Implementations: The Achilles heel in cybersecurity


There are many new technologies, controls, mechanisms, modules and libraries for protecting and securing assets and information. Usually these new technologies were created and developed by people with good skills in the field; however, one of the main problems is the implementation phase.

Believe it or not, most of the vulnerabilities, whether published or zero-day, exist because of a bad or terrible implementation of something that is secure in essence.

Think about cryptography. In general, standard cryptographic algorithms are approved and validated by many cryptographers around the world, but when it comes to the implementation phase, the standard or algorithm is implemented by a group of people working at the same company, or sometimes by only one developer with limited training in security and/or cryptography.

One example is the WEP security protocol for wireless communications. It has several vulnerabilities, but in particular the key-stream vulnerability is a consequence of a weakness in the implementation of the RC4 stream cipher, not of the RC4 algorithm itself.


The waste of e-mail


I had been meaning to write this post for a long time, because I find it unbelievable that, to this day, there is no much more practical method for meeting this need, and that the options that have emerged over time have not reached a sufficient level of adoption to displace technologies that should already be obsolete, such as traditional e-mail.

HTTPS and the TLS handshake protocol.

In the previous post I talked about how web browsers connect to the server and how a negotiation is initiated between server and client to establish a secure connection when the HTTPS protocol is used.

In this post I will explain the SSL/TLS protocol and how a client (computer, smartphone, tablet, terminal, etc.) and a server can encrypt the data sent and received over an HTTPS connection.

Do you really know what a hacker is?

Personally I almost never use the word “hacker”. Why’s that? Well, I don’t like how people use it nowadays. Newspapers, magazines, TV and even the Internet call “hacker” any person who breaks into a bank account, steals information, gets into an e-mail account, corrupts a program and, in general, commits any kind of computer-related crime.

Personally I think being a “hacker” involves much more than that. People with some computing knowledge know that when you find a real hacker you will not want to lose contact. Being a real hacker involves knowing a lot of useful things about almost everything. You can ask them something about literature and they will know about the topic; you can ask them about politics and they will know; about administration, psychology and, really, almost every topic you can think of.

How do they obtain the information? Well, it’s a simple question, but the answer can be very complex.

Reading (real books too, obviously), blogging, watching, listening, and almost every other activity they do. After that, the information is analyzed, associated, linked and stored very, very carefully so that it can be found in the future. When? When they need it, and only when they need it. Real hackers will never tell you everything they know and will never show off their knowledge; they will not even tell you that you are wrong until you ask for their opinion. You must never underestimate a hacker; that is a terrible mistake, and you must know that they think extremely fast. Maybe you think you will surprise them, but trust me, they have already thought about that situation.

All that information can only be acquired by sacrificing part of their life. Usually the social part.

They know the power they have and they know exactly the things they can do. Even so… they know that they will never know everything.

Megabytes vs. Megabits [General computing knowledge]

Yesterday I decided to call a company to sign up for its broadband Internet service. As expected, they answered immediately and began giving me the details for making the electronic transfer, to which I replied that I was first interested in having some technical questions about their service answered.
Because they were technical questions, I was transferred to the technical support department so they could help me. Once there, the conversation went more or less as follows:

  • support: Good afternoon. My name is […], how can I help you?
  • me: Hello, good afternoon. The purpose of my call is to clear up some technical questions I have, since I am interested in signing up for an Internet plan with you.