Quantum Computing

--Originally published at Security – Hermes's Blog

Here’s a really good video that explains (vaguely) quantum computing.

 

 

 

 

 

The fact that quantum compures have much more computational power than modern computers and are capable of factorazing very large numbers is a big threat to today’s cryptgraphic algorithms that rely on the assumption that factorizing really large numbers is a a so expensive operation that is nearly impossible to do so, but quantum computers will be able to complete the factorization in a short enough amount of time, and when cryptigraphic algorithms collapses so does network security.

But sure enough, quantum computers are not just a threat to network security, they are too the solution. Quantum cryptography relies on the Heisenberg Unsertainty Principle, which states that an observer cannot fully measure a moving object’s position and path without affecting one or the other.

And here’s a TED video explaining The Heisenberg Unsertainty Principle:

 

 

 

Koley (CTO of Juniper Networks) explains: “Typically, photons are used over a fiber-optic channel to achieve this [transmit information in quantum state], any attempt to measure one of the entangled photons leads to changes in the quantum state of the other, and therefore is detected. Thus, QKD offers a key distribution mechanism where any attempt to intercept the key by eavesdropping is revealed and the keys are discarded. QKD is not vulnerable to cracking attempts by quantum computers the same way that traditional cryptographic techniques are because any interception attempts in the QKD paradigm are readily detected. This is one of the reasons QKD is considered to be a good candidate for post-quantum security.”

And here’s a video explaining the QKD algorithm:

 

 

More resources on the subject:

https://www.techrepublic.com/article/how-quantum-computing-could-create-unbreakable-encryption-and-save-the-future-of-cybersecurity/

http://www.bbc.com/news/technology-36203043

https://www.britannica.com/science/uncertainty-principle

https://research.google.com/pubs/QuantumAI.html

Blockchain

--Originally published at Tc2017-security

Now a lot of us understand what bitcoin is, but most of use don’t know what is blockchain.

Blockchain is a way to secure your network. Basically what it does is it encrypts your data and sends it to everybody in the network. This means that everybody has a copy of what you’ve just send. So when sombody else tries to modify that information and send it. Everybody knows in the network knows that the information is not rue and will restore the correct data to that computer.

Blockchain is trully a great way to identify a person and really see if the person you are talking to is him or her.

Here is a short video that explains what blockchain is:

SQL INJECTION

--Originally published at Tc2017-security

So the first thing is what is sql injection. For does people that don’t know what sql is, sql is a programming language to help you save up information, for example:

The banks save up all customer information about their names, ssn, credit cards, etc.. in a sql table, which is kind of like excel.

SQL injection happens when a company dind’t sanities data and are able to get into the compañies data base.

Resultado de imagen para sql injection png

What a hacker does is find the vulnerabilities and when they have they can either:

 

  • Control the application’s behavior that’s based on data:
    • For example, show information that the company doesn’t want others to know.
  • Alter data in the database:
    • For example, erase or create new users that don’t exist.
  • Access data without authorization:
    • For example, give a user access to personal data of other people.

What can you do to defend yourself from this vulnerability:

  • Discover SQLi vulnerabilities, you can do so by using a special software to check how secure your code is.
  • Avoid and repair SQLi vulnerabilities by using parameterized queries.
  • Remediate SQLi vulnerabilities
  • Mitigate the impact of SQLi vulnerabilities, you can do so by only allowin certain access to user to a certain part of the data base or by using certificates.

Here is a really cool video of an example of this vulnerability:

Website certification – How safe is it?

--Originally published at Security – Carlos Rueda Blog

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption:

  • a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
  • a URL that begins with “https:” rather than “http:”

By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything.

If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:

  1. The web site address matches the address on the certificate
  2. The certificate is signed by a Certificate Authority that the browser recognizes as a “trusted” authority

Can you trust a certificate?

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate’s unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

How to see a certificate’s information?

certificatechrome.png
certificateinfo
Continue reading "Website certification – How safe is it?"

Mirai – IoT Botnet Malware

--Originally published at Security – Carlos Rueda Blog

Mirai (Japanese for “the future”, 未来) is a malware that turns networked devices running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.

