Clean your shoes before entering the house.

--Originally published at Merino is talking about security.

Data sanitization is a simple yet effective tool for preventing attacks. What kind of attacks? you may ask. Well, many, but they can all be summarised as code injection.

In web applications you may encounter a form, any form, that lets you write any string and then does something with it: displays it as a comment, saves it in the database, sends it as a message, etc. But let's say that instead of just plain text, I write a piece of code; if the input isn't sanitized, the page will run that code, and the results can be disastrous. Let the people at Computerphile explain it better:
There are quite a few kinds of code injection, but here are the most common ones:

SQL injection: As the name indicates, it is meant to attack SQL databases. Adding SQL fragments to an un-sanitized input can result in the database running those queries and returning data that should not be readable by the user. More info.

JavaScript and HTML injection: Adding JavaScript and HTML code to un-sanitized inputs can cause the browser to run it and make the page behave in unwanted ways; this can potentially affect other users as well (when the injected script reaches other visitors this is known as cross-site scripting, or XSS). More info.

A simple first line of defense is input sanitization: cleaning your inputs so that malicious code can't get through them. One approach is to block certain characters or sets of characters from being typed into your input, such as the single quote or the <> brackets. Be aware that blocking characters is a fragile defense on its own: legitimate input often needs those characters (think of the surname O'Brien), and attackers find encodings that slip past a blocklist. The robust fixes are parameterized queries for the database and context-aware output encoding for anything rendered in the browser, with sanitization as an extra layer on top. The people at eSecurity Planet wrote a very in-depth article on how to protect your web applications using input sanitization; there are many things you can do. Since HTML5, an input type can be added to any input tag, and that can be a small step toward making sure that the incoming Continue reading "Clean your shoes before entering the house."
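To make the two injections above concrete, here is an added example (my own code, not from the original post or the articles it links to) using Python's built-in sqlite3 module and an in-memory table of constructed sample users. A query built by splicing the input into the SQL text leaks every row to the classic ' OR '1'='1 payload; the same lookup with a bound parameter returns nothing for that input; a legitimate name containing a quote shows why simply banning the quote character is the wrong fix; and html.escape neutralises a script tag before it reaches the browser. The table, the usernames and the payloads are all made up for the demonstration.

```python
import html
import sqlite3


def build_db():
    """Constructed sample database: two users with a secret each (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Un-sanitized input spliced straight into the SQL text.

    Whatever the user typed becomes part of the query, so quotes and
    keywords in the input change what the database executes.
    """
    query = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the SQL text; it is compared
    as data and can never be interpreted as SQL, whatever it contains.
    """
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


def apostrophe_demo(conn):
    """Why banning the quote character is the wrong fix.

    A perfectly legitimate name breaks the spliced query (the database sees
    an unterminated string and raises), while the parameterized query simply
    finds no such user. Returns (spliced_query_broke, parameterized_rows).
    """
    try:
        lookup_vulnerable(conn, "O'Brien")
        spliced_query_broke = False
    except sqlite3.OperationalError:
        spliced_query_broke = True
    return spliced_query_broke, lookup_parameterized(conn, "O'Brien")


def render_comment(comment):
    """Output encoding for the HTML context.

    Angle brackets, quotes and ampersands become entities, so a pasted
    <script> tag is displayed as text instead of being executed.
    """
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # classic payload: makes the WHERE clause always true
    print("spliced query  :", lookup_vulnerable(db, payload))     # every row leaks
    print("bound parameter:", lookup_parameterized(db, payload))  # nobody has that name
    print("O'Brien        :", apostrophe_demo(db))
    print(render_comment("<script>alert(document.cookie)</script>"))
```

Run it as a script and compare the first two lines: the spliced query hands back both users' secrets to an input that is not a username at all, while the bound parameter returns an empty list. The same pattern applies to any database driver that supports placeholders; the sanitization step is still worth keeping, but it is the parameter binding and the output encoding that actually close the hole.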

A self driving conundrum.

--Originally published at Merino is talking about security.

The other day I was coding a web page using the framework Vue. You don't have to know what Vue is to understand this next part; the only thing you have to know is that with Vue you need to program things differently. So I was making a button to simply change the page, and it was giving me difficulties, so I coded this:

<a class="d-block mb-4 h-100" href="#" v-on:click="change_page"></a>
Thing is, I tried and I tried and I just couldn't get it to work. That's when my friend told me to delete href="#" because I didn't need it there; it was less than a line of code, yet it was the source of all my problems. The point that I'm trying to make here is that we all make mistakes, and small things like that can be overlooked. Maybe this one time it was only a button on a web page, but other times it can be something more critical, and mistakes like that can literally be life threatening. Take for example the launch of NASA's Mariner 1 rocket: it had to be destroyed shortly after launch because the person transcribing the guidance equations into the computer forgot, or rather missed, a single hyphen (strictly, an overbar) in a formula. That time there were no astronauts on board, but in other cases simple errors, poor coding, or even just bad practices can result in deadly situations; take for example the case of the Therac-25, where bad practices by programmers caused the deaths of multiple hospital patients.

I write all this to bring an interesting topic to the table: we programmers have way more responsibility in our hands than we may think. Recently, a self-driving car accidentally hit a person; this is the first Continue reading "A self driving conundrum."

Cryptography & Encryption: a secret language.

--Originally published at Merino is talking about security.

The internet came to change our lives, no doubt about it. We communicate more and more frequently thanks to it; in fact, more than 60 billion (sixty thousand million) messages are sent through internet apps each day (source). Adding that to emails and other forms of communication, that's an astounding amount of data flowing through the internet's tubes. And that data may contain any sort of information: important dates, pictures, banking information, addresses, sensitive stuff really. So how can we protect that data? Because once it's out there, it is out there. That's why we have encryption, a way to cipher our data so that only we can access it. Imagine translating all your messages into a secret language that only you and the person receiving the message can understand. That's what encryption is. John Oliver of HBO's Last Week Tonight made a very funny video explaining encryption in layman's terms (adult language warning). Computers have settings to encrypt your disk, and many apps like WhatsApp and Telegram encrypt messages automatically (note that Telegram only encrypts end-to-end in its "secret chats"; regular chats are encrypted to Telegram's servers, not to the other person).

To understand how encryption works I wrote a small Caesar cipher script in Python; check it out. But a Caesar cipher only shifts letters by n places, so it's not very secure. To prove it, I encoded a message with my Python script to challenge you, the reader, to decode it:

The coded message is: qzodkbfuaz ue hqdk uybadfmzf fa wqqb kagd uzradymfuaz bdafqofqp rday efdmzsqde 

The spaces between the words can be a dead giveaway; leave a comment if you figure it out. You can even use my script to try to crack the code.

In real life, encryption methods aren't so simple. The most commonly used method to encrypt our messages is the Public & Private Continue reading "Cryptography & Encryption: a secret language."

Phishing phish.

--Originally published at Merino is talking about security.

Phishing refers to the act of masquerading as a company or institution in order to steal information, such as usernames, passwords, and credit card details.

I presented this subject in class, and to be honest it is quite a tricky one. The interesting thing about phishing is that, even though it happens across the different communication technologies, the attacker doesn't actually need any technical knowledge of the technology. The attack happens at the human level, so the attacker doesn't need to be a hacker per se; they'll just send you an e-mail pretending to be a company or some such, saying that something is wrong with an account of yours and that they need your password to fix it. As easy as that.

The more intricate phishing scams do require technical skills, like hosting a fake website online with a URL that's almost indistinguishable from the real deal (different by only a couple of characters: an added 'the', a different extension, etc.), where users "log in", or at least think they do, and actually hand their credentials to the attackers. A recent example is what happened to the giant company Equifax: not satisfied with having a massive security breach, they linked on Twitter to a lookalike phishing site instead of their own. If a large company can be fooled, what about the rest of us? That's why we always check, and double check, the URL bar.

But examples like the one above are just the tip of the iceberg; as I wrote above, attackers don't need to be technical experts, they just need to get in contact with you through an email, a social media message, even a phone call. We need to be smart about protecting ourselves: if someone approached you on the street asking for your email and/or password, even if he/she claimed to be from Continue reading "Phishing phish."
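As an added example of the "check and double check the URL bar" advice (my own code, not from the original post), here is a small Python checker that pulls the host out of a link, reduces it to its registrable domain and compares that against a list of domains you know are genuine. A domain within a couple of edits of a known one is flagged as a lookalike, and a known brand name appearing inside somebody else's domain (the paypal.com.something.example trick) is flagged as brand-in-host. The known-domain list, the sample links and the two-label approximation of "registrable domain" are assumptions of the example; equifax.com is on the list because the post mentions Equifax, the other entries are illustrative.

```python
from urllib.parse import urlparse

# Domains we trust (assumption of the example): equifax.com because the post
# mentions Equifax; the others are illustrative entries.
KNOWN_DOMAINS = ("equifax.com", "paypal.com", "mybank.example")


def levenshtein(a, b):
    """Edit distance: the number of single-character insertions, deletions or
    substitutions that turn a into b. Lookalike domains sit one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_and_domain(url):
    """Return (full host, registrable domain) for a link.

    The registrable domain is approximated as the last two labels, which is
    right for .com/.net-style names and wrong for suffixes like co.uk; a real
    checker would consult the Public Suffix List instead.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, domain


def classify_url(url, known=KNOWN_DOMAINS, max_distance=2):
    """Classify a link as ok / lookalike / brand-in-host / unknown, with the domain it matched."""
    host, domain = host_and_domain(url)
    if domain in known:
        return "ok", domain
    for brand in known:
        # "paypa1.com", "equifaxx.com": one or two characters off the real thing.
        if levenshtein(domain, brand) <= max_distance:
            return "lookalike", brand
        # "paypal.com.account-review.example": the real brand is only a
        # subdomain label of somebody else's domain.
        if brand.split(".")[0] in host:
            return "brand-in-host", brand
    return "unknown", domain


# Constructed sample links, not taken from any real campaign.
SAMPLE_LINKS = [
    "https://www.equifax.com/personal/",
    "http://equifaxx.com/login",
    "https://paypal.com.account-review.example/signin",
    "http://paypa1.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, detail = classify_url(link)
        print(f"{verdict:14} {detail:16} {link}")
```

The checker only looks at the host, which is the point: the path and the page content are the attacker's to control, the registered domain is not. Anything that comes back as lookalike or brand-in-host deserves the same reaction as a stranger asking for your password in the street.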

Your computer has been kidnapped.

--Originally published at Merino is talking about security.

The government of {{Insert current location country name}} has found {{Insert illegal material}} on your computer. Please pay a fine of {{Insert ridiculous amount of money}} to regain access to your computer.


Kidnapped!? Really!? Yes. Thanks to this thing called ransomware, Internet pirates and other evil-doers can lock all the information on your computer, encrypting it so you can't use it. Now you have to pay them a sum of money to regain access to it, or say goodbye to your precious data.

As explained above, a ransomware attack targets your computer and encrypts various files and folders, rendering them useless. You get hit by it if your computer gets infected with malware or you run a malicious script; the attacker hides the code as an e-mail attachment, a link on an infected web page, videos on dodgy pages, fake system updates, etc. Not very different from other kinds of attacks. But what makes ransomware different is that, while other attacks may just want to wreck your computer or steal your info, ransomware will actually ask you to pay a ransom, and paying doesn't guarantee that your information won't be copied and/or stolen; it doesn't even guarantee that it will be released. That is why an offline backup you made beforehand is the only reliable way to get your data back.

Many times they will mask the attack as a sort of government-issued computer search warrant, claiming that illegal material has been found on your computer and that you have to pay a fine to regain access to your machine.

So, how can I protect myself?
  • Anti-virus and anti-malware, all the way. Malicious attachments and links are the main ways that ransomware gets distributed, so add these layers of protection.
  • Don't click random links; check the address to see if it's a site you trust, hover (without clicking) the mouse over the link Continue reading "Your computer has been kidnapped."

The life and death of Aaron Swartz and why it matters. Part 1.

--Originally published at Merino is talking about security.

Aaron Swartz at Boston Wikipedia Meetup, 2009-08-18
(From Wikimedia Commons, the free media repository)
A couple of classes ago we saw the first half (and a little more) of the 2014 documentary feature "The Internet's Own Boy: The Story of Aaron Swartz", directed by Brian Knappenberger. And, for a millennial who spends most of his time online and is studying for a major in computer science, I'm guilty, like many others, of not knowing who Aaron Swartz was. And, let me tell you, he was a pretty big deal.

As soon as the film started I was ready not to like this guy: he was a gifted boy genius, heavily opinionated, and partly responsible for the creation of Reddit (a page that, to put it lightly, has image problems). People with that profile usually score low on the likeability scale; they can come across as pretentious and hard to connect with on a human level. But I was pleasantly surprised to find that I was dead wrong: yes, he was heavily invested in his work, but he also cared a lot about the PEOPLE who surrounded him, and about how his work affected them.

You see, Swartz was quite a pioneer of the modern internet, maybe not a founding father per se, but his work ranged from RSS, to a page that can best be described as a pre-Wikipedia, to the aforementioned Reddit, all at a very young age. Swartz was all about sharing information; his brothers, interviewed in the film, mention that, apart from computers, he had a passion for teaching. He would explain what he learned at school to his brothers, he would read the entire textbook before class, he would spend his time toying with CD encyclopedias; he wanted all that information to be accessible to the world, and he saw in the internet a way to do so.

Continue reading "The life and death of Aaron Swartz and why it matters. Part 1."

Simple stuff you can do to be safe.

--Originally published at Merino is talking about security.

1. Always stay updated.

  • Be sure to turn on auto-updates for Operating System and apps.
  • The host operating system, as well as any other operating systems you run (for example, in virtual machines).
  • Applications (mobile and also on computer, drivers, etc.)
2. Encrypt data.
  • Modern phones encrypt their storage by default; on Macs (FileVault) and most Linux distributions (LUKS) it is an option you enable at setup, so check that it is on anyway.
  • Windows users can turn on BitLocker or Device Encryption if their edition has it, or use a tool like VeraCrypt (make sure that you have a backup first).
3. Have an antivirus and anti-malware (but don't install two or more at the same time, since they may conflict and not work properly that way).

4. Passwords.
  • Have strong passwords: no "password", no "12345678", no "77777777", etc.
  • Don't use the same passwords for different things.
  • Consider using a password manager, it can be your computer's keychain or a third party manager you trust.