISO 27001 is a certification of security where is described how to manage data security in a company and the purpose is protect the confidentiality, integrity and availability. This certification is the correct way to have a good security but is hard to complete all the documentation to be certificate but if a company follow the way to have it going to be a good start to have an excellent security.

--Originally published at Security blog

Right at this point in the course, we’ve been taught many things about effective security in our environment as software engineers. However, it is also true that we are involved in one big project, an application that will allow elementary school children to have a better learning in math. And since, we have to take also special care about its own security, and this is a topic that we haven’t discussed in this blog.

First of all, there are several rules we should follow. I found many interesting things on golden rules for security purposes. One of them said that there were three golden rules for not having security issues: do not own a computer, do not turn it on and do not use it. These are not so practical, because, well, if you are reading this then you already broke the three rules (just as me).

                                          We get a nice golden lock.

Because of that, we need another set of rules, and I found one that I liked because it had to do with IoT. First of all, we must review repeated times the code we make and we must test the security things very often. We have seen a lot of these practices earlier. This point implies prioritizing for sure, and knowing your strengths and weaknesses. Second, continuous development. I consider this one as to not come into a halt when working on the security area. Things are changing everyday, and so must the security measures that are implemented (improved, at minimum). Last, managers (in business cases) must take responsibilities. I differ on this one. I think managers and engineers who make security parts should take responsibilities, mainly

--Originally published at TC2027 – Computer and Information Security

In my latest post I talk about what are security policies and what a security policy contains but how do we apply a security policy? With a security model.

A security model is used to determine how a security policy will be implemented, what users can access to the system and roles. This security model describes the entities governed by the policy, it states the rules that constitute the policy.

There are many types of security models according their scope, for example

• Capture policies for confidentiality such as Bell-LaPadula
• Capture policies for Integrity such as Biba, Clark-Wilson
• Models applied to environments with static policies such as Bell-LaPadula
• Models applied to dynamic changes of access rights such as Chinese Wall

And many others but I’ll talk about some of them.

How can we differed model from policy, easy a model is maps the goal of a policy by using data structures and techniques that are necessary to enforce the security policy.

State Machine Models

In this model the state of the machine is captured in order to verify the security of a system. Each state provides permissions to objects and access subjects, if the subject can access to the object only by mean that are concurrent then the system is secure.

For the im0lementation the developer must define what and where the states variable is, the developer then must define a secure state for each state.

Bell—LaPadu Confidentiality Model

This model was the first one to define with a multilevel security policy for the states. This is a static model which enforces the confidentiality of the model. This model focuses on ensuring that the subjects with different clearances (top secret, secret, confidential) are properly authenticated

Rules

• The simple security rule: a subject that is in a certain security
  
  
  Continue reading "Classic Security Architecture Models" →

--Originally published at TC2027 – Computer and Information Security

So, this time I want to talk about one topic that may be familiar with a lot of people. I’m talking about ethical hacking, but do you really know what is ethical hacking, or what an ethical hacker does?

So, starting by the basics the definition according to mcmaster it’s ‘the controversial act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers’. So basically, its use your skills to find vulnerabilities or security issues before a hacker does. So, let me continue with the term hacker, it’s any person that knows how to code and does it in a enthusiastic way. So according this definition almost any programmer can be a hacker, but there are also hacker classifications! There is black hat, red hat and other classifications but for this post I’m going to talk about white hackers (Ethical hackers).

I share a cool picture about hacker history: https://eduarea.wordpress.com/2013/06/09/que-es-el-ethical-hacking/

The ethical hackers are the ones that apply they knowledge and hacking skills for defensive purposes on behalf of the owners of information system. This is cool because even they had the knowledge and skills they use this to protect and seek vulnerabilities for a system before another hacker with another intension does. There is some controversy about this because how do people know if this knowledge and skills are being used the right way?

Surprise, there are many white hat hacker certifications available online so you can apply this knowledge without been search by the law.

• Certified Ethical Hacker (CEH) (https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/)
  • Covers over 18 security domains.
    • Foot printing and reconnaissance • Scanning networks • Enumeration • Sniffing • System hacking • Malware threats • Social engineering • Denial of service • Session hijacking • Hacking
      
      
      Continue reading "Ethical Hacking" →

--Originally published at PocketMinder's Blog

So, cryptography… How important is it in a system? Well you guessed it! Pretty important.

Cryptography and security go hand in hand. Cryptography helps securing a system by transporting encrypted data that cannot be decrypted easily.

There are many ways encrypting data works, mostly now there are two man categories, symmetric cryptography and asymmetric cryptography. Both of them use a term called “keys” but they work in a different way. In a general way, the way symmetric encryption works is by having one key for each person that will encrypt and decrypt data. This way both keys have a relation between them, and if one is compromised (stolen) then pretty much the other is compromised as well. Asymmetric encryption works by having two sets of keys, one set is private, meaning only the person who created the key can have the key, and the other set is public so anyone can see it. Then data is encrypted using a private key and then is decrypted by a public key and a private key. Again is a general explanation of how those methods work but there is much more behind them.

So yeah, encryption is a really important thing that must be take into account when developing the security architecture of a system, and there are many ways to do it, one must choose the most appropriate method of encryption for the given system.

I’ll leave a link below to a (very good) video about asymmetric encryption (also known as public key encryption), enjoy!

--Originally published at Tobi`s Blog

In an world where government surveillance and data bought from companies is used to stop protest movements, to guide the public opinion and to stop progress we all need to secure our data to keep the world turning. Otherwise we loose our influence on the future and give all the power to governments and companies. This is undermining the principles of democracy.

It’s not sufficient to just harden yourself. I’ll give you some examples.

Today the technical means we have are beyond those mentioned in dystopian litarature.
Face recognition, cameras at every corner, social network mapping, profiling, position tracking via Smartphone and many more are reality.

I don’t want to live in a world where I run into problems for
what I read, talk about with friends or even just think.

Conclusion? Please care for your privacy and let people know!!!

P.S. Very interesting talk about government surveillance

Photo credit: Jay Phagan via VisualHunt.com / CC BY