First let’s define some terms:

Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of harmful or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is defined by its malicious intent, acting against the requirements of the computer user — and so does not include software that causes unintentional harm due to some deficiency.

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word “botnet” is a combination of the words “robot” and “network”.

Mirai was first discovered in 2016 by MalwareMustDie, a white hat security research group and according to leaked chat logs of the creator ‘Anna-senpai’, the malware is named after the anime series ‘Mirai Nikki’ (Future Diary in english). The malware’s source-code is published in a GitHub repository here. The malware is written in C for the agent infecting each device  and Go for the master controller of all the devices.

Resultado de imagen para mirai nikki

Mirai Nikki

This botnet malware was used to attack Brian Kreb’s website Krebs on Security, making the site reach 620 Gbit/s of traffic, there were also reports of attacks to French web services providers reaching 1Tbit/s of traffic to their website. Other attacks include in DNS services of DNS service provider Dyn occurred using Mirai malware installed on a large number of IoT Continue reading "Mirai – IoT Botnet Malware"

Government and Business Ethics on Personal Devices Security

--Originally published at Security – Carlos Rueda Blog

 

In the not too distant past, employees had no choice but to work at a company’s office or on a company laptop or phone.  As mobile electronic devices (tablets and smartphones, for example) became both more accessible and affordable, this changed.  Now employees can work virtually anywhere and it’s becoming more and more common for them to use devices for both personal and work purposes.

Many individuals own multiple mobile devices.  One person may own a smartphone, tablet, and laptop computer.  An employer may also offer employees one or more company-owned devices. For some, it’s both inconvenient and less productive to carry company-issued and personal devices.  Others may prefer a specific technology or brand, or simply be annoyed by having to carry multiple devices.

Employers will assume legal, security, reputational, and other business-related risks when their employees use a device for both personal and work-related purposes. This is largely because employers lose control when employees use their own devices and networks to store and transmit company data.  The same is true when employees use company-owned devices for personal purposes.

There is also the issue with the government having access to our data. With the cases of the NSA Mass Surveillance program PRISM coming to light, we have to ask ourselves how much privacy we actually have, because the way the NSA obtained all this information was by DEMANDING that Internet Service Providers, Cellphone Carriers and many big tech companies submit their user data to the NSA.

There is also the recent case of the San Bernarding mass shooting in 2015, where the FBI requested access to the iPhone to one of the shooters to Apple, essentially requesting them to create a backdoor that would let them have access to the device. Apple opposed and denied the request, smart Continue reading "Government and Business Ethics on Personal Devices Security"

Pop ups are not just annoying

--Originally published at A work in progress




If you have a good eye you might have noticed how the advertisements from Youtube, Facebook and other social networks had changed in the last month. You are probably seeing a bit more (A LOT) from political campaigns and things related to them.
If you find yourself browsing through a web page that has any advertisements your computer might be in danger, or your data for that matter.

Welcome to the sad truth

First of all, let's talk about what is exactly , malvertsing. This is basically when you get attacked by viruses when you click on a pop ud or an ad, and you don't have to necessarily click on them, just by going into a web page that contains them you can get infected by it.

Here's how it looks like
Image result for malvertising
Just follow these simple steps:
  1. Let's watch a Youtube video
  2. Oh look! an ad! I'm just going to close it
  3. Nope, there's probably some code happening in the background , already stealing your information
Trust me when I say this, tons of websites had been attacked by this, Spotify , The New York Times, CBS and the list goes on. Because there's no way to actually control it. If you have the money to buy any ad then you're pretty much halfway there.

How do they steal?

I wasn't lying when I said that this happens even to the bests. And unfortunately there's not an accurate way (yet , because I'm hoping that in the future this gets targeted, at least easily). This is a fabulous way of stealing information because imagine it as this.

Someone wants to advertise on your website, they have the money to do so ... and Voila! That's it. If you use a fake bank account and you cover up your ip address
Image result for BBC malvertising attack
https://zeltser.com/wp-content/uploads/2011/06/tumblr_lm8epd1KYB1qd9o7r.png
Continue reading "Pop ups are not just annoying"

What is Malware?

