Gracias TOTALES!

This is for you, Ken. I know I’ve said it before, but I’ll never get tired of thanking you: thank you for your thoughts, your teaching, and for being the way you are. Thank you for always inspiring the maximum in us, thank you for pushing us to always learn more and never settle, thank you for not letting us stand still in a moving world.

This is my review of the course, and all I can say is thank you. To be honest, I wasn’t sure what to expect regarding how much I was going to learn from this course. Now I realize that I learned a lot, and not only from the course itself: I have learnings that have made me a better person. Thank you for that.

Maybe I would’ve liked more activities, like hacking into a wireless network, which wasn’t possible with the infrastructure that we have at the Tec. But I also know that if it didn’t happen, it is because I didn’t generate that; I know it is nobody’s fault but mine, if anyone’s. Thank you for making me realize how much impact I can create in my society and in my surroundings.

I was actually telling one of my friends how much I loved this course and how much I enjoyed having you as a teacher, and believe me, this is pretty much what I wrote in the ECOA, because from this course I take things that will help me my entire life, not just in my professional career, but in my life. That is why I think you’ve been one of the best professors (if not the best) I’ve ever had.

“Would I recommend you to my friends?”, asked one of the questions. Well, I think I don’t need to tell you what I said. The why? Because I know that taking a class with you is not just learning about computers and information technologies, but learning about life too. There are things that we will get to live at some point in our lives, and when that point arrives, we will remember you and the lessons you taught us. So, thank you, thank you for everything.


Gracias ¡TOTALES!

Should I click on that?

Noooooo

That’s the simple answer. And when we talk about security, better safe than sorry. As much as possible, do not click on any funny stuff that you find across the internet: if it looks weird, if it tells you that you should scan your computer for viruses, or if it tells you that you just won $500,000 USD since you are the 500,000th visitor. What a coincidence, but it is not; it’s just a few guys trying to make a living out of you, by getting your information and doing something dirty with it.


Clicking on things like this one usually leads to a privacy breach, or to something you really don’t want to have to deal with.

Stay safe and don’t click things that ask for something from you.

As a user of the internet, you are exposed to many threats. It starts with where you are connecting from and it goes all the way to what sites you are visiting.

Alex Carrillo wrote an interesting post about this on his blog; read his Security on the web post and you will get a better picture of some simple threats that you should look out for.

Now, besides passwords, sharing information, clicking on things, using decent browsers and downloading dirty stuff, there are some other threats. These ones are more discreet, like phishing or fake emails trying to get your information.

Phishing is a serious thing, since many times you don’t even notice that you have been giving away information or that you have been the victim of an attack. So, what is phishing exactly? Here is the definition:

“Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.” (SearchSecurity – TechTarget)


Many times it is a fake Facebook login page, sometimes it is a fake email; it can be many things and you don’t even notice. Banks usually tell you not to click on the links that come in emails, since they usually don’t send links in their emails, precisely with this intention: to avoid phishing attacks from other people against you and their clients.

Stay away from any kind of weird email that comes into your inbox, check before you click anything and, especially, check before giving away information when you type your passwords and other data. Double check, and if in any doubt, don’t do it.
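One defender-side way to act on “check before you click”, written here as an added example that is not part of the original post: it pulls every link out of an email body and flags the classic tells (a bare IP as destination, a host that merely imitates a brand, link text that names one site while the href goes to another). The email body and the brand allow-list are constructed assumptions.

```python
"""Flag suspicious links in an email body before anyone clicks them.

Added example, not part of the original post; the email and the brand
allow-list are constructed. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand names attackers imitate, and the domains they really use.
KNOWN_BRANDS = {"facebook": {"facebook.com"}, "paypal": {"paypal.com"}}


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_same_site(host, registered):
    """True when host is registered or one of its subdomains (login.paypal.com)."""
    return host == registered or host.endswith("." + registered)


def looks_like_url(text):
    """Visible link text that reads like an address, e.g. www.bank.example."""
    t = text.strip().rstrip(".,;:!?")
    return bool(t) and " " not in t and "." in t and not t.startswith(".")


def check_link(href, visible_text):
    """Reasons a single link looks like phishing; an empty list means no finding."""
    reasons = []
    parsed = urlparse(href)
    host = host_of(href)
    if parsed.scheme not in ("http", "https"):
        reasons.append("non-web scheme %r" % parsed.scheme)
    if parsed.username is not None:
        reasons.append("user@ before the host hides the real destination")
    if host and host.replace(".", "").isdigit():
        reasons.append("destination is a bare IP address")
    if looks_like_url(visible_text):
        shown = visible_text.strip().rstrip(".,;:!?")
        shown = host_of(shown if "://" in shown else "http://" + shown)
        if shown and not (is_same_site(host, shown) or is_same_site(shown, host)):
            reasons.append("text shows %s but the link goes to %s" % (shown, host))
    for brand, domains in KNOWN_BRANDS.items():
        if brand in host and not any(is_same_site(host, d) for d in domains):
            reasons.append("host %s imitates %s" % (host, brand))
    return reasons


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html):
    """[(href, reasons)] for every link in the mail body that triggers a finding."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links
            if check_link(href, text)]


# Constructed phishing-style mail: a look-alike host, a bare IP and one genuine link.
SAMPLE_EMAIL = """
<p>Your Facebook account was accessed from a new device.</p>
<p><a href="https://facebook.com.account-check.example/login">https://www.facebook.com/login</a></p>
<p>Or verify at <a href="http://203.0.113.10/verify">this page</a>.</p>
<p><a href="https://www.facebook.com/settings">Manage notifications</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```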

If it is too late and you notice that you already gave away your data: change your passwords and deactivate access for all your at-risk accounts. Don’t panic, just go and change what you gave away so that the information becomes useless.

Between Alex’s post and this one, you should have enough information to stay safe and prevent any kind of attack or dangerous website that tries to get your information.

That’s it for now, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!

Please, not Windows again!

As part of the collective knowledge, I partnered up with my friend Alex Carrillo; please give his blog a check too!

This time, we decided to work together on a blog about OS security. Here is what we came up with:

An OS can face many types of threats, and it needs to be able to protect itself. Here we list some features that an OS needs to have, or actions that need to be done.

  • User Authentication
    • User authentication is a very important aspect to have because, with it, the OS can give access only to those people who have a user and a password. If an external person tries to access the computer with an invalid user and password, the OS will immediately reject them. Also, by creating users, the OS can give special privileges to some users. Of course, the administrator is the one user that can do that.
  • Security Policy
    • Creating a good and well-thought-out security policy for the OS is a fundamental piece in making the OS more secure. We mention this because it will be the base for building the OS we want.
  • Vulnerability Assessment
    • From time to time, it is very important to check for vulnerabilities in the system and try to solve them. Like they say, a computer connected to the internet is more vulnerable than an isolated one. So, with that last thought in mind, we have to make sure to fix any problem that the OS might have before anyone else does.

Even though we try to make our computer more secure, the reality is that we are not going to be able to make it 100% secure; but we can try to make it as secure as we can. There exist dozens of OSes around the world, and because of that there is a classification of how trustworthy a computer is. This classification was made by the U.S. Department of Defense and it is called the “Trusted Computer System Evaluation Criteria”, and this is how they classify them:

  • Type A.- the highest level of security. These systems are proven not to have any kind of bugs or possible vulnerabilities.
  • Type B.- this level provides mandatory protection. Users have specific definitions of what they can and can’t do.
  • Type C.- this level has user authentication and access control.
  • Type D.- this level doesn’t have any security at all; it is the least secure.

So, which one is the most secure OS?

Nearly every operating system is designed with security as a requirement, but there can’t be a truly secure operating system. You have probably already heard of various security-focused operating systems like Tails, Whonix and Kali Linux. All these operating systems, including Windows, Linux, BSD, even OS X, are based on monolithic kernels, and it takes just one successful kernel exploit to compromise the whole system. So, a reasonably secure operating system is one that keeps all crucial elements and activities isolated from each other.

There is a project with an OS called Qubes OS. It is a Linux-based, security-oriented and open-source operating system for personal computers, which runs everything inside virtual machines.

Its virtualization mechanism follows the ‘Security by Isolation’ (software compartmentalization) principle to secure the system, i.e. it enables the principle of least privilege.

So, if you are the victim of a malicious cyber attack, it doesn’t let the attacker take over your entire computer.

This can be a good way to keep the OS secure; in the end, it is not perfect and, as always, it tends to favour one or two sides of the security triangle, enforcing confidentiality and integrity, but it may not have the complete availability that other systems do.

Another interesting topic to review is Windows 10 and its updates. To comment a little on the subject, here is an excerpt from an article on the ONMsft site that might be interesting to read: “For those that didn’t know, Windows 10 now has forced automatic updates (unless you are on Windows 10 Professional, then you can delay Windows Updates). Yes, your PC will now be kept secure at all times, but this isn’t limited to just security updates. In fact, Windows 10’s forced automatic updates cover anything/everything Microsoft wants to put on your PC as part of Windows 10. This can potentially lead to problems, say for example a bad graphics driver.”

There are many reasons why this is bad; the most important is that it can lead to major problems in your computer, which is not cool. Personally, we recommend a few things against this:

  1. Do NOT use Windows! Use a Mac (if you have enough money and are willing to try it), or get a PC and install any flavor of Linux on it.
  2. If you really need Windows, do NOT use Windows 10! Instead, keep the nice and stable Windows 7. It is still not the best option, but way better than using Windows 10.
  3. Switch to Windows 10 Pro. If you just can’t stop using Win 10, then at least use an edition that gives you more power over your PC.
  4. Return the PC and ask for another one without Win 10, or ask for a downgrade to Win 7.

References

http://es.slideshare.net/abubakrashraf/security-protection-in-operating-system

https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/15_Security.html

https://www.tutorialspoint.com/operating_system/os_security.htm

http://thehackernews.com/2015/10/secure-operating-system.html

https://www.onmsft.com/news/windows-10s-policy-automatic-updates-causing-headaches-many

Houston, we have THE framework!

This is a similar topic to the one about Risk Assessment Methodologies, but the difference here is that we are focusing on the complete way to prevent and mitigate risk in the IT department.

The main framework is pretty much this:

[Image: Risk Management Framework diagram]

Step 1: Categorize
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions.

Step 3: Implement
Implement the security controls and document how the controls are deployed within the information system and environment of operation.

Step 4: Assess
Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize
Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor
Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.

For more information about this, you can take a look at the document here. Or you can go to the NIST RMF Overview and go as deep as you want.

For now, that’s it, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!

So, what do we do now?

The countermeasure…

“In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.” (Wikipedia)

At some point, as a system admin or a software developer, you will have to deal with this, since there is no such thing as a “completely secure” system; any system can be cracked, it is just a matter of time and intention.

So when the moment comes, actions will be required. What kind of actions? That depends on the type of problem, but if the problem is too big, you will want to have Mr. Winston Wolf right by your side at that moment.


Here is a table of what is a good idea against the different types of attacks:

Threat, with the countermeasures against it:

  • Spoofing user identity
    • Use strong authentication.
    • Do not store secrets (for example, passwords) in plaintext.
    • Do not pass credentials in plaintext over the wire.
    • Protect authentication cookies with Secure Sockets Layer (SSL).
  • Tampering with data
    • Use data hashing and signing.
    • Use digital signatures.
    • Use strong authorization.
    • Use tamper-resistant protocols across communication links.
    • Secure communication links with protocols that provide message integrity.
  • Repudiation
    • Create secure audit trails.
    • Use digital signatures.
  • Information disclosure
    • Use strong authorization.
    • Use strong encryption.
    • Secure communication links with protocols that provide message confidentiality.
    • Do not store secrets (for example, passwords) in plaintext.
  • Denial of service
    • Use resource and bandwidth throttling techniques.
    • Validate and filter input.
  • Elevation of privilege
    • Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.

Many more resources and information can be found here. On that Microsoft page, they have a lot of information about different attacks on different types of systems, how they define them, and how to prevent and counter them. Great information to go deeper into the topic.
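Two rows of that table in working code, as an added example that is neither the post’s nor Microsoft’s: a keyed hash (HMAC) that detects tampering with a message and ties it to whoever holds the key (the Tampering and Repudiation rows), and salted PBKDF2 hashing so that passwords are never stored in plaintext (the Spoofing and Information disclosure rows). The key, password and message are constructed.

```python
"""Keyed-hash tamper detection and salted password hashing.

Added example, not from the original post. MAC_KEY and the sample
values are constructed; a real service loads the key from a secret store.
"""
import hashlib
import hmac
import os

MAC_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: normally not in source


def sign_message(message: bytes, key: bytes = MAC_KEY) -> bytes:
    """HMAC-SHA256 tag: only a holder of key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(message: bytes, tag: bytes, key: bytes = MAC_KEY) -> bool:
    """Recompute the tag and compare in constant time so timing leaks nothing."""
    return hmac.compare_digest(sign_message(message, key), tag)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def check_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def tampering_is_detected() -> bool:
    """Worked case: a transfer whose amount was altered in transit fails verification."""
    original = b'{"from":"acct-1","to":"acct-2","amount":100}'   # constructed message
    tag = sign_message(original)
    altered = original.replace(b'"amount":100', b'"amount":9100')
    return verify_message(original, tag) and not verify_message(altered, tag)


if __name__ == "__main__":
    print("tampering detected:", tampering_is_detected())
    stored = hash_password("correct horse battery staple")   # constructed password
    print("stored form:", stored)
    print("right password:", check_password("correct horse battery staple", stored))
    print("wrong password:", check_password("hunter2", stored))
```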

This was a quick post then, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!

Are you ethical enough?

Uncomfortable question, right?

Well, ethical hacking is all about you. Why? Because the important question is: what will you do when you discover a major security problem in a certain system? Will you inform the company about it, will you take advantage of it, will you tell someone else, will you try to fix it yourself?

There are many ways to react when you encounter a problem…


so it is up to you to decide what you will do.

Regarding this, in the computer science area there exist some ways to get the “Ethical Hacking Certification”. The association that grants it defines it like this: A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.

Here is more information about the exam and the program:

The purpose of the CEH credential is to:

Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
Inform the public that credentialed individuals meet or exceed the minimum standards.
Reinforce ethical hacking as a unique and self-regulating profession.

About the Exam:

Number of Questions: 125
Test Duration: 4 Hours
Test Format: Multiple Choice
Test Delivery: ECC EXAM, VUE
Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)

For more information about this, you can go here.

There is this other place that you can check out too if you are interested; they have lots of information that you can get and that you can request. It is up to you how deep you want to go into this topic.

Lastly, the goal is to make the cyber world a better place, one where you can feel safe surfing in it. It is not an easy job, since every day there are thousands of new apps and websites that try to harm you, so this is not only their job but also ours: we also need to stay safe when looking around different websites and be aware of suspicious and funny-looking websites…


And that’s the why of the first question. Because it is about you: you can be whatever you want, you can become whatever you want, but make sure that whatever you do always generates the maximum amount of positive points, and that, for it, nobody else gets red points. Also, every time something goes wrong, please ask yourself the question “how am I generating this? How can I be part of this?” You will realize, eventually, that you could be part of any event you want, and therefore that question is way more powerful than you may think.

So, for now that is all folks, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!

Is it at risk or not?

In the podcast with Fernando Rubio, I mentioned I would upload a form to assess the risk in a project; this would tell you if the project is safe enough or if there are parts that need to be reworked. Knowing is the first part; after that, you decide whether the changes cost too much.

Here it is:

[Image: risk assessment form]

For now, that is all, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!

Thank you Julius Caesar!

Since the beginning of time, when humankind learned that, to communicate among a lot of people, they had to speak the same language, more and more people started to learn the same language so they could understand what others were saying. At some point, we also felt the need to give messages to certain people without others finding out what we were saying to each other. So, how can we pass a message to someone who is not physically close to us, and in a secure way, such that nobody in between finds out what we are saying? Julius Caesar came up with a solution and an idea for this: the cipher. What it does is change the letters in a certain pattern, making the message appear to make no sense when you read it, so you need the exchange pattern to decipher it.

Written in Java, a Caesar cipher could be programmed like this:

package cipher;

public class CaesarsAlg {

    // Shifts every lowercase letter of text by key positions (mod 26).
    // Characters outside a-z are copied unchanged instead of indexing past the alphabet.
    String encrypt(int key, String text) {
        char abc[] = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
        StringBuilder result = new StringBuilder();
        for (int i = 0; i < text.length(); i++) {
            char next = text.charAt(i);
            if (next < 'a' || next > 'z') {
                result.append(next);
                continue;
            }
            int numVal = next - 'a';                              // 0..25
            result.append(abc[((numVal + key) % 26 + 26) % 26]);  // "+ 26" keeps negative keys in range
        }
        return result.toString();
    }

    // Tries all 26 shifts on the sample ciphertext; one of the printed lines is the plaintext.
    public static void main(String[] args) {
        CaesarsAlg myTest = new CaesarsAlg();
        String text = "sbgsnofbcsghfobgtsfwfqcbcqwawsbhcgwbcqfsofzogdcgwpwzwrorsgdofogidfcdwodfcriqqwobcqcbghfiqqwob";
        for (int i = 0; i < 26; i++) {
            System.out.println(i + ": " + myTest.encrypt(i, text));
        }
    }
}

Another classic security model for ciphering messages is the Vigenère cipher. It is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword; it is a simple form of polyalphabetic substitution.

Programming a Vigenère cipher is not so hard; deciphering a message encrypted that way, on the other hand, is quite a challenge.

An implementation in Java of the cipher could look like this:

package cipher;

public class VigenerAlg {

    // Caesar-shifts a single lowercase letter by key positions; other characters pass through.
    char encryptChar(int key, char letter) {
        if (letter < 'a' || letter > 'z') {
            return letter;
        }
        return (char) ('a' + ((letter - 'a' + key) % 26 + 26) % 26);
    }

    // Vigenere: each plaintext letter is shifted by the matching keyword letter, cycling the keyword.
    String encrypt(String keyword, String text) {
        StringBuilder res = new StringBuilder();
        int keyIndex = 0;
        for (int i = 0; i < text.length(); i++) {
            char letter = text.charAt(i);
            if (letter < 'a' || letter > 'z') {   // keep the keyword aligned with letters only
                res.append(letter);
                continue;
            }
            int key = keyword.charAt(keyIndex % keyword.length()) - 'a';
            keyIndex++;
            res.append(encryptChar(key, letter));
        }
        return res.toString();
    }

    public static void main(String[] args) {
        VigenerAlg myTest = new VigenerAlg();
        String text = "defendtheeastwallofthecastle";
        String keyword = "fortification";
        System.out.println(myTest.encrypt(keyword, text));  // iswxvibjexiggbocewkbjeviggqs
    }
}

So this is it for now; there are many more ways to cipher things, since ciphering is the major part of the classical information security models.
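As an added example (not the post’s code, which is Java), here is the Vigenère cipher in Python together with the classical way to recover the key from the ciphertext alone: the index of coincidence suggests the key length, and a chi-squared test against English letter frequencies picks each column’s Caesar shift. The plaintext and the key lemon are constructed; the attack needs a few hundred letters, which is why the post’s 28-letter example resists it while longer messages do not.

```python
"""Vigenere cipher plus the classical key recovery that makes it weak.

Added example, not the post's Java code; SAMPLE_PLAINTEXT and SAMPLE_KEY are constructed.
"""
from string import ascii_lowercase

# Relative frequency of each letter a..z in English text, in percent.
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094,
                6.966, 0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929,
                0.095, 5.987, 6.327, 9.056, 2.758, 0.978, 2.360, 0.150,
                1.974, 0.074]


def normalize(text):
    """Keep only a-z, lower-cased, as the post's Java code assumes."""
    return "".join(c for c in text.lower() if c in ascii_lowercase)


def encrypt(plaintext, key):
    """Shift each letter by the matching key letter, cycling the key."""
    p, k = normalize(plaintext), normalize(key)
    return "".join(chr((ord(c) + ord(k[i % len(k)]) - 2 * 97) % 26 + 97)
                   for i, c in enumerate(p))


def decrypt(ciphertext, key):
    """Undo encrypt by subtracting the key letter instead of adding it."""
    c, k = normalize(ciphertext), normalize(key)
    return "".join(chr((ord(ch) - ord(k[i % len(k)])) % 26 + 97)
                   for i, ch in enumerate(c))


def index_of_coincidence(text):
    """Chance that two letters drawn from text match: English ~0.066, random ~0.038."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in (text.count(c) for c in ascii_lowercase)) / (n * (n - 1))


def average_ic(ciphertext, key_len):
    """Mean IC of the key_len columns; it jumps when key_len is the true period."""
    return sum(index_of_coincidence(ciphertext[i::key_len]) for i in range(key_len)) / key_len


def estimate_key_length(ciphertext, max_len=20, threshold=0.055):
    """Smallest period whose columns look monoalphabetic; threshold sits between random and English IC."""
    for key_len in range(1, max_len + 1):
        if average_ic(ciphertext, key_len) >= threshold:
            return key_len
    return None


def chi_squared(column):
    """How far the letter counts of column are from English expectations."""
    n = len(column)
    return sum((column.count(c) - ENGLISH_FREQ[i] * n / 100) ** 2 / (ENGLISH_FREQ[i] * n / 100)
               for i, c in enumerate(ascii_lowercase))


def recover_key(ciphertext, key_len):
    """Per column, the Caesar shift whose decryption looks most like English."""
    key = ""
    for i in range(key_len):
        column = ciphertext[i::key_len]
        best = min(range(26), key=lambda s: chi_squared(decrypt(column, chr(97 + s))))
        key += chr(97 + best)
    return key


# Constructed sample: a few hundred letters of English paraphrasing the phishing post.
SAMPLE_PLAINTEXT = normalize(
    "phishing is a form of fraud in which the attacker tries to learn information "
    "such as login credentials or account information by masquerading as a reputable "
    "entity or person in email instant messaging or other communication channels "
    "many times it is a false login page sometimes it is a false email and you do not "
    "even notice banks usually tell their customers not to click on links that arrive "
    "by email because they do not send links with that intention stay away from any "
    "kind of strange email that lands in your inbox and check twice before typing "
    "your password anywhere")
SAMPLE_KEY = "lemon"  # constructed key

if __name__ == "__main__":
    ct = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    length = estimate_key_length(ct) or len(SAMPLE_KEY)
    print("estimated key length:", length, "recovered key:", recover_key(ct, length))
```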

As always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!

Not so “Trump’s” CIA…

This is a post that I’ve been wanting to write, since it is the basis of information security, and it is about the 3 pillars of this subject: information Integrity, Availability and Confidentiality (that’s the IAC, or the not-Trump’s-CIA as I like to call it).

So, straight to the chest: why are they the 3 most important things in IT security? Because if you can ensure all 3 of them all the time, at the same time, then you would become the God of IT, with higher powers than the Power Rangers or Linus Torvalds.

Ensuring those 3 things all the time for any system sounds easy, but it isn’t really. You have to make sure that one doesn’t block the others, but doesn’t affect them either. For example: I could make a big database public, so it is available and in compliance with integrity, but it is so available that it affects confidentiality, so I’m missing one side of the triangle.

Pretty much all systems try to be in compliance with these 3 things all the time, and many of them achieve it for some time, until an update comes, or an issue arises, or someone tries to play the “smart-ass” and does dirty things to the system, sometimes ruining the complete triangle.

So, let’s define each of the parts:

  • Integrity: Assurance that the data being accessed or read has neither been tampered with, nor been altered or damaged through a system error, since the time of the last authorized access. Read more: http://www.businessdictionary.com/definition/information-integrity.html
  • Availability: In the context of a computer system, refers to the ability of a user to access information or resources in a specified location and in the correct format. Read more: https://www.techopedia.com/definition/990/availability
  • Confidentiality: Is whether the information stored on a system is protected against unintended or unauthorized access. Since systems are sometimes used to manage sensitive information, data confidentiality is often a measure of the ability of the system to protect its data. Read more: http://hitachi-id.com/concepts/confidentiality.html


I guess you can see why this topic is so important: it is the base of pretty much any system you use, for fun or at work or wherever, that more than one person uses at some point.

Going deeper into the 3 topics, I found this read on the WhatIs webpage. I really recommend it, and I leave its summary of the 3 pillars here:

Confidentiality:

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it: Access must be restricted to those authorized to view the data in question. It is common, as well, for data to be categorized according to the amount and type of damage that could be done should it fall into unintended hands. More or less stringent measures can then be implemented according to those categories.

Sometimes safeguarding data confidentiality may involve special training for those privy to such documents. Such training would typically include security risks that could threaten this information. Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training can include strong passwords and password-related best practices and information about social engineering methods, to prevent them from bending data-handling rules with good intentions and potentially disastrous results.

A good example of methods used to ensure confidentiality is an account number or routing number when banking online. Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm. Other options include biometric verification and security tokens, key fobs or soft tokens. In addition, users can take precautions to minimize the number of places where the information appears and the number of times it is actually transmitted to complete a required transaction. Extra measures might be taken in the case of extremely sensitive documents, precautions such as storing only on air gapped computers, disconnected storage devices or, for highly sensitive information, in hard copy form only.

Integrity:

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). These measures include file permissions and user access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users becoming a problem. In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. Some data might include checksums, even cryptographic checksums, for verification of integrity. Backups or redundancies must be available to restore the affected data to its correct state.

Availability:

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. It’s also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover, RAID, even high-availability clusters can mitigate serious consequences when hardware issues do occur. Fast and adaptive disaster recovery is essential for the worst-case scenarios; that capacity is reliant on the existence of a comprehensive disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections must include unpredictable events such as natural disasters and fire. To prevent data loss from such occurrences, a backup copy may be stored in a geographically isolated location, perhaps even in a fireproof, waterproof safe. Extra security equipment or software such as firewalls and proxy servers can guard against downtime and unreachable data due to malicious actions such as denial-of-service (DoS) attacks and network intrusions.

After all this information, you now have a better idea and understanding of why the CIA of computer science is basic for any system you may find, since it is what supports everything; without it, a lot of systems wouldn’t have the success they do now, like Facebook, Twitter or any other social network, or the banks’ systems that keep your money yours and only yours. It also helps you understand that these 3 things won’t always be achieved all the time, and that is when the problems come.

So, this is all for now, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!