Never hard code Connection strings

--Originally published at miguel.net

A common practice during development is to just hard code every connection string that is been used on the project, but why is this a bad, and I mean a really bad practice?

Let's see what outputs the C# compiler for hard-coded strings:

As we can see, the line marked as IL_0001 is where the sintrg is been loaded to a variable, it is just written there, with out any consideration, imagine if someone gets access to your binaries, then they can just decompile them and read any sensitive string that was just hard-coded inside the program.

How to store them.

Many aproches can be used, maybe using encrypted files to store those keys, but also that can be cracked, or maybe using environment variables that store the encrypted strings, but again, it can be cracked. So, we cannot trust anybody, we need to be completly away from any kind of machine to be completly safe, but we can trust one institution, and when running on a cloud platform this is important, all cloud providers have their safe way to store this things Azure has Key Vault, Amazon has Systems Manager Parameter Store and Google has

ObjectAccessControls, all of them have their own capabilities and ways to charge you for those services.

Now, you maybe asking, why would I trust any of this companies to save my important stuff? You don´t have to, but they are certified by some external authorities, so at least you have a way to berify their security.

Additionaly you must be carefull when pushing a commit to an open repository, it is way to easy to find connection strings on Github, I personally use an extension on my IDE that can be configured to produce compiler errors if a connection string is hard-coded, Continue reading →

Fake News

--Originally published at TC2027SWSecurity

We could define fake news as falsely descriptive information that seeks to manipulate the audience regardless of its purpose.

Although using fake news to manipulate the public is a thousand year old practice, this new iteration we call fake news is much more powerful because of its speed, power and low production cost. The fake news is a kind of cancer of the web that is born as a result of the business models of Google and Facebook, in conjunction with the decline of traditional media.

Resultado de imagen para Fake news

To face it, then, what we need are better professional means that inspire confidence and seriousness, that win over the audience with courageous and objective coverage, taking advantage of both technology and historical journalistic techniques. If we can not value journalistic work seriously, making both readers and platforms pay for good content, then we will end up hurting ourselves, living in a less informed society and therefore less free.

Source: fakenews source

Gilberto Rogel García A01630171 #tc2027

Elevation of privilege

--Originally published at miguel.net

Elevation of privilege or privilege escalation is a group of attacks, where the attacker gets can perform an action that he originally didn't had permission to do by exploting a bug, a design flaw or a oversight configuration [Wikipedia].

"So, if I 'accidentally' opened a file that was on the folder of an administrator, then I had performed that kind of attack?" Actually, yes, if you were supposed to don't have access to that file.

Now, lets talk about Windows, it is not a surprise that Windows is one of the most attacked OS, so a lot of vurnerabilities had been found and patched but there is also that weird config under the system that is made to keep you safe but comes unsafe by default. One of those configurations is the one that allows any system to install with all privileges, even adding new users and making them part of the administrator group, so as you can imagine, full access for that user on the system.

A great repository to test your settings is the one from PowerShellMafia, the repository is PowerSploit, please note, this scripts are meant for testing, any other use maybe considered illegal. Also, it is important to note that at least Windows Defender blocks all this scripts as trojans, in fact, they are trojans but in good hands, any weapon can be used for good.

To check this attack been used you can watch the video from the YouTube channel Security World, he makes a really good explanation about the attack, and what I find interesting about this particular aproach is that it is creating a MSI installer that creates a new user with admin privileges, and then your imagination can fly, you can open anything, activate remote desktop, anything. Continue reading →

Never hard code Connection strings

--Originally published at miguel.net

How to store them.

Elevation of privilege

--Originally published at miguel.net

Depth or layers? – Security Blog #9

--Originally published at TC2027 – Security – That Class Blog

Okay, so… Have you heard of the famous cake layers? If you haven’t, please, check out my last blog. Else, we can continue!

