Computer Virus Protection

--Originally published at Sebastian Luna




Virus Protection


Conceptual Overview

Imagine having contact with many human beings, getting a certain level of connection with every single one of them, every single day of your life. You can imagine that, eventually, you will get sick if you don't take some precautions (washing your hands, getting your vaccines, keeping your distance, etc.).
When computers interact with other computers, some of them can have a Computer Virus, so they too can get infected, just like us! (sort of).
A Computer Virus is software with malicious intent that replicates itself by modifying other computer programs and inserting its own code. There are many ways a computer can get a virus, and different Computer Viruses can have different negative effects on a computer, like accessing private information (your credit card too!), corrupting data (say goodbye to the pictures of your kids), spamming your e-mail contacts, or leaving your computer useless.

Available Methods

Some methods that can help you clean your computer of viruses, or just protect it against getting one, are:
·         Keep your software up to date
o   Sometimes software has bugs that can be exploited by hackers, which could be used to infect your computer.
·         Don't click on or respond to strange emails
o   I'm sorry to tell you, but the wife of the President of Uganda isn't contacting you to give you 100 million dollars; you also didn't win 50 billion dollars from the Bill Gates foundation.
·         Use antivirus software
o   It's a program designed to detect and remove viruses and other threats from computers.
·         Use a firewall
o   A system designed to prevent unauthorized access to or from a private network.
·         Download only from verified places

PROBLEM: Interval of Times

--Originally published at Sebastian Luna


The problem

Your company built an in-house calendar tool called HiCal. You want to add a feature to see the times in a day when everyone is available.
To do this, you’ll need to know when any team is having a meeting. In HiCal, a meeting is stored as an instance of a Meeting structure with integer member variables startTime and endTime. These integers represent the number of 30-minute blocks past 9:00am.
typedef struct {
unsigned startTime;
unsigned endTime;
} Meeting;
For example:
Meeting meeting1 = {2, 3}; // meeting from 10:00 – 10:30 am
Meeting meeting2 = {6, 9}; // meeting from 12:00 – 1:30 pm
Write a function mergeRanges() that takes an array of meeting time ranges and returns an array of condensed ranges.
For example, given:
[{0, 1}, {3, 5}, {4, 8}, {10, 12}, {9, 10}]
Your function would return:
[{0, 1}, {3, 8}, {9, 12}]
Do not assume the meetings are in order. The meeting times are coming from multiple teams.


Write a solution that's efficient even when we can't put a nice upper bound on the numbers representing our time ranges. Here we've simplified our times down to the number of 30-minute slots past 9:00 am. But we want the function to work even for very large numbers, like Unix timestamps. In any case, the spirit of the challenge is to merge meetings where startTime and endTime don't
Continue reading "PROBLEM: Interval of Times"
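An added worked solution in C for the mergeRanges() problem above (not part of the original post): sort by startTime, then sweep once, extending the current range whenever the next meeting starts at or before its end, so touching ranges such as {9, 10} and {10, 12} merge as the expected output requires. The helper names byStartTime and exampleMatches are my own.

```c
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned startTime;
    unsigned endTime;
} Meeting;

/* qsort ordering by startTime. A comparison of two booleans, not a
 * subtraction, so very large values (e.g. Unix timestamps) cannot overflow. */
static int byStartTime(const void *a, const void *b) {
    const Meeting *x = a, *y = b;
    return (x->startTime > y->startTime) - (x->startTime < y->startTime);
}

/* Sorts a private copy of the meetings by start, then sweeps once: a meeting
 * that starts no later than the current merged range ends is folded into it
 * (so touching ranges merge too), otherwise it opens a new range. Writes the
 * result into out (room for n entries) and returns how many were written. */
size_t mergeRanges(const Meeting *in, size_t n, Meeting *out) {
    if (n == 0) return 0;
    Meeting *sorted = malloc(n * sizeof *sorted);
    if (sorted == NULL) return 0;
    memcpy(sorted, in, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, byStartTime);

    size_t count = 0;
    out[count++] = sorted[0];
    for (size_t i = 1; i < n; i++) {
        Meeting *last = &out[count - 1];
        if (sorted[i].startTime <= last->endTime) {
            if (sorted[i].endTime > last->endTime)  /* extend, never shrink */
                last->endTime = sorted[i].endTime;
        } else {
            out[count++] = sorted[i];
        }
    }
    free(sorted);
    return count;
}

/* Runs the example from the problem statement; returns 1 if the merged
 * output is exactly [{0,1},{3,8},{9,12}]. */
int exampleMatches(void) {
    const Meeting input[] = {{0, 1}, {3, 5}, {4, 8}, {10, 12}, {9, 10}};
    const Meeting expected[] = {{0, 1}, {3, 8}, {9, 12}};
    Meeting merged[5];
    if (mergeRanges(input, 5, merged) != 3) return 0;
    for (size_t i = 0; i < 3; i++)
        if (merged[i].startTime != expected[i].startTime ||
            merged[i].endTime != expected[i].endTime) return 0;
    return 1;
}
```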

Microservices == Microhell

--Originally published at miguel.net

Microservices is a word that has been buzzing around a lot; everyone is writing, speaking and developing with the microservices mindset, but it is never that simple: just splitting a service into small pieces and having them interact over the wire can cause a great mess.

Not planning well how the services will interact can cause a self-inflicted DDoS: all the services are too chatty and overload the network, so essentially you performed a DDoS attack just by trying to run your system. Congratulations.

So, what to do?
Now that the naive solution (HTTP) is discarded, how can you interact in a system where everything is logically separated? Many solutions have evolved throughout the years. One of the best, especially if you need one-way communication, is using a queue service, where messages can be posted and then received from the other end of the queue to be processed.

RPCs (Remote Procedure Calls): this method of executing actions is sometimes slow, depending on the level of consistency being used; two-phase commit is very costly but very effective.

During the 80's and 90's, a paper called SAGAS was published, which described long-running transactions on databases and how to use them to make long queries work efficiently. It has now evolved into Distributed Sagas, a pattern where each microservice is a task and a sequence of tasks is transactional, so when an update occurs, every service that needs to be updated will receive the info. Also I really like the idea of a "pipeline" for this kind of situation; for example, maybe a reservation site allows you to book a flight, pay your hotel and rent a car on the same website, at the same time, so then, based
Continue reading "Microservices == Microhell"

Azure Sphere

--Originally published at miguel.net

Great news came last month: Microsoft launched its first non-NT based OS. It is a Linux-based OS for MCUs (microcontrollers), and the great thing here is that they claim to have a solution for the security problem of IoT; they claim to have the most secure OS for MCUs. We all remember that dark day when the "full" internet was down because a botnet took down one of the main DNS service providers in the USA. It was a hard punch to the IoT movement, but it was also an opportunity to really take a deep dive into the security issues of IoT.

What they claim
Microsoft published a great post providing a great overview of the product, but let's just review it.

The certified MCUs are, as they state, secure from the silicon up; that means security is the first thought when building one of these MCUs. But how efficient and cost-effective are they? Well, we don't know; the first one is about to launch but no price has been announced.

Azure Sphere OS: it is an OS built for security and agility, that's what they have said, but I haven't found any security test results on the web.

Azure Sphere Security Services: these are cloud services built to provide an upper layer of security to the MCUs, and also a layer to push updates of the firmware and user software that will run on the MCU.

My concerns
Well, we know that they love to charge for everything, and if the services are bound to Azure, that could be a barrier that is hard to tackle, because not everyone likes Azure; everyone has their issues with some cloud provider.


My conclusions
I really like to see this kind of thing, companies making new technology Continue reading "Azure Sphere"

Never hard code Connection strings

--Originally published at miguel.net

A common practice during development is to just hard-code every connection string that is used in the project, but why is this a bad, and I mean a really bad, practice?

Let's see what the C# compiler outputs for hard-coded strings:


As we can see, the line marked IL_0001 is where the string is loaded into a variable; it is just written there, without any consideration. Imagine if someone gets access to your binaries: then they can just decompile them and read any sensitive string that was hard-coded inside the program.

How to store them

Many approaches can be used: maybe using encrypted files to store those keys, but that can also be cracked; or maybe using environment variables that store the encrypted strings, but again, it can be cracked. So we cannot trust anybody; we would need to be completely away from any kind of machine to be completely safe. But we can trust one institution, and when running on a cloud platform this is important: all cloud providers have their safe way to store these things. Azure has Key Vault, Amazon has Systems Manager Parameter Store and Google has ObjectAccessControls; all of them have their own capabilities and ways to charge you for those services.

Now, you may be asking, why would I trust any of these companies to keep my important stuff? You don't have to, but they are certified by external authorities, so at least you have a way to verify their security.

Additionally, you must be careful when pushing a commit to an open repository; it is way too easy to find connection strings on GitHub. I personally use an extension on my IDE that can be configured to produce compiler errors if a connection string is hard-coded, Continue reading "Never hard code Connection strings"
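To make the risk described above concrete, an added example in C (not from the original post): a minimal printable-run scanner in the spirit of the `strings` tool, run over a constructed byte buffer standing in for a binary's data section, which flags the hard-coded credential by offset without echoing it. The names countCredentialLiterals, looksLikeCredential and SAMPLE_BINARY, and the fake connection string, are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does needle occur in hay[0..n)". strcasestr is not
 * standard C, so a small loop does the job. */
static int containsNoCase(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j])) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* Heuristic for a literal carrying a database credential. */
int looksLikeCredential(const char *run, size_t n) {
    return containsNoCase(run, n, "password=") || containsNoCase(run, n, "pwd=");
}

/* Walks the raw bytes of an artifact the way the `strings` tool does:
 * every run of at least minLen printable bytes is a candidate literal.
 * Returns how many candidates look like credentials; it prints only the
 * offset and length, so the report itself does not echo the secret. */
size_t countCredentialLiterals(const unsigned char *buf, size_t len, size_t minLen) {
    size_t hits = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i])) continue;     /* still inside a run */
        size_t runLen = i - start;
        if (runLen >= minLen && looksLikeCredential((const char *)buf + start, runLen)) {
            printf("credential-looking literal at offset %zu (%zu bytes)\n", start, runLen);
            hits++;
        }
        start = i + 1;
    }
    return hits;
}

/* Constructed stand-in for a compiled binary's data section (not a real
 * artifact): header-like bytes, a hard-coded connection string with a
 * made-up password, then a harmless literal. */
static const unsigned char SAMPLE_BINARY[] =
    "\x7f" "ELF" "\x02\x01\x00\x00"
    "Server=db.internal;User Id=app;Password=hunter2" "\x00"
    "Hello, world" "\x00\x03\xff";

size_t scanSample(void) {
    /* sizeof includes the literal's own trailing NUL; harmless here */
    return countCredentialLiterals(SAMPLE_BINARY, sizeof SAMPLE_BINARY, 6);
}
```

The same scan over your real build output before release is a cheap CI gate, and the heuristic can be extended with whatever key names your connection strings use.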

Elevation of privilege

--Originally published at miguel.net

Elevation of privilege or privilege escalation is a group of attacks where the attacker can perform an action that he originally didn't have permission to do, by exploiting a bug, a design flaw or a configuration oversight [Wikipedia].

"So, if I 'accidentally' opened a file that was in the folder of an administrator, then I performed that kind of attack?" Actually, yes, if you weren't supposed to have access to that file.

Now, let's talk about Windows. It is no surprise that Windows is one of the most attacked OSes, so a lot of vulnerabilities have been found and patched, but there are also those weird settings in the system that are meant to keep you safe but are unsafe by default. One of those configurations is the one that allows any installer to run with all privileges, even adding new users and making them part of the administrators group, so, as you can imagine, full access to the system for that user.

A great repository to test your settings is the one from PowerShellMafia, the repository is PowerSploit. Please note, these scripts are meant for testing; any other use may be considered illegal. Also, it is important to note that at least Windows Defender blocks all these scripts as trojans; in fact, they are trojans, but in good hands any weapon can be used for good.

To see this attack being used you can watch the video from the YouTube channel Security World; he gives a really good explanation of the attack, and what I find interesting about this particular approach is that it creates an MSI installer that creates a new user with admin privileges, and then your imagination can fly: you can open anything, activate remote desktop, anything. Continue reading "Elevation of privilege"

Cryptography is fun, TC2027

--Originally published at Sebastian Luna

Let's wikipedia:

Cryptography is the practice and study of techniques for secure communication from third parties.
It is about constructing and analyzing protocols that prevent unauthorized access to the message.

Modern cryptography is based on mathematics and computer science, thanks to computers, we have the power to encrypt data and make it 'impossible' for a human to decrypt it.

Getting started
The way I got into cryptography was with the series "Gravity Falls"; they put hidden messages all over the place, in the intro, at the end of the episode, and they used different encryption methods. It was really fun to try to decipher a code that you found in an episode.
If you know nothing about cryptography, I would recommend following the link provided at the end of this document, and watching the animated series.

Encryption methods
Some encryption methods that were used on Gravity Falls are:

Caesar cipher: substitute the original letter for the nth letter before it. In the case of letters X, Y, and Z (if n = 3), one would have to cycle through to the beginning of the alphabet.

Atbash cipher: decoded by reversing the letters (A turns into a Z).
EXAMPLE: World -> D


A1Z26: simple substitution cipher decoded by substituting the nth letter of the alphabet for a given number n.


Vigenère cipher: it's a series of Caesar ciphers where each letter's shift depends on a keyword. Vigenère ciphers use a Vigenère square to encrypt the message.

These are relatively simple encryption methods; computers use other methods, but I will write about that in another blog post. I want this one to be for "beginners".



http://gravityfalls.wikia.com/wiki/List_of_cryptograms
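The four Gravity Falls ciphers listed above, implemented in C as an added example (not from the original post). The function names caesar, atbash, a1z26 and vigenere are mine; caesar shifts forward, so the post's "nth letter before it" is its decrypt direction (a negative k), and vigenere assumes a non-empty keyword.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Move a letter k places forward (k in 0..25) with wrap-around; case is
 * kept and non-letters come back unchanged. */
static char shiftLetter(char c, int k) {
    if (isupper((unsigned char)c)) return (char)('A' + (c - 'A' + k) % 26);
    if (islower((unsigned char)c)) return (char)('a' + (c - 'a' + k) % 26);
    return c;
}

/* Caesar: the same shift for every letter. Encrypt with k, decrypt with -k
 * (the post's "nth letter before it" is the decrypt direction). */
void caesar(const char *in, char *out, int k) {
    size_t i;
    k = ((k % 26) + 26) % 26;                 /* normalise negative shifts */
    for (i = 0; in[i]; i++) out[i] = shiftLetter(in[i], k);
    out[i] = '\0';
}

/* Atbash: A<->Z, B<->Y, ...; applying it twice returns the plaintext. */
void atbash(const char *in, char *out) {
    size_t i;
    for (i = 0; in[i]; i++) {
        char c = in[i];
        if (isupper((unsigned char)c)) c = (char)('Z' - (c - 'A'));
        else if (islower((unsigned char)c)) c = (char)('z' - (c - 'a'));
        out[i] = c;
    }
    out[i] = '\0';
}

/* A1Z26: each letter becomes its 1-based alphabet index, dash-separated;
 * non-letters are dropped. out needs room for 3 chars per letter. */
void a1z26(const char *in, char *out) {
    int n = 0, first = 1;
    for (; *in; in++) {
        if (!isalpha((unsigned char)*in)) continue;
        n += sprintf(out + n, first ? "%d" : "-%d", toupper((unsigned char)*in) - 'A' + 1);
        first = 0;
    }
    out[n] = '\0';
}

/* Vigenere: a Caesar shift per letter, taken from the (non-empty) keyword in
 * turn. Only letters consume a key position, so spaces never desync the key. */
void vigenere(const char *in, char *out, const char *key, int decrypt) {
    size_t klen = strlen(key), ki = 0, i;
    for (i = 0; in[i]; i++) {
        if (!isalpha((unsigned char)in[i])) { out[i] = in[i]; continue; }
        int k = toupper((unsigned char)key[ki++ % klen]) - 'A';
        out[i] = shiftLetter(in[i], decrypt ? (26 - k) % 26 : k);
    }
    out[i] = '\0';
}
```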

Revolution, TC2027

--Originally published at Sebastian Luna

We need one, we need a revolution on the way we learn.

I am currently developing a project that started with one of our professors, Sergio Hernández.
He started Estación Meiquer to give Social Service hours to ITESM GDA students. I was lucky to be one of them, because it covers topics I really like.
But for about a year now, we have wanted to do more than giving Social Service hours; we see that there is a need for kids to change the way they think and the way they learn. We see every day the consequences of a bad educational system, even here, at my school; there hasn't been a single time when partials are coming that I don't see students studying from very specific questions and exercises (it took me a few semesters to realize they were studying from exams). I've seen students take pictures of the exam as soon as it's in their hands, before taking it and after the professor gives it back so we can check our mistakes. What went wrong? Why is it more important to get an exam or find really clever ways to copy than actual learning? Why is a number (grade) more important than all the effort someone can make over a whole semester learning by experimentation or research? Why aren't we allowed to make mistakes? We're not perfect, we learn from mistakes; I can tell you that the things I remember or learned the most are things I struggled with, where I had to find a way to solve it or I f*cked up really bad.

Our project is called Estación Meiquer, our goal is for kids to develop skills that, according to the World Economic Forum, will drive the 4th Industrial Revolution. These skills are:

Elevation of Privileges, TC2027

--Originally published at Sebastian Luna

What is Elevation of Privileges? 

Elevation of Privileges or Privilege Escalation is exploiting a system or application to gain more access than you normally should have. This means you have the power to do unauthorized actions.

There are two branches of privilege escalation, Horizontal and Vertical.

Horizontal

  • Access to other users' information or content. It's horizontal because you are in the scope of a user, but you can gain access to other users; this is still gaining more access than you should, but not at a higher level.

Vertical

  • Access to information or content that should only be accessed by someone with higher access. You stay in your scope, but now you "escalate steps" in the privilege section.

The following image shows the different levels of privileges that a system has. 


My favorite example of elevation of privileges:

Jailbreak

I remember I was in high school when I got my first iPod Touch; it was Christmas and Santa gave me and my brothers an iPod. I was really excited and I opened it in the bathroom; as soon as I took it out of the box, it fell.
I always liked playing and listening to music on my iPod, but after a while (still in high school) I discovered that you could "jailbreak" it, letting you add more functionalities and customize your iPod. I didn't know it back then, but that was a form of Elevation of Privileges.
Normally, you couldn't do all those things that Cydia allowed you to do, but when you jailbroke it, you gained control of many things and it felt really nice.

Other methods
This webpage tells more about EoP and ways that it can be exploited:
https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/06/07/all-you-know-about-stride-elevation-privilege-threat-eop
Here there are 6 ways to exploit and gain EoP that the webpage Continue reading "Elevation of Privileges, TC2027"

Security problems with GitHub

--Originally published at Seguridad Informática



GitHub has become known worldwide as one of the best tools for programmers, truly a tool tailor-made for uploading your work and code and keeping an incredibly orderly version history. We have all felt safe with GitHub, since using it amounts to version control that saves every step of your project, and each time you make a "commit" your progress is saved and you can always go back to that version that "did work fine".

Personally, I am a fan of GitHub and its flexibility, since you can add any kind of language, plus it tracks progress in graphs that show how much you have advanced, and it has the tools to work with collaborators so others can improve your project or simply give you some suggestions. Another thing that makes GitHub a very useful tool is that it is open source, so everyone can see your code unless you make your project private.

With massive password leaks appearing almost weekly and the common practice of reusing the same password across several accounts, automated password attacks are a good reason to set up an additional level of authentication for online services. Companies such as Apple, Dropbox, Google, Twitter, Facebook and Microsoft have rolled out two-factor authentication over the last year.

Recently GitHub has sent emails to users with passwords considered weak whose accounts may have been compromised after a recent attack on its authentication system. The attack is still being investigated, although it is known to have originated from some 40,000 IPs.

Officially confirmed on the GitHub blog by Security Manager Shawn Davenport, the popular repository hosting service Continue reading "Security problems with GitHub"