I2C

--Originally published at Information Security A01229898

Hi everyone, on the other post I talk a little about some protocols, but I want to talk more about I2C, so let’s start.

As I explained in the other post, I2C means Inter-Integrated Circuit, and it is a synchronous, multi-master, multi-slave, packet switched, single-ended, serial computer bus invented in 1982 by Philips Semiconductor (now NXP Semiconductors). It is widely used for attaching lower-speed peripheral Integrated Circuits to processors and microcontrollers in short-distance, intra-board communication.

 

I2C uses only two bidirectional open-drain lines, Serial Data Line (SDA) and Serial Clock Line (SCL). On the SDA the master and the slave send and receive information, and the SCL is the clock that the master provides; that clock determines the speed of the transmission.

The bus has two roles for nodes: master and slave:

  • Master node – node that generates the clock and initiates communication with slaves.
  • Slave node – node that receives the clock and responds when addressed by the master.

The bus is a multi-master bus, which means that any number of master nodes can be present. Additionally, master and slave roles may be changed between messages (after a STOP is sent).

There may be four potential modes of operation for a given bus device, although most devices only use a single role and its two modes:

  • master transmit – master node is sending data to a slave,
  • master receive – master node is receiving data from a slave,
  • slave transmit – slave node is sending data to the master,
  • slave receive – slave node is receiving data from the master.

 

So this is a little of I2C, but the real question on this post is, WHY ARE YOU TALKING ABOUT COMMUNICATION PROTOCOLS ON MICROCONTROLLERS IF THIS IS AN INFORMATION SECURITY POST?

The answer is easy, I’m an electronic engineer and I have more knowledge of microcontrollers, I don’t work too much with software and don’t Continue reading "I2C"

Communication protocols

--Originally published at Information Security A01229898

Hi everyone, on this topic I will talk a little about Communication protocols, this topic is related with microcontrollers, because I’m talking about the communications protocols that microcontrollers use, I’m not going to talk about all the communications protocols, so let’s start.

-CAN: I know that I talk about CAN in another post, in fact, I have a post that only talks about CAN, but it is an important protocol and I think that I should mention it.

CAN is a protocol that, in short words, is a bus, it has two cables and that’s it, it doesn’t have any security, so once you are in, you can know everything and technically you can interfere with the system, if you want to know more about the CAN protocol you can check my post on CAN and there I explain more and there’s a video that explains more.

-UART: Universal Asynchronous Receiver Transmitter (UART) is a computer hardware device for asynchronous serial communication in which the data format and transmission speeds are configurable. The electric signaling levels and methods are handled by a driver circuit external to the UART. A UART is usually an individual integrated circuit used for serial communications over a computer or peripheral device serial port. One or more UART peripherals are commonly integrated in microcontroller chips.

-I2C: Inter-Integrated Circuit (I2C) is a synchronous, multi-master, multi-slave, packet switched, single-ended, serial computer bus invented in 1982 by Philips Semiconductor (now NXP Semiconductors). It is widely used for attaching lower-speed peripheral Integrated Circuits to processors and microcontrollers in short-distance, intra-board communication.

-LIN: Local Interconnect Network (LIN) is a serial network protocol used for communication between components in vehicles. The need for a cheap serial network arose as the technologies and the facilities implemented in the car grew, while the CAN bus was too expensive to implement for every component in the car. European car manufacturers started using different serial communication topologies, which led to compatibility problems.

 

There are other protocols that I could Continue reading "Communication protocols"

Microcontrollers and security

--Originally published at Information Security A01229898

Hi everyone, this time I will talk a little about microcontrollers and security, I talked about that topic in class a few classes ago and I realized it could be a good topic for my blog, I think that microcontrollers will need to get upgrades on security, since all this thing of IoT started the quantity of microcontrollers connected to the world has increased and will increase more, a lot of products and projects related with IoT are using microcontrollers and with that we have the problem that they are not secure and maybe they aren’t secure because normally a microcontroller won’t need that security, because no one cared about getting information from a microcontroller, but now, I think that security is becoming a must have, because maybe it will be easier to try to get information from the microcontroller than trying to hack something else.

 

This post is related with the other posts because most of the security problems that we have and we will have are going to be related with IoT, having everything connected to the net is really useful for the users, but is a two-edged knife, having everything connected means that people could access your personal information and that could be problematic, now with the microcontrollers getting directly connected for the Internet of Things it could be really dangerous, microcontrollers don’t have that security with the data they transfer, it’s relatively easy to get the data of a microcontroller, for example, in some classes, to know that what we are sending is ok, we check with an oscilloscope what we are sending, and that is just connecting the oscilloscope to the transmit of the microcontroller, so, if we can get that information that easily, imagine if that kind of security could be Continue reading "Microcontrollers and security"

Man-in-the-middle attack

--Originally published at Toledo

A man-in-the-middle attack is a type of attack in the world of computer security in which the attacker, with malicious intent, places themselves in the communication between the victim and the server the victim wants to access.

In everyday terms, a man-in-the-middle attack is like the popular game of broken telephone. The people at the ends are trying to communicate, perhaps to pass along the first phrase or joke that occurred to them; after all, it is a game. The person in the middle is part of the communication channel, that is, they have to listen and repeat what they hear so that the message reaches the other end. For this to work, both people at the ends have to trust that the person in the middle will play their role correctly, will not spread gossip they may overhear, and will not alter what someone said to stir up trouble.


The situation changes slightly when it comes to a man-in-the-middle attack. The people at the ends are now some unsuspecting user browsing the internet and the server of one of their favorite sites. The attacker takes the place of the person in the middle without the others finding out. And what they are trying to communicate is no longer nonsense; the messages could contain sensitive data (credit cards, passwords, home addresses, etc.). This is the main reason so much time and effort is invested in carrying out this kind of attack: the value of the information that can be obtained.


An attacker can use their computer, cell phone or a specialized device to plan and configure the attack. Depending on the specific case, and on the precautions the victim takes, an attacker could exploit Continue reading "Man-in-the-middle attack"

5 Rules For Designing With Security In Mind

--Originally published at Information Security Class

Whenever we buy something on Amazon, change the settings of our social media accounts or download a new application, we risk our digital identity. That’s why developers invest lots of hours into refining these actions and making them secure.

Besides hacker attacks, there is also another risk that can’t be handled by developers, but only by designers: the users. To help them we should obey some rules which are especially relevant when the actions can have drastic impact on the user in a financial or social way.

1. Different actions look different

Whenever a user is doing tasks that could have dramatic impact, e.g. changing account settings or a password, that’s stressful for the user and makes him nervous. Therefore, the UI should make clear what the user has to do right now.

If a user has to enter his mail on one screen and his password on another, like Yahoo and Gmail demand it, the two screens have to look different from each other. Just replacing the word “Email” with “Password” is usually not enough, when the whole structure of the two screens looks the same.

At least the standard text within the text fields should be used to show what’s to enter, as that’s the part of the screen which will attract the user’s attention. Furthermore, it’d be helpful to use different colors for username input and password input, if this doesn’t conflict with the brand. To improve it even further, you could use big icons that show what to enter.

That’s a pretty good option for a two-screen login process. The changed icons, changed options and username on top show that there’s something different to do on the second screen.

2. Show the user what’ll happen next

Predictability is, in my opinion, the aspect of a UI that makes it usable.

Continue reading "5 Rules For Designing With Security In Mind"

Cross site scripting

--Originally published at Information Security Class

Cross-site Scripting (XSS) Attack

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS is amongst the most common of web application vulnerabilities and occurs when a web application makes use of unvalidated user input within the output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

While XSS can be taken advantage of within VBScript, ActiveX and Flash, unquestionably, the most widely abused is JavaScript – primarily because JavaScript is fundamental to most browsing experiences.

How Cross-site Scripting works

In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.

The following server-side pseudo-code is used to display the most recent comment on a web page.

print "<html>"
print "<h1>Most recent comment</h1>"
print database.latestComment
print "</html>"

The above script is simply printing out the latest comment from a comments database and printing the contents out to an HTML page, assuming that the comment printed out only consists of text.

The above page is vulnerable to XSS because an attacker could submit a

Continue reading "Cross site scripting"
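
The comment page from the pseudo-code in this post, written as runnable JavaScript next to an output-escaped version. This is an added example, not code from the original post; the function names, the constructed sample comment and the tag check are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample input: a stored "comment" that contains HTML markup.
const SAMPLE_COMMENT = 'Nice post <i>really</i> & "thanks"';

// Mirrors the post's pseudo-code: the stored comment is concatenated into
// the page unchanged, so the browser parses it as HTML instead of as text.
function renderUnsafe(latestComment) {
  return '<html>' +
         '<h1>Most recent comment</h1>' +
         latestComment +
         '</html>';
}

// Characters that let text break out of an HTML text or quoted-attribute
// context. A single replace pass means '&' is never escaped twice.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened form: the comment is encoded at output time, so it is displayed
// as literal text whatever it contains.
function renderEscaped(latestComment) {
  return '<html>' +
         '<h1>Most recent comment</h1>' +
         escapeHtml(latestComment) +
         '</html>';
}

// Regression check for a test suite: list element names found in the
// rendered page that the template itself does not produce.
const TEMPLATE_TAGS = new Set(['html', 'h1']);

function unexpectedTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.add(name);
  }
  return [...found];
}

console.log('unsafe :', unexpectedTags(renderUnsafe(SAMPLE_COMMENT)));
console.log('escaped:', unexpectedTags(renderEscaped(SAMPLE_COMMENT)));
console.log(renderEscaped(SAMPLE_COMMENT));
```

The escaping here covers HTML text and quoted attribute values only; a comment placed inside a script block, a URL or a style attribute needs the encoding for that context.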

Cryptography

--Originally published at Information Security Class

Cryptography involves creating written or generated codes that allow information to be kept secret. Cryptography converts data into a format that is unreadable for an unauthorized user, allowing it to be transmitted without unauthorized entities decoding it back into a readable format, thus compromising the data.

Information security uses cryptography on several levels. The information cannot be read without a key to decrypt it. The information maintains its integrity during transit and while being stored. Cryptography also aids in nonrepudiation. This means that the sender and the delivery of a message can be verified.

Operating System Security

--Originally published at Information Security Class

Many attacks are silent and invisible. What good is an attack if the victim can see and perhaps counter it? As I described in my last post, viruses, Trojan horses, and similar forms of malicious code may masquerade as harmless programs or attach themselves to other legitimate programs. Nevertheless, the malicious code files are stored somewhere, usually on disk or in memory, and their structure can be detected with programs that recognize patterns or behavior. A powerful defense against such malicious code is prevention to block the malware before it can be stored in memory or on disk.

The operating system is the first line of defense against all sorts of unwanted behavior. It protects one user from another, ensures that critical areas of memory or storage are not overwritten by unauthorized processes, performs identification and authentication of people and remote operations, and ensures fair sharing of critical hardware resources. As the powerful traffic cop of a computing system it is also a tempting target for attack because the prize for successfully compromising the operating system is complete control over the machine and all its components.

Because of its fundamental position in a computing system, an operating system cannot be weak. The strength of an operating system comes from its tight integration with hardware, its simple design, and its focus intentionally or not on security. Of course, an operating system has the advantage of being self-contained on a distinct platform.

Malware

--Originally published at Information Security Class

Malware, a shortened combination of the words malicious and software, is a term for any sort of software designed with malicious intent. That malicious intent is often theft of your information or the creation of a backdoor to your computer so someone can gain access to it without your permission. However, software that does anything that it didn’t tell you it was going to do could be considered malware.

What are Common Types of Malware?

  • Virus: Infects program files and/or personal files
  • Spyware: Software that collects personal information
  • Worm: Malware that can replicate itself across a network
  • Trojan horse: Malware that looks, and may even operate, as a legitimate program
  • Browser hijacker: Software that modifies your web browser
  • Rootkit: Software that gains administrative rights for malicious intent
  • Malvertising: The use of legitimate online advertising to spread malicious software.

There are other types of programs, or parts of programs, that could be considered malicious due to the simple fact that they carry a malicious agenda, but the ones listed above are so common that they get their own categories.

How Does a Malware Infection Happen?

Malware can infect a computer or other device in a number of ways. It usually happens completely by accident; the most common way is by downloading software that is bundled with a malicious application. Some malware can get on your computer by taking advantage of security vulnerabilities in your operating system and software programs. Outdated versions of browsers, and often their add-ons or plug-ins as well, are easy targets.

Another common source of malware is via software downloads that at first seem to be something safe like a simple image, video, or audio file, but in reality is a harmful executable file that installs the malicious program.

How Do You Remove Malware?

The most common types of malware are actual programs like Continue reading "Malware"

Self-driving car accident

--Originally published at Information Security A01229898

On my last post I talked about the dangers of IoT and cars and a few weeks ago an accident occurred involving a self-driving car, yes, I’m talking about the self-driving car of Uber that killed a person, even though it isn’t a problem of the car being hacked, it is a problem with security.

 

The first question that we should ask is, who will be blamed, Uber? The woman inside the car? The person that was killed? Or who? I discussed that in one of my classes and I heard a lot of comments from my friends, there was a comment that caught my attention, one of my classmates said that there have to be sacrifices, that is true, some people would think that’s cruel, but it’s true, when the moon race occurred, a lot of people died and those deaths didn’t stop the moon race and let me be honest, the moon race was something that didn’t make sense, they wanted to put a person on the moon, so what did we get from that, all those deaths were for something?

I think that the race for the self-driving car makes more sense than the moon race did at that moment, but maybe they aren’t doing it in a good way, maybe they should start little by little, instead of creating a full self-driving car, they should install little by little the things that will create the self-driving car and when they have tested everything very well then you start to test all those parts together.

 

However, those are my thoughts, you don’t need to think the same as me, I would love to see what others think, I would love it if we discussed the topic, I will give you a link of the video Continue reading "Self-driving car accident"