It’s me, open up!

Sooooo, before my coffee power runs out, I’ve got to finish this post, so buckle up and prepare for a not-so-wild, not-so-boring and very instructional read. Don’t worry, I’m not that great a writer, so it won’t be long, just long enough to prove I know what I’m typing 😀

Kids, this is the story of “how I met your mother”… no, actually it’s not about how I met her, but that sounds like an interesting post, or TV show to make, oh wait…

Since “how I met your mother” has already been taken, let’s see what we can say about authentication. Why, you ask, why go from super cool to super boring? Well kids, it’s because this is our security blog; eventually I’ll write about more interesting things, but for now let’s stick with authentication and security, shall we?

So, the basic goals of authentication and security (the 101 of security):

  1. Keep unauthorized persons from gaining access to resources
  2. Ensure that authorized persons can access the resources they need

Therefore, you can imagine it is important to know who is knocking at our door before we open it (only in Mexico do we open the door when someone just says “It’s me, open up!”).


So, we know how insecure Mexico is (and yes, I can say that because I’m Mexican, I live in Mexico and I care about it; any complaints, please refer them to your hand and the Mexican government, thank you); even though that is not because we open the door without proper authentication, the computer and network world can’t work like that.

How can we protect data from people who are not authorized to see or have it, while still making it available to those who should and who depend on it? Keeping it under the mattress is not an option anymore (might be good for money, but not so much for Pinky and the Brain’s plan to take over the world).


A lot of data needs to be accessed from different parts of the world at the same time by many people. So, the trick is to let those people see it while keeping everyone else out. One way to do that is setting access permissions, but, as our friends from TechRepublic say: “Access permissions work only if you are able to verify the identity of the user who is attempting to access the resources. That’s where authentication comes in.”

Back to the basics, let’s define authentication: “the process of confirming the identification of a user (or in some cases, a machine) that is trying to log on or access resources”. It is important not to confuse authentication with authorization: “authentication verifies the user’s identity, authorization verifies that the user in question has the correct permissions and rights to access the requested resource. The two work together. Authentication occurs first, then authorization”.

There are many, many ways to accomplish our task. I could go through all of them, but you would get bored and stop reading halfway if I just copy-pasted what the TechRepublic article says. They cover many of the authentication methods there.

Let me mention and explain a little about the most common ones:

  • SSL: First of all, SSL stands for “Secure Sockets Layer”. It uses a combination of secret keys and public keys to make sure each side is talking to the right guy. It is supported by many browsers and most web servers (the important ones, at least). The basics you need to know about how SSL works are these: “SSL authentication is based on digital certificates that allow Web servers and clients to verify each other’s identities before they establish a connection. (This is called mutual authentication.) Thus, two types of certificates are used: client certificates and server certificates”.
  • Password authentication: The most basic one, the equivalent of arriving somewhere and being asked for a magic word to open the door. In theory the magic word was set by you previously, so when you come to that place you remember the word and you can enter, right? Well, in theory it works and is beautiful, but (like the Mexican law that works in theory but not in reality… Oops, I’m not supposed to talk about Mexican law here, right? Well, who cares…) it is not fail-proof, for many reasons: forgetting the password, or making it too simple to figure out. By the way, never ever use “password” as your password, please; it’s just… just… just DON’T, ok? Deal! Another issue is that it is vulnerable to “cracking”, meaning that, using brute force, someone might figure it out and then use it. There are methods to prevent that, like locking the account after X failed attempts (which might not be the greatest idea if your kid uses your phone a lot; you might end up with a wiped phone every other week).
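As an added example (not from the original post or the TechRepublic article), here is a small Go program that puts the two ideas together: it authenticates a user by checking a salted, stretched password hash in constant time, locks the account after a fixed number of failed attempts, and only then checks authorization. The user records, the permission names and the lockout threshold are made up for the example; the PBKDF2 routine is written out so the program needs nothing outside the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256, spelled out here to avoid
// dependencies; production code should use a maintained implementation.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	for i := 1; i <= blocks; i++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(password, salt || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ...
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_n = PRF(password, U_{n-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const iterations, maxFailures = 100000, 5 // PBKDF2 work factor; lockout threshold (example values)

var (
	ErrLocked      = errors.New("account locked after too many failed attempts")
	ErrBadPassword = errors.New("invalid password")
	ErrForbidden   = errors.New("not authorized for this resource")
)

// User is one record in a made-up credential store: salted hash, granted resources, failure count.
type User struct {
	Salt, Hash  []byte
	Permissions map[string]bool
	Failures    int
}

// NewUser stores the password only as a salted PBKDF2 hash, never in clear.
func NewUser(password string, perms ...string) *User {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	u := &User{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations, 32), Permissions: map[string]bool{}}
	for _, p := range perms {
		u.Permissions[p] = true
	}
	return u
}

// Authenticate answers "who is knocking?": constant-time comparison against the stored
// hash, and a lockout once maxFailures wrong guesses have piled up.
func (u *User) Authenticate(password string) error {
	if u.Failures >= maxFailures {
		return ErrLocked
	}
	candidate := pbkdf2SHA256([]byte(password), u.Salt, iterations, len(u.Hash))
	if subtle.ConstantTimeCompare(candidate, u.Hash) != 1 {
		u.Failures++
		return ErrBadPassword
	}
	u.Failures = 0
	return nil
}

// Access runs the two steps in the order the post describes: authentication first, then authorization.
func (u *User) Access(password, resource string) error {
	if err := u.Authenticate(password); err != nil {
		return err
	}
	if !u.Permissions[resource] {
		return ErrForbidden
	}
	return nil
}

func main() {
	ana := NewUser("correct horse battery staple", "payroll") // constructed user record
	fmt.Println(ana.Access("correct horse battery staple", "payroll")) // <nil>
	fmt.Println(ana.Access("correct horse battery staple", "admin"))   // not authorized
	for i := 0; i < maxFailures; i++ {
		ana.Access("password", "payroll") // the one password you were told not to use
	}
	fmt.Println(ana.Access("correct horse battery staple", "payroll")) // account locked
}
```

Note that a wrong guess with a locked account still returns `ErrLocked` rather than `ErrBadPassword`, so an attacker cannot tell from the response whether the password was right once the threshold is hit; the lockout also applies to the legitimate owner, which is exactly the trade-off the post mentions with the kid and the phone.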

Now, quick break: since by now you are getting tired of reading all these fancy and cool things about your password, let me tell you some nice jokes. They are in Spanish, so if you don’t know Spanish you can learn it and come back, or skip this part (which would be sad, because this is the best part of the post, actually!). There are many more, but this is my top 10 (plus the bonus one, like with tacos)…

By the way, if you don’t speak Spanish, you should really try to; it is a beautiful language, and it’s even better to speak “Mexican”, you’ll have tons of fun with double-meaning phrases.

So, after this nice break, let’s keep going…

Other forms of authentication involve your actual body, like face recognition, retina scan or fingerprint scan. All this 007 stuff that one can see in movies where Dr. Evil keeps his darkest secret and the good guy has to break in with a fake thumb, you know what I’m saying, right? Even these advanced methods can be bypassed using different tricks. Face recognition, for instance, can be rendered useless by drawing some lines on your face, or fooled by holding up a portrait in front of the camera or input device. The fingerprint is a nice one (it has to be if the mighty Apple uses it in their iPhone; after all, they never do anything wrong, right?), but guess what? It has been hacked too! This cool blog post talks about how its author hacked Touch ID on an iPhone (iPhone users, please don’t die of disappointment). The retina scan is pretty fancy stuff, but because of that it is expensive, and in my opinion, if I worked somewhere that required my retinal scan, I’d be very worried about being kidnapped and having my eye popped out (yes, I watch too much TV, I know). By the way, all these methods are called biometric authentication; they have the advantage that you don’t need to carry a card or key, remember a word, or any other rocket-science stuff, just, you know, be there, be yourself (sounds like love advice, like when trying to hit on someone) and that should be enough to open the door or safe or whatever it is you are trying to open (it might be enough to open his/her pants too, by the way, but that’s another topic for the “how I met your mother” story, kids!).

Very well, now you should know the basics of authentication. Remember: don’t use “password” as your password, don’t give out your password, use secure browsers to surf the web and secure networks too (especially when doing important stuff that no one else should see/know/hear about). Always look for the “https” at the beginning of the link of the website you are on (the S means “secure”, not Superman in this context, so it is more important than you might think; Superman can’t help you here). I understand that you might not be like Obama or some super important figure that everyone is trying to hack, but even if you are the average Joe (just like me), you should be careful about these things; it is easier to prevent than to repair.

Coffee power is out, and so am I; good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on to achieving your definition of “success” and drink more coffee!


PS: credits for the pictures go to the awesome internet and the Filosorex; many things were taken from this link, in case you want to read more on a specific topic:

http://www.techrepublic.com/article/understanding-and-selecting-authentication-methods/

Also, thanks to Wikipedia for this whole bunch of articles where you can find more information about authentication methods and definitions:

https://en.wikipedia.org/wiki/Category:Authentication_methods

Cheers!

My powerful cryptosomething

Hardware VS Software

There are several kinds of hardware (HW) encryption…

Whole disk: this refers to the encryption of an entire physical or logical disk. While this is currently done mostly in software, hardware-based disk encryption is a growing technology which is expected to surpass software products for whole-disk encryption over the next few years.

This form of encryption secures the entire content of a disk or volume and encrypts/decrypts it transparently during use once the key has been provided. It would not protect the information if you send it over the network…


but it helps if you lose the disk!

Now let’s get into some heavier technical encryption. Let’s talk about PGP.

PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem.

To encrypt a message, PGP creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient’s public key. This public-key-encrypted session key is transmitted along with the ciphertext to the recipient.

Keys are stored in encrypted form. PGP stores the keys in two files on your hard disk; one for public keys and one for private keys. These files are called keyrings. As you use PGP, you will typically add the public keys of your recipients to your public keyring. Your private keys are stored on your private keyring. If you lose your private keyring, you will be unable to decrypt any information encrypted to keys on that ring.

A digital certificate consists of three things:

  • A public key.
  • Certificate information. (“Identity” information about the user, such as name, user ID, and so on.)
  • One or more digital signatures.

Watch this super cool youtube video on public keys!

The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity.
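To make those three parts concrete, here is an added Go example (not PGP’s own certificate format) of a minimal certificate: a public key, identity information, and a list of signatures. An attester signs the key-plus-identity with Ed25519, and anyone holding the attester’s public key can check that the identity information has not been altered since it was vouched for. The names, key type and JSON layout are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Certificate holds the three parts listed above: a public key, identity
// information, and one or more signatures from whoever vouches for the binding.
type Certificate struct {
	PublicKey  ed25519.PublicKey `json:"public_key"`
	Name       string            `json:"name"`
	UserID     string            `json:"user_id"`
	Signatures []Signature       `json:"signatures,omitempty"`
}

// Signature records which key attested and the signature bytes themselves.
type Signature struct {
	SignerKey ed25519.PublicKey `json:"signer_key"`
	Sig       []byte            `json:"sig"`
}

// signedBytes is the exact byte string every signature covers: the certificate
// with its signature list removed, serialised deterministically as JSON.
func (c Certificate) signedBytes() ([]byte, error) {
	c.Signatures = nil // c is a copy, so the caller's signatures are untouched
	return json.Marshal(c)
}

// Attest appends the signer's statement that this key belongs to this identity.
func (c *Certificate) Attest(signerPriv ed25519.PrivateKey) error {
	msg, err := c.signedBytes()
	if err != nil {
		return err
	}
	c.Signatures = append(c.Signatures, Signature{
		SignerKey: signerPriv.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(signerPriv, msg),
	})
	return nil
}

// VerifiedBy reports whether a signature from the trusted key is present and still
// matches the certificate's current public key and identity fields.
func (c Certificate) VerifiedBy(trusted ed25519.PublicKey) (bool, error) {
	msg, err := c.signedBytes()
	if err != nil {
		return false, err
	}
	for _, s := range c.Signatures {
		if s.SignerKey.Equal(trusted) && ed25519.Verify(s.SignerKey, msg, s.Sig) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ownerPub, _, _ := ed25519.GenerateKey(rand.Reader)               // key named in the certificate
	attesterPub, attesterPriv, _ := ed25519.GenerateKey(rand.Reader) // someone who vouches for Ana
	cert := Certificate{PublicKey: ownerPub, Name: "Ana", UserID: "ana@example.com"} // constructed identity
	if err := cert.Attest(attesterPriv); err != nil {
		panic(err)
	}
	ok, _ := cert.VerifiedBy(attesterPub)
	fmt.Println("attested identity verifies:", ok) // true
	cert.Name = "Mallory" // tamper with the identity after signing
	ok, _ = cert.VerifiedBy(attesterPub)
	fmt.Println("after tampering:", ok) // false
}
```

The check only tells you that a particular attester signed that particular key-and-identity pair; whether you trust that attester is a separate decision, which is why a certificate can carry several signatures from different people.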

Only the certificate’s owner (the holder of its corresponding private key) or someone whom the certificate’s owner has designated as a revoker can revoke a PGP certificate. (Designating a revoker is a useful practice, as it’s often the loss of the passphrase for the certificate’s corresponding private key that leads a PGP user to revoke his or her certificate — a task that is only possible if one has access to the private key.) Only the certificate’s issuer can revoke an X.509 certificate.

A passphrase is a longer version of a password, and in theory, a more secure one. Typically composed of multiple words, a passphrase is more secure against standard dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt to determine your password.

If you forget your passphrase, you are out of luck. Your private key is totally and absolutely useless without your passphrase and nothing can be done about it.


To continue reading on this, you can let your browser decipher the next post here.

So your Uber driver doesn’t become a moto-thief!

Why study computer and information security? There are many reasons, from both sides: as programmers and as users, we should all at least be aware of what the heck can happen to us when we stand up from our chair and don’t lock the computer, or our cellphone, or our hard drive.


Doh!

Many can say, “well, I’m not really anybody important with million-dollar secrets”, and yes, it’s not like we are protecting the formula for Coke; we are protecting something even bigger and more valuable (maybe not according to the insurance companies, but still): OURSELVES!!!!!


So, quick story before you click to go back and stop reading this post. I was on Facebook reading my news feed (nothing fancy there), when I got to an interesting post that you can find here. Basically, what it says is that on August 11, the daughter of Ana Marcela Chavez (the person who made the post) ordered an Uber to get back home. As usual, she got a text saying that her Uber had arrived. When she came out, 2 guys on a motorcycle were waiting for her instead of the Uber. They threatened her with a knife and she got robbed. The Uber never came. Mrs. Chavez tried to get in touch with someone from Uber but she never got a reply from them (but she did get a receipt and a charge for the trip that her daughter never took, by the way). Now, I am not saying this was a digital security breach; maybe the driver was an accomplice of the thieves and he alerted them to the girl’s location so they could assault her. However, let’s believe that the driver was not an accomplice and he just got his Uber phone stolen and the little bastards decided to use the Uber Driver App to get some victims. This is sad, this shouldn’t happen, but unfortunately it does, and it’s our job to prevent it from happening again.

Having security can sometimes be a pain in the butt, but it is important; it’s all about being safe and sound…


So, we need to look for ways to make ourselves more secure and minimize the risk, but at the same time we cannot make our lives so complicated that we just hate it. You can set up 2-step verification; maybe the Uber driver has to enter a password or his fingerprint every time he accepts a trip or does something else, in case his phone gets stolen. But then you face the fact that this might put him in danger, because maybe the thieves are now going to threaten the driver to get the password, or chop off his finger to keep his fingerprint. Still, every layer of security also makes it less likely that a simple bastard will steal something from you, if it’s too much trouble…


There are many security threats out there; they come in many forms and from many places. They say ignorance is bliss, but not when it comes to security and your well-being, because at that point it stops being funny and becomes a nightmare: you don’t even expect it to happen, you didn’t even know it could happen.

So, how do you fix a problem you don’t even know you have yet? By studying information security, so you know the problems, the threats, how to fight them, how to prevent losses or breaches. It might be hard, you might not like it, but then again, it’s just so your Uber driver doesn’t become a moto-thief!