--Originally published at Computer and Information Security

I have heard more frequently the word malware, but the question is “what is malware?”. I didn’t even know what that word mean until I made some research. According to the definition, malware is the abbreviation of “malicious software”, and it is considered as a malicious program that harms the functionality of a computer. Also, malware is composed by many other tools that harm the computer, such as viruses, Trojan horses, and worms. People often create these malware to steal information from the user, to modify it, or even to delete important data from the computer. These activities are made by the malicious programs without any permission.

it is possible to divide the kinds of malware depending on their characteristics and the way of how each one acts.

  • Virus: this one is the most common one. It has the name virus because it acts as in health, it spreads in the computer and spreads very quickly with malicious software. Virus infects other programs.
  • Worms: it is a type of malware that multiplies without any command or a specific action. Worms can be activated without any human interaction and it affects the performance of the computer.
  • Trojan horses: its name comes as in history. It appears to be a legit program until it is executed. While it is executed, malware is installed in the computer and can use malware’s functions.
  •  Spyware: this last one is the one that steals information from the user without any knowledge from him or her. It also watches the movements from the user to learn from him or her.

The following video explains the types of malware. I’ll recommend you to watch it.

 

It is known that the first tope of malware was a virus, it was called the Creeper virus and it happened in Continue reading "What is Malware?"

Wireless security

--Originally published at Computer and Information Security

Wireless networks

Since the last few years, wireless networks have become very important in the market. We can see wireless networks everywhere, such as in the coffee shops, some malls, on the streets, airports, hotels,  home, school, etc. The problem is that there are a lot of security problems with them. It is important to take into consideration that nowadays, wireless networks carry important information and it is crucial to have a secured wireless network.

Although it is easier to get connected to a wireless network rather than a wired one, it has become more vulnerable because of the facility to get connected to a wireless one. Each day, people are being connected to the internet and its easier to be in risk because of that. But leaving aside those risks, wireless networks have a lot of advantages. Before the explanation of them, i’ll recommend you to watch the next video regarding wireless security:

 

Wireless Security protocols

In order to protect wireless networks, WSP (wireless security protocols) were invented. These WSP are mainly targeted to protect local networks, such as the ones that are in home or offices. These WSP have their own strengths and weaknesses, but they offer wireless security in most of the cases, sending encrypted data through the airwaves.

The problem with the wireless networks is that the information is send to every device that is listening to the signals, obviously, it has a limited range. One of the benefits of the wired networks is that it has only one connection, between device A to device B. Protocols were created to protect these airwaves signals. We have three protocols: WEP, WPA, and WPA2.

WEP (Wired Equivalent Privacy)

The WEP was the first protocol to secure the wireless networks. The main point of the protocol is to Continue reading "Wireless security"

Baby Monitor – TC2027

--Originally published at Sebastian Luna

To introduce you to the topic I'll be writing about, I'll first explain the context.

My father works and lives out of Jalisco, but he comes and visits us every two weekends or so.
My brothers and I (we're 3 male, young adults - this might be relevant) live with my mother, she went a few days ago to my place of birth, to take care of her parents. 

Why do I have to tell you this? Well... because before my mother left, my father set up two Baby Cameras to "watch the house", more like keeping an eye on their sons.
Some of you might ask what does this have to do with security, well, let me tell you some stories that came up in the news:

  • A couple's 3 year old son told their parents he was afraid of the man talking over the monitor at night. One day, the father heard “Wake up little boy, daddy’s looking for you,” coming from the monitor. (CBS)
  • A family in London was sleeping their child when they heard eerie music coming from the monitor and a voice that said "you're being watched". (CTV News)
These news are creepy, but we're not babies, so what could go wrong? Well, if someone gained access to the monitors, they could watch us everytime, see our movements, when do we go out, at what time do we come back, what do we do when we're at the house, etc. There is a webpage, insecam which has this on their webpage:

Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world.



Meaning that they have access Continue reading "Baby Monitor – TC2027"