And just for you to understand the reference. The anchors go the ocean floor… Deeply… To the depths…

176805103_eeb002dfdf_o — “Rusty Anchor” by _lem (CC https://creativecommons.org/licenses/by-nc-nd/2.0/). Taken from https://www.flickr.com/photos/_lem/176805103/

So, why did I asked you to read about the security layers? Because security in depth is based on the layers implementation. We already discussed how layers are supposed to function, if you achieve to cover all holes of each layer with the preceding layers, there will be no way an attack could be successful to your system. The thing is that achieving that level of perfection is impossible. Instead, security in depth assumes from the start that the layer method can, and will eventually fail. The layered security only achieves the exhaustion of the threat (Successful defense) or the slowing of it, giving time for other plans of action and countermeasures initialize.

Depth defense also assumes that the hack or breach isn’t necessarily of remote origin, this means that the possibility of physical theft, threats, unauthorized person access, and some other unique events (See van Eck phreaking below).

Usually, taking into account those possible events involve the set up of:

Monitors, alerts and emergency responses
Authorized personnel activity logs
Forensic analysis
Reports on criminal activity
Disaster recovery

Remeber that the objective of depth defense is to gain time. Each of the set up new components main objective is to delay the threat, which might not be obtained if we used only technological solutions. The obtained extra time should be used by the administrator to identify and try to overcome the hack.

And I guess that is for now regarding security.
As a mini comment

Continue reading →

Cake layers rule – Security Blog #8

--Originally published at TC2027 – Security – That Class Blog

As the 8th blog regarding security, I will talk about the computer security layers. There are some people who state that there are 5, there are some people who say there are 8. What I mostly found during the investigation is that there are security layers as layers in the cake (Including the top frosting), 7.

What you, dear reader, need to remember during the reading of this entry, is that this set of rules can be implemented either by a network system administration or a regular single computer user.

The logic behind the security layers is the following: A single defense will be ineffective or flawed if the defense mechanism leaves unprotected areas, with its protective layer (umbrella), empty. That it’s why the layer’s purpose is to cover those empty spots. Theoretically, the empty areas on each layer would be so different, that an attack can’t penetrate through all the holes, and the service would remain available.

8234883949_e9e1be1f17_k — “20121201-_IGP1571” by Tim Ebbs (CC https://creativecommons.org/licenses/by-nc-nd/2.0/). Taken from https://www.flickr.com/photos/ebbsphotography/8234883949/

Application Whitelisting: The objective is to install just a set of limited programs and applications in the administered computers. The fewer applications, the fewer possibility there is of a breach.
System Restore Solution: This is one of the most talked security solutions in the classroom. Basically, it consists of creating a plan of action when the hack peril arouses. This would let the user gain access to their files, even if the system is hacked and damaged files remain.
Network authentication: A system of usernames and passwords must be taken into place. This would give access only to authorized users. This means no login without a password prompt.
Encryption: All of your files, disks and the rest of removable devices should be encrypted. This will provide a Continue reading "Cake layers rule – Security Blog #8" →

Secure Network, How? – Security Blog #7

--Originally published at TC2027 – Security – That Class Blog

This entry is not addressed to regular computer users, but more specifically to engineering students or people interested in network’s security, as the concepts are not that regular. This entry’s topic is the security of the network’s enterprise.

Virtual Private Network

This first category isn’t that much complex, as Virtual Private Networks (VPNs), are more and more widely used by the general users. So I won’t be talking a lot about this. VPNs are a method used by enterprises to connect and access an internal network from the outside, using a more secure network and an encrypted one.

15252943257_12957cec4a_k — “network” by Rosmarie Voegtli (CC https://creativecommons.org/licenses/by/2.0/). Taken from https://www.flickr.com/photos/rvoegtli/15252943257

Intrusion Detection Systems

Intrusion Detection Systems (IDS) main function is to aid the administrator in the detection of the type of attack that is being carried to the system. Usually, the IDS also help the administrator find and execute a solution to the problem as well as a plan of action on future detections. These systems trace and record logs, signature and triggered events. Usually, the IDS is attached to the firewall (Which I’m speaking down below) and the network router.

