5 Rules For Designing With Security In Mind

--Originally published at Information Security Class

Whenever we buy something on Amazon, change the settings of our social media accounts or download a new application, we risk our digital identity. That’s why developers invest lots of hours into refining these actions and making them secure.

Besides hacker attacks, there is another risk that can't be handled by developers, only by designers: the users. To help them we should follow some rules, which are especially relevant when the actions can have a drastic impact on the user, financially or socially.

1. Different actions look different

Whenever a user performs a task that could have a dramatic impact, e.g. changing account settings or a password, the situation is stressful and makes the user nervous. Therefore, the UI should make clear what the user has to do right now.

If a user has to enter their email on one screen and their password on another, as Yahoo and Gmail do, the two screens have to look different from each other. Just replacing the word "Email" with "Password" is usually not enough when the whole structure of the two screens looks the same.

At a minimum, the placeholder text within the text fields should show what to enter, as that is the part of the screen which will attract the user's attention. Furthermore, it would help to use different colors for the username input and the password input, if this doesn't conflict with the brand. To improve it even further, you could use big icons that show what to enter.

That’s a pretty good option for a two-screen login process. The changed icons, changed options and username on top show that there’s something different to do on the second screen.

2. Show the user what’ll happen next

Predictability is, in my opinion, the aspect of a UI that makes it usable.


Cross site scripting

--Originally published at Information Security Class

Cross-site Scripting (XSS) Attack

Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker gets malicious scripts executed in the context of a legitimate website or web application. XSS is among the most common web application vulnerabilities and occurs when a web application uses unvalidated user input within the output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

While XSS can be taken advantage of within VBScript, ActiveX and Flash, unquestionably, the most widely abused is JavaScript – primarily because JavaScript is fundamental to most browsing experiences.

How Cross-site Scripting works

In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.

The following server-side pseudo-code is used to display the most recent comment on a web page.

print "<html>"
print "<h1>Most recent comment</h1>"
print database.latestComment
print "</html>"

The above script simply prints the latest comment from the comments database into an HTML page, assuming that the comment consists only of text.

The above page is vulnerable to XSS because an attacker could submit a
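The comment-rendering logic above, written out as an added Python example (not code from the original post): the page's unescaped version beside one that HTML-escapes the comment before printing it, with a constructed comment containing a script tag to show the difference.

```python
import html

# Constructed sample comment, standing in for database.latestComment on the page.
MALICIOUS_COMMENT = '<script>alert("xss")</script>'


def render_unescaped(latest_comment: str) -> str:
    """Mirrors the page's pseudo-code: the comment is pasted into the HTML verbatim."""
    return (
        "<html>"
        "<h1>Most recent comment</h1>"
        + latest_comment +
        "</html>"
    )


def render_escaped(latest_comment: str) -> str:
    """Same page, but the comment is HTML-escaped so the browser treats it as text."""
    return (
        "<html>"
        "<h1>Most recent comment</h1>"
        + html.escape(latest_comment, quote=True) +
        "</html>"
    )


def contains_live_script(page: str) -> bool:
    """Crude illustration-only check: does the output still contain a raw <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unescaped(MALICIOUS_COMMENT))  # script tag survives and would run in a browser
    print(render_escaped(MALICIOUS_COMMENT))    # &lt;script&gt;... is displayed as plain text
```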


Cryptography

--Originally published at Information Security Class

Cryptography involves creating written or generated codes that allow information to be kept secret. Cryptography converts data into a format that is unreadable for an unauthorized user, allowing it to be transmitted without unauthorized entities decoding it back into a readable format, thus compromising the data.

Information security uses cryptography on several levels. The information cannot be read without a key to decrypt it. The information maintains its integrity during transit and while being stored. Cryptography also aids in nonrepudiation. This means that the sender and the delivery of a message can be verified.

Operating System Security

--Originally published at Information Security Class

Many attacks are silent and invisible. What good is an attack if the victim can see and perhaps counter it? As I described in my last post, viruses, Trojan horses, and similar forms of malicious code may masquerade as harmless programs or attach themselves to other legitimate programs. Nevertheless, the malicious code files are stored somewhere, usually on disk or in memory, and their structure can be detected with programs that recognize patterns or behavior. A powerful defense against such malicious code is prevention: blocking the malware before it can be stored in memory or on disk.

The operating system is the first line of defense against all sorts of unwanted behavior. It protects one user from another, ensures that critical areas of memory or storage are not overwritten by unauthorized processes, performs identification and authentication of people and remote operations, and ensures fair sharing of critical hardware resources. As the powerful traffic cop of a computing system it is also a tempting target for attack because the prize for successfully compromising the operating system is complete control over the machine and all its components.

Because of its fundamental position in a computing system, an operating system cannot be weak. The strength of an operating system comes from its tight integration with hardware, its simple design, and its focus, intentional or not, on security. Of course, an operating system has the advantage of being self-contained on a distinct platform.

Malware

--Originally published at Information Security Class

Malware, a shortened combination of the words malicious and software, is a term for any sort of software designed with malicious intent. That malicious intent is often theft of your information or the creation of a backdoor to your computer so someone can gain access to it without your permission. However, software that does anything that it didn’t tell you it was going to do could be considered malware.

What are Common Types of Malware?

  • Virus: Infects program files and/or personal files
  • Spyware: Software that collects personal information
  • Worm: Malware that can replicate itself across a network
  • Trojan horse: Malware that looks, and may even operate, as a legitimate program
  • Browser hijacker: Software that modifies your web browser
  • Rootkit: Software that gains administrative rights for malicious intent
  • Malvertising: The use of legitimate online advertising to spread malicious software.

There are other types of programs, or parts of programs, that could be considered malicious due to the simple fact that they carry a malicious agenda, but the ones listed above are so common that they get their own categories.

How Does a Malware Infection Happen?

Malware can infect a computer or other device in a number of ways. It usually happens completely by accident; the most common way is downloading software that is bundled with a malicious application. Some malware gets onto your computer by taking advantage of security vulnerabilities in your operating system and software programs. Outdated versions of browsers, and often their add-ons or plug-ins as well, are easy targets.

Another common source of malware is software downloads that at first seem to be something safe, like a simple image, video, or audio file, but are in reality harmful executable files that install the malicious program.
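One defensive check for the disguised-executable case just described, added here as an example and not part of the original post: compare the first bytes of a download against what its extension claims. The format signatures below are the well-known PNG, JPEG, GIF, PE and ELF headers; the sample headers and file names are constructed.

```python
from typing import Optional

# Well-known file-format headers (magic numbers) for a few image types.
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Headers of the two most common native executable formats.
EXECUTABLE_SIGNATURES = {
    "PE (Windows executable)": b"MZ",
    "ELF (Linux executable)": b"\x7fELF",
}


def detect_executable(header: bytes) -> Optional[str]:
    """Return the executable format name if the header starts with a known one."""
    for name, magic in EXECUTABLE_SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def classify_download(filename: str, header: bytes) -> str:
    """Classify a download from its extension and its first bytes.

    'ok'                   - bytes match the claimed image type
    'disguised-executable' - image extension, but a PE/ELF header underneath
    'mismatch'             - image extension, but neither image nor executable bytes
    'executable'           - non-image extension and executable bytes (e.g. photo.png.exe)
    'unknown'              - nothing recognised
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    exe = detect_executable(header)
    if ext in IMAGE_SIGNATURES:
        if any(header.startswith(m) for m in IMAGE_SIGNATURES[ext]):
            return "ok"
        return "disguised-executable" if exe else "mismatch"
    return "executable" if exe else "unknown"


# Constructed sample headers; only the leading bytes matter for this check.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
FAKE_PNG = b"MZ\x90\x00" + b"\x00" * 12   # PE header hiding behind a .png name

if __name__ == "__main__":
    print(classify_download("holiday.png", REAL_PNG))   # ok
    print(classify_download("holiday.png", FAKE_PNG))   # disguised-executable
```

A real scanner would read only the first few bytes of the file and cover many more formats, but the decision logic stays the same.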

How Do You Remove Malware?

The most common types of malware are actual programs like

Phishing

--Originally published at Information Security Class

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing, because of the similarity of using bait in an attempt to catch a victim. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.

In June 2013, security firm Kaspersky Lab estimated that 37.3m people had encountered phishing attacks in the last year. Symantec, meanwhile, estimates that phishing accounted for one in 392 emails per day in 2013. Phishing is all about convincing you to divulge information that could help criminals steal your money and/or install malware on your computer, potentially also selling your passwords on to others.

It works by impersonating communications from companies that you trust: banks, online payment firms like PayPal, social networks, online retailers and other technology companies, as well as government bodies (tax authorities, for example). According to Symantec, 71% of phishing attacks in 2013 were related to financial organizations.

A lot of phishing attacks are done without you ever seeing them, thanks to the spam filters used by companies and webmail providers. But for those that make it through to your inbox, there are some common-sense tips to ensure you don’t fall victim.

If it looks wrong, it probably is wrong

Phishing often looks, well, fishy. Typos can be a sign that an email is dodgy – yes, The Guardian may be on thin ice with this point, but typos in an email from your bank really are a red flag – as are all-capitals in the email’s subject and a few too many exclamation marks.

Check the email address carefully

If you often get emails from a particular company, they'll usually come

What can we do to browse the internet safely?

--Originally published at Information Security Class

In my last blog post I wrote about why the internet can be a really insecure place and that, if you are not careful, your personal information can be compromised. That is why I am now writing about what we can do to increase our security while we browse the web. Here are some things that will improve your internet security:

Encryption

Encryption used to be the sole province of geeks, but a lot has changed in recent years. In particular, various publicly available tools have taken the rocket science out of encrypting email and files. GPG for Mail, for example, is an open source plug-in for the Apple Mail program that makes it easy to encrypt, decrypt, sign and verify emails using the OpenPGP standard. And for protecting files, Apple's macOS operating system comes with a new filesystem called APFS that lets you encrypt the hard drive of your computer. Those running Microsoft Windows have a similar function.

Web browsing

Since browsing is probably what internet users do most, it’s worth taking browser security and privacy seriously. If you’re unhappy that your clickstream (the log of the sites you visit) is in effect public property as far as the security services are concerned, you might consider using freely available tools such as Tor Browser to obscure your clickstream.

Wireless services

Have Bluetooth off by default in all your mobile devices. Only switch it on when you explicitly need to use it. Similarly, beware of using open wifi in public places. At the very minimum, make sure that any site you interact with uses HTTPS rather than unencrypted HTTP connections.

Personal security

It is recommended to use a password-management app like LastPass or 1Password; these applications not only provide safe passwords for you to use, but also encrypt all your information. These apps

How safe is the Internet in reality?

--Originally published at Information Security Class

In today’s day and age I would say that this question is relevant and important. When I think back to my past views about the Internet 14 years ago, topics such as “Internet and Web Security” were unknown names to me.

A decade ago the main purpose of the Internet was purely focussed on email communication and web browsing activities. Commercial, critical or even complex transactions were rarely performed on the Internet.

User interactions through web applications were possible at the time; however, in most cases they were very simple and "unsafe". Security concepts, or even basic safety precautions in corporate environments, were ignored and hardly implemented in any web application solution.

Have you ever had any concerns about your privacy or security issues a decade ago? E.g. when sending an email with sensitive information to someone or filling sensitive information in a web form on the internet? How safe did you feel when browsing the web?

It is quite interesting that such concerns were not felt at that time. Yet much has changed now.

Internet and web security measures in private and corporate environments are being taken more seriously than a decade ago. Many efforts have been made by corporate organizations and educational institutes to make the internet more transparent and much safer.

At the same time, billions of harmful malware samples, worms, bots and pieces of malicious code have been developed and distributed over the web. Some of them have survived until now because they were coded with "intelligence", such as the ability to act independently based on sophisticated algorithms.

Without security measures, no administrator in the world would be able to detect intrusions or even be smart enough to block a hidden attack on his corporate network. Data theft runs in milliseconds and you won't even be