Baby Monitor – TC2027

--Originally published at Sebastian Luna

To introduce you to the topic I'll be writing about, I'll first explain the context.

My father works and lives out of Jalisco, but he comes to visit us every two weekends or so.
My brothers and I (we're three young adult males, which might be relevant) live with my mother; she left a few days ago for my place of birth to take care of her parents.

Why do I have to tell you this? Well... because before my mother left, my father set up two baby cameras to "watch the house", or rather to keep an eye on his sons.
Some of you might ask what this has to do with security. Well, let me tell you some stories that came up in the news:

  • A couple's 3-year-old son told his parents he was afraid of the man talking over the monitor at night. One day, the father heard "Wake up little boy, daddy's looking for you," coming from the monitor. (CBS)
  • A family in London was putting their child to sleep when they heard eerie music coming from the monitor and a voice that said "you're being watched". (CTV News)
These stories are creepy, but we're not babies, so what could go wrong? Well, if someone gained access to the monitors, they could watch us all the time: see our movements, when we go out, what time we come back, what we do when we're at the house, etc. There is a website, Insecam, which has this on its front page:

Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world.

Meaning that they have access Continue reading "Baby Monitor – TC2027"

Security or Convenience, TC2027

--Originally published at Sebastian Luna

With the increasing number of devices connected to the Internet, we sometimes (most of the time, really) do things thinking they are making us more secure on the Internet, but we are unintentionally doing the opposite.

I will talk about some authentication methods and other things we do on the Web and analyze whether they are keeping us safe or actually harming us.

Whenever we go to a park, a mall, or any public space, we are tempted to check the latest memes and videos, check or send important work emails, or do some work at a coffee shop. To do this, we connect (sometimes automatically) to free public Wi-Fi networks. I know it is very convenient, but please DO NOT USE FREE PUBLIC WI-FI to do important work or send sensitive data. WHY? Because you need NO AUTHENTICATION to establish a network connection, which means anyone else on that network can see whatever information you're sending (important emails, credit card information, you name it). Some measures you can take to be safer are: use a VPN (maybe I will write a blog post about this), and in your browser type "https" instead of "http" for the websites you're visiting, which adds an extra layer of security.
[image: http] = not safe

[image: https] = safe!


A very convenient thing for when we forget our password is to receive a code via SMS on your mobile phone. This is kind of safe, but there are some risks with it:
  • SMS messages are not protected from someone else seeing them.
  • There's no assurance they will go to the intended recipient. (Databreach)

Fingerprints! I think most smartphones nowadays come with this option: forget about those boring, old-fashioned secure passwords, now you can unlock your device with your fingerprint! Is this convenient? Hell yes. Is this safe? Maybe not so much.
Researchers developed a set of MasterPrints that could Continue reading "Security or Convenience, TC2027"

Authorization vs Authentication, TC2027

--Originally published at Sebastian Luna

I think these concepts are sometimes used incorrectly, or one is used to mean the other. The two are closely related, which is why they cause some confusion.

Today I will try to explain these concepts.

Authentication

It is a way to prove that you are who you say you are. Outside the tech environment, if an officer pulls you over and asks for your ID, it is a way for him to know who you are. If he asked your name, you could come up with a fake name, but an official ID will tell him your name and other accurate information about you, proving that you are you.

In the tech world, authentication is used by a server to know who is trying to access the information, and it is used by a client to know whether the server is who it claims to be.

There are different types of Authentication:
  • Single-factor: giving access to a system by using only one category of credentials. An example could be passwords.
  • Two-factor: giving access to a system by using two categories of credentials, in order to add an "extra layer" of security. It's usually added to username-password authentication by also asking for information that only the user knows or has; this can be a token or a code sent by SMS to your phone number.
  • Multi-factor: giving access to a system by using two or more categories of credentials.
  • Strong: combining two mutually independent factors of authentication, so that if one is compromised, the other isn't automatically compromised. Usually a credential is non-reusable, like a specific token valid for only one transaction, to add even more security.
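An added example (not code from the original post) of the two-factor and "strong" ideas above in Python: a password check (something you know) combined with a one-time token (something you have) that is consumed after a single use, so a replayed token fails. The user record, the password, the PBKDF2 round count and the token delivery are constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value for this example; tune for real systems


def make_user(password: str) -> dict:
    # Constructed user record: the password is stored only as a salted hash.
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "pending_token": None}


def check_password(user: dict, password: str) -> bool:
    # Factor 1: something the user knows. Constant-time comparison of the hashes.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def issue_token(user: dict) -> str:
    # Factor 2: something the user has. A fresh random code becomes the only
    # acceptable token; a real system would deliver it out of band (e.g. by SMS).
    user["pending_token"] = secrets.token_hex(4)
    return user["pending_token"]


def check_token(user: dict, presented: str) -> bool:
    # The token is valid for exactly one transaction: once it matches it is
    # cleared, so presenting the same code again (a replay) is rejected.
    pending = user["pending_token"]
    if pending is None:
        return False
    if not hmac.compare_digest(presented.encode(), pending.encode()):
        return False
    user["pending_token"] = None
    return True


def authenticate(user: dict, password: str, token: str) -> bool:
    # Two mutually independent factors: both are always evaluated, so a failure
    # on one does not short-circuit and reveal which factor was wrong.
    password_ok = check_password(user, password)
    token_ok = check_token(user, token)
    return password_ok and token_ok
```

Note that a correct token presented together with a wrong password is still consumed, so the user has to request a new one; that is the price of never letting a code be tried twice.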
______________________________________________________________________________
Authorization

Computer and Information Security, TC2027

--Originally published at Sebastian Luna

CIA? Probably not what you're thinking

In Information Security there are three big goals that every organization should take into consideration, which are:
  • Confidentiality
  • Integrity
  • Availability
The first one, Confidentiality, is to ensure that sensitive information of the organization is accessed only by those authorized to look at that information. There can be different levels of classification for the information, depending on how important it is. For example, someone getting unauthorized access to an email about which type of coffee someone likes doesn't have the same impact as if the email contained the nuclear launch codes.
There are several ways to keep information confidential; I'm not going to go in depth about these, but I can mention the following: secure passwords, two-factor verification, or encryption.

Integrity means keeping the information consistent. For example, if a document is being worked on by someone, an unauthorized person shouldn't be able to modify it, because then that document becomes untrustworthy and stops being consistent. This doesn't mean that information's integrity is compromised only if someone external does something to it; it can happen that a person has authorized access to a certain document, works on it all day, but forgets to save it or loses the most recent version. This affects the document's integrity because it stops being accurate.

Availability is the cherry on top of the previous concepts. Think about it: you can keep information in the most secure way, only those authorized can access it, and it's up to date, accurate and trustworthy. But what happens if it's stored on a computer that's kept under lock and key, the key is lost, and there is no copy of that key? That makes the information totally useless. The information should be accessible and available whenever it's Continue reading "Computer and Information Security, TC2027"