VPC

--Originally published at tc2027 – Ce qui est chouette

In this post I’ll cover Virtual Private Clouds, such as those offered by Google Cloud Platform and Amazon Virtual Private Cloud.

A virtual private cloud is a logically isolated virtual network that a cloud provider carves out of its shared infrastructure for a single customer (a tenant). Many tenants run on the same physical hardware, yet each one sees only its own network. The isolation is achieved by giving each tenant a private address space and dividing it into subnets, one per group of resources that need to talk to each other directly; the provider’s network fabric (VLANs or, more commonly today, an overlay network) keeps the tenants’ traffic apart, connections between groups on different subnets go through routing rules, and a local DNS server resolves names inside the private network.

Clouds by Eric Summers on Flickr under a CC License.

VPC services usually also offer a VPN, an encrypted and authenticated tunnel between the tenant’s own network or users and the resources inside the VPC, so that traffic crossing the public Internet is encrypted and only authenticated peers can reach the private address space. A VPC thus delivers layered security (network isolation, routing and firewall rules, encrypted access) as a service; the cost is that it takes real care to set up correctly, but done right it gives a system a strong defensive posture.
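The subnetting and isolation rule described above, as an added example that is not code from the original post or from any cloud provider: it carves a VPC address block into one subnet per tenant, checks that the plan is well formed, and decides whether a packet may cross from one address to another. The CIDR, the tenant names and the "shared-services" subnet (standing in for the local DNS the post mentions) are hypothetical.

```python
"""Added example (not code from the original post): carve a VPC address block
into per-tenant subnets and enforce the isolation rule the text describes.
The CIDR, tenant names and the 'shared-services' subnet are hypothetical."""
import ipaddress
from typing import Dict, Iterable, Optional

Plan = Dict[str, ipaddress.IPv4Network]


def allocate_subnets(vpc_cidr: str, tenants: Iterable[str], new_prefix: int) -> Plan:
    """Hand each tenant its own /new_prefix subnet out of the VPC block, in order.
    Raises ValueError if the block is too small for every tenant to get one."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    pool = vpc.subnets(new_prefix=new_prefix)
    plan: Plan = {}
    for tenant in tenants:
        try:
            plan[tenant] = next(pool)
        except StopIteration:
            raise ValueError(f"{vpc_cidr} cannot hold a /{new_prefix} per tenant") from None
    return plan


def verify_plan(vpc_cidr: str, plan: Plan) -> bool:
    """Every subnet must lie inside the VPC and no two subnets may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = list(plan.values())
    if not all(net.subnet_of(vpc) for net in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def owner_of(ip: str, plan: Plan) -> Optional[str]:
    """Which tenant's subnet does this address belong to (None if outside the VPC)?"""
    addr = ipaddress.ip_address(ip)
    for tenant, net in plan.items():
        if addr in net:
            return tenant
    return None


def traffic_allowed(src_ip: str, dst_ip: str, plan: Plan, shared: str = "shared-services") -> bool:
    """Isolation rule: allow a packet only when source and destination are in the
    same tenant's subnet, or the destination is the shared-services subnet
    (e.g. the local DNS resolver every tenant may query). Everything else,
    including traffic from outside the VPC, is dropped."""
    src, dst = owner_of(src_ip, plan), owner_of(dst_ip, plan)
    if src is None or dst is None:
        return False
    return src == dst or dst == shared


if __name__ == "__main__":
    plan = allocate_subnets("10.0.0.0/16", ["shared-services", "tenant-a", "tenant-b"], 24)
    for tenant, net in plan.items():
        print(f"{tenant:16} {net}")
    print("plan valid:", verify_plan("10.0.0.0/16", plan))
    print("a -> a   ", traffic_allowed("10.0.1.10", "10.0.1.20", plan))   # True
    print("a -> b   ", traffic_allowed("10.0.1.10", "10.0.2.20", plan))   # False
    print("b -> dns ", traffic_allowed("10.0.2.5", "10.0.0.53", plan))    # True
```

Note that the shared subnet is reachable from every tenant but cannot initiate traffic back into a tenant’s subnet; that asymmetry is what keeps a compromised shared service from becoming a bridge between tenants.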

This is a technology that I’ve yet to learn, but will do so, hopefully, this summer. If there are some project ideas that you, the reader, have that may help in my learning of this technology, I’d appreciate it if you shared them in the comments.

– Virtual Private Guy.

Containers

--Originally published at tc2027 – Ce qui est chouette

In this post I’ll talk about containers, how they are used, and a little about their implications for security.

First, what is a container? A container is a lightweight package of a piece of software that includes everything needed to execute it: code, runtime, system tools, system libraries, settings, etc. A container is isolated from the rest of the host, so it runs the same way every time, anywhere it is executed. When several run on a single machine they share its operating system kernel, start almost instantly, and use less CPU and RAM than virtual machines would.

Isn’t that a virtual machine?

No.

.

.

.

Container by Photo Your Space on Flickr under a CC License.

A virtual machine consists of the following:

  • Abstraction of physical hardware.
  • Each VM consists of a full copy of a guest OS, some apps and the necessary binaries and libraries.
  • The hypervisor allows several VMs to run on a single machine, turning one computer into many.
  • Usually in the GBs.

While a container is:

  • Abstraction of the application layer.
  • Contains code and its dependencies.
  • Multiple containers run on the same machine sharing the Host OS kernel with other containers.
  • Usually in the MBs.

So yeah, it’s virtual-machine-esque but not quite. Packaging the software with its dependencies means the host does not need the application’s libraries or configuration installed, and the container’s processes, filesystem and network are namespaced away from the host’s. One caveat: environment variables, which may contain sensitive data, are not hidden from the host by the container boundary; anyone with access to the Docker daemon can read them with docker inspect, and values set in the image are visible in its layers, so credentials belong in runtime secrets, not in the image. Put a reverse proxy like NGINX in front, set up TLS, and you have a slightly more secure application.

A technology that’s currently leading the market is Docker, which provides a hub (Docker Hub) on which to upload your own images for the world to see, and from which to download common images to extend into your own.
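As an added example, not from the original post or from the Docker project, here is a small audit for the three points raised above: a base image that is not pinned (`:latest` or no tag at all), a credential baked into the image through `ENV`, and a process that runs as root because no `USER` is set. The two Dockerfiles are constructed samples; the `node:20-bookworm-slim` tag and the `node` user in the hardened version are assumed to exist in that base image.

```python
"""Added example (not from the original post or the Docker project): a small
Dockerfile audit for the points made above. Image names, tags and the sample
Dockerfiles below are constructed for illustration."""
import re
import shlex
from typing import Iterator, List, Tuple

# Environment-variable names that usually hold credentials.
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.IGNORECASE)


def parse_instructions(dockerfile: str) -> Iterator[Tuple[str, str]]:
    """Yield (INSTRUCTION, arguments), joining backslash line continuations
    and skipping blank lines and comments."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def env_names(args: str) -> List[str]:
    """Variable names from either 'ENV K=V K2=V2' or the legacy 'ENV K V' form."""
    try:
        tokens = shlex.split(args)
    except ValueError:              # unbalanced quotes: fall back to plain split
        tokens = args.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [tok.split("=", 1)[0] for tok in tokens if "=" in tok]
    return [tokens[0]]


def base_image_pinned(image: str) -> bool:
    """True when the base image is pinned by digest or by a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]       # drop registry/namespace, which may carry ':port'
    if ":" not in last:
        return False                        # no tag means 'latest' implicitly
    return last.rsplit(":", 1)[1] != "latest"


def audit_dockerfile(dockerfile: str) -> List[str]:
    """Return one finding per weak spot; an empty list means nothing was flagged."""
    findings: List[str] = []
    runs_as_root = True
    for instr, args in parse_instructions(dockerfile):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]   # skip --platform
            if tokens and not base_image_pinned(tokens[0]):
                findings.append(f"FROM {tokens[0]}: unpinned base image, builds are not reproducible")
        elif instr == "ENV":
            for name in env_names(args):
                if SECRET_NAME.search(name):
                    findings.append(f"ENV {name}: secret baked into the image, readable with 'docker inspect' and 'docker history'")
        elif instr == "USER":
            user = args.split()[0].split(":")[0] if args else "root"
            runs_as_root = user in ("root", "0")
    if runs_as_root:
        findings.append("no non-root USER: the application runs as root inside the container")
    return findings


# Constructed sample, not a real project's Dockerfile: three weak spots.
WEAK_DOCKERFILE = """\
FROM node:latest
ENV DB_PASSWORD=hunter2 \\
    NODE_ENV=production
COPY . /app
RUN cd /app && npm ci
CMD ["node", "/app/server.js"]
"""

# Same service hardened: pinned tag (a digest pin is stronger still), the secret
# moved out of the image (inject it at runtime instead), and a non-root user.
# 'node:20-bookworm-slim' and the 'node' user are assumed to exist in the base image.
HARDENED_DOCKERFILE = """\
FROM node:20-bookworm-slim
ENV NODE_ENV=production
COPY --chown=node:node . /app
RUN cd /app && npm ci
USER node
CMD ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {label}")
        for finding in audit_dockerfile(text) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately line-based and will not understand every Dockerfile construct (`ARG`-driven image names, for example); it is meant to show what each finding looks like, not to replace a full linter.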

– FROM fornesarturo/dude:latest

Onions were right all along

--Originally published at tc2027 – Ce qui est chouette

This post will deal with the topic, or security practice, of security by layers (also called defense in depth), and with a little suggestion of a technology that may serve this purpose without deep configuration.

Onion by John Vetterli on Flickr under a CC License.

In information security, security by layers refers to the practice of combining various security controls across an application’s pipeline, that is, multiple mitigating controls that each protect the application’s resources and data, so that a weakness in one is caught by another. There are various ways of going about these layers; there is no silver bullet in security by layers, as every system is different, but some examples are:

Consumer Layered Security Strategy

  • Extended validation (EV) SSL certificates.
  • Multifactor authentication.
  • Single sign-on (SSO).
  • Fraud detection and risk-based authentication.
  • Transaction signing and encryption.
  • Secure Web and e-mail.
  • Open fraud intelligence network.

Enterprise Layered Security Strategy

  • Workstation application whitelisting.
  • Workstation system restore solution.
  • Workstation and network authentication.
  • File, disk and removable media encryption.
  • Remote access authentication.
  • Network folder encryption.
  • Secure boundary and end-to-end messaging.
  • Content control and policy-based encryption.

These are the common can-be-found-in-any-page-you-check strategies, in the next blog I’ll cover another topic related, in some way, to security by layers, that is using containers to deploy code.

– An ogre.

Alice and Bob, their story

--Originally published at tc2027 – Ce qui est chouette

The brief description provided by Coursera’s Cryptography I course, by Stanford University, paints cryptography as a tool for protecting information in computer systems. What I’ll attempt to cover in this post is cryptography’s real-world application: why it is needed.

First let’s deal with some basic stuff regarding cryptography, starting with the classic Alice, Bob and that bastard Eve who’s always meddling, she’s more of a Lilith if you ask me. Let’s say Alice has the sudden urge to communicate some secret message to Bob, perhaps she’s going to confess her love, but Eve also likes Bob, and Alice knows this. She can’t meet Bob in person, Eve would find out, she lives close by and would get in the way. THANK GOD for the cryptography course Bob and Alice took years ago, where they learned about symmetric and asymmetric cryptography . . .

 

Secured! by Sean T. Evans on Flickr under a CC License.

Sidenote to Explain Asymmetric and Symmetric Cryptography

Based on this post on Synopsys. Encryption uses an algorithm and a key to turn plaintext, the message, into ciphertext, the encrypted message that you can then send. Symmetric encryption uses the same key for both encryption and decryption of a message; it’s fast and can be used for large amounts of data, like encrypting a hard drive, and the hard part is keeping that key secret and getting it to the other party. Asymmetric encryption uses a pair of keys, a private one that you never share and a public one that can be distributed anywhere. Anyone can encrypt a message with your public key, and only the matching private key can decrypt it. The private key can also produce a signature over a message, which anyone holding your public key can verify, proving the message came from you and was not altered Continue reading "Alice and Bob, their story"

Tokens: the ‘I’m old enough to drink’ of web-based teens

--Originally published at tc2027 – Ce qui est chouette

In this post I’ll be dealing with the topic of Authentication and Authorization, and at the end of this post I’ll provide some examples and summarize some of the currently used solutions.

The difference

First, let’s deal with what both of these concepts refer to and what the difference between them is.

Authentication means verifying who someone is. This is what sign up and log in are for, the first one defines who you are, while the latter is where the authentication lies, in checking your user-id and password to match you with someone in the system; authentication answers the claim this is who I am with a yep, that’s who you are.

Bouncers by Fabio Venni on Flickr under a CC License.

Authorization means verifying that someone has permission to perform an action. This refers to a certain user having or gaining access to a resource, and it is usually done through different types of user, e.g. Administrator, Anonymous User, etc. Authorization answers hey, can I do this? with yep, you can, or, if it were an English teacher, can you?, to which you would simply groan in disgust at this attempt at comedy.

Tokens

One common way to handle both these processes is through the use of tokens. A token is a series of characters, usually encoded, that represent both to whom the token belongs—to which account it is linked—and what type of access this token has.

An implementation of tokens that I’ve used is JWT (JSON Web Token). A JWT consists of three parts: header, payload, and signature. The first two are JSON objects, base64url-encoded and separated by a dot (.); the signature is a bit different, as it is computed, with the algorithm named in the header (typically an HMAC or a public-key signature, not encryption), over the encoded header and payload:

SigningAlgorithm(base64url( Continue reading "Tokens: the ‘I’m old enough to drink’ of web-based teens" 
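The token flow described above, as an added example that is not code from the original post or from any JWT library: it mints an HS256 token by hand, verifies it (pinning the algorithm so a token cannot talk the verifier into `alg: none`, comparing signatures in constant time, and honouring `exp`), and then turns the verified claims into an authorization decision with a role table. The secret, the claims and the role-to-permission mapping are hypothetical.

```python
"""Added example (not from the original post): minting and verifying an HS256
JWT by hand, plus the role check that turns the verified payload into an
authorization decision. The secret, claims and role table are hypothetical."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

Claims = Dict[str, Any]


class InvalidToken(Exception):
    """Raised for any token we refuse: malformed, wrong alg, bad signature, expired."""


def b64url(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_part(part: str) -> Any:
    try:
        return json.loads(b64url_decode(part))
    except ValueError:                      # bad base64, bad UTF-8 or bad JSON
        raise InvalidToken("part is not base64url-encoded JSON") from None


def sign_jwt(claims: Claims, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, 'header.payload')."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Claims:
    """Return the claims only if the token is genuine and still valid (authentication)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("a JWT has exactly three dot-separated parts")
    enc_header, enc_claims, enc_tag = parts
    header = _json_part(enc_header)
    # The verifier, not the token, decides the algorithm. Trusting header['alg']
    # is how 'alg: none' and key-confusion bypasses work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unsupported or missing alg")
    expected = hmac.new(secret, f"{enc_header}.{enc_claims}".encode("ascii"), hashlib.sha256).digest()
    try:
        given = b64url_decode(enc_tag)
    except ValueError:
        raise InvalidToken("signature is not base64url") from None
    if not hmac.compare_digest(expected, given):        # constant-time comparison
        raise InvalidToken("signature mismatch")
    claims = _json_part(enc_claims)
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be a JSON object")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


# Authorization: the signature only tells us who the caller is; this table
# (hypothetical) decides what that caller may do.
ROLE_PERMISSIONS = {"admin": {"read", "write", "delete"}, "user": {"read"}}


def can(claims: Claims, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(claims.get("role", ""), set())


if __name__ == "__main__":
    secret = b"correct horse battery staple"          # hypothetical; never hard-code a real one
    token = sign_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 3600}, secret)
    print(token)
    claims = verify_jwt(token, secret)
    print("alice may read:", can(claims, "read"), "| delete:", can(claims, "delete"))
    try:
        verify_jwt(token, b"some other key")
    except InvalidToken as err:
        print("rejected:", err)
```

The two checks that matter most in practice are the ones that tokens in the wild try to talk you out of: never read the algorithm from the token, and never compare signatures with `==`.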

On Certifications

--Originally published at tc2027 – Ce qui est chouette

Do I really have to take an exam? But I already know this, can’t you just ask me some questions to test me? These are some of the questions one may be thinking when the topic of IT Certifications comes up. In this post I’ll try to put forth both sides of the argument regarding this topic, I’ll link some resources at the end so you can read more about the topic.

Exams by Leonora Giovanazzi on Flickr under a CC License.

We don’t need certifications

Certifications have been shown to work well in industries like engineering, where one can specialize and get certified in various aspects of civil engineering, while another might go the electrical engineering route. Both can go their merry way getting certified in bridge-building or electrical systems (I think at this point it’s evident that my sources of information about these careers are limited to college brochures) because no one would expect an electrical engineer to build a bridge, and he might not be that excited about it either. But in the software industry, areas do get intertwined, so perhaps certifications aren’t meant for us.

Experience in multiple areas is a plus; it’s an asset that can come in handy in attacking a problem from several angles. For industries like engineering, most things are set in stone, but software is in constant evolution: a certification you might get today may be obsolete come next year; at that rate, is it really worth the time and money required? Some may argue that a certification just means you’re good at passing tests (sidenote: that’s an issue I personally have with the way some companies handle job interviews).

On the other hand. . .

Some employers do look at certifications as a measure of quality and commitment to the area. Certifications serve Continue reading "On Certifications"

Don the White, Jon

--Originally published at tc2027 – Ce qui est chouette

Everyone’s on the payroll nowadays, even hackers. Like legit payroll, no more 1337 money for hackers. Ethical hacking consists of deliberately exploiting the existing vulnerabilities in a system, usually one reachable over the network, by intruding into it in order to verify and evaluate its physical and logical security. The idea is to prove that a system is vulnerable and show where the vulnerabilities are, so the organization that owns the system can take the appropriate preventive measures before someone else exploits them.

Now don’t panic: ethical hackers, or white hat hackers, perform these penetration or intrusion tests in a controlled environment and with the owner’s authorization, trying to think as the attackers would in order to find weaknesses in security. Kind of undercover geeks . . . please don’t hack me.

Reese, Hacker by Donnie Ray Jones on Flickr under a CC License.

How Can I Become One of These White Knights?!

Since, as an official ethical hacker, you’d come across confidential information while probing for exploits, your employers will ask to see some kind of credentials before allowing you to poke around their systems without restriction. The answer to who do you think you are? when making this type of proposition is to flaunt some information security certifications.

To officially get the ethical hacker title, I suggest the Certified Ethical Hacker (CEH) certification from the EC-Council (International Council of E-Commerce Consultants), primarily a professional certification body, but also the organizer of a series of information security conferences and of EC-University.

The purpose of this certification is detailed in their page:

  • Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
  • Inform the public that credentialed individuals meet or exceed the minimum standards.
  • Reinforce ethical hacking as a unique and self-regulating profession.

Certifications are a nice way of going pro, as they help regulate professionals by providing employers with a base-knowledge  Continue reading "Don the White, Jon"

Why your site could be taken down by some fridges

--Originally published at tc2027 – Ce qui est chouette

This post’s topic will be IoT botnets.

Internet of Things

Starting with the basics, IoT (Internet of Things) refers to tangible devices (fridges, cars, security cameras) being fitted with electronics (sensors), software and a network connection so that they can communicate with one another and broadcast data to others. In IoT, such a device, an intelligent fridge say, is called a Thing: a device with an IP address and the ability to transmit data over a network.

OMFG! It’s the EVIL FRIDGE! by Fabio on Flickr under a CC License.

What is a Botnet?

Any device that has been hijacked is called a zombie or a bot; an IoT Thing that has been taken over is then called a Thingbot (honestly, I think they messed up; zombie horde sounds way cooler than botnet). Anyway, a botnet is a distributed network made up of many hijacked devices, IoT Things among them, infected by malware so that they carry out orders on command.

The bot part of the botnet connects to a command-and-control (C2) server, historically often just an IRC channel or a bot-exclusive chat room, sometimes over an encrypted connection. At any moment the owner of the botnet can reach the control server and ask its members to do stuff, like dance or destroy humanity. These botnets can be used to perform distributed attacks, like DDoS; to steal data; to redistribute the malware that infected them, becoming the thing they swore to destroy in the first place (I trusted you . . . you were my brother, Anakin); to mine cryptocurrency; or simply to download and run a file. An example of botnet malware is Mirai, which spread by logging into Things over Telnet with factory-default usernames and passwords.

How can I protect my Thing from becoming a Zombie?

Upgrade its firmware, replace the factory-default credentials with a strong, unique username-and-password combination, and disable or firewall off any remote management services (Telnet in particular) that you don’t need exposed.

– Totally not a Botnet.

References
IT Security Guru. (January 21, 2014). The Internet of Things – Thingbot. On Continue reading "Why your site could be taken down by some fridges"

Los Dedos te atacan

--Originally published at tc2027 – Ce qui est chouette

This post will deal with DoS (Denial of Service) and DDoS (Distributed Denial of Service). Los Dedos te atacan ("the fingers attack you") comes from DDoS sounding like dedos (fingers in Spanish) when read from a Spanish perspective.

Hand by Hana Tichá on Flickr under a CC License.

DDoS and DoS attacks have the same goal. Render an online service—like an API, online gaming networks like Xbox Live or PlayStation Network, or your average webpage—unavailable for its legitimate users. This is usually done by flooding the victim’s server with requests or performing a particular request that triggers some action to bring the server down. In the end, both these attacks set their aim at the Availability part of the CIA Triad.

A traditional DoS attack consists of a single computer performing these requests, so you could imagine this type of attack would be easy to defend against. SPOILER ALERT: it usually is. A check for the same IP address making too many requests in a short span of time, followed by rate limiting or blocking that address, does the trick for floods; the one-request variety, where a crafted request crashes or hangs the service, is a bug that needs fixing rather than a rate limit. The real problem lies with DDoS, mainly because of the first D.

DDoS attacks are the steroid-pumped version of DoS attacks, as just mentioned, because of the Distributed part. A DDoS attack is based on the same idea, but instead of a single computer the culprit is a network of computers of any type: hijacked personal computers, remote servers from all around the globe, or IoT Things like fridges or security cameras. Because the traffic comes from thousands of addresses, each sending a modest amount, a per-IP threshold sees nothing unusual even while the total crushes the server, and the geographical spread means that identifying and blocking the attacking machines is harder and takes much more time.
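The per-IP check the text relies on, as an added example that is not code from the original post: a sliding-window detector run over constructed access-log lines containing normal users, one single-source flood and one distributed flood of the same total size. The single source trips the threshold; the hundred bots, each sending three requests, never do, even though the aggregate request rate the server feels is the same or worse. The log format, addresses (RFC 5737 documentation ranges) and timestamps are all synthetic.

```python
"""Added example (not from the original post): a per-IP sliding-window flood
detector run over constructed access-log lines, showing that it catches the
single-source DoS but is blind to the distributed flood. All addresses and
timestamps are synthetic (documentation ranges from RFC 5737)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[float, str, str]          # (unix time, client IP, request line)


def parse_log(lines: Iterable[str]) -> List[Event]:
    """Constructed log format: '<unix_time> <client_ip> <request>'."""
    events: List[Event] = []
    for line in lines:
        ts, ip, request = line.split(" ", 2)
        events.append((float(ts), ip, request))
    events.sort(key=lambda e: e[0])     # the detectors below need time order
    return events


def flag_floods(events: List[Event], window: float = 10.0, limit: int = 20) -> Dict[str, float]:
    """Flag an IP the first time it has more than `limit` requests inside any
    `window` seconds. Returns {ip: time of the request that tripped it}."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Dict[str, float] = {}
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def peak_request_rate(events: List[Event], window: float = 10.0) -> int:
    """Most requests from *all* clients combined in any `window` seconds: the
    load the server actually feels, whichever IPs it came from."""
    q: Deque[float] = deque()
    peak = 0
    for ts, _, _ in events:
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def synthetic_traffic() -> List[str]:
    """Constructed traffic: normal users, one DoS source, one DDoS swarm."""
    rows: List[Event] = []
    for i in range(5):                   # 5 legitimate users, 6 requests each, spread out
        rows += [(1000 + 10 * i + k, f"192.0.2.{i + 1}", "GET /") for k in range(6)]
    # DoS: one host fires 100 requests in 5 seconds
    rows += [(1030 + 0.05 * j, "198.51.100.7", "GET /search?q=x") for j in range(100)]
    # DDoS: 100 bots, 3 requests each, in the same 5-7 seconds (300 requests total)
    for j in range(1, 101):
        rows += [(1030 + 0.05 * j + k, f"203.0.113.{j}", "GET /search?q=x") for k in range(3)]
    return [f"{ts:.3f} {ip} {req}" for ts, ip, req in rows]


if __name__ == "__main__":
    events = parse_log(synthetic_traffic())
    flagged = flag_floods(events)
    print("per-IP detector flagged:", flagged)                 # only 198.51.100.7
    bots = sum(1 for ip in flagged if ip.startswith("203.0.113."))
    print(f"DDoS bots flagged: {bots} of 100")                # 0
    print("peak requests in any 10 s window:", peak_request_rate(events))
```

Lowering `limit` until the bots trip it (try `limit=2`) also flags the legitimate users, which is exactly the bind a DDoS puts the defender in: per-source thresholds stop being a useful signal, and the fight moves to aggregate capacity and upstream filtering.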

Types of DoS

Now onto the details, these are the classes of DoS attacks:

TCP.

This type of attack attempts to block all the available connections to the infrastructure Continue reading "Los Dedos te atacan"

Three letters to rule them all

--Originally published at tc2027 – Ce qui est chouette

This post will deal with the CIA, but it won’t be about the usual, let’s call it fun and secretive, CIA; this is about the information security concept called the CIA Triad, a model that guides and evaluates policies regarding information security inside an organization. The three letters stand for Confidentiality, Integrity, and Availability.

Spies by Emory Allen on Flickr under a CC License.

Confidentiality

Generally, this concept refers to the rules that limit access to the provided information. It revolves around privilege, in the sense of user privilege (not the fuzzy SJW privilege), like an administrator user, a public user or a specific user. Confidentiality relies on the following three principles (this is quickly becoming a tree, isn’t it . . .): Identity, Authentication and Authorization, because if any of these is compromised, so is confidentiality. Let’s say someone steals your online credentials: your identity has been hijacked, they can now access your stuff, and the service’s confidentiality is lost. In practice, confidentiality is all about how your data is classified and how credentials are secured.

Integrity

This concept refers to making sure that information gets where it’s headed with no detours and without losing anything on the journey, that is, that it hasn’t been tampered with when travelling from source to destination or whenever it makes a pit stop. One way to check integrity is to send a hash along with the message; on the recipient’s end the hash is recalculated and compared against the one included with the message, and if it matches, the data arrived as it was sent. Note that a plain hash only catches accidental corruption: an attacker who can change the message can recompute the hash just as easily, so against deliberate tampering the hash has to be keyed (an HMAC with a secret shared by sender and recipient) or replaced by a digital signature.
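The integrity check described above, as an added example that is not code from the original post: a message travels with a SHA-256 hash and, separately, with an HMAC; a flipped bit is caught by both, but an active attacker who edits the amount can recompute the unkeyed hash and sail through, while the keyed tag cannot be forged without the shared secret. The message, the key and the attacker’s edit are constructed for illustration.

```python
"""Added example (not from the original post): why a bare hash sent with the
message proves integrity against noise but not against an active attacker,
and how a keyed hash (HMAC) closes that gap. Message, key and the attacker's
edit are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, Tuple

Sealed = Tuple[bytes, str]   # (message, hex digest or tag travelling with it)


def attach_hash(message: bytes) -> Sealed:
    """Sender side, unkeyed: message plus its SHA-256."""
    return message, hashlib.sha256(message).hexdigest()


def check_hash(message: bytes, digest: str) -> bool:
    """Recipient side, unkeyed: recompute and compare."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def attach_mac(message: bytes, key: bytes) -> Sealed:
    """Sender side, keyed: message plus HMAC-SHA256 under the shared key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def check_mac(message: bytes, tag: str, key: bytes) -> bool:
    """Recipient side, keyed: only someone holding the key can produce a matching tag."""
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), tag)


def flip_one_bit(message: bytes) -> bytes:
    """Accidental corruption on the wire: one bit of the first byte flips."""
    corrupted = bytearray(message)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def tamper(message: bytes) -> bytes:
    """Deliberate edit by someone on the path: the amount is changed."""
    return message.replace(b"100.00", b"9100.00")


def demo() -> Dict[str, bool]:
    key = b"shared-secret-between-alice-and-bob"   # hypothetical shared key
    msg = b"PAY alice 100.00"                        # constructed message

    # 1) Noise: both schemes notice a flipped bit.
    m, d = attach_hash(msg)
    noise_caught_by_hash = not check_hash(flip_one_bit(m), d)
    m, t = attach_mac(msg, key)
    noise_caught_by_mac = not check_mac(flip_one_bit(m), t, key)

    # 2) Active attacker, plain hash: rewrite the message AND recompute the hash,
    #    which needs no secret. The recipient sees a perfect match.
    m, _ = attach_hash(msg)
    forged = tamper(m)
    tamper_caught_by_hash = not check_hash(forged, hashlib.sha256(forged).hexdigest())

    # 3) Active attacker, HMAC: the message can be rewritten but the tag cannot be
    #    recomputed without the key, so the best they can do is forward the old tag.
    m, t = attach_mac(msg, key)
    tamper_caught_by_mac = not check_mac(tamper(m), t, key)

    return {
        "noise_caught_by_hash": noise_caught_by_hash,
        "noise_caught_by_mac": noise_caught_by_mac,
        "tamper_caught_by_hash": tamper_caught_by_hash,   # False: the hash was fooled
        "tamper_caught_by_mac": tamper_caught_by_mac,     # True
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name:24} {caught}")
```

The same reasoning is why download pages that publish a checksum next to the file protect only against a broken download, not against a server that has been compromised: whoever can swap the file can swap the checksum, unless the checksum is signed with a key the server does not hold.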

Availability

To make sure that a service is available for use. A secure service should be reliably available to the right people. This concept is the target Continue reading "Three letters to rule them all"