OWASP Top 10 2021

The 2021 version of the OWASP Top 10 web application vulnerabilities has been officially released.

This list is a key reference in the information security industry, and this update is one that those of us working in the field need to be familiar with.

One thing that particularly stands out is the inclusion of a category named A02: Cryptographic Failures. This category covers the weaknesses (CWEs) associated with cryptographic failures, whether caused by misconfiguration or by flawed implementations of cryptography in applications. Among them:

  • Weak passwords.
  • Cryptographic key exchange without authentication.
  • Insufficient entropy.
  • Problems in pseudorandom data generation.
  • Transmission of sensitive information in cleartext.
  • and many others.

… I will surely be discussing some of them over the coming days.

The updated list of vulnerabilities is as follows:

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failures
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failures
  • A10:2021-Server-Side Request Forgery

The official link and all the documentation can be found directly on the OWASP.org Top 10 portal.

Implementations: The Achilles heel in cybersecurity

There are many new technologies, controls, mechanisms, modules and libraries for protecting and securing assets and information. Usually these technologies were created and developed by people with strong skills in the field; however, one of the main problems is the implementation phase.

Believe it or not, most vulnerabilities, whether published or zero-day, exist because of a bad or terrible implementation of something that is secure in essence.

Think about cryptography. In general, standard cryptographic algorithms are approved and validated by many cryptographers around the world, but when it comes to the implementation phase, the standard or algorithm is implemented by a group of people working at the same company, or sometimes by a single developer with limited training in security and/or cryptography.

One example is the WEP security protocol for wireless communications. It has several vulnerabilities, but in particular the key stream vulnerability is a consequence of a weakness in the implementation of the RC4 stream cipher, not of the RC4 algorithm itself.
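As an added illustration of that point (example code, not from the original post), the script below pairs a textbook RC4 with a WEP-style per-packet key (a 24-bit IV prepended to the shared key) to show that the flaw is in how the cipher is used: when a key/IV pair is reused, the keystream repeats and the XOR of two ciphertexts equals the XOR of the two plaintexts, which is why a transmitter must never reuse a key/IV pair and why checking for repeated IVs is a useful defensive test. The key, IVs and payloads are constructed sample values.

```python
# Added example (not from the original post): RC4 keystream reuse, the class of
# implementation mistake WEP made, demonstrated on constructed sample data.
from collections import Counter
from typing import List


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style usage: the per-packet RC4 key is the 24-bit IV prepended to the
    shared key. The IV is sent in cleartext, so every receiver knows which keystream was used."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def ciphertext_xor(shared_key: bytes, iv1: bytes, p1: bytes, iv2: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts. With iv1 == iv2 the identical keystreams cancel out and
    the result equals p1 XOR p2: the cipher is fine, reusing the key/IV pair is the flaw."""
    c1 = wep_style_encrypt(shared_key, iv1, p1)
    c2 = wep_style_encrypt(shared_key, iv2, p2)
    return xor_bytes(c1, c2)


def repeated_ivs(ivs: List[bytes]) -> List[bytes]:
    """Defensive check: IVs observed more than once under the same shared key."""
    return [iv for iv, n in Counter(ivs).items() if n > 1]


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"            # constructed 40-bit sample key
    m1, m2 = b"first packet payload", b"second packet data.."
    same = ciphertext_xor(key, b"\x00\x00\x07", m1, b"\x00\x00\x07", m2)
    print(same == xor_bytes(m1, m2))           # True: keystream reuse leaks p1 ^ p2
```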

Continue reading Implementations: The Achilles heel in cybersecurity

The Waste of E-mail

I have had this post pending for a long time, because I find it incredible that, to this day, there is no much more practical method for meeting this need, and that the options that have emerged over time have not reached enough adoption to displace technologies that should already be obsolete, such as traditional e-mail.
Continue reading The Waste of E-mail

HTTPS and the TLS handshake protocol.


In the previous post I talked about how web browsers connect to a server and how a negotiation between server and client is initiated to establish a secure connection when the HTTPS protocol is used.

In this post I will explain the SSL/TLS protocol and how a client (computer, smartphone, tablet, terminal, etc.) and a server can encrypt the data sent and received over an HTTPS connection.
Continue reading HTTPS and the TLS handshake protocol.

Do you really know what a hacker is?


Personally, I almost never use the word “hacker”. Why? Well, I don’t like how people use it nowadays. Newspapers, magazines, TV, even the Internet tend to call a “hacker” anyone who breaks into a bank account, steals information, gets into an e-mail account, corrupts a program and, in general, commits any kind of computer-related crime.

Personally, I think being a “hacker” involves much more than that. People with some computing knowledge know that when you find a real hacker you will not want to lose contact. Being a real hacker involves knowing a lot of useful things about almost everything. You can ask them about literature and they will know the topic; you can ask them about politics and they will know; about administration, psychology and, really, almost every topic you can think of.

How do they obtain the information? Well, it’s a simple question, but the answer can be very complex.

Reading (real books too, obviously), blogging, watching, listening, and through almost every activity they do. After that, the information is analyzed, associated, linked and stored very carefully so that it can be found in the future. When? When they need it, and only when they need it. Real hackers will never tell you everything they know and will never boast about their knowledge; they will not even tell you that you are wrong until you ask for their opinion. You must never underestimate a hacker; that is a terrible mistake, and you must know that they think extremely fast. Maybe you think you will surprise them, but trust me, they have already thought about that situation.

All that information can only be acquired by sacrificing part of their life. Usually the social part.

They know the power they have and they know exactly what they can do. Even so… they know they will never know everything.

Megabytes vs Megabits [IT general knowledge]

Yesterday I decided to call a company to sign up for its broadband Internet service. As expected, they answered immediately and started giving me the details for the bank transfer, to which I replied that first I wanted them to clear up some technical questions I had about their service.
Since they were technical questions, they transferred me to the technical support area so they could help me. Once there, the conversation went more or less as follows:

  • support: Good afternoon. My name is […], how can I help you?
  • me: Hi, good afternoon. The purpose of my call is to clear up some technical questions I have, since I am interested in signing up for an Internet plan with you.

Continue reading Megabytes vs Megabits [IT general knowledge]