The most popular IDS tools I found are Snort and Cisco Network-Based IDS. Both successfully notify the user real-time, the signatures of attacks made to the network. The main advantage of Cisco IDS is the results obtained in the aftermath of the events (Reassembly of IPs and TCP sessions) and Cisco continuous support to the client. Meanwhile, Snort is open-source, cheaper to implement (Hardware wise), and flexible (Only requires Linux) and has multiple modalities where it can be implemented.

Firewalls

Firewalls, also called Intrusion Detection Devices, are software or applications that work directly in the network layer. As most of us already know, the firewalls protect the Continue reading "Secure Network, How? – Security Blog #7" →

Ataque man-in-the-middle

--Originally published at Toledo

Un ataque man-in-the-middle, “hombre en el medio” en español, es un tipo de ataque en el mundo de seguridad informatica, en el que el atacante, con intenciones maliciosas, se interpone en la comunicación entre su victima y el servidor al que quiere acceder.

En término cotidianos, un ataque man-in-the-middle es como el juego popular del telefono descompuesto. Las personas en los extremos estan intentando comunicarse, quizá para decir la primera frase o chiste que se les ocurrió, al fin es un juego. La persona en medio, es parte del medio de comunicación, es decir, tiene que escuchar y repetir lo que oye para que el mensaje llegue al otro extremo. Para que ésto funcione, ambas personas en los extremos tienen que confiar que la persona en medio va a jugar su papel de manera correcta, no va a divulgar chismes que probablemente escuche, ni va a modificar lo que alguien dijo para armar un alboroto.

La situación cambia ligera cuando se trata de un ataque man-in-the-middle. Las personas en los extremos ahora son: algún usuario despistado navegando en internet, y el servidor de alguna de sus páginas favoritas. El atacante toma el lugar de la persona de en medio, sin que los otros se enteren. Y lo que intentan comunicar, ya no son cosas sin sentido, los mensajes podrían contener datos sensibles (tarjetas de crédito, contraseñas, domicilios, etc.). Es aquí la principal razón por la que se invierte tanto tiempo y esfuerzo en llevar a cabo éste tipo de ataques, en el valor de la información que se puede conseguir.

Un atacante puede utilizar su computadora, celular o dispositivo especializado para planear e configurar el ataque. Dependiendo del caso en específico, y de las precauciones que la víctima tome en cuenta, un atacante podría explotar a Continue reading "Ataque man-in-the-middle" →

Cryptography is fun, TC2027

--Originally published at Sebastian Luna

Let's wikipedia:

Cryptography is the practice and study of techniques for secure communication from third parties.
It is about constructing and analyzing protocols that prevent unauthorized access to the message.

Modern cryptography is based on mathematics and computer science, thanks to computers, we have the power to encrypt data and make it 'impossible' for a human to decrypt it.

Getting started
The way I got into cryptography, was with the series "Gravity Falls", they put some hidden messages all over the place, on the intro, at the end of the episode, and they used different encryption methods. It was really fun to try to decypher a code that you found on an episode.
If you know nothing about cryptography, I would recommend to enter the link provided at the end of this document, and to watch the animated series.

Encryption methods
Some encryption methods that were used on Gravity Falls are:

Caesar cipher: substitute the original letter for the nth letter before it. In the case for letters X, Y, and Z, (if n = 3) one would have to cycle through to the beginning of the alphabet.

Atbash cipher: decoded by reversing the letters. (A turns into a Z)
EXAMPLE: World -> D

A1Z26: simple substitution cipher decoded by substituting the nth letter of the alphabet for given number n.

Vigenère cipher: it's a series of Caesar ciphers where each letter shift depends on a key word. Vigenère ciphers use a Vigenère square to encrpyt the message.

These are relatively simple Encryption methods, computers use other methods but I will write about it on another blog, I want this one to be for "begginers".

http://gravityfalls.wikia.com/wiki/List_of_cryptograms