tc2027 – TC2027 Winter 2018
A virtual private cloud (VPC) is a cloud service offering an infrastructure in which the various tenants of the platform (the VPC users) share the resources available in the cloud while remaining isolated from each other. This isolation is usually achieved by building a private local network and subnetting it (for example with VLANs), assigning a subnet to each user, or to each group of users that need to be directly connected; for other connections, a local DNS server can be used.
VPC services usually also encrypt and mask the communication between their users and the shared resources through a VPN, which adds a layer of authentication as well. A VPC implements layered security and provides it as a service, at the cost of being highly complicated to set up; used correctly, it can yield a system with a powerful defense.
This is a technology that I’ve yet to learn, but will do so, hopefully, this summer. If there are some project ideas that you, the reader, have that may help in my learning of this technology, I’d appreciate it if you shared them in the comments.
In this post I’ll talk about containers, how they are used, and a little about their implications for security.
First, what is a container? A container is a lightweight packaging of a piece of software, including everything needed to execute it: code, runtime, system tools, system libraries, settings, etc. A container is isolated: it runs the same way every time, anywhere it’s executed. When several containers run on a single machine, they share its operating system kernel, start instantly, and use less computing power and RAM.
Isn’t that a virtual machine?
A virtual machine consists of the following:
Abstraction of physical hardware.
Each VM consists of a full copy of the Guest OS, some apps and necessary binaries and libraries.
The hypervisor allows several VMs to run on a single machine, turning one computer into many.
Usually in the GBs.
While a container is:
Abstraction of the application layer.
Contains code and its dependencies.
Multiple containers run on the same machine sharing the Host OS kernel with other containers.
Usually in the MBs.
So yeah, it’s virtual-machine-esque, but not quite. By using a container, things like environment variables, which may contain sensitive data, are not exposed on the main machine; instead they are cozily packaged along with the software and live inside the running container. Couple this with a reverse proxy like NGINX, set up SSL, and you’re all set for a slightly more secure application.
A technology that’s currently leading the market is Docker, which provides a hub on which to upload your own images for the world to see, and from which to download common images to extend into your own.
This post deals with the security practice of security by layers, and offers a small suggestion of a technology that may serve this purpose without requiring deep configuration.
In information security, security by layers refers to the practice of combining various security control points across the pipeline of an application; that is, multiple mitigating security controls protecting the application’s resources and data. There are various ways of going about these layers. There is no silver bullet in security by layers, as every system is different, but some examples are:
Consumer Layered Security Strategy
Extended validation (EV) SSL certificates.
Single sign-on (SSO).
Fraud detection and risk-based authentication.
Transaction signing and encryption.
Secure Web and e-mail.
Open fraud intelligence network.
Enterprise Layered Security Strategy
Workstation application whitelisting.
Workstation system restore solution.
Workstation and network authentication.
File, disk and removable media encryption.
Remote access authentication.
Network folder encryption.
Secure boundary and end-to-end messaging.
Content control and policy-based encryption.
These are the common can-be-found-in-any-page-you-check strategies. In the next post I’ll cover another topic related, in some way, to security by layers: using containers to deploy code.
The brief description provided by Coursera’s Cryptography I course by Stanford University paints cryptography as a tool for protecting information in computer systems. What I’ll attempt to cover in this post is cryptography’s real-world application: why it is needed.
First let’s deal with some basic stuff regarding cryptography, starting with the classic Alice, Bob and that bastard Eve who’s always meddling; she’s more of a Lilith if you ask me. Let’s say Alice has the sudden urge to communicate some secret message to Bob, perhaps she’s going to confess her love, but Eve also likes Bob, and Alice knows this. She can’t meet Bob in person: Eve would find out, she lives close by and would get in the way. THANK GOD for the cryptography course Bob and Alice took years ago, where they learned about symmetric and asymmetric cryptography . . .
Sidenote to Explain Asymmetric and Symmetric Cryptography
Based on this post on Synopsys. Encryption uses an algorithm and a key to turn plaintext, the message, into ciphertext, the encrypted message that you can then send. Symmetric encryption uses the same key for both encryption and decryption of a message; it’s fast and can be used for large amounts of data, like encrypting a hard drive, but the hard part is keeping that key secured. Asymmetric encryption keeps a pair of keys, a private one and a public one, the latter of which can be distributed anywhere so others can interact with your messages. Plaintext encrypted with a private key can only be decrypted by its corresponding public counterpart, and vice versa. A message can also be signed using your private key, so that others may decrypt the signature with your public key and verify it.
In this post I’ll be dealing with the topic of Authentication and Authorization, and at the end of this post I’ll provide some examples and summarize some of the currently used solutions.
First, let’s deal with what both of these concepts refer to and what the difference between them is.
Authentication means verifying who someone is. This is what sign-up and log-in are for: the first defines who you are, while the latter is where the authentication lies, in checking your user id and password to match you with someone in the system. Authentication answers the claim “this is who I am” with “yep, that’s who you are”.
Authorization means verifying that someone has permission to perform an action. This refers to a certain user having or gaining access to a resource, and is usually done through the use of different types of user, e.g., Administrator, Anonymous User, etc. Authorization answers “hey, can I do this?” with “yep, you can” or, if it were an English teacher, “can you?”, to which you would simply groan in disgust at this attempt at comedy.
One common way to handle both these processes is through the use of tokens. A token is a series of characters, usually encoded, that represent both to whom the token belongs—to which account it is linked—and what type of access this token has.
An implementation of tokens that I’ve used is JWT (JSON Web Token). A JWT consists of three parts: header, payload, and signature. The first two are base64 encoded and separated by a dot (.); the signature is a bit different, it consists of the following:
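As an added example (mine, not the post’s code), here is a minimal HS256 JWT issuer and verifier in standard-library Python, followed by the authorization check the post describes: the token proves who the bearer is (authentication), and the verified “role” claim decides what they may do (authorization). The secret, the user names and the role-to-action table are constructed for the demo; the base64url encoding without padding and the HMAC-SHA256 over header.payload follow the JWT/JWS specifications (RFC 7519 and RFC 7515).

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    # JWT uses base64url without the '=' padding characters.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(payload: dict, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def jwt_decode(token: str, secret: bytes, now: float = None) -> dict:
    """Return the verified claims, or raise ValueError if the token is not trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        # The verifier decides the algorithm; never let the token pick it.
        raise ValueError("unexpected alg in header")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature does not match")
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

def issue_token(user: str, role: str, secret: bytes, now: float, ttl: int = 3600) -> str:
    """Authentication step: after checking credentials, hand the user a signed token."""
    return jwt_encode({"sub": user, "role": role, "iat": int(now), "exp": int(now) + ttl}, secret)

def is_valid(token: str, secret: bytes, now: float) -> bool:
    try:
        jwt_decode(token, secret, now)
        return True
    except ValueError:
        return False

# Constructed role-to-action policy for the authorization step.
ROLE_ACTIONS = {"admin": {"read", "write", "delete"}, "user": {"read"}, "anonymous": set()}

def is_authorized(payload: dict, action: str) -> bool:
    """Authorization step: only the verified role claim decides what the bearer may do."""
    return action in ROLE_ACTIONS.get(payload.get("role", "anonymous"), set())

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-do-not-reuse"
    now = 1_500_000_000
    token = issue_token("alice", "user", SECRET, now)
    claims = jwt_decode(token, SECRET, now + 60)
    print(token)
    print("alice may read:  ", is_authorized(claims, "read"))
    print("alice may delete:", is_authorized(claims, "delete"))
    # Eve rewrites the payload to claim the admin role; the signature no longer matches.
    h, _, s = token.split(".")
    forged = ".".join([h, b64url(b'{"sub":"alice","role":"admin"}'), s])
    print("forged accepted: ", is_valid(forged, SECRET, now + 60))
```

The two checks a verifier must never skip are visible in jwt_decode: the algorithm is fixed by the server rather than read from the token, and the signature is compared with hmac.compare_digest so the comparison time does not leak how many bytes matched. Only after both pass do the claims become input to the authorization decision.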
Do I really have to take an exam? But I already know this, can’t you just ask me some questions to test me? These are some of the questions one may be thinking when the topic of IT Certifications comes up. In this post I’ll try to put forth both sides of the argument regarding this topic, I’ll link some resources at the end so you can read more about the topic.
We don’t need certifications
Certifications have been shown to work well in industries like engineering, where one can specialize and get certified for various aspects of civil engineering, while another might go the electrical engineering route. Both can go their merry way getting certified in bridge-building or electrical systems—I think at this point, it’s evident that my sources of information about these careers are limited to college brochures—because no one would expect an electrical engineer to build a bridge, and he might not be that excited about it, either. But in the software industry, areas do get intertwined, so perhaps certifications aren’t meant for us.
Experience in multiple areas is a plus, it’s an asset that can come in handy in attacking a problem from several angles. For industries like engineering, most things are set in stone, but software is in constant evolution, a certification you might get today may be obsolete come next year; at that rate, is it really worth the time and money required? Some may argue that a certification just means you’re good at passing tests—sidenote: that’s an issue I personally have with the way some companies handle job interviews.
Lately I have heard the word malware more frequently, but the question is: what is malware? I didn’t even know what that word meant until I did some research. By definition, malware is the abbreviation of “malicious software”, and it is considered a malicious program that harms the functionality of a computer. Malware also covers many other tools that harm the computer, such as viruses, Trojan horses, and worms. People often create malware to steal information from the user, to modify it, or even to delete important data from the computer. The malicious programs carry out these activities without any permission.
It is possible to divide the kinds of malware according to their characteristics and the way each one acts.
Virus: this is the most common one. It is called a virus because it behaves like a biological one: it spreads through the computer, and very quickly, carrying malicious software. A virus infects other programs.
Worms: a type of malware that multiplies without any command or specific action. Worms can be activated without any human interaction, and they affect the performance of the computer.
Trojan horses: the name comes from history. It appears to be a legitimate program until it is executed; once executed, malware is installed on the computer and its functions can be used.
Spyware: this last one steals information from the user without his or her knowledge. It also watches the user’s activity to learn from him or her.
The following video explains the types of malware. I recommend you watch it.
In the last few years, wireless networks have become very important in the market. We see wireless networks everywhere: in coffee shops, malls, on the streets, in airports, hotels, homes, schools, etc. The problem is that they come with a lot of security problems. It is important to take into consideration that nowadays wireless networks carry important information, and it is crucial to have a secured wireless network.
Although it is easier to connect to a wireless network than to a wired one, that very ease of connection has also made wireless networks more vulnerable. Each day more people connect to the internet, and it is easier to be at risk because of that. But leaving those risks aside, wireless networks have a lot of advantages. Before explaining them, I recommend you watch the next video regarding wireless security:
Wireless Security protocols
In order to protect wireless networks, WSPs (wireless security protocols) were invented. These WSPs are mainly aimed at protecting local networks, such as those in homes or offices. Each WSP has its own strengths and weaknesses, but in most cases they offer wireless security by sending encrypted data through the airwaves.
The problem with wireless networks is that the information is sent to every device listening to the signal (within a limited range, obviously). One of the benefits of wired networks is that there is only one connection, between device A and device B. Protocols were created to protect these airwave signals. We have three protocols: WEP, WPA, and WPA2.
Everyone’s on the payroll nowadays, even hackers. Like legit payroll, no more 1337 money for hackers. Ethical hacking consists of exploiting any existing vulnerability in a system—usually one that in some way accesses the network—through intrusion, in order to verify and evaluate its physical and logical security. The idea is to prove that a system is vulnerable and where the vulnerabilities are, so the organization that owns the system can take the appropriate preventive measures against attacks exploiting them.
Now don’t panic: ethical hackers, or white hat hackers, perform these penetration or intrusion tests in a controlled environment, trying to think as the attackers do in order to find security exploits, kind of undercover geeks . . . please don’t hack me.
How Can I Become One of These White Knights?!
Since, as an official ethical hacker, you’d be finding confidential information hanging around the exploits, your employers will ask to see some kind of credentials before allowing you to poke around their systems without restriction. The response to “who do you think you are?” when making this type of proposition is to flaunt some information security certifications.
To officially get the Ethical Hacker title, I suggest the Certified Ethical Hacker certification from the EC-Council (International Council of Electronic Commerce Consultants)—primarily a professional certification body, and also the orchestrator of a series of information security conferences and of EC-University.
The purpose of this certification is detailed in their page:
Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
Inform the public that credentialed individuals meet or exceed the minimum standards.
Reinforce ethical hacking as a unique and self-regulating profession.
Before we start, I recommend you watch the following video regarding Virtual Private Networks:
So what is a VPN?
A VPN is a connection between a computer and a server. The server is operated by the VPN service, and a secure connection is created between the two through a tunnel. This connection makes the user part of the company’s network, as if the computer were on it. The tunnel hides the traffic until it leaves the tunnel. One of the main goals is to hide the computer’s IP address.
There are a lot of advantages to using a VPN; it’s worth noting that the number of functions a VPN has is interesting. I’ll mention three of them.
It prevents anyone that is on the same network access point from intercepting your web traffic in a man-in-the-middle attack.
It makes it harder for advertisers, spies, or hackers to track you online.
It avoids censorship, although doing so could be against the law.
I think the most remarkable one is the first. Using a VPN to prevent interception by another person is a very useful tool. It is important to mention that a VPN doesn’t protect your information entirely, but it can make it harder for people to track your online activity. We can see this useful feature as a shield that protects your information from a man-in-the-middle attack.
Avoiding censorship might be illegal in some countries, maybe in most of them, but it can be very practical. We can see this as a tool for a journalist. A journalist needs to find information for his or her research, but maybe the country blocks this information for many reasons. In this case, a journalist